Comments by Dale Seeley (Top 96 by date)

This is my FILTER_MESSAGE_HEADER Code

<structlayout(layoutkind.sequential)>
Public Structure FILTER_MESSAGE_HEADER
Public ReplyLength As UInt32
Public MessageId As UInt64
End Structure

awesome I was definatly a bit confused with FILTER_MESSAGE_HEADER because I could not understand how having the struct in my client application would use it. It is used in the driver does it also need to be in the client? Byref or ByVal?

still no luck :(

thank you for this point I will check if that helps I appricate that

I am well aware of all the communication port connections on both sides but my .Net does not receive any messages I send with the driver so I thought It was the transition between managed and unmanaged code causing this to happen

Hello Again Rick I have researched 6 different books on c++/cli and have a firm understanding of what it is and what it does. I have a minifilter driver coded in c++ ready and working and also have the cli project sending simple messages to the vb.net application. Now Im lost as to how to receive the messages sent by communication port. I know structs are not the same in managed code to unmanaged code and thats where c++/cli comes in right? what is ment by exported interface? how does this all fit together? thank you in advance

Thank you very very much for this starting point Rick. Does this mean having my driver in C code is alright and still possible to do the rest? I will read every link you have supplied. Is there any talk of a dll interface? Do you mean cli? Or what they call now clr in visual studio? Also is it best practice or just the way it's done to add the cli dll to the driver project and then make sure dependency is set in that manner?

How can I extract the message sent from the driver to my client application?
here is the code I have so far and status returns 0 which is success I believe but after that I get a access violation error reading protected memory to that effect

Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(BUFFER_SIZE - 1) {}

Dim headerSize As Integer = Marshal.SizeOf(dataReceive.messageHeader)
Dim dataSize As Integer = Marshal.SizeOf(dataReceive) + BUFFER_SIZE

Dim status = FilterGetMessage(OpenPortHandle, dataReceive.messageHeader, dataSize, Nothing)
MsgBox("FltGetMessage Status Code: " & status)

when using this code my DeviceIoControl code no longer gets the IO_GET_CLIENT_PATH and if I remove the DeviceIoControl code it errors with System.AccessViolationException Attempted to read or write protected memory on the End Sub line? this is strange behavior please help. thank you in advance

Yes after a bit of work this is the correct code

Dim dataSize As Integer = Marshal.SizeOf(dataReceive) + BUFFER_SIZE

<structlayout(layoutkind.sequential)>
Public Structure DATA_RECEIVE
Public messageHeader As FILTER_MESSAGE_HEADER
<marshalas(unmanagedtype.byvalarray, sizeconst:="BUFFER_SIZE)">
Public messageContent() As Byte
End Structure

thank you for your help!

I understand that sir I just need some time to make the changes and test it.

Yup I do my testing with windbg and vmware with symbols I will test and debug thank you very much I'll post again today if there is any issues and if not mark this as answered 😀

OK! That's great! Thank you very much I see now what your saying sorry I wasn't clear before I will change this once I get home today and hopefully see some progress. I have one more area I am unsure about and that is the Sendmessage part in my driver can you confirm if this looks correct?

So the message content is prone to change and be dynamic I have looked at the usage of fltGetMessage but because C coding conversion to VB.NET can be tricky it's hard for me to see what I need to change. How is the message content size not the same? Thank you in advance.

I have found this code but I am unaware of how to convert this to VB.Net

public unsafe struct DATA_RECEIVE
{
public FILTER_MESSAGE_HEADER messageHeader;
public fixed byte messageContent[BUFFER_SIZE];
}

I have created a new question here please check it out Randor when you can I would greatly apricate it and thank you for all your help up to now!

https://www.codeproject.com/Questions/5338073/Fltgetmessage-returns-error-code-2147942406

In my VB.NET application I changed the Buffer to 4kb instead of 1024 from:

Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(BUFFER_SIZE - 1) {}

To this:

Dim dataReceive As DATA_RECEIVE = New DATA_RECEIVE()
dataReceive.messageContent = New Byte(1 << 12) {}

Now it shows 4097 But it doesn't fix my issue?

It appears removing Byref was the cause of the invalid handle thank you but now I get a new returned error code 0x8007007A and decimal 2147942522 which states ERROR_INSUFFICIENT_BUFFER. I would imagine this to be the buffer length I specify in my VB.NET application but its set to max, any ideas?

Once I have changed that the error code returned now is hex 0x8007007A and decimal 2147942522 which states ERROR_INSUFFICIENT_BUFFER. Are you able to see where in my VB.NET code this is happening?

thank you for the pointer I will change that.

