How an NDIS filter driver can interact with a user-mode program

Hello everybody. Who can help me? How can I send outgoing Net Buffer Lists (outgoing traffic from the NDIS filter driver (FilterSendNetBufferLists)) to a user-mode program for some modifications? I am doing it with IRPs, but I think it is not the best approach, because the initiator of the IRP is the user, but I need the driver to be the initiator of communication between the NDIS driver and the user program.

First, you can encrypt in the kernel; the operating system even has calls for the common model it provides in user space. If you really need to send it to user space, look up “inverted call”, which is well documented on the OSR site; see https://www.osr.com/nt-insider/2013-issue1/inverted-call-model-kmdf/

Thank you Mr Don_Burn. This is very helpful advice. Yes, maybe “inverted call” is what I need. But please tell us about the first method you mentioned. (First you can encrypt in the kernel, the operating system even has calls for the common model it provides in user space.)

And the second question: will “inverted call” work in an NDIS environment?

Bcrypt.h has a kernel version; if you can use the Bcrypt calls in user mode, they should do the work in kernel mode if you want. Yes, the basic inverted call model works with NDIS.

I read “Inverted Call”. This is what I have already done. Yes, from the user mode program I issue an IOCTL request, in the driver I receive this request and store it in the context structure of the driver module. After that, I take it from the FilterSendNetBufferLists function, fill the MDL from NetBufferLists and return it to the user program. If this is the right way, then thanks…
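The flow described in the post above, as a portable user-mode C model added here for illustration (not code from any poster in this thread or from the OSR article): requests are parked on the IOCTL path and completed from the send path, with the two cases a driver has to handle explicitly, no request waiting and a caller buffer smaller than the frame. All names are hypothetical; it assumes that in a real driver `request_t` would be a pended IOCTL request, the frame bytes would come from the NET_BUFFER MDL chain, and the queue would be protected by a lock.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PENDING 4   /* cap on parked requests (assumed policy) */

/* Stand-in for one pended IOCTL: the caller's output buffer and its length. */
typedef struct {
    unsigned char *out;
    size_t out_len;
    size_t written;     /* bytes reported back on completion */
    int status;         /* 0 = pending, 1 = completed, -1 = failed: buffer too small */
} request_t;

typedef struct {
    request_t *slot[MAX_PENDING];
    size_t head, count;
} pending_queue_t;

/* IOCTL path: park the request instead of completing it. */
int park_request(pending_queue_t *q, request_t *r) {
    if (q->count == MAX_PENDING)
        return -1;                   /* refuse rather than grow without bound */
    q->slot[(q->head + q->count++) % MAX_PENDING] = r;
    r->status = 0;
    r->written = 0;
    return 0;
}

/* Send path: hand one frame to the oldest parked request.
 * Returns 1 if delivered, 0 if nobody is waiting (the caller passes the
 * frame down unmodified), -1 if the request was failed for a short buffer. */
int deliver_frame(pending_queue_t *q, const unsigned char *frame, size_t len) {
    request_t *r;
    if (q->count == 0)
        return 0;
    r = q->slot[q->head];
    q->head = (q->head + 1) % MAX_PENDING;
    q->count--;
    if (len > r->out_len) {          /* never copy past the caller's buffer */
        r->status = -1;
        return -1;
    }
    memcpy(r->out, frame, len);
    r->written = len;                /* length reported with the completion */
    r->status = 1;
    return 1;
}
```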

DLLs can be loaded in kernel mode, as long as they don’t call user-mode APIs.

Well, thank you Mr.