Forum Replies Created
-
Posts
-
Hmm, since you are going to create CoClient protocol driver and call manager I assume you have CoNDIS WAN driver for your device. If yes then probably you already have a separate call manager or this CoNDIS WAN driver is an MCM driver. Please clarify.
Of course IP checksum should be recalculated if IP header was altered. PPTP GRE header never has the checksum field (Checksum Present flag is always set to 0 for PPTP).
IP type 47 corresponds PPTP GRE protocol. You can read a nice overview of PPTP protocol issues here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0103.mspx
Below is the most importand NAT relative quote from the link above:
PPTP uses the Sequence Number and Acknowledgement Number fields to detect dropped data packets.
The use of a separate mechanism for PPTP data encapsulation has an interesting side effect for network address translators (NATs). For more information about NATs, see Windows 2000 Network Address Translator (NAT) (the March 2001 Cable Guy article). Most NATs can translate TCP-based traffic for PPTP tunnel maintenance. However, PPTP data packets with the GRE header are not typically translated without using either a static address mapping or a PPTP NAT editor.
When a PPTP server is behind a NAT, the NAT must be manually configured with a static address mapping that maps all the traffic for a specific public address to a specific private address. In this case, only the addresses in the IP header are modified.
When a PPTP client is behind a NAT, a PPTP NAT editor is typically used. A NAT editor is an additional software component on the NAT that performs translation services beyond IP addresses, TCP ports, and UDP ports. Although it is a simple matter for the PPTP NAT editor to monitor incoming packets for GRE payloads and translate the IP addresses in the IP header, there might be multiple PPTP clients behind the NAT. In this case, the NAT is unable to determine to which private client the incoming PPTP data packet is destined, because the same public address is being used for multiple private clients. To determine the private client to which an incoming packet is destined, the PPTP NAT editor uses the Call ID field in the GRE header. However, when two different PPTP clients use the same Call ID, the NAT is unable to determine to which private client the packet is destined.
To provide correct multiplexing of GRE-encapsulated traffic to different private clients, the PTPP NAT editor monitors the PPTP control connection setup and translates both the PPTP client’s Call ID field in the PPTP messages and the GRE-encapsulated data packets in the same way that it translates TCP or UDP source ports. By translating the PPTP client Call ID field, the NAT ensures that a unique Call ID is used for each PPTP tunnel, and for each PPTP client.
1. Do you have any news on this since I very interested by this and this is the only part that is currently missing in my evaluation of your product (I’m particularly interessted by the NAT feature in priority, traffic shaper is a high priority too but less than NAT).
NAT is already implemented in “under development” version of NeT Firewall. Regretfully I can’t point yet the exact release date, all newly addde features should be well tested before it,
2. Do you plan to support Vista too (32 bits), do you have an idea of date (note really for me urgent, but I need to know for future).
Yes, Windows Vista is planned to be supported.
3. Do you have any API that enable me to communication with the Firewall (like the winPkFilter?
In the meantime NeT Firewall interface is not published. However, could you specify for what particular tasks you’d like to use it?
For your information image in the online help are not displayed the link is bad.
Could you point the exact URL for the broken link?
“fatal error LNK1104: cannot open file D:Program.obj”
Try to move project to the path without complex names (with spaces inside) like “D:Program Files…”.
Do you run WinpkFilter inside Virtual PC (guest) system? It should work fine in this environment unless you also have installed some software which conflicts with WinpkFilter drivers.
What ListAdapters does show you? Also could you specify host and guest operating systems along with version of Virtual PC?
The event you set into driver with SetWANEvent is signaled when the new dial-up (VPN, PPPoE and etc…) connection is established or dropped, so you could reinitialize your configuration information. It is rather similar to SetAdapterListChangeEvent than SetPacketEvent which is signaled when new packet is queued.
I would trace through the IRP processing to figure out the exact reason to fail the IRP. May be there is a workaround for this.
