WinTun support

Home Forums Discussions Support Portal WinTun support

Tagged: 

Viewing 8 posts - 1 through 8 (of 8 total)
  • Author
    Posts
  • #11524
    oriolarcas
    Participant

    Hi,

    I would like to intercept packets before they are processed by a tunnel software, Wintun.

    Wintun creates a virtual interface, similar to a TUN or TAP in Linux. Said interface can be seen using ipconfig. However, it doesn’t appear in NDISAPI’s GetTcpipBoundAdaptersInfo call.

    Is there any solution or workaround?

    Thanks.

    #11525
    oriolarcas
    Participant

    Follow up:

    This is the code in Wintun that creates the adapter:

    
        NDIS_MINIPORT_DRIVER_CHARACTERISTICS miniport = {
            .Header = { .Type = NDIS_OBJECT_TYPE_MINIPORT_DRIVER_CHARACTERISTICS,
                        .Revision = NdisVersion < NDIS_RUNTIME_VERSION_680
                                        ? NDIS_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_2
                                        : NDIS_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_3,
                        .Size = NdisVersion < NDIS_RUNTIME_VERSION_680
                                    ? NDIS_SIZEOF_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_2
                                    : NDIS_SIZEOF_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_3 },
    
            .MajorNdisVersion = (UCHAR)((NdisVersion & 0x00ff0000) >> 16),
            .MinorNdisVersion = (UCHAR)(NdisVersion & 0x000000ff),
    
            .MajorDriverVersion = WINTUN_VERSION_MAJ,
            .MinorDriverVersion = WINTUN_VERSION_MIN,
    
            .InitializeHandlerEx = TunInitializeEx,
            .HaltHandlerEx = TunHaltEx,
            .UnloadHandler = TunUnload,
            .PauseHandler = TunPause,
            .RestartHandler = TunRestart,
            .OidRequestHandler = TunOidRequest,
            .SendNetBufferListsHandler = TunSendNetBufferLists,
            .ReturnNetBufferListsHandler = TunReturnNetBufferLists,
            .CancelSendHandler = TunCancelSend,
            .DevicePnPEventNotifyHandler = TunDevicePnPEventNotify,
            .ShutdownHandlerEx = TunShutdownEx,
            .CancelOidRequestHandler = TunCancelOidRequest,
            .DirectOidRequestHandler = TunDirectOidRequest,
            .CancelDirectOidRequestHandler = TunCancelDirectOidRequest,
            .SynchronousOidRequestHandler = TunSynchronousOidRequest
        };
    
        Status = PsSetCreateProcessNotifyRoutine(TunProcessNotification, FALSE);
        if (!NT_SUCCESS(Status))
            goto cleanupResources;
    
        Status = NdisMRegisterMiniportDriver(DriverObject, RegistryPath, NULL, &miniport, &NdisMiniportDriverHandle);
        if (!NT_SUCCESS(Status))
            goto cleanupNotifier;
    
    #11527
    Vadim Smirnov
    Moderator

    Windows Packet Filter NDIS filter driver does not bind to WinTun network adapter because of the following in wintun.inf:

    HKR, Ndi\Interfaces, LowerRange, , "nolower"

    while in ndisrd_lwf.inf we have:

    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, bluetooth"

    So there are two choices:

    • Change wintun.inf ‘nolower’ to ‘ethernet’
    • Add ‘nolower’ to the list of FilterMedia types in ndisrd_lwf.inf

    As a side effect second option will cause Windows Packet Filter driver binding to the interfaces it normally would not bind to and therefore it is not supported by stock driver build.

    #11528
    oriolarcas
    Participant

    Thank you Vadim, I added nolower to the FilterMediaTypes list in ndisrd_lwf.inf and it detected the WinTun interface. It worked out of the box.

    #11538
    oriolarcas
    Participant

    Hello again,

    I tried the solution in one Windows 10 machine, but when trying it in another one it did not detect the WinTun adapter.

    What I did was modify the .inf and recreate the .cat and sign with a test certificate. I can successfully install and load the driver in the second machine, but it simply acts as if there was no WinTun adapter, as if the .inf did not include any ‘nolower’ filter.

    I double-checked that the original driver is not present in DriverStore, and the driver that is installed is the one signed by me.

    The Windows 10 versions are the same (20H2), the only difference is that one is Home (unregistered) and the other is Education (registered).

