Forum Replies Created
-
AuthorPosts
-
January 7, 2008 at 4:02 pm in reply to: Why CPU overhead reach abnormal 100%???Strange!!!!!!!!!!!!!! #6522
I suppose the problem is not in the engine but in what you do with packets:
if(pPktDes->ePktDirection == VG_PACKET_FROM_NIC)
{
memcpy(pEthHdr->h_dest, dstMac, ETH_ALEN);
memcpy(pEthHdr->h_source, srcMac, ETH_ALEN);
if(!VgPdeTransmit((char *)pPktDes->pPktBuf,pPktDes->nPktLen,VG_PACKET_TO_NIC))
{
PdeDemoShow("IpHandler@VgPdeTransmit errorn");
return FALSE;
}
}
else /* from MSTCP */
{
if(!VgPdeTransmit((char *)pPktDes->pPktBuf,pPktDes->nPktLen,VG_PACKET_TO_NIC))
{
PdeDemoShow("IpHandler@VgPdeTransmit errorn");
return FALSE;
}
}I don’t know what are the MAC addresses you have used are taken from. But if the address you set as source MAC does not match the NIC address you send the packet from then you may meet problems. In Windows all packets sent on the network are normally indicated back to protocol (so called hardware loopback). It is posssible to use NDIS_FLAGS_DONT_LOOPBACK or/and NDIS_FLAGS_SKIP_LOOPBACK flags (set for the packet in INTERMEDIATE_BUFFER.m_Flags) to prevent the loopback but these packets are system specific and not guarantee to work properly on every Windows, though I used them just fine for the Ethernet Bridge. WinpkFilter normally filters out the loopback packet by checking the source MAC address (packet is skipped if source MAC = NIC MAC), but in your case it may fail to do so (if source MAC does not match the NIC address) and even single packet starts going in the endless loop (from application to WinkFilter, then From WinpkFilter to NIC, from NIC to WinpkFilter, from WinpkFilter to application and so on) -> 100% CPU load.
You can read this topic on forum regarding the loopback packets:
Not sure why you may need this, but you can swap source and destination Ethernet and IP addresses (you may also need to do something with TCP?UDP headers if necessary). Then just use SendPacketToMstcp instead SendPacketToAdapter.
WinpkFilter 3.0.2 was released 2007-Apr-30, so this is an old news. The coming release will be 3.0.4.
January 2, 2008 at 1:55 pm in reply to: Why not work properly on another PC with same configuration! #6517I have e-mailed to you the InnoSetup script which was used to generate the run-time library available for download from this site. You can use it for the reference. However, setup procedure is fully described in help file. You must be doing something wrong if driver does not get loaded.
January 2, 2008 at 12:20 pm in reply to: What contents is contained in ndisrd.sys driver source code #6518If I want to order ndisrd.sys driver source code, pls tell me what contents or components is contained in its source code base?
It contains the complete source code for the NDIS hooking and IM drivers.
For windows x64 OS, why not continue to adopt NDIS-hooking technology, but official IM driver scheme for ndisrd.sys?
Windows XP/2003 x64 introduced PatchGuard technology which protects NDIS.SYS export table from modifications (if PatchGuard finds that NDIS.SYS was modified then it crashes the system). This is also true for Vista/2008 x64. Preventing PatchGuard from doing is job is possible but requires kernel modifications and these modifications are different for different kernel builds because MS updates PatchGuard each time when they got informed there is a way to workaround the current implementation.
I search winpkfilter over google and find that an Austria-based company DeskSoft(http://www.desksoft.com) builds its product BWMeter upon WinpkFilter, is it true? Can u confirms that if u don’t mind?
Yes, it is true.
January 2, 2008 at 12:07 pm in reply to: Why not work properly on another PC with same configuration! #6515WinpkFilter installation does not write any license information into the registry and basically installation steps you have performed are correct. Have you rebooted the system after adding the registry key?
December 29, 2007 at 11:13 am in reply to: Visual Baisc Error GetTcpipBoundAdaptersInfo nHandle, AdList #6512I just tried to compile PacketSniffer project under VB6 and it worked just fine. The resulted binary also works without any crashes.
In you case do you get VB environment or PacketSniffer application crash?
I see two possibilities:
1) Create a virtual network interface on top of RS232
2) Use VirtNet+WinpkFilter+special application working with WinpkFilter passing data between RS232 and VirtNet adapter.First approach requires driver coding but more solid in design, second one can be implemented completely in user mode.
System (TCPIP.SYS) recognizes SYN-ACK only when it was establishing the connection (sending SYN) itself. To force TCPIP.SYS to accept SYN-ACK you would have to modify TCPIP.SYS internal structures.
Normally if you are trying to establish TCP connection with WinpkFilter you have to process SYN-ACK yourself without passing it up to TCPIP.SYS and generate ACK to complete the handshaking.
December 7, 2007 at 5:45 pm in reply to: what’s the time to release new version for winpkfilter #64841. if i am a license buyer,can we get the both x86 and x64 current version?
Yes, of course.
2.can u get me some examples at lease two which use winpkfilter for himself software?
Not sure what you exctly mean here, but there are a couple of advanced sampes – Internet Gateway and Ethernet Bridge which are available to licensed users.
a fool question Rolling Eyes ,it is: if i but the winpkfilter for a license,when i send my software which used the winpkfilter, ~~~~~~this’s to say: the winpktilter driver i paid will be published. how to prevent it?