Is device created with NdisMRegisterDevice? Well, it is difficult to say who exactly fails your IRP (NDIS, IM driver itself or filter driver attached to the IM created device), but you can check it yourself in kernel mode debugger. Probably one of these components checks the IRP origination (user or kernel) and if kernel mode component issues IRP_MJ_DEVICE_CONTROL then it fails. Basically as DDK documentation says kernel mode component usually issues IRP_MJ_INTERNAL_DEVICE_CONTROL:
IRP_MJ_DEVICE_CONTROL
A driver receives this I/O control code because user-mode thread has called the Microsoft® Win32® DeviceIoControl function, or a higher-level kernel-mode driver has set up the request.
IRP_MJ_INTERNAL_DEVICE_CONTROL
This I/O control code has been defined for communication between paired and layered kernel-mode drivers, such as one or more class drivers layered over a port driver. The higher-level driver sets up IRPs with device- or driver-specific I/O control codes, requesting support from the next-lower driver.I suppose it is far easier to change NDIS IM driver to process IRP_MJ_INTERNAL_DEVICE_CONTROL along with IRP_MJ_DEVICE_CONTROL.
case IRP_MJ_DEVICE_CONTROL:
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
{… PUT YOUR I/O PROCESSING CODE HERE…}The configuration seems ok and I hope it fits your requirements. However, I would make rules stricter. An example, your rule for HTTP is very common. Basically it passes any TCP packet which has source or destination port equal to 80. If this rule is intended to allow you internet browsing I would make it to apply to OUTGOING packets (instead both directions) or/and specified local IP in the source address field (if it is fixed, if not then your ISP subnet). If you want to create the rule for WWW server at your side then you could set it to INCOMING and specify your server IP in the destination field (along with port 80).
ndisapi.dll is a Win32 DLL and you can call it from C#. Please check the links below about calling Win32 DLL from C#
http://www.codeproject.com/Purgatory/C_DLL_with_Csharp.asp
http://msdn.microsoft.com/msdnmag/issues/02/08/CQA/
http://msdn.microsoft.com/msdnmag/issues/03/07/NET/My question, is that possible to intall remotely Net-Firewall to our dedicated server over VNC?
Yes, you can install NeT Firewall rmotely using Remote Desktop or VNC.
Is your program will blocked my VNC traffic after restart the machine?
After installation NeT Firewall start in PASS ALL default mode and it won’t block VNC. You have to configure NeT Firewall after this and be carefull with setting rules and modes because one of the rules or modes may block VNC. I would recommend to create ALLOW rule for VNC traffic before creating any other rules.
It should be enough to create the single rule with NeT Firewall to block the specific IP address (create the DENY rule which specifies the source IP and leave all other fields unchanged).
If you still have problem with it then could you please send some screenshots (firewall rules, log) to support(at)ntkernel.com?
Also isn’t IoGetCurrentProcess() is a kernel routine not user mode?
It is kernel routine but see the topic title “retrieving full process image path name in kernel mode”. 8)
And can show me your EPROCESS structure?