This is the new updated code I have uploaded it to my google drive

https://drive.google.com/drive/folders/1Hv957hwAJsE8KDGs9UfV94AG5a9Bneth?usp=sharing

Here is the link!

https://drive.google.com/drive/folders/1fdamAJF-untSeD-xzFyfmf8a2G8B36Ba?usp=sharing

I am about to upload the project to my google drive please let me know if your online now or can take a look I am lost. Thank you Randor C coding is still a challenge for me and not my strong point.

Sure I'll upload it to my Google drive after my work today thank you very much for taking time for me.

Is the code looking correct though? Is there anything missing and is Rtlinitunicodestring used so I can copy memory?

Of course my MiniDriverPreOperation is probably incorrect and missing allot but was my attempt to send the message without using structs but to send the file path I am using UnicodeString and RtlCopyMemory says its incompatible.

Here Is My FLT_PREOP_CALLBACK_STATUS


FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(
PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects,
PVOID* CompletionContext)
{
UNREFERENCED_PARAMETER(FltObjects);
UNREFERENCED_PARAMETER(CompletionContext);

if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
{
PFLT_FILE_NAME_INFORMATION FileNameInfo;
NTSTATUS status;
UNICODE_STRING DoSPath;

status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

if (NT_SUCCESS(status)) {

status = FltParseFileNameInformation(FileNameInfo);

if (NT_SUCCESS(status)) {

if (FileNameInfo->Name.MaximumLength < 260) {

status = IoVolumeDeviceToDosName(FltObjects->FileObject->DeviceObject, &DoSPath);
if (NT_SUCCESS(status))
{
//check here to determine if the process should be allowed or not to run
//Data->IoStatus.Status = STATUS_ACCESS_DENIED;
//Data->IoStatus.Information = 0;

if (SendClientPort) {
ULONG PROC_TAG = 0;
UNICODE_STRING processName;

processName.Length = 0;
processName.MaximumLength = (USHORT)DoSPath.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength + 2;
processName.Buffer = ExAllocatePoolWithTag(PagedPool, processName.MaximumLength, PROC_TAG);

RtlCopyUnicodeString(&processName, &DoSPath);
RtlAppendUnicodeStringToString(&processName, &Data->Iopb->TargetFileObject->FileName);

KdPrint(("%wZ \r\n", processName));
RtlCopyUnicodeString(&ImageP, &processName);

//RtlCopyMemory(processName, processName.Buffer, processName.MaximumLength);
LARGE_INTEGER timeout;
timeout.QuadPart = 10000 * 100;
FltSendMessage(FilterHandle, &SendClientPort, processName.Buffer, processName.MaximumLength, NULL, NULL, &timeout);

}
}
}
}
FltReleaseFileNameInformation(FileNameInfo);
}
}
return FLT_PREOP_SUCCESS_WITH_CALLBACK;
}

Ok this is what I am reading and understanding up to now about FltSendMessage. This takes 7 parameters like so:

1. Filter Handle
2. Client Port
3. Message Buffer
4. Message Buffer Length
5. Reply Buffer
6. Reply Buffer Length
7. Timeout

My book is saying the driver can send any buffer/message described by the third parameter Message Buffer with the length of Message Buffer. Typically the driver will define some structure in a common header file the client can include as well called FileBackupPortMessage. This struct contains the file name length and the file name itself but This seems to be my issue because I am unaware of how to interact with this structure or any from my client using VB.NET. I understand VB.NET is not your strong point to offer help but might there be a way to send the message without the use of this struct? there is also the use of another struct _FILTER_MESSAGE_HEADER if a reply is expected this structure indicates the reply length in bytes and the message ID which again the client should use if it calls FilterReply-Message. Timeout specifies the time waited by the driver to send the message to the client. Unless any of this is incorrect the code should be something like this in C

1. Filter Handle declared global PFLT_FILTER FilterHandle;
2. Client Port declared global PFLT_PORT SendClientPort;

and the rest of the example code is placed within the FLT_PREOP_CALLBACK_STATUS:

if (SendClientPort) {
USHORT nameLen = context->FileName.Length;
USHORT len = sizeof(FileBackupPortMessage) + nameLen;
auto msg = (FileBackupPortMessage*)ExAllocatePoolWithTag(PagedPool, len, DRIVER_TAG);
if (msg) {
msg->FileNameLength = nameLen / sizeof(WCHAR);
RtlCopyMemory(msg->FileName, context->FileName.Buffer, nameLen);
LARGE_INTEGER timeout;
timeout.QuadPart = -10000 * 100; // 100msec
FltSendMessage(gFilterHandle, &SendClientPort, msg, len,
nullptr, nullptr, &timeout);
ExFreePool(msg);
}
}

FltSendMessage in the driver example has parameters 5 and 6 as nullptr because to my understanding the example is only sending a message and does not expect a reply which I am sure I will need in order to block or allow process creation.

