inject 802.11 packet on win7 with CommView driver

Hi,

I’m writing an LWF driver to inject 802.11 packets on Windows. I tried CommView for WiFi (http://www.tamos.com/download/main/ca.php); it provides a patch-driver for various adapters. It CAN inject packets with the patch-driver installed, so I think with the patch driver, I can write my LWF driver to inject too.

This is my inject function:

BOOLEAN inject_packet(UCHAR* buf, INT size) {
    UCHAR* frame = (UCHAR*)NdisAllocateMemoryWithTagPriority(G.pFilter->FilterHandle, size,
        FILTER_ALLOC_TAG, LowPoolPriority);

    PMDL pMdl = NdisAllocateMdl(G.pFilter->FilterHandle, frame, size);
    if (pMdl == NULL) {
        DEBUGP(DL_AJ, ("alloc mdl error\n"));
        return FALSE;
    }
    NdisMoveMemory(frame, buf, size);

    PNET_BUFFER_LIST pNetBufferList = NdisAllocateNetBufferAndNetBufferList(
        G.pFilter->pool,
        0,      // Request
        0,      // back fill size
        pMdl,
        0,      // Data offset
        size);
    if (pNetBufferList == NULL) {
        DEBUGP(DL_AJ, ("alloc NBL error\n"));
        return FALSE;
    }

    pNetBufferList->SourceHandle = G.pFilter->FilterHandle;
    NdisFSendNetBufferLists(G.pFilter->FilterHandle,
        pNetBufferList,
        NDIS_DEFAULT_PORT_NUMBER,
        NDIS_SEND_FLAGS_DISPATCH_LEVEL);

    NdisFreeMemory(frame, size, 0);

    return TRUE;
}

The code doesn’t work; no packet is sent and I can’t figure out why. Has anyone tried this before, or is anyone interested?
My email: aj3423 at gmail

Thanks in advance

On 22-Apr-2012 12:43, xxxxx@gmail.com wrote:

> Hi,
>
> I’m writing an LWF driver to inject 802.11 packets on Windows. I tried CommView for WiFi (http://www.tamos.com/download/main/ca.php); it provides a patch-driver for various adapters. It CAN inject packets with the patch-driver installed, so I think with the patch driver, I can write my LWF driver to inject too.

What is “patch driver”? Do they patch NDIS?
LWFs definitely do not work in that way.

– pa

The “patch-driver” I mean is a device driver, “ts_arnusb.sys”. CV (CommView) recognizes my adapter and installed it.
My adapter is: “TP-Link WN822N v2” USB adapter (Atheros chipset)
and after the driver is installed, the name is changed to
“[CommView] Atheros AR7015 Wireless Network Adapter”

I think “ts_” means TomaSoft, “ar” is Atheros

The adapter is blinking all the time, even if set to monitor mode with Microsoft Network Monitor 3, but when CV is working (sniffing in monitor mode), the light goes off. So I think maybe the device “status” is changed. I printed some adapter “status” in the LWF when CommView is working:
http://i1021.photobucket.com/albums/af333/aj3423/modified_packet.png

  1. operation mode: 4. I’m confused why it’s ext-sta; it should be netmon, because CV is sniffing all the packets in the channel, no matter what the src/dest is.
  2. PHY ID: 2. What does 2 (dot11_phy_type_dsss) mean?
  3. desired PHY list with a -1 (dot11_phy_type_IHV_end) in the list

I set these three values with my LWF; the adapter is still blinking, so there may be some other “status”?
Any idea how CV is working?

You need to ask TomaSoft to give you their intellectual property.

Thomas F. Divine
http://www.pcausa.com


From:
Sent: Monday, April 23, 2012 12:17 PM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] inject 802.11 packet on win7 with CommView driver

> The “patch-driver” I mean is a device driver, “ts_arnusb.sys”. CV (CommView)
> recognizes my adapter and installed it.
> My adapter is: “TP-Link WN822N v2” USB adapter (Atheros chipset)
> and after the driver is installed, the name is changed to
> “[CommView] Atheros AR7015 Wireless Network Adapter”
>
> I think “ts_” means TomaSoft, “ar” is Atheros
>
> The adapter is blinking all the time, even if set to monitor mode with
> Microsoft Network Monitor 3, but when CV is working (sniffing in monitor
> mode), the light goes off. So I think maybe the device “status” is
> changed. I printed some adapter “status” in the LWF when CommView is working:
> http://i1021.photobucket.com/albums/af333/aj3423/modified_packet.png
> 1. operation mode: 4. I’m confused why it’s ext-sta; it should be
> netmon, because CV is sniffing all the packets in the channel, no matter
> what the src/dest is.
> 2. PHY ID: 2. What does 2 (dot11_phy_type_dsss) mean?
> 3. desired PHY list with a -1 (dot11_phy_type_IHV_end) in the
> list
> I set these three values with my LWF; the adapter is still blinking, so
> there may be some other “status”?
> Any idea how CV is working?