“James Dunning” wrote in message
news:xxxxx@ntdev…
>
> Norton Internet Security is able to determine which process (application) is
> sending or receiving data on a particular IP port, and alert the user if it's
> of an unknown type, so they can either permit, block or create a rule filter
> for the current alert.
>
> Does anyone know how an NDIS IM Driver can determine which process
> (application) is sending or receiving data on a particular IP port?
>
> I've looked at the following link
> http://www.pcausa.com/resources/winpktfilter.htm which seems to shed some
> light on how this is done, but I got kinda lost when I read the following
> paragraph…
>
> “It should also be noted that some network services operate by creating a
> thread attached to the system process. In this case the process
information
> that is available does not specifically identify the actual process that
> initially created the thread. This is especially true of Windows services
> that exist solely in kernel-mode (kernel-mode TDI clients).”
>
> Could anyone explain to me in English what this means, and advise me how to
> determine which process is sending/receiving data on a particular IP port?
>
Read the paragraph again. It is a little confusing, I guess, but it is
fairly accurate.
Basically, a driver can use the PsCreateSystemThread() call to create a
thread that runs in the context of the system process. Once started, TDI
operations that are performed in this thread will belong to the “System” (or
possibly “Services.exe”) process. This is not very helpful in identifying
the true “process” that initiated a TCP/IP operation.
Hope this helps.
Good luck,
–
Thomas F. Divine
PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
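The point of the reply, that a socket opened from a driver's system thread is attributed to the "System" process rather than to whatever originally asked for the traffic, can be seen from user mode without writing a driver. The script below is an added example and is not from the original post or from PCAUSA: it maps a local port to its owning process with Get-NetTCPConnection / Get-NetUDPEndpoint (available on Windows 8 / Server 2012 and later) and flags endpoints owned by PID 4, which is the System process. The function name Get-PortOwner and the port numbers used in the usage lines are assumptions chosen for illustration.

```powershell
# Added example (not code from the original post): map a local TCP/UDP port to
# its owning process from user mode and flag endpoints owned by the System
# process (PID 4), which is where kernel-mode network clients show up.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module) and, for complete
# results, an elevated prompt. Get-PortOwner is a name chosen for this example.

function Get-PortOwner {
    param(
        [Parameter(Mandatory)][int]$Port,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP'
    )

    $endpoints = if ($Protocol -eq 'TCP') {
        Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    }

    foreach ($ep in $endpoints) {
        # $pid is an automatic variable in PowerShell, so use a different name.
        $ownerPid = $ep.OwningProcess
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol      = $Protocol
            LocalAddress  = $ep.LocalAddress
            LocalPort     = $ep.LocalPort
            State         = if ($Protocol -eq 'TCP') { $ep.State } else { 'n/a' }
            OwningProcess = $ownerPid
            ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            # PID 4 is the System process: the endpoint was opened by a
            # kernel-mode client (for example from a thread created with
            # PsCreateSystemThread), so the PID does not identify the real
            # originator of the traffic. This is the case the quoted paragraph
            # warns about.
            KernelOwned   = ($ownerPid -eq 4)
        }
    }
}

# Usage (port numbers are illustrative): port 445 is normally owned by PID 4
# because the SMB server lives in a kernel driver, while a user-mode listener
# such as the RPC endpoint mapper on 135 reports its own image name (svchost).
Get-PortOwner -Port 445
Get-PortOwner -Port 135

# Every TCP endpoint that resolves only to "System": these are exactly the
# connections for which per-process attribution from the port alone fails.
Get-NetTCPConnection | Where-Object OwningProcess -eq 4 |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Sort-Object LocalPort
```

For a filter driver the same limitation applies in reverse: recording the current process at the moment a TDI client opens its transport address gives the originating process for user-mode applications, but for sockets opened from a system thread it only ever gives System, so a rule engine like the one described for Norton Internet Security has to treat PID 4 as "kernel-mode client" rather than as a specific application.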