ICMP interception at TDI level


This topic contains 3 replies, has 2 voices, and was last updated by  Taras 11 years, 2 months ago.

  • #4897

    Deneb
    Participant

    Hi all,

    I want to intercept ICMP requests made to \Device\Ip from a TDI filter driver. It's easy to hook the device object, but what's the format of the data being sent to tcpip.sys? Is there any documentation available? Thanks a lot.

    #5684

    Taras
    Participant

    There may be two cases:
    1) The app uses Icmpapi (for example ping.exe). Then
    \Device\Ip gets IRP_MJ_INTERNAL_DEVICE_CONTROL
    or IRP_MJ_DEVICE_CONTROL
    MinorFunction = 0
    IOCTL = 0x120000

    with this parameter:

    typedef struct __ICMP_ECHO_REQUEST {
    unsigned long Address;        /* destination IPv4 address */
    unsigned long Timeout;        /* reply timeout, milliseconds */
    unsigned short DataOffset;    /* offset of the echo payload from the start of the buffer */
    unsigned short DataSize;      /* payload length in bytes */
    unsigned char OptionsValid;   /* nonzero when Ttl/Tos/Flags and options are set */
    unsigned char Ttl;
    unsigned char Tos;
    unsigned char Flags;
    unsigned short OptionsOffset; /* offset of the IP options from the start of the buffer */
    unsigned char OptionsSize;
    unsigned char Padding;
    } ICMP_ECHO_REQUEST, *PICMP_ECHO_REQUEST;
    You should intercept such IRPs.

    2) The app can use raw sockets. In that case you should hijack the raw traffic.

    #5685

    Deneb
    Participant

    Hello,

    The code handling / filtering this request does:

    PIO_STACK_LOCATION pIOSL = IoGetCurrentIrpStackLocation( pIRP );
    ICMP_ECHO_REQUEST* pIcmpEchoReq = ( ICMP_ECHO_REQUEST* )( &( pIOSL->Parameters ) );

    pIcmpEchoReq has a strange format; it doesn't contain any information that I have passed, such as the IP address to which I've issued the ping command. Perhaps there is something wrong with my code?

    Thank you.

    #5686

    Taras
    Participant

    Try

    /* IOCTL 0x120000 is METHOD_BUFFERED: the input buffer is in SystemBuffer, not in the stack location's Parameters */
    ICMP_ECHO_REQUEST* pIcmpEchoReq = ( ICMP_ECHO_REQUEST* )( Irp->AssociatedIrp.SystemBuffer );
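
Added example, not code from the thread or from either poster: a small user-mode C program that decodes the IOCTL code Taras quotes (0x120000) into its CTL_CODE fields, which confirms it is a METHOD_BUFFERED request and so explains why the request sits in Irp->AssociatedIrp.SystemBuffer rather than in the stack location's Parameters, and then parses an ICMP_ECHO_REQUEST out of such a buffer with the length checks a filter needs before trusting the user-supplied DataOffset/DataSize. It serves both Taras's description of the IOCTL and struct in his first reply and his SystemBuffer correction here. The function and type names (decode_ioctl, parse_icmp_echo_request, build_sample_request, IOCTL_FIELDS, ICMP_ECHO_PARSED) are my own, the request buffer is constructed rather than captured, the struct is written with fixed-width types on the assumption that the posted unsigned long fields are 32-bit as on Windows, and the Address field is assumed to be in network byte order like the IPAddr passed to IcmpSendEcho.

```c
/* Added example, not from the thread. Plain user-mode C, no WDK needed.
 * Assumptions: ICMP_ECHO_REQUEST is the 20-byte layout posted above with
 * 32-bit unsigned long; Address is in network byte order (IcmpSendEcho IPAddr). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE(DeviceType, Function, Method, Access) bit layout. */
#define FILE_DEVICE_NETWORK 0x12
#define METHOD_BUFFERED     0

typedef struct { unsigned device_type, function, method, access; } IOCTL_FIELDS;

IOCTL_FIELDS decode_ioctl(uint32_t code)
{
    IOCTL_FIELDS f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;
    return f;
}

/* Request header as posted in the thread, with fixed-width field types. */
typedef struct _ICMP_ECHO_REQUEST {
    uint32_t Address;       /* destination IPv4, network byte order (assumed) */
    uint32_t Timeout;       /* reply timeout in milliseconds */
    uint16_t DataOffset;    /* offset of the echo payload from the buffer start */
    uint16_t DataSize;      /* payload length in bytes */
    uint8_t  OptionsValid;  /* nonzero when Ttl/Tos/Flags and options are set */
    uint8_t  Ttl;
    uint8_t  Tos;
    uint8_t  Flags;
    uint16_t OptionsOffset; /* offset of the IP options from the buffer start */
    uint8_t  OptionsSize;
    uint8_t  Padding;
} ICMP_ECHO_REQUEST;

typedef struct {
    char           address[16]; /* dotted quad */
    uint32_t       timeout_ms;
    uint16_t       data_size;
    const uint8_t *data;        /* points into the caller's buffer */
    uint8_t        ttl;         /* 0 when OptionsValid is clear */
} ICMP_ECHO_PARSED;

/* buf/len stand in for Irp->AssociatedIrp.SystemBuffer and the stack
 * location's Parameters.DeviceIoControl.InputBufferLength. Returns 0 on
 * success, -1 if the header does not fit, -2/-3 if the payload or options
 * offsets point outside the buffer (both come from the user-mode caller). */
int parse_icmp_echo_request(const uint8_t *buf, size_t len, ICMP_ECHO_PARSED *out)
{
    ICMP_ECHO_REQUEST req;
    memset(out, 0, sizeof *out);
    if (buf == NULL || len < sizeof req) return -1;
    memcpy(&req, buf, sizeof req);          /* no alignment assumptions on buf */
    if ((size_t)req.DataOffset + req.DataSize > len) return -2;
    if (req.OptionsValid && req.OptionsSize != 0 &&
        (size_t)req.OptionsOffset + req.OptionsSize > len) return -3;
    /* Address bytes sit in memory order, so read them straight from the buffer. */
    snprintf(out->address, sizeof out->address, "%u.%u.%u.%u",
             buf[0], buf[1], buf[2], buf[3]);
    out->timeout_ms = req.Timeout;
    out->data_size  = req.DataSize;
    out->data       = buf + req.DataOffset;
    out->ttl        = req.OptionsValid ? req.Ttl : 0;
    return 0;
}

/* Constructed sample (not captured): a ping.exe-style request to 10.0.0.1,
 * TTL 128, 8-byte payload placed right after the header. */
size_t build_sample_request(uint8_t *buf, size_t cap)
{
    static const char payload[] = "abcdefgh";
    const size_t plen = sizeof payload - 1;
    const uint8_t addr[4] = {10, 0, 0, 1};
    ICMP_ECHO_REQUEST req;
    if (cap < sizeof req + plen) return 0;
    memset(&req, 0, sizeof req);
    memcpy(&req.Address, addr, sizeof addr);
    req.Timeout      = 1000;
    req.DataOffset   = (uint16_t)sizeof req;
    req.DataSize     = (uint16_t)plen;
    req.OptionsValid = 1;
    req.Ttl          = 128;
    memcpy(buf, &req, sizeof req);
    memcpy(buf + sizeof req, payload, plen);
    return sizeof req + plen;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_sample_request(buf, sizeof buf);
    IOCTL_FIELDS f = decode_ioctl(0x120000u);
    ICMP_ECHO_PARSED p;

    printf("IOCTL 0x120000: device 0x%x (%s), function %u, method %u (%s)\n",
           f.device_type, f.device_type == FILE_DEVICE_NETWORK ? "FILE_DEVICE_NETWORK" : "other",
           f.function, f.method,
           f.method == METHOD_BUFFERED ? "METHOD_BUFFERED, input in SystemBuffer" : "not buffered");
    if (parse_icmp_echo_request(buf, n, &p) == 0)
        printf("echo request to %s, timeout %u ms, ttl %u, %u payload bytes\n",
               p.address, (unsigned)p.timeout_ms, (unsigned)p.ttl, (unsigned)p.data_size);
    printf("truncated buffer -> %d\n", parse_icmp_echo_request(buf, 10, &p));
    return 0;
}
```

In the filter itself, buf is Irp->AssociatedIrp.SystemBuffer and len is pIOSL->Parameters.DeviceIoControl.InputBufferLength; rejecting requests whose offsets run past that length matters because the whole buffer comes straight from the user-mode caller, and the data pointer this returns must not be used after the IRP is completed.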
