Thanks :)) NAT using hook

Hi, Gurus
I solve the problem and now NAT work fine! Thanks for reply.
To hook ndis
, not only hook the dispatch in the NDIS_OPEN_BLOCK, also have to hook the same
dispatch in NDIS_MINIPORT_BLOCK specially SEND_COMPLETE_HANDLER,
STATUS_COMPLETE_HANDLER,REQUEST_COMPLETE_HANDLER. And a strange thing, there are
3 receive paths, but look at the definition of some import api we used in Passthru,
such as
#define NdisIndicateReceiveComplete(NdisBindingContext) \
{ \
KIRQL oldIrql; \
\
KeRaiseIrql( DISPATCH_LEVEL, &oldIrql ); \
(((PNDIS_OPEN_BLOCK)(NdisBindingContext))->PostNt31ReceiveCompleteHandler)( \
((PNDIS_OPEN_BLOCK)(NdisBindingContext))->ProtocolBindingContext); \
KeLowerIrql( oldIrql ); \
}

Ok, in this macro we see PostNt31ReceiveCompleteHandler was called but not
ReceiveCompleteHandler! So strange.

I can’t read this neither in Forte Agent nor in the web interface
(http://www.osr.com/listserver_main.htm).

Hmm, could OSR maybe somehow “convert” 64-bit text to ASCII before
saving it, if the text is actually convertible?

Thanks, Stephan

On Thu, 21 Mar 2002 19:30:16 +0800, brucie wrote:

>
>SGksIEd1cnVzDQpJIHNvbHZlIHRoZSBwcm9ibGVtIGFuZCBub3cgTkFUIHdvcmsgZmluZSEgVGhh
>bmtzIGZvciByZXBseS4NCiBUbyBob29rIG5kaXMNCiwgbm90IG9ubHkgaG9vayB0aGUgZGlzcGF0
>Y2ggaW4gdGhlIE5ESVNfT1BFTl9CTE9DSywgYWxzbyBoYXZlIHRvIGhvb2sgdGhlIHNhbWUNCmRp
>c3BhdGNoIGluIE5ESVNfTUlOSVBPUlRfQkxPQ0sgc3BlY2lhbGx5IFNFTkRfQ09NUExFVEVfSEFO
>RExFUiwgDQpTVEFUVVNfQ09NUExFVEVfSEFORExFUixSRVFVRVNUX0NPTVBMRVRFX0hBTkRMRVIu
>IEFuZCBhIHN0cmFuZ2UgdGhpbmcsIHRoZXJlIGFyZQ0KMyByZWNlaXZlIHBhdGhzLCBidXQgbG9v
>ayBhdCB0aGUgZGVmaW5pdGlvbiBvZiBzb21lIGltcG9ydCBhcGkgd2UgdXNlZCBpbiBQYXNzdGhy
>dSwNCnN1Y2ggYXMgDQojZGVmaW5lIE5kaXNJbmRpY2F0ZVJlY2VpdmVDb21wbGV0ZShOZGlzQmlu
>ZGluZ0NvbnRleHQpCQkJCQkJCQlcDQp7CQkJCQkJCQkJCQkJCQkJCQkJCQkJXA0KCUtJUlFMIG9s
>ZElycWw7CQkJCQkJCQkJCQkJCQkJCQlcDQoJCQkJCQkJCQkJCQkJCQkJCQkJCQlcDQoJS2VSYWlz
>ZUlycWwoIERJU1BBVENIX0xFVkVMLCAmb2xkSXJxbCApOwkJCQkJCQkJCQlcDQoJKCgoUE5ESVNf
>T1BFTl9CTE9DSykoTmRpc0JpbmRpbmdDb250ZXh0KSktPlBvc3ROdDMxUmVjZWl2ZUNvbXBsZXRl
>SGFuZGxlcikoCQlcDQoJCSgoUE5ESVNfT1BFTl9CTE9DSykoTmRpc0JpbmRpbmdDb250ZXh0KSkt
>PlByb3RvY29sQmluZGluZ0NvbnRleHQpOwkJCVwNCglLZUxvd2VySXJxbCggb2xkSXJxbCApOwkJ
>CQkJCQkJCQkJCQkJCVwNCn0NCg0KT2ssIGluIHRoaXMgbWFjcm8gd2Ugc2VlIFBvc3ROdDMxUmVj
>ZWl2ZUNvbXBsZXRlSGFuZGxlciB3YXMgY2FsbGVkIGJ1dCBub3QgDQpSZWNlaXZlQ29tcGxldGVI
>YW5kbGVyISBTbyBzdHJhbmdlLg0K

Looks fine to me, a little obfuscated perhaps, just run your decoder ring
over it.

