About Hooking NDIS Driver

Hi, Everyone,

I’m trying to hook the E1000 network card driver, which is an NDIS driver. But I’ve got a problem due to memory-mapped I/O. Since the system maps the registers of the network card into memory, the driver can directly access the mapped memory when it wants to write/read a register. The problem is that it can directly use pointer operations to write/read memory instead of using API calls (like WRITE_REGISTER_ULONG, etc.). So in this case, the API hook does not work if I want to be notified as soon as the driver writes or reads a register in the network card.

For example, in the E100 network card driver, if it wants to modify the command field of a CSR register, it can directly modify the memory like this:

FdoData->CSRAddress->ScbCommandLow = ScbCommandLow;

I just wonder if there are some ways to intercept such memory operations when only binary code is available?

Thanks so much.

–Arike

Why are you hooking?

d

debt from my phone

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

For my research project: in order to monitor the network packages going through the network card and the run-time events in which the driver operates the network card.

Why not use a filter driver?

Thomas F. Divine
http://www.pcausa.com



Thanks, yes, the filter driver can get the network packages, but it seems that it cannot intercept the driver’s write/read operations on the registers of the network card. Writing/reading the registers is important to me.

Is there a way that I can do it? It seems a little difficult.

> Why not use a filter driver?

There is no way you can hook the memory access. You will have the same problem with any PCI-based NIC. A USB-based NIC is entirely protocol based, so you could put a lower filter below the miniport and see all USB traffic, including reads and writes.

d

debt from my phone


OP,

Remove the mapped pages from the PDE/PTE and install your own page fault handler.
Every time the driver accesses the paged-out MMIO region, your PF
handler catches it.
Calvin
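
Calvin's PTE/page-fault approach, reduced to a user-space model as an added example (not code from this thread, the E1000 driver or any Windows component): a page standing in for the mapped CSR registers is protected with mprotect(PROT_NONE), so the plain pointer store that no API hook can see faults into a SIGSEGV handler that records the access. The names fake_csr, guard_arm and guarded_write are assumptions for the demo, and Linux signal semantics are assumed.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for the NIC's memory-mapped CSR block (one page). */
static volatile uint32_t *fake_csr;
static size_t page_size;
static volatile sig_atomic_t trapped;   /* number of accesses the handler caught */
static volatile uintptr_t last_fault;   /* address of the last caught access */

/* "Page fault handler": runs whenever the guarded page is touched. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t a = (uintptr_t)si->si_addr;
    uintptr_t base = (uintptr_t)fake_csr;
    if (a < base || a >= base + page_size)
        _exit(2);                       /* not our page: a genuine crash, do not hide it */
    trapped++;
    last_fault = a;
    /* Re-open the page so the faulting instruction completes on retry. A real tracer
     * would single-step that one instruction and re-protect immediately afterwards. */
    mprotect((void *)base, page_size, PROT_READ | PROT_WRITE);
}

/* Re-arm the guard: every subsequent access faults again. */
int guard_arm(void) {
    return mprotect((void *)fake_csr, page_size, PROT_NONE);
}

/* Allocate the fake register page, install the handler and arm the guard. */
int guard_setup(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    fake_csr = (volatile uint32_t *)p;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return guard_arm();
}

/* The driver-style access: a bare store to register offset `reg` (e.g. the SCB command
 * word); no API call is involved, yet the guard sees it. Returns the trap count. */
int guarded_write(size_t reg, uint32_t val) {
    fake_csr[reg / sizeof(uint32_t)] = val;
    return (int)trapped;
}

uintptr_t guard_last_offset(void) { return last_fault - (uintptr_t)fake_csr; }
```

The handler leaves the page open so the faulting store can complete, which is why the demo has to re-arm explicitly; single-stepping the instruction and re-protecting right behind it is where the "not without its problems" part lives.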

A la SoftICE.

Not without its problems, to be sure.

mm


Thanks, Calvin.

Do you mean that I can use VDDInstallMemoryHook as in the following link:

http://www.osronline.com/ddkx/other/vdd_6l2r.htm

or are there some other ways to do this? I’m not sure how to remove the pages or install the page fault handler; are there some kernel APIs I can use?

Thanks.

-Arike


OP,

Remove the mapped pages from PDE/PTE, install your page fault handler.
Everytime the driver access the paged out MMIO region, then your PF
handler catches them.
Calvin

On Sat, Jul 9, 2011 at 7:36 PM, Doron Holan wrote:

> There is no way you can hook the memory access. You will have the same
> problem with any PCI based nic. A USB based nic is entirely protocol based,
> so you could put a lower filter below the miniport and see all USB traffic,
> including reads and writes.
>
> d
>
> debt from my phone
>
> -----Original Message-----
<…excess quoted lines suppressed…>

No.

This is purely an architecture thing - read the Intel IA-32/Intel 64 System
Programming Manual Volume 3, if you really want to do this.

That being said, unless you have a REALLY good reason to do this, you
DEFINITELY do not want to undertake this sort of thing. By doing something
like this, you’re really undercutting one of the most important mechanisms
of the OS. Done correctly, it can be made to work, at least for your
(research) purposes, but done incorrectly, what you’ll have is a
debugging disaster.

Minimally, were I you, I’d implement the other features that Doron and
others have suggested - USB filter, etc.

Good luck,

mm


> if I want to be notified as soon as the driver writes or reads a register in the network card.

You cannot be notified, just plain and simple.

You can be notified on packet traffic, using NDIS IM (pre-Vista) and NDIS filter (Vista+).

> I just wonder if there are some ways to intercept such memory operations when only a binary code is available?

Write your own NIC driver from scratch.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> Do you mean that I can use VDDInstallMemoryHook as the following link:

This will only influence the DOS VMs.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com