Taras

Forum Replies Created

  • in reply to: ICMP interception at TDI level #5686
    Taras
    Participant

    Try:

    ICMP_ECHO_REQUEST* pIcmpEchoReq = (ICMP_ECHO_REQUEST*)(Irp->AssociatedIrp.SystemBuffer);

    in reply to: strange IRQL #6208
    Taras
    Participant

    ObjPtr[0] = &g_pWaitItem->hAllow;
    ObjPtr[1] = &g_pWaitItem->hDeny;

    hAllow, hDeny – are they handles of events? KeWaitForMultipleObjects can operate only on direct pointers to KEVENT structs. If you have handles, you should retrieve the direct pointer by calling ObReferenceObjectByHandle.

    in reply to: NDIS IM and TDI question #5718
    Taras
    Participant
    in reply to: netbt, TDI, TCPSendData #5655
    Taras
    Participant

    NTSTATUS
    TcpipSend( IN PIRP SendIrp,
    IN PIO_STACK_LOCATION SendIrpStack );

    in reply to: Help! I can not read Ethernet headers. #5691
    Taras
    Participant

    You cannot read the Ethernet header from a raw socket. Never. You should use one of the kernel traffic capture methods. For example, WinPcap, NDIS IM and so on.

    in reply to: NDIS IM device stand-by problem #5689
    Taras
    Participant

    You should set PnPEventHandler for your protocol and correctly handle power events. See the DDK sample - passthru.

    in reply to: ICMP interception at TDI level #5684
    Taras
    Participant

    There may be two cases:
    1) The app uses Icmpapi (for example ping.exe). Then
    /Device/ip gets IRP_MJ_INTERNAL_DEVICE_CONTROL
    or IRP_MJ_DEVICE_CONTROL
    MinorFunction = 0
    IOCTL = 0x120000

    and the parameter:

    typedef struct __ICMP_ECHO_REQUEST {
        unsigned long Address;
        unsigned long Timeout;
        unsigned short DataOffset;
        unsigned short DataSize;
        unsigned char OptionsValid;
        unsigned char Ttl;
        unsigned char Tos;
        unsigned char Flags;
        unsigned short OptionsOffset;
        unsigned char OptionsSize;
        unsigned char Padding;
    } ICMP_ECHO_REQUEST, *PICMP_ECHO_REQUEST;

    You should intercept such IRPs.

    2) The app can use raw sockets. In such a case you should hijack raw traffic.
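
Added example, not part of the original post: bounds-checking an intercepted buffer against the struct above before any of its offsets are used. It assumes DataOffset and OptionsOffset are byte offsets from the start of the buffer; `ECHO_REQ`, `region_ok` and `check_echo_request` are names made up here, and `len` stands for the input buffer length a driver would take from the IRP stack location.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the struct in the post; fixed-width types stand in for
   unsigned long/short/char (32/16/8 bits on Windows). 20 bytes, no padding. */
typedef struct {
    uint32_t Address, Timeout;
    uint16_t DataOffset, DataSize;
    uint8_t  OptionsValid, Ttl, Tos, Flags;
    uint16_t OptionsOffset;
    uint8_t  OptionsSize, Padding;
} ECHO_REQ;

enum echo_check { ECHO_OK = 0, ECHO_TOO_SHORT, ECHO_BAD_DATA, ECHO_BAD_OPTIONS };

/* Assumption: a region [off, off+size) is relative to the buffer start and,
   when non-empty, must lie after the header and inside the buffer. */
static int region_ok(size_t off, size_t size, size_t len)
{
    if (size == 0) return 1;
    return off >= sizeof(ECHO_REQ) && off <= len && size <= len - off;
}

/* Validate a request buffer of `len` bytes and copy the header to `out`. */
enum echo_check check_echo_request(const void *buf, size_t len, ECHO_REQ *out)
{
    if (buf == NULL || len < sizeof(ECHO_REQ)) return ECHO_TOO_SHORT;
    memcpy(out, buf, sizeof(*out));   /* copy once, then check only the copy */
    if (!region_ok(out->DataOffset, out->DataSize, len)) return ECHO_BAD_DATA;
    if (out->OptionsValid &&
        !region_ok(out->OptionsOffset, out->OptionsSize, len)) return ECHO_BAD_OPTIONS;
    return ECHO_OK;
}

int main(void)
{
    /* Constructed sample: 20-byte header followed by 32 bytes of echo data. */
    unsigned char buf[52] = {0};
    ECHO_REQ h = {0}, out;
    h.DataOffset = sizeof h; h.DataSize = 32;
    memcpy(buf, &h, sizeof h);
    printf("full buffer: %d, truncated to 40 bytes: %d\n",
           check_echo_request(buf, sizeof buf, &out),
           check_echo_request(buf, 40, &out));
    return 0;
}
```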

    in reply to: Only for TDI filter guru #5683
    Taras
    Participant

    ClientEventChainedReceive
    ClientEventReceiveExpedited
    Do you hook these callback handlers?

    in reply to: NDIS IM driver for analog modem???!!! #5665
    Taras
    Participant

    Why do most commercial personal firewalls use NDIS hooking when it can be done with an IM driver?

    IMHO this question is asked by anyone who deals with filtering algorithms.
    If you are developing your apps for NT, I think it is easier and better to use an IM miniport. My opinion is that NDIS hooking is a legacy of cross-platform development for NT and 9x that was relevant some years ago.

    But I use NDIS hooking in my project. It is a paradox. 🙂

    in reply to: NDIS IM driver for analog modem???!!! #5663
    Taras
    Participant


    Look at the scheme. Your IM miniport driver will be inserted between “transport” and “802.3”. You will not see any modems, but you will see a virtual NIC named “NDISWANIP” which works as a multiport NIC. So your driver can work as a firewall perfectly.

    in reply to: NDIS IM driver for analog modem???!!! #5661
    Taras
    Participant

    Why do you think your IM driver will not handle traffic from modems? Look at the QoS driver. It is an IM miniport but it filters modems' traffic 🙂
    All modems are represented as one NIC with several MAC addresses, so you can deal with them.

    in reply to: Failure to receive data TDI connection endpoint. Please help #5635
    Taras
    Participant

    When tcpip.sys has received data it calls the Receive Handler for the endpoint (if one has been set). If your driver registers such a handler, it must retrieve the data (it should set up an IRP for the last parameter of the handler). If your driver is not interested in the incoming data, it sets this irp = 0. Tcpip, after seeing this irp = 0, thinks the client doesn't need this data and doesn't take any action to save the data. So, an existing client with a registered ReceiveHandler which always returns irp = 0 is a way to lose all incoming data for the endpoint.

    in reply to: Failure to receive data TDI connection endpoint. Please help #5633
    Taras
    Participant

    I think the problem is that your routine Recv does not work at all.
    KeWaitForSingleObject(&Event, UserRequest, KernelMode, FALSE, 0); doesn't wait (timeout == 0!!!!), and your check
    if(!NT_SUCCESS(status)) doesn't work.
    See the declaration:
    #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
    and
    STATUS_TIMEOUT ((DWORD )0x00000102L)
    that is, your IRP was not handled.

    Your debug output is the content of an uninitialized IoStatus struct and may be different.

    Solving the problem:
    Your Recv will never work because you have registered your Receive Event Handler. You should move your code from Recv to EventReceive. But you should note that EventReceive works at IRQL = DISPATCH_LEVEL.
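
Added example, not part of the original post: a user-mode model of the "send request, wait, read IoStatus" pattern, showing why an `NT_SUCCESS` test lets `STATUS_TIMEOUT` through and a never-filled status block gets read. `IOSB`, `naive_result` and `checked_result` are names made up here; mapping an unfinished wait to `STATUS_UNSUCCESSFUL` is this example's choice, and a real driver would also have to deal with the still-outstanding IRP.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(Status)  (((NTSTATUS)(Status)) >= 0)  /* as quoted in the post */
#define STATUS_SUCCESS      ((NTSTATUS)0x00000000)
#define STATUS_TIMEOUT      ((NTSTATUS)0x00000102)       /* value quoted in the post */
#define STATUS_PENDING      ((NTSTATUS)0x00000103)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001)

/* Stand-in for IO_STATUS_BLOCK; only meaningful once the request completed. */
typedef struct { NTSTATUS Status; uintptr_t Information; } IOSB;

/* The check discussed in the post: accepts anything NT_SUCCESS accepts. */
NTSTATUS naive_result(NTSTATUS call, NTSTATUS wait, const IOSB *iosb)
{
    if (call != STATUS_PENDING) return call;
    if (!NT_SUCCESS(wait)) return wait;   /* STATUS_TIMEOUT does not land here */
    return iosb->Status;                  /* read although nothing filled it in */
}

/* Stricter: only an exact STATUS_SUCCESS wait means the request completed. */
NTSTATUS checked_result(NTSTATUS call, NTSTATUS wait, const IOSB *iosb)
{
    if (call != STATUS_PENDING) return call;  /* finished synchronously */
    if (wait != STATUS_SUCCESS)               /* timed out or interrupted */
        return NT_SUCCESS(wait) ? STATUS_UNSUCCESSFUL : wait;
    return iosb->Status;                      /* valid only now */
}

int main(void)
{
    /* Constructed sample: leftover bytes that happen to look like success. */
    IOSB stale = { STATUS_SUCCESS, 0 };
    printf("naive: 0x%08X  checked: 0x%08X\n",
           (unsigned)naive_result(STATUS_PENDING, STATUS_TIMEOUT, &stale),
           (unsigned)checked_result(STATUS_PENDING, STATUS_TIMEOUT, &stale));
    return 0;
}
```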

    in reply to: A question for a networking guru……….. #5592
    Taras
    Participant

    Instead of a TDI driver you can use an LSP (layered service provider).

    in reply to: Can TDI filter driver inject packet to upper layer? #5586
    Taras
    Participant

    Call the client's registered callback function ClientEventReceive or ClientEventChainedReceive.
