Help - Filter Hook Driver

Hi, I’ve implemented a filter hook driver. I have a problem reading the
payload of outgoing TCP packets correctly, while with incoming packets
and with packets made with raw sockets I have no problem.

I try to filter the outgoing packets originating from a simple client-server
that exchanges simple information (e.g. name and nickname).

When I try to print out the contents of the payload of the TCP packet (after
I have skipped the TCP header and, if there are any, the options), my debug
output prints some characters that make no sense.

Could someone help me?

Thanks, Aurox.

The payload of the outgoing packets is unavailable in the hook driver
interface.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of aurox
Sent: Tuesday, May 07, 2002 6:33 PM
To: NT Developers Interest List
Subject: [ntdev] Help - Filter Hook Driver

Hi,
I ask you if you know the reasons for what you told me about outgoing
packets and filter hook drivers; moreover, I ask you if you are sure.

For me to know better is very important because I’m a student of
information technologies and I am working on my thesis about security.

Many thanks, aurox.

Oh, you want to know *why* it is this way? I’ve wondered that myself, and my
guess is that this is what I refer to as an ‘artifact of implementation’,
which is to say, ‘a bug’. My theory is that on the receive side the packet
data is *generally* available in the same MDL segment as the IP header,
while on transmit the packet data is *almost always* not in the same MDL
segment as the IP header. Which is to say that the hook interface is,
perhaps stupidly, providing only a look at the first MDL segment of the
data, rather than the entire MDL chain. I do not think this is a security
issue. It is the reason, in my opinion, that the hook interface falls short
of usefulness.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of aurox
Sent: Wednesday, May 08, 2002 3:37 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Help - Filter Hook Driver

Thank you very much.
One last question: is it not possible to retrieve the other MDLs?

Thanks again, aurox.

Yeah, you write an NDIS intermediate mode driver :-(

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of aurox
Sent: Thursday, May 09, 2002 3:25 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Help - Filter Hook Driver

Hi, it’s me again!!! I used CONTAINING_RECORD (defined in ntddk.h) to
retrieve the PMDL and the Next field (of the MDL) to jump to the next MDL, but
it crashes when I try to access ->MappedSystemVa (where the second buffer would
be; the first really is in the first Mdl->MappedSystemVa). Is there no hope?

typedef struct _MDL {
    struct _MDL *Next;          /* next MDL in the chain, NULL at the end */
    CSHORT Size;                /* size of this MDL including its page array */
    CSHORT MdlFlags;            /* MDL_MAPPED_TO_SYSTEM_VA and friends */
    struct _EPROCESS *Process;  /* owning process for a user-mode buffer */
    PVOID MappedSystemVa;       /* system VA, valid only once the MDL is mapped */
    PVOID StartVa;              /* page-aligned start of the described buffer */
    ULONG ByteCount;            /* length in bytes of the described buffer */
    ULONG ByteOffset;           /* offset of the buffer within its first page */
} MDL, *PMDL;

I’m trying to save all my work and so I’m trying everything.

Thanks for your patience. aurox.

Try using MmGetSystemAddressForMdlSafe on the secondary mdls. Nice job
of figuring this out.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of aurox
Sent: Thursday, May 09, 2002 12:27 PM
To: NT Developers Interest List
Subject: [ntdev] RE: Help - Filter Hook Driver

Call MmGetSystemAddressForMdlSafe before (and instead of) accessing MappedSystemVa.

Max

----- Original Message -----
From: “aurox”
To: “NT Developers Interest List”
Sent: Thursday, May 09, 2002 8:27 PM
Subject: [ntdev] RE: Help - Filter Hook Driver
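The two replies above (map every MDL with MmGetSystemAddressForMdlSafe, never read MappedSystemVa directly) turned into a chain walk, as an added example that is not code from this thread: it takes the payload offset from the IPv4 IHL and the TCP data-offset field in the first segment, then copies the payload across segment boundaries, and treats a NULL from the Safe call as an ordinary failure rather than a reason to touch the raw field. The MDL layout, NormalPagePriority and the one-line stand-in for the kernel calls at the top are a constructed user-mode harness so the walk compiles outside a driver; TcpPayloadOffset and CopyPayloadFromMdlChain are hypothetical names.

```c
/* Constructed user-mode harness: the MDL layout quoted in the thread plus
 * stand-ins for the kernel routines, so the walk compiles outside a driver.
 * A real driver includes <ntddk.h> and deletes everything above the
 * first function. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct _MDL {
    struct _MDL *Next; short Size; short MdlFlags; void *Process;
    void *MappedSystemVa; void *StartVa; unsigned long ByteCount;
    unsigned long ByteOffset;
} MDL, *PMDL;
/* The real MmGetSystemAddressForMdlSafe maps the pages if needed and
 * returns NULL when it cannot; here a NULL MappedSystemVa models that. */
#define NormalPagePriority 16
#define MmGetSystemAddressForMdlSafe(m, prio) ((m)->MappedSystemVa)
#define MmGetMdlByteCount(m) ((m)->ByteCount)

/* Byte offset of the TCP payload, read from the IPv4 IHL and the TCP
 * data-offset field in the first segment. 0 means the first segment is
 * too short or the header lengths are invalid. */
static size_t TcpPayloadOffset(PMDL first) {
    const uint8_t *p = MmGetSystemAddressForMdlSafe(first, NormalPagePriority);
    size_t len = MmGetMdlByteCount(first);
    if (p == NULL || len < 20) return 0;
    size_t ihl = (size_t)(p[0] & 0x0F) * 4;          /* IPv4 header incl. options */
    if (ihl < 20 || len < ihl + 20) return 0;
    size_t doff = (size_t)(p[ihl + 12] >> 4) * 4;    /* TCP header incl. options */
    return doff < 20 ? 0 : ihl + doff;
}

/* Copy up to cap payload bytes starting 'skip' bytes into the chain, crossing
 * MDL boundaries. Every segment that is read goes through the Safe call and
 * the result is checked; a mapping failure returns -1 instead of touching
 * MappedSystemVa directly. */
static long CopyPayloadFromMdlChain(PMDL mdl, size_t skip, uint8_t *out, size_t cap) {
    size_t copied = 0;
    for (; mdl != NULL && copied < cap; mdl = mdl->Next) {
        size_t len = MmGetMdlByteCount(mdl);
        if (skip >= len) { skip -= len; continue; } /* segment holds only headers */
        const uint8_t *va = MmGetSystemAddressForMdlSafe(mdl, NormalPagePriority);
        if (va == NULL) return -1;
        size_t n = len - skip;
        if (n > cap - copied) n = cap - copied;
        memcpy(out + copied, va + skip, n);
        copied += n;
        skip = 0;
    }
    return (long)copied;
}
```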

I tried using MmGetSystemAddressForMdlSafe, but on the second MDL the system
crashes (not on the first). Why? Could it be that the other buffers are in paged
memory??? If yes, can I do something???

Thank you very much, aurox.