inet_ntoa

Hi.

What's the WDK Windows XP version of inet_ntoa?

AFAIK there is the capability for WPP tracing using the IpAddr format, and
other than that in the kernel you will have to roll your own.


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

wrote in message news:xxxxx@ntdev…
> Hi.
>
> What's the WDK Windows XP version of inet_ntoa?

How about just printing the bytes?

%d.%d.%d.%d

Thomas F. Divine


From:
Sent: Wednesday, November 04, 2009 10:54 AM
To: “Windows System Software Devs Interest List”
Subject: [ntdev] inet_ntoa

> Hi.
>
> What's the WDK Windows XP version of inet_ntoa?

How about

RtlStringCbPrintfA(,"%u.%u.%u.%u", in->S_un.S_un_b.s_b1,
in->S_un.S_un_b.s_b2, in->S_un.S_un_b.s_b3, in->S_un.S_un_b.s_b4);

(you fill in the rest).

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.co.uk
Sent: Wednesday, November 04, 2009 10:55 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] inet_ntoa

Hi.

What's the WDK Windows XP version of inet_ntoa?



I know this is a daft question.

But how do I do that?

> inet_ntoa
>
> How about just printing the bytes?
>
> %d.%d.%d.%d
>
> Thomas F. Divine

Thank you so much.

I don’t suppose there is a way to find out which process id sent a packet?

Well, thank you anyway.

I applaud you and appreciate that you recognize your question probably had
most reacting with “Oh, my, this person is writing driver code”. Yes, it
is a bit daft to ask how to perform string formatting in kernel mode but
there are some very important points to know about that are not at all
obvious.

  1. The cost of a mistake is a bugcheck so make sure you get it right.

  2. The restrictions on which format specifiers are available are
    important. Pay attention to the IRQL requirements when a format operation
    might require the UNICODE translation tables.

  3. *ALWAYS* use the ‘safe-string’ functions which require the size of the
    buffer be known.

  4. Avoid static buffers if such buffers are not protected by a
    synchronization scheme. Multiple threads/CPUs formatting into the same
    buffer tend to produce curiously unusable output.

Just what exactly are you trying to accomplish? It seems that formatting an
IPv4 address as a char string is not the entire story. You will get
better help if you are more ‘complete’ in describing your issue.

Now, regarding the “can I get the process ID that sent the packet”, the answer
is, in general, no, you cannot. Well, not without quite a bit of work.
Typically it requires that you either track what processes do at a high
level (WFP callout or TDI Filter) to build a table of 5-tuple to process ID
and then look in the table, or you have a usermode service that can, given
the 5-tuple, make an attempt to find the socket (process) owner associated
with the 5-tuple. I suggest you scan the archives of this list as this
topic has been discussed often.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.co.uk
Sent: Wednesday, November 04, 2009 11:16 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] inet_ntoa

I know this is a daft question.

But how do I do that?

inet_ntoa

How about just printing the bytes?

%d.%d.%d.%d

Thomas F. Divine
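
The byte-by-byte formatting suggested in this thread, written so that it follows the rules listed above: the caller supplies the buffer and its size, nothing is static, and a short buffer yields an error instead of an overrun. This is an added example, not code from any poster; `ipv4_format` and `put_octet` are hypothetical names, and it is plain C so it compiles outside a driver, where the RtlStringCbPrintfA call shown earlier would do the digit work.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_STR_MAX 16   /* "255.255.255.255" is 15 characters, plus the NUL */

/* Append one octet in decimal at *pos. Returns 0 if digits + NUL do not fit. */
static int put_octet(char *buf, size_t cb, size_t *pos, uint8_t v)
{
    char digits[3];
    size_t n = 0;
    do {                                   /* least significant digit first */
        digits[n++] = (char)('0' + v % 10);
        v /= 10;
    } while (v != 0);
    if (n >= cb - *pos) return 0;          /* always keep room for the NUL */
    while (n > 0)
        buf[(*pos)++] = digits[--n];
    return 1;
}

/* Format four address bytes (network order, as they sit in the IP header) into
 * a caller-supplied buffer of cb bytes. Returns the string length, or -1 when
 * the buffer is missing or too small (a too-small buffer is set to ""). */
int ipv4_format(const uint8_t addr[4], char *buf, size_t cb)
{
    size_t pos = 0;
    int i;
    if (buf == NULL || cb == 0) return -1;
    for (i = 0; i < 4; i++) {
        if (!put_octet(buf, cb, &pos, addr[i]) || (i < 3 && cb - pos < 2)) {
            buf[0] = '\0';                 /* never leave a partial string */
            return -1;
        }
        if (i < 3)
            buf[pos++] = '.';
    }
    buf[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    const uint8_t sample[4] = { 192, 168, 1, 10 };   /* constructed input */
    char text[IPV4_STR_MAX];                          /* per-call, not static */
    if (ipv4_format(sample, text, sizeof(text)) > 0)
        printf("%s\n", text);
    return 0;
}
```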



It is.

Is it possible to exchange an EPROCESS to an integer?


No, it is a pointer, and on x64 “int” cannot hold a pointer.

Use ULONG_PTR or LONG_PTR

Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, November 05, 2009 9:27 PM
Subject: RE:[ntdev] inet_ntoa

> It is.
>
> Is it possible to exchange an EPROCESS to an integer?

What I mean is, is it possible to change EPROCESS to the PID number most recognised by userlevel?

wrote in message news:xxxxx@ntdev…
> What I mean is, is it possible to change EPROCESS to the PID number most
> recognised by userlevel?

PsGetProcessId

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

wrote in message news:xxxxx@ntdev…
> What I mean is, is it possible to change EPROCESS to the PID number most
> recognised by userlevel?
>

You do realize that the process ‘current’ at the time a packet is sent from
TCPIP.SYS via NDIS through an IM driver and onto the NIC has no relationship
to the process that generated the (socket) send request in the first place,
right?

Your original question(s) seemed to imply you were trying to determine the
process associated with a network packet. The thread has somewhat wandered
at this point…

Good Luck,
Dave Cattley
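
The 5-tuple-to-process-ID table described earlier in the thread, reduced to its data structure: the owner is recorded where the socket request is made and looked up where the packet is seen, so the packet path never relies on whichever process happens to be current. This is an added example in portable C, not driver code from any poster; `FlowKey`, `flow_key`, `flow_record` and `flow_lookup` are hypothetical names, the table is a fixed-size toy without eviction, and in a driver it would need a lock.

```c
#include <stdint.h>
#include <string.h>

#define FLOW_SLOTS 64u   /* toy capacity, power of two; entries are never evicted */

/* The 5-tuple packed into four 32-bit words, so the struct has no padding. */
typedef struct { uint32_t laddr, raddr, ports, proto; } FlowKey;
typedef struct { FlowKey key; uint32_t pid; int used; } FlowSlot;
typedef struct { FlowSlot slot[FLOW_SLOTS]; } FlowTable;  /* needs a lock in a driver */

FlowKey flow_key(uint8_t proto, uint32_t laddr, uint16_t lport,
                 uint32_t raddr, uint16_t rport)
{
    FlowKey k = { laddr, raddr, ((uint32_t)lport << 16) | rport, proto };
    return k;
}

/* Existing entry for k, else the first free slot on its probe path, else NULL. */
static FlowSlot *flow_slot(FlowTable *t, const FlowKey *k)
{
    const unsigned char *p = (const unsigned char *)k;
    uint32_t h = 2166136261u, n;                 /* FNV-1a over the key bytes */
    size_t i;
    for (i = 0; i < sizeof(*k); i++) { h ^= p[i]; h *= 16777619u; }
    for (n = 0; n < FLOW_SLOTS; n++, h++) {      /* linear probing */
        FlowSlot *s = &t->slot[h & (FLOW_SLOTS - 1u)];
        if (!s->used || memcmp(&s->key, k, sizeof(*k)) == 0)
            return s;
    }
    return NULL;
}

/* Socket-level hook, where the owner is known. Returns 0 if the table is full. */
int flow_record(FlowTable *t, const FlowKey *k, uint32_t pid)
{
    FlowSlot *s = flow_slot(t, k);
    if (s == NULL) return 0;
    s->key = *k; s->pid = pid; s->used = 1;
    return 1;
}

/* Packet path, arbitrary context: ask the table. Returns 0 for an untracked flow. */
int flow_lookup(FlowTable *t, const FlowKey *k, uint32_t *pid)
{
    FlowSlot *s = flow_slot(t, k);
    if (s == NULL || !s->used) return 0;
    *pid = s->pid;
    return 1;
}
```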