EPROCESS definitions for NT 4.0, 2000, XP, 2003 are below:
typedef struct _EPROCESS_NT4
{
KPROCESS_NT4 Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD_NT4 LockOwner;
ULONG UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONGLONG QuotaPeakPoolUsage;
ULONGLONG QuotaPoolUsage;
ULONG PagefileUsage;
ULONG CommitCharge;
ULONG PeakPagefileUsage;
ULONG PeakVirtualSize;
ULONGLONG VirtualSize;
MMSUPPORT_NT4 Vm;
ULONG LastProtoPteFault;
ULONG DebugPort;
ULONG ExceptionPort;
PHANDLE_TABLE ObjectTable;
PACCESS_TOKEN Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_NT4 ForkInProgress;
USHORT VmOperation;
BOOLEAN ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask;
PKEVENT VmOperationEvent;
HARDWARE_PTE PageDirectoryPte;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
ULONG CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
PPEB Peb;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
KMUTANT ProcessMutant;
UCHAR ImageFileName[16];
ULONG VmTrimFaultValue;
UCHAR SetTimerResolution;
UCHAR PriorityClass;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
PVOID Win32Process;
} EPROCESS_NT4, *PEPROCESS_NT4;
typedef struct _EPROCESS_W2K
{
KPROCESS_W2K Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
ULONG LockCount;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
PKTHREAD_W2K LockOwner;
ULONG UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONGLONG QuotaPeakPoolUsage;
ULONGLONG QuotaPoolUsage;
ULONG PagefileUsage;
ULONG CommitCharge;
ULONG PeakPagefileUsage;
ULONG PeakVirtualSize;
ULONGLONG VirtualSize;
MMSUPPORT_W2K Vm;
LIST_ENTRY SessionProcessLinks;
ULONG DebugPort;
ULONG ExceptionPort;
PHANDLE_TABLE ObjectTable;
PACCESS_TOKEN Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_W2K ForkInProgress;
USHORT VmOperation;
BOOLEAN ForkWasSuccessful;
UCHAR MmAgressiveWsTrimMask;
PKEVENT VmOperationEvent;
PVOID PaeTop;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
PVOID VadRoot;
PVOID VadHint;
ULONG CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
USHORT NextPageColor;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
PPEB Peb;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
NTSTATUS LastThreadExitStatus;
PPROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
HANDLE Win32WindowStation;
HANDLE InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
ULONG DefaultHardErrorProcessing;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PDEVICE_MAP DeviceMap;
ULONG SessionId;
LIST_ENTRY PhysicalVadList;
HARDWARE_PTE PageDirectoryPte;
ULONG Filler;
ULONG PaePageDirectoryPage;
UCHAR ImageFileName[16];
ULONG VmTrimFaultValue;
UCHAR SetTimerResolution;
UCHAR PriorityClass;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
PVOID Win32Process;
PEJOB Job;
ULONG JobStatus;
LIST_ENTRY JobLinks;
PVOID LockedPageList;
PVOID SecurityPort;
PWOW64_PROCESS Wow64Process;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeek;
LIST_ENTRY ThreadListHead;
PRTL_BITMAP VadPhysicalPagesBitMap;
