FltCreateCommunicationPort causes a blue screen

Hello.
Please, who can help me?
I need to call the FltCreateCommunicationPort function from an NDIS filter driver.
I call it from DriverEntry. (Is this correct, or should I call it from within FilterAttach?)
The first argument to this function is PFLT_FILTER Filter.
This identifier is set when the filter driver is registered with FltRegisterFilter (as the 3rd parameter).
But the registration function for an NDIS filter driver is NdisFRegisterFilterDriver(), which is different from FltRegisterFilter(),
and the 3rd argument of NdisFRegisterFilterDriver is a FilterDriverHandle instead of RetFilter (an opaque filter handle returned to the caller). What can I do?
This causes a blue screen.
This is the code I added to DriverEntry to create a communication port to the user-mode application, in order to send all outgoing network packets to user mode:

_Use_decl_annotations_ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
… . …
… . …
… . …
    Status = NdisFRegisterFilterDriver(DriverObject, (NDIS_HANDLE)FilterDriverObject, &FChars, &FilterDriverHandle); // FltRegisterFilter(DriverObject, &fff, &RetFilter) is the equivalent for non-NDIS (minifilter) drivers
… . …
… . …
… . …
    ///////////////////////// Creating a communication port
    UNICODE_STRING uniString;
    RtlInitUnicodeString(&uniString, NDISENCRYPT_PORT_NAME);
    OBJECT_ATTRIBUTES ObjectAttr = { 0 };
    InitializeObjectAttributes(&ObjectAttr, &uniString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    // FilterDriverHandle is an NDIS handle, not a PFLT_FILTER; the cast below is where the crash originates.
    // The second parameter is PFLT_PORT *ServerPort, so the address of the port variable (assumed PFLT_PORT pServerPort) is passed.
    Status = FltCreateCommunicationPort((PFLT_FILTER)FilterDriverHandle, &pServerPort, &ObjectAttr, NULL, ConClbk, DisconClbk, MsgClbk, 1);
    // then a blue screen appears
    if (Status != STATUS_SUCCESS) {
        if (Status == STATUS_FLT_DELETING_OBJECT) KdPrint(("NdisFilterDr -> The specified filter is being torn down. This is an error code\n"));
        else if (Status == STATUS_INSUFFICIENT_RESOURCES) KdPrint(("NdisFilterDr -> FltCreateCommunicationPort encountered a pool allocation error\n"));
        else if (Status == STATUS_OBJECT_NAME_COLLISION) KdPrint(("NdisFilterDr -> Filter communication port with the same name already exists\n"));
        else KdPrint(("NdisFilterDr -> FltCreateCommunicationPort encountered an error\n"));
    }
    ////////////////////////////////////////////////

    } while (bFalse);

    DEBUGP(DL_TRACE, "<===DriverEntry, Status = %8x\n", Status);
    return Status;
}


FltCreateCommunicationPort only works for file system filters. Bottom line, you are using an API that does not work in the NDIS environment.

?
Just register a minifilter, and it works (no need to actually filter anything).

I.e. pass the filter handle from FltRegisterFilter.

Dejan.
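
One way to act on the advice above, as an added example that is not code from the thread or from any of its participants: the NDIS filter driver additionally registers a minifilter with no operation callbacks, purely to obtain the PFLT_FILTER that FltCreateCommunicationPort requires, and restricts the port with the default security descriptor so that only SYSTEM and Administrators can connect. It assumes the driver's service key carries the minifilter Instances subkey and altitude that FltRegisterFilter needs; the port name and the function and variable names are placeholders chosen here, and the NDIS side (NdisFRegisterFilterDriver and its own unload) is unchanged.

```c
#include <fltKernel.h>
#define EXAMPLE_PORT_NAME L"\\NdisFilterExamplePort"   /* placeholder name, not the thread's */
static PFLT_FILTER g_Filter     = NULL;   /* the real PFLT_FILTER the port API needs */
static PFLT_PORT   g_ServerPort = NULL;
static PFLT_PORT   g_ClientPort = NULL;   /* one user-mode client at a time (MaxConnections = 1) */

/* Port callbacks; the optional message callback is omitted (NULL) for brevity. */
static NTSTATUS FLTAPI PortConnect(PFLT_PORT ClientPort, PVOID ServerCookie,
                                   PVOID Ctx, ULONG CtxSize, PVOID *ConnCookie)
{
    UNREFERENCED_PARAMETER(ServerCookie); UNREFERENCED_PARAMETER(Ctx); UNREFERENCED_PARAMETER(CtxSize);
    *ConnCookie = NULL;
    g_ClientPort = ClientPort;
    return STATUS_SUCCESS;
}
static VOID FLTAPI PortDisconnect(PVOID ConnCookie)
{
    UNREFERENCED_PARAMETER(ConnCookie);
    FltCloseClientPort(g_Filter, &g_ClientPort);   /* also resets g_ClientPort to NULL */
}
static NTSTATUS FLTAPI MinifilterUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);
    FltCloseCommunicationPort(g_ServerPort);
    FltUnregisterFilter(g_Filter);
    return STATUS_SUCCESS;
}

/* No operation callbacks: this minifilter exists only to own the communication port. */
static const FLT_REGISTRATION g_FltRegistration = {
    sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, 0, NULL, NULL, MinifilterUnload
};

/* Call from DriverEntry after NdisFRegisterFilterDriver has succeeded. */
NTSTATUS CreateUserModePort(PDRIVER_OBJECT DriverObject)
{
    PSECURITY_DESCRIPTOR sd = NULL; OBJECT_ATTRIBUTES oa;
    UNICODE_STRING name = RTL_CONSTANT_STRING(EXAMPLE_PORT_NAME);
    NTSTATUS status = FltRegisterFilter(DriverObject, &g_FltRegistration, &g_Filter);
    if (!NT_SUCCESS(status)) return status;

    /* Default descriptor admits only SYSTEM and Administrators, so an unprivileged process cannot attach. */
    status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
    if (!NT_SUCCESS(status)) { FltUnregisterFilter(g_Filter); return status; }
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, sd);
    status = FltCreateCommunicationPort(g_Filter, &g_ServerPort, &oa, NULL,
                                        PortConnect, PortDisconnect, NULL, 1);
    FltFreeSecurityDescriptor(sd);   /* the port keeps its own copy */
    if (!NT_SUCCESS(status)) FltUnregisterFilter(g_Filter);
    return status;
}
```

Forwarding packet copies to the connected client (FltSendMessage, as in the AvScan sample mentioned later in the thread) is the next step and is not shown; since FilterSendNetBufferLists can run at DISPATCH_LEVEL, that usually means queuing the copies to a worker thread rather than sending from the handler.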

Thank you, Mr. Dejan_Maksimovic. And please help me: how can I make an NDIS filter driver communicate with a user-mode application? It is required to send all outgoing and incoming packets captured by the filter driver to the user program, i.e. how can I pass all network traffic to a program running in user mode to make some changes?

If I need to answer that question, you’re in trouble :slight_smile:
Not because the implementation would be easy and you should figure it in minutes, but because sending that much data will kill your OS.

Kind regards, Dejan Maksimovic.
FS Lead: http://www.alfasp.com

Thank you, Mister. But I will only send the shared addresses of these packets, and I think that in this way I can change the outgoing and incoming Ethernet packets (or not?). Please tell me which mechanism to use. Possibly an IRP (inverted call). For one month I tried some mechanisms, but nothing worked.
I will copy the packets and pass the copy to the user program, and return the original packets to the kernel from inside the FilterSend and FilterReceive procedures of my NDIS filter driver. Thank you.

Do you have a sense how many packets per second you would send and wait for UM to process?

No, because this driver will be installed on all hosts in the private network and users will communicate with each other.
They will do whatever they want.
I have already done the driver and encryption. But now they want to do the encryption process in user mode, so I have to send all outgoing and incoming packets to the user program.
Thank you, Mr. Dejan_Maksimovic.
Thank you, Mr. Don_Burn.

Hello everybody. Who can help me? How can I send outgoing Net Buffer Lists (outgoing traffic from the NDIS filter driver, FilterSendNetBufferLists) to a user-mode program for some modifications? I am doing it with IRPs, but I think it is not the best case, because the initiator of an IRP is the user, but I need the driver to be the initiator of communication between the NDIS driver and the user program.
Thank you.

How is this not a big security flaw anyway? OP wants to modify packets captured in kernel from user mode… Meaning anyone who attacks the user-mode application can basically alter every single packet sent or received by the computer. I understand that this is on a private network, but still, this project of yours and its use case doesn’t make any sense to me.

@Arsen said:
Hello everybody. Who can help me? How can I send outgoing Net Buffer Lists (outgoing traffic from the NDIS filter driver, FilterSendNetBufferLists) to a user-mode program for some modifications? I am doing it with IRPs, but I think it is not the best case, because the initiator of an IRP is the user, but I need the driver to be the initiator of communication between the NDIS driver and the user program.
Thank you.

You might want to ask new questions in a new thread.

Thanks for the answer. My goal is to encrypt packets in user mode, because the encryption algorithm is in a DLL, so it runs in user mode. This algorithm is safe and cannot be inside a driver. The driver images are on the hard drive, which is a security breach.

The driver was developed by me; it is an NDIS filter driver. I think if the driver wants to, it should be able to communicate with user mode. There is a communication mechanism (FltCreateCommunicationPort) for non-NDIS drivers, but it does not work for NDIS drivers.

> Thanks for the answer. My goal is to encrypt packets in user mode. Because the encryption algorithm is in a dll, it runs in user mode. This algorithm is safe and cannot be inside a driver. The driver images are on the hard drive, which is a security breach

Could you translate this for me, please?
User mode is not on a hard drive, but drivers are?

Again, how much data and how often do you need to send to user mode? 10 per second, millisecond, microsecond, nanosecond?

Mr. Dejan_Maksimovic, I wrote an NDIS filter driver. It will be installed on some isolated networks. How much data will be transmitted over the network there, I do not know. They will send documents, hold teleconferences and much more. I don't know. I think this is not very important, because at first the customers suggested that I send outgoing packets back to user mode using a loop, i.e. to send packets back through sockets.
This means that all packets will be circulated 3 times: from the application to the network driver, from the driver to the user-mode encryption program, and finally from that program to the network.

Try sending a million packets between kernel and user mode per second, and check the latency difference. (Any packet, no need to test NDIS packets for this test.)

If you do that, I suspect you will find the performance to be unacceptable.

I don’t have a good sense of how many NDIS packets go per second, so maybe I am off by an order of 1000x.

Dejan.

> Could you translate this for me, please?
> User mode is not on a hard drive, but drivers are?

The driver image is on the hard drive. We cannot call the driver from flash. But we can’t put the algorithm in the driver code, because someone can copy this driver from //Windows//system//drivers. Therefore, we decided to transfer the source packets to a user program on a removable disk, which should receive all packets from the driver, perform encryption and transfer back to the driver.

Well, thank you, Mr.

That… will be awesome, perf-wise, when paging kicks in :slight_smile:
Ok, you can use the AvScan example to send data. But test the performance; I think you will run into unacceptable bottlenecks.

OT: how da heck did the message get translated into… Russian, but only via email?? When I go to the forum, it is in English :slight_smile: