Problems in Hooking SendHandler (NDIS Hooks)


  • #4892
    egemen
    Participant

      Hello,
      I wonder if anybody watching this list can give me a hint about the following problem:

      I am writing an NDIS hooking driver which modifies the export table of NDIS.sys for the NdisDe/RegisterProtocol and NdisOpen/CloseAdapter functions. The driver loads between ndis.sys and tcpip.sys.

      In the NdisOpenAdapter handler, after calling the original handler and getting NDIS_STATUS_SUCCESS (in the pending case I handle it exactly the same way in the completion routine), I get a pointer to the NDIS_OPEN_BLOCK structure and modify the SendHandler, SendPacketsHandler and TransferDataHandler addresses with my own equivalents.

      Version 1 (NdisOpenAdapter hook)

      PNDIS_OPEN_BLOCK pOpenBlock;   /* pointer type: the block is assigned from *NdisBindingHandle */
      …..
      pOpenBlock = *NdisBindingHandle;
      …..
      /* patch the handler slots in place, inside the open block NDIS owns */
      InterlockedExchangePointer(&pOpenBlock->SendPacketsHandler,
                                 (SEND_PACKETS_HANDLER)pAdapterCtx->OSSendPacketsHandler);

      InterlockedExchangePointer(&pOpenBlock->SendHandler,
                                 (SEND_HANDLER)pAdapterCtx->OSSendHandler);
      ….

      In the first version of my code, I hook the handlers without copying the original NDIS_OPEN_BLOCK (i.e. *NdisBindingHandle) into my own m_OpenBlock structure.

      Now the 1st problem: this hooking works most of the time, namely I can see sending attempts. But sometimes it is not called even though the original handler addresses are modified. For example, when I enable a network connection for the first time, the SendHandlers are not called. When I disable and re-enable it, they are called properly. On a connection using a wireless LAN card, the SendHandlers are never called.

      Later I modified the code to keep my own NDIS_OPEN_BLOCK structure, m_OpenBlock, copied the original open block into it and modified that copy. Then I modified NdisBindingHandle to point to it.

      Version 2 (NdisOpenAdapter hook)

      PNDIS_OPEN_BLOCK pOpenBlock;   /* pointer type, as in version 1 */
      …..
      /* keep a private copy of the open block and redirect the binding handle to it */
      NdisMoveMemory(&pAdapterCtx->m_OpenBlock, *NdisBindingHandle, sizeof(NDIS_OPEN_BLOCK));

      *NdisBindingHandle = &pAdapterCtx->m_OpenBlock;

      pOpenBlock = *NdisBindingHandle;
      …..
      InterlockedExchangePointer(&pOpenBlock->SendPacketsHandler,
                                 (SEND_PACKETS_HANDLER)pAdapterCtx->OSSendPacketsHandler);

      InterlockedExchangePointer(&pOpenBlock->SendHandler,
                                 (SEND_HANDLER)pAdapterCtx->OSSendHandler);
      …..


      This time, the hook never works! For example, when I try to enable a network connection, "network cable unplugged" is reported. 🙂

      Is there any point I am missing? Are there possible race conditions between the hooked calls which may cause this error, so that I should handle them? Should I also hook the BindAdapter routines (BindAdapterHandler and NdisCompleteBindAdapter)?

      I use Windows XP SP1 DDK on Windows XP SP2.

      If somebody could comment on this, I would appreciate it.

      Thanks in advance,

      Egemen Tas
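The handler-slot patching described in this post is exactly what an anti-rootkit or driver-integrity check looks for: a SendHandler, SendPacketsHandler or TransferDataHandler whose address does not fall inside ndis.sys or the miniport bound to that open block. The following is an added example, not code from the thread or from any NDIS hooking product; it models that pointer-range audit in user-mode C. The open-block view, the module table, the module names (hookdrv.sys, miniport_sample.sys) and all addresses are constructed sample data, and the allowed-owner list is a simplification of what a real check would derive per binding.

```c
/* Added example (not from the thread): audit NDIS open-block handler slots.
 * Every handler pointer must resolve into a loaded image that is allowed to own
 * it. Layouts, names and addresses below are constructed, not real NDIS data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct { const char *name; uintptr_t base; size_t size; } loaded_module_t;

/* Constructed stand-in for the three handler slots of an NDIS_OPEN_BLOCK. */
typedef struct {
    const char *adapter;
    uintptr_t send_handler, send_packets_handler, transfer_data_handler;
} open_block_view_t;

/* One handler slot that failed validation. owner is NULL when the pointer lies
 * in no loaded image at all (dangling, NULL, or unlinked hook code). */
typedef struct { const char *adapter, *slot; uintptr_t value; const char *owner; } finding_t;

/* Module whose [base, base+size) range contains addr, or NULL. */
static const loaded_module_t *find_module(const loaded_module_t *m, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= m[i].base && addr < m[i].base + m[i].size) return &m[i];
    return NULL;
}

static bool is_allowed_owner(const loaded_module_t *m, const char **allowed, size_t n)
{
    if (m == NULL) return false;
    for (size_t i = 0; i < n; i++)
        if (strcmp(m->name, allowed[i]) == 0) return true;
    return false;
}

/* Checks every slot of every open block; stores up to max findings, returns the total. */
size_t audit_open_blocks(const open_block_view_t *blocks, size_t n_blocks,
                         const loaded_module_t *mods, size_t n_mods,
                         const char **allowed, size_t n_allowed,
                         finding_t *out, size_t max)
{
    size_t count = 0;
    for (size_t b = 0; b < n_blocks; b++) {
        const struct { const char *slot; uintptr_t value; } slots[3] = {
            { "SendHandler",         blocks[b].send_handler },
            { "SendPacketsHandler",  blocks[b].send_packets_handler },
            { "TransferDataHandler", blocks[b].transfer_data_handler },
        };
        for (size_t s = 0; s < 3; s++) {
            const loaded_module_t *m = find_module(mods, n_mods, slots[s].value);
            if (is_allowed_owner(m, allowed, n_allowed)) continue;
            if (count < max) {
                out[count].adapter = blocks[b].adapter;
                out[count].slot    = slots[s].slot;
                out[count].value   = slots[s].value;
                out[count].owner   = m ? m->name : NULL;
            }
            count++;
        }
    }
    return count;
}

/* Constructed sample: three bindings, one patched by an unknown driver, one with
 * a NULL slot and one dangling pointer. Returns the number of findings. */
static finding_t g_findings[8];
size_t run_sample_audit(void)
{
    static const loaded_module_t mods[] = {
        { "ndis.sys",            0xF8200000u, 0x40000 },
        { "miniport_sample.sys", 0xF8600000u, 0x30000 },
        { "hookdrv.sys",         0xF9A00000u, 0x08000 },   /* not an allowed owner */
    };
    static const char *allowed[] = { "ndis.sys", "miniport_sample.sys" };
    static const open_block_view_t blocks[] = {
        { "Adapter A", 0xF8201230u, 0xF8201580u, 0xF8612000u },   /* clean */
        { "Adapter B", 0xF9A01000u, 0xF9A01100u, 0xF8612000u },   /* two slots hooked */
        { "Adapter C", 0xF8201230u, 0x00000000u, 0xFA000000u },   /* NULL + dangling */
    };
    return audit_open_blocks(blocks, 3, mods, 3, allowed, 2, g_findings, 8);
}
const finding_t *sample_finding(size_t i) { return &g_findings[i]; }

int main(void)
{
    size_t n = run_sample_audit();
    for (size_t i = 0; i < n && i < 8; i++)
        printf("%s: %s -> 0x%lx (%s)\n", g_findings[i].adapter, g_findings[i].slot,
               (unsigned long)g_findings[i].value,
               g_findings[i].owner ? g_findings[i].owner : "no loaded image");
    return 0;
}
```

On the constructed data the audit reports four findings: both patched slots of Adapter B (owned by hookdrv.sys) and the NULL and dangling slots of Adapter C (no image). A real check would also have to re-run after every rebind, since, as the post observes, NDIS rewrites these slots when a binding is torn down and re-established.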

      #5672
      Vadim Smirnov
      Keymaster

        1) The first issue with direct NDIS_OPEN_BLOCK modification works just like you have described. The only fix is hooking internal NDIS routines and repatching the NDIS_OPEN_BLOCK each time the handlers are changed.

        2) The second approach, with substitution of the NDIS_OPEN_BLOCK, works fine, and in your case the problem is somewhere else; the lines you have provided look OK.

        In general an NDIS hooking driver is relatively complicated and it is difficult to design such a driver from scratch. So I would recommend using one of the documented approaches (intermediate driver, filter hook, etc.) or licensing a ready NDIS hooking solution instead of trying to create a new one.