ULONG VadPhysicalPages;
ULONG AweLock;
} EPROCESS_W2K, *PEPROCESS_W2K;
typedef struct _EPROCESS_XP
{
KPROCESS_XP Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
PVOID UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage[3];
ULONG QuotaPeak[3];
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
PVOID ExceptionPort;
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token;
FAST_MUTEX WorkingSetLock;
ULONG WorkingSetPage;
FAST_MUTEX AddressCreationLock;
KSPIN_LOCK HyperSpaceLock;
PETHREAD_XP ForkInProgress;
ULONG HardwareTrigger;
PVOID VadRoot;
PVOID VadHint;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID Win32Process;
PEJOB Job;
PSECTION_OBJECT SectionObject;
PVOID SectionBaseAddress;
PEPROCESS_QUOTA_BLOCK QuotaBlock;
PPAGEFAULT_HISTORY WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PDEVICE_MAP DeviceMap;
LIST_ENTRY PhysicalVadList;
union
{
HARDWARE_PTE PageDirectoryPte;
ULONGLONG Filler;
};
PVOID Session;
UCHAR ImageFileName[16];
LIST_ENTRY JobLinks;
PVOID LockedPageList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
ULONG GrantedAccess;
ULONG DefaultHardErrorProcessing;
NTSTATUS LastThreadExitStatus;
PPEB Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeek;
PVOID AweInfo;
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT_XP Vm;
ULONG LastFaultCount;
ULONG ModifiedPageCount;
ULONG NumberOfVads;
ULONG JobStatus;
union
{
ULONG Flags;
struct
{
ULONG CreateReported : 1;
ULONG NoDebugInherit : 1;
ULONG ProcessExiting : 1;
ULONG ProcessDelete : 1;
ULONG Wow64SplitPages : 1;
ULONG VmDeleted : 1;
ULONG OutswapEnabled : 1;
ULONG Outswapped : 1;
ULONG ForkFailed : 1;
ULONG HasPhysicalVad : 1;
ULONG AddressSpaceInitialized : 2;
ULONG SetTimerResolution : 1;
ULONG BreakOnTermination : 1;
ULONG SessionCreationUnderway : 1;
ULONG WriteWatch : 1;
ULONG ProcessInSession : 1;
ULONG OverrideAddressSpace : 1;
ULONG HasAddressSpace : 1;
ULONG LaunchPrefetched : 1;
ULONG InjectInpageErrors : 1;
ULONG Unused : 11;
};
};
NTSTATUS ExitStatus;
USHORT NextPageColor;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
USHORT SubSystemVersion;
};
UCHAR PriorityClass;
BOOLEAN WorkingSetAcquiredUnsafe;
} EPROCESS_XP, *PEPROCESS_XP;
typedef struct _EPROCESS_2K3
{
/*+0x000*/ KPROCESS_2K3 Pcb;
/*+0x06c*/ EX_PUSH_LOCK ProcessLock;
/*+0x070*/ LARGE_INTEGER CreateTime;
/*+0x078*/ LARGE_INTEGER ExitTime;
/*+0x080*/ EX_RUNDOWN_REF RundownProtect;
/*+0x084*/ PVOID UniqueProcessId;
/*+0x088*/ LIST_ENTRY ActiveProcessLinks;
/*+0x090*/ ULONG QuotaUsage[3];
/*+0x09c*/ ULONG QuotaPeak[3];
/*+0x0a8*/ ULONG CommitCharge;
/*+0x0ac*/ ULONG PeakVirtualSize;
/*+0x0b0*/ ULONG VirtualSize;
/*+0x0b4*/ LIST_ENTRY SessionProcessLinks;
/*+0x0bc*/ PVOID DebugPort;
/*+0x0c0*/ PVOID ExceptionPort;
/*+0x0c4*/ PHANDLE_TABLE ObjectTable;
/*+0x0c8*/ EX_FAST_REF Token;
/*+0x0cc*/ ULONG WorkingSetPage;
/*+0x0d0*/ KGUARDED_MUTEX AddressCreationLock;
/*+0x0f0*/ KSPIN_LOCK HyperSpaceLock;
/*+0x0f4*/ PETHREAD_2K3 ForkInProgress;
/*+0x0f8*/ ULONG HardwareTrigger;
