There are many discussions of NDIS hooks on the internet, but most of them only cover hooking the routines in NDIS_OPEN_BLOCK on systems before Windows 7; how to hook on Windows 7, and how to do a miniport hook, is rarely mentioned. Based on my own analysis of the earlier material, I summarize NDIS hooking here. Several articles on the internet already discuss NDIS hooks; please read those first to get a basic understanding of what an NDIS hook is.

[0x01] The first step is getting the device GUID of the physical NIC. This step can be skipped if you only want an ordinary NDIS hook. Why get the GUID of the physical NIC? Because there may be several miniports in the system, and each miniport corresponds to one network adapter device, whether that adapter is virtual or physical. So to do a miniport hook we must find the miniport that corresponds to the physical NIC. There are two ways to get the physical NIC's GUID.

Method 1: Read the NIC's device name from the registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, for example {F0AFC092-E841-48DF-909F-78146070F5D3}. Some systems do not have this registry key, so this method is not universal.

Method 2: Also through the registry. First enumerate the subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI. At the second level, for example HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_10DE&DEV_0BE4&SUBSYS_00000000&REV_A1\4&2f49a5f6&0&0108, read the current device's ClassGUID value. If the ClassGUID is {4d36e972-e325-11ce-bfc1-08002be10318}, the current device is a network adapter, and we continue by reading the value named Driver, whose data is typically something like {4d36e972-e325-11ce-bfc1-08002be10318}\0007. We then append this value to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class, which gives the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0007; the NetCfgInstanceId value under that subkey is the device GUID of the physical NIC.

[0x02] XP NDIS hook: register a fake protocol, traverse all NDIS_OPEN_BLOCKs, and hook the relevant routines of the TCPIP protocol's NDIS_OPEN_BLOCK (ReceiveHandler, ReceivePacketHandler, WanSendHandler, SendHandler, SendPacketsHandler, etc.). These are described in the other articles on NDIS hooks and are not repeated here.

XP NDIS miniport hook: again register the fake protocol first, find the NDIS_OPEN_BLOCK whose DeviceName is the physical NIC's device GUID, and hook its WSendHandler or WSendPacketsHandler. Only this NDIS_OPEN_BLOCK is bound to the physical NIC; this avoids hooking an NDIS_OPEN_BLOCK that is bound to some virtual NIC, or the binding between an intermediate-layer filter driver and the upper-level protocol (remember that an intermediate-layer filter driver appears to the protocol driver above it as a miniport).

[0x03] WIN7 NDIS hook: still traverse all NDIS_OPEN_BLOCKs. Intercepting the send path requires an inline hook of ndis!NdisSendNetBufferLists, or hooking the ndis!NdisSendNetBufferLists entry in the IAT of tcpip.sys; intercepting the receive path requires hooking ReceiveNetBufferListsHandler in the NDIS_OPEN_BLOCK.

WIN7 miniport hook: traverse the NDIS_OPEN_BLOCKs, find the one whose DeviceName is the physical NIC's device GUID, locate the corresponding NDIS_MINIPORT_BLOCK from that NDIS_OPEN_BLOCK, then locate the NDIS_M_DRIVER_BLOCK structure (offset 0xE04); at offset 0x60 of NDIS_M_DRIVER_BLOCK is the miniport send function SendNetBufferListsHandler, which is hooked directly there.
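The registry walk of Method 2 in [0x01], as an added PowerShell example that is not part of the original post, useful for inventorying which adapters on a host are real hardware before looking at their miniport bindings: it enumerates the PCI enum tree, keeps only devices whose ClassGUID is the network adapter class, and resolves each Driver value to the NetCfgInstanceId under Control\Class. The value names ClassGUID, Driver and NetCfgInstanceId come from the page; DriverDesc is assumed to be present next to NetCfgInstanceId.

```powershell
# Added example: resolve physical NIC device GUIDs via Enum\PCI -> Control\Class.
# Run in an elevated prompt; Enum\PCI subkeys are not readable by every account.
$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # network adapter setup class
$PciRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI'
$ClassRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'

function Get-PhysicalNicGuid {
    $results = @()
    # First level: VEN_xxxx&DEV_xxxx&... ; second level: instance id (e.g. 4&2f49a5f6&0&0108)
    foreach ($devKey in Get-ChildItem -Path $PciRoot -ErrorAction SilentlyContinue) {
        foreach ($instKey in Get-ChildItem -Path $devKey.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $instKey.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.ClassGUID) { continue }
            # Only keep devices of the network adapter class (string compare is case-insensitive)
            if ($props.ClassGUID -ne $NetClassGuid) { continue }
            if ([string]::IsNullOrEmpty($props.Driver)) { continue }
            # Driver looks like "{4d36e972-...}\0007"; append it to Control\Class
            $classKey   = Join-Path $ClassRoot $props.Driver
            $classProps = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
            if ($null -eq $classProps -or [string]::IsNullOrEmpty($classProps.NetCfgInstanceId)) { continue }
            $results += [pscustomobject]@{
                PciInstance      = "$($devKey.PSChildName)\$($instKey.PSChildName)"
                DriverKey        = $props.Driver
                NetCfgInstanceId = $classProps.NetCfgInstanceId   # the physical NIC device GUID
                Description      = $classProps.DriverDesc         # assumed value name
            }
        }
    }
    return $results
}

Get-PhysicalNicGuid | Format-Table -AutoSize
```

Adapters that are purely virtual (VPN, hypervisor, loopback) do not live under Enum\PCI, so they never appear in this output; that is the filtering property the miniport hook section relies on.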
[0x04] Other notes:

NDIS_PROTOCOL_BLOCK: this structure represents protocol-related information; each protocol driver has one.

NDIS_OPEN_BLOCK: this structure represents the binding relationship between a protocol (PROTOCOL) and a NIC (miniport).

NDIS_MINIPORT_BLOCK: this structure represents miniport information. Besides the physical NICs and virtual NICs that each have one, an IMD (intermediate-layer filter driver) appears as a miniport from above, so an IMD also has one of these structures.

IMD: appears as a miniport to the layer above and as a protocol to the layer below, so there is an NDIS_OPEN_BLOCK between the IMD and the upper protocol, and another NDIS_OPEN_BLOCK between the IMD and the lower miniport.
Tags: NDIS, WIN7, WINXP, Hook, Network packet delivery