WFP connect redirect causes BSOD on Windows 11

nei00 10 Reputation points
2023-03-10T08:12:06.47+00:00

Hello,

I use WFP's asynchronous redirect mode to process traffic on Windows 11 (build 22621.525). The processing sequence is as follows:

Async:

From classifyFn --

1) FwpsAcquireClassifyHandle0

2) [optional] allocate a FWPS_CLASSIFY_OUT0-sized object and copy all fields from the classifyOut parameter to the driver-allocated object.

3) FwpsPendClassify0(..., classifyOut);

From worker thread --

4) FwpsAcquireWritableLayerDataPointer0(..., NULL);

5) modify writable fields of FWPS_CONNECT_REQUEST0 (after casting from the OUT writableLayerData parameter) as desired.

6) FwpsApplyModifiedLayerData0 (set the FWPS_CLASSIFY_FLAG_REAUTHORIZE_IF_MODIFIED_BY_OTHERS flag if you wish to be re-authorized should your modification be further modified by another callout)

7) FwpsCompleteClassify0 (pass in the driver-allocated classifyOut object if you wish to avoid completion-triggered re-auth; set the actionType to PERMIT before passing the pointer)

8) FwpsReleaseClassifyHandle0

The program works normally. However, when I enable Verifier's code integrity check, it triggers a BSOD.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, BugChecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: ffffa50dbb487910, subclass of driver violation.
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

DBGHELP: Timeout to store: d:\mysymbols*http://10.70.48.40/symbols

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 3046

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 40134

    Key  : Analysis.Init.CPU.mSec
    Value: 5030

    Key  : Analysis.Init.Elapsed.mSec
    Value: 2445416

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 94

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Timestamp
    Value: 2022-05-06T12:50:00Z

    Key  : WER.OS.Version
    Value: 10.0.22621.1


BUGCHECK_CODE:  c4

BUGCHECK_P1: ffffa50dbb487910

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

ADDITIONAL_DEBUG_TEXT:  Failed to find the associated rule. Please upgrade your debugger (ext.dll).

DV_RULE_INFO: 0xBB487910

PROCESS_NAME:  System

STACK_TEXT:  
ffffb50a`0be86ca8 fffff805`3c960262     : ffffb50a`0be86e10 fffff805`3c70bb60 ffff9480`d6ee0180 ffffa50d`bb487901 : nt!DbgBreakPointWithStatus
ffffb50a`0be86cb0 fffff805`3c95f953     : ffff9480`00000003 ffffb50a`0be86e10 fffff805`3c8419b0 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
ffffb50a`0be86d10 fffff805`3c82b0b7     : 00000000`00000000 00000000`00000b00 ffffa50d`bb487910 fffff805`3db068f0 : nt!KeBugCheck2+0xba3
ffffb50a`0be87480 fffff805`3ec88dd8     : 00000000`000000c4 ffffa50d`bb487910 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx+0x107
ffffb50a`0be874c0 fffff805`3ec88a04     : ffffa50d`bb095720 00000000`00000000 ffffa50d`00000002 00000000`000001a0 : tcpip!AlepValidateConnectRedirectLayerData+0x38
ffffb50a`0be87500 fffff805`3ea915af     : ffffa50d`bb487910 fffff805`3eabc000 ffffa50d`b6bd5240 ffffa50d`b6bd5240 : tcpip!AlepFreeCloneConnectRedirectLayerData+0x34
ffffb50a`0be87530 fffff805`3ea929ac     : 00000000`00000000 ffffa50d`be2847f0 ffffa50d`be2847f0 00000000`00000000 : NETIO!ClassifyContextCleanupRoutine+0x12f
ffffb50a`0be87570 fffff805`3ea9275c     : 00000000`00000004 ffffa50d`00000000 09e05c89`95c9c4f4 fffff804`e79808db : NETIO!WfpObjectDereference+0x20
ffffb50a`0be875a0 fffff805`3ee67140     : 00000000`00000004 00000000`00000000 ffffa50d`b9e06060 ffffa50d`b9f652d0 : NETIO!FeReleaseClassifyHandle+0x6c
ffffb50a`0be875d0 fffff804`e79814cb     : ffffa50d`bbae0010 ffffa50d`bb486050 ffffb50a`0be876f1 fffff804`00000738 : fwpkclnt!FwpsReleaseClassifyHandle0+0x10

This program works well on Win7, Win10, and Win11 (build 22000.556) and passes all tests under Verifier. However, there are issues on Win11 (build 22621.1265). After reverse engineering AlepValidateConnectRedirectLayerData, I found that Win11 (build 22621.1265) added special code for the code integrity check.

void __fastcall AlepValidateConnectRedirectLayerData(ULONG_PTR BugCheckParameter1)
{
  unsigned int v1; // eax

  // The check only runs when bit 0x2000000 of tcpip's internal verifier flag
  // word is set, which is why the same driver runs without Verifier enabled.
  if ( (gVerifierFlags & 0x2000000) != 0 )
  {
    // Reads a DWORD guard tag at offset 324 (0x144) of the cloned layer data;
    // BugCheckParameter1 is the pointer to that clone and becomes Arg1.
    v1 = *(_DWORD *)(BugCheckParameter1 + 324);
    // 1819435841 == 0x6C726341, i.e. the bytes 'A','c','r','l' in memory order.
    // A mismatch raises DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4) with the
    // value actually read as Arg2; in the dump above Arg2 is 0, so the tag
    // had been overwritten with zero by the time the handle was released.
    if ( v1 != 1819435841 )
      KeBugCheckEx(0xC4u, BugCheckParameter1, v1, 0i64, 0i64);
  }
}

Please tell me how I can solve this problem.

Windows 11
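The guard check visible in the decompiled function above, reproduced as an added user-mode C model; this is not code from the question, from tcpip.sys or from any Microsoft sample. Only the offset 324 and the tag value 0x6C726341 are taken from the page. The ModelClone layout, the function names and the overrun scenario are assumptions made for illustration, and the model shows the two properties the stack trace implies: the tag is validated only when the handle is released, and only when the verifier bit is set, so the same corruption is silent without Verifier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the decompiled tcpip!AlepValidateConnectRedirectLayerData on the page:
 * a DWORD guard tag at offset 324 (0x144) of the cloned connect-redirect layer
 * data must equal 1819435841 == 0x6C726341, the bytes 'A','c','r','l' in
 * memory order. The check runs only when the verifier flag bit is set. */
#define CLONE_TAG_OFFSET 324u
#define CLONE_TAG_VALUE  0x6C726341u
#define VERIFIER_CI_BIT  0x2000000u

/* ASSUMED layout for this model: an opaque byte region standing in for the
 * FWPS_CONNECT_REQUESTx data, immediately followed by the guard tag. The real
 * tcpip.sys allocation is not documented; only the offset and value are known. */
typedef struct {
    uint8_t  layerData[CLONE_TAG_OFFSET];
    uint32_t tag;
} ModelClone;

static void model_clone_init(ModelClone *c)
{
    memset(c, 0, sizeof *c);
    c->tag = CLONE_TAG_VALUE;
}

/* Mirrors the decompiled function minus KeBugCheckEx: returns true when the
 * verifier bit is set and the DWORD at offset 324 is not the expected tag,
 * i.e. when FwpsReleaseClassifyHandle0 -> ClassifyContextCleanupRoutine ->
 * AlepFreeCloneConnectRedirectLayerData would end in bugcheck 0xC4. */
bool model_release_would_bugcheck(const ModelClone *c, uint32_t verifierFlags)
{
    if ((verifierFlags & VERIFIER_CI_BIT) == 0)
        return false;                 /* no check at all without Verifier */
    uint32_t v;
    memcpy(&v, (const uint8_t *)c + CLONE_TAG_OFFSET, sizeof v);
    return v != CLONE_TAG_VALUE;
}

/* Bounded "modify writable fields" step: refuses anything larger than the
 * layer-data region, so the tag behind it is never touched. */
bool model_apply_bounded(ModelClone *c, const void *src, size_t len)
{
    if (len > sizeof c->layerData)
        return false;
    memcpy(c->layerData, src, len);
    return true;
}

/* ASSUMED failure mode, for illustration only: a copy sized by the caller's
 * own struct rather than by the layer data runs over the tag. Writing through
 * the whole object as bytes keeps this well-defined C. */
void model_apply_unbounded(ModelClone *c, const void *src, size_t len)
{
    if (len > sizeof *c)
        len = sizeof *c;
    memcpy((uint8_t *)c, src, len);
}

/* Runs the three situations the question describes and returns a bitmask:
 * bit0 = bounded write releases cleanly under Verifier,
 * bit1 = overrun is caught under Verifier at release time,
 * bit2 = the same overrun goes unnoticed without Verifier. */
unsigned model_scenarios(void)
{
    ModelClone c;
    uint8_t patch[sizeof(ModelClone)];    /* 4 bytes longer than layerData */
    unsigned result = 0;
    memset(patch, 0xAB, sizeof patch);    /* constructed filler, not real data */

    model_clone_init(&c);
    if (model_apply_bounded(&c, patch, sizeof c.layerData) &&
        !model_release_would_bugcheck(&c, VERIFIER_CI_BIT))
        result |= 1u;

    model_clone_init(&c);
    model_apply_unbounded(&c, patch, sizeof patch);
    if (model_release_would_bugcheck(&c, VERIFIER_CI_BIT))
        result |= 2u;
    if (!model_release_would_bugcheck(&c, 0))
        result |= 4u;

    return result;
}

int main(void)
{
    unsigned r = model_scenarios();
    printf("scenario mask = 0x%x (expect 0x7)\n", r);
    return r == 7u ? 0 : 1;
}
```

Build with any C99 compiler (for example cc -std=c99 model.c) and run; the exit status is 0 when all three outcomes match. The model cannot say what overwrites the tag in the poster's driver, only that it happens before step 8 and that, because the decompiled function passes the value it read as Arg2, the Arg2 of 0 in the posted dump means the DWORD at offset 324 read back as zero rather than as a stray struct field.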

2 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Zy C 0 Reputation points
    2024-05-06T09:28:44.3433333+00:00

    As in the title.

    How to solve it?