/*+0x0fc*/ PMM_AVL_TABLE PhysicalVadRoot;
/*+0x100*/ PVOID CloneRoot;
/*+0x104*/ ULONG NumberOfPrivatePages;
/*+0x108*/ ULONG NumberOfLockedPages;
/*+0x10c*/ PVOID Win32Process;
/*+0x110*/ PEJOB Job;
/*+0x114*/ PSECTION_OBJECT SectionObject;
/*+0x118*/ PVOID SectionBaseAddress;
/*+0x11c*/ PEPROCESS_QUOTA_BLOCK QuotaBlock;
/*+0x120*/ PPAGEFAULT_HISTORY WorkingSetWatch;
/*+0x124*/ PVOID Win32WindowStation;
/*+0x128*/ PVOID InheritedFromUniqueProcessId;
/*+0x12c*/ PVOID LdtInformation;
/*+0x130*/ PVOID VadFreeHint;
/*+0x134*/ PVOID VdmObjects;
/*+0x138*/ PVOID DeviceMap;
/*+0x13c*/ PVOID Spare0[3];
union {
/*+0x148*/HARDWARE_PTE PageDirectoryPte;
/*+0x148*/ULONGLONG Filler;
};
/*+0x150*/ PVOID Session;
/*+0x154*/ UCHAR ImageFileName[16];
/*+0x164*/ LIST_ENTRY JobLinks;
/*+0x16c*/ PVOID LockedPagesList;
/*+0x170*/ LIST_ENTRY ThreadListHead;
/*+0x178*/ PVOID SecurityPort;
/*+0x17c*/ PVOID PaeTop;
/*+0x180*/ ULONG ActiveThreads;
/*+0x184*/ ULONG GrantedAccess;
/*+0x188*/ ULONG DefaultHardErrorProcessing;
/*+0x18c*/ NTSTATUS LastThreadExitStatus;
/*+0x190*/ PPEB Peb;
/*+0x194*/ EX_FAST_REF PrefetchTrace;
/*+0x198*/ LARGE_INTEGER ReadOperationCount;
/*+0x1a0*/ LARGE_INTEGER WriteOperationCount;
/*+0x1a8*/ LARGE_INTEGER OtherOperationCount;
/*+0x1b0*/ LARGE_INTEGER ReadTransferCount;
/*+0x1b8*/ LARGE_INTEGER WriteTransferCount;
/*+0x1c0*/ LARGE_INTEGER OtherTransferCount;
/*+0x1c8*/ ULONG CommitChargeLimit;
/*+0x1cc*/ ULONG CommitChargePeak;
/*+0x1d0*/ PVOID AweInfo;
/*+0x1d4*/ SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
/*+0x1d8*/ MMSUPPORT_2K3 Vm;
/*+0x238*/ LIST_ENTRY MmProcessLinks;
/*+0x240*/ ULONG ModifiedPageCount;
/*+0x244*/ ULONG JobStatus;
union{
/*+0x248*/ ULONG Flags;
struct{
/*+0x248*/ ULONG CreateReported : 1;
/*+0x248*/ ULONG NoDebugInherit : 1;
/*+0x248*/ ULONG ProcessExiting : 1;
/*+0x248*/ ULONG ProcessDelete : 1;
/*+0x248*/ ULONG Wow64SplitPages : 1;
/*+0x248*/ ULONG VmDeleted : 1;
/*+0x248*/ ULONG OutswapEnabled : 1;
/*+0x248*/ ULONG Outswapped : 1;
/*+0x248*/ ULONG ForkFailed : 1;
/*+0x248*/ ULONG Wow64VaSpace4Gb : 1;
/*+0x248*/ ULONG AddressSpaceInitialized :2;
/*+0x248*/ ULONG SetTimerResolution : 1;
/*+0x248*/ ULONG BreakOnTermination : 1;
/*+0x248*/ ULONG SessionCreationUnderway :1;
/*+0x248*/ ULONG WriteWatch : 1;
/*+0x248*/ ULONG ProcessInSession : 1;
/*+0x248*/ ULONG OverrideAddressSpace : 1;
/*+0x248*/ ULONG HasAddressSpace : 1;
/*+0x248*/ ULONG LaunchPrefetched : 1;
/*+0x248*/ ULONG InjectInpageErrors : 1;
/*+0x248*/ ULONG VmTopDown : 1;
/*+0x248*/ ULONG ImageNotifyDone : 1;
/*+0x248*/ ULONG PdeUpdateNeeded : 1;
/*+0x248*/ ULONG VdmAllowed : 1;
/*+0x248*/ ULONG Unused : 7;
};
};
/*+0x24c*/ NTSTATUS ExitStatus;
/*+0x250*/ USHORT NextPageColor;
union {
struct {
/*+0x252*/ UCHAR SubSystemMinorVersion;
/*+0x253*/ UCHAR SubSystemMajorVersion;
};
/*+0x252*/ USHORT SubSystemVersion;
};
/*+0x254*/ UCHAR PriorityClass;
/*+0x258*/ MM_AVL_TABLE VadRoot;
} EPROCESS_2K3, *PEPROCESS_2K3;
