TDImon...

I would like to ask if anyone knows where I can get a sample TDI filter
driver's source code on the web?

I am not aware of a sample on the web.

There are several techniques for filtering TDI. TDI is basically a “legacy”
NT driver. This means that ordinary NT-style filter drivers can be installed
above TDI. See IoAttachDevice, etc. and books about the general topic of NT
(not WDM) layered device drivers. This technique, plus a thorough
understanding of TDI, is sufficient to make a simple TDI Filter.

Good luck,

Thomas F. Divine

PCAUSA - Tools & Resources For Network Software Developers
NDIS Protocol/Intermediate/Hooking - TDI Client/Filter
http: - http:

“Sherman” wrote in message news:xxxxx@ntdev…
>
> I would like to ask if any one know where can I get a sample TDI filter
> driver’s source code in the web?
>

With this in mind, is the concept of TDI filtering going to be a problem
in the future regarding enhancements to the OS? I assume that a
'legacy' NT TDI filter driver will function on 2K and XP... is this
correct?

- jb


As long as the Microsoft TDI drivers are legacy drivers, the layered
NT-style filter is appropriate. This is true at least through Windows XP.

Thos

“Jonathan Borden” wrote in message
news:xxxxx@ntdev…
>
> With this in mind, is the concept of TDI filtering going to be a problem
> in the future regarding enhancements to the OS? I assume that a
> ‘legacy’ nt tdi filter driver will function on 2k and xp…is this
> correct?
>
> - jb
>

there was a posting from one guy to this list about three or four weeks ago,
containing a link to his TDI Filter source.

johnny


> there was a posting from one guy to this list about three or four weeks ago,
> containing a link to his TDI Filter source.

do you mean http://ntdev.h1.ru/tdi_flt.zip?

It only has the filter driver part. Since I am a beginner, I am looking for
source for both the driver and the UI. Is the idea of TDIMon similar to that of
FileMon, except that the lower device being monitored is different?

Sherman,

> do you mean http://ntdev.h1.ru/tdi_flt.zip?

Yes, I meant that.

There are different ways to bring information from Ring0 to Ring3, like
polling, sharing memory between the Ring0 driver and the Ring3 app, APCs, and so
on...

As far as I can remember, there was an interesting article in MSJ a long time ago.

One of the easiest ways is to create a Device Object and a Symbolic Link for
it in your driver. Open this device in your app and use the DeviceIoControl()
API function to pick up information from your driver. Your driver could use
a linked list to keep the information and fill in your Output Buffer during
IRP_MJ_DEVICE_CONTROL. You can even use the ReadFile or WriteFile APIs.

> It only has the filter driver part. Since I am a beginner, I am looking for
> source for both the driver and the UI. Is the idea of TDIMon similar to that of
> FileMon, except that the lower device being monitored is different?

What is your question? Do you mean the user-mode/kernel-mode communication? Yes,
they are similar.

One more point: the TDIMon application from Sysinternals is not a TDI Filter
Driver in the classic way... it goes another, undocumented way: it replaces
the Dispatch routines of the MS TCPIP driver.

Regards

Johnny


Johnny,

> There are different ways to bring information from Ring0 to Ring3, like
> polling, sharing memory between the Ring0 driver and the Ring3 app, APCs, and so
> on...
>
> As far as I can remember, there was an interesting article in MSJ a long time ago.

I have checked the back issues of MSJ, but cannot find that article, would
you mind finding that for me?

> One of the easiest ways is to create a Device Object and a Symbolic Link for
> it in your driver. Open this device in your app and use the DeviceIoControl()
> API function to pick up information from your driver. Your driver could use
> a linked list to keep the information and fill in your Output Buffer during
> IRP_MJ_DEVICE_CONTROL. You can even use the ReadFile or WriteFile APIs.

What side can use ReadFile or WriteFile APIs? Driver or app?
What are the purposes of using them? For application to call the driver?

I read the source code of FileMon, and found that in its implementation,
the app polls for shared memory between app and driver to see if there is
new information available.

Is it possible for the driver to actively call the app when there is new
information available?

>It only has filter driver part. Since I am a beginner, I am looking for
>source for both driver and UI. Is the idea of TDIMon similar to that of
>FileMon? except the lower device being monitored is different?

> What is your question? Do you mean the user-mode/kernel-mode communication? Yes,
> they are similar.

What I want to ask is whether the principles of filtering file I/O requests and
TCP/IP requests are the same: can I modify FileMon to be the upper
filter driver of the TDI layer and perform functions similar to those of
TDIMon?

> One more point: the TDIMon application from Sysinternals is not a TDI Filter
> Driver in the classic way... it goes another, undocumented way: it replaces
> the Dispatch routines of the MS TCPIP driver.

Which implementation will be easier? TDI Filter Driver or Replacing the
Dispatch routines of MS TCPIP Driver?

Are there any information and/or source code about how to replace the
dispatch routines of MS TCPIP driver on the web?

Thank you for answering my questions.

Regards,
Sherman

You can create a thread or threads in your application that pend IOCTL
IRPs to the driver. These threads will sit blocked in
DeviceIoControlFile() until the driver completes the request.

So, in this situation, the driver will have a queue of IRPs from the
application that the driver marks as pending and places in a queue. When
the driver has information it wants to send to the application, it fills
in the data in one of these IRPs and completes the request. The/a thread
wakes up and returns from the DeviceIoControl() call, reads the data in
the IRP and does what it needs to do.

You can be more asynchronous if you use overlapped requests.

Jamey Kirby
StorageCraft, inc.
xxxxx@storagecraft.com
www.storagecraft.com
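Jamey's pending-IOCTL scheme, as an added example that is not part of this thread: a portable C model (not Windows kernel code) of the driver-side queues, in which complete_to_app() stands in for IoCompleteRequest and the function and queue names are constructed for the illustration. It also covers the case Jamey's description leaves implicit: a record that arrives while no request is pended has to be buffered, or it is lost between two DeviceIoControl calls.

```c
#include <string.h>
#define MAX_PENDING 8
#define MAX_RECORDS 16
#define RECORD_LEN  64
/* Driver-side state: FIFO of pended request ids and records awaiting one. */
static int  pending[MAX_PENDING], npending;
static char records[MAX_RECORDS][RECORD_LEN];
static int  nrecords;
/* Stands in for IoCompleteRequest: what the woken app thread would read. */
static int  last_req_id;
static char last_data[RECORD_LEN];
static void complete_to_app(int req_id, const char *data) {
    last_req_id = req_id;
    strncpy(last_data, data, RECORD_LEN - 1);
    last_data[RECORD_LEN - 1] = '\0';
}
int last_completed_id(void) { return last_req_id; }
const char *last_completed_data(void) { return last_data; }
/* IRP_MJ_DEVICE_CONTROL model: complete at once if a record is already
 * waiting, otherwise mark the request pending and queue it. */
int drv_submit_request(int req_id) {
    if (nrecords > 0) {
        complete_to_app(req_id, records[0]);
        memmove(records, records + 1, (size_t)(nrecords - 1) * RECORD_LEN);
        nrecords--;
        return 1;                           /* completed synchronously */
    }
    if (npending == MAX_PENDING) return -1; /* driver would fail the IRP */
    pending[npending++] = req_id;
    return 0;                               /* pended (STATUS_PENDING) */
}
/* Called from the filter's dispatch/event path. A record that arrives with
 * no request pended must be buffered or it is lost between two calls. */
int drv_post_record(const char *text) {
    if (npending > 0) {
        int req = pending[0];
        memmove(pending, pending + 1, (size_t)(npending - 1) * sizeof pending[0]);
        npending--;
        complete_to_app(req, text);
        return 1;                           /* delivered to a waiting thread */
    }
    if (nrecords == MAX_RECORDS) return -1; /* queue full: record dropped */
    strncpy(records[nrecords], text, RECORD_LEN - 1);
    records[nrecords][RECORD_LEN - 1] = '\0';
    nrecords++;
    return 0;                               /* buffered */
}
int drv_pending_count(void)  { return npending; }
int drv_buffered_count(void) { return nrecords; }
```

In a real driver the two queues need a spin lock (or a cancel-safe IRP queue) because drv_post_record() runs on the filter's path while drv_submit_request() runs on the app thread, and pended IRPs must also be cancellable.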


Sherman,

> I have checked the back issues of MSJ, but cannot find that article, would
> you mind finding that for me?

Here you are:
http://www.microsoft.com/msj/defaultframe.asp?page=/msj/0799/nerd/nerd0799.htm&nav=/msj/0799/newnav.htm

> What side can use ReadFile or WriteFile APIs? Driver or app?

Of course, your app.

> What are the purposes of using them? For application to call the driver?

For the app to get the requested information from your driver.

> I read the source code of FileMon, and found that in its implementation,
> the app polls for shared memory between app and driver to see if there is
> new information available.
>
> Is it possible for the driver to actively call the app when there is new
> information available?

Of course it is: use APCs in your driver, or create a NAMED event in your
driver, open this event in your app, create a thread in your app, wait on
the event in your thread, and signal the event in your driver when you want to
inform the app.

> What I want to ask is whether the principles of filtering file I/O requests and
> TCP/IP requests are the same: can I modify FileMon to be the upper
> filter driver of the TDI layer and perform functions similar to those of
> TDIMon?

You can just keep the part regarding user-mode/kernel-mode communication;
almost everything else must be changed.

> Which implementation will be easier? TDI Filter Driver or Replacing the
> Dispatch routines of MS TCPIP Driver?

I would recommend using the documented way.

> Are there any information and/or source code about how to replace the
> dispatch routines of MS TCPIP driver on the web?

Not as far as I know.

regards

johnny



This is not a big deal to write it yourself...
As you'll sit above \Tcp and \Udp you do not even
need a PnP filter driver, just a generic NT4-style
filter. Actually this topic (filtering TCP traffic)
was discussed here millions of times; you can just
search the list history to find the links and
source code parts. If you fail you can write me
an e-mail and I'll try to help you with NT/2K/XP
and 95/98/ME TCP filter driver source code.

Anton

We even have the same driver binary for NT, 2K
and XP environments =)

Anton

Hi, guys!

I missed your discussion but want to tell some news. I wrote a simple UI
which can control the driver and get some information from it. You can download
the updated sources.

vlad-ntdev


> I missed your discussion but want to tell some news. I wrote a simple UI
> which can control the driver and get some information from it. You can download
> the updated sources.
>
> vlad-ntdev

Thank you for your updated sources!
I am trying my best to understand it now.
Can you suggest some more reference materials about that for me to read?

I have read part of your TDI filter driver source code. As I am a beginner,
I found many things I cannot understand.

Why does quick_filter only execute in tdi_connect, tdi_receive_datagram,
tdi_send_datagram, tdi_event_connect, tdi_event_receive_datagram and
tdi_event_chained_receive_datagram?

Why does "if (result == FILTER_DENY) goto done;" only appear in
tdi_receive_complete, tdi_receive_datagram, tdi_receive_datagram_complete,
tdi_send, tdi_send_datagram and tdi_event_connect?

I've added some code to see which dispatcher or event handler called
quick_filter, but I can only see tdi_connect, tdi_event_receive_datagram
and tdi_event_send_datagram. Under what situations will the other event
handlers execute?

In a test I've added "insert -r DENY -p TCP -d IN -l" as the rule.
Why can another machine still telnet to my machine? Did I misunderstand the
meaning of "incoming TCP packet"?

In another test I've added "insert -r DENY -p UDP -d IN -l" as the
rule. Why can I still resolve the IP address? It seems to me that the
resolution is not done by UDP.

Or it uses IP or RAWIP? Actually what are they? When will they be used?
What are their differences?

In the readme, there is a line "qf_control insert -r ALLOW -p TCP -d IN -t
127.0.0.1 -l". Why is the direction of data "IN" but "Outgoing address" is
used?

Thank you in advance for answering so many questions.