OK great I will post the driver code today after work if your still here

The structure part is actually what I am a bit confused about because I am not sure how to interact with it in VB.NET. I can confirm the connection seems good but then I use fltgetmessage in the usermode application or should I be using replymessage? I will give it another try after work today and post some updates thank you for your response and start in the right direction.

Yes I can see from my usermode application the return value from the communication port is zero and the port passed to my handle variable is normal. I can post or upload the project to my Google drive for review later today. Thank you for your continuous reply patience and guidance.

Hello again I have created and receive a proper port number for the communication port now I am trying to figure out fltSendmessage and reply so I can impalement the Io blocking feature to allow or block process creation. Can you point me to the next step thanks Randor.

I revised the code, made allot of changes since you seen it last and no longer have any warnings to any unitialized code. The user mode application still receives a communication port handle but I am unsure if it's correct or not. I will upload the project like last time to my Google drive if you have time to look things over I would greatly appreciate it. 🙂

Interesting to know about Assert, so in general NT_ASSERT and FLT_ASSERT is to throw certain errors or to check the outcome if a value is valid or not?. If Assert just throws an error when a value is expected can't that lead to issues? Is this a form of lazy coding? I will revise the C code for variables that are not initialized with values is that why I am not able to connect to the communication port?. Thank you for continuing to coach me through this.

I actually have no idea what FLT_ASSERT does to be honest so I removed it and revised the code in my driver to the information I found in my book "Windows Kernel Programming" chapter 10 mini filter driver. I can see now when the driver is started My filter connection port is created and within the user mode application I make a call to FilterConnectCommunicationPort and the port handle is as follows, 1818164390016. When I exit and restart the user mode application that number changes but I am not sure if this number is correct as it looks to long compared to the IOCTL port number that is created. I assume that number to be the client port. Please advise and if you have any time I can reupload the project to my google drive if you could be so nice to take a look. thanks again Randor

Might be of value to note that the driver upon loading and unloading a time or two had no BSOD but now without changing anything it fails. I am not sure if the communication port is being disposed of and created again properly or if that might be the issue it looks like maybe the driver is ok but the user mode application might have some issue? please advise. thank you Randor

Here is another output

10: kd> !analyze -v
Connected to Windows 10 22000 x64 target at (Wed Jun 29 00:11:11.874 2022 (UTC - 6:00)), ptr64 TRUE
Loading Kernel Symbols
.................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................
................................................................
..............................................................
Loading User Symbols
......................................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.........................

Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000420, Exception code that caused the BugCheck
Arg2: fffff80231ba1672, Address of the instruction which caused the BugCheck
Arg3: fffff58709e59830, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2187

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 27410

Key : Analysis.Init.CPU.mSec
Value: 2811

Key : Analysis.Init.Elapsed.mSec
Value: 2766284

Key : Analysis.Memory.CommitPeak.Mb
Value: 92

Key : Bugcheck.Code.DumpHeader
Value: 0x3b

Key : Bugcheck.Code.KiBugCheckData
Value: 0x3b

Key : Bugcheck.Code.Register
Value: 0x3

Key : WER.OS.Branch
Value: co_release

Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z

Key : WER.OS.Version
Value: 10.0.22000.1


BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000420

BUGCHECK_P2: fffff80231ba1672

BUGCHECK_P3: fffff58709e59830

BUGCHECK_P4: 0

CONTEXT: fffff58709e59830 -- (.cxr 0xfffff58709e59830)
rax=fffff80231ba1630 rbx=0000000000000000 rcx=ffffe2835e64ef10
rdx=0000000000000000 rsi=ffffe2835e64ef10 rdi=ffffe2835e185570
rip=fffff80231ba1672 rsp=fffff58709e5a250 rbp=fffff58709e5a310
r8=0000000000000000 r9=0000000000000000 r10=ffffe2835eee97f8
r11=fd55515555555555 r12=ffffe283602c7d38 r13=0000000000000000
r14=0000000000000000 r15=ffffe28363284690
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x1672:
fffff802`31ba1672 cd2c int 2Ch
Resetting default scope

