- This topic has 3 replies, 2 voices, and was last updated 17 years, 7 months ago by
.
-
Posts
-
Hi all,
I want to intercept ICMP requests made to DeviceIp, from a TDI filter driver. It’s easy to hook the device object, but what’s the format of data being sent to tcpip.sys?… Is there any documentation available? Thanks a lot.
May be two case:
1) app uses Icmpapi. (for example ping.exe). Then
/Device/ip get IRP_MJ_INTERNAL_DEVICE_CONTROL
or IRP_MJ_DEVICE_CONTROL
MinorFunction = 0
IOCTL = 0x120000and parameter:
typedef struct __ICMP_ECHO_REQUEST {
unsigned long Address;
unsigned long Timeout;
unsigned short DataOffset;
unsigned short DataSize;
unsigned char OptionsValid;
unsigned char Ttl;
unsigned char Tos;
unsigned char Flags;
unsigned short OptionsOffset;
unsigned char OptionsSize;
unsigned char Padding;
} ICMP_ECHO_REQUEST, *PICMP_ECHO_REQUEST;
you should intercept such IRPs2) app can use raw sockets. In such case you should hijack raw traffic.
Hello,
the code handling / filtering this request is doing
PIO_STACK_LOCATION pIOSL = IoGetCurrentIrpStackLocation( pIRP );
ICMP_ECHO_REQUEST* pIcmpEchoReq = ( ICMP_ECHO_REQUEST* )( &( pIOSL->Parameters ) );pIcmpEchoReq has a strange format, it doesn’t contain any information that I have passed, such as the IP address to which I’ve issued the ping command. Perhaps there is smth wrong with my code?
Thank you.
- You must be logged in to reply to this topic.