While it might not be *common* behavior, I think that it is improper to say that it is not *standard* behavior.
In fact, the TCP RFC explicitly calls this behavior out as legitimate:
"Although these examples do not show connection synchronization using data-carrying segments, this is perfectly legitimate, so long as the receiving TCP doesn’t deliver the data to the user until it is clear the data is valid (i.e., the data must be buffered at the receiver until the connection reaches the ESTABLISHED state)."
[http://www.faqs.org/rfcs/rfc793.html]
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gene Soudlenkov
Sent: Wednesday, January 12, 2011 12:37 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Is it possible to append data to a SYN packet from a TDI_CONNECT handler?
As a matter of fact, data in SYN packets is treated by many stacks as the first packet to be delivered to the receiver - kind of an optimisation mechanism. However, as Dave pointed out, this is not a standard behaviour and will be frowned upon by most of the IDSes - there were certain trojans that used data in SYN packets for either attacking or passing over data to another machine.
Gene
On 13/01/11 03:55, David R. Cattley wrote:
In a word, no, you cannot.
TDI is an ‘operational’ interface to the transport. Not a protocol packet
interface.
As Anton pointed out, if you really want to do what you say below, you need
to filter and modify the NDIS packet (network frame) generated by TCP/IP in
response to the connect operation.
But just what are you trying to do by modifying the SYN packet in the
three-way handshake? The protocol says that it shall not have any data. I
would presume that such a packet is going to be treated with great suspicion
by firewalls and possibly ignored by another TCP. Are you trying to
modify TCP Options or actually do as you write, add ‘data’ to the packet?
Good Luck,
Dave Cattley
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Tuesday, January 11, 2011 11:00 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Is it possible to append data to a SYN packet from a TDI_CONNECT handler?
I would like to be able to attach data to a SYN packet from a TDI driver.
After countless hours, I couldn’t find a way to do it, so the question is,
is this even possible? Is there any way to write data in a TDI_CONNECT
handler such that it will be appended to the SYN packet sent out by NDIS?
Here is what I’ve tried so far:
- Placing an MDL with my desired data in Irp->MdlAddress (which is NULL for
TDI_CONNECT). But I find no trace of my MDL at the NDIS layer (the
MiniportSendPackets handler specifically).
- Placing data in the RequestConnectionInformation structure’s UserBuffer
member. My attempts at tracing this value through the function calls saw
the pointer zeroed out in a tcpip.sys function.
Any help would be appreciated.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
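The thread distinguishes TCP options from actual data on a SYN and notes that IDSes and firewalls treat the latter with suspicion. As an added example (not code from any poster or from OSR), here is a C check of the kind such a filter could apply: it measures the payload bytes that follow the TCP header on an initial SYN. The function names, result codes and sample packets are constructed for this example, and it assumes an IPv4 packet starting at the IP header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SYN_MALFORMED = -1, NOT_INITIAL_SYN = 0, SYN_NO_DATA = 1, SYN_WITH_DATA = 2 };

/* Classify one IPv4 packet (pkt points at the IP header). TCP options sit
 * inside the TCP header (covered by the data offset), so only bytes past
 * the header count as SYN payload. Result names are this example's own. */
static int classify_syn(const uint8_t *pkt, size_t len, size_t *payload_len)
{
    *payload_len = 0;
    if (len < 20 || (pkt[0] >> 4) != 4) return SYN_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;          /* IP header length */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];     /* IP total length  */
    if (ihl < 20 || total < ihl || total > len) return SYN_MALFORMED;
    if (pkt[9] != 6) return NOT_INITIAL_SYN;           /* protocol 6 = TCP */
    if (((pkt[6] << 8) | pkt[7]) & 0x1FFF) return NOT_INITIAL_SYN; /* later fragment */
    if (total - ihl < 20) return SYN_MALFORMED;
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;          /* TCP header + options */
    if (doff < 20 || doff > total - ihl) return SYN_MALFORMED;
    if ((tcp[13] & 0x12) != 0x02) return NOT_INITIAL_SYN; /* need SYN set, ACK clear */
    *payload_len = total - ihl - doff;
    return *payload_len ? SYN_WITH_DATA : SYN_NO_DATA;
}

/* Build a constructed IPv4+TCP packet in buf for testing. Checksums and
 * addresses stay zero (the classifier ignores them); opt_len is a multiple of 4. */
static size_t build_syn(uint8_t *buf, size_t opt_len, size_t data_len, uint8_t flags)
{
    size_t total = 20 + 20 + opt_len + data_len;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                           /* TTL, protocol TCP */
    buf[32] = (uint8_t)(((20 + opt_len) / 4) << 4);    /* data offset in words */
    buf[33] = flags;
    memset(buf + 40 + opt_len, 'A', data_len);         /* sample payload */
    return total;
}

int main(void)
{
    uint8_t b[128]; size_t n, p; int r;
    n = build_syn(b, 12, 0, 0x02); r = classify_syn(b, n, &p);
    printf("SYN, options only: result %d, payload %zu\n", r, p);
    n = build_syn(b, 12, 5, 0x02); r = classify_syn(b, n, &p);
    printf("SYN with data:     result %d, payload %zu\n", r, p);
    return 0;
}
```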