PROCESS_NAME: IOCTL_DRIVER_APP.exe

STACK_TEXT:
fffff587`09e5a250 fffff802`20f47548 : ffffe283`5e64ef10 00000000`00000000 00000000`00000000 fffff587`00000000 : Bitfilter+0x1672
fffff587`09e5a290 fffff802`20f4955b : ffffe283`5eee97e0 ffffda8f`c17d4a30 00000000`00000000 ffffffff`8000403c : FLTMGR!FltpOpenClientPort+0x434
fffff587`09e5a350 fffff802`20f4dbba : ffffe283`5b4aec90 fffff587`09e5a409 ffffe283`5fed7a00 ffffe283`5b4aec90 : FLTMGR!FltpMsgDispatch+0x18b
fffff587`09e5a3c0 fffff802`22d02f65 : 00000000`00000000 fffff802`22cc5d33 ffffda8f`c17d4a78 ffffda8f`c17d4960 : FLTMGR!FltpCreate+0x55a
fffff587`09e5a470 fffff802`23153667 : ffffe283`5b4aec90 ffffe283`5b4aec90 fffff587`09e5a770 ffffc40c`00000040 : nt!IofCallDriver+0x55
fffff587`09e5a4b0 fffff802`23172562 : fffff587`09e5a770 fffff802`23152dd0 ffffda8f`bc1f22a0 ffffe283`5e5f4aa0 : nt!IopParseDevice+0x897
fffff587`09e5a670 fffff802`231719d1 : ffffc40c`79947920 fffff

Hello again Randor I believe I have the symbols set up correctly but I am unsure whats happening here is a output of my windbg. the VMware does not BSOD but there is an Assertion failure

Microsoft (R) Windows Debugger Version 10.0.25136.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 10 22000 x64 target at (Tue Jun 28 23:25:44.066 2022 (UTC - 6:00)), ptr64 TRUE
Kernel Debugger connection established.

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*C:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 22000 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 22000.1.amd64fre.co_release.210604-1628
Machine Name:
Kernel base = 0xfffff802`22a00000 PsLoadedModuleList = 0xfffff802`236296b0
Debug session time: Tue Jun 28 23:25:08.905 2022 (UTC - 6:00)
System Uptime: 0 days 1:17:54.711
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus+0x1:
fffff802`22e1dbf1 c3 ret
1: kd> g
Assertion failure - code c0000420 (first chance)
Bitfilter+0x1672:
fffff802`31b91672 cd2c int 2Ch
11: kd> g
Continuing an assertion failure can result in the debuggee
being terminated (bugchecking for kernel debuggees).
If you want to ignore this assertion, use 'ahi'.
If you want to force continuation, use 'gh' or 'gn'.

8: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000420, Exception code that caused the BugCheck
Arg2: fffff807689f16bc, Address of the instruction which caused the BugCheck
Arg3: ffffb786b1d7f820, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 3358

Key : Analysis.DebugAnalysisManager
Value: Create

Key : Analysis.Elapsed.mSec
Value: 5734

Key : Analysis.Init.CPU.mSec
Value: 421

Key : Analysis.Init.Elapsed.mSec
Value: 4829

Key : Analysis.Memory.CommitPeak.Mb
Value: 96

Key : WER.OS.Branch
Value: co_release

Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z

Key : WER.OS.Version
Value: 10.0.22000.1


FILE_IN_CAB: 061622-6187-01.dmp

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000420

BUGCHECK_P2: fffff807689f16bc

BUGCHECK_P3: ffffb786b1d7f820

BUGCHECK_P4: 0

CONTEXT: ffffb786b1d7f820 -- (.cxr 0xffffb786b1d7f820)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc08833eab570
rdx=0000000000000000 rsi=ffffc08833eab570 rdi=ffffc088328c1420
rip=fffff807689f16bc rsp=ffffb786b1d80240 rbp=ffffb786b1d80310
r8=0000000000000000 r9=0000000000000000 r10=ffffc088320f71c8
r11=0000000070634d46 r12=ffffc08833ead838 r13=0000000000000000
r14=0000000000000000 r15=ffffc088362a8270
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x16bc:
fffff807`689f16bc cd2c int 2Ch
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: IOCTL_DRIVER_APP.exe

STACK_TEXT:
ffffb786`b1d80240 00000000`0000f10d : 00000000`00000001 ffffc088`362a8270 00000000`00000000 00000001`00000000 : Bitfilter+0x16bc
ffffb786`b1d80248 00000000`00000001 : ffffc088`362a8270 00000000`00000000 00000001`00000000 00000001`33ead838 : 0xf10d
ffffb786`b1d80250 ffffc088`362a8270 : 00000000`00000000 00000001`00000000 00000001`33ead838 ffffc088`328c1420 : 0x1
ffffb786`b1d80258 00000000`00000000 : 00000001`00000000 00000001`33ead838 ffffc088`328c1420 00000000`00000001 : 0xffffc088`362a8270


SYMBOL_NAME: Bitfilter+16bc

MODULE_NAME: Bitfilter

IMAGE_NAME: Bitfilter.sys

STACK_COMMAND: .cxr 0xffffb786b1d7f820 ; kb

BUCKET_ID_FUNC_OFFSET: 16bc

FAILURE_BUCKET_ID: 0x3B_C0000420_Bitfilter!unknown_function

OS_VERSION: 10.0.22000.1

BUILDLAB_STR: co_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {23ee73b4-ac33-c70d-8b59-1288cfa8578b}

