Forum Replies Created
-
Posts
-
I have e-mailed to you the InnoSetup script which was used to generate the run-time library available for download from this site. You can use it for the reference. However, setup procedure is fully described in help file. You must be doing something wrong if driver does not get loaded.
If I want to order ndisrd.sys driver source code, pls tell me what contents or components is contained in its source code base?
It contains the complete source code for the NDIS hooking and IM drivers.
For windows x64 OS, why not continue to adopt NDIS-hooking technology, but official IM driver scheme for ndisrd.sys?
Windows XP/2003 x64 introduced PatchGuard technology which protects NDIS.SYS export table from modifications (if PatchGuard finds that NDIS.SYS was modified then it crashes the system). This is also true for Vista/2008 x64. Preventing PatchGuard from doing is job is possible but requires kernel modifications and these modifications are different for different kernel builds because MS updates PatchGuard each time when they got informed there is a way to workaround the current implementation.
I search winpkfilter over google and find that an Austria-based company DeskSoft(http://www.desksoft.com) builds its product BWMeter upon WinpkFilter, is it true? Can u confirms that if u don’t mind?
Yes, it is true.
WinpkFilter installation does not write any license information into the registry and basically installation steps you have performed are correct. Have you rebooted the system after adding the registry key?
I just tried to compile PacketSniffer project under VB6 and it worked just fine. The resulted binary also works without any crashes.
In you case do you get VB environment or PacketSniffer application crash?
I see two possibilities:
1) Create a virtual network interface on top of RS232
2) Use VirtNet+WinpkFilter+special application working with WinpkFilter passing data between RS232 and VirtNet adapter.First approach requires driver coding but more solid in design, second one can be implemented completely in user mode.
System (TCPIP.SYS) recognizes SYN-ACK only when it was establishing the connection (sending SYN) itself. To force TCPIP.SYS to accept SYN-ACK you would have to modify TCPIP.SYS internal structures.
Normally if you are trying to establish TCP connection with WinpkFilter you have to process SYN-ACK yourself without passing it up to TCPIP.SYS and generate ACK to complete the handshaking.
1. if i am a license buyer,can we get the both x86 and x64 current version?
Yes, of course.
2.can u get me some examples at lease two which use winpkfilter for himself software?
Not sure what you exctly mean here, but there are a couple of advanced sampes – Internet Gateway and Ethernet Bridge which are available to licensed users.
a fool question Rolling Eyes ,it is: if i but the winpkfilter for a license,when i send my software which used the winpkfilter, ~~~~~~this’s to say: the winpktilter driver i paid will be published. how to prevent it?
Standard build of WinpkFilter driver is freely available for private and non-commercial use, I don’t think that anyone would steal your custom build.
IN/OUT of firewall rule in terms of TCP protocol is treated as incoming/outgoing connections; in terms of other protocols it is incoming/outgoing packets. As you can see here is a small difference between TCP and UDP.
Do I need to purchase WinPkFilter in order to get the NAT sample?
Yes, you’d have to.
I plan to purchase a license, but I am a student, and don’t have a lot of money right now.
Drop an e-mail to support(at)ntkernel.com, I think we will be able to help you in this case.
It seems to me that Microsoft restricts on the name of service ( only Passthru is allowed )
No it does not. Basically the steps you did are correct, but probably you missed something.
It is difficult to say something without understanding of how you have hooked TCPSendData.
Processing requests passed to TCPSendData is the same as for TDI requests passed through normal path.
