Ndis driver load order

Ikkepop Member Posts: 22
edited February 21 in NTDEV

I'm working on a "kill-switch" NDIS filter that will shut down internet until a certain app loads (to prevent IP leaks). And I realized the Ethernet driver is already loaded by the time my filter loads.
And that seems like it could give away the user's IP, which would be bad. Is there any way to load an NDIS filter before the Ethernet drivers or prevent Ethernet from sending packets until my filter loads?
EDIT: I accidentally posted in the wrong forum and can't find any way to move or delete the post. I apologize in advance.

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,013

    (moved at OP's request)

    Peter Viscarola
    OSR
    @OSRDrivers

  • Pavel_A Member Posts: 2,726

    > Is there any way to load an NDIS filter before the Ethernet drivers

    No, the Ethernet is the lowest layer (medium); an NDIS entity cannot be placed below it.

    > or prevent Ethernet from sending packets until my filter loads?

    Hmm. Maybe. For example, if you disable the ethernet controller at boot time and enable later.

    -- pa

  • MBond2 Member Posts: 177

    If you control the hardware, this can be done. If not, then a task of preventing any packets with 'unauthorized' content from being sent over the wire is infeasible.

    Confining yourself to preventing the transmission of particular data in TCP connections or UDP packets is one thing, but the actual IP address of the interface (presumably static since DHCP traffic could be sniffed) and other lower level details is another. Even if you could prevent any packets from Windows, consider features like PXE boot and whatever else the UEFI / hypervisor might do underneath you. And the Ethernet switch (physical or virtual) will certainly discover your IP eventually if you have any meaningful communication on that interface, so there seems little point to this.

  • David_R._Cattley Member - All Emails Posts: 2,115

    I recall that a Mandatory Filter Driver might be helpful in this case, but I don’t recall what happens exactly during boot.

    https://docs.microsoft.com/en-us/windows-hardware/drivers/network/mandatory-filter-drivers

    Good luck,
    Dave Cattley
  • Ikkepop Member Posts: 22

    @David_R._Cattley said:
    > I recall that a Mandatory Filter Driver might be helpful in this case but I don’t recall what happens exactly during Boot
    >
    > https://docs.microsoft.com/en-us/windows-hardware/drivers/network/mandatory-filter-drivers
    >
    > Good luck,
    > Dave Cattley

    That might be my saving grace, I will read up on it :smile:
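
The INF setting behind the Mandatory Filter Driver suggestion above, shown as an added example that is not code from the thread or from OSR. The service name `KillSwitchLwf` and the section name are hypothetical, and the rest of the INF (Version, Manufacturer, service install, strings) is omitted.

```inf
; Added example: Ndi registry section of an NDIS lightweight filter INF.
; "KillSwitchLwf" and the section name are hypothetical placeholders.

[KillSwitchLwf_Ndi_AddReg]
HKR, Ndi,            Service,          , "KillSwitchLwf"
HKR, Ndi,            CoServices,       0x00010000, "KillSwitchLwf"
HKR, Ndi,            FilterClass,      , custom

; FilterType: 1 = monitoring, 2 = modifying.
; A filter that drops outbound traffic is a modifying filter.
HKR, Ndi,            FilterType,       0x00010001, 2

HKR, Ndi\Interfaces, UpperRange,       , "noupper"
HKR, Ndi\Interfaces, LowerRange,       , "nolower"
HKR, Ndi\Interfaces, FilterMediaTypes, , "ethernet"

; FilterRunType: 1 = mandatory, 2 = optional.
;
; Optional (fail-open): if the filter module cannot attach, the driver
; stack comes up without it and traffic flows unfiltered.
;   HKR, Ndi,        FilterRunType,    0x00010001, 2
;
; Mandatory (fail-closed): if the filter module cannot attach, NDIS tears
; down the rest of the driver stack for that adapter.
HKR, Ndi,            FilterRunType,    0x00010001, 1
```

This only governs what NDIS does when the filter cannot attach to a stack; the Ethernet miniport still sits below the filter, as Pavel_A notes.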
