IRQL_NOT_LESS_OR_EQUAL – Enter the DDK / WDK

Recently a friend of mine asked for a way to limit internet access. What he wanted was a way to allow only email access plus a hand-selected list of websites. Immediately I thought of downloading a free firewall to solve his problem (but that would be too easy). I started looking for an open source firewall application for Windows that I could modify to suit the needs of my friend. This is when the trouble began.

There are numerous applications you can download from places like sourceforge.net and codeproject.com, but either the code was not usable with the development tools I have or they did not implement enough for me to accomplish my goal easily. My dev tools are Borland C++ Builder 6 Pro and Microsoft Visual C++ Express 2008. Many example firewall programs make use of device driver code, so I decided to jump into the Windows DDK – device driver kit (now called the WDK – Windows Device Kit). I signed up to the WDK group on connections.microsoft.com and downloaded the 500 MB ISO image of the WDK. Using the free VC++ Express 2008 I was able to configure my environment to compile and work with the WDK. Now the real troubles began!

I have developed software professionally for over 15 years, but nothing had prepared me for device driver development. When writing kernel mode drivers there are MANY rules and restrictions on what you can do, and as I began working on my device driver I quickly learned what you can and cannot do. I frequently got IRQL_NOT_LESS_OR_EQUAL blue screen of death (BSOD) errors and other related system crashes. This forced me to write code on my dev box and use my poor children’s computers as guinea pigs (can you say crash * 100!). Having learned about the Kexxx kernel routines, APCs, DPCs, IRPs, IOCTLs and user/kernel mode interactions, I finally wrote a working firewall. The GUI client uses Borland C++ Builder 6 and the device driver uses VC++ 2008 Express (I cannot stand MFC; it’s so ugly compared to the VCL). All is working nicely, but one problem exists. I am using the built-in Windows device driver IpFltDrv.sys to hook my own device driver into the IP layer, which is perfectly OK, except that my friend happens to be running Vista! Vista does have the driver, but it somehow does not work with the filter callback hooking. (I plan to examine a claim from another developer who says he got it working, but that will take more time.)
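As an added illustration (not the author's firewall code), here is the allowlist decision a filter-hook callback registered with IpFltDrv.sys would make, written as a portable C function so it can be compiled and tested outside the kernel. The real callback receives the IP header and the payload as separate pointers and returns PF_FORWARD or PF_DROP; this stand-in takes one contiguous buffer, uses its own enum, and the addresses in its table are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Outcome of the hook. The real IpFltDrv callback returns PF_FORWARD or
 * PF_DROP; this portable stand-in uses its own enum (assumed naming). */
typedef enum { FWD_FORWARD = 0, FWD_DROP = 1 } fwd_action;
typedef struct { uint8_t addr[4]; uint16_t port; } allow_entry;  /* port 0 = any */

/* Constructed allowlist for "email plus a hand-picked site". It is static,
 * fixed-size data: the hook runs at DISPATCH_LEVEL, so it must never touch
 * pageable memory or allocate (a classic IRQL_NOT_LESS_OR_EQUAL cause).
 * Addresses are placeholder ranges, not real hosts. */
static const allow_entry g_allow[] = {
    { {192, 168, 0, 1},  53  },  /* router acting as DNS forwarder */
    { {203, 0, 113, 10}, 25  },  /* SMTP on the mail server */
    { {203, 0, 113, 10}, 110 },  /* POP3 on the mail server */
    { {198, 51, 100, 7}, 80  },  /* the one permitted website */
};

/* Decide whether an outbound IPv4 packet may be forwarded. Every field is
 * bounds-checked so a short or malformed packet is dropped, not over-read. */
fwd_action filter_outbound(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return FWD_DROP;     /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 4 > len) return FWD_DROP;          /* bad IHL / truncated */
    uint8_t proto = pkt[9];
    if (proto != 6 && proto != 17) return FWD_DROP;          /* TCP or UDP only */
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    for (size_t i = 0; i < sizeof g_allow / sizeof g_allow[0]; i++)
        if (memcmp(g_allow[i].addr, pkt + 16, 4) == 0 &&
            (g_allow[i].port == 0 || g_allow[i].port == dport))
            return FWD_FORWARD;
    return FWD_DROP;   /* default deny: anything not listed is blocked */
}

/* Build a minimal constructed packet (20-byte IPv4 header plus the transport
 * port fields) for the given destination and run it through the filter. */
fwd_action decide(const uint8_t dst[4], uint8_t proto, uint16_t dport)
{
    uint8_t buf[24] = { 0x45 };    /* version 4, IHL 5; rest zero-filled */
    buf[9] = proto;
    memcpy(buf + 16, dst, 4);
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)dport;
    return filter_outbound(buf, sizeof buf);
}
```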

So how did I help my neighbour/friend? Here is how we implemented the solution. My friend has a D-Link WBR 1310 wireless router. The router configuration has a section where you may turn website filtering ON/OFF. Since the router allows for password protection via the admin user, it was perfect: my friend could turn the filtering off and on at his convenience while also specifying which websites are allowed when the filter is turned on. One big annoyance was that after you log in to the router it seems ANYONE on the network can connect to the router without logging in again until you reboot the router (which takes 300 seconds). I was hoping to find a logout button but found none (and spent much time googling, etc.). Fortunately there IS a logout for this router! Simply access it via the URL http://192.168.0.1/logout.php (assuming your router is at 192.168.0.1) and voila.

Now that I have a working firewall I plan to add IP filtering capabilities to TimeTracker to optionally allow parents to limit their children’s access to the internet. It has been an interesting 3 months, from Windows Hooks to Code Caves to Assembly Language to Device Drivers… a lot of new things on my plate. I do plan to release this firewall with source code once I have tweaked it and cleaned up the code (I need to remove experimental stuff and get it working with Vista as well).
