Kernel Mode Interception

Has anyone done much kernel mode interception? I’m interested in
intercepting several function (particularly network) calls made in
kernel mode. Any ideas where to start? Can anyone point me in the
right direction?

Thanks,

~ ).(.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Saturday, July 13, 2002 3:54 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Win2K “Disk Administrator” related queries

(D) Is there an API, which a privileged program can
use, to tell OS to scan for any newly added or removed
disk devices?

CM_Reenumerate_DevNode. Or Device Manager’s “Scan For Hardware
Changes”.

Max


You are currently subscribed to ntdev as: xxxxx@fit.edu
To unsubscribe send a blank email to %%email.unsub%%

What do you mean by interception? Filtering IO? And what exactly do you
wanna intercept?

Dan


I’m trying to manipulate network traffic at the transport layer and I’m
trying to figure out the best possible way – either by creating my own
TDI filter driver or by intercepting calls made to tcpip.sys. I think
the stuff at http://www.pcausa.com sounds good, but how do I go about
writing one of these myself? Where do I start?

Thanks again,

~ ).(.


Write a filter driver. There are no “calls” made directly to TCP/IP; it
follows the regular layered IRP-based IO mechanism.
Be warned, MS does not much agree with filter drivers which manipulate the data.
It’s fairly simple to write a TCP-based filter, save for a few quirks, and
there is a free example somewhere @ www.ntndis.com.

Ciao
