Help Please! (NDIS Hooking problem in SendHandler(s))

Hello,

I wonder if anybody watching this list can give me some hint about the
following problem :

I am writing an NDIS hooking driver which modifies the export table of NDIS.sys for
the NdisDe/RegisterProtocol and NdisOpen/CloseAdapter functions. The driver loads
between ndis.sys and tcpip.sys.

In the NdisOpenAdapter handler, after calling the original handler and getting
NDIS_STATUS_SUCCESS (in case of pending I handle the case exactly the same
in the completion routine), I get the pointer to the NDIS_OPEN_BLOCK structure and modify
the SendHandler, SendPacketsHandler, and TransferDataHandler addresses with my
own equivalents.

----------------------------Version 1(NdisOpenAdapter Hook)------------------

PNDIS_OPEN_BLOCK pOpenBlock;

pOpenBlock = *NdisBindingHandle;

InterlockedExchangePointer(&pOpenBlock->SendPacketsHandler,
    (SEND_PACKETS_HANDLER)pAdapterCtx->OSSendPacketsHandler);

InterlockedExchangePointer(&pOpenBlock->SendHandler,
    (SEND_HANDLER)pAdapterCtx->OSSendHandler);

In the first version of my code, I hook handlers without copying the original
NDIS_OPEN_BLOCK (i.e. *NdisBindingHandle) into my own m_OpenBlock structure.

Now the 1st problem: This hooking works most of the time. Namely, I can see
sending attempts. But sometimes it is not called even though the original handler
addresses are modified. For example, when I enable a network connection for
the first time, SendHandlers are not called. When I disable and re-enable it,
they are called properly. On a connection using a wireless LAN card,
SendHandlers are never called.

Later I modified the code to keep my own NDIS_OPEN_BLOCK structure,
m_OpenBlock, and copied the original open block into this and modified it. Then I
modified NdisBindingHandle to point to it.

-------------------------Version 2(NdisOpenAdapter Hook)---------------------

PNDIS_OPEN_BLOCK pOpenBlock;

NdisMoveMemory(&pAdapterCtx->m_OpenBlock, *NdisBindingHandle,
    sizeof(NDIS_OPEN_BLOCK));

InterlockedExchangePointer(NdisBindingHandle, &pAdapterCtx->m_OpenBlock);

pOpenBlock = *NdisBindingHandle;

InterlockedExchangePointer(&pOpenBlock->SendPacketsHandler,
    (SEND_PACKETS_HANDLER)pAdapterCtx->OSSendPacketsHandler);

InterlockedExchangePointer(&pOpenBlock->SendHandler,
    (SEND_HANDLER)pAdapterCtx->OSSendHandler);


This time, the hook never works! For example, when I try to enable a network
connection, "network cable unplugged" is reported. :)

Is there any point I am missing? Are there some possible race conditions
between hooked calls which may cause this error and which I should
handle? Should I also hook the BindAdapter routines (BindAdapterHandler and
NdisCompleteBindAdapter)?

I use Windows XP SP1 DDK on Windows XP SP2.

If somebody could comment on this, I would appreciate it.

Thanks in advance,

Egemen Tas

Note : I know Ndis intermediate drivers are clean solutions but this topic has been discussed many times.
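
From the defender's side, the pointer replacement described in this post can be detected by checking that each handler slot still points into a module expected to own it. The following C program is an added example, not code from the thread; the struct layouts, module names, addresses and the choice of ndis.sys as the only trusted owner are constructed assumptions and do not reflect the real NDIS_OPEN_BLOCK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a loaded-module list entry: image base and size. */
typedef struct { const char *name; uintptr_t base; size_t size; int trusted; } module_t;

/* Hypothetical stand-in for the handler slots named in the post.
   This is NOT the real NDIS_OPEN_BLOCK layout. */
typedef struct { const char *slot; uintptr_t target; } handler_t;

/* Return the module whose image range contains addr, or NULL if none does.
   The subtraction form avoids overflow in base + size. */
static const module_t *owner_of(const module_t *mods, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Count handler slots whose target is outside every trusted module and
   report which module, if any, now owns the target address. */
int count_redirected(const module_t *mods, size_t n, const handler_t *h, size_t nh) {
    int hits = 0;
    for (size_t i = 0; i < nh; i++) {
        const module_t *o = owner_of(mods, n, h[i].target);
        if (o != NULL && o->trusted) continue;
        hits++;
        printf("%s -> %#lx owned by %s\n", h[i].slot,
               (unsigned long)h[i].target, o ? o->name : "<no module>");
    }
    return hits;
}

/* Constructed sample data; which modules count as trusted is an assumption. */
static const module_t MODS[] = {
    { "ndis.sys",          0xF8000000u, 0x2D000, 1 },
    { "tcpip.sys",         0xF8100000u, 0x58000, 0 },
    { "example_hook.sys",  0xF9000000u, 0x4000,  0 },  /* hypothetical driver */
};
static const handler_t SLOTS[] = {
    { "SendHandler",         0xF8001234u },  /* inside trusted image      */
    { "SendPacketsHandler",  0xF9000100u },  /* inside untrusted driver   */
    { "TransferDataHandler", 0x81234567u },  /* not inside any image      */
};

int sample_hits(void) { return count_redirected(MODS, 3, SLOTS, 3); }

int main(void) { return sample_hits() == 2 ? 0 : 1; }
```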

Re your comment “I know Ndis intermediate drivers are clean solutions
but this topic has been discussed many times”, this is probably because
NDIS IM drivers are the right way to do this.

Use of the hooking scheme can cause serious OS problems and should not
be used.

Again, as I posted on Sunday, please, do not use the NDIS hooking
scheme. It is unsupported and there are documented ways to accomplish
what you are trying to do. Look at the PASSTHRU and MUX samples in the
DDK.

Bryan S. Burgin
xxxxx@microsoft.com

This posting is provided “AS IS” with no warranties, and confers no
rights.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Egemen Tas
Sent: Tuesday, November 30, 2004 2:43 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Help Please! (NDIS Hooking problem in SendHandler(s))

Forget hooking and use NDIS IM instead. Hooking gives no advantages.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Egemen Tas”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, November 30, 2004 2:07 AM
Subject: [ntdev] Help Please! (NDIS Hooking problem in SendHandler(s))
