Implementing Filter-Hook Drivers
When you implement a filter-hook driver, you should consider both the reliability and the efficiency of using this type of driver.
As with any kernel-mode driver, a filter-hook driver is considered a trusted component and can crash the system if it executes an illegal instruction or references an invalid region of memory.
The integrity of data being sent over the network might be suspicious, or faulty hardware or other drivers might submit data in unexpected or improper formats. Therefore, a filter hook must validate the format of such data.
A filter hook must limit the amount of per-packet processing that it performs to reduce the overhead associated with each incoming and outgoing packet. A filter hook should be optimized to minimize the average time it spends processing packets.