The wwwcensor.cpp below blocks HTTP packets which contain the specified string pattern. You can change/extend this code to filter ports different from TCP:80 (you have to know which ports are used by each IM you’d like to support) of even just drop everyTCP packet which contain the specified pattenr by one simple modification – remove the following check:
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
/*************************************************************************/
/* Copyright (c) 2000-2007 NT Kernel Resources. */
/* All Rights Reserved. */
/* http://www.ntkernel.com */
/* ndisrd@ntkernel.com */
/* */
/* Module Name: wwwcensor.cpp */
/* */
/* Abstract: Defines the entry point for the console application */
/* */
/*************************************************************************/
#include "stdafx.h"
USHORT ntohs( USHORT netshort )
{
PUCHAR pBuffer;
USHORT nResult;
nResult = 0;
pBuffer = (PUCHAR )&netshort;
nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
| ( pBuffer[ 1 ] & 0x00FF );
return( nResult );
}
#define htons ntohs
int main(int argc, char* argv[])
{
TCP_AdapterList AdList;
CNdisApi api;
ETH_REQUEST Request;
INTERMEDIATE_BUFFER PacketBuffer;
ether_header_ptr pEthHeader = NULL;
iphdr_ptr pIpHeader = NULL;
tcphdr_ptr pTcpHeader = NULL;
HANDLE hEvent[256];
DWORD dwAdIndex = 0;
char szTempString[1500];
char szPattern[256];
BOOL bDrop = FALSE;
if (argc < 2)
{
printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
return 0;
}
if(!api.IsDriverLoaded())
{
printf ("Driver not installed on this system of failed to load.n");
return 0;
}
if ( strlen(argv[1]) > 255 )
{
printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
return 0;
}
//
// Get pattern in upper case
//
ZeroMemory ( szPattern, 256 );
strcpy ( szPattern, argv[1] );
for ( unsigned i = 0; i < strlen (szPattern); ++i )
{
if (isalpha(((UCHAR)szPattern)))
szPattern = (char)toupper((UCHAR)szPattern);
}
//
// Get system installed network interfaces
//
api.GetTcpipBoundAdaptersInfo ( &AdList );
//
// Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
//
ADAPTER_MODE Mode;
Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;
//
// Create notification events and initialize the driver to pass packets thru us
//
for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
{
hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
if (!hEvent[dwAdIndex])
{
printf("Failed to create notification event for network interface n");
return 0;
}
Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
//
api.SetAdapterMode(&Mode);
//
// Set packet notification event for the network interface
//
api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
}
// Initialize common part of ETH_REQUEST
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;
//
// Go into the endless loop (this is just a sample application)
//
while (TRUE)
{
//
// Wait before any of the interfaces is ready to indicate the packet
//
dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;
//
// Complete initialization of ETH_REQUEST
//
Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];
//
// Read packet from the interface until there are any
//
while(api.ReadPacket(&Request))
{
//
// Get Ethernet header
//
pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;
//
// Check if Ethernet frame contains IP packet
//
if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
{
//
// Get IP header
//
pIpHeader = (iphdr_ptr)(pEthHeader + 1);
//
// Check if IP packet contains TCP packet
//
if (pIpHeader->ip_p == IPPROTO_TCP)
{
//
// Get TCP header pointer
//
pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);
//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//
if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{
//
// Get data size in the packet and pointer to the data
//
DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
// If packet contains any data - process it
if (dwDataLength)
{
//
// Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
//
memcpy (szTempString, pData, dwDataLength);
for (unsigned t = 0; t < dwDataLength; ++t)
{
if (szTempString[t] == 0)
szTempString[t] = 0x20;
if (isalpha((UCHAR)szTempString[t]))
szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
}
szTempString[dwDataLength] = 0;
//
// Check if this packet payload contains user supplied pattern in ASCII code
//
if (strstr ( szTempString, szPattern ))
bDrop = TRUE;
}
}
}
}
if(bDrop)
{
printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
bDrop = FALSE;
}
else
if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
{
// Place packet on the network interface
api.SendPacketToAdapter(&Request);
}
else
{
// Indicate packet to MSTCP
api.SendPacketToMstcp(&Request);
}
}
//
// Reset signalled event
//
ResetEvent(hEvent[dwAdIndex]);
}
return 0;
}
– Any Source to “My IP and Port”
This rule alows incoming connections (in case of TCP protocol) on the specified port. So it is applicable to both incoming and outgoing packets.
It works with http requests. But its not working with the IM’s like yahoo/gtalk. Can any one please helpe me out.
The code above (ParsePacketHeaders) is specific to HTTP packets (TCP port 80) and it is not applicable to IM (which use different port numbers or even UDP instead of TCP) interception unless it uses HTTP as a transport.
