TDI filter driver analysis

Source: Internet
Author: User

From: http://www.longene.org/forum/viewtopic.php?t=446

Contents

0. Introduction
0.1 TDI driver
0.2 Windows NT Network Structure

1. Filter devices
1.1 Bind the target
1.2 Dispatch functions
1.3 Filter addresses
1.4 Filter content
1.4.1 Filter HTTP
1.4.2 Filter DNS

2. Vista Network Structure

3. Driver code analysis
3.1 Main data structure analysis
3.2 Main algorithm analysis

4. Additional content
4.1 HTTP GET request data
4.2 HTTP POST request data

0. Introduction

0.1 TDI driver

The TDI driver is used in the Windows NT line from NT 4.0 through NT 5.x (Windows 2000, XP and Server 2003). This document analyzes the TDI driver by reading the code of the TDI transport driver. TDI is the abbreviation of Transport Driver Interface: it is the interface through which a transport driver exposes its implementation of the network-layer and transport-layer protocols to kernel-mode clients.

0.2 Windows NT Network Structure

Network applications generally use the Winsock interface through ws2_32.dll, as documented in the MSDN documentation. If other service providers (layered service providers) are installed, Windows NT loads their DLLs at this point to filter the Winsock API at the application layer. ws2_32.dll reads the service provider information from the registry and calls the implementation of the matching provider. For TCP/IP the call enters msafd.dll and its helper DLL wshtcpip.dll, from which the request is passed to AFD.sys by calling the native API in ntdll.dll. AFD is a file system driver, which is why Windows NT networking is so closely tied to file objects. The request then arrives at the TDI driver; for TCP/IP that driver is tcpip.sys. Finally the request goes down to NDIS and is sent or received by the miniport driver. That is the general path of a network packet. It is worth noting the design of AFD (Ancillary Function Driver): through a unified interface and the information in the registry it accommodates different protocol stacks. Part of the credit for this design also goes to Intel, because the code carries the signatures of many Intel engineers :-).

1. Filter devices

1.1 Bind the target

The TCP/IP transport creates four devices, not three: \Device\Tcp, \Device\Udp, \Device\RawIp and \Device\Ip. We do not need to care about \Device\Ip; what actually carries IP data is \Device\RawIp, and for our filtering purposes the IP address configuration traffic on \Device\Ip does not matter. So we create two devices of our own with IoCreateDevice and attach them, with IoAttachDevice, on top of \Device\Tcp and \Device\Udp. Be careful with IoAttachDevice: it opens the target device by name (a file open against the target) and closes that handle once the attach has completed, and because our device is already on the device stack at that moment, the resulting cleanup and close IRPs arrive at our own dispatch routines; they must be passed down like any other IRP we do not handle. We also save the address of the underlying TDI device object for later use. Set DO_DIRECT_IO in the Flags of the devices we create, because that is the I/O method the TDI transport below us uses.

1.2 Dispatch functions

Except for IRP_MJ_INTERNAL_DEVICE_CONTROL, every major function is routed to TCPDispatch. Inside TCPDispatch there are several cases:

1. IRPs for \Device\Ip are passed to IPDispatch. These IRPs come from tools such as ipconfig, ping and route.

1.1 IPCleanup is responsible for clearing out IRPs that are still pending.

1.2 IPDispatchDeviceControl first handles IOCTL_ICMP_ECHO_REQUEST; the call chain is
DispatchEchoRequest -> ICMPEchoRequest -> ICMPEcho -> SendEcho -> IPTransmit -> SendIPPacket.
IOCTL_ICMP_ECHO_REQUEST is what the icmp.dll interface shipped with the SDK is built on. ICMPEchoRequest can be called by the kernel protocol stack itself and can also serve user requests directly. IOCTL_IP_GET_NTE_INFO, IOCTL_IP_ADD_NTE and IOCTL_IP_DELETE_NTE manage network table entries (NTEs, the per-interface IP address entries). IOCTL_IP_SET_DHCP_INTERFACE provides the DHCP setting and IOCTL_IP_SET_ADDRESS sets an address. All of these are reachable through the documented helper APIs. IOCTL_IP_SET_FILTER_POINTER provides the hook by which an IP filter driver installs itself.

2. IRPs for the other three devices are dispatched within TCPDispatch itself.

2.1 For IRP_MJ_DEVICE_CONTROL, TdiMapUserRequest converts the user I/O control code into the internal MinorFunction; for example IOCTL_TDI_CONNECT becomes TDI_CONNECT. The IRP is then handed to TCPDispatchDeviceControl or TCPDispatchInternalDeviceControl. The former implements IOCTL_TCP_QUERY_INFORMATION_EX and IOCTL_TCP_SET_INFORMATION_EX. From Windows 2000 on, however, the requests coming from AFD no longer need this conversion.

2.2 IRP_MJ_QUERY_SECURITY is a reserved interface. It seems Microsoft was aware of the security issues of raw IP, but this interface only takes effect after the SP2 patch.

2.3 TCPCreate, TCPClose and TCPCleanup are the dispatch functions that handle the three kinds of file object: TDI_CONTROL_CHANNEL_FILE, TDI_CONNECTION_FILE and TDI_TRANSPORT_ADDRESS_FILE. The EA (extended attributes) buffer for a TDI_CONTROL_CHANNEL_FILE is empty. TCPCreate works as follows. Take the EA buffer passed to NtCreateFile; if it is NULL, a TDI_CONTROL_CHANNEL_FILE is created. If it is not empty, use FindEA to look for the TdiTransportAddress EA; if it is found, open an address object with TdiOpenAddress. A transport address object can be created on all three devices. Otherwise search with FindEA for TdiConnectionContext; if it is found, create a connection object with TdiOpenConnection, which only the TCP device supports.

2.4 TCPDispatchInternalDeviceControl implements most of the TDI functionality. Much like an ordinary file system driver, the TDI driver keeps its per-file state in the file object: FsContext points at the object that TCPCreate created for the file (the address object or the connection object) and FsContext2 records the object type.
If FsContext2 is TDI_CONNECTION_FILE, that is, a connection object, the IRPs handled are TDI_RECEIVE, TDI_DISASSOCIATE_ADDRESS, TDI_CONNECT, TDI_DISCONNECT, TDI_LISTEN, TDI_ACCEPT, TDI_SEND and TDI_ASSOCIATE_ADDRESS.
If FsContext2 is TDI_TRANSPORT_ADDRESS_FILE, they are TDI_SEND_DATAGRAM and TDI_RECEIVE_DATAGRAM.
TDI_QUERY_INFORMATION and TDI_SET_INFORMATION can be processed on either of these two types.

TdiMapUserRequest maps IRP_MJ_DEVICE_CONTROL onto IRP_MJ_INTERNAL_DEVICE_CONTROL: network requests sent through AFD.sys already arrive as IRP_MJ_INTERNAL_DEVICE_CONTROL, while a user-mode caller that opens the TDI device directly sends IRP_MJ_DEVICE_CONTROL. In addition, Windows NT components use IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER and IOCTL_TDI_QUERY_DIRECT_SENDDG_HANDLER internally to obtain a function pointer and then send data by calling the transport directly, with no IRP at all. This undocumented mechanism bypasses our filter. A filter that must see all traffic has to deal with it: the usual approach is to fail these two IOCTLs so that the caller falls back to the IRP path, or to return a handler of its own that wraps the transport's. Consider this when necessary.

1.3 Filter addresses

1.3.1 Local address

The local address is in the EA value that follows EaName (TdiTransportAddress): a TRANSPORT_ADDRESS whose TA_ADDRESS carries a TDI_ADDRESS_IP with sin_port and in_addr, both in network byte order.

1.3.2 Remote address

For TCP the remote address is reached through ((PTDI_REQUEST_KERNEL_CONNECT)&irpSp->Parameters)->RequestConnectionInformation->RemoteAddress.
For RawIP and UDP it is reached through ((PTDI_REQUEST_KERNEL_SENDDG)&irpSp->Parameters)->SendDatagramInformation->RemoteAddress.
In both cases RemoteAddress points to a TRANSPORT_ADDRESS laid out exactly like the local one, so one routine can decode both. On the send side (TDI_CONNECT, TDI_SEND_DATAGRAM) it is valid when the IRP arrives; for TDI_RECEIVE_DATAGRAM the peer address is only filled in when the IRP completes.
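As an added example, not code from the article or from tcpip.sys: the EA walk that TCPCreate performs (section 1.2) and the TRANSPORT_ADDRESS decoding of section 1.3, written as user-mode C with the structure layouts spelled out byte by byte (FILE_FULL_EA_INFORMATION, TRANSPORT_ADDRESS, TA_ADDRESS and TDI_ADDRESS_IP as declared in the DDK headers, which are 1-byte packed), so it builds and runs without the DDK. The sample EA buffer is constructed by hand for the client endpoint 192.168.0.51:1422 that appears in the capture in section 4.1, the connection-context sample is made up, and the function and type names are this example's own.

```c
/* Added example (not from the article or tcpip.sys): classify an IRP_MJ_CREATE by
   its EA chain the way TCPCreate does, and decode the IPv4 endpoint from a
   TRANSPORT_ADDRESS. Integers in the structures are little-endian x86 values;
   sin_port and in_addr inside TDI_ADDRESS_IP are in network (big-endian) order. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TDI_ADDRESS_TYPE_IP   2    /* AF_INET */
#define TDI_ADDRESS_LENGTH_IP 14   /* sin_port(2) + in_addr(4) + sin_zero(8) */
#define EA_TRANSPORT_ADDRESS  "TransportAddress"   /* TdiTransportAddress */
#define EA_CONNECTION_CONTEXT "ConnectionContext"  /* TdiConnectionContext */

typedef enum {
    TDI_FILE_CONTROL_CHANNEL,    /* no EA: TDI_CONTROL_CHANNEL_FILE */
    TDI_FILE_TRANSPORT_ADDRESS,  /* TdiTransportAddress EA: TDI_TRANSPORT_ADDRESS_FILE */
    TDI_FILE_CONNECTION,         /* TdiConnectionContext EA: TDI_CONNECTION_FILE, TCP only */
    TDI_FILE_MALFORMED           /* truncated EA chain or unknown EA name: reject the open */
} tdi_file_kind;

typedef struct { tdi_file_kind kind; uint16_t port; uint32_t ip; } tdi_open_info; /* host order */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p) { return p[0] | p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16be(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }

/* TRANSPORT_ADDRESS: LONG TAAddressCount, then TA_ADDRESS entries of
   USHORT AddressLength, USHORT AddressType, UCHAR Address[AddressLength].
   Returns the first IPv4 entry; serves the local address in the EA value and
   RemoteAddress in TDI_CONNECTION_INFORMATION alike. */
int tdi_parse_transport_address(const uint8_t *buf, size_t len, uint16_t *port, uint32_t *ip)
{
    if (len < 4) return -1;
    uint32_t count = rd32le(buf);
    size_t off = 4;
    for (uint32_t i = 0; i < count; i++) {
        if (off + 4 > len) return -1;
        uint16_t alen = rd16le(buf + off), atype = rd16le(buf + off + 2);
        off += 4;
        if (off + alen > len) return -1;                  /* entry claims bytes we do not have */
        if (atype == TDI_ADDRESS_TYPE_IP && alen >= TDI_ADDRESS_LENGTH_IP) {
            *port = rd16be(buf + off);                    /* TDI_ADDRESS_IP.sin_port */
            *ip = rd32be(buf + off + 2);                  /* TDI_ADDRESS_IP.in_addr */
            return 0;
        }
        off += alen;                                      /* skip an entry of another family */
    }
    return -1;
}

/* ea is a chain of FILE_FULL_EA_INFORMATION records: NextEntryOffset(4) Flags(1)
   EaNameLength(1) EaValueLength(2) EaName[EaNameLength] NUL EaValue[EaValueLength]. */
tdi_open_info tdi_classify_create(const uint8_t *ea, size_t ea_len)
{
    tdi_open_info info = { TDI_FILE_CONTROL_CHANNEL, 0, 0 };
    size_t off = 0;
    if (ea == NULL || ea_len == 0) return info;           /* no EA at all: control channel */
    for (;;) {
        if (off + 8 > ea_len) break;
        uint32_t next = rd32le(ea + off);
        uint8_t name_len = ea[off + 5];
        uint16_t value_len = rd16le(ea + off + 6);
        size_t name_off = off + 8, value_off = name_off + name_len + 1;
        if (value_off + value_len > ea_len) break;        /* record runs past the buffer */
        if (name_len == sizeof EA_TRANSPORT_ADDRESS - 1 &&
            memcmp(ea + name_off, EA_TRANSPORT_ADDRESS, name_len) == 0) {
            info.kind = TDI_FILE_TRANSPORT_ADDRESS;
            if (tdi_parse_transport_address(ea + value_off, value_len, &info.port, &info.ip) != 0)
                info.kind = TDI_FILE_MALFORMED;
            return info;
        }
        if (name_len == sizeof EA_CONNECTION_CONTEXT - 1 &&
            memcmp(ea + name_off, EA_CONNECTION_CONTEXT, name_len) == 0) {
            info.kind = TDI_FILE_CONNECTION;              /* value is the client's opaque context */
            return info;
        }
        if (next == 0 || next < 8) break;                 /* end of chain, or a bogus offset */
        off += next;
    }
    info.kind = TDI_FILE_MALFORMED;
    return info;
}

/* Constructed EA as AFD would build it for a bind of 192.168.0.51:1422, the client
   endpoint in the capture in section 4.1. */
static const uint8_t sample_bind_ea[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 16, 22, 0x00,           /* last record, name 16, value 22 */
    'T','r','a','n','s','p','o','r','t','A','d','d','r','e','s','s', 0x00,
    0x01, 0x00, 0x00, 0x00,                               /* TAAddressCount = 1 */
    14, 0x00, 0x02, 0x00,                                 /* AddressLength 14, AddressType IP */
    0x05, 0x8e, 0xc0, 0xa8, 0x00, 0x33,                   /* port 1422, 192.168.0.51 */
    0, 0, 0, 0, 0, 0, 0, 0                                /* sin_zero */
};
/* Constructed EA for a connection object open (made-up context value). */
static const uint8_t sample_connect_ea[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 17, 4, 0x00,
    'C','o','n','n','e','c','t','i','o','n','C','o','n','t','e','x','t', 0x00,
    0xef, 0xbe, 0xad, 0xde
};

int main(void)
{
    tdi_open_info i = tdi_classify_create(sample_bind_ea, sizeof sample_bind_ea);
    printf("kind=%d local=%u.%u.%u.%u:%u\n", (int)i.kind, (unsigned)(i.ip >> 24),
           (unsigned)(i.ip >> 16 & 255), (unsigned)(i.ip >> 8 & 255), (unsigned)(i.ip & 255), i.port);
    return 0;
}
```

In the filter itself the same two routines run on Irp->AssociatedIrp.SystemBuffer (the EA buffer of an IRP_MJ_CREATE) and on the RemoteAddress pointer of a TDI_CONNECT or TDI_SEND_DATAGRAM; the length checks are what keep a malformed buffer from an untrusted user-mode caller from walking off the end.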

1.4 Filter content

When filtering TDI_SEND, TDI_RECEIVE, TDI_SEND_DATAGRAM and TDI_RECEIVE_DATAGRAM, the payload is described by Irp->MdlAddress: map the MDL (MmGetSystemAddressForMdlSafe) before reading it, and for the two receive requests the buffer only holds data once the IRP completes, so inspect it in a completion routine. Note also that AFD normally receives through the event handlers it registers with TDI_SET_EVENT_HANDLER rather than through TDI_RECEIVE IRPs, so a filter that wants to see received data must intercept that request and wrap the handlers as well. Finally, one send or receive carries only a piece of the byte stream: an HTTP message can begin in one buffer and continue in the next.

1.4.1 Filter HTTP

For this section refer to RFC 1945, RFC 2068 and RFC 2616 for the HTTP/1.0 and HTTP/1.1 standards, and RFC 2518 and RFC 3253 for WebDAV.

1. Filtering requests. The request methods to filter are GET and POST. The request line has the format: Method Request-URI HTTP-Version.
The GET request in the example is: GET /cgi-bin/cvstrac/NetWorkAudit/wiki HTTP/1.1\r\n
The POST request in the example is: POST /cgi-bin/cvstrac/NetWorkAudit/login HTTP/1.1\r\n
The headers mainly consist of:
Accept: image/gif, image/x-xbitmap, image/jpeg, ... application/msword, */*\r\n
Referer: http://192.168.0.8/cgi-bin/cvstrac/netw...audit/wiki\r\n
Accept-Language: zh-cn\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Accept-Encoding: gzip, deflate\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NE...7)\r\n
Host: 192.168.0.8\r\n
Content-Length: 80\r\n
Connection: Keep-Alive\r\n
Cache-Control: no-cache\r\n
Content-Length is the important one: its value is the length of the body in bytes.
Body. Of the two methods only POST carries a body. It follows the headers, separated from them by one blank line (an empty CRLF). For example, the POST form parameters:
nxp=%2Fcgi-bin%2Fcvstrac%2FNetWorkAudit%2Fwiki&u=welear&p=welfar&in=%B5%C7%C2%BC
Note that this login form carries the user name and password in clear text; everything a browser submits over plain HTTP is visible to a filter at this layer.

2. Filtering responses. The status line has the format: HTTP-Version Status-Code Reason-Phrase. Headers and body are laid out as in the request. For example:
HTTP/1.1 302 Moved Temporarily\r\n
Date: Tue, 11 Mar 2008 09:32:00 GMT\r\n
Server: Apache/1.3.19 (Unix) (Red-Hat/Linux)\r\n
Location: /cgi...\r\n
Content-Length: 106\r\n
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=gb2312\r\n
Content-Type and Content-Length are the important headers, and the normal success status code is 200. Resumable transfers (Range requests answered with 206 Partial Content) still need further study before they can be filtered.

Filter the header fields as needed and save part of the body. The Host field (optional in HTTP/1.0, required in HTTP/1.1) combined with the Request-URI gives the URL the user's browser asked for. To judge the user's intention you also need to filter on the suffix of the file in a GET request: html and htm are the usual suffixes of static web pages, and asp, aspx, php and jsp are the usual suffixes of dynamic pages. For POST requests do not filter by suffix; filter the POST parameters instead. If the Host field is absent, you must use the method described under "Filter DNS" below.
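As an added example, not code from the article: a parser for the request format just described, in plain C so it runs in user mode; in the filter the buffer would be the mapped MDL of a TDI_SEND. It goes a step beyond the text by handling a request that is split across sends (the header block or the Content-Length body arriving in pieces) and by classifying the Request-URI suffix the way the paragraph above suggests. The two sample requests are reconstructed from the captures in section 4 with the long Accept, Referer and User-Agent headers left out; the names http_parse_request and http_uri_kind are this example's own.

```c
/* Added example (not from the article): HTTP request parsing over the bytes behind
   one TDI_SEND, returning HTTP_NEED_MORE when the filter has to buffer and retry. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { HTTP_COMPLETE = 0, HTTP_NEED_MORE = 1, HTTP_MALFORMED = 2 } http_result;
typedef enum { URI_STATIC_PAGE, URI_DYNAMIC_PAGE, URI_OTHER } uri_kind;

typedef struct {
    char method[8], uri[512], version[16], host[128], content_type[64];
    long content_length;   /* -1 when the header is absent (the GET case) */
    size_t body_offset;    /* where the body starts in the buffer */
    size_t body_present;   /* body bytes actually held in this buffer */
} http_request;

static void copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;                 /* truncate rather than overflow */
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Case-insensitive "Name:" match; returns the value with leading blanks skipped, else NULL. */
static const char *header_value(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return NULL;
    if (line[n] != ':') return NULL;
    line += n + 1;
    while (*line == ' ' || *line == '\t') line++;
    return line;
}

http_result http_parse_request(const char *buf, size_t len, http_request *req)
{
    memset(req, 0, sizeof *req);
    req->content_length = -1;

    const char *hdr_end = NULL;                /* the CRLF CRLF that ends the headers */
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { hdr_end = buf + i; break; }
    if (!hdr_end) return HTTP_NEED_MORE;       /* header block not yet complete */
    const char *limit = hdr_end + 2;           /* every header line ends at or before this */

    /* Request-Line: Method SP Request-URI SP HTTP-Version CRLF */
    const char *p = buf;
    const char *cr = memchr(p, '\r', (size_t)(limit - p));
    const char *sp1 = cr ? memchr(p, ' ', (size_t)(cr - p)) : NULL;
    const char *sp2 = sp1 ? memchr(sp1 + 1, ' ', (size_t)(cr - sp1 - 1)) : NULL;
    if (!sp2 || cr[1] != '\n') return HTTP_MALFORMED;
    copy_field(req->method, sizeof req->method, p, (size_t)(sp1 - p));
    copy_field(req->uri, sizeof req->uri, sp1 + 1, (size_t)(sp2 - sp1 - 1));
    copy_field(req->version, sizeof req->version, sp2 + 1, (size_t)(cr - sp2 - 1));
    if (strncmp(req->version, "HTTP/", 5) != 0) return HTTP_MALFORMED;

    /* Header lines: Name ":" value CRLF, up to the blank line */
    for (p = cr + 2; p < hdr_end; p = cr + 2) {
        char line[1024];
        cr = memchr(p, '\r', (size_t)(limit - p));
        if (!cr || cr[1] != '\n') return HTTP_MALFORMED;
        copy_field(line, sizeof line, p, (size_t)(cr - p));
        const char *v;
        if ((v = header_value(line, "Host")) != NULL)
            copy_field(req->host, sizeof req->host, v, strlen(v));
        else if ((v = header_value(line, "Content-Type")) != NULL)
            copy_field(req->content_type, sizeof req->content_type, v, strlen(v));
        else if ((v = header_value(line, "Content-Length")) != NULL) {
            char *end;
            long n = strtol(v, &end, 10);
            if (end == v || n < 0) return HTTP_MALFORMED;   /* refuse a nonsense length */
            req->content_length = n;
        }
    }

    /* Body: present only when Content-Length says so, and possibly split across sends */
    req->body_offset = (size_t)(hdr_end + 4 - buf);
    if (req->content_length < 0) return HTTP_COMPLETE;
    size_t avail = len - req->body_offset, want = (size_t)req->content_length;
    req->body_present = avail < want ? avail : want;
    return req->body_present < want ? HTTP_NEED_MORE : HTTP_COMPLETE;
}

/* Suffix classification for GET: the query string is ignored and only the extension
   of the last path segment counts. */
uri_kind http_uri_kind(const char *uri)
{
    size_t plen = strcspn(uri, "?");
    const char *dot = NULL;
    for (size_t i = 0; i < plen; i++) {
        if (uri[i] == '/') dot = NULL;         /* a dot in an earlier segment does not count */
        else if (uri[i] == '.') dot = uri + i;
    }
    if (!dot) return URI_OTHER;
    char ext[8];
    copy_field(ext, sizeof ext, dot + 1, plen - (size_t)(dot + 1 - uri));
    for (char *c = ext; *c; c++) *c = (char)tolower((unsigned char)*c);
    if (!strcmp(ext, "html") || !strcmp(ext, "htm")) return URI_STATIC_PAGE;
    if (!strcmp(ext, "asp") || !strcmp(ext, "aspx") || !strcmp(ext, "php") || !strcmp(ext, "jsp"))
        return URI_DYNAMIC_PAGE;
    return URI_OTHER;
}

/* Reconstructed from the captures in section 4 (Accept, Referer, User-Agent dropped). */
static const char sample_get[] =
    "GET /cgi-bin/cvstrac/NetWorkAudit/login?nxp=/cgi-bin/cvstrac/NetWorkAudit/wiki HTTP/1.1\r\n"
    "Host: 192.168.0.8\r\nConnection: Keep-Alive\r\n\r\n";
static const char sample_post[] =
    "POST /cgi-bin/cvstrac/NetWorkAudit/login HTTP/1.1\r\nHost: 192.168.0.8\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 80\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
    "nxp=%2Fcgi-bin%2Fcvstrac%2FNetWorkAudit%2Fwiki&u=welear&p=welfar&in=%B5%C7%C2%BC";

int main(void)
{
    http_request r;
    http_result res = http_parse_request(sample_post, sizeof sample_post - 1, &r);
    printf("%s %s host=%s len=%ld present=%zu result=%d\n",
           r.method, r.uri, r.host, r.content_length, r.body_present, (int)res);
    return 0;
}
```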

1.4.2 Filter DNS

Filtering DNS packets is necessary in order to recover domain names, that is, to map an address back to the host name the user asked for. DNS queries and responses may use either UDP or TCP. In actual tests the DNS packets were sent without a connect, i.e. as datagrams through TDI_SEND_DATAGRAM on the UDP address object, so the remote address comes from SendDatagramInformation rather than from a connection object. Query and response share the same message format; the fields are:

1. ID. 2 bytes, used to match a response to its query.

2. Flags. 2 bytes, describing the message in detail:
QR (1 bit): 0 for a query, 1 for a response.
Opcode (4 bits): 0 standard query, 1 inverse query, 2 server status request.
AA (1 bit): the name server is authoritative for this domain.
TC (1 bit): the message was truncated (UDP messages longer than 512 bytes).
RD (1 bit): recursion desired.
RA (1 bit): recursion available.
Z (3 bits): reserved, must be 0.
RCODE (4 bits): 0 no error, 3 name error (the name does not exist).

3. Question count, answer record count, authority record count and additional record count. Each field is 2 bytes and gives the number of entries of that kind. Typically the question count or the answer count is 1 and the other values are 0.
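As an added example, not code from the article: a parser for the DNS message format above, in plain C, which also decodes the question name and walks the answer section for the first A record, since that (name, address) pair is what recovering the domain name actually needs and the text only describes the header. The packets are constructed for this example (192.0.2.1 is a documentation address), the function and type names are the example's own, and the name decoder bounds the number of compression-pointer jumps so a crafted response cannot loop the filter.

```c
/* Added example (not from the article): DNS header, question and answer parsing
   for the datagrams a TDI filter sees on the UDP address object for port 53. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint16_t id;
    uint8_t qr, opcode, aa, tc, rd, ra, z, rcode;
    uint16_t qdcount, ancount, nscount, arcount;
} dns_header;

typedef struct {
    char qname[256];
    uint16_t qtype, qclass;
    size_t next;           /* offset of the first record after the question */
} dns_question;

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* 12-byte header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all big-endian. */
int dns_parse_header(const uint8_t *pkt, size_t len, dns_header *h)
{
    if (len < 12) return -1;
    uint16_t f = be16(pkt + 2);
    h->id = be16(pkt);
    h->qr = f >> 15;        h->opcode = (f >> 11) & 0xF;  h->aa = (f >> 10) & 1;
    h->tc = (f >> 9) & 1;   h->rd = (f >> 8) & 1;         h->ra = (f >> 7) & 1;
    h->z = (f >> 4) & 7;    h->rcode = f & 0xF;
    h->qdcount = be16(pkt + 4);  h->ancount = be16(pkt + 6);
    h->nscount = be16(pkt + 8);  h->arcount = be16(pkt + 10);
    return 0;
}

/* Decode the name at off into dotted form, following 0xC0 compression pointers.
   *end receives the offset just past the name's in-line bytes. */
int dns_read_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t cap, size_t *end)
{
    size_t n = 0, jumps = 0;
    int jumped = 0;
    *end = off;
    for (;;) {
        if (off >= len) return -1;
        uint8_t l = pkt[off];
        if ((l & 0xC0) == 0xC0) {                          /* pointer to an earlier name */
            if (off + 1 >= len || ++jumps > 16) return -1; /* bounded: no pointer loops */
            if (!jumped) { *end = off + 2; jumped = 1; }
            off = (size_t)((l & 0x3F) << 8 | pkt[off + 1]);
            continue;
        }
        if (l == 0) { if (!jumped) *end = off + 1; break; } /* root label ends the name */
        if (l > 63 || off + 1 + l > len || n + l + 2 > cap) return -1;
        if (n) out[n++] = '.';
        memcpy(out + n, pkt + off + 1, l);
        n += l;
        off += 1 + l;
    }
    out[n] = '\0';
    return 0;
}

/* First question: QNAME, QTYPE, QCLASS right after the header. */
int dns_parse_question(const uint8_t *pkt, size_t len, dns_question *q)
{
    size_t end = 0;
    if (dns_read_name(pkt, len, 12, q->qname, sizeof q->qname, &end) != 0 || end + 4 > len) return -1;
    q->qtype = be16(pkt + end);
    q->qclass = be16(pkt + end + 2);
    q->next = end + 4;
    return 0;
}

/* Walk a response for its first A record: the (owner name, IPv4) pair a filter keeps so
   that later TCP connects to that address can be labelled with the host name. */
int dns_first_a_record(const uint8_t *pkt, size_t len, char *name, size_t cap, uint32_t *ip)
{
    dns_header h;
    size_t off = 12, end = 0;
    if (dns_parse_header(pkt, len, &h) != 0 || !h.qr || h.rcode != 0) return -1;
    for (uint16_t i = 0; i < h.qdcount; i++) {             /* skip the echoed questions */
        if (dns_read_name(pkt, len, off, name, cap, &end) != 0 || end + 4 > len) return -1;
        off = end + 4;
    }
    for (uint16_t i = 0; i < h.ancount; i++) {             /* NAME TYPE CLASS TTL RDLENGTH RDATA */
        if (dns_read_name(pkt, len, off, name, cap, &end) != 0 || end + 10 > len) return -1;
        uint16_t type = be16(pkt + end), rdlen = be16(pkt + end + 8);
        if (end + 10 + rdlen > len) return -1;
        if (type == 1 && rdlen == 4) {
            const uint8_t *a = pkt + end + 10;
            *ip = (uint32_t)a[0] << 24 | (uint32_t)a[1] << 16 | (uint32_t)a[2] << 8 | a[3];
            return 0;
        }
        off = end + 10 + rdlen;                            /* e.g. a CNAME before the A */
    }
    return -1;
}

/* Constructed packets: query for www.example.com, the matching response answering
   192.0.2.1, and a response whose question name is a pointer to itself. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,   /* ID, RD, QDCOUNT 1 */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,   /* QR RD RA, ANCOUNT 1 */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 192,0,2,1 };
static const uint8_t sample_loop[] = {
    0x00,0x01, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0xC0,0x0C, 0x00,0x01, 0x00,0x01 };

int main(void)
{
    char name[256]; uint32_t ip = 0;
    if (dns_first_a_record(sample_response, sizeof sample_response, name, sizeof name, &ip) == 0)
        printf("%s -> %u.%u.%u.%u\n", name, (unsigned)(ip >> 24), (unsigned)(ip >> 16 & 255),
               (unsigned)(ip >> 8 & 255), (unsigned)(ip & 255));
    return 0;
}
```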

2. Vista Network Structure

Vista made major changes to the network stack: WSK (Winsock Kernel) and WFP (Windows Filtering Platform) replace the TDI driver.

2.1 Winsock Kernel

Simplifying the seven-layer ISO model into the four layers that the vast majority of practical implementations use laid the design foundation for operating-system networking. In the Windows NT network stack the designers split the problem into two parts, TDI and NDIS. NDIS integrates the standard network protocols with the network cards, that is, it joins the network and transport layers to the data link and physical layers. The early TDI clients were mainly the socket emulator, the NetBIOS emulator and the redirector, so the socket interface existed only at the application layer. These TDI clients all end up using a socket-style network protocol anyway, and some of the TDI interfaces can be folded together to reduce the amount of code. In the Vista design the socket is moved into the kernel as the interface between the former TDI clients and NDIS, and what used to be a TDI client gets a new position: it becomes a WSK application implementing the WSK client NPI. The original Vista DDK text reads:
"WSK applications discover and attach to the WSK subsystem by using a set of WSK registration functions. Applications can use these functions to dynamically detect when the WSK subsystem is available and to exchange dispatch tables that constitute the provider and client side implementations of the WSK NPI."
The WSK subsystem here is the in-kernel provider of sockets. A WSK client registers itself with the provider module through the interfaces of the Network Module Registrar (NMR). Most importantly, a WSK client that still needs a TDI transport must map an address family, socket type and protocol triple to that transport's device name by calling WskControlClient, provided by the WSK subsystem, with the WSK_TDI_DEVICENAME_MAPPING control code.
Finally, there may be one more reason behind Microsoft's design: UNIX systems all implement the socket interface in the kernel, there are plenty of open-source operating systems to borrow from, and the socket-as-interface network design is already well proven.

2.2 Windows Filtering Platform

WFP is the replacement for TDI filter drivers. Vista provides a unified filter engine, and a filter driver becomes one of its clients (a callout driver). :-(

4. Additional content

4.1 HTTP GET request data

Ethernet frame as captured; the TCP payload begins at offset 0x36.

0000  00 11 09 8d ec 80 00 0a eb 86 d9 d4 08 00 45 00   ..............E.
0010  02 0a 11 38 40 00 40 06 2a c0 a8 00 33 c0 a8      ...8@.@.*...3..
0020  00 08 05 8e 00 50 3b 50 27 49 10 ed e2 31 50 18   .....P;P'I...1P.
0030  fa 84 d6 0d 00 00 47 45 54 20 2f 63 67 69 2d 62   ......GET /cgi-b
0040  69 6e 2f 63 76 73 74 72 61 63 2f 4e 65 74 57 6f   in/cvstrac/NetWo
0050  72 6b 41 75 64 69 74 2f 6c 6f 67 69 6e 3f 6e 78   rkAudit/login?nx
0060  70 3d 2f 63 67 69 2d 62 69 6e 2f 63 76 73 74 72   p=/cgi-bin/cvstr
0070  61 63 2f 4e 65 74 57 6f 72 6b 41 75 64 69 74 2f   ac/NetWorkAudit/
0080  77 69 6b 69 20 48 54 54 50 2f 31 2e 31 0d 0a 41   wiki HTTP/1.1..A
0090  63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69 66   ccept: image/gif
00a0  2c 20 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d 61   , image/x-xbitma
00b0  70 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 69   p, image/jpeg, i
00c0  6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c   mage/pjpeg, appl
00d0  69 63 61 74 69 6f 6e 2f 78 2d 73 68 6f 63 6b 77   ication/x-shockw
00e0  61 76 65 2d 66 6c 61 73 68 2c 20 61 70 70 6c 69   ave-flash, appli
00f0  63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 65 78   cation/vnd.ms-ex
0100  63 65 6c 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e   cel, application
0110  2f 76 6e 64 2e 6d 73 2d 70 6f 77 65 72 70 6f 69   /vnd.ms-powerpoi
0120  6e 74 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f   nt, application/
0130  6d 73 77 6f 72 64 2c 20 2a 2f 2a 0d 0a 52 65 66   msword, */*..Ref
0140  65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 31 39 32   erer: http://192
0150  2e 31 36 38 2e 30 2e 38 0d 0a 41 63 63 65 70 74   .168.0.8..Accept
0160  2d 4c 61 6e 67 75 61 67 65 3a 20 7a 68 2d 63 6e   -Language: zh-cn
0170  0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e   ..Accept-Encodin
0180  67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65   g: gzip, deflate
0190  0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f   ..User-Agent: Mo
01a0  7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61   zilla/4.0 (compa
01b0  74 69 62 6c 65 3b 20 4d 53 49 45 20 36 2e 30 3b   tible; MSIE 6.0;
01c0  20 57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b    Windows NT 5.1;
01d0  20 53 56 31 3b 20 2e 4e 45 54 20 43 4c 52 20 32    SV1; .NET CLR 2
01e0  2e 30 2e 35 30 37 32 37 29 0d 0a 48 6f 73 74 3a   .0.50727)..Host:
01f0  20 31 39 32 2e 31 36 38 2e 30 2e 38 0d 0a 43 6f    192.168.0.8..Co
0200  6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41   nnection: Keep-A
0210  6c 69 76 65 0d 0a 0d 0a                           live....

4.2 HTTP POST request data

Ethernet frame as captured; the TCP payload begins at offset 0x36 and the 80-byte form body at offset 0x29a.

0000  00 11 09 8d ec 80 00 0a eb 86 d9 d4 08 00 45 00   ..............E.
0010  02 dc 19 b7 40 00 40 06 9c d9 c0 a8 00 33 c0 a8   ....@.@......3..
0020  00 08 05 94 00 50 35 a6 5d ad 4c c0 7c 0c 50 18   .....P5.].L.|.P.
0030  fa f0 81 bb 00 00 50 4f 53 54 20 2f 63 67 69 2d   ......POST /cgi-
0040  62 69 6e 2f 63 76 73 74 72 61 63 2f 4e 65 74 57   bin/cvstrac/NetW
0050  6f 72 6b 41 75 64 69 74 2f 6c 6f 67 69 6e 20 48   orkAudit/login H
0060  54 54 50 2f 31 2e 31 0d 0a 41 63 63 65 70 74 3a   TTP/1.1..Accept:
0070  20 69 6d 61 67 65 2f 67 69 66 2c 20 69 6d 61 67    image/gif, imag
0080  65 2f 78 2d 78 62 69 74 6d 61 70 2c 20 69 6d 61   e/x-xbitmap, ima
0090  67 65 2f 6a 70 65 67 2c 20 69 6d 61 67 65 2f 70   ge/jpeg, image/p
00a0  6a 70 65 67 2c 20 61 70 70 6c 69 63 61 74 69 6f   jpeg, applicatio
00b0  6e 2f 78 2d 73 68 6f 63 6b 77 61 76 65 2d 66 6c   n/x-shockwave-fl
00c0  61 73 68 2c 20 61 70 70 6c 69 63 61 74 69 6f 6e   ash, application
00d0  2f 76 6e 64 2e 6d 73 2d 65 78 63 65 6c 2c 20 61   /vnd.ms-excel, a
00e0  70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d   pplication/vnd.m
00f0  73 2d 70 6f 77 65 72 70 6f 69 6e 74 2c 20 61 70   s-powerpoint, ap
0100  70 6c 69 63 61 74 69 6f 6e 2f 6d 73 77 6f 72 64   plication/msword
0110  2c 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a 20   , */*..Referer: 
0120  68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 30   http://192.168.0
0130  2e 38 2f 63 67 69 2d 62 69 6e 2f 63 76 73 74 72   .8/cgi-bin/cvstr
0140  61 63 2f 4e 65 74 57 6f 72 6b 41 75 64 69 74 2f   ac/NetWorkAudit/
0150  6c 6f 67 69 6e 3f 6e 78 70 3d 2f 63 67 69 2d 62   login?nxp=/cgi-b
0160  69 6e 2f 63 76 73 74 72 61 63 2f 4e 65 74 57 6f   in/cvstrac/NetWo
0170  72 6b 41 75 64 69 74 2f 77 69 6b 69 0d 0a 41 63   rkAudit/wiki..Ac
0180  63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 7a   cept-Language: z
0190  68 2d 63 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79   h-cn..Content-Ty
01a0  70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f   pe: application/
01b0  78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 6e   x-www-form-urlen
01c0  63 6f 64 65 64 0d 0a 41 63 63 65 70 74 2d 45 6e   coded..Accept-En
01d0  63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65   coding: gzip, de
01e0  66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 65 6e   flate..User-Agen
01f0  74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28   t: Mozilla/4.0 (
0200  63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45   compatible; MSIE
0210  20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54    6.0; Windows NT
0220  20 35 2e 31 3b 20 53 56 31 3b 20 2e 4e 45 54 20    5.1; SV1; .NET 
0230  43 4c 52 20 32 2e 30 2e 35 30 37 32 37 29 0d 0a   CLR 2.0.50727)..
0240  48 6f 73 74 3a 20 31 39 32 2e 31 36 38 2e 30 2e   Host: 192.168.0.
0250  38 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74   8..Content-Lengt
0260  68 3a 20 38 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f   h: 80..Connectio
0270  6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43   n: Keep-Alive..C
0280  61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6e 6f   ache-Control: no
0290  2d 63 61 63 68 65 0d 0a 0d 0a 6e 78 70 3d 25 32   -cache....nxp=%2
02a0  46 63 67 69 2d 62 69 6e 25 32 46 63 76 73 74 72   Fcgi-bin%2Fcvstr
02b0  61 63 25 32 46 4e 65 74 57 6f 72 6b 41 75 64 69   ac%2FNetWorkAudi
02c0  74 25 32 46 77 69 6b 69 26 75 3d 77 65 6c 65 61   t%2Fwiki&u=welea
02d0  72 26 70 3d 77 65 6c 66 61 72 26 69 6e 3d 25 42   r&p=welfar&in=%B
02e0  35 25 43 37 25 43 32 25 42 43                     5%C7%C2%BC
