netbt, TDI, TCPSendData


  • #4884
    Vijender
    Participant

      Hi All,

      I am developing a TDI filter driver where I am trying to capture all netbt traffic, do some filtering on it and pass it to tcp. The problem is netbt!NTSend. This function directly calls tcpip!TCPSendData, so I miss some data here. I just found in NTKernel-Faqs that it is possible to directly call the tcp send handler.
      On reverse engineering netbt!NTSend, I found that it stores the pointer to TCPSendData in (FsContext+0x64) in the connection file object.

      I would like to know if anybody can suggest a workaround for this. What I can think of is replacing the pointer to TCPSendData in FsContext with my function and calling TCPSendData from there.

      Waiting for reply.

      #5651
      Vadim Smirnov
      Keymaster

        Q: netbt.sys calls tcpip!TCPSendData directly. How can this be explained?

        A: Yes, that’s true, tcpip.sys can be requested for the pointer to the internal routine tcpip!TCPSendData. You can see the processing of the particular request (IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER) in the reverse-engineered code of tcpip!TCPDispatch. This interface improves performance of kernel-mode tcpip.sys clients.

        The solution is interception of IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER, saving the TCPSendData pointer and modification of the returned pointer to your own routine. So you can track all calls to TCPSendData.
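        A user-mode model of the interception described above, added here as an illustration (it is not code from the thread, from tcpip.sys or from any driver): the filter passes the handler query down, saves the pointer the transport returns, and hands the client its own routine, so a client that later calls the direct handler still passes through the filter, while a client that queries the transport without the filter in the path bypasses it. The handler signature, the IOCTL constant and the dispatch functions are assumed stand-ins for the real kernel interfaces.

```c
#include <stddef.h>
#include <string.h>

/* Signature of the direct send handler in this model. The real
 * tcpip!TCPSendData prototype is not given in the thread, so this is an
 * assumed simplification. */
typedef int (*SEND_HANDLER)(void *conn, const void *data, size_t len);
enum { QUERY_DIRECT_SEND_HANDLER = 1 };   /* stands in for the real IOCTL */

/* --- transport (models tcpip.sys): owns the real handler --- */
static size_t g_tcp_bytes;                 /* bytes the transport sent */
static int tcp_send_data(void *conn, const void *data, size_t len) {
    (void)conn; (void)data;
    g_tcp_bytes += len;
    return 0;
}
static int tcp_dispatch(int ioctl, SEND_HANDLER *out) {
    if (ioctl != QUERY_DIRECT_SEND_HANDLER) return -1;
    *out = tcp_send_data;                  /* hands out the direct pointer */
    return 0;
}

/* --- filter (models the TDI filter driver): wants to see every send --- */
static SEND_HANDLER g_orig_send;           /* saved TCPSendData pointer */
static size_t g_filter_bytes;              /* bytes the filter inspected */
static int filter_send_data(void *conn, const void *data, size_t len) {
    g_filter_bytes += len;                 /* inspection point */
    return g_orig_send(conn, data, len);   /* then forward to the transport */
}
static int filter_dispatch(int ioctl, SEND_HANDLER *out) {
    int st = tcp_dispatch(ioctl, out);     /* pass the query down */
    if (st == 0 && ioctl == QUERY_DIRECT_SEND_HANDLER) {
        g_orig_send = *out;                /* on completion: save the real one */
        *out = filter_send_data;           /* and return ours to the client */
    }
    return st;
}

/* --- client (models netbt!NTSend): query the handler, then call it directly --- */
static size_t client_send(int (*dispatch)(int, SEND_HANDLER *), const char *payload) {
    SEND_HANDLER send = NULL;
    if (dispatch(QUERY_DIRECT_SEND_HANDLER, &send) != 0) return 0;
    send(NULL, payload, strlen(payload));
    return g_filter_bytes;                 /* how many bytes the filter has seen so far */
}
/* Client obtained the pointer through the filter: the filter sees the bytes. */
size_t send_with_filter_in_path(const char *payload) { return client_send(filter_dispatch, payload); }
/* Client queried the transport directly: the filter never sees them. */
size_t send_bypassing_filter(const char *payload) { return client_send(tcp_dispatch, payload); }
size_t transport_bytes_sent(void) { return g_tcp_bytes; }
```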

        #5652
        Vijender
        Participant

          Hi,

          I have successfully tracked IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER and able to hook TCPSendData.

          But is there any more undocumented ioctl which needs to be handled?
          For example, is there also an ioctl for receive: IOCTL_TDI_QUERY_DIRECT_RECEIVE_HANDLER?

          Waiting for reply.

          #5653
          Vadim Smirnov
          Keymaster

            Hmm, but which IOCTLs are you interested in? For example, do you need to capture IOCTLs over DeviceIp and DeviceMULTICAST? These devices also allow sending packets; for example, DeviceIp is used for sending ICMP packets (ping.exe->ICMP.DLL->DeviceIp). But in general I don’t think that you really need all that stuff.

            #5654
            Vijender
            Participant

              Hi,

              I am concerned only about Devicetcp.

              And my query is on direct handlers.

              Just to clarify my query:


              A TDI client can get a pointer to tcpip’s direct send handler using the ioctl IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER.
              Using this function pointer it can directly pass data to tcpip, bypassing all filter drivers.
              I have captured this ioctl from TDI clients and hooked the tcpip direct handler.

              I want to know if there are more such IOCTLs for Devicetcp that I need to capture, so that no data bypasses my filter driver.

              #5655
              Taras
              Participant

                NTSTATUS
                TcpipSend(
                    IN PIRP SendIrp,
                    IN PIO_STACK_LOCATION SendIrpStack
                    );
