Forum Replies Created
-
Posts
-
Can you direct me to any websites that document the shifting of the SEQ and ACK fields. Also is shifting a set incremental value or is it based on the content of the packet?
I don’t think you will be able to find this sort of information anywhere. The only thing I can suggest is reading some good description of TCP protocol (by R. Stevens http://www.kohala.com/start/ an example).
Yes there is last field EPROCESS block which points to a UNICODE_STRING which gives me the FullPathName , but still I am not able to get the Drive Letters form there.
You have not explained in what form you get full path name here and I supposed you have got volume device name instead drive letter. Seems I got wrong π³
Anyways, why won’t you use the approach I posted above in this thread:
1. Obtain EPROCESS pointer through IoGetCurrentProcess().
2. For NT 4.0 and 5.0 take section handle from EPROCESS(SectionHandle) and using ObReferenceObjectByHandle() we obtain SectionObject; for NT 5.1 we can take SectionObject from EPROCESS directly.
3. From SectionObject we obtain SegmentObject.
4. From SegmentObject we obtain ControlArea.
5. From ControlArea we obtain FilePointer (this is FileObject pointer).
6. Using ObQueryNameString() we obtain full process name
All operations should be performed on PASSIVE_LEVEL and in the context of the process we obtain full path for.This one is proved to work.
Yes there is last field EPROCESS block which points to a UNICODE_STRING which gives me the FullPathName , but still I am not able to get the Drive Letters form there.
Drive letter is a symbolic link to disk object, so you can enumerate symbolic links to get the exact mappings.
I had one more query ,what does DEVICEMAP field in EPROCESS strucure signify…?
Devicemap is used when object manager sees a name beginning from ?? for getting the object directory to use for the particular process.
Using my intercepting application, can I send a tcp request to one of the two applications by filling the Request.EthPacket.Buffer with a new packet that I create and then send it using SendPacketToMstcp or SendPacketToAdapter?
Yes, you can. However, please note that injecting data into the TCP stream is not as easy as it may seem at the first look, because you should properly shift SEQ and ACK fields in your newly inserted packet and all sequent packets.
Would either application be able to tell that the packet didn’t originate from the application it is connected to?
If packet is injected properly then it won’t.
'Dump packet size
sOut = sOut & vbTab & "Packet size = " & PacketBuffer.m_Length & vbCrLf
CopyMemory EthHeader, PacketBuffer.m_IBuffer(0), Len(EthHeader)
The code above is taken from VB passthru sample. Here PacketBuffer.m_IBuffer array contains the entire packet, you can dump it if necessary.
Samples can be compiled with VC6 or VC2005 (projects are provided). You can convert VC6 project to VC2003 one if necessary. The binaries in the package are built with VC6 in order to support Windows 95.
ΠΠΎΠ΄ΡΠΊΠ°ΠΆΠΈ ΠΏΠΎΠΆΠ°Π»ΡΠΉΡΡΠ° Π² ΠΊΠ°ΠΊΠΎΠΌ ΡΠ°Π·Π΄Π΅Π»Π΅ Π² DDK ΡΡΠΎ ΠΌΠΎΠΆΠ½ΠΎ ΠΏΠΎΡΠΈΡΠ°ΡΡ?
ΠΠΏΠΈΡΠ°Π½ΠΈΠ΅ NdisRegisterProtocol Π½Π°ΠΏΡΠΈΠΌΠ΅Ρ…
Ρ.Π΅. Π»ΡΡΡΠ΅ ΡΠΎΠ·Π΄Π°Π²Π°ΡΡ ΡΠ²ΠΎΠΉ ΠΏΠΎΡΠΎΠΊ Π² Π΄ΡΠ°ΠΉΠ²Π΅ΡΠ΅ ΠΏΡΠΈ ΡΠΎΡ ΡΠ°Π½Π΅Π½ΠΈΠΈ? ΠΊΠ°ΠΊΠΎΠΉΠ½ΠΈΠ±ΡΠ΄Ρ ΡΠ°ΠΌ ZwCreateThread ΡΡΠ½ΠΊΡΠΈΠ΅ΠΉ?
