3 TDI questions and one about win32

Hi, I have a couple of questions for which I couldn’t
find any answers on the Internet so I thought this is
the best place to ask:

  1. In a TDI filter driver, if I send a TDI_RECEIVE IRP
    when there is no pending data, it never completes. Is
    this normal behaviour and if yes, why?
  2. When I need to disconnect a connection, I just call
    ClientEventDisconnect. Is this enough, or should I
    send a TDI_DISCONNECT to the lower driver?
  3. I have a program which does some http requests and
    sometimes it hangs. In my driver I see that it sends
    the requests, but no data arrives. In this case, the
    connection shouldn’t time out?
  4. I’m trying to find in user mode the name of the
    process which sends data across the network. I do this
    by calling OpenProcess and then GetModuleBaseName. But
    on two systems with WinXP sp2 I receive the error
    ERROR_PARTIAL_COPY, which probably comes from
    ReadProcessMemory. I read that you could do a
    VirtualQuery to find the amount of memory that can be
    read, but I have no way to get the base address at
    which GetModuleBaseName starts to read. Any thoughts?

Thanks!

PS: I know that the last question isn’t about driver
development, but I think it is more likely to find an
answer here than somewhere else.



Cristian Berneanu wrote:

Hi, I have a couple of questions for which I couldn’t
find any answers on the Internet so I thought this is
the best place to ask:

  1. In a TDI filter driver, if I send a TDI_RECEIVE IRP
    when there is no pending data, it never completes. Is
    this normal behaviour and if yes, why?

The IRP should be pending until the transport receives some data (see the
DDK help for more info here) for that connection or the connection is
closed.
You should check the return value of IoCallDriver.

  2. When I need to disconnect a connection, I just call
    ClientEventDisconnect. Is this enough, or should I
    send a TDI_DISCONNECT to the lower driver?

  3. I have a program which does some http requests and
    sometimes it hangs. In my driver I see that it sends
    the requests, but no data arrives. In this case, the
    connection shouldn’t time out?

You could be a bit more explicit here. What do you mean by “it hangs”?
Can you kill the process with the task manager? If not, you are doing
something wrong in your IRP handling code.

  4. I’m trying to find in user mode the name of the
    process which sends data across the network. I do this
    by calling OpenProcess and then GetModuleBaseName. But
    on two systems with WinXP sp2 I receive the error
    ERROR_PARTIAL_COPY, which probably comes from
    ReadProcessMemory. I read that you could do a
    VirtualQuery to find the amount of memory that can be
    read, but I have no way to get the base address at
    which GetModuleBaseName starts to read. Any thoughts?

How about the size of your buffer? Does the function write anything in
your buffer?
From MSDN:

/lpBaseName/
[out] Pointer to the buffer that receives the base name of the
module. If the base name is longer than maximum number of characters
specified by the /nSize/ parameter, the base name is truncated.



Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@bitdefender.com
To unsubscribe send a blank email to xxxxx@lists.osr.com


Ignorance more frequently begets confidence than does knowledge.
— Charles Darwin


This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/

Hi and thanks for answering.
Andrei Zlate-Podani wrote:
> Cristian Berneanu wrote:
>
> > 1) In a TDI filter driver, if I send a TDI_RECEIVE IRP
> > when there is no pending data, it never completes. Is
> > this normal behaviour and if yes, why?
>
> The IRP should be pending until the transport receives some data (see the
> DDK help for more info here) for that connection or the connection is
> closed.
> You should check the return value of IoCallDriver.

IoCallDriver returns STATUS_PENDING, so I wait for it
to complete. But when there is no pending data, I
never see my completion routine getting called.

> > 2) When I need to disconnect a connection, I just call
> > ClientEventDisconnect. Is this enough, or should I
> > send a TDI_DISCONNECT to the lower driver?
> >
> > 3) I have a program which does some http requests and
> > sometimes it hangs. In my driver I see that it sends
> > the requests, but no data arrives. In this case, the
> > connection shouldn’t time out?
>
> You could be a bit more explicit here. What do you mean by “it hangs”?
> Can you kill the process with the task manager? If not, you are doing
> something wrong in your IRP handling code.

Yes, the process can be killed with the task manager.
Just that I don’t know what the timeout value is for a
TCP connection when no traffic is being made.

> > 4) I’m trying to find in user mode the name of the
> > process which sends data across the network. I do this
> > by calling OpenProcess and then GetModuleBaseName. But
> > on two systems with WinXP sp2 I receive the error
> > ERROR_PARTIAL_COPY, which probably comes from
> > ReadProcessMemory. I read that you could do a
> > VirtualQuery to find the amount of memory that can be
> > read, but I have no way to get the base address at
> > which GetModuleBaseName starts to read. Any thoughts?
>
> How about the size of your buffer? Does the function write anything in
> your buffer?
> From MSDN:
>
> /lpBaseName/
> [out] Pointer to the buffer that receives the base name of the
> module. If the base name is longer than maximum number of characters
> specified by the /nSize/ parameter, the base name is truncated.

My buffer is 64 bytes long and when I receive that
error no data is being written.


Cristian Berneanu wrote:

> Hi and thanks for answering.
> Andrei Zlate-Podani wrote:
>
> > Cristian Berneanu wrote:
> >
> > > 1) In a TDI filter driver, if I send a TDI_RECEIVE IRP
> > > when there is no pending data, it never completes. Is
> > > this normal behaviour and if yes, why?
> >
> > The IRP should be pending until the transport receives some data (see the
> > DDK help for more info here) for that connection or the connection is
> > closed.
> > You should check the return value of IoCallDriver.
>
> IoCallDriver returns STATUS_PENDING, so I wait for it
> to complete. But when there is no pending data, I
> never see my completion routine getting called.
>
By waiting for the IRP in your dispatch routine, you are making an async
operation synchronous. This is why your process gets “hung”. The cancel
mechanism cannot run because the dispatch routine hasn’t returned status pending.

And about that buffer, the sample from MSDN uses a MAX_PATH-sized buffer.
If you compile your app for Unicode, the actual capacity of the buffer
is 32 wchars.


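The pattern Andrei describes across his two replies (a TDI_RECEIVE IRP stays pending until the transport has data for that connection or the connection closes; the dispatch routine returns whatever IoCallDriver returned instead of waiting on the IRP; the completion routine propagates the pending status upward) as an added example that is not part of the thread and not code from either poster. It is a host-side C model: the IRP layout, the Io* routines and the "transport" below are stand-ins that follow the documented I/O-manager contract closely enough to run the control flow without the WDK; the three NTSTATUS values are the ntstatus.h ones, and the byte counts and scenario names are constructed for the example.

```c
/* Host-side model of the TDI_RECEIVE forwarding pattern discussed in this thread.
 * ASSUMPTION: the IRP layout, the Io* routines and the "transport" below are stand-ins
 * that follow the documented I/O-manager contract so the control flow runs with a plain
 * C compiler; none of it is WDK code or code posted in the thread. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
typedef long NTSTATUS;
#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000L)
#define STATUS_PENDING                 ((NTSTATUS)0x00000103L)
#define STATUS_CONNECTION_DISCONNECTED ((NTSTATUS)0xC000020CL)
enum { LOC_FILTER = 0, LOC_TRANSPORT = 1 };     /* the two stack locations modelled */

typedef struct _IRP IRP;
typedef NTSTATUS (*PIO_COMPLETION_ROUTINE)(IRP *Irp, void *Context);
struct _IRP {
    NTSTATUS Status; size_t Information;       /* IoStatus: status and bytes delivered */
    int CurrentLocation; bool Pending[2];      /* SL_PENDING_RETURNED per stack location */
    bool PendingReturned; bool Completed;      /* PendingReturned is set by IoCompleteRequest */
    PIO_COMPLETION_ROUTINE CompletionRoutine; void *CompletionContext;
};
/* Transport model: one parked receive per connection, plus bytes that arrived early. */
typedef struct { bool Connected; IRP *QueuedReceive; size_t BufferedBytes; } TRANSPORT_CONNECTION;

static void IoSetCompletionRoutine(IRP *Irp, PIO_COMPLETION_ROUTINE Fn, void *Ctx) {
    Irp->CompletionRoutine = Fn; Irp->CompletionContext = Ctx;
}
static void IoMarkIrpPending(IRP *Irp) { Irp->Pending[Irp->CurrentLocation] = true; }
static void IoCompleteRequest(IRP *Irp) {
    /* Completion walks up the stack: the filter sees PendingReturned exactly when the
     * transport marked its own location pending before returning STATUS_PENDING. */
    Irp->PendingReturned = Irp->Pending[LOC_TRANSPORT];
    Irp->CurrentLocation = LOC_FILTER;
    if (Irp->CompletionRoutine) Irp->CompletionRoutine(Irp, Irp->CompletionContext);
    Irp->Completed = true;
}
static void TransportComplete(TRANSPORT_CONNECTION *c, IRP *Irp, NTSTATUS St, size_t Bytes) {
    c->QueuedReceive = NULL; Irp->Status = St; Irp->Information = Bytes; IoCompleteRequest(Irp);
}
static NTSTATUS TransportReceive(TRANSPORT_CONNECTION *c, IRP *Irp) {
    if (!c->Connected) { TransportComplete(c, Irp, STATUS_CONNECTION_DISCONNECTED, 0); return Irp->Status; }
    if (c->BufferedBytes) {               /* data waiting: complete synchronously */
        size_t n = c->BufferedBytes; c->BufferedBytes = 0;
        TransportComplete(c, Irp, STATUS_SUCCESS, n); return Irp->Status;
    }
    IoMarkIrpPending(Irp); c->QueuedReceive = Irp;   /* nothing to deliver: park it */
    return STATUS_PENDING;
}
static NTSTATUS IoCallDriver(TRANSPORT_CONNECTION *Lower, IRP *Irp) {
    Irp->CurrentLocation = LOC_TRANSPORT; return TransportReceive(Lower, Irp);
}
/* Only two events finish a parked receive: data arrival or the connection closing. */
void TransportDataArrived(TRANSPORT_CONNECTION *c, size_t Bytes) {
    if (c->QueuedReceive) TransportComplete(c, c->QueuedReceive, STATUS_SUCCESS, Bytes);
    else c->BufferedBytes += Bytes;       /* no receive posted yet: hold the data */
}
void TransportDisconnect(TRANSPORT_CONNECTION *c) {
    c->Connected = false;
    if (c->QueuedReceive) TransportComplete(c, c->QueuedReceive, STATUS_CONNECTION_DISCONNECTED, 0);
}

/* ---- the filter driver's side ---- */
typedef struct { unsigned Completions; size_t Bytes; NTSTATUS LastStatus; } FILTER_STATS;
static NTSTATUS FilterReceiveComplete(IRP *Irp, void *Context) {
    FILTER_STATS *s = Context;
    if (Irp->PendingReturned) IoMarkIrpPending(Irp);   /* propagate pending upward */
    s->Completions++; s->Bytes += Irp->Information; s->LastStatus = Irp->Status;
    return STATUS_SUCCESS;
}
/* Dispatch shape for TDI_RECEIVE: hook completion, forward, return what the transport
 * returned. No wait here: with nothing buffered the IRP stays parked until data or a
 * disconnect arrives, and a thread blocked in dispatch keeps it from being cancelled. */
NTSTATUS FilterDispatchReceive(TRANSPORT_CONNECTION *Lower, IRP *Irp, FILTER_STATS *s) {
    IoSetCompletionRoutine(Irp, FilterReceiveComplete, s);
    return IoCallDriver(Lower, Irp);
}

/* Scenarios: post one receive on a fresh connection; byte counts are constructed. */
static NTSTATUS Post(TRANSPORT_CONNECTION *c, IRP *Irp, FILTER_STATS *s) {
    memset(Irp, 0, sizeof *Irp); memset(s, 0, sizeof *s);
    return FilterDispatchReceive(c, Irp, s);
}
bool ScenarioNoDataThenArrival(void) {
    TRANSPORT_CONNECTION c = { true, NULL, 0 }; IRP irp; FILTER_STATS s;
    if (Post(&c, &irp, &s) != STATUS_PENDING || irp.Completed || s.Completions) return false;
    TransportDataArrived(&c, 5);
    return irp.Completed && s.Completions == 1 && s.Bytes == 5
        && s.LastStatus == STATUS_SUCCESS && irp.Pending[LOC_FILTER];
}
bool ScenarioNoDataThenDisconnect(void) {
    TRANSPORT_CONNECTION c = { true, NULL, 0 }; IRP irp; FILTER_STATS s;
    if (Post(&c, &irp, &s) != STATUS_PENDING || irp.Completed) return false;
    TransportDisconnect(&c);
    return irp.Completed && s.Completions == 1 && s.Bytes == 0
        && s.LastStatus == STATUS_CONNECTION_DISCONNECTED && irp.Pending[LOC_FILTER];
}
bool ScenarioDataAlreadyBuffered(void) {   /* IoCallDriver returns success, not pending */
    TRANSPORT_CONNECTION c = { true, NULL, 12 }; IRP irp; FILTER_STATS s;
    return Post(&c, &irp, &s) == STATUS_SUCCESS && irp.Completed && s.Bytes == 12
        && !irp.PendingReturned && !irp.Pending[LOC_FILTER];
}
```

In a real filter the same shape is IoCopyCurrentIrpStackLocationToNext, IoSetCompletionRoutine, then `return IoCallDriver(LowerDeviceObject, Irp)`, with the completion routine calling IoMarkIrpPending whenever Irp->PendingReturned is set before it returns STATUS_SUCCESS. ScenarioDataAlreadyBuffered is why the return value of IoCallDriver matters: when the transport already holds data for the connection, the receive completes inside the call and STATUS_PENDING is never seen, so the dispatch routine must not assume it.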