Click here to Skip to main content
15,558,672 members
Please Sign up or sign in to vote.
5.00/5 (1 vote)
See more:
Im hoping someone can clear up a few issues as I have been at this for quite some time with conflicting results. I have a minifilter driver coded in c++ that monitors process creation and I am using FltSendMessage with communication port and I can confirm that the value is being sent correctly from the driver. The issues I am having is when I PInvoke FilterGetMessage and try to convert the intptr back to string to get the output to the VB.NET application. I am receiving nothing at all or getting large amounts of gibberish, Here is the vb.net code if anyone can help see what is going wrong I would greatly appricate it.

<DllImport("fltlib.dll")>
Shared Function FilterConnectCommunicationPort(
<MarshalAs(UnmanagedType.LPWStr)>portName As String,
options As UInteger,
context As IntPtr,
sizeOfContext As Short,
securityAttributes As IntPtr,
<Out> ByRef portHandle As SafeFileHandle) As UInteger
End Function

<DllImport("fltlib.dll")>
Shared Function FilterGetMessage(
portHandle As SafeFileHandle,
messageBuffer As IntPtr, //or? FILTER_MESSAGE_HEADER
messageBufferSize As Integer,
<[In], [Out]> ByRef overlapped As intptr) As Boolean
End Function


<StructLayout(LayoutKind.Sequential)>
   Public Structure FILTER_MESSAGE_HEADER
       Public ReplyLength As UInt32
       Public MessageId As UInt64
   End Structure


I am calling FilterGetMessage From within a thread using a while loop as so


Dim FltSize = ((1 << 11) - 1) * 2 + 2 '4096 Same as buffer size in driver
 Dim FltMessage As IntPtr = Marshal.AllocHGlobal(FltSize)

do while true
If FilterGetMessage(Communication_Port_Handle, FltMessage, FltSize, intptr.Zero) = True Then
       Dim FltPointer = Marshal.PtrToStringUni(FltMessage)
       Invoke(Sub() RichTextBox1.AppendText("FILTERGETMESSAGE: " & FltPointer))
       Invoke(Sub() RichTextBox1.AppendText(vbCrLf))
End If
loop


I have set up a test string within the driver to report to debugview if FltSendMessage is successfull or not and there appears to be no issue with it there and also FilterGetMessage returns true in the vb.net application as there is a valid communication port handle when it connects. So I am lost now as to why I am getting nothing at all and at other times when I run the program I get gibberish.

The driver is sending the file name as wchar_t and after doing some research I found that the vb.net equivlant is of type string I also have this struct

<StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Ansi)>
   Public Structure node
       <MarshalAs(UnmanagedType.ByValTStr, SizeConst:=BUFFER_SIZE)>
       Public y As String
   End Structure


Im not sure if this struct will even be of any use but thought to add it in this question if it may be of any help.

What I have tried:

I have tried using c++/cli with no luck other than returning integers and const litteral strings.

I have tried encoding with unicode, ANSI and other
Also I have checked and re checked the buffer size being sent and allocated
Posted
Updated 11-Jan-23 4:22am
v6
Comments
11917640 Member 14-Nov-22 0:25am    
ByRef messageBuffer As IntPtr - remove ByRef . FilterGetMessage requires pointer to buffer, and you pass pointer to pointer to buffer.
Dale Seeley 14-Nov-22 0:33am    
thank you for this point I will check if that helps I appricate that
Dale Seeley 14-Nov-22 0:35am    
still no luck :(
11917640 Member 14-Nov-22 1:15am    
I don't see in your code anything about FILTER_MESSAGE_HEADER, see https://learn.microsoft.com/en-us/windows/win32/api/fltuser/nf-fltuser-filtergetmessage and https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/fltuserstructures/ns-fltuserstructures-_filter_message_header. Also, if you don't use overlapped IO, lpOverlapped may be declared as IntPtr and set to IntPtr.Zero.
Dale Seeley 14-Nov-22 2:10am    
awesome I was definatly a bit confused with FILTER_MESSAGE_HEADER because I could not understand how having the struct in my client application would use it. It is used in the driver does it also need to be in the client? Byref or ByVal?

1 solution

Do you still need help with that?
Are the buffer size of driver and vb.net client the same?
The P/Invoke signatures for the FilterConnectCommunicationPort and FilterGetMessage functions from the fltlib.dll seems to be correct.

Some issues: such as the FilterGetMessage call, you're passing intptr.Zero, should be Nothing instead. The loop 'do while true' should be changed. Here is what I would suggest:
Dim FltSize = ((1 << 11) - 1) * 2 + 2 '4096 Same as buffer size in driver
Dim FltMessage As IntPtr = Marshal.AllocHGlobal(FltSize)
Dim FltHeader As FILTER_MESSAGE_HEADER

do while true
    If FilterGetMessage(Communication_Port_Handle, FltMessage, FltSize, Nothing) = True Then
        FltHeader = CType(Marshal.PtrToStructure(FltMessage, GetType(FILTER_MESSAGE_HEADER)), FILTER_MESSAGE_HEADER)
        Dim FltPointer = Marshal.PtrToStringUni(FltMessage + Marshal.SizeOf(FltHeader), CInt(FltHeader.ReplyLength))
        Invoke(Sub() RichTextBox1.AppendText("FILTERGETMESSAGE: " & FltPointer))
        Invoke(Sub() RichTextBox1.AppendText(vbCrLf))
    End If
loop
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900