[GeN]

@nic wrote:

Перехватывать регистрацию event’ов и менять указатели на свои…
-глупый вопрос а как?

не могу не гыгыкнуть 😉
гы гы
кто тут вообще ХОЧЕТ написать TdiMon ? ;-)))

Ну, вообще тебе нужно посмотреть на TDI_SET_EVENT_HANDLER
А так же всю другую инфу по TDI из MSDN.

[GeN]

а ты Windbg юзай …
не надо softice юзать … 😉

[GeN]

Then, you need Hook driver.
to develop drivers for winnt you’ll need DDK
for win9x drivers I’d recommend Numega VToolsD from DriverStudio packet. But this is my “imho”… I know people who do this using DDK for Win98.

If you need samples, take a look at recources on this site.
And some other sites :
http://www.osr.com
http://www.pcausa.com

[GeN]

It depends on your aim, what platforms you wish to protect …

Traditional way is to create kernel-mode drivers ( Hook ). This is because hook drivers are easy to install, have much common source for different platforms.

But if you’d like to support 2k and higher, I’d recommend to write IM-driver.
It’s supported by MS and it will be easier to get licence for it.

[GeN]

@Hexxx wrote:

В майкрософте сидят одни сволочи! В таблице соединений внутри tcpip есть инфа и о Source и о Destination ip/port . Только вот при запросе TDI_QUERY_ADDRESS_INFO копируется из нее только Source… 👿

Пропатчить чтоли tcpip.sys… 😈

Да, кстати об очистке памяти выделеной под контекст. Как же я буду очищать если нулевой хэндлер потом не ставится, как я узнаю что уже можно удалять контекст? Наверно, система шлет ноль только когда собирается переустановить хэндлер. А очищать память надо при закрытии соединения… блин опять же придется делать таблицу соединений…

Когда закроется AddressObject тогда можешь освобождать 100%.

[GeN]

// Я тут хучу tcpip.sys по типу TDIMON, чтобы мониторить соединения

извини, недофтыкнул сразу 😉

думаю, что придется все же мониторить соединения … всмысле следить …

[GeN]

@Hexxx wrote:

И еще вопрос, как по соединению получить remote address? Потому что в TDI_REQUEST_KERNEL_SEND нету RemoteAddress.

Пробовал слать TDI_QUERY_INFORMATION/ TDI_QUERY_DATA_LINK_ADDRESS на file object. Но в отличии от TDI_QUERY_INFORMATION, TDI_QUERY_DATA_LINK_ADDRESS говорит STATUS_NOT_IMPLEMENTED. Неужели единственный путь – это как в TdiMon’e хранить весь набор соединений?

NTSTATUS
ClientEventConnect(
IN PVOID TdiEventContext,
IN LONG RemoteAddressLength,
IN PVOID RemoteAddress,
IN LONG UserDataLength,
IN PVOID UserData,
IN LONG OptionsLength,
IN PVOID Options,
OUT CONNECTION_CONTEXT *ConnectionContext,
OUT PIRP *AcceptIrp
);

ответ понятен, надеюсь

TDI_CONNECT :

IrpSp->Parameters
Pointer to a TDI_REQUEST_KERNEL_CONNECT structure, equivalent to the TDI_REQUEST_KERNEL structure.
The RequestFlags member is irrelevant for connect requests. The transport uses the client-supplied information, such as the remote-node address to which the connection should be offered, in the buffer at RequestConnectionInformation. The transport returns information to the client-supplied buffer at ReturnConnectionInformation. Each of these buffers is formatted as a TDI_CONNECTION_INFORMATION structure.

typedef struct _TDI_CONNECTION_INFORMATION {
LONG UserDataLength;
PVOID UserData;
LONG OptionsLength;
PVOID Options;
LONG RemoteAddressLength;
PVOID RemoteAddress;
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;

[GeN]

return RealCompletionRoutine(DeviceObject,Irp,NULL);

why dont you pass original context into original completion routine ?

