Can I add a new filter while the driver is working?

  • Question

  • Hi

    I want to know if I can add a new filter while the driver is working.
    At the start of the driver I open an engine handle, start a transaction, register the callout and add a filter, and up to here everything works perfectly. But while my driver is checking packets I decide to add a new filter to block traffic from a specific IP. Can I do this?
    I try to use the same engine handle that I used at the start, and I did not close the engine or abort the transaction until unloading the driver. This way there is no problem as long as I do not add a new filter, but when I try to add a filter I get an exception with a blue screen.
    What is the problem? Should I use a new engine handle and a new session? Or is adding a filter while a packet is pending impossible?

    Saturday, September 8, 2012 6:15 PM

All replies

  • Yes, you can add a filter while the driver is processing NBLs.  Can you provide a stack dump? 

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Saturday, September 8, 2012 9:11 PM
    Moderator
  • Do you mean this?

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 9e420b0d, The address that the exception occurred at
    Arg3: 99eb1b54, Exception Record Address
    Arg4: 99eb1730, Context Record Address

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    NONPNP+1b0d
    9e420b0d 8902            mov     dword ptr [edx],eax

    EXCEPTION_RECORD:  99eb1b54 -- (.exr 0xffffffff99eb1b54)
    ExceptionAddress: 9e420b0d (NONPNP+0x00001b0d)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 00000000
    Attempt to write to address 00000000

    CONTEXT:  99eb1730 -- (.cxr 0xffffffff99eb1730)
    eax=1febb610 ebx=00000000 ecx=585c885c edx=00000000 esi=85ad8940 edi=00000000
    eip=9e420b0d esp=99eb1c1c ebp=99eb1d0c iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    NONPNP+0x1b0d:
    9e420b0d 8902            mov     dword ptr [edx],eax  ds:0023:00000000=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  NULL_DEREFERENCE

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  00000000

    WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82db3848
    Unable to read MiSystemVaType memory at 82d92e20
     00000000

    FOLLOWUP_IP:
    NONPNP+1b0d
    9e420b0d 8902            mov     dword ptr [edx],eax

    BUGCHECK_STR:  0x7E

    LAST_CONTROL_TRANSFER:  from 9e4207d4 to 9e420b0d

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    99eb1d0c 9e4207d4 0c0a85fa 000100a6 00000020 NONPNP+0x1b0d
    99eb1d50 82e5305e 00000000 bc50e120 00000000 NONPNP+0x17d4
    99eb1d90 82cfb119 9e420760 00000000 00000000 nt!PspSystemThreadStartup+0x9e
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19

    Saturday, September 8, 2012 9:51 PM
  • It's a NULL pointer dereference.  In your KD, run !analyze -v

    If you provide a memory dump, I can assist you in debugging this.


    Dusty Harper [MSFT]
    Microsoft Corporation


    Sunday, September 9, 2012 2:46 AM
    Moderator
  • Thank you Dusty, I caught my mistake. But now I want to add filters, each one to block a specific IP, and I have a basic filter which allows all traffic. What should the weight be for the basic filter and for the new ones?
    The filtering is on INBOUND_IPPACKET_V4.
    Sunday, September 9, 2012 4:56 PM
  • The first thing I see is your TransactionBegin / TransactionCommit calls.  For this code those are a waste of processing.  Individual APIs are themselves transactional.  The only time the Transaction APIs are beneficial is if you are making multiple calls (i.e. adding multiple filters).  You should remove those API calls.



    Dusty Harper [MSFT]
    Microsoft Corporation

    Sunday, September 9, 2012 8:10 PM
    Moderator
  • I don't understand how this is related to my question. But what I do is open a transaction when the driver starts to register callouts, add one filter and add a sublayer, and I don't call TransactionAbort() or close the handle until the driver unloads. I use this approach because when I tried to open a new engine with a new session I got an error related to the firewall when I tried to add a filter, so I use the same engine handle and the same session and the new filter is added successfully.

    So now, what about the weights of the filters? The first filter catches everything in INBOUND_IPPACKET_V4 and the callout terminates, but I need a filter that blocks a specific IP in the same layer and sublayer, so the second filter's weight should be higher than the first:

    filter 1 (allow everything):

    filter.weight.type = FWP_UINT8;
    filter.weight.uint8 = 0x01;

    filter 2 (block a specific IP):

    filter.weight.type = FWP_UINT8;
    filter.weight.uint8 = 0x0F;

    Is this right?

    Sunday, September 9, 2012 9:27 PM
  • When arbitrated, the most specific filter that matches the traffic will win.  This means that you don't need to muck with your weights.  However, as a general rule, yes: weight the block-all filter as the lowest weight, and the more specific ones as higher weights.

    The documentation for filter arbitration should help you out: http://msdn.microsoft.com/en-us/library/windows/desktop/aa364008(v=vs.85).aspx

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Sunday, September 9, 2012 11:22 PM
    Moderator
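The runtime "block this IPv4 address" filter discussed in the weight question and in the arbitration reply, as an added example that is not code from the thread: it adds one filter at FWPM_LAYER_INBOUND_IPPACKET_V4 on an engine handle that is already open, with a weight above the allow-all filter's 0x01, and wraps the single add in a transaction that is aborted on failure so the handle stays usable. It assumes the driver's sublayer GUID (g_SublayerKey) was registered at load time and that any load-time transaction was already committed; it needs the WDK headers and runs only inside a kernel-mode driver.

```c
#include <ntddk.h>
#define INITGUID
#include <guiddef.h>
#include <fwpsk.h>
#include <fwpmk.h>

/* Assumed: the sublayer this driver registered at load time. */
extern const GUID g_SublayerKey;

/*
 * Block inbound IPv4 packets whose remote address equals ipv4
 * (host byte order, which is what a FWP_UINT32 address condition expects).
 * Returns the new filter id through filterIdOut on success.
 */
NTSTATUS AddBlockRemoteIpFilter(HANDLE engine, UINT32 ipv4, UINT64 *filterIdOut)
{
    FWPM_FILTER0 filter = {0};
    FWPM_FILTER_CONDITION0 cond = {0};
    NTSTATUS status;

    cond.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    cond.matchType = FWP_MATCH_EQUAL;
    cond.conditionValue.type = FWP_UINT32;
    cond.conditionValue.uint32 = ipv4;

    filter.displayData.name = L"Block inbound from one IPv4 address (runtime)";
    filter.layerKey = FWPM_LAYER_INBOUND_IPPACKET_V4;
    filter.subLayerKey = g_SublayerKey;
    filter.action.type = FWP_ACTION_BLOCK;   /* a plain block needs no callout */
    filter.numFilterConditions = 1;
    filter.filterCondition = &cond;
    /* Relative weight in the sublayer: above the allow-all filter's 0x01. */
    filter.weight.type = FWP_UINT8;
    filter.weight.uint8 = 0x0F;

    /* One transaction around the add; abort on any failure so the shared
       engine handle is not left with a transaction in progress. */
    status = FwpmTransactionBegin0(engine, 0);
    if (!NT_SUCCESS(status)) return status;

    status = FwpmFilterAdd0(engine, &filter, NULL, filterIdOut);
    if (NT_SUCCESS(status)) status = FwpmTransactionCommit0(engine);
    if (!NT_SUCCESS(status)) FwpmTransactionAbort0(engine);
    return status;
}
```

Because a single FwpmFilterAdd0 is already transactional, the Begin/Commit pair here only becomes necessary when several filters must be added or removed as one unit.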