RE: How to get the PID of the process that send a packet using IpFltDrv

Gedon:
Thank you very much for your answer. I’m interested in knowing the process
which makes a connect or sends a packet, in order to allow or deny it. We
would like to do some stuff regarding this based on the application.
Best regards,

Jose Vicente.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rosner, Gedon
Sent: Friday, 03 January 2003 2:33
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a packet
using IpFltDrv

Jose,
I don’t know the answer to your specific question (actually I’m interested
in the answer myself) but for TCP/IP packets perhaps you can use the
IP address + TCP/UDP port number for tracking flows. That won’t give you too
much information regarding the application process ID but might be helpful.
Regards,
Gedon.

-----Original Message-----
From: José Vicente Sánchez Ortega [mailto:xxxxx@secuware.com]
Sent: Thursday, January 02, 2003 9:54 PM
To: NT Developers Interest List
Subject: [ntdev] How to get the PID of the process that send a packet using
IpFltDrv

I think this topic was asked before but now I can’t find the answers. I have
made a driver that registers itself with IpFltDrv.sys in order to filter IP
traffic and I would need to know, for a given packet, the PID of the process
that sent the packet. Is it possible? Does anybody know how to accomplish
this feature? Does anybody know another method in order to establish a
relationship between an IP packet emitted by a machine (or a connection
action) and the process from which it proceeds?

Thanks in advance.

Jose Vicente.


You are currently subscribed to ntdev as: xxxxx@intel.com
To unsubscribe send a blank email to xxxxx@lists.osr.com



I don’t know if this is a good answer to your query, but do take a look
at the LSP sample.
You might want to do something in user mode itself rather than doing it in
the kernel.
The path is … \SDK\samples\netds\WinSock\LSP

-G

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of José Vicente
Sánchez Ortega
Sent: Friday, January 03, 2003 2:12 PM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a
packet using IpFltDrv

Gedon:
Thank you very much for your answer. I’m interested in knowing the
process which makes a connect or sends a packet, in order to allow or
deny it. We would like to do some stuff regarding this based on the
application. Best regards,

Jose Vicente.


There are several ways you may be able to do this. I have never done it,
but here are my thoughts:

  1. Filter AFD.SYS
  2. Filter TDI (TCPIP.SYS)

I am not 100% sure, but I would suspect that the IRP_MJ_CREATE call is
called (in both drivers) in the context of the calling process (if the
requestor mode is user mode).

If this is the case, you can track all the create requests for that
process. Subsequently, in other calls, you can check to see if the file
object is owned by the process in question. These are just my initial
thoughts.

Jamey
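The per-process bookkeeping Jamey describes, as an added example that is not code from this thread or from any poster on it: record the opener at IRP_MJ_CREATE, then look the owner up on later IRPs by file object. It assumes the file-object pointer, the requestor mode and the current PID are handed in as plain values; in a real TDI/AFD filter they would come from the IRP (PFILE_OBJECT, Irp->RequestorMode) and PsGetCurrentProcessId(), and the table would need a lock.

```c
/* Added example, not code from this thread: a user-mode sketch of the
 * bookkeeping Jamey suggests for a TDI/AFD filter. IRP_MJ_CREATE runs in the
 * opener's process, so record (file object -> PID) there; a later connect or
 * send IRP may arrive in any context, so look the PID up. Assumed: a real
 * driver keys on the IRP's PFILE_OBJECT, uses PsGetCurrentProcessId() and
 * checks Irp->RequestorMode == UserMode; here these are plain parameters. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TRACK_SLOTS 64
#define PID_UNKNOWN 0u  /* open was not made by a user-mode process */
typedef uintptr_t file_obj_t;  /* stands in for PFILE_OBJECT */
struct track_entry { file_obj_t fobj; uint32_t pid; int used; };
static struct track_entry g_table[TRACK_SLOTS];  /* real code: lock-protected */
static struct track_entry *find(file_obj_t fobj) {
    for (size_t i = 0; i < TRACK_SLOTS; i++)
        if (g_table[i].used && g_table[i].fobj == fobj) return &g_table[i];
    return NULL;
}
/* IRP_MJ_CREATE: remember the opener. Kernel-mode opens have no meaningful
 * owning process and are stored as unknown. Returns 0 if the table is full. */
int track_create(file_obj_t fobj, int requestor_is_user, uint32_t current_pid) {
    struct track_entry *e = find(fobj);
    for (size_t i = 0; e == NULL && i < TRACK_SLOTS; i++)
        if (!g_table[i].used) e = &g_table[i];
    if (e == NULL) return 0;
    e->fobj = fobj;
    e->pid = requestor_is_user ? current_pid : PID_UNKNOWN;
    e->used = 1;
    return 1;
}

/* Connect/send IRPs: map the file object back to the PID that opened it. */
uint32_t track_lookup(file_obj_t fobj) {
    struct track_entry *e = find(fobj);
    return e ? e->pid : PID_UNKNOWN;
}

/* IRP_MJ_CLEANUP/CLOSE: forget the object so a reused pointer is not
 * attributed to the old process. */
void track_close(file_obj_t fobj) {
    struct track_entry *e = find(fobj);
    if (e) e->used = 0;
}

int main(void) {  /* constructed sample: PID 4242 opens object 0x1000 */
    track_create(0x1000, 1, 4242);
    printf("send on 0x1000 attributed to PID %u\n", (unsigned)track_lookup(0x1000));
    return 0;
}
```

An allow/deny decision in the send or connect path then reduces to comparing track_lookup() against the application policy; an unknown result means the open was not tracked or came from kernel mode.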

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Girish Kulkarni
(kulkis)
Sent: Friday, January 03, 2003 12:56 AM
To: NT Developers Interest List
Subject: [ntdev] RE: How to get the PID of the process that send a
packet using IpFltDrv

I don’t know if this is a good answer to your query, but do take a look
at the LSP sample.
You might want to do something in user mode itself rather than doing it in
the kernel.
The path is … \SDK\samples\netds\WinSock\LSP

-G
