Implementation of NDIS Hook and miniport hook

Source: Internet
Author: User

[0x00]

There are many articles about NDIS hooking on the Internet, but most of them only cover hooking the routines in ndis_open_block on systems before Win7. How to hook on Win7, and how to do a miniport hook, is rarely discussed. Based on analysis I did a while ago, I have summarized NDIS hooking here. Several NDIS Hook articles are already available on the Internet; please read them first to gain a basic understanding of NDIS hooking.

[0x01]

The first step is to obtain the device GUID of the physical NIC. If you only need a normal NDIS hook, you can skip this step. The GUID of the physical NIC is needed because the system may have several miniports, each corresponding to one NIC device, whether that NIC is virtual or physical.

Therefore, to build a miniport hook you must find the miniport that corresponds to the physical NIC. The following two methods obtain the GUID of the physical NIC.

Method 1: read the registry key \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards to get the device name of the NIC, such as {F0AFC092-E841-48DF-909F-78146070f5d3}. This key is not present on some systems, so the method is not universal.

Method 2: traverse the second-level subkeys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI, for example HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\ven_10de&dev_0be4&subsys_00000000&rev_a1\4&2f49a5f6&0&0108.

Read the ClassGUID of each device. If the ClassGUID is {4d36e972-e325-11ce-bfc1-08002be10318}, the device is a network adapter; then read the value named Driver, whose data is typically of the form {4d36e972-e325-11ce-bfc1-08002be10318}\0007.

Append that value to the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class, giving HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0007. The NetCfgInstanceId value under this subkey is the GUID of the physical NIC.
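The two registry walks above, as an added PowerShell example that is not part of the original article. It implements Method 2 as the primary path (Enum\PCI, ClassGUID filter, Driver value, Control\Class subkey, NetCfgInstanceId) and, when the NetworkCards key from Method 1 exists on the system, cross-checks each result against the ServiceName values stored there. The function name Get-PhysicalNicGuid and the output fields are my own choices; the script only reads the registry and needs no driver, but some Enum\PCI subkeys are readable only from an elevated prompt.

```powershell
# Added example (not from the original article): enumerate physical NICs by
# walking Enum\PCI -> Control\Class (Method 2) and cross-check with NetworkCards (Method 1).

$NetClassGuid = '{4d36e972-e325-11ce-bfc1-08002be10318}'   # network adapter class GUID from the article
$PciRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI'
$ClassRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$CardsRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards'

function Get-PhysicalNicGuid {
    $results = @()

    # First level: ven_xxxx&dev_xxxx&subsys_...&rev_xx ; second level: bus instance ids such as 4&2f49a5f6&0&0108
    foreach ($vendorKey in (Get-ChildItem -Path $PciRoot -ErrorAction SilentlyContinue)) {
        foreach ($instKey in (Get-ChildItem -Path $vendorKey.PSPath -ErrorAction SilentlyContinue)) {
            $props = Get-ItemProperty -Path $instKey.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { continue }                         # unreadable without elevation
            if ($props.ClassGUID -ne $NetClassGuid) { continue }  # not a network adapter
            if (-not $props.Driver) { continue }                  # no driver instance bound

            # Driver looks like {4d36e972-...}\0007 ; append it to Control\Class
            $driverKey = Join-Path $ClassRoot $props.Driver
            $drv = Get-ItemProperty -Path $driverKey -ErrorAction SilentlyContinue
            if (-not ($drv -and $drv.NetCfgInstanceId)) { continue }

            $results += [pscustomobject]@{
                PciInstance      = "$($vendorKey.PSChildName)\$($instKey.PSChildName)"
                DriverKey        = $props.Driver
                Description      = $drv.DriverDesc
                NetCfgInstanceId = $drv.NetCfgInstanceId
                InNetworkCards   = $null   # filled in below when Method 1's key exists
            }
        }
    }

    # Method 1 cross-check: NetworkCards\<n>\ServiceName holds the same GUID on systems that have the key.
    if (Test-Path $CardsRoot) {
        $known = Get-ChildItem -Path $CardsRoot -ErrorAction SilentlyContinue |
                 ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ServiceName }
        foreach ($r in $results) { $r.InNetworkCards = ($known -contains $r.NetCfgInstanceId) }
    }

    return $results
}

Get-PhysicalNicGuid | Format-Table -AutoSize
```

Only PCI-enumerated adapters are returned, which is exactly the filter the article relies on: virtual adapters and intermediate-driver miniports live under other enumerators, so their open blocks never match the GUID this function yields.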
 
[0x02]

XP NDIS hook: register a fake protocol to traverse all ndis_open_block structures, and hook the related routines (ReceiveHandler, ReceivePacketHandler, WanSendHandler, SendHandler, SendPacketsHandler, etc.) in every ndis_open_block bound to the TCPIP protocol. The existing NDIS Hook articles describe this.

XP NDIS miniport hook: you still register the fake protocol first, then find the ndis_open_block whose DeviceName is the GUID of the physical NIC device and hook its WSendHandler or WSendPacketsHandler. Only the ndis_open_block bound to the physical NIC is hooked; this filters out the ndis_open_block structures that belong to other virtual NICs or to intermediate drivers and their bindings with upper-layer protocols (an intermediate driver presents itself to the protocol driver above it as a miniport).

[0x03]

Win7 NDIS hook: still traverse all ndis_open_block structures. To intercept the send path you must inline-hook ndis!NdisSendNetBufferLists, or hook ndis!NdisSendNetBufferLists in the IAT of tcpip.sys. To intercept the receive path you must hook ReceiveNetBufferListsHandler.

Win7 miniport hook: traverse the ndis_open_block structures and find the one whose DeviceName is the GUID of the physical NIC device. Locate the corresponding ndis_miniport_block, then the m_driver_block structure (offset 0xe04); at offset 0x60 of m_driver_block is the miniport's packet-sending function SendNetBufferListsHandler, which can be hooked directly.
 
[0x04]

Other notes:

NDIS_PROTOCOL_BLOCK: holds the protocol-related information; each protocol corresponds to one.

NDIS_OPEN_BLOCK: represents the binding between a protocol and a NIC (miniport).

NDIS_MINIPORT_BLOCK: represents a miniport. Since an IMD presents itself as a miniport upwards, an IMD also has its own NDIS_MINIPORT_BLOCK.

IMD (intermediate driver): its upper edge is a miniport and its lower edge is a protocol. Therefore an ndis_open_block exists between the IMD and the protocol above it, and another ndis_open_block exists between the IMD and the miniport below it.

The above is my own analysis and research, and it has been applied in an actual project. If you find any errors or problems, please email robinh00d_at_sina.com with your advice.