[GeN]

;

---

;
; ;
; PASSTHRU.INF ;
; ;
; Windows 98 Installation for NDIS Intermediate Driver example PASSTHRU.SYS ;
; Based largely on NETLANE.INF ;
; ;
; Copyright (c) 1993-2000, Microsoft Corporation ;
; ;
;

---

;

[version]
signature=”$CHICAGO$”
Class=NetTrans
ClassGUID={4d36e975-e325-11ce-bfc1-08002be10318}
provider=%V_MS%
DriverVer=08/24/2000

[Manufacturer]
%V_MS%=MS

[MS]
%PASSTHRU.DeviceDesc%= PASSTHRU.ndi, PASSTHRU
%PASSMINI.DeviceDesc%= PASSMINI.ndi, PASSMINI

[ControlFlags]
ExcludeFromSelect=PASSMINI

[SourceDiskNames]
1=,,,

[SourceDiskFiles]
Passthru.sys=1,,
Passthru.inf=1,,

;

---

;
; PASSTHRU — Protocol edge ;
;

---

;

[PASSTHRU.ndi]
CopyFiles=PASSTHRU.Inf.CopyFiles
AddReg=PASSTHRU.ndi.reg
DeviceID=PASSTHRU
MaxInstance=4
DriverVer=06/08/2000

[PASSTHRU.ndi.reg]
HKR,Ndi,DeviceID,,PASSTHRU
HKR,Ndi,MaxInstance,,8
HKR,Ndi,NetType,,1
HKR,NDIS,LogDriverName,,PASSTHRU
HKR,NDIS,MiniportLogDriverName,,PASSMINI
HKR,NDIS,MajorNdisVersion,1,03
HKR,NDIS,MinorNdisVersion,1,0A
HKR,NdiInterfaces,DefUpper,,”PASSTHRU”
HKR,NdiInterfaces,DefLower,,”ndis3,ndis4,ndis5″
HKR,NdiInterfaces,UpperRange,,”PASSTHRU”
HKR,NdiInterfaces,LowerRange,,”ndis3,ndis4,ndis5″
HKR,NdiInstallInf,,”PassThru.inf”
HKR,NdiInstall,,,”PASSTHRU.Install”
HKR,NdiRemove,,,”PASSTHRU.Remove”
HKR,Ndi,HelpText,,%PASSTHRU_HELP%
HKR,NdiCompatibility,RequireAll,,”PASSMINI”

[PASSTHRU.Install]
AddReg=PASSTHRU.AddReg, PASSTHRU.IMDevNode.AddReg
CopyFiles=PASSTHRU.CopyFiles

[PASSTHRU.AddReg]
HKR,,DevLoader,,*ndis
HKR,,DeviceVxDs,,passthru.sys
HKR,,IntermediateProtocol,,1

[PASSTHRU.IMDevNode.AddReg]
HKLM,SystemCurrentControlSetServicesClassNdis
HKLM,SystemCurrentControlSetServicesClassNdis,,,”Network intermediate drivers”
HKLM,SystemCurrentControlSetServicesClassNdis,Icon,,”-6″
HKLM,SystemCurrentControlSetServicesClassNdis,NoUseClass,,”1″
HKLM,SystemCurrentControlSetServicesClassNdis,DevLoader,,”*ndis”
HKLM,EnumRootNDISPASSTHRU
HKLM,EnumRootNDISPASSTHRU,DeviceDesc,,”PASSTHRU Protocol driver”
HKLM,EnumRootNDISPASSTHRU,Class,,”Ndis”
HKLM,EnumRootNDISPASSTHRU,ConfigFlags,1,10,00,00,00
HKLM,EnumRootNDISPASSTHRU,Driver,,”Ndis”

[PASSTHRU.IMDevNode.DelReg]
HKLM,EnumRootNDISPASSTHRU

[PASSTHRU.CopyFiles]
Passthru.sys,,,2

[PASSTHRU.Inf.CopyFiles]
Passthru.inf,,,2

[PASSTHRU.Remove]
DelReg=PASSTHRU.IMDevNode.DelReg

;

---

;
; PASSMINI — Miniport edge ;
;

---

;

[PASSMINI.ndi]
AddReg=PASSMINI.ndi.reg
DeviceID=PASSMINI
MaxInstance=8
DriverVer=06/08/2000