Followup: MachineOwner
---------

8: kd> .cxr 0xffffb786b1d7f820
rax=0000000000000000 rbx=0000000000000000 rcx=ffffc08833eab570
rdx=0000000000000000 rsi=ffffc08833eab570 rdi=ffffc088328c1420
rip=fffff807689f16bc rsp=ffffb786b1d80240 rbp=ffffb786b1d80310
r8=0000000000000000 r9=0000000000000000 r10=ffffc088320f71c8
r11=0000000070634d46 r12=ffffc08833ead838 r13=0000000000000000
r14=0000000000000000 r15=ffffc088362a8270
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00040202
Bitfilter+0x16bc:
fffff807`689f16bc cd2c int 2Ch
8: kd> lmvm Bitfilter
Browse full module list
start end module name
fffff807`689f0000 fffff807`689f8000 Bitfilter T (no symbols)

Ok I have created the VMware and also connected Windbg x64 and can break and resume the debugger. Can you give me links or advise how to properly use and view the exceptions that cause the BSOD? I am unsure of the command line arguments or how to pinpoint the issues while the mini-filter driver is running or causing the error. thank you for your time I look forward to hearing back from you.

Awesome thank you I set up virtual machines or have often in the past so it's no issue but I've been developing on my local machine for months with no lock outs. Just curious why would you be running such a risk or why does windows lock up, I've never experienced that before

On the local machine no vm

Gotcha does there appear to be anything wrong with the driver code at the moment?

I'm using Visual Studio 2019

Yup BSOD :(

Actually I have tried that also thinking the exact same thing I will try now but I'm pretty sure it will BSOD

Thank you for taking a look allowing or blocking processes is causing me so much headache and prolonging my development by months now so im very greatful for this help to understand and get it done hopefully.

https://drive.google.com/drive/folders/1_a8BwvZ_SNBy_SYmJg0WL5rJI3ssOS9I?usp=sharing

Is there any way I can pass the project to you?

I added the line above where you suggested but still it does not connect

Tomorrow I will disclose full code for you to analyze please if you can

It returns a minus number -2147024773

My .NET application runs as Administrator I will try now

OK so adding RtlSetDaclSecurityDescriptor(sd,TRUE,NULL,FALSE) in the driver entry before InitializeObjectAttributes() is what your saying might help?

My user mode counter part is a VB.Net winform. How do I go abouts assigning the descriptor to the communication port? Is it shown in the example? I would imagine of course it is but where? 😅

I asked maybe a silly question at first I will protect the port and service/driver from any other process which tries to kill it along with the program itself but what areas do you know of for drivers that should be restricted? I am fairly new to this and having your insight in very valuable.

Good point I will do it that way to see it work and then secure it. Is it difficult to secure or do I just change the way its called?

I'm not sure it's strange Im just unsure all the steps needed so once I added the code I thought I needed and cleared up the errors in my driver code there appeared to be nothing outstanding but I missed that. Thank you I will include that

Ok I am happy to report that I have created the Communication Port which I checked with WinObj64 and the port is successfully created and removed and the driver works as expected but I have run into a Problem when trying to use FilterConnectCommunicationPort from within my .NET application. I have Pinvoked FilterConnectCommunicationPort like so:

Dim OpenPortHandle As IntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(GetType(IntPtr)))

<dllimport("fltlib", setlasterror:="True)">
Public Shared Function FilterConnectCommunicationPort(<marshalas(unmanagedtype.lpwstr)> portName As String,
options As UInteger,context As IntPtr, sizeOfContext As UInteger, securityAttributes As IntPtr,portPtr As IntPtr) As Integer
End Function

and then in the start monitor section I call:
Dim OpenPortNumber = FilterConnectCommunicationPort("\\PortName", 0, IntPtr.Zero, 0, IntPtr.Zero, OpenPortHandle)

MsgBox(OpenPortNumber)

I have also checked the Name of the port and directory should be exact and seen the example in the scanner which makes the same call. The message box returns -2147024773 which is clear the connection was refused or unable to connect.

Any Ideas what might be going wrong for me?
thank you in advance!

Oh this is amazing thank you very much I really want to complete this chapter of the project and move on lol 😆. I can't wait to check this out after work.

Awesome thank you for that very useful info that gets me started! Ill post again tomorrow when I have the first step complete thank you Randor.

That sounds like a great plan!! at the moment I am reading up on creating the communication port in the driver. FltCbdqInitialize and FltCbdqInsertIo along with creating and receiving the communication port are callback methods?

