RE: Obtaining Process ID from within NDIS IM Driver

Hi All

Please can somebody help…

I need to obtain the originating Process ID that opened the socket connection. We can trap the SYN Packet from within the IM driver, and at this time we need to get the Process ID that initiated the Socket Open. We need this for establishing the originating application window under WINTERM…

Thanks in advance

Steve


You are currently subscribed to ntdev as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntdev-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Steve,

The only method that I am aware of that can reliably make an association
between TCP/IP connections and their associated local process involve a
filter immediately above the kernel-mode TCP/IP driver. This sort of filter
is known as a Transport Data Interface (TDI) Filter. A TDI Filter can
observe the creation of TDI address objects and track the creator’s process
ID.

It’s fairly messy…

At the NDIS level most operations are performed in arbitrary thread context.
If the packet that you are trapping is being sent on the local host there is
a small chance that the call to your NDIS IM driver’s SEND routine is still
in the context of the process that initiated the send. You could see if
PsGetCurrentProcess() fetches meaningful information - but I doubt it…

Good luck,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http://www.pcausa.com - http://www.rawether.net

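The TDI-side tracking Thomas describes, and the NDIS-side lookup it enables, as an added user-mode model in C (not code from this thread, from PCAUSA, or from any Windows DDK): the TDI hook records the creating process's ID per local port, and the IM driver, on seeing a SYN, recovers the PID from that table instead of from the arbitrary thread context it runs in. All names, the table and the sample frame are assumptions constructed for the example.

```c
/* Added example (not code from the thread): a user-mode model of the TDI-filter
 * idea. The table, the names and the sample frame below are all constructed. */
#include <stdint.h>
#include <stddef.h>

#define MAX_ENTRIES 64
struct addr_entry { uint16_t local_port; uint32_t pid; };
static struct addr_entry g_table[MAX_ENTRIES];
static size_t g_count;

/* Model of the TDI filter hook: when an address object is created the
 * calling thread belongs to the owning process, so the PID is valid here. */
int tdi_record_address(uint16_t local_port, uint32_t pid)
{
    if (g_count >= MAX_ENTRIES) return -1;
    g_table[g_count].local_port = local_port;
    g_table[g_count++].pid = pid;
    return 0;
}

/* Ethernet/IPv4/TCP parse: returns 1 and sets *src_port if flags are exactly SYN. */
int is_tcp_syn(const uint8_t *pkt, size_t len, uint16_t *src_port)
{
    if (len < 34 || pkt[12] != 0x08 || pkt[13] != 0x00) return 0; /* not IPv4 */
    size_t ihl = (pkt[14] & 0x0f) * 4u;
    if ((pkt[14] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 20) return 0;
    if (pkt[23] != 6) return 0;                                   /* not TCP */
    const uint8_t *tcp = pkt + 14 + ihl;
    if ((tcp[13] & 0x3f) != 0x02) return 0;          /* need SYN without ACK */
    *src_port = (uint16_t)((tcp[0] << 8) | tcp[1]);
    return 1;
}

/* Model of the NDIS IM send path: thread context is arbitrary there, so the
 * table is the only trustworthy source; 0 means "unknown", never a guess. */
uint32_t pid_for_syn(const uint8_t *pkt, size_t len)
{
    uint16_t port;
    if (!is_tcp_syn(pkt, len, &port)) return 0;
    for (size_t i = 0; i < g_count; i++)
        if (g_table[i].local_port == port) return g_table[i].pid;
    return 0;
}

/* Constructed 54-byte frame: IPv4/TCP, source port 49152 -> 80, flags = SYN. */
const uint8_t sample_syn_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x80,0x06,0x00,0x00, 192,168,1,10, 10,0,0,1,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00
};
```

A lookup that returns 0 is the case Michal's follow-up warns about: the send context cannot be used to fill that gap.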

> ----------

From: xxxxx@hotmail.com[SMTP:xxxxx@hotmail.com]
Reply To: xxxxx@lists.osr.com
Sent: Wednesday, February 13, 2002 5:59 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] Re: Obtaining Process ID from within NDIS IM Driver

At the NDIS level most operations are performed in arbitrary thread context.
If the packet that you are trapping is being sent on the local host there is
a small chance that the call to your NDIS IM driver’s SEND routine is still
in the context of the process that initiated the send. You could see if
PsGetCurrentProcess() fetches meaningful information - but I doubt it…

It may work in some cases but generally it is unreliable. Once I examined
the context of send routines and found sometimes it is called in original
thread context but also it can be called in packet receive context which is
really arbitrary. It may depend on current network load and also on number
of processors. TDI filter seems as better idea although I would try to find
a solution where this info isn’t needed.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

