NDIS Filter Driver question

Hi, guys,

Ever since I configured my router to do effective reporting (like sending me automatic emails with a list of web accesses) I’ve been amazed at the amount of stuff that goes on behind my back. That made me tune up my ZoneAlarm, and wow, it’s mind-boggling how much Internet access goes on behind my back, even from programs I should supposedly trust and which at least in principle have no business going on-line.

And the Sony CD episode gives me the jitters.

Well, I want to stop that, and being the kernel dev I am, I want to write myself a filter driver, to capture information in the terms I want it to be captured. I know enough about writing communications software, but I don’t have much experience with NDIS itself. Do any of you have any words of wisdom, or some starting point source code I should look at?

Thanks for any information!

Alberto.

Hi Alberto,

Maybe TDIFW, a TDI-based open source firewall for Windows published under a
BSD license, might be a good start.

http://tdifw.sourceforge.net/

Regards

Beyers Cronje

How about the DDK samples … src\network\ndis\passthru?

Alberto,

This is something I dealt with in the past :-).

NDIS is a wrapper library. Personal firewalls can be developed using NDIS
and TDI/AFD combinations. There are actually two parts: one being bad
things trying to pump stuff out of your PC, and the other being bad things
trying to sneak into your PC.

If you really want to do it yourself, it is really a long project.

Note that using a router (192.168.x.x addressing), with the machines
usually logged in as non-admin, takes away attacks. First, how would we
know that is the case? Ethereal with WinPcap (open source) will let you
figure that out. It is a traffic sniffer, and a firewall is a traffic
sniffer + policy etc.

As for the architectural side, the best thing to do is use the NDIS
intermediate driver model, because NDIS 6.0 plus is, IMHO, a much better
architecture (chimney and TCP offload, among other things) and some new
firewalling API might be there (I’m not sure).

The TDI side is used for stopping bad programs from accessing the internet
and doing things (you know it :)

At a minimum, a TDI filter and an NDIS intermediate driver combination
could be of some help.

There is plenty of literature about firewalls, and also some on intrusion
detection and antivirus, that could help to solidify your architectural
steps.

In case you need more information, I would be able to provide some
insight, but why would you try to do this?

-pro


Alberto,

You can start with the passthru DDK sample. Adding hard-coded passive filtering logic or traffic reporting shouldn’t be too hard, but for anything more sophisticated count on months of time. Try to search for Thomas Divine’s work and articles about this topic.

I wrote NDIS filter drivers for NT 3.51, 4.0, w9x and w2k. It was far from an easy task. Since then NDIS has improved and the worst part, driver installation, is quite easy now. However, as with everything in the kernel, the NDIS learning curve is flat at the beginning. I guess it is much easier to configure ZoneAlarm or another firewall according to your needs than to try to develop your own. Yes, it is an interesting task but the necessary time investment is significant.

BTW, it seems Sony already gave up :)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Alberto Moreira[SMTP:xxxxx@ieee.org]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, November 17, 2005 1:59 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] NDIS Filter Driver question

Hi, guys,

Ever since I configured my router to do effective reporting (like sending me automatic emails with a list of web accesses) I’ve been amazed at the amount of stuff that goes on behind my back. That made me tune up my ZoneAlarm, and wow, it’s mind boggling how much Internet access goes on behind my back, even from programs I should supposedly trust and which at least in principle have no business going on-line.

And the Sony CD episode gives me the jitters.

Well, I want to stop that, and being the kernel dev I am, I want to write myself a filter driver, to capture information in the terms I want it to be captured. I know enough about writing communications software, but I don’t have much experience with NDIS itself. Does any of you have any words of wisdom, or some starting point source code I should look at ?

Thanks for any information!

Alberto.


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Uh, instead of “passive filtering” I meant packet filtering without modifying packet contents. Just allow or refuse logic.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Michal Vodicka[SMTP:xxxxx@upek.com]
Reply To: Windows System Software Devs Interest List
Sent: Friday, November 18, 2005 12:38 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] NDIS Filter Driver question

Hi, Pro,

At this time all I want is some kind of selective logger. I want
to know precisely what’s been sent and received from/to my
computer, and I want to have some control that tells it
precisely what to look at. I can filter things at my router, but
I want to know what to filter! So, you may be right, let me
look at Ethereal and see if I can live with it.

Tks,

Alberto.

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”

Sent: Thursday, November 17, 2005 11:06 AM
Subject: RE: [ntdev] NDIS Filter Driver question

The problem is, Zone Alarm doesn’t tell me in detail what’s
going on. Right now what I want is a configurable logger that I
can direct to give me the information I want, on a selective
basis. I have done lots of networking programming in the past,
so, I’m not worried about that side of the equation; but I worry
about NDIS itself not letting me do what I want.

And yes, I know that Sony gave up, but it may only be temporary,
and it raises the bar for other people to try to sneak in. I
spent some time reading Russinovich’s blog, it’s very
entertaining! And very worrying too. If it takes someone of his
caliber to figure out what’s going on, imagine what is happening
inside a normal non-technical user’s computer…

Thanks for the info! I’ll try the passthru as a starter.

Alberto.

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Devs Interest List”

Sent: Thursday, November 17, 2005 6:38 PM
Subject: RE: [ntdev] NDIS Filter Driver question

Thanks, Beyers! Much appreciated.

Alberto.

----- Original Message -----
From: Beyers Cronje
To: Windows System Software Devs Interest List
Sent: Thursday, November 17, 2005 8:19 AM
Subject: Re: [ntdev] NDIS Filter Driver question

Thanks, Lyndon! I’m going to try starting with the passthru, it
removes some of the mechanical work from my path.

Alberto.

----- Original Message -----
From: “Lyndon J Clarke”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”

Sent: Thursday, November 17, 2005 8:32 AM
Subject: Re:[ntdev] NDIS Filter Driver question
It sounds like you already got a good starting point, but this tripped me up for a bit, so thought I’d share…

Technically, you don’t want a filter driver; in NDIS terms, you want an intermediate miniport (IM in the DDK docs) driver, which passthru is. Filter drivers aren’t really recommended due to lack of functionality.

Oh, and to add additional paranoia, ZoneAlarm does not track traffic nearly as closely as it could… or should.

> From: “Alberto Moreira”
> Date: 2005/11/18 Fri AM 09:05:16 EST
> To: “Windows System Software Devs Interest List”
> Subject: Re: Re:[ntdev] NDIS Filter Driver question
> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Alberto Moreira[SMTP:xxxxx@ieee.org]
> Reply To: Windows System Software Devs Interest List
> Sent: Friday, November 18, 2005 3:00 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] NDIS Filter Driver question
>
> The problem is, Zone Alarm doesn’t tell me in detail what’s
> going on. Right now what I want is a configurable logger that I
> can direct to give me the information I want, on a selective
> basis. I have done lots of networking programming in the past,
> so, I’m not worried about that side of the equation; but I worry
> about NDIS itself not letting me do what I want.

No problem on the NDIS side; you can see everything there. However, you’d see only network traffic without any association to applications. Also, you’ll see only raw packets and will have to parse IP/TCP/UDP headers. Things become even more complicated if you want to log some application protocols such as FTP, HTTP etc. You can find yourself rewriting the TCP stack :) I’d rather start with existing tools; Ethereal was already mentioned, and MS Network Monitor also isn’t bad.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
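The two points Michal makes in this thread, that a passthru-style driver sees only raw frames whose IP/TCP/UDP headers it has to parse itself, and (his earlier correction) that the first useful filtering is plain allow-or-refuse logic that leaves the packet contents untouched, can be sketched in user-mode C. This is an added example, not code from the thread, from the DDK passthru sample or from any NDIS API: the frame bytes, the rule table and every identifier (parse_frame, policy_allows, format_log, kSynFrame) are constructed for this example only.

```c
/* Added example, not from the thread or the DDK passthru sample: user-mode C
 * that parses Ethernet/IPv4/TCP/UDP headers out of a raw frame and applies
 * allow/refuse rules without modifying the packet. The frame, the rules and
 * all names below are this example's own constructions, not NDIS/DDK names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6
#define PROTO_UDP       17

typedef struct {
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint8_t  proto;
    uint16_t src_port, dst_port;   /* 0 unless TCP/UDP and first fragment */
} FlowInfo;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one raw frame. Returns 0 on success, -1 for non-IPv4 or for a frame
 * that is truncated or inconsistent at any layer. In a kernel filter a read
 * past the end of a short frame is a crash (or worse), so every length is
 * checked before the bytes behind it are touched. */
int parse_frame(const uint8_t *frame, size_t len, FlowInfo *out)
{
    if (len < ETH_HDR_LEN || rd16(frame + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t rem = len - ETH_HDR_LEN;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl   = (size_t)(ip[0] & 0x0f) * 4;        /* IPv4 header length */
    size_t total = rd16(ip + 2);                       /* IPv4 total length  */
    if (ihl < 20 || total < ihl || total > rem) return -1;

    memset(out, 0, sizeof *out);
    out->proto  = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);

    if ((rd16(ip + 6) & 0x1fff) != 0) return 0;        /* later fragment: no L4 header */
    size_t need = out->proto == PROTO_TCP ? 20 : out->proto == PROTO_UDP ? 8 : 0;
    if (need == 0) return 0;                           /* other protocol: IP info only */
    if (total - ihl < need) return -1;                 /* transport header truncated */
    out->src_port = rd16(ip + ihl);
    out->dst_port = rd16(ip + ihl + 2);
    return 0;
}

/* Allow/refuse rules, first match wins; proto 0 and dst_port 0 mean "any". */
typedef struct { uint32_t net, mask; uint8_t proto; uint16_t dst_port; int allow; } Rule;
static const Rule rules[] = {
    { 0xC0A80000u, 0xFFFF0000u, 0,         0,   1 },  /* LAN 192.168.0.0/16: allow */
    { 0,           0,           PROTO_TCP, 443, 1 },  /* HTTPS anywhere: allow     */
    { 0,           0,           0,         0,   0 },  /* everything else: refuse   */
};

int policy_allows(const FlowInfo *f)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const Rule *r = &rules[i];
        if ((f->dst_ip & r->mask) != r->net) continue;
        if (r->proto && r->proto != f->proto) continue;
        if (r->dst_port && r->dst_port != f->dst_port) continue;
        return r->allow;
    }
    return 0;
}

/* One log record per packet; returns the number of characters written. */
int format_log(const FlowInfo *f, int allowed, char *buf, size_t n)
{
    return snprintf(buf, n, "%s proto=%u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u",
        allowed ? "ALLOW" : "REFUSE", (unsigned)f->proto,
        (unsigned)(f->src_ip >> 24), (unsigned)(f->src_ip >> 16) & 255u,
        (unsigned)(f->src_ip >> 8) & 255u, (unsigned)f->src_ip & 255u, (unsigned)f->src_port,
        (unsigned)(f->dst_ip >> 24), (unsigned)(f->dst_ip >> 16) & 255u,
        (unsigned)(f->dst_ip >> 8) & 255u, (unsigned)f->dst_ip & 255u, (unsigned)f->dst_port);
}

/* Constructed frame: a TCP SYN from 192.168.1.5:50000 to 198.51.100.10:80. */
const uint8_t kSynFrame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet   */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,           /* IPv4       */
    0xc0,0xa8,0x01,0x05, 0xc6,0x33,0x64,0x0a,                                /* src, dst   */
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,           /* TCP ports, seq, ack */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,                                /* hdr len, SYN, window, csum, urg */
};
const size_t kSynFrameLen = sizeof kSynFrame;

int main(void)
{
    FlowInfo f; char line[128];
    if (parse_frame(kSynFrame, kSynFrameLen, &f) != 0) { puts("unparseable frame"); return 1; }
    format_log(&f, policy_allows(&f), line, sizeof line);
    puts(line);   /* REFUSE proto=6 192.168.1.5:50000 -> 198.51.100.10:80 */
    return 0;
}
```

Compile with any C99 compiler and run; it prints one log line for the constructed SYN, which the default-refuse rule catches. The per-layer length checks are the part that carries over to a real driver: a frame shorter than its headers claim is dropped, never read past, and the rule table is the "policy" half of pro's "traffic sniffer + policy" description.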