- This topic has 7 replies, 2 voices, and was last updated 3 years, 6 months ago by
.
-
Posts
-
Hi,
I would like to intercept packets before they are processed by a tunnel software, Wintun.
Wintun creates a virtual interface, similar to a TUN or TAP in Linux. Said interface can be seen using
ipconfig. However, it doesn’t appear in NDISAPI’sGetTcpipBoundAdaptersInfocall.Is there any solution or workaround?
Thanks.
Follow up:
This is the code in Wintun that creates the adapter:
NDIS_MINIPORT_DRIVER_CHARACTERISTICS miniport = { .Header = { .Type = NDIS_OBJECT_TYPE_MINIPORT_DRIVER_CHARACTERISTICS, .Revision = NdisVersion < NDIS_RUNTIME_VERSION_680 ? NDIS_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_2 : NDIS_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_3, .Size = NdisVersion < NDIS_RUNTIME_VERSION_680 ? NDIS_SIZEOF_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_2 : NDIS_SIZEOF_MINIPORT_DRIVER_CHARACTERISTICS_REVISION_3 }, .MajorNdisVersion = (UCHAR)((NdisVersion & 0x00ff0000) >> 16), .MinorNdisVersion = (UCHAR)(NdisVersion & 0x000000ff), .MajorDriverVersion = WINTUN_VERSION_MAJ, .MinorDriverVersion = WINTUN_VERSION_MIN, .InitializeHandlerEx = TunInitializeEx, .HaltHandlerEx = TunHaltEx, .UnloadHandler = TunUnload, .PauseHandler = TunPause, .RestartHandler = TunRestart, .OidRequestHandler = TunOidRequest, .SendNetBufferListsHandler = TunSendNetBufferLists, .ReturnNetBufferListsHandler = TunReturnNetBufferLists, .CancelSendHandler = TunCancelSend, .DevicePnPEventNotifyHandler = TunDevicePnPEventNotify, .ShutdownHandlerEx = TunShutdownEx, .CancelOidRequestHandler = TunCancelOidRequest, .DirectOidRequestHandler = TunDirectOidRequest, .CancelDirectOidRequestHandler = TunCancelDirectOidRequest, .SynchronousOidRequestHandler = TunSynchronousOidRequest }; Status = PsSetCreateProcessNotifyRoutine(TunProcessNotification, FALSE); if (!NT_SUCCESS(Status)) goto cleanupResources; Status = NdisMRegisterMiniportDriver(DriverObject, RegistryPath, NULL, &miniport, &NdisMiniportDriverHandle); if (!NT_SUCCESS(Status)) goto cleanupNotifier;Windows Packet Filter NDIS filter driver does not bind to WinTun network adapter because of the following in wintun.inf:
HKR, Ndi\Interfaces, LowerRange, , "nolower"while in ndisrd_lwf.inf we have:
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, bluetooth"So there are two choices:
- Change wintun.inf ‘nolower’ to ‘ethernet’
- Add ‘nolower’ to the list of FilterMedia types in ndisrd_lwf.inf
As a side effect second option will cause Windows Packet Filter driver binding to the interfaces it normally would not bind to and therefore it is not supported by stock driver build.
Thank you Vadim, I added
nolowerto the FilterMediaTypes list in ndisrd_lwf.inf and it detected the WinTun interface. It worked out of the box.Hello again,
I tried the solution in one Windows 10 machine, but when trying it in another one it did not detect the WinTun adapter.
What I did was modify the .inf and recreate the .cat and sign with a test certificate. I can successfully install and load the driver in the second machine, but it simply acts as if there was no WinTun adapter, as if the .inf did not include any ‘nolower’ filter.
I double-checked that the original driver is not present in DriverStore, and the driver that is installed is the one signed by me.
The Windows 10 versions are the same (20H2), the only difference is that one is Home (unregistered) and the other is Education (registered).
Any ideas? Any checklist that I could follow? Thanks in advance.
This one seems to work just fine:
;------------------------------------------------------------------------- ; ndiswg_lwf.INF -- WinpkFilter NDIS LWF driver (WinTun build) ; ; Copyright (c) NT Kernel Resources. All rights reserved. ;------------------------------------------------------------------------- [version] Signature = "$Windows NT$" Class = NetService ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318} Provider = %Ntkr% CatalogFile = ndiswg.cat PnpLockdown = 1 [Manufacturer] %Ntkr%=Ntkr,NTx86,NTia64,NTamd64,NTARM64 [Ntkr.NTx86] %ndiswg_Desc%=Install, nt_ndiswg [Ntkr.NTia64] %ndiswg_Desc%=Install, nt_ndiswg [Ntkr.NTamd64] %ndiswg_Desc%=Install, nt_ndiswg [Ntkr.NTARM64] %ndiswg_Desc%=Install, nt_ndiswg ;------------------------------------------------------------------------- ; Installation Section ;------------------------------------------------------------------------- [Install] AddReg=Inst_Ndi Characteristics=0x40000 NetCfgInstanceId="{ACAA7086-8B4C-4443-B5CE-9694A907670C}" Copyfiles = ndiswg.copyfiles.sys [SourceDisksNames] 1=%ndiswg_Desc%,"",, [SourceDisksFiles] ndiswg.sys=1 [DestinationDirs] DefaultDestDir=12 ndiswg.copyfiles.sys=12 [ndiswg.copyfiles.sys] ndiswg.sys,,,2 ;------------------------------------------------------------------------- ; Ndi installation support ;------------------------------------------------------------------------- [Inst_Ndi] HKR, Ndi,Service,,"ndiswg" HKR, Ndi,CoServices,0x00010000,"ndiswg" HKR, Ndi,HelpText,,%ndiswg_HelpText% HKR, Ndi,FilterClass,, compression HKR, Ndi,FilterType,0x00010001,0x00000002 HKR, Ndi\Interfaces,UpperRange,,"noupper" HKR, Ndi\Interfaces,LowerRange,,"ndis5,ndis4" HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, bluetooth, ndis5, nolower" HKR, Ndi,FilterRunType, 0x00010001, 1 ;this filter must run before any protocol can bind to the below miniport ;------------------------------------------------------------------------- ; Service installation support ;------------------------------------------------------------------------- [Install.Services] AddService=ndiswg,,ndiswg_Service_Inst [ndiswg_Service_Inst] DisplayName = %ndiswg_Desc% ServiceType = 1 ;SERVICE_KERNEL_DRIVER StartType = 1 ;SERVICE_SYSTEM_START ErrorControl = 1 ;SERVICE_ERROR_NORMAL ServiceBinary = %12%\ndiswg.sys LoadOrderGroup = NDIS Description = %ndiswg_Desc% AddReg = NdisImPlatformBindingOptions.reg [Install.Remove.Services] DelService=ndiswg,0x200 [NdisImPlatformBindingOptions.reg] HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 [Strings] Ntkr = "NT Kernel Resources" ndiswg_Desc = "WinpkFilter LightWeight Filter for WinTun" ndiswg_HelpText = "WinpkFilter NDIS LightWeight Filter for WinTun"
- You must be logged in to reply to this topic.