Hooking

I want to hook these functions exported from ndis.sys

NdisRegisterProtocol
NdisDeregisterProtocol
NdisOpenAdapter
NdisCloseAdapter

Does anyone have an example of how that can be done?

Thanks
Matteo


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

There are ways. Try to look at this:
http://www.ntndis.com/articles/firewalleng.htm . The actual technique is
rather similar to the one used in user mode.

BR,
Vadim
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Matteo Pelati
Sent: Thursday, January 17, 2002 7:36 PM
To: NT Developers Interest List
Subject: [ntdev] Hooking


Matteo,

We strongly object to using the so-called NDIS hooking scheme. This is not an architecturally supported way of doing this, and any implementation-dependent reverse engineering is likely to break from release to release or even from SP to SP. There are supported and documented methods to achieve the results you desire in the relevant DDKs.

The proper and supported method is the PASSTHRU sample in the Windows 2000 and (updated) in the Windows XP DDK.

Bryan S. Burgin
xxxxx@microsoft.com
bburgin x58049 40/2153

This posting is provided “AS IS” with no warranties, and confers no rights. © 2002 Microsoft Corporation. All rights reserved.

-----Original Message-----
From: Vadim Smirnov [mailto:xxxxx@pcausa.com]
Sent: Thursday, January 17, 2002 9:31 AM
To: NT Developers Interest List
Subject: [ntdev] RE: Hooking


Although I agree with Bryan, a 100% safe way would be to trap the image
load event through hooking the debug interrupt vector (beware of SMP traps),
and patch the export table of ndis.sys. This requires that your driver is
loaded and initialized before ndis. SoftICE uses a similar technique to
patch the i8042 driver and, if required, the video DLL image. This technique
is SMP safe “enabled”.

Regards, Dan

----- Original Message -----
From: “Bryan Burgin”
To: “NT Developers Interest List”
Cc: ;
Sent: Thursday, January 17, 2002 11:16 PM
Subject: [ntdev] RE: Hooking

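As an added illustration of the export-table patching Dan describes above (editor's example; not code from this thread or from any of its authors), the C below walks a PE export directory the way the loader resolves an import by name and redirects one named export to a new RVA. It assumes the image is already mapped, so an RVA is an offset from the image base; the "ndis.sys" it patches is a constructed stand-in holding only the four exports from Matteo's question and no code, and every RVA, the expect_rva guard and the build_fake_ndis/get_export/patch_export names are this example's own. Two things it makes concrete: the patch only affects bindings resolved after the write, which is exactly why Dan requires the hooking driver to initialise before anything binds to ndis.sys (a driver whose import table was already filled in keeps calling the original), and the guard refuses to write when the slot does not hold the value the hook was validated against, which is the cheapest defence against Michal's "next SP changes the function" scenario. Page protection of the export section and the SMP atomicity Dan warns about are left to the caller in real kernel code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offsets of the PE header fields this example touches. The image is assumed to be
 * already mapped by the loader, so an RVA is simply an offset from the image base. */
#define OFF_E_LFANEW      0x3c    /* IMAGE_DOS_HEADER.e_lfanew                         */
#define OFF_OPT_HDR       0x18    /* optional header: 4-byte "PE\0\0" + 20-byte file header */
#define OPT_MAGIC_PE32    0x10b
#define OPT_MAGIC_PE32P   0x20b
#define DATADIR_OFF_PE32  96      /* IMAGE_OPTIONAL_HEADER32.DataDirectory             */
#define DATADIR_OFF_PE32P 112     /* IMAGE_OPTIONAL_HEADER64.DataDirectory             */
#define EXP_NUM_FUNCS     0x14    /* IMAGE_EXPORT_DIRECTORY fields                      */
#define EXP_NUM_NAMES     0x18
#define EXP_ADDR_FUNCS    0x1c
#define EXP_ADDR_NAMES    0x20
#define EXP_ADDR_ORDS     0x24

static uint32_t rd32(const uint8_t *b, size_t o) { uint32_t v; memcpy(&v, b + o, 4); return v; }
static uint16_t rd16(const uint8_t *b, size_t o) { uint16_t v; memcpy(&v, b + o, 2); return v; }
static void     wr32(uint8_t *b, size_t o, uint32_t v) { memcpy(b + o, &v, 4); }
static void     wr16(uint8_t *b, size_t o, uint16_t v) { memcpy(b + o, &v, 2); }

/* Walk the export directory as the loader does for an import by name and return the
 * image offset of NAME's export-address-table (EAT) slot, or 0 if the name is absent. */
size_t export_slot(const uint8_t *image, const char *name)
{
    if (rd16(image, 0) != 0x5a4d) return 0;                    /* "MZ"     */
    uint32_t nt = rd32(image, OFF_E_LFANEW);
    if (rd32(image, nt) != 0x00004550) return 0;                /* "PE\0\0" */
    uint32_t opt = nt + OFF_OPT_HDR, dd;
    switch (rd16(image, opt)) {
    case OPT_MAGIC_PE32:  dd = DATADIR_OFF_PE32;  break;
    case OPT_MAGIC_PE32P: dd = DATADIR_OFF_PE32P; break;
    default:              return 0;
    }
    uint32_t exp = rd32(image, opt + dd);                        /* export directory RVA */
    if (exp == 0) return 0;
    uint32_t nnames = rd32(image, exp + EXP_NUM_NAMES);
    uint32_t funcs  = rd32(image, exp + EXP_ADDR_FUNCS);
    uint32_t names  = rd32(image, exp + EXP_ADDR_NAMES);
    uint32_t ords   = rd32(image, exp + EXP_ADDR_ORDS);
    for (uint32_t i = 0; i < nnames; i++) {
        const char *n = (const char *)image + rd32(image, names + 4 * i);
        if (strcmp(n, name) == 0)
            return funcs + 4u * rd16(image, ords + 2 * i);      /* ordinal indexes the EAT */
    }
    return 0;
}

uint32_t get_export(const uint8_t *image, const char *name)
{
    size_t slot = export_slot(image, name);
    return slot ? rd32(image, slot) : 0;
}

/* Redirect NAME to NEW_RVA and return the RVA it used to hold (where the hook forwards
 * to). If EXPECT_RVA is non-zero and the slot holds something else, this is not the build
 * the hook was validated against: write nothing and return 0. Kernel code would also have
 * to make the export section writable and store atomically, since other CPUs may be
 * resolving imports at the same time. */
uint32_t patch_export(uint8_t *image, const char *name, uint32_t expect_rva, uint32_t new_rva)
{
    size_t slot = export_slot(image, name);
    if (slot == 0) return 0;
    uint32_t old = rd32(image, slot);
    if (expect_rva != 0 && old != expect_rva) return 0;
    wr32(image, slot, new_rva);
    return old;
}

/* Constructed stand-in for a mapped ndis.sys: headers, an export directory with the four
 * exports from the question, and no code. Every RVA here is this example's own choice. */
#define IMG_SIZE 0x400
void build_fake_ndis(uint8_t *img)
{
    static const char *const names[4] = { "NdisCloseAdapter", "NdisDeregisterProtocol",
                                          "NdisOpenAdapter", "NdisRegisterProtocol" }; /* sorted, as PE requires */
    static const uint16_t ords[4] = { 3, 1, 2, 0 };                      /* EAT index of each name */
    static const uint32_t eat[4]  = { 0x1000, 0x1100, 0x1200, 0x1300 };  /* Register, Deregister, Open, Close */
    memset(img, 0, IMG_SIZE);
    wr16(img, 0, 0x5a4d);
    wr32(img, OFF_E_LFANEW, 0x80);
    wr32(img, 0x80, 0x00004550);
    wr16(img, 0x80 + OFF_OPT_HDR, OPT_MAGIC_PE32);
    wr32(img, 0x80 + OFF_OPT_HDR + DATADIR_OFF_PE32, 0x200);       /* export directory RVA  */
    wr32(img, 0x80 + OFF_OPT_HDR + DATADIR_OFF_PE32 + 4, 0x100);   /* export directory size */
    wr32(img, 0x200 + EXP_NUM_FUNCS, 4);
    wr32(img, 0x200 + EXP_NUM_NAMES, 4);
    wr32(img, 0x200 + EXP_ADDR_FUNCS, 0x240);
    wr32(img, 0x200 + EXP_ADDR_NAMES, 0x250);
    wr32(img, 0x200 + EXP_ADDR_ORDS, 0x260);
    for (int i = 0; i < 4; i++) {
        wr32(img, 0x240 + 4 * i, eat[i]);
        wr32(img, 0x250 + 4 * i, 0x300 + 0x20 * i);
        wr16(img, 0x260 + 2 * i, ords[i]);
        strcpy((char *)img + 0x300 + 0x20 * i, names[i]);
    }
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    build_fake_ndis(img);
    uint32_t old = patch_export(img, "NdisOpenAdapter", 0x1200, 0x5000);
    printf("NdisOpenAdapter: 0x%x -> 0x%x\n", old, get_export(img, "NdisOpenAdapter"));
    /* guard: a slot that does not hold the validated value is left untouched */
    printf("guarded patch returned 0x%x\n", patch_export(img, "NdisCloseAdapter", 0x9999, 0x6000));
    return 0;
}
```

The lookup is by name rather than by ordinal because that is how a driver's import table names its NDIS imports; if the hook needs to forward to the original, the returned old RVA is the only copy of that address, so keep it before the write.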

Dan, there is no 100% safe way if something changes ;) If for example the
number of parameters of some hooked function changes in the next SP, you'll
get a BSOD soon (as will all other NDIS modules :).

Although I also agree with Bryan in principle, practice is different. It is
because developers need to support old OS versions which aren't interesting
for Microsoft any more. Developers use the easiest way and hooking can be the
best choice. In fact, it is the best choice for w9x "operating systems" if
one has to support them all. Since w2k introduced NDIS filter drivers the
situation changed a little because the NT4 installation nightmare was solved.
However, if one needs to support NT4, hooking may still be a good choice. The
next good reason for hooking which Vadim mentioned in his article is the
digital signature: proper installation of a non-signed IM driver will scare
users with a nasty message, while hook driver installation is silent. I
understand it isn't a good argument for MS ;)

As for breaking from release to release or even SP... I see no real
difference. Having written NDIS filters since NT 3.51, it was always necessary
to review code after the next OS version release and even after some SPs.
There were (semi-)documented differences and also subtle changes (or bugs).
The OS evolves and drivers have to as well.

The next reason is complexity. An IM driver is overkill for common tasks such
as a firewall or packet encryption. The driver needs to see packets and
possibly block or modify them. The IM driver is a general concept, but too
general sometimes. No wonder developers want an easier way.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


From: xxxxx@rdsor.ro[SMTP:xxxxx@rdsor.ro]
Reply To: xxxxx@lists.osr.com
Sent: Thursday, January 17, 2002 3:24 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: Hooking


Bryan,

With all my respect to MS in general and to you in particular, I can agree
with you in principle only; regretfully, practice is really different. Easy
installation, NT4.0 support, transparent dial-up support, full control over
protocol registration on the system (for virus protection) are advantages
of the NDIS-hooking approach. The only disadvantage is no support from MS. As
for compatibility between NT releases and SPs, you can take the NDIS-hooking
binary from the following link and try it (there are two ini-files, one for
WinNT4.0 and another for 2k and higher). This driver is a bit similar to
PASSTHRU; it's only limited to the TCPIP protocol (including
TCPIP_WANARP/RASARP) and simply traces the size of the sent/received packets.
I would appreciate it if you find it incompatible with any existing NT release
(from NT4 till XP) or SP.

Warning: the driver is provided without warranty of any kind. Regretfully, I
have had no chance to test it on a system with more than 2 processors.
http://www.ntndis.com/downloads/ndispim.zip

BR,
Vadim

-----Original Message-----
From: Bryan Burgin [mailto:xxxxx@microsoft.com]
Sent: Friday, January 18, 2002 12:17 AM
To: NT Developers Interest List
Cc: xxxxx@dolce.it; xxxxx@pcausa.com
Subject: RE: [ntdev] RE: Hooking


Michal, of course.

But when I choose to use such a technique, I rely on all facts that are
known to me at the time of release. I cannot foresee
how MS will change an API. It is a calculated and assumed risk to break
functionality in the future. And anyway, if they change the number of
parameters, not even an image written after all the rules of the art will work.

Regards, Dan

----- Original Message -----
From: “Michal Vodicka”
To: “NT Developers Interest List”
Sent: Friday, January 18, 2002 7:34 AM
Subject: [ntdev] RE: Hooking


> ----------
> From: xxxxx@pcausa.com[SMTP:xxxxx@pcausa.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Friday, January 18, 2002 8:00 AM
> To: xxxxx@lists.osr.com
> Cc: xxxxx@microsoft.com
> Subject: [ntdev] RE: Hooking
>
> of NDIS-hooking approach. The only disadvantage is no support from MS.

Is it a disadvantage at all? I always wondered what the words "support" or
"supported" mean in relation to MS (tried once 5 years ago and said
"Never more!"). Can anybody write some success story with MS support here?
How it helped with driver development, development problem solution, what
was the cost, time and how long it took to fix a bug if MS found / admitted it.
I mean real problems, not something solvable by RTFM or copy/paste of an
example. Also how knowledgeable and responsive were the support people. Thanks.

Note I really appreciate MS people's input in this list, such as Bryan Burgin,
Jake Oshins and others. I presume it is their personal initiative and not
official support.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