-----Original Message-----
From: xxxxx@hotmail.com [mailto:xxxxx@hotmail.com]
Sent: Thursday, March 21, 2002 9:13 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Thanks :)) NAT using hook

I can’t read this neither in Forte Agent nor in the web
interface (http://www.osr.com/listserver_main.htm).

Hmm, could OSR maybe somehow “convert” 64-bit text to ASCII
before saving it, if the text is actually convertible?

Thanks, Stephan

On Thu, 21 Mar 2002 19:30:16 +0800, brucie wrote:
>
> >
> >SGksIEd1cnVzDQpJIHNvbHZlIHRoZSBwcm9ibGVtIGFuZCBub3cgTkFUIHdvc
> msgZmluZSE
> >gVGhh
> >bmtzIGZvciByZXBseS4NCiBUbyBob29rIG5kaXMNCiwgbm90IG9ubHkgaG9va
> yB0aGUgZGlzcGF0
> >Y2ggaW4gdGhlIE5ESVNfT1BFTl9CTE9DSywgYWxzbyBoYXZlIHRvIGhvb2sgd
> GhlIHNhbWUNCmRp
> >c3BhdGNoIGluIE5ESVNfTUlOSVBPUlRfQkxPQ0sgc3BlY2lhbGx5IFNFTkRfQ
> 09NUExFVEVfSEFO
> >RExFUiwgDQpTVEFUVVNfQ09NUExFVEVfSEFORExFUixSRVFVRVNUX0NPTVBMR
> VRFX0hBTkRMRVIu
> >IEFuZCBhIHN0cmFuZ2UgdGhpbmcsIHRoZXJlIGFyZQ0KMyByZWNlaXZlIHBhd
> GhzLCBidXQgbG9v
> >ayBhdCB0aGUgZGVmaW5pdGlvbiBvZiBzb21lIGltcG9ydCBhcGkgd2UgdXNlZ
> CBpbiBQYXNzdGhy
> >dSwNCnN1Y2ggYXMgDQojZGVmaW5lIE5kaXNJbmRpY2F0ZVJlY2VpdmVDb21wb
> GV0ZShOZGlzQmlu
> >ZGluZ0NvbnRleHQpCQkJCQkJCQlcDQp7CQkJCQkJCQkJCQkJCQkJCQkJCQkJX
> A0KCUtJUlFMIG9s
> >ZElycWw7CQkJCQkJCQkJCQkJCQkJCQlcDQoJCQkJCQkJCQkJCQkJCQkJCQkJC
> QlcDQoJS2VSYWlz
> >ZUlycWwoIERJU1BBVENIX0xFVkVMLCAmb2xkSXJxbCApOwkJCQkJCQkJCQlcD
> QoJKCgoUE5ESVNf
> >T1BFTl9CTE9DSykoTmRpc0JpbmRpbmdDb250ZXh0KSktPlBvc3ROdDMxUmVjZ
> Wl2ZUNvbXBsZXRl
> >SGFuZGxlcikoCQlcDQoJCSgoUE5ESVNfT1BFTl9CTE9DSykoTmRpc0JpbmRpb
> mdDb250ZXh0KSkt
> >PlByb3RvY29sQmluZGluZ0NvbnRleHQpOwkJCVwNCglLZUxvd2VySXJxbCggb
> 2xkSXJxbCApOwkJ
> >CQkJCQkJCQkJCQkJCVwNCn0NCg0KT2ssIGluIHRoaXMgbWFjcm8gd2Ugc2VlI
> FBvc3ROdDMxUmVj
> >ZWl2ZUNvbXBsZXRlSGFuZGxlciB3YXMgY2FsbGVkIGJ1dCBub3QgDQpSZWNla
> XZlQ29tcGxldGVI
> >YW5kbGVyISBTbyBzdHJhbmdlLg0K
>
> —
> You are currently subscribed to ntdev as:
> xxxxx@stratus.com To unsubscribe send a blank email to
> %%email.unsub%%
>

