KMDF’s NTSTATUS Return Values

September 29, 2007

Frequently happens that, KMDF Functions returns strange status values, that can’t be founded into NtStatus.h, this causes to Newbie KMDF Coders some confusion, the solution is easy, just take a look at \inc\wdf\kmdf\10\wdfstatus.h 😉

See you to the next post 🙂

News From Microsoft

September 5, 2007

USB devices store standard descriptors in firmware for the device, and its interfaces and endpoints. Independent Hardware Vendors (IHVs) can also store class and vendor-specific descriptors. However, the types of information that these descriptors can contain is limited.

So Microsoft implemented OS Descriptors, to enlarge potentialities of IHVs. These descriptors can be used by IHVs to store in firmware much of the information that is now typically provided to customers separately.

Here you can download OS Descriptors.

Measuring Windows Vista Performances
This paper provides information about measuring performance on Windows Vista. It provides guidelines for technical users and professionals who are creating benchmark tests to create accurate, repeatable workloads and measurements.

Optimizing Windows Vista Platforms for Energy Efficiency

This paper explains how to evaluate system energy efficiency and demonstrates example power policy settings to favor power savings or performance. Best practices for energy-efficient platform design are also covered.

Have a nice Day,


Something about Firewall hooking and Packet Filtering #2

August 27, 2007


Here the second and last part of my little paper..
First of all, let’s introduce some more specification, to make previous blog entry more clear
The last struct showed, is the _FIREWALL_CONTEXT_T, and as can be seen there is DIRECTION_E that could be a little obscure, so here is reported:

typedef enum _IP_DIRECTION_E {

Represents easly a packet is Receiver or Transmitted.

The return values by the filter-routine can be:

DROP = 1

that are proper of FORWARD_ACTION

As previously said, to implement IP_SET_FIREWALL_HOOK_INFO, it’s necessary to write a filter function for \device\IP, so the pointer (to IP) self can be obtained easly by calling IoGetDeviceObjectPointer( )

Now can be installed the filter function, by passing througout IP’s pointer the address of the filtering function self, with IoBuildDeviceIoControlRequest(IOCTL_IP_SET_FIREWALL_HOOK, IpDeviceObject,…..)
It’s important to say also (according to DDK documentation) that IOCTL_PF_SET_EXTENSION_POINTERregisters filter-hook callback to the IP filter driver, to “make known” \device\IP to reroute every packet received or transmitted, and finally this same IOCTL clears the filter function from IP device. All these specifications could be made, by filling up the proper structure of this IOCTL, that will go to constitute the InputBuffer of IoBuildDeviceIoControlRequest:

PF_SET_EXTENSION_HOOK_INFO, that inside have another struct PacketFilterExtensionPtr which specifies the pointer to the filter hook callback, and when ins FALSE clears the filter.

typedef PF_FORWARD_ACTION (*PacketFilterExtensionPtr)(
IN unsigned char *PacketHeader, //Pointer to Ip header of packet
IN unsigned char *Packet, //Points a buffer with informations in the packet
//that filter-hook receives
IN unsigned int PacketLength , //Length of the packet
IN unsigned int RecvInterfaceIndex,//Index number for the interface adapter (InGoing)
IN unsigned int SendInterfaceIndex,//Index number for the interface adapter (OutGoing)
IN IPAddr RecvLinkNextHop, //IP address for the interface adapter that received the packet
IN IPAddr SendLinkNextHop //IP address for the interface adapter that will transmit the packet

It’s also important to notice that only on filter function per time can be installed, if others resides functions are stil working this one will not work.

See you to the next post! 🙂

Something about Firewall hooking and Packet Filtering

August 26, 2007


Firewall hooking is a task in major part not well documented, MS doesn’t provides a clear and exaustive documentation about structures and development, so the only mode to have more knowledge is the RCE method.

These filter-hooks obviously works only at kernel mode, installing a callback function, and the driver installs a callback into \device\IP (which can be seen with WinObj) but let’s also parse \system32\Drivers

Fortunately, no extreme binary analysis is needed, we can study directly some header file from DDK, and precisely ipfirewall.h, so let’s take a deeper look to this file. Immediately we can see two intersing structs, the first is IPPacketFirewallPtr that works as a callout routine, and the most interesting _IP_SET_FIREWALL_HOOK_INFO
First Struct:

First Struct: typedef FORWARD_ACTION (*IPPacketFirewallPtr)(
VOID **pData, //can be pMdl or pRcvBuf
UINT RecvInterfaceIndex, //Received Data
UINT *pSendInterfaceIndex, //Index where data is sent
UCHAR *pDestinationType, //Can be Local Network, Remote, Broadcast, Multicast.
VOID *pContext, //Points to _FIREWALL_CONTEXT_T
UINT ContextLength, //sizeof(FIREWALL_CONTEXT_T)
struct IPRcvBuf **pRcvBuf

Second Struct:

IPPacketFirewallPtr FirewallPtr; // Packet filter callout.
UINT Priority; // Priority of the hook
BOOLEAN Add; // if TRUE then ADD else DELETE

This is the heart structure necessary to set-up the filter-hook, which can be done by sending a IOCTL to \device\Ip


IP_SET_FIREWALL_HOOK_INFO will be the Input Structure to be filled for the IOCTL.

By observing IPPacketFirewallPtr, we can see _FIREWALL_CONTEXT_T which is:

typedef struct _FIREWALL_CONTEXT_T {
DIRECTION_E Direction;
void *NTE;
void *LinkCtxt;
UINT LContext2;

After installing the filter-hook, can be powered up a set of rules to FORWARD or DROP a packet.

Thanks to Jesus O.

Good Driver Links

August 24, 2007


Here I inserted some link, just to open thi section 🙂 other links and suggestions are welcome..

Latest WDK :

WDK Documentation:

A bit different from Vista’s Documentation, cause the DTM stuff that this WDK-Doc don’t have.

Debugging Tools for 32 bits:

Debugging Tools for 64 bits, Native Itanium:

Debugging Tools for 64 bits, Native x64:

Virtual Address Space Usage In Windows Game Development

Suggestions for new links are welcome

Best Regards,