PsCreateSystemThread
ΠΠ±ΡΠ·Π°ΡΠ΅Π»ΡΠ½ΠΎΡΡΡ ΠΈΠ»ΠΈ ΠΎΠΏΡΠΈΠΎΠ½Π°Π»ΡΠ½ΠΎ ΡΡΡ ΠΎΠ±ΡΠ°Π±ΠΎΡΡΠΈΠΊΠΎΠ² Π² NDIS_PROTOCOL_CHARACTERISTICS ΠΈ NDIS_MINIPORT_CHARACTERISTICS ΠΎΠΏΠΈΡΠ°Π½Π° Π² DDK, Π±ΠΎΠ»ΡΡΠΈΠ½ΡΡΠ²ΠΎ ΠΈΠ· Π½ΠΈΡ Π½ΡΠΆΠ½Ρ.
Π‘ΠΎΡ ΡΠ°Π½ΡΡΡ Π² ΡΠ°ΠΉΠ» ΠΌΠΎΠΆΠ½ΠΎ ΠΈ ΠΈΠ· ΡΠ΄ΡΠ° (Π»ΡΡΡΠ΅ ΠΈΠ· ΠΎΡΠ΄Π΅Π»ΡΠ½ΠΎΠ³ΠΎ ΠΏΠΎΡΠΎΠΊΠ° ΡΠ°Π±ΠΎΡΠ°ΡΡΠ΅Π³ΠΎ Π½Π° IRQL_PASSIVE_LEVEL, ΡΠ°ΠΊ ΠΊΠ°ΠΊ receive Π²ΡΠ΅Π³Π΄Π° ΠΏΡΠΈΡ ΠΎΠ΄ΠΈΡ Π½Π° IRQL_DISPATCH_LEVEL).
@kdub wrote:
Hi,
Is the PacketBuffer.m_Length property supposed to hold the length of the entire packet or does it contain the total length of the headers (ETH,IP,TCP)?Yes, this is entire packet length (headers and payload).
@kdub wrote:
I am filtering for only ETH_P_IP packets and the m_Length is always 54 which appears to be the header sizes (14,20,20). I am not able to get the payload data but I can get the IP and TCP header data successfully.
Believe or not, not all packets on the network are 54 bytes length and not all packets are TCP. In order to check if packet is TCP you have to check protocol field on the IP header which specifies next protocol.
@kdub wrote:
What is the correct way to get the length of the entire packet (ETH, IP, TCP,PAYLOAD,CHECKSUM) using the VB PassThru example?
Read Ethernet header, check if next protocol is IP. Read IP header, check if next protocol is TCP. If it is then read TCP header and follow up data if there is any.
You can’t affect cache manager behavior from user mode, however there is another way to do what you want. You can map each of 2000 files into the process memory (CreateFileMapping and MapViewOfFile), 20 megs should easily fit your process address space. Then read one byte from each page (each 4K) of each mapping, this will force system to bring all files into memory.
However, I would not force system to fetch all data from disk at once, but better postpone each fetch operation when it is really necessary.
@kdub wrote:
What is the difference between the NDISAPI.dll provided with the sample applications and the one provided with the Individual license?
There is no difference. DLL in the trial package is fully functional.
The IP and TCP headers are all contained in the same packet right?
Yes
What are the sizes of the IP header and TCP header?
IP header is usually 20 bytes length, but the actual length is specified in the header itself(http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html). Same for TCP header (http://www.wtcs.org/snmp4tpc/images/TCP-Header.jpg) TCP header follows IP header, but IP can be used as transport for many other protocols, UDP, ICMP, GRE and etc…
Does the data/payload section always follow the TCP header?
If TCP packet contains data then yes they follow TCP header.
