Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 661 through 675 (of 1,500 total)
  • in reply to: Filter.cpp questions #7159
    Vadim Smirnov
    Keymaster

      1) This is the so-called default filter which defines the action for the packets which were not selected by other filters.
      2) The default action in this case is FILTER_PACKET_REDIRECT.
      3) An all-zeroes entry will be skipped.

      in reply to: Installing your Driver #7158
      Vadim Smirnov
      Keymaster

        For this request please contact support(at)ntkernel.com with other details.

        in reply to: Installing your Driver #7156
        Vadim Smirnov
        Keymaster

          That depends on the OS you are installing on. The functions for the NSIS installer are below:

          ######################################
          Function InstallNDISHookDriverNT2000XP
          ######################################
          # NDIS hooking driver for NT4/2000/XP: copy it to the drivers directory
          # and register it as a kernel driver (Type 1) with system start (Start 1)
          SetOutPath $SYSDIR\drivers
          File ..\..\..\Kernel\bin\hookdrv\i386\ndisrd.sys
          !insertmacro CreateRegKey ${HKEY_LOCAL_MACHINE} System\CurrentControlSet\Services\ndisrd
          WriteRegDWORD HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\ndisrd Start 1
          WriteRegDWORD HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\ndisrd Type 1
          WriteRegDWORD HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\ndisrd ErrorControl 1
          ${If} ${IsWinNT4}
          WriteRegStr HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\ndisrd Group "Network"
          ${Else}
          WriteRegStr HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\ndisrd Group "Streams Drivers"
          ${EndIf}
          SetRebootFlag true
          FunctionEnd
          ######################################

          ################################
          Function InstallNDISHookDriver9x
          ################################
          # Windows 9x uses the VxD build, registered as a static VxD
          SetOutPath $WINDIR\system
          File ..\..\..\Kernel\bin\hookdrv\win9x\ndisrd.vxd
          !insertmacro CreateRegKey ${HKEY_LOCAL_MACHINE} System\CurrentControlSet\Services\VxD\ndisrd
          WriteRegStr HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\VxD\ndisrd StaticVxD "ndisrd.vxd"
          SetRebootFlag true
          FunctionEnd
          ################################

          ############################
          Function InstallNDISIMDriver
          ############################
          # NDIS intermediate driver: unpack the INF/SYS and the helper tools into
          # a temporary directory and install through snetcfg
          SetOutPath $INSTDIR\instimtmp
          ${If} ${RunningX64}
          File ..\..\..\Setup\bin\amd64\DriverSigning.exe
          File ..\..\..\Setup\bin\amd64\snetcfg.exe
          File ..\..\..\Kernel\INF\ndisrd.inf
          File ..\..\..\Kernel\INF\ndisrd_m.inf
          File ..\..\..\Kernel\bin\imdrv\amd64\ndisrd.sys
          ${Else}
          File ..\..\..\Setup\bin\i386\DriverSigning.exe
          File ..\..\..\Setup\bin\i386\snetcfg.exe
          File ..\..\..\Kernel\INF\ndisrd.inf
          File ..\..\..\Kernel\INF\ndisrd_m.inf
          File ..\..\..\Kernel\bin\imdrv\i386\ndisrd.sys
          ${EndIf}

          # Driver signing policy is switched off only for the duration of the install
          nsExec::ExecToLog /OEM '"$INSTDIR\instimtmp\DriverSigning.exe" /verbose /off'
          nsExec::ExecToLog /OEM '"$INSTDIR\instimtmp\snetcfg.exe" -v -l ndisrd.inf -m ndisrd_m.inf -c s -i nt_ndisrd'
          nsExec::ExecToLog /OEM '"$INSTDIR\instimtmp\DriverSigning.exe" /verbose /on'

          SetOutPath $INSTDIR
          RMDir /r /REBOOTOK $INSTDIR\instimtmp
          FunctionEnd
          ############################

          ########################
          Function InstallLWFVista
          ########################
          # NDIS 6 lightweight filter package for Vista/2008: install the signing
          # root certificate first, then the filter through snetcfg
          SetOutPath $INSTDIR\instlwftmp
          ${If} ${RunningX64}
          File ..\..\..\Setup\bin\amd64\snetcfg.exe
          File ..\..\..\Setup\bin\amd64\certinst.exe
          File ..\..\..\Kernel\bin\lwf\vista\amd64\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\vista\amd64\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\vista\amd64\package\ndisrd.sys
          ${Else}
          File ..\..\..\Setup\bin\i386\snetcfg.exe
          File ..\..\..\Setup\bin\i386\certinst.exe
          File ..\..\..\Kernel\bin\lwf\vista\i386\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\vista\i386\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\vista\i386\package\ndisrd.sys
          ${EndIf}

          File ..\..\..\Setup\cert\root.cer
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\certinst.exe" "$INSTDIR\instlwftmp\root.cer"'
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\snetcfg.exe" -v -l ndisrd_lwf.inf -c s -i nt_ndisrd'

          SetOutPath $INSTDIR
          RMDir /r /REBOOTOK $INSTDIR\instlwftmp
          FunctionEnd
          ########################

          ####################
          Function InstallLWF7
          ####################
          # Same procedure with the Windows 7 / 2008 R2 package
          SetOutPath $INSTDIR\instlwftmp
          ${If} ${RunningX64}
          File ..\..\..\Setup\bin\amd64\snetcfg.exe
          File ..\..\..\Setup\bin\amd64\certinst.exe
          File ..\..\..\Kernel\bin\lwf\win7\amd64\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\win7\amd64\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\win7\amd64\package\ndisrd.sys
          ${Else}
          File ..\..\..\Setup\bin\i386\snetcfg.exe
          File ..\..\..\Setup\bin\i386\certinst.exe
          File ..\..\..\Kernel\bin\lwf\win7\i386\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\win7\i386\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\win7\i386\package\ndisrd.sys
          ${EndIf}

          File ..\..\..\Setup\cert\root.cer
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\certinst.exe" "$INSTDIR\instlwftmp\root.cer"'
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\snetcfg.exe" -v -l ndisrd_lwf.inf -c s -i nt_ndisrd'

          SetOutPath $INSTDIR
          RMDir /r /REBOOTOK $INSTDIR\instlwftmp
          FunctionEnd
          ####################

          ####################
          Function InstallLWF8
          ####################
          # Same procedure with the Windows 8 package
          SetOutPath $INSTDIR\instlwftmp
          ${If} ${RunningX64}
          File ..\..\..\Setup\bin\amd64\snetcfg.exe
          File ..\..\..\Setup\bin\amd64\certinst.exe
          File ..\..\..\Kernel\bin\lwf\win8\amd64\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\win8\amd64\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\win8\amd64\package\ndisrd.sys
          ${Else}
          File ..\..\..\Setup\bin\i386\snetcfg.exe
          File ..\..\..\Setup\bin\i386\certinst.exe
          File ..\..\..\Kernel\bin\lwf\win8\i386\package\ndisrd_lwf.inf
          File ..\..\..\Kernel\bin\lwf\win8\i386\package\ndisrd.cat
          File ..\..\..\Kernel\bin\lwf\win8\i386\package\ndisrd.sys
          ${EndIf}

          File ..\..\..\Setup\cert\root.cer
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\certinst.exe" "$INSTDIR\instlwftmp\root.cer"'
          nsExec::ExecToLog /OEM '"$INSTDIR\instlwftmp\snetcfg.exe" -v -l ndisrd_lwf.inf -c s -i nt_ndisrd'

          SetOutPath $INSTDIR
          RMDir /r /REBOOTOK $INSTDIR\instlwftmp
          FunctionEnd
          ####################

          #############################
          Function InstallNDISLWFDriver
          #############################
          # Pick the LWF package matching the running OS generation
          SetOutPath $INSTDIR\instlwftmp

          ${If} ${IsWinVista}
          ${OrIf} ${IsWin2008}
          call InstallLWFVista
          Return
          ${EndIf}

          ${If} ${IsWin7}
          ${OrIf} ${IsWin2008R2}
          call InstallLWF7
          Return
          ${EndIf}

          call InstallLWF8
          FunctionEnd
          #############################

          #################################
          Function InstallWinpkFilterDriver
          #################################
          # Vista and later always get the LWF driver
          ${If} ${AtLeastWinVista}
          call InstallNDISLWFDriver
          GoTo post
          ${EndIf}

          # If the user explicitly chose the IM driver, install it and skip the OS checks
          StrCmp $bIMUsed "1" 0 +3
          call InstallNDISIMDriver
          GoTo post
          ${If} ${RunningX64}
          ${OrIf} ${AtLeastWinXP}
          call InstallNDISIMDriver
          ${ElseIf} ${IsNT}
          call InstallNDISHookDriverNT2000XP
          ${Else}
          call InstallNDISHookDriver9x
          ${EndIf}

          post:

          #Kernel components
          SetOutPath $INSTDIR\Kernel\bin\dll\i386
          File ..\..\..\Kernel\bin\dll\i386\ndisapi.dll
          File ..\..\..\Kernel\bin\dll\i386\ndisapi.lib

          SetOutPath $INSTDIR\Kernel\bin\dll\amd64
          File ..\..\..\Kernel\bin\dll\amd64\ndisapi.dll
          File ..\..\..\Kernel\bin\dll\amd64\ndisapi.lib

          WriteRegStr HKLM "${REGKEY}" NDISIMUsed $bIMUsed
          WriteRegStr HKLM "${REGKEY}\Components" Main $availDrv

          Call EnableRouter

          FunctionEnd
          #################################

          in reply to: Ip Blocking from domain #7155
          Vadim Smirnov
          Keymaster

            You can query all IP addresses corresponding to google.com and monitor packets to/from these IPs. If you suspect that the IP of google.com may change you can also monitor DNS queries and update the domain IP list accordingly.

            in reply to: MSVC 2012/ 2010 #7152
            Vadim Smirnov
            Keymaster

              The problem is caused by the -DUNICODE compiler switch. If you want your project to use UNICODE then you have to recompile ndisapi.dll as UNICODE as well. For backward compatibility with earlier versions of Windows, ndisapi.dll distributed within the WinpkFilter package is built as multibyte.

              in reply to: NtKernel filter best performance for reinjecting traffic #7153
              Vadim Smirnov
              Keymaster

                ReadPackets/SendPacketsToXXX were added to reduce the number of user/kernel context switches and thus increase the performance.

                The easiest approach would be processing packets one by one in one thread; however, if you use multiple threads and still want to take advantage of the SendPacketsToXXX API calls, I would keep an internal queue of packets for each network interface which are ready to send to the driver (actually two queues, one for outgoing and one for incoming packets). The queue should be sent to the driver on one of two events:
                1) The queue size reached its “immediate send” size
                2) A timeout occurs

                Size and timeout should be dynamic parameters adjusted depending on the amount of packets you get from the driver, e.g. the faster you read packets from the driver, the shorter the timeout.
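The two-event batching described in this reply, as an added C model that is not WinpkFilter's or the author's code: one per-interface, per-direction queue that flushes when the immediate-send size is reached or when an adaptive timeout expires, with a counting stand-in for the SendPacketsToXXX call. The packet struct, the thresholds and the arrival timeline are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a queued packet (the real one would be WinpkFilter's INTERMEDIATE_BUFFER). */
typedef struct { uint32_t len; uint8_t data[64]; } pkt_t;
#define QUEUE_CAP 64   /* capacity of one per-interface, per-direction queue */

typedef struct {
    pkt_t    pkts[QUEUE_CAP];
    size_t   count, flush_size;          /* queued packets; "immediate send" size */
    uint64_t max_timeout_ms, timeout_ms; /* timeout bound; current adaptive timeout */
    uint64_t first_ms, last_ms;          /* arrival of the oldest / newest queued packet */
    size_t   flushes, sent;              /* batched driver calls; packets handed over */
} send_queue_t;

void sq_init(send_queue_t *q, size_t flush_size, uint64_t max_timeout_ms) {
    memset(q, 0, sizeof *q);
    q->flush_size = flush_size > QUEUE_CAP ? QUEUE_CAP : flush_size;
    q->max_timeout_ms = q->timeout_ms = max_timeout_ms;
}

/* Stands in for one SendPacketsToXXX call: the whole queue crosses into the
 * kernel in one transition. Here it only counts what it would have sent. */
static void sq_flush(send_queue_t *q) {
    q->flushes++; q->sent += q->count; q->count = 0;
}

/* Event 1: queue a packet; flush as soon as the immediate-send size is reached. */
bool sq_enqueue(send_queue_t *q, const pkt_t *p, uint64_t now_ms) {
    if (q->count == 0) {
        q->first_ms = now_ms;
    } else {
        /* Adapt: allow about four inter-arrival gaps before a timed flush, so a
         * fast reader waits a few ms at most and a slow one up to the maximum. */
        uint64_t t = (now_ms - q->last_ms) * 4;
        q->timeout_ms = t < 1 ? 1 : t > q->max_timeout_ms ? q->max_timeout_ms : t;
    }
    q->pkts[q->count++] = *p;
    q->last_ms = now_ms;
    if (q->count < q->flush_size) return false;
    sq_flush(q);
    return true;
}

/* Event 2: timer path; flush a partial queue once its oldest packet has
 * waited for the current timeout. */
bool sq_poll(send_queue_t *q, uint64_t now_ms) {
    if (q->count == 0 || now_ms - q->first_ms < q->timeout_ms) return false;
    sq_flush(q);
    return true;
}

typedef struct { size_t flushes, sent; } sq_result_t;
/* Constructed timeline: a 4-packet burst, a lone packet, then two slow ones. */
sq_result_t sq_scenario(void) {
    send_queue_t q; pkt_t p = { 60, {0} };
    sq_init(&q, 4, 50);
    for (uint64_t t = 0; t < 4; t++) sq_enqueue(&q, &p, t);      /* size flush; timeout -> 4 ms */
    sq_enqueue(&q, &p, 100); sq_poll(&q, 103); sq_poll(&q, 104);  /* timed flush at 104 only */
    sq_enqueue(&q, &p, 200); sq_enqueue(&q, &p, 230);  /* 30 ms gap -> timeout capped at 50 */
    sq_poll(&q, 249); sq_poll(&q, 250);                /* timed flush at 250 */
    return (sq_result_t){ q.flushes, q.sent };
}
```

Seven packets reach the driver in three batched calls instead of seven, and the lone packet still leaves the queue after a few milliseconds rather than waiting for the maximum timeout.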

                in reply to: STATIC FILTER using VB #7148
                Vadim Smirnov
                Keymaster

                  Yes, Windows 2000 is supported, although the driver installed for that OS is different from the one used for XP or Vista and later.

                  If you can collect the crash dump (kernel or full) we could check what has happened. I suspect this could be a sort of software conflict if you have firewalling/AV software installed.

                  in reply to: STATIC FILTER using VB #7146
                  Vadim Smirnov
                  Keymaster

                    Hi,

                    I have nearly no experience in VB, but there is a C sample filter.cpp which has a scenario to redirect only DNS packets for processing by a WinpkFilter application.

                    This sample scenario can be easily modified to intercept only DNS queries destined to the local DNS server this way:

                    pFilters->m_TableSize = 2;

                    // 1. Incoming DNS requests filter: REDIRECT IN UDP packets with destination PORT 53
                    // Common values
                    pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
                    pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                    pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
                    pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

                    // Network layer filter
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                    // Transport layer filter
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT; // the range below is the destination port
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

                    //***************************************************************************************
                    // 2. Pass all packets (skipped by previous filters) without processing in user mode
                    // Common values
                    pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
                    pFilters->m_StaticFilters[1].m_ValidFields = 0;
                    pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
                    pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

                    break;

                    The filter you showed in your initial post should select only outgoing DNS queries, not incoming ones.

                    in reply to: Winpk filter on Windows 7 #7138
                    Vadim Smirnov
                    Keymaster

                      From what I can see WinpkFilter is installed and works. For example, these are definitely your ICMP PING packets:

                      9 – MSTCP –> Interface
                      Packet size = 74
                      Source MAC: C0A8010CC0A8
                      Destination MAC: 000080016CC3

                      8 – Interface –> MSTCP
                      Packet size = 74
                      Source MAC: C0A80102C0A8
                      Destination MAC: 0000800164E8

                      But for some reason the packet is not correctly parsed by the passthru sample. This may be caused by a version mismatch between the driver and the passthru application (the INTERMEDIATE_BUFFER structure was changed several times in the last versions and it is important to use a driver and application built from the same common.h).

                      in reply to: Static filter table – netbios traffic is redirected always #7143
                      Vadim Smirnov
                      Keymaster

                        If you look at the filter.cpp sample you can find the scenario which redirects only DNS packets to user mode and passes any other packets. The filters are defined as follows:

                        //**************************************************************************************
                        // 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
                        // Common values
                        pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
                        pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                        pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
                        pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

                        // Network layer filter
                        pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
                        pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                        pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                        // Transport layer filter
                        pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                        pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
                        pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
                        pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

                        //****************************************************************************************
                        // 2. Incoming DNS responses filter: REDIRECT IN UDP packets with source PORT 53
                        // Common values
                        pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
                        pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                        pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_REDIRECT;
                        pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

                        // Network layer filter
                        pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
                        pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
                        pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

                        // Transport layer filter
                        pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                        pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
                        pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 53; // DNS
                        pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 53;

                        //***************************************************************************************
                        // 3. Pass all packets (skipped by previous filters) without processing in user mode
                        // Common values
                        pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
                        pFilters->m_StaticFilters[2].m_ValidFields = 0;
                        pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_PASS;
                        pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

                        break;

                        Does this sample work for you?

                        Vadim Smirnov
                        Keymaster

                          Hi Ghita,

                          I can’t see the filters you have set, but I suspect that your filters for blocking TCP/UDP may be destination IP/MAC address specific and therefore broadcast/multicast packets get passed (they have special broadcast/multicast MAC and IP addresses).

                          Hope it helps…
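The static-filter behaviour discussed in the replies above (the default filter from #7159, the DNS/pass table from #7143 and the broadcast point in the reply to Ghita), as an added C model that is not WinpkFilter's code. It assumes first-match evaluation in table order with unselected packets going to user mode; the field names mirror the sample, while the constants, the 10.0.0.1 host, and the two packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the static filter table (assumed semantics: filters are
 * tried in order, the first match decides, and a packet that no filter selects
 * is redirected to user mode). Names mirror the sample; values are constructed. */
enum { ON_SEND = 1, ON_RECEIVE = 2 };            /* PACKET_FLAG_ON_SEND / _RECEIVE */
enum { NETWORK_VALID = 1, TRANSPORT_VALID = 2 }; /* m_ValidFields of a filter */
enum { IP_PROTOCOL = 1, IP_DEST_ADDR = 2 };      /* IPv4 layer valid fields */
enum { SRC_PORT = 1, DEST_PORT = 2 };            /* TCP/UDP layer valid fields */
typedef enum { ACTION_PASS, ACTION_DROP, ACTION_REDIRECT } action_t;

typedef struct {
    unsigned direction, valid;                                  /* m_dwDirectionFlags, m_ValidFields */
    unsigned ip_valid; uint8_t protocol; uint32_t dest_ip;      /* network layer part */
    unsigned tp_valid; uint16_t src_lo, src_hi, dst_lo, dst_hi; /* transport layer part */
    action_t action;
} filter_t;
typedef struct { unsigned direction; uint8_t protocol; uint32_t dest_ip;
                 uint16_t src_port, dst_port; } packet_t;

/* Only the layers flagged in `valid` are checked; an all-zero entry matches every packet. */
static bool filter_matches(const filter_t *f, const packet_t *p) {
    if (!(f->direction & p->direction)) return false;
    if (f->valid & NETWORK_VALID) {
        if ((f->ip_valid & IP_PROTOCOL) && f->protocol != p->protocol) return false;
        if ((f->ip_valid & IP_DEST_ADDR) && f->dest_ip != p->dest_ip) return false;
    }
    if (f->valid & TRANSPORT_VALID) {
        if ((f->tp_valid & SRC_PORT) && (p->src_port < f->src_lo || p->src_port > f->src_hi)) return false;
        if ((f->tp_valid & DEST_PORT) && (p->dst_port < f->dst_lo || p->dst_port > f->dst_hi)) return false;
    }
    return true;
}

action_t classify(const filter_t *table, size_t n, const packet_t *p) {
    for (size_t i = 0; i < n; i++)
        if (filter_matches(&table[i], p)) return table[i].action;
    return ACTION_REDIRECT;   /* selected by no filter: goes to the application */
}

/* The sample's shape: redirect outgoing DNS queries (UDP, dst port 53), pass the rest. */
static const filter_t dns_table[] = {
    { ON_SEND, NETWORK_VALID | TRANSPORT_VALID, IP_PROTOCOL, 17, 0, DEST_PORT, 0, 0, 53, 53, ACTION_REDIRECT },
    { ON_SEND | ON_RECEIVE, 0, 0, 0, 0, 0, 0, 0, 0, 0, ACTION_PASS },   /* the default filter */
};
/* A block rule aimed at one host (10.0.0.1, constructed) plus the same default filter. */
static const filter_t host_block_table[] = {
    { ON_SEND | ON_RECEIVE, NETWORK_VALID, IP_PROTOCOL | IP_DEST_ADDR, 17, 0x0A000001, 0, 0, 0, 0, 0, ACTION_DROP },
    { ON_SEND | ON_RECEIVE, 0, 0, 0, 0, 0, 0, 0, 0, 0, ACTION_PASS },
};
/* Constructed packets: a DNS query to 10.0.0.1 and a NetBIOS name-service broadcast. */
static const packet_t dns_query     = { ON_SEND, 17, 0x0A000001, 51000, 53 };
static const packet_t netbios_bcast = { ON_SEND, 17, 0xFFFFFFFF, 137, 137 };

action_t dns_query_action(void)        { return classify(dns_table, 2, &dns_query); }
action_t netbios_with_default(void)    { return classify(dns_table, 2, &netbios_bcast); }
action_t netbios_without_default(void) { return classify(dns_table, 1, &netbios_bcast); } /* no catch-all */
action_t host_block_on_query(void)     { return classify(host_block_table, 2, &dns_query); }
action_t host_block_on_bcast(void)     { return classify(host_block_table, 2, &netbios_bcast); }
```

Without the catch-all PASS entry the NetBIOS broadcast is redirected to user mode, and a block rule keyed to one destination address lets the broadcast through to the default filter.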

                          in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7133
                          Vadim Smirnov
                          Keymaster

                            Thank you for the update. I’m glad that you have resolved the issue.

                            in reply to: Winpk filter on Windows 7 #7136
                            Vadim Smirnov
                            Keymaster

                              Could you provide more details?
                              1) ListAdapters output.
                              2) PassThru output. For this test ping one of other notebooks.
                              3) IPCONFIG output.

                              We are not aware of any issues with Windows 7, so it must be something about your configuration or usage.

                              in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7131
                              Vadim Smirnov
                              Keymaster

                                To resolve the issue with DNS you can change all your filters from blocking to redirect and check the filter ID in the DNS packets. This way you can identify the filter which selects DNS packets.

                                in reply to: PSTATIC_FILTER_TABLE blocks DNS traffic #7127
                                Vadim Smirnov
                                Keymaster

                                  From what I can see filter 2 is supposed to block incoming packets on local port 80. If this is what you want to do and incoming packets on port 80 are still not blocked, then there is only one possibility – these packets are passed by filter 1.
