Question

I'm trying to write a legacy filter-hook driver that works like a firewall: it looks at the destination port and blocks the packet. But when packets are sent, the dispatch routine isn't called.

Register dispatch:

/* Routes IRP_MJ_DEVICE_CONTROL (IOCTL) requests sent to this driver's own
 * device object to DrvDispatch. This only registers an IRP dispatch routine;
 * the accepted answer on this page points out that a filter-hook callback
 * must be registered separately. */
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatch;

Start ipfilter driver:

C:\Users\unnamed>net start ipfilterdriver

After that, I launch the driver under the debugger via Visual DDK. The driver loads successfully, but the breakpoint in the dispatch routine is never reached. What am I doing wrong?

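/*
 * DriverEntry - driver initialization routine.
 *
 * Creates the named control device \Device\driver10, exposes it to user mode
 * through the \DosDevices\driver10 symbolic link, and installs the IRP
 * dispatch routines and the unload routine.
 *
 * DriverObject  - driver object for this driver.
 * RegistryPath  - the driver's registry path (not used here).
 *
 * Returns the status of the last initialization step, or
 * STATUS_UNEXPECTED_IO_ERROR when no device object was created.
 *
 * NOTE(review): nothing in this routine registers a filter-hook callback with
 * the system IP filter driver, so no packet is ever handed to this driver;
 * DrvDispatch only sees IRPs sent to the device created below. A legacy
 * filter-hook driver registers its callback by sending
 * IOCTL_PF_SET_EXTENSION_POINTER (with a PF_SET_EXTENSION_HOOK_INFO that names
 * the callback) to the IP filter driver's device, and must clear the hook the
 * same way, with a NULL pointer, before it unloads; otherwise the IP filter
 * driver is left holding a pointer into unloaded code.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
{
    UNICODE_STRING DeviceName,Win32Device;
    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS status;
    unsigned i;

    RtlInitUnicodeString(&DeviceName,L"\\Device\\driver10");
    RtlInitUnicodeString(&Win32Device,L"\\DosDevices\\driver10");

    /* Every major function gets the default handler first; the three that
     * this driver services are overridden once the device exists. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        DriverObject->MajorFunction[i] = driver1DefaultHandler;

    /*
     * FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device object's
     * security descriptor to every open request in the device's namespace
     * (\Device\driver10\<anything>), not only to opens of the device itself.
     *
     * NOTE(review): IoCreateDevice still assigns a default security
     * descriptor. A device that controls packet filtering should restrict
     * who may open it, e.g. by creating it with IoCreateDeviceSecure and an
     * SDDL string limited to SYSTEM and Administrators.
     */
    status = IoCreateDevice(DriverObject, 0, &DeviceName,
                 FILE_DEVICE_DRVFLTIP, FILE_DEVICE_SECURE_OPEN, FALSE,
                 &DeviceObject);
    if (NT_SUCCESS(status)) {
        status = IoCreateSymbolicLink(&Win32Device, &DeviceName);
        if (!NT_SUCCESS(status))
            dprintf("DrvFltIp.SYS: IoCreateSymbolicLink failed\n");

        DriverObject->MajorFunction[IRP_MJ_CREATE]         = DrvDispatch;
        DriverObject->MajorFunction[IRP_MJ_CLOSE]          = DrvDispatch;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatch;
        DriverObject->DriverUnload = driver1Unload;
    }

    if (!NT_SUCCESS(status)) {
        /* The I/O manager does not call DriverUnload when DriverEntry fails,
         * so cleanup is invoked by hand.
         * NOTE(review): driver1Unload is defined elsewhere; this path is also
         * taken when IoCreateDevice itself failed, so confirm that it
         * tolerates a driver object without a device. */
        dprintf("Error in initialization. Unloading...");
        driver1Unload(DriverObject);
    }

    if (!DeviceObject)
        return STATUS_UNEXPECTED_IO_ERROR;

    /* DO_DEVICE_INITIALIZING does not need to be cleared here: the I/O
     * manager clears it for device objects created inside DriverEntry. */
    DbgPrint("Driver started\n");
    return status;
}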
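/*
 * DrvDispatch - dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL requests sent to this driver's device object.
 *
 * DeviceObject - target device object (not used here).
 * Irp          - the request; it is completed before this routine returns.
 *
 * Returns the status the IRP was completed with: STATUS_SUCCESS for the three
 * handled major functions, STATUS_INVALID_DEVICE_REQUEST for anything else.
 *
 * This routine is reached only through IRPs aimed at the driver's own device;
 * it logs the request type and does no packet filtering.
 */
NTSTATUS DrvDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    /* Declarations come before the first statement so the routine also
     * builds with compilers that accept only C89 declaration placement. */
    PIO_STACK_LOCATION  irpStack;
    NTSTATUS            ntStatus;

    dprintf("DrvDispatch called\n");

    Irp->IoStatus.Status      = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    irpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        dprintf("DrvFltIp.SYS: IRP_MJ_CREATE\n");
        break;

    case IRP_MJ_CLOSE:
        dprintf("DrvFltIp.SYS: IRP_MJ_CLOSE\n");
        break;

    case IRP_MJ_DEVICE_CONTROL:
        /* Every control code is currently accepted and completed with
         * success. Once real IOCTLs are added, check the control code and
         * the input/output buffer lengths from the stack location before
         * reading or writing the request buffer. */
        dprintf("DrvFltIp.SYS: IRP_MJ_DEVICE_CONTROL\n");
        break;

    default:
        /* Not expected with the routing set up in DriverEntry; fail the
         * request instead of reporting success for an unhandled type. */
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    /* Capture the status first: the IRP must not be touched after
     * IoCompleteRequest returns. */
    ntStatus = Irp->IoStatus.Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ntStatus;
}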

Solution

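I just forgot to register the filter-hook callback function in DriverEntry; see "Registering and Clearing a Filter Hook". The dispatch routine only receives IRPs sent to the driver's own device object, so it is never called for network packets; packets reach the driver only through the registered filter-hook callback.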

Licensed under: CC-BY-SA with attribution