Calling ZwQueryInformationToken() at FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer

  • Question

  • Hi All,

    I am using ZwQueryInformationToken() in a WFP callout at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer.

    Is it safe to call this at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer?

    Monday, June 13, 2011 7:07 AM


All replies

  • No, it is not safe. classifyFn0 may be called at IRQL <= DISPATCH_LEVEL, and the function ZwQueryInformationToken must be called at IRQL == PASSIVE_LEVEL. This will cause BSODs.
    Monday, June 13, 2011 11:02 AM
  • Thanks for your reply. That is much appreciated.

    I am planning to get the user SID from the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer using FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID. I need to understand the following things.

    1. How to identify the impersonation token for the current thread.

    2. How to determine the token groups.

    Since we cannot use the ZwQueryInformationToken() method safely, can we use the TOKEN_ACCESS_INFORMATION to get these details? Could you please point me towards any documentation or code sample?

    Thanks in advance.

    Tuesday, June 14, 2011 8:39 AM
  • You can use the following approach:
     * use a work item to execute code at PASSIVE_LEVEL (ExInitializeWorkItem + ExQueueWorkItem). If it is a mass operation, use a separate system worker thread (PsCreateSystemThread).
     * suspend the current request processing: call FwpsPendOperation0
     * process the pended request in your worker at PASSIVE_LEVEL

    For example, see the inspect sample from the DDK: ~\src\network\trans\inspect\sys\
    It suspends packets and reads the registry (for decision making) from a separate thread at PASSIVE_LEVEL.

    Tuesday, June 14, 2011 9:12 AM
  • Hi EreTlk,

    Many thanks for your answer.

    Wednesday, June 15, 2011 3:50 AM
  • Hi EreTlk,

    As per the documentation of FwpsPendOperation0:

    "A callout can call this function only to pend a packet that originates from the FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_Xxx, FWPM_LAYER_ALE_AUTH_LISTEN_Xxx, or FWPM_LAYER_ALE_AUTH_CONNECT_Xxx filtering layers."

    Can I use this method from the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer? Could you please tell me what the alternative is if the above method is not possible?

    Any help is greatly appreciated. Thanks in advance.

    Tuesday, June 21, 2011 9:49 AM
  • Yes. It is better not to call FwpsPendOperation0 at the FWPS_LAYER_ALE_FLOW_ESTABLISHED_Vx layer.

    If the callout driver must block some packets (as a result), move the processing to the FWPS_LAYER_ALE_AUTH_CONNECT_Vx and FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Vx layers.
    If the callout driver only analyzes (without blocking), move the call to ZwQueryInformationToken(...) into an asynchronous worker, without pending WFP requests.

    Tuesday, June 21, 2011 1:38 PM
  • Hi EreTlk,

    Thank you so much for your answer. That is much appreciated.

    Actually, I have two callouts in my driver.

    In the FWPS_LAYER_ALE_FLOW_ESTABLISHED_Vx layer, I get the address, port, flowHandle and processId values and fill a connection information data structure. I also need to create a GUID for the connection; for that I am using the ExUuidCreate method. I need to get the user information for the connection as well, so I get the current process and identify the primary token. From that, the token groups are also identified. The methods I use for these are PsReferencePrimaryToken(PsGetCurrentProcess()), ZwQueryInformationToken(), RtlLengthSid(), RtlCopyMemory() etc. Once I have all this information in the connection information structure, I associate the callout driver-defined context with the data flow and set the classify out action type to continue (classifyOut->actionType = FWP_ACTION_CONTINUE;).

    Basically I am not blocking anything at this layer.

    In the FWPM_LAYER_STREAM_V4 layer, the associated data flow is retrieved and blocked based on certain conditions (depending on port and some sites).

    Since ExUuidCreate, ZwQueryInformationToken(), RtlLengthSid etc. must be called at PASSIVE_LEVEL and < DISPATCH_LEVEL, I need either to pend the operation (which is not good at this layer according to your advice, and would need everything moved to the FWPS_LAYER_ALE_AUTH_CONNECT_Vx and FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_Vx layers) or to move the call to ZwQueryInformationToken(...) into an asynchronous worker without pending WFP requests.

    1. Could you please advise me what would be the best option given the business requirements here?

    2. Also, could you please advise whether we can call the asynchronous worker multiple times (for getting the connection GUID and user information)?

    3. Given my filter requirements, could you please advise whether I am following the right approach?

    Once again, thanks for the help so far. That really helped.

    Wednesday, June 22, 2011 5:09 AM
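Added example (not part of this thread, and not code from any of the posters): the user SID, the group list and the token type can be read at this layer without ZwQueryInformationToken, because the FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID value that WFP passes to classifyFn is (assumption, verify against your fwptypes.h/fwpsk.h) an FWP_BYTE_BLOB whose data is a TOKEN_ACCESS_INFORMATION, with SidHash->SidAttr[0] the user and the following entries the groups. Walking that structure is plain memory access, so it is DISPATCH_LEVEL-safe; what it needs is a copy into a NonPagedPool flow context before classifyFn returns, since the blob is only assumed valid for the duration of the call. The block below builds on a host compiler: the Windows type layouts are redeclared by hand (assumed layout-identical to ntifs.h; in a driver include ntifs.h/fwpsk.h and delete them), the token is a constructed sample, and CaptureFlowUser, FLOW_USER_INFO and BuildSampleToken are names chosen here, not WFP APIs. It also covers the UAC-filtered case, where Administrators is present but marked SE_GROUP_USE_FOR_DENY_ONLY.

```c
/* Added example: read user SID, groups and token type from the ALE_USER_ID
 * TOKEN_ACCESS_INFORMATION with memory reads only (DISPATCH_LEVEL-safe).
 * Host build; type layouts below are hand-written stand-ins for ntifs.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t  BYTE;
typedef uint32_t ULONG;

/* Assumed layout-identical to the ntifs.h definitions. */
typedef struct { BYTE Value[6]; } SID_IDENTIFIER_AUTHORITY;
typedef struct { BYTE Revision; BYTE SubAuthorityCount;
                 SID_IDENTIFIER_AUTHORITY IdentifierAuthority; ULONG SubAuthority[1]; } SID;
typedef struct { SID *Sid; ULONG Attributes; } SID_AND_ATTRIBUTES;
typedef struct { ULONG SidCount; SID_AND_ATTRIBUTES *SidAttr; uintptr_t Hash[32]; } SID_AND_ATTRIBUTES_HASH;
typedef enum { TokenPrimary = 1, TokenImpersonation = 2 } TOKEN_TYPE;
typedef enum { SecurityAnonymous, SecurityIdentification,
               SecurityImpersonation, SecurityDelegation } SECURITY_IMPERSONATION_LEVEL;
typedef struct {
    SID_AND_ATTRIBUTES_HASH *SidHash;            /* [0] = user, [1..] = groups (assumption) */
    SID_AND_ATTRIBUTES_HASH *RestrictedSidHash;
    void *Privileges;
    uint64_t AuthenticationId;                   /* LUID */
    TOKEN_TYPE TokenType;                        /* primary vs. impersonation token */
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    /* MandatoryPolicy, Flags, ... follow in the real structure */
} TOKEN_ACCESS_INFORMATION;

#define SE_GROUP_ENABLED           0x00000004u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u
#define MAX_SID_BYTES 68                          /* SECURITY_MAX_SID_SIZE */
#define MAX_CAPTURED_GROUPS 16

typedef union { SID Sid; BYTE Bytes[MAX_SID_BYTES]; } SID_BUFFER;

/* Hypothetical per-flow context: a callout would allocate it from NonPagedPool and
 * attach it with FwpsFlowAssociateContext0. Everything is copied, so nothing in the
 * classify-time blob has to stay alive after classifyFn returns. */
typedef struct {
    uint64_t FlowHandle;
    TOKEN_TYPE TokenType;
    SECURITY_IMPERSONATION_LEVEL ImpersonationLevel;
    ULONG GroupCount;
    int IsLocalAdmin;            /* enabled, non-deny-only member of S-1-5-32-544 */
    SID_BUFFER UserSid;
    SID_BUFFER Groups[MAX_CAPTURED_GROUPS];
    ULONG GroupAttributes[MAX_CAPTURED_GROUPS];
} FLOW_USER_INFO;

/* RtlLengthSid equivalent from the SID header: 8 header bytes + 4 per sub-authority. */
static ULONG SidLength(const SID *s) { return 8u + 4u * s->SubAuthorityCount; }
static int SidEqual(const SID *a, const SID *b) {
    ULONG la = SidLength(a);
    return la == SidLength(b) && memcmp(a, b, la) == 0;
}
static void MakeSid(SID_BUFFER *b, BYTE authority, BYTE count, const ULONG *subs) {
    memset(b, 0, sizeof *b);
    b->Sid.Revision = 1; b->Sid.SubAuthorityCount = count;
    b->Sid.IdentifierAuthority.Value[5] = authority;
    memcpy(b->Bytes + 8, subs, 4u * count);
}

/* Copy user SID, groups and token type out of the classify-time blob.
 * Returns 0 on success, -1 on a malformed blob (treat as "unknown user"). */
int CaptureFlowUser(uint64_t flowHandle, const TOKEN_ACCESS_INFORMATION *tai, FLOW_USER_INFO *out)
{
    static const ULONG adminSubs[] = { 32, 544 };
    SID_BUFFER admins;
    MakeSid(&admins, 5, 2, adminSubs);                    /* BUILTIN\Administrators */
    memset(out, 0, sizeof *out);
    if (tai == NULL || tai->SidHash == NULL || tai->SidHash->SidCount == 0) return -1;
    const SID_AND_ATTRIBUTES *sa = tai->SidHash->SidAttr;
    out->FlowHandle = flowHandle;
    out->TokenType = tai->TokenType;
    out->ImpersonationLevel = tai->ImpersonationLevel;
    if (SidLength(sa[0].Sid) > MAX_SID_BYTES) return -1;
    memcpy(&out->UserSid, sa[0].Sid, SidLength(sa[0].Sid));
    for (ULONG i = 1; i < tai->SidHash->SidCount && out->GroupCount < MAX_CAPTURED_GROUPS; i++) {
        const SID *g = sa[i].Sid;
        ULONG attrs = sa[i].Attributes;
        if (SidLength(g) > MAX_SID_BYTES) return -1;
        memcpy(&out->Groups[out->GroupCount], g, SidLength(g));
        out->GroupAttributes[out->GroupCount++] = attrs;
        /* A UAC-filtered token still lists Administrators, but deny-only: do not count it. */
        if ((attrs & SE_GROUP_ENABLED) && !(attrs & SE_GROUP_USE_FOR_DENY_ONLY) && SidEqual(g, &admins.Sid))
            out->IsLocalAdmin = 1;
    }
    return 0;
}

/* Constructed sample token (not captured from a real system): S-1-5-21-...-1001 in
 * Everyone, Administrators and Users. elevated=0 models the UAC-filtered token. */
static SID_BUFFER gUser, gEveryone, gAdmins, gUsers;
static SID_AND_ATTRIBUTES gEntries[4];
static SID_AND_ATTRIBUTES_HASH gHash;
static TOKEN_ACCESS_INFORMATION gTai;
const TOKEN_ACCESS_INFORMATION *BuildSampleToken(int elevated)
{
    static const ULONG user[] = { 21, 1111111111u, 2222222222u, 3333333333u, 1001 };
    static const ULONG everyone[] = { 0 }, admins[] = { 32, 544 }, users[] = { 32, 545 };
    MakeSid(&gUser, 5, 5, user);     MakeSid(&gEveryone, 1, 1, everyone);
    MakeSid(&gAdmins, 5, 2, admins); MakeSid(&gUsers, 5, 2, users);
    gEntries[0].Sid = &gUser.Sid;     gEntries[0].Attributes = 0;
    gEntries[1].Sid = &gEveryone.Sid; gEntries[1].Attributes = SE_GROUP_ENABLED;
    gEntries[2].Sid = &gAdmins.Sid;   gEntries[2].Attributes = elevated ? SE_GROUP_ENABLED : SE_GROUP_USE_FOR_DENY_ONLY;
    gEntries[3].Sid = &gUsers.Sid;    gEntries[3].Attributes = SE_GROUP_ENABLED;
    memset(&gHash, 0, sizeof gHash); gHash.SidCount = 4; gHash.SidAttr = gEntries;
    memset(&gTai, 0, sizeof gTai);   gTai.SidHash = &gHash; gTai.TokenType = TokenPrimary;
    return &gTai;
}

int main(void)
{
    FLOW_USER_INFO info;
    for (int elevated = 0; elevated <= 1; elevated++) {
        if (CaptureFlowUser(0x1234, BuildSampleToken(elevated), &info) != 0) return 1;
        printf("flow %llx: user RID %u, %u groups, %s token, local admin: %s\n",
               (unsigned long long)info.FlowHandle,
               ((const ULONG *)(info.UserSid.Bytes + 8))[info.UserSid.Sid.SubAuthorityCount - 1],
               info.GroupCount, info.TokenType == TokenPrimary ? "primary" : "impersonation",
               info.IsLocalAdmin ? "yes" : "no");
    }
    return 0;
}
```

In a driver the same walk runs inside classifyFn, taking the TOKEN_ACCESS_INFORMATION pointer from `inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_ALE_USER_ID].value.tokenAccessInformation->data` (assumed field access; check it against fwptypes.h), and the 64-bit flowHandle that this layer already supplies can serve as the per-connection key, which avoids calling ExUuidCreate at DISPATCH_LEVEL. The TokenType field answers the "is this an impersonation token" question for the token the flow was established under; which thread the callout happens to run on is not relevant to that.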