WDK Inspect sample

  • Question

  • Hi.

    Is there anything against modifying the WDK "inspect" sample to work for *all* IP-addresses? Means to pend *every* ALE request that arrives, not just for a particular IP-address?


    Thanks
    Frank
    Friday, March 6, 2009 9:02 AM

Answers

  • Indicating 0.0.0.0 during re-auth sounds like a bug. Can you see if you can repro this on Win7 RC build?

    Thanks,
    Biao.W.

    Thursday, May 7, 2009 8:53 AM

All replies

  • Well, take the sample and strip the parts of "Config" and "filterCondition", so that the sample is open for any IP-address.

    Run the modified sample and you will see that for some connections during re-auth, "IsMatchingConnectPacket" can't find the matching pended Connect, because the "Remote address" field of re-auth's "inFixedValues" is zero, which in turn leads to "ASSERT(layerData != NULL)" or to a total hang of the network.

    Why is it zero? How to find the matching pended connect for sure?

    Thank you.
    Wednesday, March 11, 2009 9:52 AM
  • Here's another one for the "inspect" sample:

    On "ALEConnect" during outbound re-auth: why do you queue the re-auth packet to the worker thread for injection? Why don't you inject in place? All functions used for outbound injection can be called at dispatch-level.



    Monday, March 16, 2009 5:05 PM
  • smilish said:

    Hi.

    Is there anything against modifying the WDK "inspect" sample to work for *all* IP-addresses? Means to pend *every* ALE request that arrives, not just for a particular IP-address?


    Thanks
    Frank


    No, you can use the sample however it helps you best. 

    smilish said:

    Well, take the sample and strip the parts of "Config" and "filterCondition", so that the sample is open for any IP-address.

    Run the modified sample and you will see that for some connections during re-auth, "IsMatchingConnectPacket" can't find the matching pended Connect, because the "Remote address" field of re-auth's "inFixedValues" is zero, which in turn leads to "ASSERT(layerData != NULL)" or to a total hang of the network.

    Why is it zero? How to find the matching pended connect for sure?

    Thank you.



    We will have to try to repro in-house and get back to you on this.

    smilish said:

    Here's another one for the "inspect" sample:

    On "ALEConnect" during outbound re-auth: why do you queue the re-auth packet to the worker thread for injection? Why don't you inject in place? All functions used for outbound injection can be called at dispatch-level.





    This is just sample code.  One could do it either way.  When the sample was written, this was thought to be the most common way it would be done.

    Hope this helps



    Dusty Harper [MSFT]
    Tuesday, March 17, 2009 11:04 PM
    Moderator
  • Hi, I have exactly the same problem as smilish.

    The best way to reproduce the problem is:
    1) To take inspect.c
    2) To add a little delay in the function TLInspectWorker:

    void
    TLInspectWorker(
       IN PVOID StartContext
       )

    ...

       while (1)
       {
          KeWaitForSingleObject(
             &gWorkerEvent,
             Executive,
             KernelMode,
             FALSE,
             NULL
             );

          if (gDriverUnloading)
          {
             break;
          }

    /* Debug delay: wait 2 s on an event that is never signaled, so the
       timeout expires. This widens the window between the classify
       pending a connect and the worker completing it. */
    #define CONVERT_MS_TO_100NS(x) ((LONGLONG)(x)*1000*10)
          {
             KEVENT DbgSleepEvt;
             LARGE_INTEGER DbgSleepTime;
             KeInitializeEvent(&DbgSleepEvt, NotificationEvent, FALSE);
             DbgSleepTime.QuadPart = -CONVERT_MS_TO_100NS(1000*2);   /* relative, 2000 ms */
             KdPrint(("=============PRE\n"));
             KeWaitForSingleObject(&DbgSleepEvt, Executive, KernelMode, FALSE, &DbgSleepTime);
             KdPrint(("=============POST\n"));
          }
    ...

    Maybe this trace will help you to understand what's wrong: (look at 0.0.0.0:53)
    [Inspect][s:3AF u:AE8]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:57583; Remote: 192.168.113.9:53
    [Inspect][s:3AF u:AE8]+++ Allocated outbound packet 0x83C49818
    [Inspect][s:3AF u:AE8]Operation marked as pended. Context:0x83C87610; Packet: 0x83C49818 (IRQL:0)
    [Inspect][s:0FF u:A28]=============PRE
    [Inspect][s:3AF u:AE8]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:57583; Remote: 192.168.113.9:53
    [Inspect][s:3AF u:AE8]+++ Allocated outbound packet 0x83ADC2E8
    [Inspect][s:3AF u:AE8]Operation marked as pended. Context:0x837F5C50; Packet: 0x83ADC2E8 (IRQL:0)
    [Inspect][s:DAF u:F98]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:62938; Remote: 192.168.113.9:53
    [Inspect][s:DAF u:F98]+++ Allocated outbound packet 0x837E0BE8
    [Inspect][s:DAF u:F98]Operation marked as pended. Context:0x83A4D3A0; Packet: 0x837E0BE8 (IRQL:0)
    [Inspect][s:0FF u:A28]=============POST
    [Inspect][s:0FF u:A28]packet 0x83C49818 type:0 dir:0 is processing by TLInspectWorker
    [Inspect][s:0FF u:A28]Calling TlInspectCompletePendedConnection for packet 0x83C49818
    [Inspect][s:0FF u:A28]Finalizing pended operation. Context:0x83C87610; Packet: 0x83C49818 (IRQL:0)
    [Inspect][s:3AF u:AE8]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:57583; Remote: 192.168.113.9:53
    [Inspect][s:3AF u:AE8]+++ Allocated outbound packet 0x837C96E0
    [Inspect][s:3AF u:AE8]Operation marked as pended. Context:0x83B12D38; Packet: 0x837C96E0 (IRQL:0)
    [Inspect][s:0FF u:A28]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:57583; Remote: 0.0.0.0:53
    [Inspect][s:0FF u:A28]TLInspectALEConnectClassify detected re-auth
    
    *** Assertion failed: layerData != NULL
    ***   Source File: j:\sdb\tfs\research\sdbinspectoriginal\inspect.c, line 339
    
    Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? i
    i
    [Inspect][s:0FF u:A28]+++ Allocated outbound packet 0x83B2B978
    [Inspect][s:0FF u:A28]--- FreePendedPacket for packet [0x837C96E0 type:0 dir:0 netBuff:83BF1528]
    
    *** Assertion failed: packet->direction == FWP_DIRECTION_INBOUND
    ***   Source File: j:\sdb\tfs\research\sdbinspectoriginal\utils.c, line 276
    
    Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? i
    i
    [Inspect][s:0FF u:A28]Detected outgoing connection: Proto: 17; Local: 192.168.113.10:57583; Remote: 0.0.0.0:53
    [Inspect][s:0FF u:A28]TLInspectALEConnectClassify detected re-auth
    
    *** Assertion failed: layerData != NULL
    ***   Source File: j:\sdb\tfs\research\sdbinspectoriginal\inspect.c, line 339
    
    Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? i
    i
    [Inspect][s:0FF u:A28]+++ Allocated outbound packet 0x83C53160
    [Inspect][s:0FF u:A28]--- FreePendedPacket for packet [0x837C96E0 type:0 dir:0 netBuff:83BF1528]
    
    *** Assertion failed: packet->direction == FWP_DIRECTION_INBOUND
    ***   Source File: j:\sdb\tfs\research\sdbinspectoriginal\utils.c, line 276
    
    Break repeatedly, break Once, Ignore, terminate Process, or terminate Thread (boipt)? i
    i
    [Inspect][s:EC8 u:000]Detected incoming connection: Proto: 17; Local: 192.168.113.255:138; Remote: 192.168.113.52:138
    [Inspect][s:EC8 u:000]+++ Allocated inbound packet 0x837AA948
    *** Fatal System Error: 0x000000c2 (0x00000007,0x0000110B,0x0811000A,0x837C96E0)
    [Inspect][s:EC8 u:000]Operation marked as pended. Context:0x83AC4B78; Packet: 0x837AA948 (IRQL:2)
    Break instruction exception - code 80000003 (first chance)
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    Tuesday, April 28, 2009 1:32 PM
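    The following is an added example, not code from the WDK inspect sample or from any poster in this thread. It is a user-mode C model of the pended-connect list as it stands in the trace above when the re-auth for 192.168.113.10:57583 -> 0.0.0.0:53 arrives (two pended connects for local port 57583, one for 62938; the addresses and packet values are copied from the trace). The strict 5-tuple comparison, which is the logic IsMatchingConnectPacket applies, finds nothing once the remote address is zero. A hypothetical tolerant lookup (my construction, not the sample's) treats 0.0.0.0 as "unknown" but only accepts a result when the remaining fields select exactly one pended connect; for port 57583 it still refuses, because two connects share that socket and nothing in the classify values tells them apart. The practical point is that a failed match has to be handled by the caller rather than asserted through: the tail of the trace shows FreePendedPacket run twice for 0x837C96E0, followed by a 0xC2 bugcheck whose last parameter is that same address.

```c
#include <stdint.h>
#include <stdio.h>

/* One pended outbound connect as the inspect sample keeps it: the 5-tuple
 * from inFixedValues plus the packet it allocated. packetId stands in for
 * the kernel pointer printed in the trace. */
typedef struct {
    uint8_t   proto;
    uint32_t  localAddr;    /* IPv4 in host byte order */
    uint16_t  localPort;
    uint32_t  remoteAddr;
    uint16_t  remotePort;
    uintptr_t packetId;
} PendedConnect;

#define IPV4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed from the trace in the thread: the pended list at the moment the
 * re-auth for 192.168.113.10:57583 -> 0.0.0.0:53 is classified. */
static const PendedConnect gPended[] = {
    { 17, IPV4(192,168,113,10), 57583, IPV4(192,168,113,9), 53, 0x83ADC2E8 },
    { 17, IPV4(192,168,113,10), 57583, IPV4(192,168,113,9), 53, 0x837C96E0 },
    { 17, IPV4(192,168,113,10), 62938, IPV4(192,168,113,9), 53, 0x837E0BE8 },
};
#define NUM_PENDED (sizeof gPended / sizeof gPended[0])

/* Strict 5-tuple comparison, the logic the sample's IsMatchingConnectPacket
 * applies. A zeroed remote address never equals the real one. */
static int IsMatchingConnectStrict(const PendedConnect *p, const PendedConnect *r)
{
    return p->proto == r->proto
        && p->localAddr == r->localAddr && p->localPort == r->localPort
        && p->remoteAddr == r->remoteAddr && p->remotePort == r->remotePort;
}

/* Hypothetical tolerant lookup (not the sample's code): a remote address of
 * 0.0.0.0 is treated as unknown and left out of the comparison, but the
 * result is accepted only if the remaining fields select exactly one pended
 * connect. Returns that connect's packetId, or 0 when there is no match or
 * the candidates are ambiguous; *candidates receives the match count. */
static uintptr_t FindPendedConnect(const PendedConnect *r, int tolerateZeroRemote,
                                   size_t *candidates)
{
    uintptr_t found = 0;
    size_t n = 0;
    for (size_t i = 0; i < NUM_PENDED; i++) {
        const PendedConnect *p = &gPended[i];
        int match;
        if (tolerateZeroRemote && r->remoteAddr == 0) {
            match = p->proto == r->proto
                 && p->localAddr == r->localAddr && p->localPort == r->localPort
                 && p->remotePort == r->remotePort;
        } else {
            match = IsMatchingConnectStrict(p, r);
        }
        if (match) {
            n++;
            found = p->packetId;
        }
    }
    if (candidates) *candidates = n;
    return n == 1 ? found : 0;   /* refuse to guess between several connects */
}

int main(void)
{
    /* The re-auth classify values from the trace, remote address zeroed. */
    PendedConnect reauth = { 17, IPV4(192,168,113,10), 57583, 0, 53, 0 };
    size_t n;
    uintptr_t id;

    id = FindPendedConnect(&reauth, 0, &n);
    printf("strict:   %zu candidate(s), packet 0x%lX\n", n, (unsigned long)id);
    id = FindPendedConnect(&reauth, 1, &n);
    printf("tolerant: %zu candidate(s), packet 0x%lX\n", n, (unsigned long)id);

    /* A socket with a single pended connect is still identifiable. */
    reauth.localPort = 62938;
    id = FindPendedConnect(&reauth, 1, &n);
    printf("tolerant, port 62938: %zu candidate(s), packet 0x%lX\n", n, (unsigned long)id);
    return 0;
}
```

    Run stand-alone it prints 0 candidates for the strict lookup, 2 candidates and no result for the tolerant lookup on port 57583, and the unique packet 0x837E0BE8 for port 62938. The wildcard fallback is only safe because it returns nothing on ambiguity; a caller that then skips the re-auth instead of dereferencing a missing layerData avoids both the assertion and the double free in the trace.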
  • Hi, I have exactly the same problem as smilish.

    The best way to reproduce the problem is:
    1) To take inspect.c
    2) To add a little delay in the function TLInspectWorker:
    I noticed that the bug can be reproduced on Windows Vista SP1 with Windows Firewall turned on.
    The bug can't be reproduced on Windows Vista SP1 with Windows Firewall turned off.
    The bug can't be reproduced on Windows 2008 with or without Windows Firewall.

    Seems to be the problem is in Windows Firewall?! Maybe this bug will be fixed in Windows Vista SP2?
    Wednesday, April 29, 2009 1:56 PM