none
Possible WFP-Bug (Kernel) in Windows Server 2019 calling WdfRegistryQuery in Callout (extern WDFKEY gParametersKey) RRS feed

  • Question

  • I need to read a DWord from a Callout FWPS_LAYER_INBOUND_TRANSPORT_V4. I do it in Testmode (bcdedit.exe -set TESTSIGNING ON). On my Laptop Windows 10 everything works fine. On my Testserver Windows Server 2019 Standard I can install the driver and also start the service. As soon WdfRegistryQueryULong gets called in the Callout at runtime there is the crash / invalid process attach attempt bluescreen. When I call WdfRegistryQueryULong when the driver loads the same statement works fine. I deactivated Windows Firewall and I have no other protection on my Test-Server. In my view it can just be a Bug in Windows Server 2019 because it worked always on older Windows Versions (since Vista) and it works also on Windows 10. It's very easy to reproduce this. I should put this driver to production in a timely manner for a big company. Need help! Here is my Code:

    extern WDFKEY gParametersKey;
    void transport_classify(
        const FWPS_INCOMING_VALUES* inFixedValues,
        const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
        void* layerData,
        const void* classifyContext,
        const FWPS_FILTER* filter,
        UINT64 flowContext,
        FWPS_CLASSIFY_OUT* classifyOut)
    {

        UNREFERENCED_PARAMETER(inMetaValues);
        UNREFERENCED_PARAMETER(layerData);
        UNREFERENCED_PARAMETER(classifyContext);
        UNREFERENCED_PARAMETER(flowContext);
        UNREFERENCED_PARAMETER(filter);

        UINT32 remote_address = 0;
        
        if (inFixedValues->layerId == FWPS_LAYER_INBOUND_TRANSPORT_V4) {
            remote_address = inFixedValues->incomingValue[FWPS_FIELD_INBOUND_TRANSPORT_V4_IP_REMOTE_ADDRESS].value.uint32;
        }

        if (IsIpPermitted(remote_address)) {
            classifyOut->actionType = FWP_ACTION_PERMIT;
        }
        else {
            classifyOut->actionType = FWP_ACTION_BLOCK;
        }
        return;
    }

    BOOLEAN IsIpPermitted(UINT32 RemoteIPV4)
    {
        NTSTATUS status;
        BOOLEAN permitTraffic = TRUE;

        if (RemoteIPV4 == 0) {
            goto Exit;
        }

        DECLARE_CONST_UNICODE_STRING(valueName, L"NumberOfThings");
        ULONG result;
       

    // Here is the crash (blue screen - attach process-problem)
    status = WdfRegistryQueryULong(gParametersKey, &valueName, &result);
        if (!NT_SUCCESS(status)) {
            permitTraffic = TRUE;
        }
        else
        {
            permitTraffic = FALSE;
        }
        return permitTraffic;
    Exit:
        return TRUE;
    }





    Thursday, March 26, 2020 1:53 PM