[Anton]

Hi.

You can use IPHelper API to query all the installed network adapters and NICs’ ip addresses. Then you can use this information to identify NIC by local ip address.

Best Regards,
Anton.

[Anton]

>I tries the redir sample which comes with the local network monitor api.
>Is it possible to redirect a http requeest e.g. to google to my server?
>I want to redirect requests to blocked domain names to my little web server which will send a block page.

redir is a basic sample. For example: redir * 0.0.0.0 80 your_server_ip your_server_port will redirect all local http requests to your private web server.

in production solution you need to analyze destination ip address and substitute it with your server address for blocked domains.

>I tried the sample but even with telnet I do not get a connection. Any idea? Or is the local network api the >wrong lib?

Can you, please, provide the command line for redir sample and for telnet program.

[Anton]

Dave,

Local Network Monitor uses the following format for packets logging:

50 19:57:07:167 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Send 127.0.0.1:6754 127.0.0.1:33333 TDI_SUCCESS 16
Packet data:
00002A 02 4D 71 00 0A 00 01 00 06 00 00 00 00 00 06 *.Mq…………

51 19:57:07:276 ICQ.exe:3084 Completion 875F7D00 Connection TCP Disconnect 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 16
DisconnectFlags:=00000000
Timeout = 0 ms
52 19:57:07:276 ICQ.exe:3084 Origination 875F7D00 Connection TCP Close socket 10.30.18.221:6733 92.241.170.164:80 TDI_SUCCESS 0
53 19:57:07:276 ICQ.exe:3084 Origination 879A5940 Address TCP Close socket 0.0.0.0:6733 0.0.0.0:0 TDI_SUCCESS 0
54 19:57:07:307 ICQ.exe:3084 Completion 8A2229B0 Connection TCP Recv 127.0.0.1:6754 127.0.0.1:33333 TDI_MORE_PROCESSING 0

Regards,
Anton.

[Anton]

Hi,

> The Monitor sample included does not capture packets sent to/from ping.exe on windows server 2008 x64 but does on windows XP SP3!

Yes, it’s limitation for Vistaw2k8. Unfortunatly ICMP can’t be caught on tdi level for these platforms.

> On this subject, the PROTOCOL enumeration in nttdiapi.cs has only 23 members, however the GetProtocolName function in Monitor.cs lists every protocol.

PROTOCOL enumeration contains protocols defined in winsock2.h (ws2def.h). Example shows all the possible protocols.

> Given that PROTOCOL_ANY is 0 but the iana shows 0 is asigned to HOPOPT,

0 = HOPOPT (IPv6 Hop-by-Hop Option) for IPv6
0 = IP (Any IP protocol) for IPv4

Nttdiapi works for ipv4 only and doesn’t support ipv6.

> what are the valid values for m_Protocol in FILTER_INFO and what are the possible values returned in a LOG_INFO?

Valid protocol number for ipv4.

=Anton.

[Anton]

Hi,

It looks like an error in GetWaitEvent declaration for C#.
Should return int.

We’ll fix it into the next update.

Thank you for feedback.
=Anton.

[Anton]

Hi,

Yes, you are right.

=Anton.

[Anton]

Hi,

Please, provide us what the VS version do you use? Did you try to build release or debug configuration? LNM API run-time version doesn’t provide the debug libraries versions. This may be the issue.

Regards,
NT Kernel Resources Team.

[Anton]

Hi,

It’s really disappointing bug in NtTdiDr driver. We’ll fix it asap.
Thank you for your feedback.

Regards,
NT Kernel Resources Team.

[Anton]

Look’s like you missed something… Please, send me your sources to anton@ntkernel.com

[Anton]

Hi,

>1. Does all log entries read by ReadLog are automatically removed from driver’s
>queue? If not, then how to synchronize user-mode log entries purging (after they’ve
>been read) with kernel mode log filling and not to delete unread entries?

Yes, driver removes log entries automatically

>2. I found FLT_ACTION_NOTIFY filter action flag which is not described in help file
>at all.

FLT_ACTION_NOTIFY is not used now.

>3. I want to make simplified version of Network Monitor App (traffic monitor): I don’t
>need to capture data itself, I need only to know data size >(PLOG_INFO->m_FullDataLength). So data logging shown in “Monitor” example app
>is redundant. What methods(calls) should I use?

It’s not possible with the current api. Driver always logs request’s data. You should modify driver sources for capturing without data.

Regards
Anton.

[Anton]

These messages are system TDI-level messages wrappers. All messages have TDI_EVENT_TYPE enumeration type and defined in includecommon.h. Message can be reported before it was processed by TCPIP stack (request origination) and after it was processed by TCPIP stack (request completion).

In your case tdi messages mean:
Message #=1
Create Address object on IP-address 120.0.0.1:2298
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=2
Create connection endpoint
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=3
Bind connection endpoint to address object
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=4
Create the second connection endpoint
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=5
Bind the second connection endpoint to address object
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=16
The incoming connection request from 127.0.0.1:2299 to 127.0.0.1:2298
Protocol TCP, process name thunderbird.exe, process id 2180

Message #=17
Accept the incoming connection request from 127.0.0.1:2299 to 127.0.0.1:2298
Protocol TCP, process name thunderbird.exe, process id 2180

You can use TDI_EVT_CONNECT and TDI_EVT_INCOMING_CONNECTION events to store connection information into the connection table and TDI_EVT_DISCONNECT, TDI_EVT_INCOMING_DISCONNECT to remove it.

[Anton]

Thanks for your feed back.
The nearest Local Host Monitor API version (2.0) will contain the fitering rules support.
The interactive network requests filtring and the conntections tables are in our plans for the next releases.

[Anton]

Take a look at MS$ sample in DDK
WINDDK3790srcgeneraltoaster

[Anton]

Для работы с сетевыми пакетами используется Transport Driver Interface. Почитать про него можно в ddk, а примеры использования есть в driver studio или вот здесь http://www.rootkit.com/newsread.php?newsid=416

[Anton]

Some standard windows object, like files, devices, etc. have the Size field at the begining of the structure.
dt -bv nt!_FILE_OBJECT ff4dcd20
struct _FILE_OBJECT, 27 elements, 0x70 bytes
+0x000 Type : 5
+0x002 Size : 112
……
Size value is equal to the object Body size in bytes.

The dispatcher objects, like events, mutants, etc., have Header.Size field at the begining of the structure.
dt -bv nt!_KEVENT ff4d6ee8
struct _KEVENT, 1 elements, 0x10 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 10 elements, 0x10 bytes
+0x000 Type : 0x1 ”
+0x001 Absolute : 0x2 ”
+0x001 NpxIrql : 0x2 ”
+0x002 Size : 0x4 ”
…..
Size value is equal to the object Body size in DWORDS.

Unfortunately, this rule can’t be applied to the regitsry keys, window stations and desktops.

[Author]

Posts