Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,006 through 1,020 (of 1,474 total)
in reply to: Aadapter associated packet queue checkup #6474
Vadim Smirnov
Keymaster

> I am curious how exactly the queue state is checked?
> Maybe there is a separate thread that loops checking the queue state and, if it is not empty, signals user mode?

When the driver intercepts a packet, it places it in the queue and sets an event signalling that the queue is not empty. A user-mode thread waiting on that event (WaitForSingleObject/WaitForMultipleObjects) wakes up and reads packets from the queue until none are left, then resets the event and waits on it again. The passthru sample shows how this is done.

The alternative is polling for packets without using events (try to read a packet; if the read succeeds, keep reading packets until none are left; if the read fails, sleep for a while; see the packetsniffer sample), but in my opinion this method is less efficient.

in reply to: loopback sniffer (does not work) #6473
Vadim Smirnov
Keymaster

It depends on what you mean by loopback packets. In the context of WinpkFilter, loopback packets are packets that were sent to a real network interface and then indicated (their receive handlers called) to the local protocols. This mechanism is what allows, in particular, network sniffers implemented as protocols, such as winpcap, to work. Without it winpcap would not be able to see the packets going out to the network from TCP/IP.

Packets sent to local network interfaces (to the machine's own address) or to localhost (127.XXX.XXX.XXX) are a completely different story. These packets never actually reach NDIS; they are processed inside the TCP/IP stack, so you will not be able to see them with WinpkFilter. They also often do not take the usual form of network packets. However, the data itself can indeed be intercepted, for example with a TDI filter:

http://www.ntkernel.com/w&p.php?id=24
http://www.ntkernel.com/w&p.php?id=8

in reply to: SPI/DPI #6472
Vadim Smirnov
Keymaster

> But what may happen in case a packet is twisted in some way? For example a wrong packet length or something like that. Can a twisted packet cause a BSOD, for example? (It is rather DPI than SPI I think.)

The WinpkFilter driver checks the validity of the buffers supplied by the user, but it does not look at the packet content. So you can send absolutely anything, as long as the modules below and above WinpkFilter accept it.

in reply to: hi,SerpentFly please come in:about send rawpacket #6468
Vadim Smirnov
Keymaster

> Good! Hope for the next version. Can you give a release time?

It is expected in the next couple of weeks.

> By the way, I did not send out a packet by winpkfilter. 3.0.4 needs more Characteristic property for the firewall section.

I'm not sure I understand this statement. Could you clarify?

in reply to: SPI/DPI #6470
Vadim Smirnov
Keymaster

> Does winpkt implement SPI and DPI in any way?

Stateful Packet Inspection? WinpkFilter is a library which takes packets from kernel level and delivers them to user mode, where you can implement SPI, DPI or whatever you want. It does not implement packet inspection itself.

in reply to: hi,SerpentFly please come in:about send rawpacket #6466
Vadim Smirnov
Keymaster

> How do I construct a RST packet? Can you give me a Delphi example?
> Why does it fail for my operation? Please give me a hint. Smile

I'm sorry, but I'm not a Delphi expert. Though the easiest approach would be to send your RST packet to the network as well (in addition to sending it to the stack) and intercept it with Network Monitor or any other sniffer you prefer. This will help to discover any problems you may have in forming the packet.

> Can we make up a hardware filter info in ring0, so that dropping the packet is completed by the ring0 driver without needing an event? I think this is necessary for most people. It can improve the performance of winpkfilter.

This is already implemented in WinpkFilter 3.0.4 and is currently under testing.

in reply to: OLE hooking in Windows #6244
Vadim Smirnov
Keymaster

Some years ago I was involved in pop-up window blocker development (a module to prevent undesired browser windows from being opened). In the case of Internet Explorer the most usable approach is creating a Browser Helper Object: http://en.wikipedia.org/wiki/Browser_Helper_Object

According to MSDN:

> IWebBrowser2 Interface
> Exposes methods that are implemented by the WebBrowser control (Microsoft ActiveX control) or implemented by an instance of the InternetExplorer application (OLE Automation).

So unless the application uses ActiveX, you just get the instance of IE started, which loads the BHO, which may prevent the page from being opened…

in reply to: Send Raw Packet. #6464
Vadim Smirnov
Keymaster

> Does it need a checksum, or will the checksum be done by SendPacketToMstcp or SendPacketToAdapter?

The sample above does not initialize the IP header and above; it forms and sends a sample Ethernet frame filled with zeros. If you are creating a real-world IP/TCP/UDP packet then you have to properly initialize the required headers and calculate the checksums.

> By the way, if I want to close the connection, do I need to send a RST packet to both MSTCP and the adapter?

It depends on your task. In general it is enough to send the RST packet to the local stack; the other peer will close the connection by timeout. But of course you can send RST packets to both the local and the remote peer.
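The checksum step this reply refers to, as an added example that is not from the original post or from the WinpkFilter package: it computes the IPv4 header checksum and the UDP checksum (over the pseudo-header plus segment) for a constructed sample packet, which is what a sender must do before placing the packet behind the Ethernet header and calling SendPacketToAdapter. All function names and the sample packet are assumptions made here.

```c
#include <stdint.h>
#include <string.h>
/* Sum 16-bit big-endian words into acc; an odd trailing byte is zero-padded. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t acc) {
    for (size_t i = 0; i + 1 < len; i += 2)
        acc += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        acc += (uint32_t)p[len - 1] << 8;
    return acc;
}
/* Fold carries into 16 bits and return the one's complement (RFC 1071). */
static uint16_t fold(uint32_t acc) {
    while (acc >> 16)
        acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}
/* IPv4 header checksum (field zeroed while computing); on a filled-in header it returns 0. */
uint16_t ip_checksum(const uint8_t *hdr, size_t ihl) { return fold(sum_words(hdr, ihl, 0)); }
/* UDP/TCP checksum: IPv4 pseudo-header (src, dst, proto, length) followed by the segment. */
uint16_t transport_checksum(const uint8_t *ip, uint8_t proto,
                            const uint8_t *seg, size_t seg_len) {
    uint32_t acc = sum_words(ip + 12, 8, 0);      /* source + destination addresses */
    acc += proto;
    acc += (uint32_t)seg_len;                      /* transport length */
    return fold(sum_words(seg, seg_len, acc));
}
/* Fill both checksum fields of an IPv4/UDP packet in place (hypothetical helper). */
void fill_udp_checksums(uint8_t *p, size_t total) {
    size_t ihl = (p[0] & 0x0F) * 4;
    p[10] = p[11] = 0;
    uint16_t ipc = ip_checksum(p, ihl);
    p[10] = ipc >> 8; p[11] = ipc & 0xFF;
    p[ihl + 6] = p[ihl + 7] = 0;                   /* UDP checksum sits at offset 6 */
    uint16_t uc = transport_checksum(p, p[9], p + ihl, total - ihl);
    if (uc == 0) uc = 0xFFFF;                      /* for UDP, 0 means "no checksum" */
    p[ihl + 6] = uc >> 8; p[ihl + 7] = uc & 0xFF;
}
/* Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP 4660 -> 53, payload "ping", checksums zero. */
static const uint8_t sample_packet[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00, 0xC0,0xA8,0x00,0x01,
    0xC0,0xA8,0x00,0xC7, 0x12,0x34,0x00,0x35, 0x00,0x0C,0x00,0x00, 'p','i','n','g' };
/* Returns a checksummed copy of the sample, ready to be copied after the Ethernet header. */
uint8_t *checksummed_sample(void) {
    static uint8_t work[sizeof sample_packet];
    memcpy(work, sample_packet, sizeof work);
    fill_udp_checksums(work, sizeof work);
    return work;
}
```

Running either checksum routine again over a correctly filled packet yields 0, which is the same check a receiver performs.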

in reply to: Packet filtering for pornography blocking #6362
Vadim Smirnov
Keymaster

I'm glad that the issue is resolved.

> I checked the signdrv.bat file to see the script. There are no options for "save" and "restore". But my question is how are they successfully executed during the installation of winpkfilter?

The reason is that there are two versions of signdrv.bat with different syntax. The latest one has the simplified disable/enable syntax. That's why you got that error message.

in reply to: Packet filtering for pornography blocking #6359
Vadim Smirnov
Keymaster

> Please send the install script.

E-mailed to the address specified in the forum details.

Just to be sure, are you working with the standard or a custom build? That can make the difference, since a custom build has a different device name.

in reply to: Packet filtering for pornography blocking #6357
Vadim Smirnov
Keymaster

> The winpkfilter installation on Vista (x86) installed smoothly and I am able to run the test applications successfully.

So the installer was able to install the WinpkFilter driver successfully, but you can't install the files taken from "winpkfilter framework\kernel\driver" on ANOTHER Vista x86 system?

This is very confusing… I can send you the installation script to refer to, but it does not do anything special beyond the commands mentioned.

in reply to: why not i can load the NDISRD.sys by code #6465
Vadim Smirnov
Keymaster

If you mean the NDIS hooking variant of WinpkFilter, then it MUST be loaded after NDIS.SYS and before TCPIP.SYS to work normally; otherwise it is not able to intercept the TCP/IP protocol registration.

If you mean the NDIS IM variant, then it can be added/removed dynamically in most cases, but the SCM API is not suitable for this. I would recommend having a look at the SNETCFG sample from the DDK.

in reply to: Send Raw Packet. #6462
Vadim Smirnov
Keymaster

> I'm wondering if it has the ability to send raw packets???

Sure it can.

#include <windows.h>
#include <winsock2.h>    // htons()
#include <stdio.h>
#include <stdlib.h>
#include "ndisapi.h"     // WinpkFilter: CNdisApi, TCP_AdapterList, ETH_REQUEST, INTERMEDIATE_BUFFER

// Objects used by the sample (declared here so the fragment compiles as a whole)
CNdisApi            api;
TCP_AdapterList     AdList;
ETH_REQUEST         Request;
INTERMEDIATE_BUFFER PacketBuffer;
int                 iIndex = 0;

int main(int argc, char* argv[])
{
    UINT counter = 0;
    ether_header* pEthHeader = NULL;

    if (argc < 3)
    {
        printf("Command line syntax:\n\tsender.exe index num\n\tindex - network interface index.\n\tnum - number of packets to send\n\tYou can use ListAdapters to determine correct index.\n");
        return 0;
    }

    iIndex  = atoi(argv[1]) - 1;   // interfaces are numbered from 1 on the command line
    counter = atoi(argv[2]);

    if (!api.IsDriverLoaded())
    {
        printf("Driver not installed on this system or failed to load.\n");
        return 0;
    }

    api.GetTcpipBoundAdaptersInfo(&AdList);

    if (iIndex < 0 || (unsigned)(iIndex + 1) > AdList.m_nAdapterCount)
    {
        printf("There is no network interface with such index on this system.\n");
        return 0;
    }

    // Initialize Request: one packet buffer bound to the chosen adapter
    ZeroMemory(&Request, sizeof(ETH_REQUEST));
    ZeroMemory(&PacketBuffer, sizeof(INTERMEDIATE_BUFFER));
    Request.EthPacket.Buffer = &PacketBuffer;
    Request.hAdapterHandle   = (HANDLE)AdList.m_nAdapterHandle[iIndex];

    // Ethernet header: adapter MAC as source, broadcast destination, IP EtherType
    pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;

    memcpy(&pEthHeader->h_source, AdList.m_czCurrentAddress[iIndex], ETH_ALEN);
    memset(&pEthHeader->h_dest, 0xFF, ETH_ALEN);
    pEthHeader->h_proto = htons(ETH_P_IP);   // EtherType is carried in network byte order
    Request.EthPacket.Buffer->m_Length = MAX_ETHER_FRAME;   // rest of the frame stays zero-filled

    while (counter--)
        api.SendPacketToAdapter(&Request);

    return 0;
}

The code above initializes the Ethernet header (a broadcast IP packet) and sends it over the network. The IP header and above are not initialized (the packet is filled with zeros).

in reply to: IP fragments reassembly #6461
Vadim Smirnov
Keymaster

I think you could test with large ICMP PING packets. The PING utility from Windows allows sending PING packets of large length (up to the maximum IP packet size), which are fragmented by TCP/IP.

in reply to: Packet filtering for pornography blocking #6355
Vadim Smirnov
Keymaster

1) Are you trying to install on Vista x86 or x64?
2) Have you taken the correct drivers, INF files and snetcfg matching the OS (32-bit driver for x86, 64-bit for x64)? Maybe the problem is in the snetcfg tool, if you have taken the original version from the DDK instead of the modified one we use.
3) The commands mentioned should be executed under an Administrator account. You have mentioned that you tried, but I would recommend rechecking.
4) And the last: if you run the WinpkFilter run-time installation, does it install normally?