Thank you so much for responding I do indeed need to pend i/o operations so that the driver will wait until the user allows or denies the process to launch (if this is its intended use?) but as you have stated I will need to learn this and research it, hopefully with your help in the future. Currently I have IOCTL working as you know so maybe for now I can try the Communication Port and FltSendMessage way of receiving notifications from the driver to the user mode application. Will this method also cause the driver to wait for a response or can that only be achieved by pending i/o operations?.

I have also seen someone say to use inverted call but I have no idea how that works or how it fits into a mini filter driver

Can you please let me know what is needed on the application side and driver to set up a event so that the driver will pause until the application/user makes a decision. I hope you can still help 🙏

Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
bindflt 1 409800 0
WdFilter 7 328010 0
storqosflt 0 244000 0
wcifs 0 189900 0
PrjFlt 0 189800 0
CldFlt 1 180451 0
FileCrypt 0 141100 0
luafv 1 135000 0
npsvctrig 1 46000 0
Wof 5 40700 0
FileInfo 7 40500 0

The BSOD occurs when I try to load the Driver sys file using OSRLOADER

Unhandled System Threading Exception

Yes please I would greatly appricate your help Randor. I am trying to understand how the logic works for this. I have changed the driver to include the ObReferenceObjectByHandle like so:

status = ObReferenceObjectByHandle(registerEvent->hEvent,
SYNCHRONIZE | EVENT_MODIFY_STATE,
*ExEventObjectType,
Irp->RequestorMode,
¬ifyRecord->Message.Event,
NULL
);

This code is from the driver event example you suggested to me. I have tried to run that example but it BSOD my system so I am trying to understand and add it to my mini filter driver to notify my user mode application.

is this thinking correct?

application creates the event object and passes the handle to the driver via IOCTL. the driver then gets a object reference by handle and CustomTimerDPC is called to Signal KeSetEvent so waitforsingleobject in user mode is satisfied to show the notification which in my case is just a simple message box but could work for anything.

at the moment the DeviceIoControl is always returning false or I am having BSOD with error code IRQL not equal or less or thread exception not handled... basically I am trying all i can think but getting nowhere.

I am aware but not sure where and when to set apc or dispatch levels and where all this fits into the mini filter driver.

Hello again Randor I am finally at the point where I would like to notify my usermode application of events happening within my driver. Its no surprise that I seem to be lost when trying to use the example from the Windows driver sample as it compiles but BSOD my computer because of a unhandled threading exception. I would like to use the IRP_BASED notify approach as it says there are 2 advantages to using that approach. If you can again point me in the right direction I would like to know what each side needs to make the notification work. I know to define a global event within the driver but because I am using .NET for the application side its difficult to understand the concept and how to receive the notification and have the driver wait until it receives the response from the usermode application.

This post is old but I came across it with limited understanding at first and can confirm this works great! the code is basically the same in pure C if anyone needs it.

ULONG PROC_TAG = 0;
UNICODE_STRING processName;

processName.Length = 0;
processName.MaximumLength = (USHORT)DoSPath.MaximumLength + Data->Iopb->TargetFileObject->FileName.MaximumLength + 2;
processName.Buffer = ExAllocatePoolWithTag(PagedPool, processName.MaximumLength, PROC_TAG);

RtlCopyUnicodeString(&processName, &DoSPath);
RtlAppendUnicodeStringToString(&processName, &Data->Iopb->TargetFileObject->FileName);
KdPrint(("%wZ \r\n", processName));

cheers and thank you to the original solution!

thank you after some hair pulling I finally got the filepath correct! thank you Randor

I am noticing and maybe its a realization if correct... Are you not able to get drive letter within the pre operation and only in the post operation? because its not actually loaded yet? if that is the case how can I stop this in the file layer before its loaded into memory and still determine the drive or dos path?

Getting the dosName would be preferred

Currently I am using fltparsefilenameinformation but it still only gives me the path like so:
Information: \Device\HarddiskVolume6\Windows\System32\wbem\wmiutils.dll

Where I would like to change is \Device\HarddiskVolume6\ to display a Drive Letter Instead.

My question now is... Communication with my application, can you still use DeviceIOControl or is there a better method? Also the file paths come up like this:

Information: \Device\HarddiskVolume6\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2203.10.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe

is there a way to get the drive letter to form a proper path?

