NDIS hooking

OSR_Community_User · January 19, 2002, 12:17am

Hello.

I am making an NDIS hooking driver (according to vadim smirnov’s
technique), and have run into 2 problems:

Replacing NdisSend() and NdisSendPackets() should be the same since
their prototypes contain NDIS_HANDLE MiniportAdapterContext, but my NDIS.H
has the following macros:

#define NdisSend(Status, NdisBindingHandle, Packet)
{
*(Status) =
(((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendHandler)(
((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->MacBindingHandle,
(Packet));
}

#define NdisSendPackets(NdisBindingHandle, PacketArray, NumberOfPackets)
{
(((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendPacketsHandler)(
(PNDIS_OPEN_BLOCK)(NdisBindingHandle), (PacketArray),
(NumberOfPackets));
}

The NdisSend seems to receive a pointer to the miniport’s context area, as
the documentation says it does, but NdisSendPackets seems to receive a
pointer to the OPEN_BLOCK, instead of the miniport’s context area. Is my
NDIS.H corrupt? (I have a WORKING IM based on passthru which treats the
NdisSendPackets() NdisBindingHandle parameter as the context area)

Saving NDIS_OPEN_BLOCKs allows me to search for ProtocolBindingContext
in order to tell which protocol needs to be called inside ReceiveXXX
functions, but I do not know where in the OPEN_BLOCK, the
MiniportAdapterContext that I get from the SendXXX functions is. (and, are
the context variables the only method to get to the originator?)

Any help would be greatly appreciated. Thanks.
Yoav.

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · January 19, 2002, 1:01am

Hello.

It’s not a bug, it’s a feature ;). I’ve showed the approach to NDIS-hooking
driver creation in general, but there are many details skipped. Probably a
good start for one, who would like to try himself on the new field and dig
into NDIS internals. However, your ndis.h file is correct, sure it was the
the first time you’ve look inside this header. Actually, NDIS have even more
suprises for you.

May be you would like to visit http://www.pcausa.com/ndispim/ and order PIM
samples (includes NT ones), it could make your life a bit easier.

BR,
Vadim
http://www.ntndis.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Yoav Nissim
Sent: Saturday, January 19, 2002 12:16 AM
To: NT Developers Interest List
Subject: [ntdev] NDIS hooking

Hello.

I am making an NDIS hooking driver (according to vadim smirnov’s
technique), and have run into 2 problems:

Replacing NdisSend() and NdisSendPackets() should be the same since
their prototypes contain NDIS_HANDLE MiniportAdapterContext, but my NDIS.H
has the following macros:

#define NdisSend(Status, NdisBindingHandle, Packet)
{
*(Status) =
(((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendHandler)(
((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->MacBindingHandle,
(Packet));
}

#define NdisSendPackets(NdisBindingHandle, PacketArray, NumberOfPackets)
{
(((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendPacketsHandler)(
(PNDIS_OPEN_BLOCK)(NdisBindingHandle), (PacketArray),
(NumberOfPackets));
}

The NdisSend seems to receive a pointer to the miniport’s context area, as
the documentation says it does, but NdisSendPackets seems to receive a
pointer to the OPEN_BLOCK, instead of the miniport’s context area. Is my
NDIS.H corrupt? (I have a WORKING IM based on passthru which treats the
NdisSendPackets() NdisBindingHandle parameter as the context area)

Saving NDIS_OPEN_BLOCKs allows me to search for ProtocolBindingContext
in order to tell which protocol needs to be called inside ReceiveXXX
functions, but I do not know where in the OPEN_BLOCK, the
MiniportAdapterContext that I get from the SendXXX functions is. (and, are
the context variables the only method to get to the originator?)

Any help would be greatly appreciated. Thanks.
Yoav.

You are currently subscribed to ntdev as: xxxxx@pcausa.com
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

OSR_Community_User · January 23, 2002, 3:42am

Hi Mr. Smirnov,

Thank you for your suggestion about PIM, but since I am not on a deadline
and I do this for fun, getting the code would be missing out on all the
fun; speaking of which, I finally got it up and running and it is really a
pleasure to see it working!!
Your ntndis.com was what got me to believe that it can be done without a
team, several months, and NDIS source code
Thanks,

Yoav.

