Modify packet from NDIS driver

Hello Experts,

We are developing an NDIS intermediate filter driver which analyzes the network packets, but we cannot handle the web packets which are gzipped. So we think that if we could modify the outgoing packets we could prevent gzipped web communication. We know that this is not the best solution but it should work. Our problem is that we cannot modify the packets. Every time we try to modify a packet we get a blue screen of death. Is it possible to modify an outgoing packet from an NDIS intermediate driver? If not, is there any way to assemble the gzipped packets as an HTTP packet and unzip it?
Thank you in advance.

Q1: Is it possible to modify an outgoing packet from NDIS intermediate
driver?

No, it is possible to copy the packet (make a copy of the packet) and modify
the copy. The copy is sent *instead* of the original packet. On
ProtocolSendComplete(), the copy needs to be freed and the original packet
completed.

Q2: If not is there any way to assemble the gzipped packets as a http packet
and unzip it?

Sure. But you might seriously consider doing that in usermode as a Layered
Service Provider and *not* an IM driver. Also, if you are simply trying to
process HTTP, have you thought about interposing a proxy server (via
redirect or other means) into the HTTP transaction so that (as the proxy
server) you can inspect all of this?

Good Luck
-dave

David R. Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@freemail.hu
Sent: Thursday, November 08, 2007 6:18 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Modify packet from NDIS driver


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thank you for the quick reply.
We cannot use a proxy because this driver is doing other jobs too, but it will be enough for us if we can send a modified copy of the original packet. Thank you.

If you are modifying the packet copy, you have to recalculate all the
checksums and do a lot of processing, which highly lacks feasibility. Let me
be clear: if you want to just deny the gzipped packet, you can very well write
a small function that’ll identify the HTTP header sequence, and all you have
to do is indicate the packet send complete to NDIS and just silently drop
the packet.
Remember that you have to identify the HTTP ports effectively, since memory
comparison on the data part of packets can cause high latency.

On 08/11/2007, xxxxx@freemail.hu wrote:
>
> Thank you for the quick reply.
> We cannot use a proxy because this driver is doing other jobs too, but it
> will be enough for us if we can send a modified copy of the original packet.
> Thank you.
>


‘‘The Blessed Lord said: Time I am, destroyer of the worlds, and I have come
to engage all people. With the exception of you, all the soldiers here on
both sides will be slain.’’
-Bhagwad Gita

Anand C. Iyer
Gsec1 Limited
Chennai, India | Manchester, UK
www.gsec1.com
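
The copy-and-modify approach and the checksum recalculation discussed in the replies above, as an added user-mode C example that is not code from the thread or from any driver. It assumes the buffer holds exactly one IPv4/TCP packet, that the header sits in a single segment and is spelled `Accept-Encoding:`, and the function names are hypothetical; in a driver the copy would be sent instead of the original and freed on send completion, as described above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;            /* odd trailing byte */
    return acc;
}

/* TCP checksum over an IPv4 packet. With the checksum field zeroed this is
 * the value to store; over a packet with a valid checksum it returns 0. */
uint16_t tcp_checksum(const uint8_t *ip, size_t len) {
    size_t ihl = (ip[0] & 0x0f) * 4u;
    uint32_t acc = sum16(ip + 12, 8, 0);          /* pseudo-header: src, dst */
    acc += 6u + (uint32_t)(len - ihl);            /* protocol 6 + TCP length */
    acc = sum16(ip + ihl, len - ihl, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Returns a malloc'd copy of the packet whose Accept-Encoding value is
 * overwritten with spaces, or NULL if the packet is not IPv4/TCP or has no
 * such header line. The original buffer is only read, never written. */
uint8_t *copy_without_encoding(const uint8_t *ip, size_t len) {
    static const char name[] = "Accept-Encoding:";   /* exact-case match only */
    const size_t nlen = sizeof name - 1;
    if (len < 40 || (ip[0] >> 4) != 4 || ip[9] != 6) return NULL;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || ihl + 20 > len) return NULL;
    size_t doff = (ip[ihl + 12] >> 4) * 4u;       /* TCP header length */
    if (doff < 20 || ihl + doff > len) return NULL;
    for (size_t i = ihl + doff; i + nlen <= len; i++) {
        if (ip[i - 1] != '\n' || memcmp(ip + i, name, nlen) != 0) continue;
        uint8_t *copy = malloc(len);
        if (!copy) return NULL;
        memcpy(copy, ip, len);
        for (size_t j = i + nlen; j < len && copy[j] != '\r'; j++)
            copy[j] = ' ';                        /* same length: no seq/len change */
        copy[ihl + 16] = copy[ihl + 17] = 0;      /* zero the old TCP checksum */
        uint16_t ck = tcp_checksum(copy, len);
        copy[ihl + 16] = (uint8_t)(ck >> 8);
        copy[ihl + 17] = (uint8_t)ck;
        return copy;
    }
    return NULL;
}
```

Because the edit keeps the payload length unchanged, the IP total length, IP header checksum and TCP sequence numbers stay valid and only the TCP checksum has to be recomputed.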