Forum Replies Created
You can’t affect cache manager behavior from user mode; however, there is another way to do what you want. You can map each of the 2000 files into the process memory (CreateFileMapping and MapViewOfFile); 20 megs should easily fit in your process address space. Then read one byte from each page (each 4K) of each mapping; this will force the system to bring all files into memory.
However, I would not force the system to fetch all data from disk at once, but rather postpone each fetch operation until it is really necessary.
@kdub wrote:
What is the difference between the NDISAPI.dll provided with the sample applications and the one provided with the Individual license?
There is no difference. DLL in the trial package is fully functional.
The IP and TCP headers are all contained in the same packet right?
Yes
What are the sizes of the IP header and TCP header?
The IP header is usually 20 bytes long, but the actual length is specified in the header itself (http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html). Same for the TCP header (http://www.wtcs.org/snmp4tpc/images/TCP-Header.jpg). The TCP header follows the IP header, but IP can be used as transport for many other protocols: UDP, ICMP, GRE, etc.
Does the data/payload section always follow the TCP header?
If the TCP packet contains data then yes, it follows the TCP header.
I am a newbie here and I was wondering if you could provide an example of how to read the data contents of a packet using visual basic syntax.
Regretfully I’m not a VB expert, but parsing the Ethernet header is shown in the VB samples. You can parse the follow-up headers (IP, TCP/UDP) in the same way.
Also is the data in the packet the same as it would be if I were to view the contents at the winsock level.
On the WINSOCK level you work mostly with data streams (no packet headers); here you get packets with Ethernet, IP headers, etc. But the packet payload contains the data you see on the winsock layer.
I want to get the source IP and Port and then view the data to determine whether to drop the packet or not, is that possible with WinPKFilter samples?
Yes, that is possible.
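As an added example (not code from this forum thread or from the WinpkFilter samples), the header walk described in the reply above, in C: a constructed Ethernet/IPv4/TCP frame is parsed using the IHL and Data Offset fields rather than assuming fixed 20-byte headers, and the source IP, source port and payload are located, which is exactly what a drop-or-pass decision needs. It goes slightly beyond the reply by also handling UDP and by rejecting frames whose length fields disagree with the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>

struct pkt_view {                          /* what the filter decision needs */
    uint8_t proto; uint32_t src_ip; uint16_t src_port;   /* src_ip in host byte order */
    size_t ip_hdr_len, l4_hdr_len;
    const uint8_t *payload; size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Walk Ethernet -> IPv4 -> TCP/UDP. Returns 0 on success, negative if the frame
 * is not untagged IPv4 over TCP/UDP or if any length field is inconsistent. */
int parse_frame(const uint8_t *f, size_t len, struct pkt_view *v)
{
    if (len < 14 || be16(f + 12) != 0x0800) return -1;    /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14; size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -2;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;               /* IHL: 32-bit words */
    size_t tot = be16(ip + 2);                             /* IP Total Length */
    if (ihl < 20 || tot < ihl || tot > rem) return -3;     /* never trust lengths blindly */
    v->proto = ip[9]; v->src_ip = be32(ip + 12); v->ip_hdr_len = ihl;
    const uint8_t *l4 = ip + ihl; rem = tot - ihl;         /* drops Ethernet padding */
    if (v->proto == 6) {                                   /* TCP: Data Offset field */
        if (rem < 20) return -4;
        v->l4_hdr_len = (size_t)(l4[12] >> 4) * 4;
        if (v->l4_hdr_len < 20 || v->l4_hdr_len > rem) return -4;
    } else if (v->proto == 17) {                           /* UDP: fixed 8-byte header */
        if (rem < 8) return -5;
        v->l4_hdr_len = 8;
    } else return -6;                                      /* ICMP, GRE, ...: not handled */
    v->src_port = be16(l4);
    v->payload = l4 + v->l4_hdr_len; v->payload_len = rem - v->l4_hdr_len;
    return 0;
}

/* Constructed sample frame: 192.168.1.10:8080 -> 192.168.1.1:80, PSH|ACK, payload
 * "HELLO". Checksums are left zero because this parser does not verify them. */
const uint8_t sample_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x2d, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4, total len 45 */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0x1f,0x90,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP ports, seq, ack */
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,                                 /* doff 5, flags, win */
    'H','E','L','L','O' };
```

Truncated captures and bogus Total Length or Data Offset values are returned as errors instead of being read past the buffer, which is the usual source of crashes in hand-written packet parsers.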
With HTTP I seem to have figured it out – I change the host name in the outgoing packet, the checksum matches, but there are some problems with ACK/SEQ. As I understand it, when the packet length changes they have to be changed. How?
If the packet grew in length (without exceeding the Ethernet frame boundary), then SEQ must be increased (and in the incoming stream ACK decreased). The SEQ/ACK adjustment then has to be carried through until the connection is closed. Do the same, but the other way round, when the length decreases.
IMHO it is simpler to intercept the DNS packet and replace the IP in it.
Any kernel module can run a thread in the context of the system process, what integrity do you mean here?
Hmm… And how does TI shape NATted connection!?…
TI developers know for sure. I would try to reverse engineer ICS implementation in Windows and get NAT table.
I would create an event and wait on this event (probably besides a few other objects) in the thread routine instead of KeDelayExecutionThread. Once I need to unload the driver I would signal that event so the thread routine leaves the wait and calls PsTerminateSystemThread. At the same time DriverUnload can wait for the thread to exit by waiting on the thread object.
Alternatively (less modifications in your code but not that nice) you can create some global variable and check its state in your Func:
// Assumed definition of SEC(): a relative timeout in 100 ns units (negative = relative).
#define SEC(n) ((LONGLONG)(n) * -10000000LL)
volatile LONG g_bLeaveThread = 0;            // set to non-zero by DriverUnload

void Func(PVOID a)
{
    LARGE_INTEGER delay;
    UNREFERENCED_PARAMETER(a);
    delay.QuadPart = SEC(1);                 // wake up once per second
    while (NT_SUCCESS(KeDelayExecutionThread(KernelMode, FALSE, &delay)))
    {
        DbgPrint(">> thread message");
        if (g_bLeaveThread)                  // DriverUnload asked us to exit
            break;
    }
    PsTerminateSystemThread(STATUS_SUCCESS); // the thread object becomes signaled here
}
In DriverUnload set the g_bLeaveThread to non-zero value and wait for the thread to exit (KeWaitForSingleObject on the thread object).
Each packet routed outside you intercept twice – first on the internal interface before NAT is applied and second on external interface after NAT is applied and vice versa for packets coming on the external interface. In theory you can match these packets (by IP address information + IP ID + TCP/UDP headers information) and build your own copy of NAT table but collisions are still possible especially if the router is heavily loaded.
I would recommend implementing NAT in the same module which implements the shaper; this would save you lots of time. NAT is relatively easy to implement (if you are not targeting support for complex protocols like H.323); as an example, this simple application took one day to write: http://www.ntkernel.com/w&p.php?id=31
I am running Windows XP on my HP laptop. I installed MioNet which loads the driver NDISRD.SYS. Whenever this driver is loaded and I try to run my Cisco VPN client, the desktop locks up.
Any suggestions?
Hmm, basically the conflict here can be caused by MioNet's usage of NDISRD (which is a WinpkFilter driver) or by NDISRD directly. So here are some questions:
1) Do you run MioNet at the same time as the Cisco VPN client?
2) Could you look at the version of NDISRD.SYS and post it here or e-mail it to support(at)ntkernel.com?
Also, if it is possible for you, could you please uninstall MioNet and install the WinpkFilter package instead and check if the problem pops up with WinpkFilter only?
Also, did the system just hang? No chance of a crash dump?
Is there a way to unload the ndisrd.sys driver by using a DOS command?
This is not possible.
And what do you do with the packets coming back in the opposite direction? In theory you need to put the source address back there, so that the client sees that the server answered it and not someone else…
The idea is clear; two options can be suggested:
1) Add the data in an additional header or at the tail of the packet
2) If the solution is local (the source address is always the same), then you can write the address the packet was originally directed to into the Source IP field
I have not got ready user-mode Ethernet Bridge code I could post here.
The source code for the kernel mode Ethernet Bridge http://www.ntkernel.com/w&p.php?id=20 is available only to WinpkFilter Source Code licensees.
I have never dug deep into file signing, but I’d guess that in the case of notepad.exe the signature is not embedded into the executable; instead the whole CAT file is signed.
How could I determine what catalog file should be used for a specified file?
I think you should use the CryptCATXXX functions for this: probably CryptCATAdminCalcHashFromFileHandle to get the file hash, and then enumerate the catalogs which contain the specified hash with CryptCATAdminEnumCatalogFromHash.
Basically making a bridge is rather straightforward. Just set promiscuous mode on the bridged adapters (the PacketSniffer sample shows how to do this) and repeat packets received from one bridge interface to all other bridged interfaces with NDIS_FLAGS_DONT_LOOPBACK | NDIS_FLAGS_SKIP_LOOPBACK set to avoid loopback packets. This flags combination works for Windows 2000+; for earlier versions you have to track MAC addresses and repeat packets according to a MAC address table.