Forum Replies Created
-
AuthorPosts
-
Интересно, как именно происходит проверка состояния очереди?
Может есть какой то отдельный поток, который в цикле просматривает состояние очереди, и если она не пуста – сигнализирует в режим юзера?Когда драйвер перехватывает пакет, он его ставит в очередь и выставляет событие сигнализирующее, что очередь не пуста. User-mode поток ожидающий (WaitForSingleObject/WaitForMultipleObjects) на этом событии пробуждается ото сна и читает пакеты из очереди пока они не закончатся, затем ресетит событие и снова ждет на нем. В общем-то, пример passthru показывает как это делается.
Альтернатива – polling пакетов без использования событий (пробуем читать пакет, если чтение успешно, то вычитываем все пакеты пока не кончаться, если чтение неуспешно – засыпаем на какое-то время, пример packetsniffer), но на мой взгляд этот метод менее эффективен.
Смотря что понимать под loopback пакетами. В контексте WinpkFilter под loopback пакетами понимаются пакеты, которые были посланы на реальный сетевой интерфейс и затем показаны (вызваны receive обработчики) локальным протоколам. Благодарая этому механизму, в частности, могут работать сетевые снифферы реализованные в форме протоколов, как например winpcap. Без этого механизма winpcap не смог бы увидеть пакеты уходящие в сеть от TCP/IP.
Совсем другая история с пакетами отправленными на локальные сетевые интерфейсы (на свой собственный адрес) или на localhost (127.XXX.XXX.XXX). Эти пакеты собсвенно никогда не доходят до NDIS, а обрабатываются внутри TCP/IP стека, так что увидеть их с помощью WinpkFilter не удасться. Они собсвенно и не принимают зачастую привычную форму сетевых пакетов. Однако сами данные перехватить действительно можно анпример при помощи TDI фильтра:
http://www.ntkernel.com/w&p.php?id=24
http://www.ntkernel.com/w&p.php?id=8But what may happen in case a packet is twisted in a way ? For example wrong packet length or something like that. Can a twisted packet cause BSOD, for example ? (It is rather DPI than SPI I think).
WinpkFilter driver checks validity of buffers supplied by user, but it does not take care about the packet content. So you can send absolutely anything if modules below and above WinpkFilter accept this.
good!hope the next version~can u give a release time?
It is expected in next couple of weeks.
byt the way. i did not send out a packet by winpkfilter. 3.0.4 need more Characteristic property for firewall secion.
I’m not sure I understand this statement. Could you clarify?
Does winpkt implement SPI and DPI in any way ?
Stateful Packet Inspection? WinpkFilter is a library which takes packet from kernel level and delivers to user mode where you can implement SPI, DPI or whatever you want. It does not implement packet inspection itself.
how to constructre a RST packet can u give me a delphi example?
why it is will be failed for my operation?please give me a slight.~~ SmileI’m sorry, but I’m not a Delphi expert. Though the easiest would be sending your RST packet to the network (in addition to sending to stack) and intercept it with Network Monitor or any other sniffer you prefer. This will help to discover any probelms you may have in forming the packet.
can we make up a hardware filterinfo in the ring0. to complete the drop packet by the ring0 driver not need event. i think this is a necessary for most pelple.it can be improve the performance of winpkfilter.
This is already implemented in WinpkFilter 3.0.4 and currently under testing.
Some years ago I’ve been involved into pop-up windows blocker development (module to prevent undesired browser windows to be opened). In case of Internet Explorer the most usable approach is creating Browser Helper Object http://en.wikipedia.org/wiki/Browser_Helper_Object
According MSDN:
IWebBrowser2 Interface
Exposes methods that are implemented by the WebBrowser control (Microsoft ActiveX control) or implemented by an instance of the InternetExplorer application (OLE Automation).So unless application uses ActiveX, you just get the instance of IE started, which loads BHO, which may prevent the page from being opened…
need to be chechsum or is it will be do the checksum by the SendPacketToMstcp or SendPacketToAdapter?
The sample above does not initialize IP header and above, it forms and sends a sample Ethernet frame filled with zeros. If you are creating real world IP/TCP/UDP packet then you have to properly initialize required headers and calculate checksums.
by the way,if i want to close the connection,need i send send a rst packet to both MSTCP and Adapter?
Depends from your task, in general it is enough to send RST packet to local stack, another peer will close connection by timeout. But of course you can send RST packets to both, local and remote peers.
I’m glad tat the issue is resolved.
i checked the signdrv.bat file to see the script. there are no options for “save” and “restore”. But my question is how they are successfully executed during installation of winpkfilter?
The reason is that there are two versions of signdrv.bat with different syntax. Latest one has simplified syntax of disable/enable. Thats why you got that error message.
please send the install script.
E-mailed to the address specified in the forum details.
Just for sure, are you playing with standard or custom build? Here can be the difference, since custom build has different device name.
the winpkfilter installation on vista (x86) is installed smoothly and I am able to run test applications successfully.
So installer was able to install WinpkFilter driver successfully, but you can’t install files taken from “winpkfilter frameworkkerneldriver” on ANOTHER Vista x86 system?
This is very confusing… I can send you installation script to refer, but it does not do anything special beyond mentioned commands.
If you mean NDIS hooking variant of WinpkFilter then it MUST be loaded after NDIS.SYS and before TCPIP.SYS to work normally, otherwise it not able to intercept TCP/IP protcol registration.
If you are about NDIS IM variant, then it can be added/removed dynamically in most cases, but SCM API is not suitable to this. I would recommend having a look at SNETCFG sample from DDK.
I’m wondering if it has the ability to send raw packet???
Sure it can.
int main(int argc, char* argv[])
{
UINT counter = 0;
ether_header* pEthHeader = NULL;
if (argc < 3)
{
printf ("Command line syntax:ntsender.exe index numntindex - network interface index.ntnum - number or packets to sendntYou can use ListAdapters to determine correct index.n");
return 0;
}
iIndex = atoi(argv[1]) - 1;
counter = atoi(argv[2]);
if(!api.IsDriverLoaded())
{
printf ("Driver not installed on this system of failed to load.n");
return 0;
}
api.GetTcpipBoundAdaptersInfo ( &AdList );
if ( iIndex + 1 > AdList.m_nAdapterCount )
{
printf("There is no network interface with such index on this system.n");
return 0;
}
// Initialize Request
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;
Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[iIndex];
pEthHeader = (ether_header*)PacketBuffer.m_IBuffer;
memcpy(&pEthHeader->h_source, AdList.m_czCurrentAddress[iIndex], ETH_ALEN);
memset(&pEthHeader->h_dest, 0xFF, ETH_ALEN);
pEthHeader->h_proto = ETH_P_IP;
Request.EthPacket.Buffer->m_Length = MAX_ETHER_FRAME;
while (counter--)
api.SendPacketToAdapter(&Request);
return 0;
}
The code above initializes Ethernet header (broadcast IP packet) and sends it over the network. IP header and above are not initialized (packet is filled by zeros).
I think you could test with large ICMP PING packets. PING utility from Windows allows sending PING packet of large length (up to maximum IP packet size) which is fragmented by TCP/IP.
1) Are you trying to install on Vista x86 or x64?
2) Have you taken the correct drivers, INF files and snetcfg matching the OS (32 bit driver for x86, 64 bit for x64)? May be the problem in snetcfg tool if you have taken the original version from DDK instead the modified one we use.
3) Commands mentioned should be executed under Administrator account. You have mentioned that you tried, but I would recommend to recheck.
4) And the last, if you run WinpkFilter run-time installation does it install normally? -
AuthorPosts