- This topic has 5 replies, 3 voices, and was last updated 20 years, 1 month ago by
.
-
Posts
-
Q: netbt.sys calls tcpip!TCPSendData directly. How can this be explained?
A: Yes, that’s true, tcpip.sys can be requested for the pointer to the internal routine tcpip!TCPSendData. You can see the processing of the particular request (IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER) in reversed engineered code of tcpip!TCPDispatch. This interface improves performance of kernel-mode tcpip.sys clients.
The solution is interception of IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER, saving the TCPSendData pointer and modification of the returned pointer to your own routine. So you can track all calls to TCPSendData.
Hi,
I have successfully tracked IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER and able to hook TCPSendData.
But is there any more undocumented ioctl which needs to be handled?
For e.g. is there any ioctls for receive also: IOCTL_TDI_QUERY_DIRECT_RECEIVE_HANDLER.Waiting for reply.
Hmm, but which IOCTL’s you are interested in? An example, do you need capture IOCTL’s over DeviceIp and DeviceMULTICAST? These devices also allow sending packets; an example DeviceIp is used for sending ICMP packets (ping.exe->ICMP.DLL->DeviceIp). But in general I don’t think that you really need all that stuff.
Hi,
I am concerned only about Devicetcp.
And my query is on direct handlers.
Just to clarify my query:
A TDI client can get pointer to tcpip’s direct send handler using ioctl IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER.
Using this function pointer it can directly pass data to tcpip, bypassing all filter drivers.
I have captured this ioctl from TDI clients and hooked the tcpip direct handler.I want to know if there are more such IOCTLS for Devicetcp, that I need to capture such that no data is bypassed my filter driver.
- You must be logged in to reply to this topic.