Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 991 through 1,005 (of 1,486 total)
Vadim Smirnov
Keymaster

I have e-mailed you the InnoSetup script which was used to generate the run-time library available for download from this site. You can use it for reference. However, the setup procedure is fully described in the help file. You must be doing something wrong if the driver does not get loaded.

in reply to: What contents is contained in ndisrd.sys driver source code #6518
Vadim Smirnov
Keymaster

If I want to order the ndisrd.sys driver source code, please tell me what contents or components are contained in its source code base?

It contains the complete source code for the NDIS hooking and IM drivers.

For Windows x64 OS, why not continue to adopt NDIS-hooking technology, but the official IM driver scheme for ndisrd.sys?

Windows XP/2003 x64 introduced PatchGuard technology which protects the NDIS.SYS export table from modifications (if PatchGuard finds that NDIS.SYS was modified then it crashes the system). This is also true for Vista/2008 x64. Preventing PatchGuard from doing its job is possible but requires kernel modifications, and these modifications are different for different kernel builds because MS updates PatchGuard each time they are informed there is a way to work around the current implementation.

I searched winpkfilter over Google and found that an Austria-based company DeskSoft (http://www.desksoft.com) builds its product BWMeter upon WinpkFilter, is it true? Can you confirm that if you don't mind?

Yes, it is true.

in reply to: Why not work properly on another PC with same configuration! #6515
Vadim Smirnov
Keymaster

WinpkFilter installation does not write any license information into the registry, and basically the installation steps you have performed are correct. Have you rebooted the system after adding the registry key?

in reply to: Visual Basic Error GetTcpipBoundAdaptersInfo nHandle, AdList #6512
Vadim Smirnov
Keymaster

I just tried to compile the PacketSniffer project under VB6 and it worked just fine. The resulting binary also works without any crashes.

In your case, do you get a VB environment or PacketSniffer application crash?

in reply to: Virtual Network Interface <-> Serial port #6511
Vadim Smirnov
Keymaster

I see two possibilities:

1) Create a virtual network interface on top of RS232
2) Use VirtNet+WinpkFilter+a special application working with WinpkFilter, passing data between RS232 and the VirtNet adapter.

The first approach requires driver coding but is more solid in design; the second one can be implemented completely in user mode.

in reply to: TCP SYN packet Generation #6510
Vadim Smirnov
Keymaster

The system (TCPIP.SYS) recognizes a SYN-ACK only when it was establishing the connection (sending the SYN) itself. To force TCPIP.SYS to accept the SYN-ACK you would have to modify TCPIP.SYS internal structures.

Normally, if you are trying to establish a TCP connection with WinpkFilter, you have to process the SYN-ACK yourself without passing it up to TCPIP.SYS and generate the ACK to complete the handshake.

in reply to: what's the time to release new version for winpkfilter #6484
Vadim Smirnov
Keymaster

1. If I am a license buyer, can we get both the x86 and x64 current versions?

Yes, of course.

2. Can you give me some examples, at least two, which use winpkfilter in their own software?

Not sure what you exactly mean here, but there are a couple of advanced samples – Internet Gateway and Ethernet Bridge – which are available to licensed users.

A foolish question, it is: if I buy the winpkfilter license, when I ship my software which uses winpkfilter, that is to say, the winpkfilter driver I paid for will be published. How to prevent it?

The standard build of the WinpkFilter driver is freely available for private and non-commercial use; I don't think that anyone would steal your custom build.

in reply to: Creating Rules #6503
Vadim Smirnov
Keymaster

IN/OUT of a firewall rule in terms of the TCP protocol is treated as incoming/outgoing connections; in terms of other protocols it is incoming/outgoing packets. As you can see, there is a small difference between TCP and UDP.

in reply to: IPTables Redirect NAT Support #6489
Vadim Smirnov
Keymaster

Do I need to purchase WinPkFilter in order to get the NAT sample?

Yes, you'd have to.

I plan to purchase a license, but I am a student, and don't have a lot of money right now.

Drop an e-mail to support(at)ntkernel.com, I think we will be able to help you in this case.

in reply to: NDIS Filter Intermediate Passthru #6509
Vadim Smirnov
Keymaster

It seems to me that Microsoft restricts the name of the service (only Passthru is allowed)

No, it does not. Basically the steps you did are correct, but you probably missed something.

in reply to: Can TCPSendData(…) see the SMB packets? #6505
Vadim Smirnov
Keymaster

It is difficult to say anything without understanding how you have hooked TCPSendData.

Processing requests passed to TCPSendData is the same as for TDI requests passed through the normal path.

in reply to: Reading packets #6508
Vadim Smirnov
Keymaster

The wwwcensor.cpp below blocks HTTP packets which contain the specified string pattern. You can change/extend this code to filter ports different from TCP:80 (you have to know which ports are used by each IM you'd like to support) or even just drop every TCP packet which contains the specified pattern by one simple modification – remove the following check:

//
// Check if this HTTP packet (destined to remote system port 80, or received from it)
//

if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
    ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
{

/*************************************************************************/
/* Copyright (c) 2000-2007 NT Kernel Resources.                          */
/* All Rights Reserved.                                                  */
/* http://www.ntkernel.com                                               */
/* ndisrd@ntkernel.com                                                   */
/*                                                                       */
/* Module Name: wwwcensor.cpp                                            */
/*                                                                       */
/* Abstract: Defines the entry point for the console application         */
/*                                                                       */
/*************************************************************************/

#include "stdafx.h"

//
// Byte-order helper: build a host-order USHORT from a network-order (big-endian) value
//
USHORT ntohs( USHORT netshort )
{
    PUCHAR pBuffer;
    USHORT nResult;

    nResult = 0;
    pBuffer = (PUCHAR )&netshort;

    nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
        | ( pBuffer[ 1 ] & 0x00FF );

    return( nResult );
}

// Swapping the two bytes is symmetric, so the same routine serves as htons
#define htons ntohs

int main(int argc, char* argv[])
{
    TCP_AdapterList      AdList;
    CNdisApi             api;
    ETH_REQUEST          Request;
    INTERMEDIATE_BUFFER  PacketBuffer;
    ether_header_ptr     pEthHeader = NULL;
    iphdr_ptr            pIpHeader = NULL;
    tcphdr_ptr           pTcpHeader = NULL;
    HANDLE               hEvent[256];
    DWORD                dwAdIndex = 0;
    char                 szTempString[1500];
    char                 szPattern[256];
    BOOL                 bDrop = FALSE;

    if (argc < 2)
    {
        printf ("Command line syntax:\n\twwwcensor.exe pattern\n\tpattern - phrase or word to block HTTP packets with.\n");
        return 0;
    }

    if(!api.IsDriverLoaded())
    {
        printf ("Driver not installed on this system or failed to load.\n");
        return 0;
    }

    if ( strlen(argv[1]) > 255 )
    {
        printf ("Pattern is too long, please use one with maximum of 255 characters.\n");
        return 0;
    }

    //
    // Get pattern in upper case
    //
    ZeroMemory ( szPattern, 256 );
    strcpy ( szPattern, argv[1] );
    for ( unsigned i = 0; i < strlen (szPattern); ++i )
    {
        if (isalpha((UCHAR)szPattern[i]))
            szPattern[i] = (char)toupper((UCHAR)szPattern[i]);
    }

    //
    // Get system installed network interfaces
    //
    api.GetTcpipBoundAdaptersInfo ( &AdList );

    //
    // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
    //
    ADAPTER_MODE Mode;
    Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

    //
    // Create notification events and initialize the driver to pass packets thru us
    //
    for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
    {
        hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

        if (!hEvent[dwAdIndex])
        {
            printf("Failed to create notification event for network interface\n");
            return 0;
        }

        Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        //
        // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
        //
        api.SetAdapterMode(&Mode);

        //
        // Set packet notification event for the network interface
        //
        api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
    }

    // Initialize common part of ETH_REQUEST
    ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
    ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
    Request.EthPacket.Buffer = &PacketBuffer;

    //
    // Go into the endless loop (this is just a sample application)
    //
    while (TRUE)
    {
        //
        // Wait until any of the interfaces is ready to indicate a packet
        //
        dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

        //
        // Complete initialization of ETH_REQUEST
        //
        Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        //
        // Read packets from the interface while there are any
        //
        while(api.ReadPacket(&Request))
        {
            //
            // Get Ethernet header
            //
            pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

            //
            // Check if Ethernet frame contains IP packet
            //
            if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
            {
                //
                // Get IP header
                //
                pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                //
                // Check if IP packet contains TCP packet
                //
                if (pIpHeader->ip_p == IPPROTO_TCP)
                {
                    //
                    // Get TCP header pointer
                    //
                    pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                    //
                    // Check if this HTTP packet (destined to remote system port 80, or received from it)
                    //
                    if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                        ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                    {
                        //
                        // Get data size in the packet and pointer to the data
                        //
                        DWORD dwHeadersLength = sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4;
                        DWORD dwDataLength = PacketBuffer.m_Length - dwHeadersLength;
                        PCHAR pData = (PCHAR)pEthHeader + dwHeadersLength;

                        // If packet contains any data - process it. A frame shorter than its own headers
                        // would make dwDataLength wrap around, so also require the payload to fit into
                        // szTempString (with room for the terminating zero).
                        if (PacketBuffer.m_Length > dwHeadersLength && dwDataLength < sizeof(szTempString))
                        {
                            //
                            // Copy packet payload into the temporary string, replace all 0 bytes with 0x20,
                            // convert string to upper case and place a terminator at the end
                            //
                            memcpy (szTempString, pData, dwDataLength);
                            for (unsigned t = 0; t < dwDataLength; ++t)
                            {
                                if (szTempString[t] == 0)
                                    szTempString[t] = 0x20;

                                if (isalpha((UCHAR)szTempString[t]))
                                    szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                            }
                            szTempString[dwDataLength] = 0;

                            //
                            // Check if this packet payload contains user supplied pattern in ASCII code
                            //
                            if (strstr ( szTempString, szPattern ))
                                bDrop = TRUE;
                        }
                    }
                }
            }

            if(bDrop)
            {
                printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped\n",
                    pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                    pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                bDrop = FALSE;
            }
            else if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
            {
                // Place packet on the network interface
                api.SendPacketToAdapter(&Request);
            }
            else
            {
                // Indicate packet to MSTCP
                api.SendPacketToMstcp(&Request);
            }
        }

        //
        // Reset signalled event
        //
        ResetEvent(hEvent[dwAdIndex]);
    }

    return 0;
}
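As an added example (not part of the post above or of the WinpkFilter samples), the header walk and pattern check that wwwcensor performs, rewritten as a portable C function with no driver dependency so it can be exercised against a constructed frame. It follows the same port rule (destination port on send, source port on receive) and additionally rejects a frame that is shorter than its own headers before computing the payload length; the frame bytes, addresses and ports are constructed for the test, not captured.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6

/* Read a 16-bit big-endian field (portable ntohs over raw bytes). */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Case-insensitive search for an ASCII pattern in a payload that may contain NUL bytes
 * (strstr() would stop at the first NUL; this walks the whole payload length). */
static int payload_contains(const uint8_t *data, size_t len, const char *pattern)
{
    size_t plen = strlen(pattern);
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; ++i) {
        size_t k = 0;
        while (k < plen && toupper(data[i + k]) == toupper((unsigned char)pattern[k])) ++k;
        if (k == plen) return 1;
    }
    return 0;
}

/* Classify one Ethernet frame the way wwwcensor does: is_send selects the destination port
 * (outgoing request), otherwise the source port (incoming response). Returns 1 = drop
 * (TCP/80 payload contains pattern), 0 = pass, -1 = frame shorter than its own headers. */
int http_frame_matches(const uint8_t *frame, size_t frame_len, int is_send, const char *pattern)
{
    if (frame_len < ETH_HLEN + 20) return -1;          /* not even a minimal IPv4 header */
    if (be16(frame + 12) != ETH_P_IP) return 0;         /* not IP: pass untouched */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ip_hl = (size_t)(ip[0] & 0x0F) * 4;         /* ip_hl is in 32-bit words */
    if (ip_hl < 20 || frame_len < ETH_HLEN + ip_hl + 20) return -1;
    if (ip[9] != IPPROTO_TCP) return 0;
    const uint8_t *tcp = ip + ip_hl;
    size_t th_off = (size_t)(tcp[12] >> 4) * 4;        /* th_off is in 32-bit words */
    if (th_off < 20 || frame_len < ETH_HLEN + ip_hl + th_off) return -1;
    uint16_t port = is_send ? be16(tcp + 2) : be16(tcp + 0);
    if (port != 80) return 0;
    size_t data_len = frame_len - (ETH_HLEN + ip_hl + th_off);   /* cannot wrap: checked above */
    return payload_contains(tcp + th_off, data_len, pattern);
}

/* Constructed sample (not a capture): Ethernet + 20-byte IPv4 + 20-byte TCP to port 80,
 * payload "GET /secret HTTP/1.1". Checksums are zero; the filter does not validate them. */
const uint8_t kSampleFrame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet, IPv4 */
    0x45,0x00,0x00,0x3c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,            /* IPv4: hl=5, proto=TCP */
    0xc0,0xa8,0x01,0x0a, 0xc0,0x00,0x02,0x01,                                  /* src 192.168.1.10, dst 192.0.2.1 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* sport 49152, dport 80, seq, ack */
    0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,                                  /* off=5, PSH|ACK, win, csum, urg */
    'G','E','T',' ','/','s','e','c','r','e','t',' ','H','T','T','P','/','1','.','1'
};
const size_t kSampleFrameLen = sizeof(kSampleFrame);
```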

in reply to: Creating Rules #6501
Vadim Smirnov
Keymaster

– Any Source to "My IP and Port"

This rule allows incoming connections (in the case of the TCP protocol) on the specified port. So it is applicable to both incoming and outgoing packets.

in reply to: Modify Packet #5449
Vadim Smirnov
Keymaster

It works with HTTP requests. But it's not working with IMs like Yahoo/GTalk. Can anyone please help me out.

The code above (ParsePacketHeaders) is specific to HTTP packets (TCP port 80) and is not applicable to IM interception (IMs use different port numbers or even UDP instead of TCP) unless the IM uses HTTP as a transport.

in reply to: Creating Rules #6499
Vadim Smirnov
Keymaster

I assume that 192.168.1.1 is your local IP address? If so, the rule is just fine. However, please note that in order to allow FTP access you also need to open port 22.
