Cancel a Net Buffer Send Request

  • Question

  • Hello, I am writing a filter driver for inspecting network traffic in Hyper-V. I want to block a static IP address via my virtual switch that has that filter driver. Until now I was able to fetch the IP address from the net buffer (NDIS 6.0). Now I was trying to cancel the send request, but when I try to access that IP, my VM crashes showing "irql_not_less_or_equal".

    Here is my code. Please help.

    VOID
    SxNdisSendNetBufferLists(
        NDIS_HANDLE FilterModuleContext,
        PNET_BUFFER_LIST NetBufferLists,
        NDIS_PORT_NUMBER PortNumber,
        ULONG SendFlags
        )
    {
        PSX_SWITCH_OBJECT switchObject = (PSX_SWITCH_OBJECT)FilterModuleContext;

        UNREFERENCED_PARAMETER(PortNumber);

        NET_BUFFER* netBuffer = NET_BUFFER_LIST_FIRST_NB(NetBufferLists);

        ETHERNET_HEADER *pEthHeader;
        IPV4_HEADER *pIPv4Header;
        ULONG DataOffset = 0;

        // Fetch Ethernet Header
        pEthHeader = (ETHERNET_HEADER *)NdisGetDataBuffer(
            netBuffer,
            sizeof(ETHERNET_HEADER),
            NULL, // No storage provided or needed
            1, // No alignment requirement
            0
            );

        // Move DataStart to Start of Outer IPv4 Header
        NdisAdvanceNetBufferDataStart(netBuffer, sizeof(ETHERNET_HEADER), FALSE, NULL);
        DataOffset = sizeof(ETHERNET_HEADER);

        // Fetch IPv4 Header
        pIPv4Header = (IPV4_HEADER *)NdisGetDataBuffer(
            netBuffer,
            sizeof(IPV4_HEADER),
            NULL, // No storage provided or needed
            1, // No alignment requirement
            0
            );
        NdisRetreatNetBufferDataStart(netBuffer, DataOffset, 0, NULL);

        IN_ADDR ipSource = pIPv4Header->SourceAddress;
        IN_ADDR ipDest = pIPv4Header->DestinationAddress;

        UINT8 *src, *dest;

        src = (UINT8 *)&ipSource.s_addr;
        dest = (UINT8 *)&ipDest.s_addr;

        ULONG BlockIp = 2381862708; // Long format ip address for www.ntkernel.com

        ULONG NblIpSource = ipSource.s_addr; // Long format ip address for received NBL

        ULONG NblIpDestination = ipDest.s_addr; // Long format ip address for sent NBL

        if (/*BlockIp == NblIpSource || */BlockIp == NblIpDestination)
        {
            DbgPrint("\nBlocking ..........\n");

            NDIS_SET_NET_BUFFER_LIST_CANCEL_ID(NetBufferLists, &g_ulLocalCancelId);

            NdisFCancelSendNetBufferLists(FilterModuleContext, &g_ulLocalCancelId);
        }
        else
        {
            SxExtStartNetBufferListsIngress(switchObject,
                switchObject->ExtensionContext,
                NetBufferLists,
                SendFlags);
        }
    }


    Wednesday, March 30, 2016 4:20 AM
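
The handler posted above uses the pointers returned by NdisGetDataBuffer without checking them and treats every frame as IPv4. As an added example (not the poster's code and not a kernel-mode fix), this user-mode C routine shows the checks a destination-address filter makes before it reads the address: frame length, EtherType, IPv4 version and header length, then a byte-wise compare in network order. `classify_frame`, `build_frame`, the `V_*` verdicts and the 192.0.2.x test addresses are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14u     /* dst MAC, src MAC, EtherType */
#define ETHERTYPE_IPV4 0x0800u
#define IPV4_MIN_HDR   20u

/* Hypothetical verdicts; the caller decides what to do with V_MALFORMED. */
enum verdict { V_NOT_IPV4, V_PASS, V_DROP, V_MALFORMED };

/* Classify one frame held in a contiguous buffer of len bytes.
 * blocked is the IPv4 address to drop: four bytes in network order. */
enum verdict classify_frame(const uint8_t *frame, size_t len,
                            const uint8_t blocked[4])
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return V_MALFORMED;               /* no complete Ethernet header */

    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return V_NOT_IPV4;                /* ARP, IPv6, VLAN-tagged, ... */

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_len = len - ETH_HDR_LEN;
    if (ip_len < IPV4_MIN_HDR)
        return V_MALFORMED;               /* truncated IPv4 header */

    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;   /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HDR || ihl > ip_len)
        return V_MALFORMED;

    /* Destination address: bytes 16..19 of the IPv4 header. */
    return memcmp(ip + 16, blocked, 4) == 0 ? V_DROP : V_PASS;
}

/* Build a constructed 34-byte Ethernet+IPv4 frame (no payload) for testing. */
size_t build_frame(uint8_t out[34], uint16_t ethertype, const uint8_t dst[4])
{
    memset(out, 0, 34);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)(ethertype & 0xFF);
    out[14] = 0x45;                       /* version 4, IHL 5 */
    memcpy(out + 14 + 16, dst, 4);
    return 34;
}
```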

All replies

  • Please post the output of !analyze from WinDBG

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, March 30, 2016 6:53 PM