Prototype of ndisMSwapOpenHandlers and ndisMRestoreOpenHandlers functions

As with my replies on Sunday and yesterday, there are supported, documented ways to develop NDIS IM drivers. Is there a reason that you insist on using unsupported methods?

NDIS hooking drivers have been known to cause problems, mostly with interactions with other products and bugchecks. The author of such drivers is usually not aware of the difficulties that their non-standard driver has caused. Furthermore, it’s likely to have real problems in future stacks when inserted between an NDIS 6 miniport and an NDIS 6 transport.

Any development using the hooking scheme is likely to cause problems in the present and possibly cease to work in the future.

Bryan S. Burgin
xxxxx@microsoft.com

This posting is provided “AS IS” with no warranties, and confers no rights.


From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Egemen Tas
Sent: Wednesday, December 01, 2004 4:19 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Prototype of ndisMSwapOpenHandlers and ndisMRestoreOpenHandlers functions

Hello all,

While doing research on NDIS, I have seen two functions for which I have found no documentation.

Does anybody know the function prototypes of the following undocumented NDIS functions:

ndisMSwapOpenHandlers: which swaps the Send handlers of a protocol with bogus ones (which always return an error) in case of media disconnect and reset.
ndisMRestoreOpenHandlers: which restores the handlers previously swapped by ndisMSwapOpenHandlers.

I have also found that there is a protocol named HOOKPROC which is used to get a handle to the current protocol chain to dynamically hook NDIS. Do you know which software may possibly initiate this attempt?

Thanks in advance,
Egemen Tas
http://www.modemwall.com


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hello Bryan,

I have read all of your messages about NDIS hooking.

I also agree with you that hooking may not be applicable with future
advances in NDIS (like NDIS 6 and 64-bit OSs).

However, I am doing serious research on a topic which DOES require NDIS
hooking. And research sometimes DOES require hooking where documented ways are
not enough.

Even Microsoft Research itself has a package called DETOURS to hook APIs for
research purposes.

There is no need to discuss the shortcomings of NDIS hooking any further.

So I have to hook NDIS. And I need help on the topics I have posted before.
Please let the others who might have some idea about the issues post a
reply to me.

Regards,

Egemen Tas

http://www.modemwall.com

-------Original Message-------

From: Bryan Burgin

Date: 12/01/04 15:02:03

To: Windows System Software Devs Interest List

Cc: xxxxx@gmail.com

Subject: RE: [ntdev] Prototype of ndisMSwapOpenHandlers and
ndisMRestoreOpenHandlers functions


----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Egemen Tas[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, December 01, 2004 3:41 PM
To: Windows System Software Devs Interest List
Cc: OSR Developers List
Subject: RE: [ntdev] Prototype of ndisMSwapOpenHandlers and ndisMRestoreOpenHandlers functions

However, I am doing serious research on a topic which DOES require NDIS
hooking. And research sometimes DOES require hooking where documented ways are
not enough.

Which topic needs NDIS hooking? There were good reasons for hooking on w9x and maybe NT4, but I don’t know any for w2k and above.

So I have to hook NDIS. And I need help on the topics I have posted before.
Please let the others who might have some idea about the issues post a
reply to me.

With hooking you’re on your own. You have to understand how NDIS works in great detail, have to disassemble at least ndis.sys and be very good at debugging and analysis. Then you’d be able to answer yourself. Catch 22. Also, when you solve it, you probably wouldn’t want to share your hard-won knowledge with others, which may be the reason why you don’t get answered. The other reason may be that nobody who is able to do it can afford to lose time on something as dubious.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Ok.

My aim in using NDIS hooking is to collect information about the registered
protocols (possibly of rootkits) and their characteristics, such as TCP/UDP
packet information sent/received, handler addresses and memory patterns.
This is just statistical work. And I do not know any way to detect and
collect information about every protocol driver registering itself
without using NDIS hooks.

Is this possible with an IM driver? If so, it would be much more time-
efficient for me to work on the samples that come with the DDK.

Thanks in advance.

Egemen Tas,

http://www.modemwall.com

-------Original Message-------

From: Michal Vodicka

Date: 12/01/04 22:31:30

To: Windows System Software Devs Interest List

Subject: RE: [ntdev] Prototype of ndisMSwapOpenHandlers and
ndisMRestoreOpenHandlers functions