I am a newbie here and I was wondering if you could provide an example of how to read the data contents of a packet using visual basic syntax.
Regretfully I’m not a VB expert, but parsing Ethernet header is shown in the VB samples. You can parse follow up headers (IP, TCP/UDP) just on the same way.
Also is the data in the packet the same as it would be if I were to view the contents at the winsock level.
On WINSOCK level you work mostly with data streams (no packet headers), here you got packets with Ethernet, IP headers and etc… But packet payload contains the data you seen on winsock layer.
I want to get the source IP and Port and then view the data to determine whether to drop the packet or not, is that possible with WinPKFilter samples?
Yes, that is possible.
Π‘ HTTP Π²ΡΠΎΠ΄Π΅ ΡΠ°Π·ΠΎΠ±ΡΠ°Π»ΡΡ – ΠΈΠΌΡ Ρ ΠΎΡΡΠ° Π² ΠΈΡΡ ΠΎΠ΄ΡΡΠ΅ΠΌ ΠΏΠ°ΠΊΠ΅ΡΠ΅ ΠΌΠ΅Π½ΡΡ, ΡΡΠΌΠΌΠ° ΡΡ ΠΎΠ΄ΠΈΡΡΡ Π½ΠΎ ΠΊΠ°ΠΊΠΈΠ΅ ΡΠΎ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ Ρ ACK SEQ. Π― ΡΠ°ΠΊ ΠΏΠΎΠ½ΡΠ» ΡΡΠΎ ΠΏΡΠΈ ΠΈΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠΈ Π΄Π»ΠΈΠ½Ρ ΠΏΠ°ΠΊΠ΅ΡΠ° ΠΈΡ Π½Π°Π΄ΠΎ ΠΌΠ΅Π½ΡΡΡ. ΠΠ°ΠΊ?
ΠΡΠ»ΠΈ ΠΏΠ°ΠΊΠ΅Ρ ΡΠ²Π΅Π»ΠΈΡΠΈΠ»ΡΡ Π² Π΄Π»ΠΈΠ½Π½Π΅ (Π½Π΅ Π²ΡΡ ΠΎΠ΄Ρ Π·Π° Π³ΡΠ°Π½ΠΈΡΡ Ethernet frame), ΡΠΎ SEQ Π½Π°Π΄ΠΎ ΡΠ²Π΅Π»ΠΈΡΠΈΡΡ (Π° Π²ΠΎ Π²Ρ ΠΎΠ΄ΡΡΠ΅ΠΌ ΠΏΠΎΡΠΎΠΊΠ΅ ΡΠΌΠ΅Π½ΡΡΠΈΡΡ ACK). ΠΠ·ΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ SEQ/ACK Π·Π°ΡΠ΅ΠΌ Π½ΡΠΆΠ½ΠΎ ΡΡΠ½ΡΡΡ Π΄ΠΎ ΡΠ°ΠΌΠΎΠ³ΠΎ Π·Π°ΠΊΡΡΡΠΈΡ ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΡ. ΠΠ½Π°Π»ΠΎΠ³ΠΈΡΠ½ΠΎ ΠΏΠΎΡΡΡΠΏΠ°Π΅ΠΌ ΠΏΡΠΈ ΡΠΌΠ΅Π½ΡΡΠ΅Π½ΠΈΠΈ Π΄Π»ΠΈΠ½Π½Ρ Ρ ΡΠΎΡΠ½ΠΎΡΡΡΡ Π΄ΠΎ Π½Π°ΠΎΠ±ΠΎΡΠΎΡ.
IMHO ΠΏΡΠΎΡΠ΅ ΠΏΠ΅ΡΠ΅Ρ Π²Π°ΡΠΈΡΡ DNS ΠΏΠ°ΠΊΠ΅Ρ ΠΈ ΠΏΠΎΠ΄ΠΌΠ΅Π½ΠΈΡΡ Π² Π½Π΅ΠΌ IP.
