Registering and Clearing a Filter Hook
A filter-hook driver registers its filter-hook callback function with the IP filter driver so that the IP filter driver calls the hook callback for every IP packet that is received or transmitted. A filter-hook driver might also clear a previously registered hook callback. To register or clear a hook callback function, the filter-hook driver must first create an IRP using a pointer to the device object for the IP filter driver and IOCTL_PF_SET_EXTENSION_POINTER. The filter-hook driver then submits this IRP to the IP filter driver.
The filter-hook driver registers or clears hook callback functions as follows:
1. Calls the IoGetDeviceObjectPointer function to retrieve a pointer to the device object for the IP filter driver.
   The filter-hook driver passes:
   - A pointer to a buffer that contains the string for the name of the IP filter driver
   - Values that specify synchronous, read, and write access to the IP filter driver
   - Pointers to buffers to hold the returned pointers to the device object and corresponding file object
2. Calls the IoBuildDeviceIoControlRequest function to set up an IRP.
   The filter-hook driver passes parameters that specify:
   - IOCTL_PF_SET_EXTENSION_POINTER value
   - Pointer to the device object for the IP filter driver
   - Buffer that contains a PF_SET_EXTENSION_HOOK_INFO structure
   To register the filter hook, this structure holds information that specifies the address of the filter-hook callback function. To clear the filter hook, this structure contains a NULL value.
   This call returns a pointer to an IRP with the I/O stack location set up from the supplied parameters.
3. Calls the IoCallDriver function to submit the IRP to the IP filter driver.
   The filter-hook driver passes parameters that specify the pointer to the device object for the IP filter driver and a pointer to the previously created IRP.
The filter-hook driver must clear its filter hook from the same entity with which it registered its filter hook; therefore, the filter-hook driver should store the pointers to the IP filter driver's file and device objects in global variables. Only then can the filter-hook driver call the ObDereferenceObject function to decrement the reference count of the IP filter driver's file and device objects.
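The following added example is not WDK code and not part of the original documentation. It is a user-mode model of the ordering described above: register through a stored device pointer, clear through that same pointer, and release the reference only after the clear. Every type and model_* function is a hypothetical stand-in for the kernel object or routine named in its comment, and the sample hook rule is constructed.

```c
/* User-mode model (constructed for illustration, NOT WDK code). Every type and
   model_* function is a hypothetical stand-in for the kernel object or routine
   named in the comment beside it. */
#include <stddef.h>

typedef int (*hook_fn)(const unsigned char *pkt, unsigned len); /* hook callback; 0 = forward, 1 = drop */
typedef struct { hook_fn ExtensionPointer; } hook_info;         /* PF_SET_EXTENSION_HOOK_INFO */
typedef struct { int refs; hook_fn hook; } model_device;        /* IP filter driver file/device objects */

static model_device g_ipfilter;  /* the modelled IP filter driver */
static model_device *g_dev;      /* pointer from step 1, kept global for the later clear */

/* Step 1, IoGetDeviceObjectPointer: hands back the device and takes a reference. */
static model_device *model_get_device(void) { g_ipfilter.refs++; return &g_ipfilter; }

/* Steps 2 and 3, IoBuildDeviceIoControlRequest + IoCallDriver with
   IOCTL_PF_SET_EXTENSION_POINTER: the driver stores the pointer it is given. */
static int model_submit(model_device *dev, const hook_info *info) {
    if (dev == NULL || dev->refs <= 0) return -1;   /* stale or missing device object */
    dev->hook = info->ExtensionPointer;
    return 0;
}

static void model_deref(model_device *dev) { dev->refs--; }  /* ObDereferenceObject */

/* The modelled driver consults the registered hook for each packet. */
int model_deliver(const unsigned char *pkt, unsigned len) {
    return g_ipfilter.hook ? g_ipfilter.hook(pkt, len) : 0;
}

int hook_register(hook_fn fn) {
    hook_info info = { fn };
    if (fn == NULL || g_dev != NULL) return -1;     /* NULL would clear; no double registration */
    g_dev = model_get_device();
    if (model_submit(g_dev, &info) != 0) { model_deref(g_dev); g_dev = NULL; return -1; }
    return 0;
}

int hook_clear(void) {
    hook_info info = { NULL };                      /* a NULL pointer clears the hook */
    if (g_dev == NULL) return -1;                   /* nothing was registered through us */
    if (model_submit(g_dev, &info) != 0) return -1; /* same device object as registration */
    model_deref(g_dev);                             /* release only after the clear succeeded */
    g_dev = NULL;
    return 0;
}

/* Sample hook: drops packets whose first byte is 0xFF (constructed rule). */
int drop_ff(const unsigned char *pkt, unsigned len) { return len > 0 && pkt[0] == 0xFF; }
int model_refs(void) { return g_ipfilter.refs; }
```

In a real driver the same shape applies: the unload path performs the clear with the stored pointers before it dereferences them, so the IP filter driver is never left holding a callback address into unloaded code.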