Standard build of WinpkFilter driver is freely available for private and non-commercial use, I don’t think that anyone would steal your custom build.
IN/OUT of firewall rule in terms of TCP protocol is treated as incoming/outgoing connections; in terms of other protocols it is incoming/outgoing packets. As you can see here is a small difference between TCP and UDP.
Do I need to purchase WinPkFilter in order to get the NAT sample?
Yes, you’d have to.
I plan to purchase a license, but I am a student, and don’t have a lot of money right now.
Drop an e-mail to support(at)ntkernel.com, I think we will be able to help you in this case.
It seems to me that Microsoft restricts on the name of service ( only Passthru is allowed )
No it does not. Basically the steps you did are correct, but probably you missed something.
It is difficult to say something without understanding of how you have hooked TCPSendData.
Processing requests passed to TCPSendData is the same as for TDI requests passed through normal path.
The wwwcensor.cpp below blocks HTTP packets which contain the specified string pattern. You can change/extend this code to filter ports different from TCP:80 (you have to know which ports are used by each IM you’d like to support) of even just drop everyTCP packet which contain the specified pattenr by one simple modification – remove the following check:
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
/*************************************************************************/
/* Copyright (c) 2000-2007 NT Kernel Resources. */
/* All Rights Reserved. */
/* http://www.ntkernel.com */
/* ndisrd@ntkernel.com */
/* */
/* Module Name: wwwcensor.cpp */
/* */
/* Abstract: Defines the entry point for the console application */
/* */
/*************************************************************************/
#include "stdafx.h"
USHORT ntohs( USHORT netshort )
{
PUCHAR pBuffer;
USHORT nResult;
nResult = 0;
pBuffer = (PUCHAR )&netshort;
nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
| ( pBuffer[ 1 ] & 0x00FF );
return( nResult );
}
#define htons ntohs
int main(int argc, char* argv[])
{
TCP_AdapterList AdList;
CNdisApi api;
ETH_REQUEST Request;
INTERMEDIATE_BUFFER PacketBuffer;
ether_header_ptr pEthHeader = NULL;
iphdr_ptr pIpHeader = NULL;
tcphdr_ptr pTcpHeader = NULL;
HANDLE hEvent[256];
DWORD dwAdIndex = 0;
char szTempString[1500];
char szPattern[256];
BOOL bDrop = FALSE;
if (argc < 2)
{
printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
return 0;
}
if(!api.IsDriverLoaded())
{
printf ("Driver not installed on this system of failed to load.n");
return 0;
}
if ( strlen(argv[1]) > 255 )
{
printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
return 0;
}
//
// Get pattern in upper case
//
ZeroMemory ( szPattern, 256 );
strcpy ( szPattern, argv[1] );
for ( unsigned i = 0; i < strlen (szPattern); ++i )
{
if (isalpha(((UCHAR)szPattern)))
szPattern = (char)toupper((UCHAR)szPattern);
}
//
// Get system installed network interfaces
//
api.GetTcpipBoundAdaptersInfo ( &AdList );
//
// Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
//
ADAPTER_MODE Mode;
Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;
//
// Create notification events and initialize the driver to pass packets thru us
//
for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
{
hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hEvent[dwAdIndex])
{
printf("Failed to create notification event for network interface n");
return 0;
}
Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
//
api.SetAdapterMode(&Mode);
//
// Set packet notification event for the network interface
//
api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
}
// Initialize common part of ETH_REQUEST
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;
//
// Go into the endless loop (this is just a sample application)
//
while (TRUE)
{
//
// Wait before any of the interfaces is ready to indicate the packet
//
dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;
//
// Complete initialization of ETH_REQUEST
//
Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Read packet from the interface until there are any
//
while(api.ReadPacket(&Request))
{
//
// Get Ethernet header
//
pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;
//
// Check if Ethernet frame contains IP packet
//
if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
{
//
// Get IP header
//
pIpHeader = (iphdr_ptr)(pEthHeader + 1);
//
// Check if IP packet contains TCP packet
//
if (pIpHeader->ip_p == IPPROTO_TCP)
{
//
// Get TCP header pointer
//
pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
//
// Get data size in the packet and pointer to the data
//
DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
// If packet contains any data - process it
if (dwDataLength)
{
//
// Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
//
memcpy (szTempString, pData, dwDataLength);
for (unsigned t = 0; t < dwDataLength; ++t)
{
if (szTempString[t] == 0)
szTempString[t] = 0x20;
if (isalpha((UCHAR)szTempString[t]))
szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
}
szTempString[dwDataLength] = 0;
//
// Check if this packet payload contains user supplied pattern in ASCII code
//
if (strstr ( szTempString, szPattern ))
bDrop = TRUE;
}
}
}
}
if(bDrop)
{
printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
bDrop = FALSE;
}
else
if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
{
// Place packet on the network interface
api.SendPacketToAdapter(&Request);
}
else
{
// Indicate packet to MSTCP
api.SendPacketToMstcp(&Request);
}
}
//
// Reset signalled event
//
ResetEvent(hEvent[dwAdIndex]);
}
return 0;
}
-
AuthorPosts