[PASSMINI.ndi.reg]
HKR,Ndi,DeviceID,,PASSMINI
HKR,Ndi,MaxInstance,,8
HKR,NDIS,LogDriverName,,PASSMINI
HKR,NDIS,MajorNdisVersion,1,03
HKR,NDIS,MinorNdisVersion,1,0A
HKR,NdiInterfaces,DefUpper,,”ndis3,ndis4,ndis5″
HKR,NdiInterfaces,DefLower,,”PASSTHRU”
HKR,NdiInterfaces,UpperRange,,”ndis3,ndis4,ndis5″
HKR,NdiInterfaces,LowerRange,,”PASSTHRU”
HKR,NdiInstall,,,”PASSMINI.Install”
HKR,NdiRemove,,,”PASSMINI.Remove”
HKR,Ndi,HelpText,,%PASSMINI_HELP%
HKR,NdiCompatibility,RequireAll,,”PASSTHRU”

[PASSMINI.Install]
AddReg=PASSMINI.AddReg
CopyFiles=PASSMINI.CopyFiles

[PASSMINI.AddReg]
HKR,,DevLoader,,*ndis
HKR,,DeviceVxDs,,passthru.sys
HKR,,RealClass,,Net

[PASSMINI.CopyFiles]

[PASSMINI.Remove]
AddReg=PASSMINI.Rmv.AddReg

[PASSMINI.Rmv.AddReg]

;

---

;
; DIRECTORIES and STRINGS ;
;

---

;

[DestinationDirs]
DefaultDestDir = 11
PASSTHRU.CopyFiles = 11
PASSTHRU.Inf.CopyFiles = 17
PASSMINI.CopyFiles = 11

[strings]
V_MS=”Microsoft”
V_CLASSNAME=”Network Protocol”
PASSTHRU.DeviceDesc=”PASSTHRU Protocol”
PASSTHRU_HELP=”This implements the protocol edge of the PASSTHRU NDIS Intermedate Driver example.”
PASSMINI.DeviceDesc=”PASSTHRU Miniport”
PASSMINI_HELP=”This creates the miniport edge of the PASSTHRU NDIS Intermedate Driver example.”

[GeN]

Try VTune.

[GeN]

@Deneb wrote:

thnks GeN, it’s clear. One more question – the MiniportTransferData will be called before Ndis..Indicate.. returns? So – am I free to release the handle upon exit of ProtocolTransferDataComplete ( from where I do the indication )?

Thnks a lot.

yes.

[GeN]

@Deneb wrote:

Hello guys,

one problem concerning ProtocolReceive in NDIS IM driver. I see the
functions indicates up the data received using MacReceiveContext with
the NDIS_HANDLE MacReceiveContext parameter ( the second parameter ).
If data received is not enough, I call NdisTransferData to get the
rest of the packet, and I wnat to delay the indication until
NdisTransferData returns successfull. I want to indicate the receive
in the ProtocolTransferDataComplete handler. The problem is, what
function should I use to indicate and, if NdisMEthIndicateReceive is
the answer ( for 802_3 ) then what parameter should I pass in the
MacReceiveContext?

Thanks.

MacReceiveContext – is the context of Packet Receive Operation.
You can pass any handle there, but be ready to be called at MiniportTransferData with this very handle. And you’ll have to copy the data of the packet for that handle.
Do I make myself clear ?

[GeN]

@Vijender wrote:

Hi,

And ya, its not a simple TDI filter driver. Its a buffered TDI filter driver.

What do you mean ?

[GeN]

We tried to get certified our NDIS hook driver.
Negative. They explained us, that hooking is bad and may cause bad things … So if you wanna get certified you should find alternative way.

@Deneb wrote:

Hello, I have a question regarding NDIS hooking as it is presented in the sample. I’m currently writing a firewall for windows and my software has to be “Windows XP Certified”. If I’m using the standard modification of the NDIS export table in memory, will I be Windows XP Certified?…

[GeN]

the thing is that TCPIP sets OPEN_BLOCK callbacks into original state after completing OpenAdapter…

[Author]

Posts