Hello Again Randor you suggested I keep researching, learning and experimenting so I am doing just that and making progress in my minifilter driver. here is my code so far:

#include <fltkernel.h>
#include <dontuse.h>

PFLT_FILTER FilterHandle = NULL;
NTSTATUS MiniBitUnload(FLT_FILTER_UNLOAD_FLAGS Flags);
FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);
FLT_POSTOP_CALLBACK_STATUS MiniDriverPostOperation(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID* CompletionContext);

const FLT_OPERATION_REGISTRATION Callbacks[] = {
{IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION, 0, MiniDriverPreOperation, MiniDriverPostOperation},
{IRP_MJ_OPERATION_END}
};

const FLT_REGISTRATION FilterRegistration = {
sizeof(FLT_REGISTRATION),
FLT_REGISTRATION_VERSION,
0,
NULL,
Callbacks,
MiniBitUnload,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
};

NTSTATUS MiniBitUnload(FLT_FILTER_UNLOAD_FLAGS Flags) {
KdPrint(("Driver Unload \r\n"));
FltUnregisterFilter(FilterHandle);
return STATUS_SUCCESS;
};

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath) {
NTSTATUS status;
status = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);

if (NT_SUCCESS(status)) {
status = FltStartFiltering(FilterHandle);

if (!NT_SUCCESS(status)){
FltUnregisterFilter(FilterHandle);
}
}

}

FLT_PREOP_CALLBACK_STATUS MiniDriverPreOperation(PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects,
PVOID* CompletionContext) {

if ((Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE) && (Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection))
{
PFLT_FILE_NAME_INFORMATION FileNameInfo;
NTSTATUS status;
WCHAR Name[200] = { 0 };

status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &FileNameInfo);

if (NT_SUCCESS(status)) {

status = FltParseFileNameInformation(FileNameInfo);

if (NT_SUCCESS(status)) {

if (FileNameInfo->Name.MaximumLength < 260) {

// I will check here to determine if the process should be allowed or not to run
//Data->IoStatus.Status = STATUS_ACCESS_DENIED;
//Data->IoStatus.Information = 0;

RtlCopyMemory(Name, FileNameInfo->Name.Buffer, FileNameInfo->Name.MaximumLength);
KdPrint(("Information: %ws \r\n", Name));
}
}

FltReleaseFileNameInformation(FileNameInfo);
}
}
return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

FLT_POSTOP_CALLBACK_STATUS MiniDriverPostOperation(PFLT_CALLBACK_DATA Data,
PCFLT_RELATED_OBJECTS FltObjects,
PVOID* CompletionContext){
KdPrint(("Post Create Is Running \r\n"));
return FLT_POSTOP_FINISHED_PROCESSING;
}

This is a

No just a friendly person like yourself who decided to help

awesome I will be creating a minifilter driver then to deal with process notifications and blocking. I will look at the link you have provided to try and learn how the events work and how to signal or notify my usermode application and send a response back to the driver. I hope to put this part of the project to bed soon as its quite in depth and has already taken me so long to understand lol. just to clarify I can define a event globally and then set that event within the callback to have the callback wait for a response as to block or allow?

Thank you again for the quick response and time taken to help me out in my driver adventure. I agree with you that a minifilter driver would be best also now that I research it and take your advise but will my current code be sufficient or does my current code allow the process to load into memory?

I found this code but its unclear where its called in the driver and if its to be used within a minifilter or Kernel driver

if( ( Data->Iopb->Parameters.AcquireForSectionSynchronization.PageProtection & PAGE_EXECUTE ) && ( Data->Iopb->Parameters.AcquireForSectionSynchronization.SyncType == SyncTypeCreateSection ) )
{
// this is a process execution which is about to start, determine here if the process is allowed to run, if not:
Data->IoStatus.Status = STATUS_ACCESS_DENIED; <-- this will deny the process execution ^_^
Data->IoStatus.Information = 0;
}

Should I be using a minifilter driver or Kernel driver or will it make much difference?

Actually I can see now that within my PsSetCreateProcessNotifyRoutineEx I do have PS_CREATE_NOTIFY_INFO and going to that definition shows the exact structure that you have posted here. Is this the file layer that you are speaking of? here is the code I have in that area:

void OnProcessNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
UNREFERENCED_PARAMETER(Process);

if (CreateInfo) {
ProcId = HandleToUlong(ProcessId);
RtlCopyUnicodeString(&ImageP, CreateInfo->ImageFileName);
//DbgPrint("%d %wZ", ProcId, ImageP);
if (!CreateInfo->IsSubsystemProcess) {
CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
}
}
}

I was first wondering how this structure was called, a bit embarrassing seeing this now sorry Its painfully obvious I am not strong yet in C coding. So that brings me back to the MajorFunction IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION as I understand this is the callback that is called when file operations occur:

NTSTATUS FsRtlRegisterFileSystemFilterCallbacks(
[in] _DRIVER_OBJECT *FilterDriverObject,
[in] PFS_FILTER_CALLBACKS Callbacks
);

