Hello everyone I am trying to develop a mini-filter driver using fltsendmessage that interacts with a client application using fltgetmessage coded in VB.NET. I seem to have issues with either the Pinvoke statements or within the mini-filter or both. I have tried for weeks now and would apricate any help.
To start I have created a communication port like so within my Mini-Filter Driver:
PFLT_PORT ServerPort;
PSECURITY_DESCRIPTOR sd;
status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
if (!NT_SUCCESS(status))
break;
UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\BitPort");
OBJECT_ATTRIBUTES attr;
InitializeObjectAttributes(&attr, &name, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, sd);
status = FltCreateCommunicationPort(FilterHandle, &ServerPort, &attr, NULL,PortConnectNotify, PortDisconnectNotify, PortMessageNotify, 1);
FltFreeSecurityDescriptor(sd);
I am using Winobj and can confirm that the Connection port is created successfully listed type as a FilterConnectionPort in the "\" directory.
My VB.NET Client application needs a way to connect to the connection port which requires Pinvoke to deal with unmanaged code like so:
Dim OpenPortHandle As IntPtr
<DllImport("fltlib.dll")>
Public Shared Function FilterConnectCommunicationPort(<MarshalAs(UnmanagedType.LPWStr)>
portName As String,
options As UInteger,
context As IntPtr,
sizeOfContext As UInteger,
securityAttributes As IntPtr,
<Out> ByRef portHandle As IntPtr) As UInteger
End Function
Dim OpenPortNumber = FilterConnectCommunicationPort("\BitPort", 0, IntPtr.Zero, 0, IntPtr.Zero, OpenPortHandle)
MsgBox("Open Communication Port Status: " & OpenPortNumber & " Port Number: " & OpenPortHandle.ToString)
The Client Application MsgBox Shows this when the Communication Port is connected.
"Open Communication Port Status: 0 Port Number: 1236"
Back to the Mini-Filter Driver I have PortConnectNotify, PortDisconnectNotify, PortMessageNotify like so:
NTSTATUS PortConnectNotify(PFLT_PORT ClientPort, PVOID ServerPortCookie, PVOID ConnectionContext, ULONG SizeOfContext, PVOID* ConnectionPortCookie) {
UNREFERENCED_PARAMETER(ServerPortCookie);
UNREFERENCED_PARAMETER(ConnectionContext);
UNREFERENCED_PARAMETER(SizeOfContext);
UNREFERENCED_PARAMETER(ConnectionPortCookie);
SendClientPort = ClientPort;
return STATUS_SUCCESS;
}
void PortDisconnectNotify(PVOID ConnectionCookie) {
UNREFERENCED_PARAMETER(ConnectionCookie);
FltCloseClientPort(FilterHandle, &SendClientPort);
SendClientPort = NULL;
}
NTSTATUS PortMessageNotify(PVOID PortCookie, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength, PULONG ReturnOutputBufferLength) {
UNREFERENCED_PARAMETER(PortCookie);
UNREFERENCED_PARAMETER(InputBuffer);
UNREFERENCED_PARAMETER(InputBufferLength);
UNREFERENCED_PARAMETER(OutputBuffer);
UNREFERENCED_PARAMETER(OutputBufferLength);
UNREFERENCED_PARAMETER(ReturnOutputBufferLength);
return STATUS_SUCCESS;
}
Within my drivers FLT_PREOP_CALLBACK_STATUS I have my fltsendmessage code:
if (SendClientPort) {
ULONG PROC_TAG = 0;
UNICODE_STRING processName;
processName.Length = 0;
processName.MaximumLength = (USHORT)DoSPath.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength + 2;
processName.Buffer = ExAllocatePoolWithTag(PagedPool, processName.MaximumLength, PROC_TAG);
RtlCopyUnicodeString(&processName, &DoSPath);
RtlAppendUnicodeStringToString(&processName, &Data->Iopb->TargetFileObject->FileName);
KdPrint(("%wZ \r\n", processName));
RtlCopyUnicodeString(&ImageP, &processName);
RtlCopyMemory(processName.Buffer, processName.Buffer, processName.MaximumLength);
LARGE_INTEGER timeout;
timeout.QuadPart = -10000 * 100;
FltSendMessage(FilterHandle, &SendClientPort, processName.Buffer, processName.MaximumLength, NULL, NULL, &timeout);
}
Within the VB.NET Client Application I need to get the message from the Mini-Filter Driver and have this so far:
<DllImport("fltlib.dll")>
Public Shared Function FilterGetMessage(portHandle As IntPtr,
ByRef messageBuffer As FILTER_MESSAGE_HEADER,
messageBufferSize As Integer,
overlapped As IntPtr) As UInteger
End Function
<StructLayout(LayoutKind.Sequential)>
Public Structure FILTER_MESSAGE_HEADER
Public ReplyLength As UInteger
Public MessageId As ULong
End Structure
<StructLayout(LayoutKind.Sequential)>
Public Structure DATA_RECEIVE
Public messageHeader As FILTER_MESSAGE_HEADER
Public messageContent() As Byte
End Structure
Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(BUFFER_SIZE - 1) {}
Dim headerSize As Integer = Marshal.SizeOf(dataReceive.messageHeader)
Dim dataSize As Integer = Marshal.SizeOf(dataReceive)
Dim status As UInteger = FilterGetMessage(OpenPortHandle,dataReceive.messageHeader,dataSize,Nothing)
MsgBox("FltGetMessage Status Code: " & status)
this is the error code I see within the Message box
"FltGetMessage Status Code: 2147942406"
Researching this error code says:
PInvoke.HResult.Code.E_HANDLE = 2147942406 -> PInvoke.HResult.Code
Here is a link to the project from my google drive in hopes someone can take a closer look and help out:
BitMon – Google Drive[
^]
Please Help thank you! :)
What I have tried:
Tried everything I can think of google search two driver books and related questions here on code project.