在内核驱动程序中使用Windows筛选平台 [英] using Windows Filtering Platform in Kernel Driver

问题描述

我们最近在驱动程序中添加了Windows筛选平台功能。

We recently added Windows Filtering Platform capabilities to our driver.

我们设法从wfp毫无问题地获取了所需的信息，但是问题出在引导过程中-由于我们添加了wfp功能，因此使用驱动程序的机器无法启动-他们陷入僵局（计算机的卡在启动画面中）。

We managed to get the information we required from the wfp with no problem, but the problem is during the boot process - eversince we added the wfp capabilities, machines using the driver cannot boot - they get a deadlock (the computer's "stuck" in the splash screen).

我们发现它的原因可能是因为我们的驱动程序仅依赖于FltMgr，并且可能在加载wfp框架之前已加载（TcpStack？）。

We figured its probably because our driver is dependent only on FltMgr and is probably loaded before the wfp framework is loaded (TcpStack?).

我的问题是-是否可以询问服务管理器或任何其他授权机构是否加载了wfp框架？甚至更进一步-wfp所依赖的驱动程序 是什么？ （这样我就可以在开始使用它们之前检查它们是否已加载）。

My question is - is there a way to ask the Service Manager or any other authority whether or not the wfp framework is loaded? or even further - what is the drivers wfp is dependent on? (so I could check if they are loaded before starting using it)

推荐答案

这是我在DriverEntry中所做的事情。

Here is what I do in DriverEntry.

//
// Wait for the WFP engine to be ready.
//

FWPM_SERVICE_STATE  bfeState;

bfeState = FwpmBfeStateGet0();
if (bfeState != FWPM_SERVICE_RUNNING) 
{
    WaitTime.QuadPart = (-5000000);   // wait 500000us (500ms) relative
    do {
        KeDelayExecutionThread (KernelMode, FALSE, &WaitTime);
        bfeState = FwpmBfeStateGet0();
        WaitCycles--;
    } while (bfeState != FWPM_SERVICE_RUNNING && WaitCycles > 0);
}

if (bfeState != FWPM_SERVICE_RUNNING)
{
    // log and error handling
}

这篇关于在内核驱动程序中使用Windows筛选平台的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！