On 01/19/02, ““Vadim Smirnov” ” wrote:
> Hello.
>
> It’s not a bug, it’s a feature ;). I’ve showed the approach to NDIS-hooking
> driver creation in general, but there are many details skipped. Probably a
> good start for one, who would like to try himself on the new field and dig
> into NDIS internals. However, your ndis.h file is correct, sure it was the
> the first time you’ve look inside this header. Actually, NDIS have even more
> suprises for you.
>
> May be you would like to visit http://www.pcausa.com/ndispim/ and order PIM
> samples (includes NT ones), it could make your life a bit easier.
>
> BR,
> Vadim
> http://www.ntndis.com
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com]On Behalf Of Yoav Nissim
> Sent: Saturday, January 19, 2002 12:16 AM
> To: NT Developers Interest List
> Subject: [ntdev] NDIS hooking
>
>
> Hello.
>
> I am making an NDIS hooking driver (according to vadim smirnov’s
> technique), and have run into 2 problems:
>
> 1. Replacing NdisSend() and NdisSendPackets() should be the same since
> their prototypes contain NDIS_HANDLE MiniportAdapterContext, but my NDIS.H
> has the following macros:
>
> #define NdisSend(Status, NdisBindingHandle, Packet)
> {
> *(Status) =
> (((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendHandler)(
> ((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->MacBindingHandle,
> (Packet));
> }
>
> #define NdisSendPackets(NdisBindingHandle, PacketArray, NumberOfPackets)
> {
> (((PNDIS_OPEN_BLOCK)(NdisBindingHandle))->SendPacketsHandler)(
> (PNDIS_OPEN_BLOCK)(NdisBindingHandle), (PacketArray),
> (NumberOfPackets));
> }
>
> The NdisSend seems to receive a pointer to the miniport’s context area, as
> the documentation says it does, but NdisSendPackets seems to receive a
> pointer to the OPEN_BLOCK, instead of the miniport’s context area. Is my
> NDIS.H corrupt? (I have a WORKING IM based on passthru which treats the
> NdisSendPackets() NdisBindingHandle parameter as the context area)
>
> 2. Saving NDIS_OPEN_BLOCKs allows me to search for ProtocolBindingContext
> in order to tell which protocol needs to be called inside ReceiveXXX
> functions, but I do not know where in the OPEN_BLOCK, the
> MiniportAdapterContext that I get from the SendXXX functions is. (and, are
> the context variables the only method to get to the originator?)
>
> Any help would be greatly appreciated. Thanks.
> Yoav.
>
> —
> You are currently subscribed to ntdev as: xxxxx@pcausa.com
> To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>
>
> —
> You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
> To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

—
You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Michal_Vodicka-1 · January 23, 2002, 7:09pm

> ----------

From: xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, January 23, 2002 3:40 AM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE: NDIS hooking

Thank you for your suggestion about PIM, but since I am not on a deadline
and I do this for fun, getting the code would be missing out on all the
fun; speaking of which, I finally got it up and running and it is really a

pleasure to see it working!!
Your ntndis.com was what got me to believe that it can be done without a
team, several months, and NDIS source code

I’m affraid Vadim’s article can induce false sense that writing hooking
driver is easier that IM driver. It may be the case only if you already have
a kit which provides hooking and allows to write plugins for particular
functionality (don’t ask, I don’t know about such a kit). The only thing
which is really easier is installation and not too much since w2k. Writing
hooking driver from scratch is probably harder, you have to understand NDIS
very well including its internal structures which isn’t necessary for IM
driver. On the other hand, if you write IM driver from scratch (i.e. not
copy/paste passthru) and make it working, you will understand NDIS well to
make hooking driver. Team and NDIS source code isn’t necessary (although it
would help) but several months probably yes; it depends on your current NDIS
knowledge.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http:://www.st.com]

You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com