Adding Callout: should GUIDs match?

  • Question

  • As described in MSDN, a callout should be registered within a kernel mode driver with the FwpsCalloutRegister0|1|2() function. Then the callout should be added within a user mode application with the FwpmCalloutAdd0() function. I assume that the calloutKey member of the FWPS_CALLOUT0|1|2 data structure used in FwpsCalloutRegister0|1|2() should match the calloutKey member of FWPM_CALLOUT0 used in FwpmCalloutAdd0(), so that BFE will be able to match the registered callout with the added callout. However, in the WFPSampler these calloutKey members do not match completely. For example, for callouts registered with the following GUIDs (calloutKey members):
    • 53504657-6D61-5F70-4361-6C6C50424142
    • 53504657-6D61-5F70-4361-6C6C50424143
    • 53504657-6D61-5F70-4361-6C6C50424144
    • 53504657-6D61-5F70-4361-6C6C50424145
    the following GUID is used with FwpmCalloutAdd0() function:
    • 53504657-6D61-5F70-4361-6C6C504241FF
    It is easy to see that the first 15 bytes of all these GUIDs are the same and the last byte of the GUID used with FwpmCalloutAdd0() is 0xFF. However, the GUIDs are different, and it is not clear how all these GUIDs are matched with each other by BFE.
    Wednesday, April 2, 2014 1:50 PM

Answers

  • I have figured it out myself.

    The last byte of all callouts used with FwpmCalloutAdd0() is assigned by the HlprFwpmLayerGetIDByKey() function. This function receives the layer of the filter and returns a value that corresponds to 42, 43, 44, or 45 according to the layer value. Therefore the statement "both GUIDs for registering and adding a callout should match" is true.

    • Marked as answer by Petr Alexeev Thursday, April 3, 2014 10:17 AM
    Thursday, April 3, 2014 10:17 AM
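The key derivation the answer describes, as an added Python illustration that is not code from this thread or from WFPSampler: the base GUID's last byte is replaced by a one-byte layer ID, and the result must equal one of the registered keys byte for byte. Which layer produces which ID is decided by HlprFwpmLayerGetIDByKey() and is not reproduced here; the caller passes the ID in.

```python
import uuid

# Callout keys quoted in the question. The four keys are what the kernel driver
# registers with FwpsCalloutRegister*(); the key ending in FF is the base that
# the user-mode side starts from before the last byte is set per layer.
REGISTERED_KEYS = [
    uuid.UUID("53504657-6D61-5F70-4361-6C6C50424142"),
    uuid.UUID("53504657-6D61-5F70-4361-6C6C50424143"),
    uuid.UUID("53504657-6D61-5F70-4361-6C6C50424144"),
    uuid.UUID("53504657-6D61-5F70-4361-6C6C50424145"),
]
BASE_CALLOUT_KEY = uuid.UUID("53504657-6D61-5F70-4361-6C6C504241FF")


def layer_callout_key(base: uuid.UUID, layer_id: int) -> uuid.UUID:
    """Return the per-layer callout key: the base GUID with its last byte
    (Data4[7] in the C GUID struct) replaced by the layer's one-byte ID.
    The ID itself comes from HlprFwpmLayerGetIDByKey() in WFPSampler; the
    mapping from layer to ID is not reproduced here (assumption: caller has it)."""
    if not 0 <= layer_id <= 0xFF:
        raise ValueError("layer ID must fit in the GUID's last byte")
    raw = bytearray(base.bytes)
    raw[-1] = layer_id
    return uuid.UUID(bytes=bytes(raw))


def keys_match(registered: uuid.UUID, added: uuid.UUID) -> bool:
    """BFE pairs a registered callout with an added one only when the two
    calloutKey GUIDs are identical; compare the in-memory (little-endian)
    layout, which is what both APIs actually receive."""
    return registered.bytes_le == added.bytes_le


def added_key_is_registered(base: uuid.UUID, layer_id: int) -> bool:
    """Check that the key FwpmCalloutAdd0() would use for this layer has a
    byte-for-byte match among the keys the driver registered."""
    added = layer_callout_key(base, layer_id)
    return any(keys_match(k, added) for k in REGISTERED_KEYS)


def last_byte_is_layout_independent(key: uuid.UUID) -> bool:
    """The string form and the in-memory form order Data1..Data3 differently,
    but the last byte is Data4[7] in both, so patching guid.Data4[7] in C and
    bytes[-1] here yield the same key."""
    return key.bytes[-1] == key.bytes_le[-1]
```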