Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,126 through 1,140 (of 1,486 total)
  • in reply to: Shaping connections NATted by somebody else #6248
    Vadim Smirnov
    Keymaster

      Hmm… And how does TI shape NATted connection!?…

      TI developers know for sure. I would try to reverse engineer the ICS implementation in Windows and get the NAT table.

      in reply to: Terminating thread [rus] #6249
      Vadim Smirnov
      Keymaster

        I would create an event and wait on this event (probably alongside a few other objects) in the thread routine instead of calling KeDelayExecutionThread. Once I need to unload the driver, I would signal that event so the thread routine stops waiting and calls PsTerminateSystemThread. At the same time, DriverUnload can wait for the thread to exit by waiting on the thread object.

        Alternatively (fewer modifications in your code, but not that nice) you can create some global variable and check its state in your Func:


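        // Set to a non-zero value in DriverUnload to ask the thread to exit
        volatile BOOLEAN g_bLeaveThread = FALSE;

        void Func(PVOID a)
        {
            LARGE_INTEGER delay;

            UNREFERENCED_PARAMETER(a);
            // SEC() is not shown on this page; assumed to yield a 1-second relative interval
            delay.QuadPart = SEC(1);

            // KeDelayExecutionThread returns STATUS_SUCCESS (0) when the delay has elapsed
            while (!KeDelayExecutionThread(KernelMode, FALSE, &delay))
            {
                DbgPrint(">> thread message");
                if (g_bLeaveThread)
                    break;
            }
            PsTerminateSystemThread(STATUS_SUCCESS);
        }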

        In DriverUnload, set g_bLeaveThread to a non-zero value and wait for the thread to exit (KeWaitForSingleObject on the thread object).

        in reply to: Shaping connections NATted by somebody else #6246
        Vadim Smirnov
        Keymaster

          You intercept each packet routed outside twice: first on the internal interface before NAT is applied and second on the external interface after NAT is applied, and vice versa for packets coming in on the external interface. In theory you can match these packets (by IP address information + IP ID + TCP/UDP header information) and build your own copy of the NAT table, but collisions are still possible, especially if the router is heavily loaded.

          I would recommend implementing NAT in the same module which implements the shaper; this would save you lots of time. NAT is relatively easy to implement (if you are not aiming to support complex protocols like H.323); as an example, this simple application took one day to write: http://www.ntkernel.com/w&p.php?id=31
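The packet matching described in the reply above, as an added example (not code from the forum post or from WinpkFilter). The struct and function names are hypothetical, the addresses are constructed sample values, and it assumes the NAT device rewrites only the source address and port of outbound packets, leaving the IP ID and destination untouched. When two pending packets are indistinguishable it records a collision instead of guessing a mapping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_PENDING 32
#define MAX_NAT     32

/* Header fields of one intercepted IPv4 TCP/UDP packet (hypothetical struct). */
typedef struct {
    uint8_t  proto;                 /* 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;
    uint16_t ip_id;                 /* IPv4 Identification field */
} pkt_info;

/* One learned translation: internal endpoint <-> external endpoint. */
typedef struct { uint8_t proto; uint32_t in_ip, ext_ip; uint16_t in_port, ext_port; } nat_entry;

typedef struct {
    pkt_info  pending[MAX_PENDING]; /* seen before NAT, not matched yet */
    size_t    n_pending;
    nat_entry table[MAX_NAT];       /* reconstructed copy of the NAT table */
    size_t    n_table;
    unsigned  collisions;           /* post-NAT packets with >1 candidate */
} nat_shadow;

/* Assumption: outbound source NAT rewrites only src_ip/src_port. */
static int same_invariants(const pkt_info *a, const pkt_info *b)
{
    return a->proto == b->proto && a->dst_ip == b->dst_ip &&
           a->dst_port == b->dst_port && a->ip_id == b->ip_id;
}

/* External (ip, port) -> learned entry, or NULL if not learned. */
nat_entry *shadow_lookup(nat_shadow *s, uint8_t proto, uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < s->n_table; i++)
        if (s->table[i].proto == proto && s->table[i].ext_ip == ip &&
            s->table[i].ext_port == port)
            return &s->table[i];
    return NULL;
}

/* Outbound packet seen on the internal interface, before NAT. */
void shadow_internal(nat_shadow *s, const pkt_info *p)
{
    if (s->n_pending == MAX_PENDING) {           /* full: forget the oldest */
        memmove(s->pending, s->pending + 1, (MAX_PENDING - 1) * sizeof *p);
        s->n_pending--;
    }
    s->pending[s->n_pending++] = *p;
}

/* The same direction on the external interface, after NAT.
 * Returns 1 = mapping learned, 0 = nothing learned, -1 = collision. */
int shadow_external(nat_shadow *s, const pkt_info *p)
{
    size_t i, hit = 0, hits = 0;
    nat_entry *e;
    for (i = 0; i < s->n_pending; i++)
        if (same_invariants(&s->pending[i], p)) { hit = i; hits++; }
    if (hits > 1) { s->collisions++; return -1; } /* ambiguous: do not guess */
    if (hits == 0) return 0;
    e = shadow_lookup(s, p->proto, p->src_ip, p->src_port);
    if (!e && s->n_table == MAX_NAT) return 0;    /* table full */
    if (!e) e = &s->table[s->n_table++];
    e->proto  = p->proto;
    e->in_ip  = s->pending[hit].src_ip;  e->in_port  = s->pending[hit].src_port;
    e->ext_ip = p->src_ip;               e->ext_port = p->src_port;
    memmove(&s->pending[hit], &s->pending[hit + 1],
            (s->n_pending - hit - 1) * sizeof *p);
    s->n_pending--;
    return 1;
}

int main(void)
{
    /* Constructed sample: one TCP packet before and after NAT. */
    pkt_info in  = { 6, IP4(192,168,1,101), IP4(64,251,25,36), 17407, 80, 0x3CC2 };
    pkt_info out = { 6, IP4(203,0,113,7),   IP4(64,251,25,36), 50001, 80, 0x3CC2 };
    static nat_shadow s;            /* zero-initialised */
    shadow_internal(&s, &in);
    int r = shadow_external(&s, &out);
    printf("match=%d entries=%zu\n", r, s.n_table);
    return 0;
}
```

Colliding packets stay in the pending list and age out as newer packets arrive, so a busy router raises the `collisions` counter rather than filling the table with wrong mappings.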

          in reply to: Cisco VPN & NDISRD.SYS-XP Locks Up #6245
          Vadim Smirnov
          Keymaster

            I am running Windows XP on my HP laptop. I installed MioNet which loads the driver NDISRD.SYS. Whenever this driver is loaded and I try to run my Cisco VPN client, the desktop locks up.
            Any suggestions?

            Hmm, basically the conflict here can be initiated by MioNet's usage of NDISRD (which is a WinpkFilter driver) or by NDISRD directly. So here are some questions:

            1) Do you run MioNet at the same time with Cisco VPN client?
            2) Could you look at the version of NDISRD.SYS and post it here or e-mail it to support(at)ntkernel.com?

            Also, if it is possible for you, could you please uninstall MioNet, install the WinpkFilter package instead and check if the problem pops up with WinpkFilter only?

            Also, did the system just hang? No chance of a crash dump?

            Is there a way to unload the ndisrd.sys driver by using a DOS command?

            This is not possible.

            in reply to: port redirection again #6241
            Vadim Smirnov
            Keymaster

              And what do you do with the packets coming in the reverse direction? There, in theory, you need to put the source address back, so that the client sees that the server replied to it and not someone else…

              in reply to: port redirection again #6239
              Vadim Smirnov
              Keymaster

                The gist is clear; I can suggest two options:

                1) Add the data in an additional header or at the tail of the packet
                2) If the solution is local (the source address is always the same), you can write the address the packet was originally sent to into the Source IP field

                in reply to: Network Bridge In Win Xp #6237
                Vadim Smirnov
                Keymaster

                  I don't have ready-made user-mode Ethernet Bridge code that I could post here.

                  The source code for the kernel mode Ethernet Bridge http://www.ntkernel.com/w&p.php?id=20 is available only to WinpkFilter Source Code licensees.

                  in reply to: Verify digital signature of an executable file #6229
                  Vadim Smirnov
                  Keymaster

                    I have never dug deep into file signing, but I’d guess that in the case of notepad.exe the signature is not embedded into the executable, but the whole CAT file is signed instead.

                    How could I determine what catalog file should be used for a specified file?

                    I think you should use CryptCATXXX functions for this. Probably CryptCATAdminCalcHashFromFileHandle to get the file hash and then enumerate catalogs which contain the specified hash with CryptCATAdminEnumCatalogFromHash.

                    in reply to: Network Bridge In Win Xp #6235
                    Vadim Smirnov
                    Keymaster

                      Basically, making a bridge is rather straightforward. Just set promiscuous mode on the bridged adapters (the PacketSniffer sample shows how to do this) and repeat packets received from one bridge interface to all other bridged interfaces with NDIS_FLAGS_DONT_LOOPBACK | NDIS_FLAGS_SKIP_LOOPBACK set to avoid loopback packets. This combination of flags will work on Windows 2000+; for earlier versions you have to track MAC addresses and repeat packets according to the MAC address table.

                      in reply to: Downloading file (NDIS IM) #6224
                      Vadim Smirnov
                      Keymaster

                        Is there some quicker way to get to the URL? Maybe there is some structure that stores it? Because in different browsers the URL is in different places in the packet..

                        RTFM the HTTP specification regarding GET.

                        One more thing: I open a page, a large packet (500-1000 bytes) with the request is sent, and about 10 more small packets of 60-80 bytes are sent as well (and they do not contain the words GET or POST)… what are they for? Who sends them? Clearly not the browser, since I cannot intercept and view them… maybe some kind of connection check…

                        You can check who sends them with Local Network Monitor http://www.ntkernel.com/w&p.php?id=24. If the packets contain no data, LNM will not show them. In that case they may be acknowledgements of received data, which the stack sends. RTFM the TCP protocol specification.

                        in reply to: Verify digital signature of an executable file #6227
                        Vadim Smirnov
                        Keymaster

                          If you look inside sigcheck.exe you will find that it works through wintrust.dll exported functions.

                          .text:00402260 sub_402260      proc near               ; CODE XREF: _wmain:loc_402016p
                          .text:00402260                 mov     al, byte_425860
                          .text:00402265                 push    ebx
                          .text:00402266                 test    al, al
                          .text:00402268                 push    esi
                          .text:00402269                 jnz     loc_402339
                          .text:0040226F                 mov     ebx, ds:LoadLibraryW
                          .text:00402275                 push    offset aWintrust_dll ; "Wintrust.dll"
                          .text:0040227A                 mov     byte_425860, 1
                          .text:00402281                 call    ebx ; LoadLibraryW
                          .text:00402283                 mov     esi, eax
                          .text:00402285                 test    esi, esi
                          .text:00402287                 jnz     short loc_40228E
                          .text:00402289                 pop     esi
                          .text:0040228A                 xor     al, al
                          .text:0040228C                 pop     ebx
                          .text:0040228D                 retn
                          .text:0040228E ; ---------------------------------------------------------------------------
                          .text:0040228E
                          .text:0040228E loc_40228E:                             ; CODE XREF: sub_402260+27j
                          .text:0040228E                 push    edi
                          .text:0040228F                 mov     edi, ds:GetProcAddress
                          .text:00402295                 push    offset aWinverifytrust ; "WinVerifyTrust"
                          .text:0040229A                 push    esi             ; hModule
                          .text:0040229B                 call    edi ; GetProcAddress
                          .text:0040229D                 push    offset aWthelpergetpro ; "WTHelperGetProvSignerFromChain"
                          .text:004022A2                 push    esi             ; hModule
                          .text:004022A3                 mov     WinVerifyTrustPtr, eax
                          .text:004022A8                 call    edi ; GetProcAddress
                          .text:004022AA                 push    offset aWthelperprovda ; "WTHelperProvDataFromStateData"
                          .text:004022AF                 push    esi             ; hModule
                          .text:004022B0                 mov     dword_425834, eax
                          .text:004022B5                 call    edi ; GetProcAddress
                          .text:004022B7                 push    offset aCryptcatadminr ; "CryptCATAdminReleaseContext"
                          .text:004022BC                 push    esi             ; hModule
                          .text:004022BD                 mov     dword_425838, eax
                          .text:004022C2                 call    edi ; GetProcAddress
                          .text:004022C4                 push    offset aCryptcatadmi_0 ; "CryptCATAdminReleaseCatalogContext"
                          .text:004022C9                 push    esi             ; hModule
                          .text:004022CA                 mov     dword_42583C, eax
                          .text:004022CF                 call    edi ; GetProcAddress
                          .text:004022D1                 push    offset aCryptcatcatalo ; "CryptCATCatalogInfoFromContext"
                          .text:004022D6                 push    esi             ; hModule
                          .text:004022D7                 mov     dword_42585C, eax
                          .text:004022DC                 call    edi ; GetProcAddress
                          .text:004022DE                 push    offset aCryptcatadmine ; "CryptCATAdminEnumCatalogFromHash"
                          .text:004022E3                 push    esi             ; hModule
                          .text:004022E4                 mov     dword_425854, eax
                          .text:004022E9                 call    edi ; GetProcAddress
                          .text:004022EB                 push    offset aCryptcatadminc ; "CryptCATAdminCalcHashFromFileHandle"
                          .text:004022F0                 push    esi             ; hModule
                          .text:004022F1                 mov     dword_425848, eax
                          .text:004022F6                 call    edi ; GetProcAddress
                          .text:004022F8                 push    offset aCryptcatadmina ; "CryptCATAdminAcquireContext"
                          .text:004022FD                 push    esi             ; hModule
                          .text:004022FE                 mov     dword_425840, eax
                          .text:00402303                 call    edi ; GetProcAddress
                          .text:00402305                 push    offset aCryptcatadmi_1 ; "CryptCATAdminAddCatalog"
                          .text:0040230A                 push    esi             ; hModule
                          .text:0040230B                 mov     dword_42584C, eax
                          .text:00402310                 call    edi ; GetProcAddress
                          .text:00402312                 push    offset aWinverifytrust ; "WinVerifyTrust"
                          .text:00402317                 push    esi             ; hModule
                          .text:00402318                 mov     dword_425844, eax
                          .text:0040231D                 call    edi ; GetProcAddress
                          .text:0040231F                 push    offset aCertnametostrw ; "CertNameToStrW"
                          .text:00402324                 push    offset aCrypt32_dll ; "crypt32.dll"
                          .text:00402329                 mov     WinVerifyTrustPtr, eax
                          .text:0040232E                 call    ebx ; LoadLibraryW
                          .text:00402330                 push    eax             ; hModule
                          .text:00402331                 call    edi ; GetProcAddress
                          .text:00402333                 mov     dword_425858, eax
                          .text:00402338                 pop     edi
                          .text:00402339
                          .text:00402339 loc_402339:                             ; CODE XREF: sub_402260+9j
                          .text:00402339                 mov     ecx, dword_42584C
                          .text:0040233F                 xor     eax, eax
                          .text:00402341                 test    ecx, ecx
                          .text:00402343                 pop     esi
                          .text:00402344                 pop     ebx
                          .text:00402345                 setnz   al
                          .text:00402348                 retn
                          .text:00402348 sub_402260      endp

                          WinVerifyTrust is called with WINTRUST_ACTION_GENERIC_VERIFY_V2 action ID.

                          A piece of code which demonstrates usage of WinVerifyTrust can be found in the Platform SDK samples (vertrust.cpp):

                          /////////////////////////////////////////////////////////////////////////////
                          // IsFileTrusted
                          //
                          itvEnum IsFileTrusted(LPCWSTR lpwFile, HWND hwndParent, DWORD dwUIChoice, bool *pfIsSigned, PCCERT_CONTEXT *ppcSigner)
                          {
                              char szDebugOutput[MAX_STR_LENGTH] = {0};

                              itvEnum itv = itvUnTrusted;

                              if (pfIsSigned)
                                  *pfIsSigned = false;
                              if (ppcSigner)
                                  *ppcSigner  = 0;

                              GUID guidAction = WINTRUST_ACTION_GENERIC_VERIFY_V2;

                              WINTRUST_FILE_INFO sWintrustFileInfo;
                              WINTRUST_DATA      sWintrustData;
                              HRESULT            hr;

                              memset((void*)&sWintrustFileInfo, 0x00, sizeof(WINTRUST_FILE_INFO)); // zero out
                              memset((void*)&sWintrustData, 0x00, sizeof(WINTRUST_DATA)); // zero out

                              sWintrustFileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
                              sWintrustFileInfo.pcwszFilePath = lpwFile;
                              sWintrustFileInfo.hFile = NULL;

                              sWintrustData.cbStruct            = sizeof(WINTRUST_DATA);
                              sWintrustData.dwUIChoice          = dwUIChoice;
                              sWintrustData.fdwRevocationChecks = WTD_REVOKE_NONE; // no revocation checking
                              sWintrustData.dwUnionChoice       = WTD_CHOICE_FILE;
                              sWintrustData.pFile               = &sWintrustFileInfo;
                              sWintrustData.dwStateAction       = (ppcSigner) ? WTD_STATEACTION_VERIFY : 0;

                              HMODULE hWinTrust = LoadLibrary(WINTRUST_DLL);
                              if (!hWinTrust)
                              {
                                  // WinTrust is unavailable on the machine
                                  return itvWintrustNotOnMachine;
                              }
                              PFnWinVerifyTrust pfnWinVerifyTrust = (PFnWinVerifyTrust)GetProcAddress(hWinTrust, WINTRUSTAPI_WinVerifyTrust);
                              PFnWTHelperProvDataFromStateData pfnWTHelperProvDataFromStateData= (PFnWTHelperProvDataFromStateData)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperProvDataFromStateData);
                              PFnWTHelperGetProvSignerFromChain pfnWTHelperGetProvSignerFromChain = (PFnWTHelperGetProvSignerFromChain)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperGetProvSignerFromChain);
                              PFnWTHelperGetProvCertFromChain pfnWTHelperGetProvCertFromChain = (PFnWTHelperGetProvCertFromChain)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperGetProvCertFromChain);
                              if (!pfnWinVerifyTrust || !pfnWTHelperProvDataFromStateData || !pfnWTHelperGetProvSignerFromChain || !pfnWTHelperGetProvCertFromChain)
                              {
                                  // WinTrust is unavailable on the machine
                                  FreeLibrary(hWinTrust);
                                  return itvWintrustNotOnMachine;
                              }

                              hr = pfnWinVerifyTrust(/* UI Window Handle */ (dwUIChoice == WTD_UI_NONE) ? (HWND)INVALID_HANDLE_VALUE : hwndParent, &guidAction, &sWintrustData);
                              DebugMsg("[WVT] WVT returned 0x%X\n", hr);

                              itv = (TRUST_E_PROVIDER_UNKNOWN == hr) ? itvWintrustNotOnMachine : ((S_OK == hr) ? itvTrusted : itvUnTrusted);

                              if (itvWintrustNotOnMachine == itv)
                              {
                                  // release state data
                                  sWintrustData.dwUIChoice = WTD_UI_NONE;
                                  sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
                                  pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);

                                  FreeLibrary(hWinTrust);
                                  return itv; // return immediately
                              }

                              if (pfIsSigned)
                                  *pfIsSigned = (TRUST_E_NOSIGNATURE == hr) ? false : true;

                              if (TRUST_E_NOSIGNATURE == hr)
                              {
                                  // release state data
                                  sWintrustData.dwUIChoice = WTD_UI_NONE;
                                  sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
                                  pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);

                                  FreeLibrary(hWinTrust);
                                  return itv;
                              }

                              if (ppcSigner)
                              {
                                  CRYPT_PROVIDER_DATA const *psProvData     = NULL;
                                  CRYPT_PROVIDER_SGNR       *psProvSigner   = NULL;
                                  CRYPT_PROVIDER_CERT       *psProvCert     = NULL;

                                  // grab the provider data
                                  psProvData = pfnWTHelperProvDataFromStateData(sWintrustData.hWVTStateData);
                                  if (psProvData)
                                  {
                                      // grab the signer data from the CRYPT_PROV_DATA
                                      psProvSigner = pfnWTHelperGetProvSignerFromChain((PCRYPT_PROVIDER_DATA)psProvData, 0 /*first signer*/, FALSE /* not a counter signer */, 0);
                                      if (psProvSigner)
                                      {
                                          // grab the signer cert from CRYPT_PROV_SGNR (pos 0 = signer cert; pos csCertChain-1 = root cert)
                                          psProvCert = pfnWTHelperGetProvCertFromChain(psProvSigner, 0);
                                      }
                                  }

                                  if (!psProvCert)
                                  {
                                      // some failure in obtaining the signer cert data
                                      *ppcSigner = 0;
                                  }
                                  else
                                  {
                                      // duplicate the cert
                                      HMODULE hCrypt32 = LoadLibrary(CRYPT32_DLL);
                                      if (hCrypt32)
                                      {
                                          PFnCertDuplicateCertificateContext pfnCertDuplicateCertificateContext = (PFnCertDuplicateCertificateContext)GetProcAddress(hCrypt32, CRYPTOAPI_CertDuplicateCertificateContext);
                                          if (pfnCertDuplicateCertificateContext)
                                              *ppcSigner = pfnCertDuplicateCertificateContext(psProvCert->pCert);
                                          FreeLibrary(hCrypt32);
                                      }
                                  }

                                  // release state data
                                  sWintrustData.dwUIChoice = WTD_UI_NONE;
                                  sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
                                  pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
                              }

                              FreeLibrary(hWinTrust);
                              return itv;
                          }

                          Hope it helps…

                          in reply to: WinpkFilter news/updates. #5507
                          Vadim Smirnov
                          Keymaster

                            WinpkFilter 3.0.2 released. This service release includes:

                            1. A few changes in the API DLL required for Windows Vista support
                            2. Installation scripts are updated to properly install drivers on Windows Vista

                            Important note:
                            For Windows Vista and later versions of the Windows family of operating systems, kernel-mode software must have a digital signature to load on x64-based computer systems. WinpkFilter drivers are not signed, and in order to test them on Vista x64 you should press F8 during system boot and choose the Disable Driver Signature Enforcement option. For commercial software you’d have to obtain a Code Signing certificate from VeriSign.

                            If you are eligible for a free update, please send the following details to support@ntkernel.com to receive an update instruction:

                            1. Your order ID.
                            2. An approximate date of purchase.

                            in reply to: Downloading file (NDIS IM) #6222
                            Vadim Smirnov
                            Keymaster

                              Here is a typical HTTP GET packet. Where to look for the URL is quite plain to see. For details, see the HTTP specification.


                              00000000 00 15 E9 76 C3 A0 00 16 E6 5C CA A8 08 00 45 00 ...v.........E.
                              00000010 03 66 3C C2 40 00 80 06 9E A3 C0 A8 01 65 40 FB .f<.@........e@.
                              00000020 19 24 43 FF 00 50 D1 1A 24 E5 1D 0E F2 A5 50 18 .$C..P..$.....P.
                              00000030 FF FF 1F 85 00 00 47 45 54 20 2F 20 48 54 54 50 ......GET./.HTTP
                              00000040 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 77 2E /1.1..Host:.www.
                              00000050 6E 74 6B 65 72 6E 65 6C 2E 63 6F 6D 0D 0A 55 73 ntkernel.com..Us
                              00000060 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C er-Agent:.Mozill
                              00000070 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 3B 20 a/5.0.(Windows;.
                              00000080 55 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E U;.Windows.NT.5.
                              00000090 31 3B 20 72 75 3B 20 72 76 3A 31 2E 38 2E 31 2E 1;.ru;.rv:1.8.1.
                              000000A0 33 29 20 47 65 63 6B 6F 2F 32 30 30 37 30 33 30 3).Gecko/2007030
                              000000B0 39 20 46 69 72 65 66 6F 78 2F 32 2E 30 2E 30 2E 9.Firefox/2.0.0.
                              000000C0 33 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 3..Accept:.text/
                              000000D0 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F xml,application/
                              000000E0 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F xml,application/
                              000000F0 78 68 74 6D 6C 2B 78 6D 6C 2C 74 65 78 74 2F 68 xhtml+xml,text/h
                              00000100 74 6D 6C 3B 71 3D 30 2E 39 2C 74 65 78 74 2F 70 tml;q=0.9,text/p
                              00000110 6C 61 69 6E 3B 71 3D 30 2E 38 2C 69 6D 61 67 65 lain;q=0.8,image
                              00000120 2F 70 6E 67 2C 2A 2F 2A 3B 71 3D 30 2E 35 0D 0A /png,*/*;q=0.5..
                              00000130 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A Accept-Language:
                              00000140 20 72 75 2D 72 75 2C 72 75 3B 71 3D 30 2E 38 2C .ru-ru,ru;q=0.8,
                              00000150 65 6E 2D 75 73 3B 71 3D 30 2E 35 2C 65 6E 3B 71 en-us;q=0.5,en;q
                              00000160 3D 30 2E 33 0D 0A 41 63 63 65 70 74 2D 45 6E 63 =0.3..Accept-Enc
                              00000170 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 65 66 6C oding:.gzip,defl
                              00000180 61 74 65 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 ate..Accept-Char
                              00000190 73 65 74 3A 20 77 69 6E 64 6F 77 73 2D 31 32 35 set:.windows-125
                              000001A0 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A 3B 1,utf-8;q=0.7,*;
                              000001B0 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69 76 q=0.7..Keep-Aliv
                              000001C0 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 e:.300..Connecti
                              000001D0 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A on:.keep-alive..
                              ...
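A parser for the frame dumped above, as an added example (not code from the original post or from WinpkFilter): it walks the Ethernet II, IPv4 and TCP headers with bounds checks, then builds the URL from the GET request line and the Host header. The function names and return codes are hypothetical; the sample input is the first 94 bytes of the dump, so the capture is shorter than the IP total length and the parser has to cope with that.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 94 bytes of the frame dumped above, cut right after the Host header. */
static const uint8_t sample_frame[] = {
    0x00,0x15,0xE9,0x76,0xC3,0xA0,0x00,0x16,0xE6,0x5C,0xCA,0xA8,0x08,0x00,0x45,0x00,
    0x03,0x66,0x3C,0xC2,0x40,0x00,0x80,0x06,0x9E,0xA3,0xC0,0xA8,0x01,0x65,0x40,0xFB,
    0x19,0x24,0x43,0xFF,0x00,0x50,0xD1,0x1A,0x24,0xE5,0x1D,0x0E,0xF2,0xA5,0x50,0x18,
    0xFF,0xFF,0x1F,0x85,0x00,0x00,0x47,0x45,0x54,0x20,0x2F,0x20,0x48,0x54,0x54,0x50,
    0x2F,0x31,0x2E,0x31,0x0D,0x0A,0x48,0x6F,0x73,0x74,0x3A,0x20,0x77,0x77,0x77,0x2E,
    0x6E,0x74,0x6B,0x65,0x72,0x6E,0x65,0x6C,0x2E,0x63,0x6F,0x6D,0x0D,0x0A
};

/* Locate the TCP payload of an Ethernet II / IPv4 / TCP frame.
 * Returns the payload length, or -1 if the frame is not IPv4/TCP or is malformed. */
static long tcp_payload(const uint8_t *f, size_t len, const uint8_t **data)
{
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00) return -1;
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;       /* IP header length */
    size_t tot = ((size_t)ip[2] << 8) | ip[3];     /* IP total length */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if ((((ip[6] & 0x1F) << 8) | ip[7]) != 0) return -1; /* later fragment: no TCP header */
    if (tot < ihl + 20 || len < 14 + ihl + 20) return -1;
    if (tot > len - 14) tot = len - 14;            /* truncated capture */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;      /* TCP header length */
    if (doff < 20 || ihl + doff > tot) return -1;
    *data = tcp + doff;
    return (long)(tot - ihl - doff);
}

/* Pointer to the CR of the first CRLF in [p, end), or NULL. */
static const uint8_t *eol(const uint8_t *p, const uint8_t *end)
{
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}

/* Case-insensitive prefix test on a length-bounded buffer. */
static int has_prefix_ci(const uint8_t *p, size_t n, const char *pre)
{
    for (size_t i = 0; pre[i]; i++)
        if (i >= n || tolower(p[i]) != tolower((unsigned char)pre[i])) return 0;
    return 1;
}

/* Build "http://host/path" from a GET request carried in one frame.
 * Returns 0 = ok, -1 = not IPv4/TCP, -2 = no complete GET request line,
 * -3 = no Host header in this segment, -4 = output buffer too small. */
int http_get_url(const uint8_t *frame, size_t len, char *out, size_t out_sz)
{
    const uint8_t *p = NULL, *end, *le, *path, *sp;
    long n = tcp_payload(frame, len, &p);

    if (n < 0) return -1;
    end = p + n;
    le = eol(p, end);
    if (n < 5 || memcmp(p, "GET ", 4) != 0 || !le) return -2;
    path = p + 4;
    sp = memchr(path, ' ', (size_t)(le - path));
    if (!sp) sp = le;                      /* request line without a version */
    for (p = le + 2; (le = eol(p, end)) != NULL && le > p; p = le + 2) {
        if (!has_prefix_ci(p, (size_t)(le - p), "host:")) continue;
        for (p += 5; p < le && (*p == ' ' || *p == '\t'); p++) ;
        while (le > p && (le[-1] == ' ' || le[-1] == '\t')) le--;
        int w = snprintf(out, out_sz, "http://%.*s%.*s", (int)(le - p),
                         (const char *)p, (int)(sp - path), (const char *)path);
        return (w < 0 || (size_t)w >= out_sz) ? -4 : 0;
    }
    return -3;
}

int main(void)
{
    char url[256];
    int rc = http_get_url(sample_frame, sizeof sample_frame, url, sizeof url);
    printf("rc=%d url=%s\n", rc, rc == 0 ? url : "(none)");
    return 0;
}
```

A return of -3 means the request line was seen but the Host header lies in a later TCP segment, which a single-packet parser like this one cannot reassemble.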
                              in reply to: Downloading file (NDIS IM) #6220
                              Vadim Smirnov
                              Keymaster

                                Initially I understood the task somewhat differently: that you need to save a copy of some file that another application is downloading. If the point is to download a file over HTTP from the IM driver, then you will have to implement a TCP/IP stack + the HTTP protocol. Instead of implementing your own TCP/IP you can use the TDI of the original stack, but you will have to write HTTP in any case.

                                in reply to: Downloading file (NDIS IM) #6218
                                Vadim Smirnov
                                Keymaster

                                  All network traffic goes through the IM driver, including the data of the file being downloaded. However, building the file from the packet data will not be easy: you will have to parse the TCP/HTTP headers and extract the data belonging to the file. As for parsing headers, dig into network sniffers that come with source code…
