how to figure out where my ndis filter driver is binding to?

Hi,
I’m trying to inject 802.11 packets with a Win7 filter driver. Here’s what I tried:

  1. For the monitoring driver, it’s bound both above and below the native wifi filter. Here’s the FilterModuleGuidName output in my FilterAttach:

{3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0000
{3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0001
{3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0002
{3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0003
{3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0004

It’s bound five times; two of them are 802_11 (AttachParameters->MiniportMediaType==NdisMediumNative802_11).
These two instances are below the native wifi filter, is this correct? How to verify this?
And if I send a packet from these two instances, the packet should be sent directly to the NIC, is this correct? I tried this, but no packet was captured in CommView. I don’t know if it’s really binding below the native wifi filter, or whether my NIC is dropping the packet. I’m using the Netgear WG111v2 USB card (with RTL8187L chipset); it’s always used in WEP cracking, so it should be able to send packets in monitor mode…

  2. And for the modifying driver, the output:
    {3D718FA4-E700-434D-8AFE-EA7576F75781}-{5CBF81BD-5055-47CD-9055-A76B2B4E3697}-0000
    AttachParameters->MiniportMediaType==NdisMedium802_3

It seems to be binding to the native wifi filter. How to print the driver stack and verify it?

Another question: is ‘nativewifip’ the service of the native wifi filter?
If I stop this service with ‘net stop nativewifip’, then my filter driver should bind directly to the NIC and become able to send packets? I tried this, why does it still not work…

Thanks in advance.

For the monitoring filter the filter name with the lowest altitude suffix
(-0000) is probably closest to the lowest-level native 802.11 miniport.

Thomas F. Divine


From:
Sent: Tuesday, March 06, 2012 11:31 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] how to figure out where my ndis filter driver is binding
to?


How can I verify this?