    Any ideas? Any checklist that I could follow? Thanks in advance.

    #11539
    Vadim Smirnov
    Moderator

    Try to add ‘ndis5’ to the list and let me know if it helped.

    #11540
    Vadim Smirnov
    Moderator

    This one seems to work just fine:

    ;-------------------------------------------------------------------------
    ; ndiswg_lwf.INF -- WinpkFilter NDIS LWF driver (WinTun build)
    ;
    ; Copyright (c) NT Kernel Resources.  All rights reserved.
    ;-------------------------------------------------------------------------
    [version]
    Signature   	= "$Windows NT$"
    Class     	= NetService
    ClassGUID  	= {4D36E974-E325-11CE-BFC1-08002BE10318}
    Provider    = %Ntkr%
    CatalogFile = ndiswg.cat
    PnpLockdown	= 1
    
    [Manufacturer]
    %Ntkr%=Ntkr,NTx86,NTia64,NTamd64,NTARM64
    
    [Ntkr.NTx86]
    %ndiswg_Desc%=Install, nt_ndiswg
    
    [Ntkr.NTia64]
    %ndiswg_Desc%=Install, nt_ndiswg
    
    [Ntkr.NTamd64]
    %ndiswg_Desc%=Install, nt_ndiswg
    
    [Ntkr.NTARM64]
    %ndiswg_Desc%=Install, nt_ndiswg
    
    ;-------------------------------------------------------------------------
    ; Installation Section
    ;-------------------------------------------------------------------------
    [Install]
    AddReg=Inst_Ndi
    Characteristics=0x40000
    NetCfgInstanceId="{ACAA7086-8B4C-4443-B5CE-9694A907670C}"
    Copyfiles = ndiswg.copyfiles.sys
    
    [SourceDisksNames]
    1=%ndiswg_Desc%,"",,
    
    [SourceDisksFiles]
    ndiswg.sys=1
    
    [DestinationDirs]
    DefaultDestDir=12
    ndiswg.copyfiles.sys=12
    
    [ndiswg.copyfiles.sys]
    ndiswg.sys,,,2
    
    ;-------------------------------------------------------------------------
    ; Ndi installation support
    ;-------------------------------------------------------------------------
    [Inst_Ndi]
    HKR, Ndi,Service,,"ndiswg"
    HKR, Ndi,CoServices,0x00010000,"ndiswg"
    HKR, Ndi,HelpText,,%ndiswg_HelpText%
    HKR, Ndi,FilterClass,, compression
    HKR, Ndi,FilterType,0x00010001,0x00000002
    HKR, Ndi\Interfaces,UpperRange,,"noupper"
    HKR, Ndi\Interfaces,LowerRange,,"ndis5,ndis4"
    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, bluetooth, ndis5, nolower"
    HKR, Ndi,FilterRunType, 0x00010001, 1 ;this filter must run before any protocol can bind to the below miniport 
    
    ;-------------------------------------------------------------------------
    ; Service installation support
    ;-------------------------------------------------------------------------
    [Install.Services]
    AddService=ndiswg,,ndiswg_Service_Inst
    
    [ndiswg_Service_Inst]
    DisplayName     = %ndiswg_Desc%
    ServiceType     = 1 ;SERVICE_KERNEL_DRIVER
    StartType       = 1 ;SERVICE_SYSTEM_START
    ErrorControl    = 1 ;SERVICE_ERROR_NORMAL
    ServiceBinary   = %12%\ndiswg.sys
    LoadOrderGroup  = NDIS
    Description     = %ndiswg_Desc%
    AddReg          = NdisImPlatformBindingOptions.reg
    
    [Install.Remove.Services]
    DelService=ndiswg,0x200
    
    [NdisImPlatformBindingOptions.reg]
    HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2
    
    [Strings]
    Ntkr = "NT Kernel Resources"
    ndiswg_Desc = "WinpkFilter LightWeight Filter for WinTun"
    ndiswg_HelpText = "WinpkFilter NDIS LightWeight Filter for WinTun"
    #11543
    oriolarcas
    Participant

    Hello,

    It worked. It seems we were missing this change:

    HKR, Ndi\Interfaces,LowerRange,,"ndis5,ndis4"

    Thank you again for your excellent support.

    Oriol

Viewing 8 posts - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.