b> To hook ndis
b> , not only hook the dispatch in the NDIS_OPEN_BLOCK, also have to hook the same
b> dispatch in NDIS_MINIPORT_BLOCK specially SEND_COMPLETE_HANDLER,
b> STATUS_COMPLETE_HANDLER,REQUEST_COMPLETE_HANDLER.
i think that you are wrong… My driver works fine and hooks only
NDIS_OPEN_BLOCK
b> And a strange thing, there are
b> 3 receive paths, but look at the definition of some import api we used in Passthru,
b> such as
b> #define NdisIndicateReceiveComplete(NdisBindingContext) \
b> { \
b> KIRQL oldIrql; \
b> \
b> KeRaiseIrql( DISPATCH_LEVEL, &oldIrql ); \
b> (((PNDIS_OPEN_BLOCK)(NdisBindingContext))->PostNt31ReceiveCompleteHandler)( \
b> ((PNDIS_OPEN_BLOCK)(NdisBindingContext))->ProtocolBindingContext); \
b> KeLowerIrql( oldIrql ); \
b> }

b> Ok, in this macro we see PostNt31ReceiveCompleteHandler was called but not
b> ReceiveCompleteHandler! So strange.
you can see NdisMxxxIndicateReceive()function

hello
How do you hook. Modify the EXPORT Table of NDIS.SYS?
But as I do , I really could not hook SEND_COMPLETE_HANDLER.

b> To hook ndis
b> , not only hook the dispatch in the NDIS_OPEN_BLOCK, also have to hook the same
b> dispatch in NDIS_MINIPORT_BLOCK specially SEND_COMPLETE_HANDLER,
b> STATUS_COMPLETE_HANDLER,REQUEST_COMPLETE_HANDLER.
i think that you are wrong… My driver works fine and hooks only
NDIS_OPEN_BLOCK
b> And a strange thing, there are
b> 3 receive paths, but look at the definition of some import api we used in Passthru,
b> such as
b> #define NdisIndicateReceiveComplete(NdisBindingContext) \
b> { \
b> KIRQL oldIrql; \
b> \
b> KeRaiseIrql( DISPATCH_LEVEL, &oldIrql ); \
b> (((PNDIS_OPEN_BLOCK)(NdisBindingContext))->PostNt31ReceiveCompleteHandler)( \
b> ((PNDIS_OPEN_BLOCK)(NdisBindingContext))->ProtocolBindingContext); \
b> KeLowerIrql( oldIrql ); \
b> }

b> Ok, in this macro we see PostNt31ReceiveCompleteHandler was called but not
b> ReceiveCompleteHandler! So strange.
you can see NdisMxxxIndicateReceive()function

---

You are currently subscribed to ntdev as: brucie@263.net
To unsubscribe send a blank email to xxxxx@lists.osr.com

= = = = = = = = = = = = = = = = = = = =

??
???

brucie
brucie@263.net
2002-03-22

Hello brucie,

b> hello
b> How do you hook. Modify the EXPORT Table of NDIS.SYS?
i dont modify export …
I hook as ZoneAlarm do it…
So why i cant hook SEND_COMPLETE_HANDLER
you can see it in NDIS_OPEN_BLOCK

as for PostNt31ReceiveCompleteHandler i think so:
ndis call it when miniport is wan or unknown type
otherwise - call ReceiveCompleteHandler

Yes, If you do only hook the SEND_COMPLETE_HANLDER in NDIS_OPEN_BLOCK,
you newSendCompleteHanler will not work. As you see some macro’s definition
in ndis.h, you will find some SEND_COMPLETE_HANDLER defined( IN NDIS_OPEN_BLOCK,
NDIS_MINIPORT_BLOCK). And you can use debug symbols to see these openblocks’s
detail information. YOu will see the SEND_COMPLETE_HANDLER defined in NDIS_OPEN_BLOCK
and NDIS_MINIPORT_BLOCK point to the same address! So if you only substitute
the handler in NDIS_OPEN_BLOCK, but when miniport call NdisMSendComplete,
What will happen? It still calls the old path.

Hello brucie,

b> hello
b> How do you hook. Modify the EXPORT Table of NDIS.SYS?
i dont modify export …
I hook as ZoneAlarm do it…
So why i cant hook SEND_COMPLETE_HANDLER
you can see it in NDIS_OPEN_BLOCK

as for PostNt31ReceiveCompleteHandler i think so:
ndis call it when miniport is wan or unknown type
otherwise - call ReceiveCompleteHandler

---

You are currently subscribed to ntdev as: brucie@263.net
To unsubscribe send a blank email to xxxxx@lists.osr.com