NDIS Filter - modifying an adapter's MAC Address

gokul_tv · November 26, 2018, 3:32pm

Hi,

I’m new to the NDIS world & started playing around NDIS Filter driver (for learning purpose).

I’ve modified the ndislwf sample & started handling the OID_802_3_CURRENT_ADDRESS (@FilterOidRequest callback). I’m seeing this OID request is called during the initial stage & whenever I open “Network & sharing settings (Win10)”. In the callback, I override with a dummy MAC address & returning NDIS_STATUS_SUCCESS.

The particular code-snippet looks similar to the below code,

NDIS_STATUS
FilterOidRequest(
NDIS_HANDLE FilterModuleContext,
PNDIS_OID_REQUEST Request
)
{
NDIS_OID oid = Request->DATA.QUERY_INFORMATION.Oid;

if (oid == OID_802_3_CURRENT_ADDRESS && Request->RequestType == NdisRequestQueryInformation)
{
		NDIS_STATUS newStatus = NDIS_STATUS_SUCCESS;
		char overrideMac[6] = { 0xAA, 0xBB, 0xCC, 1, 2, 3 };
                    ULONG macAddrSz = 6;

		if (Request->DATA.QUERY_INFORMATION.InformationBufferLength >= macAddrSz )
		{
			RtlCopyMemory(Request->DATA.QUERY_INFORMATION.InformationBuffer, overrideMac, macAddrSz );
			Request->DATA.QUERY_INFORMATION.BytesWritten = macAddrSz ;
			Request->DATA.QUERY_INFORMATION.BytesNeeded = macAddrSz ;
		}
		else
		{
			Request->DATA.QUERY_INFORMATION.BytesWritten = 0;
			Request->DATA.QUERY_INFORMATION.BytesNeeded = macAddrSz ;
			newStatus = NDIS_STATUS_INVALID_LENGTH;
		}

		return newStatus;
}

But nowhere the new MAC address is reflected (ipconfig /all, getmac, Get-NetAdapters …).

So, is it possible to change an adapter’s MAC address from NDIS Filter driver? If no, what is the purpose of “OID_802_3_CURRENT_ADDRESS”?

Thanks & Regards,
Gokul T V

Jeffrey_Tippet_MSFT · November 29, 2018, 11:24pm

The easiest way to change a network adapter’s MAC address is with the Set-NetAdapter -MacAddress powershell command.

I’m not sure it’s really possible to replace a MAC address from a LWF. The reason is that there’s actually a fair amount of code in NDIS and the rest of the OS that cares about the MAC address. Simply editing one OID isn’t enough to notify NDIS and the world to update all their various caches. It could be possible to make this work, but so far nobody’s asked (me) for the feature.

If you really want to solve this using drivers, you can do it with an IM driver. However, IM drivers are difficult to write, and mostly there to solve specific, complex problems. Also, the IM drivers that are built into the OS are already able to “change” the MAC address – both LBFO and vSwitch can accomplish this.

If you’re just looking to learn LWFs, I would suggest a different exercise. You could, for example, make a LWF that causes the NIC to automatically send a ping to a hardcoded IP address whenever you plug the Ethernet cable into the NIC (on edge transition of linkstate = up).

gokul_tv · November 30, 2018, 6:43am

Hi Jeffrey Tippet,

Thank you for your valuable inputs and pointers. This is really helpful.