Message 1 of 1
17 Mar 17 07:13
Join Date: 02 Jun 2016
Posts To This List: 16
FilterGetMessage and insufficient buffers
Because couldn't find documentation nor samples, I did some reverse engineering
on FilterGetMessage/FltSendMessage/etc. calls and would like to confirm the
behavior if the buffer that receives a message or reply from/to driver is not
Based on what I see, assuming we are sending a message from driver to usermode
1) If buffer size of FilterGetMessage is small, the API will return
ERROR_INSUFFICIENT_BUFFER or ERROR_MORE_DATA and we can retry the call using a
larger buffer. FltSendMessage will wait for a new request from usermode.
2) When we call FilterReplyMessage with a larger buffer FltSendMessage expects
FltSendMessage will return STATUS_BUFFER_OVERFLOW or STATUS_BUFFER_TOO_SMALL.
Usermode will get the win32 error.