smilish

Forum Replies Created

in reply to: Install IM Driver on x64 system #6067
smilish
Participant

That worked, thank you very much.

Inf files are really a pain in the neck. I will never understand them.

😕

in reply to: WinpktFilter hooking vs intermediate driver #5963
smilish
Participant

I do understand. But what about Vista?

Thanks
Frank

in reply to: Need to know what application is associated with a packet #5473
smilish
Participant

Readable content? What do you expect? Machines are communicating…not humans! But you may see some readable frazzles.

For DNS:

1. Intercept all incoming UDP packets from remote-port 53 (DNS)
2. Extract the DNS-information from the data-part of the packets (as described in RFC1034 and RFC1035)
3. Modify the DNS-info
4. Build new (faked) UDP packets
5. Send them to your local-port

That’s it!
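
Steps 2 and 3 of the list above, as an added example that is not from the post and not WinpkFilter code: a bounds-checked walk over the question and answer sections of a DNS response (the UDP payload handed over by the filter) that overwrites the RDATA of every IN/A answer. The sample response, the replacement address 192.0.2.99 and the function names are constructed for the illustration; the response also goes a little beyond the post by handling RFC 1035 name compression pointers, which real resolver traffic uses, and by rejecting a truncated message instead of reading past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Advance *pos past a DNS name (RFC 1035 section 4.1.4): a run of length-prefixed
 * labels ending in a zero byte, or a 2-byte compression pointer (top bits 11),
 * which terminates the name. Returns 0, or -1 if the name runs past `len`. */
static int skip_name(const uint8_t *msg, size_t len, size_t *pos)
{
    size_t p = *pos;
    for (;;) {
        if (p >= len) return -1;
        uint8_t l = msg[p];
        if ((l & 0xC0) == 0xC0) { p += 2; break; }   /* compression pointer ends the name */
        if (l & 0xC0) return -1;                      /* 01/10 label types are reserved */
        p += 1 + l;
        if (l == 0) break;                            /* root label ends the name */
    }
    if (p > len) return -1;
    *pos = p;
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk a DNS response and overwrite the RDATA of every class IN, type A answer
 * with new_ip. Returns the number of records rewritten, 0 for a query (QR bit
 * clear, nothing to do), or -1 if the message is malformed or truncated. */
int dns_rewrite_a_records(uint8_t *msg, size_t len, const uint8_t new_ip[4])
{
    if (len < 12) return -1;                          /* fixed 12-byte header */
    if (!(rd16(msg + 2) & 0x8000)) return 0;          /* QR=0: this is a query */
    uint16_t qdcount = rd16(msg + 4), ancount = rd16(msg + 6);
    size_t pos = 12;
    for (uint16_t i = 0; i < qdcount; i++) {          /* QNAME, QTYPE, QCLASS */
        if (skip_name(msg, len, &pos) < 0 || pos + 4 > len) return -1;
        pos += 4;
    }
    int rewritten = 0;
    for (uint16_t i = 0; i < ancount; i++) {          /* NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA */
        if (skip_name(msg, len, &pos) < 0 || pos + 10 > len) return -1;
        uint16_t type = rd16(msg + pos), cls = rd16(msg + pos + 2), rdlen = rd16(msg + pos + 8);
        pos += 10;
        if (pos + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4) {    /* A record, class IN, one IPv4 address */
            memcpy(msg + pos, new_ip, 4);
            rewritten++;
        }
        pos += rdlen;
    }
    return rewritten;
}

/* Constructed sample (not a capture): a 45-byte response for example.com with
 * one A record 192.0.2.1; the answer NAME is a compression pointer to offset 12. */
static const uint8_t sample_response[45] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,   /* header */
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04, 192, 0, 2, 1
};
uint8_t g_spoofed[45];

/* Rewrite the sample so example.com resolves to 192.0.2.99; result left in g_spoofed. */
int demo_spoof(void)
{
    const uint8_t fake[4] = {192, 0, 2, 99};
    memcpy(g_spoofed, sample_response, sizeof g_spoofed);
    return dns_rewrite_a_records(g_spoofed, sizeof g_spoofed, fake);
}

/* Failure mode: a response cut off inside the answer must be rejected (-1),
 * not parsed past the end of the buffer. */
int demo_truncated(void)
{
    const uint8_t fake[4] = {192, 0, 2, 99};
    uint8_t buf[40];
    memcpy(buf, sample_response, sizeof buf);
    return dns_rewrite_a_records(buf, sizeof buf, fake);
}
```

For steps 4 and 5 the rewritten payload still has to be wrapped back into a UDP/IP packet: the IP header checksum must be recomputed, the UDP checksum either recomputed over the pseudo-header or (IPv4 only) set to zero, and the transaction ID, ports and question section must match the outstanding query, otherwise the local resolver discards the faked answer.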

in reply to: Need to know what application is associated with a packet #5471
smilish
Participant

You should read serpent’s suggestions more carefully:

Assigning PIDs to IP packets is one thing. Modifying DNS requests is another.

To modify DNS requests you don’t need his TDI filter. That is for keeping track of connections/PIDs only.

If you want to develop a “Personal Firewall” you need two drivers:

1. NDIS filter doing the main tasks: Block/Allow ether-packets…Reading/modifying the packets by parsing the underlying services (e.g. http, dns)
2. TDI filter for keeping track of local connections and processes.

in reply to: Answer a packet #5461
smilish
Participant

Well, you were absolutely right! Again another “Net to Host” failure. Here’s the corrected line of code:

    pTcp->th_ack = htonl(ntohl(pTcp->th_seq)+1);

Thanks again!

in reply to: Answer a packet #5459
smilish
Participant

I am not sure if you got me right. I am *not* trying to reject a remote machine. I am trying to reject a connection initiated from my *local* machine (outgoing connection).

I’ve checked that out in more detail. The RST packet I am generating is definitely ok. I’ve sent my packets to Ethereal, and it stated them as valid (checksums are ok etc.).

The local system sends 3 SYN packets. If they are rejected (RST) by a remote machine, these 3 packets are sent in a row very quickly. So the local TCP stack obviously recognizes these reject packets.

If *my* software answers those SYN packets with a RST, further SYN packets come with a gap. Although SendPacketToMstcp returned with “TRUE”, the RST packet has *not* been recognized. The local TCP stack timed out, as if the SYN packet had been lost.
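
The RST described in this reply, together with the corrected line from the later post (ACK = SEQ + 1 after converting to host order), as an added example that is not from the thread and not WinpkFilter code: it builds the RST/ACK that refuses a captured outgoing SYN, working on raw bytes so there are no htonl/ntohl pairs to get backwards, and fills in the IP and TCP checksums that a sniffer such as Ethereal validates. The sample SYN (addresses, ports, sequence number) and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { IP_HLEN = 20, TCP_HLEN = 20, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };

/* Big-endian field access on raw bytes, so every value is in host order in
 * the code and in network order in the packet. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* RFC 1071 Internet checksum: sum 16-bit words, fold carries, complement. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; n -= 2, p += 2) sum += rd16(p);
    if (n) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over the IPv4 pseudo-header (src, dst, 0, proto 6, TCP length)
 * and the segment. Evaluates to 0 on a segment whose checksum is correct. */
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len)
{
    uint8_t ph[12];
    memcpy(ph, ip + 12, 8);
    ph[8] = 0; ph[9] = 6; wr16(ph + 10, (uint16_t)tcp_len);
    return csum_fold(csum_add(csum_add(0, ph, sizeof ph), tcp, tcp_len));
}

/* 1 if the IPv4 header checksum and the TCP checksum of pkt both verify, else 0. */
int ip_tcp_checksums_ok(const uint8_t *pkt, size_t len)
{
    if (len < IP_HLEN) return 0;
    size_t ihl = (pkt[0] & 0x0F) * 4, tot = rd16(pkt + 2);
    if (ihl < IP_HLEN || tot > len || tot < ihl + TCP_HLEN || pkt[9] != 6) return 0;
    if (csum_fold(csum_add(0, pkt, ihl)) != 0) return 0;
    return tcp_checksum(pkt, pkt + ihl, tot - ihl) == 0;
}

/* Build the RST/ACK refusing the initial SYN in `syn` (IPv4 + TCP, no payload)
 * into `out` (40 bytes). RFC 793 reset generation for a SYN: SEQ=0, ACK=SEG.SEQ+1
 * (the SYN itself occupies one sequence number), CTL=RST,ACK, addresses and
 * ports swapped. Returns bytes written, or -1 if `syn` is not a bare SYN. */
int build_rst_for_syn(const uint8_t *syn, size_t len, uint8_t *out)
{
    if (len < IP_HLEN + TCP_HLEN || (syn[0] >> 4) != 4 || syn[9] != 6) return -1;
    size_t ihl = (syn[0] & 0x0F) * 4;
    if (ihl < IP_HLEN || len < ihl + TCP_HLEN) return -1;
    const uint8_t *tcp = syn + ihl;
    if ((tcp[13] & (TCP_SYN | TCP_ACK | TCP_RST)) != TCP_SYN) return -1;

    uint8_t *ip = out, *rt = out + IP_HLEN;
    memset(out, 0, IP_HLEN + TCP_HLEN);
    ip[0] = 0x45;                                  /* IPv4, 5-word header, no options */
    wr16(ip + 2, IP_HLEN + TCP_HLEN);              /* total length 40 */
    wr16(ip + 6, 0x4000);                          /* DF */
    ip[8] = 64; ip[9] = 6;                         /* TTL, protocol TCP */
    memcpy(ip + 12, syn + 16, 4);                  /* our source = the SYN's destination */
    memcpy(ip + 16, syn + 12, 4);                  /* our destination = the SYN's source */
    wr16(ip + 10, csum_fold(csum_add(0, ip, IP_HLEN)));

    wr16(rt + 0, rd16(tcp + 2));                   /* ports swapped */
    wr16(rt + 2, rd16(tcp + 0));
    wr32(rt + 4, 0);                               /* SEQ = 0 */
    wr32(rt + 8, rd32(tcp + 4) + 1);               /* ACK = SYN's SEQ + 1, computed in host order */
    rt[12] = 0x50;                                 /* data offset 5 words, no options */
    rt[13] = TCP_RST | TCP_ACK;
    wr16(rt + 16, tcp_checksum(ip, rt, TCP_HLEN)); /* window and urgent pointer stay 0 */
    return IP_HLEN + TCP_HLEN;
}

/* Constructed sample (not a capture): SYN 10.0.0.5:40000 -> 192.0.2.10:80,
 * SEQ 0x11223344, with checksums filled in. The RST is left in g_rst. */
uint8_t g_rst[IP_HLEN + TCP_HLEN];
int demo_build_rst(void)
{
    uint8_t syn[IP_HLEN + TCP_HLEN] = {0}, *t = syn + IP_HLEN;
    const uint8_t src[4] = {10, 0, 0, 5}, dst[4] = {192, 0, 2, 10};
    syn[0] = 0x45; wr16(syn + 2, (uint16_t)sizeof syn); wr16(syn + 6, 0x4000); syn[8] = 128; syn[9] = 6;
    memcpy(syn + 12, src, 4); memcpy(syn + 16, dst, 4);
    wr16(syn + 10, csum_fold(csum_add(0, syn, IP_HLEN)));
    wr16(t, 40000); wr16(t + 2, 80); wr32(t + 4, 0x11223344);
    t[12] = 0x50; t[13] = TCP_SYN; wr16(t + 14, 65535);
    wr16(t + 16, tcp_checksum(syn, t, TCP_HLEN));
    return build_rst_for_syn(syn, sizeof syn, g_rst);
}
```

The ACK value is the part a stack is strict about: in SYN-SENT, RFC 793 only accepts a RST whose ACK equals the SYN's ISS + 1 and silently drops any other, which produces exactly the "as if the SYN had been lost" timeout rather than an immediate refusal. Valid checksums alone (what a sniffer reports) do not catch a wrong ACK, so the verifier here is paired with an explicit check of the ACK field in the test.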

in reply to: Answer a packet #5458
smilish
Participant

Well, I have watched such a RST packet with Ethereal. And did set it up like that. Thanks anyway.

Btw: Generally, I am rejecting connection requests through a TDI filter that schedules TCP-Connection-IRPs to ring3, but some IRPs can’t be scheduled to ring3 (those with RequestorMode == KernelMode). So I got to get this to work.

in reply to: WinpkFilter #5453
smilish
Participant

Yeah, good to hear that I’ve chosen the right way. But I will buy the source anyway, because I need a customized device-object-name.

By the way: ICMP is also difficult to catch by a TDI-filter.

Thank you very much for answering.
