A driver that listens to traffic

@ Don

Can a process make the OS send a packet on its behalf? Or can a malware do that to hide its identity?

Thanks.

For any normal situation the filter will catch all the packets, including
ones from the OS. If you can insert code into the OS there is never a
guarantee that someone can’t figure out a way to bypass any protection
mechanism you have. This is why if you look back in the archives most of us
emphasize that if the kernel is infected there is no way to fix things.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Sunday, July 31, 2016 7:16 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] A driver that listens to traffic

@ Don

Can a process make the OS send a packet on its behalf? Or can a malware do
that to hide its identity?

Thanks.


NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:

I compiled the driver and used net start inspect to start the service. The code seems too complex for me but I found some functions in inspect.c

TLInspectALERecvAcceptClassify

TLInspectALERecvAcceptNotify

I put a dbgPrint statement in them but they don’t seem to be the functions that are called when recv is called because they are only called once or twice! Also there is something called “ale” which I don’t seem to understand!

ALE layers are described here: https://msdn.microsoft.com/en-us/library/windows/desktop/bb613460(v=vs.85).aspx

ALE is described here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx

I was able to capture all the packets, but still have no idea how to get
the process associated with each packet?

On Sun, Jul 31, 2016 at 4:38 PM, Don Burn wrote:

> For any normal situation the filter will catch all the packets, including
> ones from the OS. If you can insert code into the OS there is never a
> guarantee that someone can’t figure out a way to bypass any protection
> mechanism you have. This is why if you look back in the archives most of us
> emphasize that if the kernel is infected there is no way to fix things.
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com

Take a look at https://msdn.microsoft.com/en-us/library/windows/hardware/ff559179(v=vs.85).aspx If you test for TRUE
“FWPS_IS_METADATA_FIELD_PRESENT( MetaValues, FWPS_METADATA_FIELD_PROCESS_ID )” you can then retrieve the
PID from MetaValues->processId;

This is in the WFP sample, but as I warned you at the beginning it is a huge sample. You are going to have to study the MSDN
Documentation to know what you can get where to get data, start your doc search at https://msdn.microsoft.com/en-us/library/windows/hardware/ff546100(v=vs.85).aspx

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of zaid ALYAFEY
Sent: Friday, August 05, 2016 3:02 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] A driver that listens to traffic

I was able to capture all the packets, but still have no idea how to get the process associated with each packet?


One more question,

What I understood is that we can get the process id at the layers for connect,
accept and bind (handshake layers). But what about the packets generated by
(send, recv) function calls? Also from MSDN I have the following: "only the
first TCP send() and the first TCP recv() over raw sockets will be filtered."
What does that mean?

On Fri, Aug 5, 2016 at 10:20 PM, Don Burn wrote:

> Take a look at https://msdn.microsoft.com/en-us/library/windows/hardware/ff559179(v=vs.85).aspx If you test for TRUE
> “FWPS_IS_METADATA_FIELD_PRESENT( MetaValues, FWPS_METADATA_FIELD_PROCESS_ID )” you can then retrieve the
> PID from MetaValues->processId;
>
> This is in the WFP sample, but as I warned you at the beginning it is a huge sample. You are going to have to study the MSDN
> Documentation to know what you can get where to get data, start your doc search at https://msdn.microsoft.com/en-us/library/windows/hardware/ff546100(v=vs.85).aspx
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com

> "only the first TCP send() and the first TCP recv() over raw sockets will be filtered." What does that mean?

This is only relevant at the ALE layers: https://msdn.microsoft.com/en-us/library/windows/desktop/bb613460(v=vs.85).aspx

If you want to associate every packet with a process you’ll need to look at the Transport / IP layers. It looks like the processid is not immediately available at these layers. (https://msdn.microsoft.com/en-us/library/windows/hardware/ff559179(v=vs.85).aspx)

Looks like you’ll need to maintain your own state tables for this or store the processid in the flow context and retrieve it at these layers.

J

Since I know the process id of each packet in ale connect, can’t I
associate every send or receive packet with the corresponding connection?
On 15 Aug 2016 17:37, wrote:

> > "only the first TCP send() and the first TCP recv() over raw sockets will be filtered." What does that mean?
>
> This is only relevant at the ALE layers: https://msdn.microsoft.com/en-us/library/windows/desktop/bb613460(v=vs.85).aspx
>
> If you want to associate every packet with a process you’ll need to look at the Transport / IP layers. It looks like the processid is not immediately available at these layers. (https://msdn.microsoft.com/en-us/library/windows/hardware/ff559179(v=vs.85).aspx)
>
> Looks like you’ll need to maintain your own state tables for this or store the processid in the flow context and retrieve it at these layers.
>
> J

Zaid alyafeai wrote:

>> Looks like you’ll need to maintain your own state tables for
>> this or store it the processid in the flow context and retrieve
>> it at these layers.
>
> Since I know the process id of each packet in ale connect , can’t I
> associate every send or receive packet with the corresponding
> connection?

Uh, isn’t that what you were *just* told?

Hi

As far as I know, ale connect and ale recv accept flow context cannot be got in transport layers.

We need to maintain our own context, for example search key will be 5 tuple.


From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Thursday, August 18, 2016 8:50 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] A driver that listens to traffic

Zaid alyafeai wrote:

>> Looks like you’ll need to maintain your own state tables for
>> this or store it the processid in the flow context and retrieve
>> it at these layers.
>
> Since I know the process id of each packet in ale connect , can’t I
> associate every send or receive packet with the corresponding
> connection?

Uh, isn’t that what you were just told?



How do I know that two packets in the transport layer belong to the same
tcp connection ?
On 18 Aug 2016 13:01, wrote:

> As far as I know, ale connect and ale recv accept flow context cannot be got in transport layers.
>
> We need to maintain our own context, for example search key will be 5 tuple.

At least for most cases check out FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of zaid ALYAFEY
Sent: Friday, August 19, 2016 5:22 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] A driver that listens to traffic

How do I know that two packets in the transport layer belong to the same tcp connection ?


A network 5 tuple uniquely identifies a TCP connection.

Could you please explain more? What are the members of the tuple ?
On 20 Aug 2016 21:11, wrote:

> A network 5 tuple uniquely identifies a TCP connection.

local address, remote address, local port, remote port and protocol
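
The state table suggested earlier in the thread, keyed by this 5-tuple, as an added example that is not part of the original posts: a user-mode C model (not WFP driver code) that records the PID when a connection is first seen at connect/accept time and resolves it again for each later packet. The names `flow_key`, `flow_learn`, `flow_lookup` and `flow_forget` are hypothetical, and a real callout would additionally need locking and non-paged storage.

```c
#include <stdint.h>
#include <stdio.h>
#define FLOW_SLOTS 256                 /* power of two, fixed for this sketch */
enum { SLOT_EMPTY = 0, SLOT_USED, SLOT_DEAD };

/* The 5-tuple from the thread (IPv4, host byte order), always written from the
 * host's side (local/remote) so both directions of a flow give the same key. */
typedef struct {
    uint32_t local_addr, remote_addr;
    uint16_t local_port, remote_port;
    uint8_t  protocol;                 /* 6 = TCP, 17 = UDP */
} flow_key;
typedef struct { flow_key key; uint64_t pid; int state; } flow_entry;
static flow_entry g_flows[FLOW_SLOTS];

static int key_equal(const flow_key *a, const flow_key *b) {
    return a->local_addr == b->local_addr && a->remote_addr == b->remote_addr &&
           a->local_port == b->local_port && a->remote_port == b->remote_port &&
           a->protocol == b->protocol;
}

/* FNV-1a over the field values, so struct padding is never hashed. */
static uint32_t key_hash(const flow_key *k) {
    uint32_t w[4] = { k->local_addr, k->remote_addr,
                      ((uint32_t)k->local_port << 16) | k->remote_port, k->protocol };
    uint32_t h = 2166136261u;
    for (int b = 0; b < 128; b += 8) { h ^= (w[b / 32] >> (b % 32)) & 0xffu; h *= 16777619u; }
    return h;
}

/* Linear probing; an insert reuses the first deleted slot passed before an empty one. */
static flow_entry *find_slot(const flow_key *k, int for_insert) {
    uint32_t i = key_hash(k) & (FLOW_SLOTS - 1);
    flow_entry *reuse = NULL;
    for (int n = 0; n < FLOW_SLOTS; n++, i = (i + 1) & (FLOW_SLOTS - 1)) {
        flow_entry *e = &g_flows[i];
        if (e->state == SLOT_USED && key_equal(&e->key, k)) return e;
        if (e->state == SLOT_DEAD && !reuse) reuse = e;
        if (e->state == SLOT_EMPTY) return for_insert ? (reuse ? reuse : e) : NULL;
    }
    return for_insert ? reuse : NULL;
}

/* Connect/accept time, where the PID is known. Returns -1 if the table is full. */
int flow_learn(const flow_key *k, uint64_t pid) {
    flow_entry *e = find_slot(k, 1);
    if (!e) return -1;
    e->key = *k; e->pid = pid; e->state = SLOT_USED;
    return 0;
}

/* Per-packet time. Returns 1 and sets *pid on a hit, 0 for an unknown flow. */
int flow_lookup(const flow_key *k, uint64_t *pid) {
    flow_entry *e = find_slot(k, 0);
    if (e) *pid = e->pid;
    return e != NULL;
}

/* Teardown: drop the entry so reused ports are not attributed to the old process. */
void flow_forget(const flow_key *k) {
    flow_entry *e = find_slot(k, 0);
    if (e) e->state = SLOT_DEAD;
}

int main(void) {
    flow_key k = { 0x0A000005u, 0xC000020Au, 49152, 443, 6 };  /* constructed sample */
    uint64_t pid = 0;
    flow_learn(&k, 4321);
    int hit = flow_lookup(&k, &pid);
    printf("hit=%d pid=%llu\n", hit, (unsigned long long)pid);
    flow_forget(&k);
    printf("after close: hit=%d\n", flow_lookup(&k, &pid));
    return 0;
}
```

A miss from `flow_lookup` is worth logging rather than ignoring: it marks traffic whose owner was never seen at connect/accept time.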

@Don

What do you mean by most cases ?

So transportEndpointHandle will have a unique value in both ale and
transport callouts for the same tcp connection? Also I noticed that the
value of transportEndpointHandle is sometimes equal to zero. What does that
mean?

On Sat, Aug 20, 2016 at 12:36 AM, Don Burn wrote:

> At least for most cases check out FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com

The transportEndpointHandle (when it is not zero) will allow to match a unique value for the duration of the bind/connect to unbind. See https://social.msdn.microsoft.com/Forums/en-US/6280b002-f93d-4dab-b892-1e138ceabfcd/fwpsmetadatafieldtransportendpointhandle-bit-is-set-but-meta-data-field-0?forum=wfp for some instances that you get zero. I don’t have a good solution for the zero value case.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of zaid ALYAFEY
Sent: Sunday, August 21, 2016 6:21 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] A driver that listens to traffic

@Don

What do you mean by most cases ?

So transportEndpointHandle will have a unique value in both ale and transport callouts for the same tcp connection? Also I noticed that the value of transportEndpointHandle is sometimes equal to zero. What does that mean?


So this is just a bug ?

On Mon, Aug 22, 2016 at 2:13 AM, Don Burn wrote:

> The transportEndpointHandle (when it is not zero) will allow to match a unique value for the duration of the bind/connect to unbind. See https://social.msdn.microsoft.com/Forums/en-US/6280b002-f93d-4dab-b892-1e138ceabfcd/fwpsmetadatafieldtransportendpointhandle-bit-is-set-but-meta-data-field-0?forum=wfp for some instances that you get zero. I don’t have a good solution for the zero value case.
>
>
> Don Burn
> Windows Driver Consulting
> Website: http://www.windrvr.com