So I pass in The DriverObject and PFS_FILTER_CALLBACKS which I found to be:

typedef struct _FS_FILTER_CALLBACKS {
ULONG SizeOfFsFilterCallbacks;
ULONG Reserved;
PFS_FILTER_CALLBACK PreAcquireForSectionSynchronization;
PFS_FILTER_COMPLETION_CALLBACK PostAcquireForSectionSynchronization;
PFS_FILTER_CALLBACK PreReleaseForSectionSynchronization;
PFS_FILTER_COMPLETION_CALLBACK PostReleaseForSectionSynchronization;
PFS_FILTER_CALLBACK PreAcquireForCcFlush;
PFS_FILTER_COMPLETION_CALLBACK PostAcquireForCcFlush;
PFS_FILTER_CALLBACK PreReleaseForCcFlush;
PFS_FILTER_COMPLETION_CALLBACK PostReleaseForCcFlush;
PFS_FILTER_CALLBACK PreAcquireForModifiedPageWriter;
PFS_FILTER_COMPLETION_CALLBACK PostAcquireForModifiedPageWriter;
PFS_FILTER_CALLBACK PreReleaseForModifiedPageWriter;
PFS_FILTER_COMPLETION_CALLBACK PostReleaseForModifiedPageWriter;
PFS_FILTER_CALLBACK PreQueryOpen;
PFS_FILTER_COMPLETION_CALLBACK PostQueryOpen;
} FS_FILTER_CALLBACKS, *PFS_FILTER_CALLBACKS;

How is this used to get notified at the file layer which you describe is better because it happens before the process or file is loaded into memory.

Thank you Randor for bringing this to my attention I am not sure how I overlooked this with all the hours of research I've been doing but reading the PS_CREATE_NOTIFY_INFO link you have supplied is a structure and not a callback? how is this implemented into the driver if ProcessCreationNotifyEx is not the way and by that time the process is already loaded into memory? Will replacing my major function DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl; to IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION make it possible to receive the callbacks at the file layer level? and to my original question how would I go about setting an event within all this and wait for response from my user mode application. I have heard inverted calls might be the answer but if there is a better way I am all ears.

SUCCESS!!! removing both if statements seemed to do the trick!!!! SO VERY HAPPY! Thank you Thank you Thank you

Ok I must be almost there.... ALMOST!! but still no cigar
Everything you have described is changed in the code, both in the driver and in the application but once again I have hit a few snags.

This is my driver switch statement as of now

UNREFERENCED_PARAMETER(DeviceObject);
NTSTATUS status = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
ULONG returnLength = 0;
PVOID* buffer = Irp->AssociatedIrp.SystemBuffer;
ULONG inLength = irpsp->Parameters.DeviceIoControl.InputBufferLength;
ULONG outLength = irpsp->Parameters.DeviceIoControl.OutputBufferLength;

switch (irpsp->Parameters.DeviceIoControl.IoControlCode)
{
case RECEIVE_FROM_USER:
break;
case SEND_PID_TO_USER:
if (outLength == sizeof(ULONG))
{
*buffer = ProcId;
returnLength = sizeof(*buffer);
status = STATUS_SUCCESS;
}
break;
case SEND_PATH_TO_USER:
if (outLength <= (ImageP.Length / 2) - 1)
{
RtlFillMemory(buffer, outLength, 0);
RtlCopyBytes(buffer, ImageP.Buffer, ImageP.Length * 2);
status = STATUS_SUCCESS;
returnLength = ImageP.Length * 2;
}
break;
}

I get a warning in RtlCopyBytes C26451 Arithmetic overflow: Using operator "*" on a 4 byte value and then casting the result to 8 byte value. Cast the value to the wider type before calling operator "*" to avoid overflow (io2)

4 byte value is the return length in bytes of the UNICODE_STRING? What types in C++ are wider to cast to and how? is there a WUNICODE_STRING? of some kind?

OMG!!! SUCCESS!! I am able to see the UNICODE_STRING Process Path in my application but only if I remove the "if" statement... if (outLength <= (ImageP.Length /2) -1) from SEND_PATH_TO_USER but then the SEND_PID_TO_USER CTL fails in my application and I only Receive the Process path and not the PID. Again if I remove the "if" statement from SEND_PID_TO_USER I get only the PID and not the process Path. It appears to be an issue with the outLength or using outLength where I should not be using it Can you please let me know what you think is wrong? I am so so close and owe it to you thank you for being so patient and I look forward to seeing your answer. Might be a simple question to help me solve this issue but what does nOutBufferSize refer to? sizeof(buffer)? or sizeof/Length of UNICODE_STRING or something else?

Thank you so much the way you describe everything is amazing and the level of detail you go to describe what's happening so very much apricated. True Life Saver thank you again!

Thank you very much for this!