Very Simple TDI Filter Problem (IRQL_NOT_LESS_OR_EQUAL)

[Maleboge]

i have a unknow problem with this very simple TDI hook
after a few “TDIDeviceDispatch” i get this… (WinXP)

#include "test.h"

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DRIVER_OBJECT		g_TDI;

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS TDICompletionRoutine(PDEVICE_OBJECT DeviceObject,PIRP Irp,PVOID Context)

{

PIO_COMPLETION_ROUTINE RealCompletionRoutine = (PIO_COMPLETION_ROUTINE)Context;

if(Context != NULL)

{

return RealCompletionRoutine(DeviceObject,Irp,NULL);

}else{

return STATUS_SUCCESS;

}

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS TDIDeviceDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)

{

NTSTATUS 						Status;

PIO_STACK_LOCATION	StackLocationPtr;

if(Irp == NULL) return STATUS_SUCCESS;

StackLocationPtr = IoGetCurrentIrpStackLocation(Irp);

if(StackLocationPtr->CompletionRoutine != NULL)

{

StackLocationPtr->Context = StackLocationPtr->CompletionRoutine;

}else{

StackLocationPtr->Context = NULL;

}

StackLocationPtr->CompletionRoutine = (PIO_COMPLETION_ROUTINE)TDICompletionRoutine;

StackLocationPtr->Control = SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR | SL_INVOKE_ON_CANCEL;

Status = g_TDI.MajorFunction[StackLocationPtr->MajorFunction](DeviceObject,Irp);

DbgPrint("TDIDeviceDispatchn");

return Status;

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS HookTDI(void)

{

NTSTATUS 				Status;

UNICODE_STRING	usDriverName;

PDRIVER_OBJECT	DriverObjectToHookPtr;

int 						i;

RtlInitUnicodeString(&usDriverName,L"\Driver\Tcpip");

Status = ObReferenceObjectByName(&usDriverName,OBJ_CASE_INSENSITIVE,NULL,0,IoDriverObjectType,KernelMode,NULL,&DriverObjectToHookPtr);

if(Status != STATUS_SUCCESS) return Status;

for(i = 0;i < IRP_MJ_MAXIMUM_FUNCTION;i++)

{

g_TDI.MajorFunction = DriverObjectToHookPtr->MajorFunction;

DriverObjectToHookPtr->MajorFunction = TDIDeviceDispatch;

}

return STATUS_SUCCESS;

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS UnHookTDI(void)

{

NTSTATUS Status;

UNICODE_STRING usDriverName;

PDRIVER_OBJECT DriverObjectToHookPtr;

int i;

RtlInitUnicodeString(&usDriverName,L"\Driver\Tcpip");

Status = ObReferenceObjectByName(&usDriverName,OBJ_CASE_INSENSITIVE,NULL,0,IoDriverObjectType,KernelMode,NULL,&DriverObjectToHookPtr);

if(Status != STATUS_SUCCESS) return Status;

for(i = 0;i < IRP_MJ_MAXIMUM_FUNCTION;i++)

DriverObjectToHookPtr->MajorFunction = g_TDI.MajorFunction;

return STATUS_SUCCESS;

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

VOID OnUnload(PDRIVER_OBJECT DriverObject)

{

UnHookTDI();

DbgPrint("OnUnloadn");

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS ForwardAndForget(PDEVICE_OBJECT DeviceObject,PIRP Irp)

{

Irp->IoStatus.Status = STATUS_SUCCESS;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return Irp->IoStatus.Status;

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)

{

int	i;

for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)

DriverObject->MajorFunction = ForwardAndForget;

DriverObject->DriverUnload  = OnUnload;

DbgPrint("DriverEntryn");

return HookTDI();

}

//::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[GeN]

return RealCompletionRoutine(DeviceObject,Irp,NULL);

why dont you pass original context into original completion routine ?

[Author]

Posts