Where can I intercept and control UDP connect in TDI filter driver?

Hi, guys,
From MSDN’s connect remarks:
For a connectionless socket (for example, type SOCK_DGRAM),
the operation performed by connect is merely to establish a default destination address
that can be used on subsequent send/WSASend and recv/WSARecv calls. Any datagrams
received from an address other than the destination address specified will be discarded.

I am trying to intercept UDP and redirect it to another IP/port.
E.g., I can intercept connect (TDI_CONNECT) and redirect from 192.168.0.158 to 10.1.0.158.
From the tcpdump output, when my UDP client application calls ‘send’ to send a package to the server, the server
can receive it and send a response package to my client, but my client application cannot ‘recv’ the package.

I think the reason is that when UDP ‘connect’ is called, it establishes the relationship between the ‘s’
and the ‘destination ip/port’, but I modified the ‘destination ip/port’, so the udp/ip device will
discard the received package, right?
If that is true, where and how can I control and modify the relationship?

Thanks!

Best Regards
Ouyang Kai

> e.g: I can intercept connect(TDI_CONNECT)

For what?
Use NDIS IM driver, and patch the UDP/IP headers there.

TDI filters are bad.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Hello,

> I am trying to intercept UDP and redirect it to another IP/port.
> E.g., I can intercept connect (TDI_CONNECT) and redirect from 192.168.0.158 to 10.1.0.158.
> From the tcpdump output, when my UDP client application calls ‘send’ to send a package to the server, the server
> can receive it and send a response package to my client, but my client application cannot ‘recv’ the package.
>
> I think the reason is that when UDP ‘connect’ is called, it establishes the relationship between the ‘s’
> and the ‘destination ip/port’, but I modified the ‘destination ip/port’, so the udp/ip device will
> discard the received package, right?
> If that is true, where and how can I control and modify the relationship?

You should also manually replace IP-address in TDI receive datagram event
handler.

> > e.g: I can intercept connect(TDI_CONNECT)
>
> For what?
> Use NDIS IM driver, and patch the UDP/IP headers there.
>
> TDI filters are bad.

What about LSP? Some days ago I had a look at ws2ifsl driver that
“redirects” send/recv back to user-mode for LSP filtering. Is such design
better for filters than filtering TDI?

Vlad
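
Added example, not part of the thread: the connected-datagram rule quoted from MSDN in the question, shown in user mode with POSIX sockets on loopback rather than TDI or Winsock. A second local port (a constructed stand-in) plays the redirect target; a reply from it never reaches the connected socket, which is the mismatch that the receive-side address replacement suggested above is meant to remove.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* UDP socket bound to 127.0.0.1 on a kernel-chosen port; address in *addr. */
static int bound_udp(struct sockaddr_in *addr)
{
    socklen_t len = sizeof *addr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd >= 0 && (bind(fd, (struct sockaddr *)addr, len) < 0 ||
                    getsockname(fd, (struct sockaddr *)addr, &len) < 0)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

/* Client connect()s to `orig`; a reply is then sent from `orig` or from `redir`
 * (constructed stand-in). Returns 1 if recv() got it, 0 if dropped, -1 on error. */
int reply_delivered(int from_original)
{
    struct sockaddr_in orig, redir, cli;
    struct timeval tv = { 0, 300000 };  /* recv() gives up after 300 ms */
    char buf[16];
    int o = bound_udp(&orig), r = bound_udp(&redir), c = bound_udp(&cli);
    int result = -1;
    if (o >= 0 && r >= 0 && c >= 0 &&
        connect(c, (struct sockaddr *)&orig, sizeof orig) == 0 &&
        setsockopt(c, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) == 0 &&
        sendto(from_original ? o : r, "reply", 5, 0,
               (struct sockaddr *)&cli, sizeof cli) == 5)
        result = recv(c, buf, sizeof buf, 0) == 5;
    if (o >= 0) close(o);
    if (r >= 0) close(r);
    if (c >= 0) close(c);
    return result;
}

int main(void)
{
    printf("peer: %d, other source: %d\n", reply_delivered(1), reply_delivered(0));
    return 0;
}
```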

Hi, Maxim S. Shatskih,
For SSL VPN. I have asked you for help.
My project is that the legacy application can access the servers transparently based on the SSL VPN mechanism.
In the last months, I implemented part of the functions of this project based on hooking ws2_32.dll. But there
are some difficulties in supporting all the TCP/UDP applications (e.g., NetBT, some UDP apps).
So, I want to do it in TDI or NDIS.

My main demands are shown in the following:

  1. The user can only access some servers in the VPN (the server list info can be obtained when the user logs in).
  2. All data in the public network must be transmitted over SSL.

About NDIS-IM, if I do a virtual NIC like OpenVPN, the server must provide a virtual NIC, right? If possible,
I do not want to modify the whole server framework.
If the server must be rewritten based on a virtual NIC (e.g., tun), how to solve the multi-client problem? About OpenVPN,
it is not solved integrally.
Thanks!
Best Regards
Ouyang Kai

> > e.g: I can intercept connect(TDI_CONNECT)
>
> For what?
> Use NDIS IM driver, and patch the UDP/IP headers there.
>
> TDI filters are bad.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@wtwh.com.cn
To unsubscribe send a blank email to xxxxx@lists.osr.com


Hi, Vladislav Goncharov,

> What about LSP? Some days ago I had a look at ws2ifsl driver that
> “redirects” send/recv back to user-mode for LSP filtering. Is such design
> better for filters than filtering TDI?

What’s it? Where can I get more info?

> Vlad



> > What about LSP? …
> What’s it? Where can I get more info?

http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

Vlad

Hi, Vladislav Goncharov,

> > What about LSP? …
> What’s it? Where can I get more info?
>
> http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

Thank you so much!
But I am afraid that the LSP could not support NetBios… :(

Best Regards
Ouyang Kai

> Vlad



> What about LSP? Some days ago I had a look at ws2ifsl driver that
> “redirects” send/recv back to user-mode for LSP filtering. Is such design
> better for filters than filtering TDI?

Probably. At least it is supported by MS and documented.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> About NDIS-IM, if I do a virtual NIC like OpenVPN, The server
> must provide a virtual nic, right?

Yes.

> If could, I do not want to modify the whole server framework.

Modifying the whole framework is by far better than applying hooks to DLLs.

Also SSL is not a solution for VPNs. It is an application-level protocol and not
network-level.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

As per my previous research (hack), LSP is probably the best place. IIRC, it
does have two flavors of layering, and one
is more than sufficient for all this filtering (etc.). But then there are
times when someone gets into the krnlmode, VPN happens to be one. IM is the
excellent layer for VPN. Process or application context are hard to capture,
as we all know, lower the layer in the driver stack higher the chance of
missing context, asynch/queued processing happens, so people try to get to
that so-called thin upper layer (TDI), since it is documented, and there are
some excellent implementations using that layer (www.pcusa.com for TDI
filter), and kernel sockets (either from osr or storagecraft). I’M NOT WITH
ANY OF THESE COMPANIES, so it is just customer satisfaction, not an
advertisement :). I would recommend studying those as well …

Finally, the blackArt afd filtering. Since most of today’s traffic is based
on sockets, afd is still a junction point, as far as I know, no context loss
or wheel of misfortune.

This is my Pie/2 cents … :)

-pro

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Maxim S. Shatskih
Sent: Wednesday, April 21, 2004 12:18 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Where can I intercept and control UDP connect in TDI
filter driver?

> What about LSP? Some days ago I had a look at ws2ifsl driver that
> “redirects” send/recv back to user-mode for LSP filtering. Is such design
> better for filters than filtering TDI?

Probably. At least it is supported by MS and documented.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

