[WFP] about WdfRequestRetrieveOutputBuffer() for user send buffer.

Thanks to all the people who replied to my thread!
Now I'm trying again to copy data between the user app <-> WFP driver.
When I send DeviceIoControl() from the user application, the WFP driver responds to
"MONITOR_IOCTL_GET_EVENT", but I can't handle &networkEvent.

my code flow is like this.

  1. user-application sends deviceio code

typedef struct _NETWORK_EVENT
{
    TIME_FIELDS time;
    ULONG localAddr;
    ULONG remoteAddr;
    USHORT localPort;
    USHORT remotePort;
    USHORT ipProto;
    BOOLEAN inoutBound;
    ULONG processId;
    WCHAR procPath[1024];
} NETWORK_EVENT;

ZeroMemory(&networkEvent, sizeof(NETWORK_EVENT));

DeviceIoControl(
    monitorDevice,
    MONITOR_IOCTL_GET_EVENT,
    0,                      // no input buffer
    0,                      // input buffer size
    &networkEvent,          // output buffer
    sizeof(NETWORK_EVENT),  // output buffer size
    &dwBytesReturned,
    NULL
    );

  2. wfp driver receives ioctl code

VOID
MonitorEvtDeviceControl (
    _In_ WDFQUEUE Queue,
    _In_ WDFREQUEST Request,
    _In_ size_t OutputBufferLength,
    _In_ size_t InputBufferLength,
    _In_ ULONG IoControlCode
    )
{
    NTSTATUS status = STATUS_SUCCESS;

    switch (IoControlCode)
    {
    case MONITOR_IOCTL_GET_EVENT:
    {
        DbgPrint("Get IOCTL event: MONITOR_IOCTL_GET_EVENT from user-application \n");

        NTSTATUS rstatus;
        NETWORK_EVENT pOutBuffer;
        size_t bufSize;

        // Ask the framework for the request's output buffer.
        rstatus = WdfRequestRetrieveOutputBuffer(Request, sizeof(NETWORK_EVENT), &pOutBuffer, &bufSize);
        if (!NT_SUCCESS(rstatus))
        {
            DbgPrint("Could not get request memory buffer status: %X\n", rstatus);
            status = STATUS_INVALID_PARAMETER;

            break;
        }
        MonitorSendNetworEventToUserApp(pOutBuffer);

        break;
    }
    default:
    {
        status = STATUS_INVALID_PARAMETER;
    }
    }

    WdfRequestComplete(Request, status);
}

NTSTATUS MonitorSendNetworEventToUserApp(_Inout_ NETWORK_EVENT networkEvent)
{
    DbgPrint("Enterd MonitorSendNetworEventToUserApp function\n");
    KLOCK_QUEUE_HANDLE lockHandle;
    NTSTATUS status;

    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    if (!IsListEmpty(&flowContextList))
    {
        FLOW_DATA* flowContext;
        LIST_ENTRY* entry;

        // Take the oldest queued flow record off the list.
        entry = RemoveHeadList(&flowContextList);
        flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);

        // Copy the flow record into the event structure.
        networkEvent.inoutBound = flowContext->inoutBound;
        networkEvent.ipProto = flowContext->ipProto;
        networkEvent.localAddr = flowContext->localAddressV4;
        networkEvent.localPort = flowContext->localPort;
        networkEvent.remoteAddr = flowContext->remoteAddressV4;
        networkEvent.remotePort = flowContext->remotePort;
        networkEvent.processId = flowContext->processId;
        RtlCopyBytes(networkEvent.procPath, flowContext->processPath, 1024);
        networkEvent.time = flowContext->time;
        RtlCopyMemory(pOutBuffer, pNetworkEvent, sizeof(NETWORK_EVENT));

    }
    else
    {
        DbgPrint("list is empty!");
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    return STATUS_SUCCESS;
}

When I check the networkEvent structure values like this:

DbgPrint("%04d/%02d/%02d %2.2d:%2.2d:%2.2d Connection - proto: [%d] %lx:%d(L) <-> %lx:%d(R), pid:%i, procPath: %S\n",
    networkEvent.time.Year,
    networkEvent.time.Month,
    networkEvent.time.Day,
    networkEvent.time.Hour,
    networkEvent.time.Minute,
    networkEvent.time.Second,
    networkEvent.ipProto,
    networkEvent.localAddr,
    networkEvent.localPort,
    networkEvent.remoteAddr,
    networkEvent.remotePort,
    networkEvent.processId,
    networkEvent.procPath);

All values are fine, but the user application doesn't receive the networkEvent values.
I think I'm missing something, but I don't know what I should do.

in NTSTATUS MonitorSendNetworEventToUserApp(_Inout_ NETWORK_EVENT networkEvent)

RtlCopyMemory(pOutBuffer, pNetworkEvent, sizeof(NETWORK_EVENT)); --> // RtlCopyMemory(pOutBuffer, pNetworkEvent, sizeof(NETWORK_EVENT));

Please read the MSDN topic "Completing I/O Requests", paying particular
attention to the discussion about setting information such as the number of
bytes to be transferred to user application:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff540740(v=vs.85).aspx

IOW: You may have filled in the output buffer correctly, but you have not
specified the number of output bytes that should actually be transferred
back to the application.

Thomas F. Divine
http://www.pcausa.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, June 1, 2014 9:03 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] [WFP] about WdfRequestRetrieveOutputBuffer() for user send
buffer.

NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Retrieval of the output buffer should look like this, not the struct itself

PNETWORK_EVENT pOutBuffer;
size_t bufSize;

rstatus = WdfRequestRetrieveOutputBuffer(Request, sizeof(NETWORK_EVENT), (PVOID *)&pOutBuffer, &bufSize);

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 6/1/2014 6:03 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] [WFP] about WdfRequestRetrieveOutputBuffer() for user send buffer.


Thanks for the reply, Thomas Divine.

I'll try WdfRequestCompleteWithInformation() instead of WdfRequestComplete().

Thanks for the reply, Doron Holan.

I must be more attentive and more careful.
I read this function many times… omg

Buffer [out]
A pointer to a location that receives the buffer's address.
(by msdn - http://msdn.microsoft.com/en-us/library/windows/hardware/ff550018(v=vs.85).aspx)
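
The two corrections from the replies above (a pointer variable to receive the buffer address, and a byte count reported at completion), modelled in portable user-mode C. This is an added example, not code from the thread or from WDF: `REQUEST`, `retrieve_output_buffer`, `complete` and the trimmed `NET_EVENT` are hypothetical stand-ins, and the sample flow values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the thread's NETWORK_EVENT (fields trimmed). */
typedef struct {
    uint32_t localAddr, remoteAddr, processId;
    uint16_t localPort, remotePort;
} NET_EVENT;

/* Hypothetical model of one buffered IOCTL: the I/O manager owns sysbuf and,
 * at completion, copies `information` bytes of it back to the caller. */
typedef struct {
    unsigned char sysbuf[sizeof(NET_EVENT)];
    size_t out_len;      /* nOutBufferSize passed to DeviceIoControl  */
    size_t information;  /* byte count the driver reports on complete */
} REQUEST;

/* Plays the role of WdfRequestRetrieveOutputBuffer: it stores the buffer's
 * ADDRESS through `buf`, so the caller must pass the address of a pointer. */
static int retrieve_output_buffer(REQUEST *r, size_t min_len, void **buf)
{
    if (r->out_len < min_len)
        return -1;                      /* caller's buffer is too small */
    *buf = r->sysbuf;
    return 0;
}

/* Plays the role of request completion; the return value is what the
 * application would see in lpBytesReturned. */
static size_t complete(const REQUEST *r, void *user)
{
    size_t n = r->information < r->out_len ? r->information : r->out_len;
    memcpy(user, r->sysbuf, n);
    return n;
}

static void fill(NET_EVENT *ev)         /* constructed sample flow */
{
    memset(ev, 0, sizeof(*ev));         /* no stale bytes in the reply */
    ev->localAddr = 0x0A000001u; ev->remoteAddr = 0x0A000002u;
    ev->localPort = 49152; ev->remotePort = 443; ev->processId = 2084;
}

/* Mirrors the posted handler: fills a private struct, reports no byte count. */
size_t handler_as_posted(NET_EVENT *user, size_t user_len)
{
    REQUEST r = { {0}, user_len, 0 };
    NET_EVENT local;                    /* a copy, not the request buffer */
    fill(&local);
    return complete(&r, user);          /* completion without information */
}

/* Both fixes: write through the retrieved pointer, then report the size. */
size_t handler_fixed(NET_EVENT *user, size_t user_len)
{
    REQUEST r = { {0}, user_len, 0 };
    void *out = NULL;
    NET_EVENT ev;
    if (retrieve_output_buffer(&r, sizeof(NET_EVENT), &out) == 0) {
        fill(&ev);
        memcpy(out, &ev, sizeof(ev));
        r.information = sizeof(ev);     /* exactly the bytes written */
    }
    return complete(&r, user);
}
```

Reporting exactly the number of bytes written matters in both directions: too few and the application sees nothing, too many and it receives whatever else was in the buffer.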

Hmm… I have a problem.

BSOD - analysis here.

TRAP_FRAME: fffff8800d149360 – (.trap 0xfffff8800d149360)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000146a84125022 rbx=0000000000000000 rcx=fffff880084db060
rdx=fffffa8013e71ad8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880084d77f8 rsp=fffff8800d1494f0 rbp=fffff8800d1496b0
r8=0000146a84125022 r9=0000000000000003 r10=654e646e6553726f
r11=000000000000000c r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
msnmntr!RemoveHeadList+0x78:
fffff880084d77f8 48894808 mov qword ptr [rax+8],rcx ds:0000146a8412502a=???
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80003287169 to fffff80003287bc0

STACK_TEXT:
fffff8800d149218 fffff80003287169 : 000000000000000a 0000146a8412502a 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff8800d149220 fffff80003285de0 : fffffa8013e71ad8 0000146a84125022 0000000000000003 fffffa80139681d0 : nt!KiBugCheckDispatch+0x69
fffff8800d149360 fffff880084d77f8 : fffff880084db060 fffffa8013e71ad8 0000146a84125022 fffff80000000001 : nt!KiPageFault+0x260
fffff8800d1494f0 fffff880084d75fc : fffff880084db060 fffffa80139681d0 fffffa80137ee3f0 fffff8800d1494f0 : msnmntr!RemoveHeadList+0x78 [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]
fffff8800d149530 fffff880084d7a33 : fffffa80140ef7c0 0000000000000824 fffff8800d149620 fffff8800d149640 : msnmntr!MonitorSendNetworEventToUserApp+0x4c [d:\project\test\akama\windows filtering platform msn messenger monitor sample\c++\sys\msnmntr.c @ 728]
fffff8800d1495a0 fffff88000ed0b7c : 0000057fec3bbfd8 0000057fec697e28 0000000000000824 0000000000000000 : msnmntr!MonitorEvtDeviceControl+0x133 [d:\project\test\akama\windows filtering platform msn messenger monitor sample\c++\sys\ctl.c @ 141]
fffff8800d149670 fffff88000ed01ff : fffffa8013c44000 fffffa8000000000 fffffa8013c44020 fffffa801356e6e8 : Wdf01000!FxIoQueue::DispatchRequestToDriver+0x488
fffff8800d1496f0 fffff88000edb2fb : fffffa80137ee3f0 fffffa8013968100 0000000000000000 fffffa80139681d0 : Wdf01000!FxIoQueue::DispatchEvents+0x66f
fffff8800d149770 fffff88000ed151a : fffffa80137ee300 fffffa80139681d0 fffffa80139ba5e0 fffff8800d149850 : Wdf01000!FxIoQueue::QueueRequest+0x2ab
fffff8800d1497e0 fffff88000ecd79a : fffffa80139681d0 fffffa80139ba5e0 fffff8800d149b60 fffffa80139ba5e0 : Wdf01000!FxPkgIo::Dispatch+0x4da
fffff8800d149850 fffff88000ecd866 : fffffa80139ba5e0 fffff8800d149b60 fffffa8013cb2e10 0000000000000001 : Wdf01000!FxDevice::Dispatch+0x19a
fffff8800d149890 fffff800035a4e67 : fffffa80139f5270 fffff8800d149b60 fffffa80139f5270 fffffa80139ba5e0 : Wdf01000!FxDevice::DispatchWithLock+0xa6
fffff8800d1498d0 fffff800035a56c6 : fffff683ff7d3a01 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x607
fffff8800d149a00 fffff80003286e53 : fffffa801297c4b0 fffff8800d149b60 0000000000000003 0000098000000000 : nt!NtDeviceIoControlFile+0x56
fffff8800d149a70 0000000076d9132a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000000405ea88 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x76d9132a

STACK_COMMAND: kb

FOLLOWUP_IP:
msnmntr!RemoveHeadList+78 [c:\program files (x86)\windows kits\8.1\include\km\wdm.h @ 9564]
fffff880`084d77f8 48894808 mov qword ptr [rax+8],rcx

FAULTING_SOURCE_LINE: c:\program files (x86)\windows kits\8.1\include\km\wdm.h

FAULTING_SOURCE_FILE: c:\program files (x86)\windows kits\8.1\include\km\wdm.h

FAULTING_SOURCE_LINE_NUMBER: 9564

FAULTING_SOURCE_CODE:
9560: (PVOID)NextEntry);
9561: }
9562:
9563: ListHead->Flink = NextEntry;

9564: NextEntry->Blink = ListHead;
9565:
9566: return Entry;
9567: }
9568:
9569: FORCEINLINE

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: msnmntr!RemoveHeadList+78

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msnmntr

IMAGE_NAME: msnmntr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 538c1422

FAILURE_BUCKET_ID: X64_0xD1_msnmntr!RemoveHeadList+78

BUCKET_ID: X64_0xD1_msnmntr!RemoveHeadList+78

msnmntr!RemoveHeadList+0x78: <— before this function I checked whether the list is empty.

if (!IsListEmpty(&flowContextList))
{

}

By the way, the BSOD shows the code IRQL_NOT_LESS_OR_EQUAL??

Looks like you have some basic ‘C’ pointer manipulation problem. You need to
review your code for basic ‘C’ bugs. Stepping through the code with WinDbg
in the area where that bug occurred is a thought.

Good luck!

Thomas F. Divine
http://www.pcasua.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, June 2, 2014 3:03 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] [WFP] about WdfRequestRetrieveOutputBuffer() for user
send buffer.


Thanks for the reply, Thomas F. Divine.

I'll try debugging!

Thanks again!

Hmm… I have another question:
how do I programmatically install a WFP driver without an INF file?
If there is no way, then how should I install the INF file from my program?

Maybe… use the ShellExecute function? argv is %SystemRoot%\System32\InfDefaultInstall.exe ~.inf ?

xxxxx@gmail.com wrote:

Hmm… I have another question:
how do I programmatically install a WFP driver without an INF file?
If there is no way, then how should I install the INF file from my program?

Maybe… use the ShellExecute function? argv is %SystemRoot%\System32\InfDefaultInstall.exe ~.inf ?

You’re overthinking this. A WFP callout driver is just a normal legacy
driver. To install one, you need two steps:

  1. Copy the sys file into place
  2. Create a service to point to that file

There are many ways to accomplish those two tasks. Using an INF file
with [DefaultInstall], you can call InstallHinfSection directly. You
can invoke InfDefaultInstall. You can use ShellExecute to execute the
“install” verb on your INF file. Or, you can skip the INF file, and
write a batch file to call Copy and “sc create”. Or, you can write your
own application to call CopyFile and CreateService.

A [DefaultInstall] INF file is not magic. It’s basically a batch file
with different spelling.

(By the way, InfDefaultInstall is an absolutely trivial application that
does nothing except call InstallHinfSection. It’s just a nicer-looking
way to do “rundll32 setupapi.dll,InstallHinfSection DefaultInstall 132
xxxx.inf”. In fact, if you look at the executable, you’ll see that
string in there.)


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for the reply, Tim Roberts!

Yes, you're right. A WFP callout driver is just a normal legacy driver.
I'll try to use "CreateService()". Thanks a lot, and have a nice day, all.