From: Leonid Slobodchikov [curvex@online.sinor.ru]
Sent: Monday, December 31, 2001 4:39 AM
To: NT Developers Interest List
Subject: [ntdev] RE: hook ndis under win2k:what is the problem

It depends on driver loading order. When your driver is being loaded, other protocols may have no adapters bound to them. So, the common method of using NDIS hooks consists of intercepting the NdisRegisterProtocol function first, and for that, your driver must be loaded after NDIS.SYS, but before TCPIP.SYS and other protocol drivers. So when you have hooked NdisRegisterProtocol you can capture the NDIS_PROTOCOL_BLOCK structure pointer of protocols which are registered after you. Then you should set a hook at the NdisOpenAdapter function, and when a protocol tries to open an adapter, you can compare the NdisProtocolHandle (PNDIS_PROTOCOL_BLOCK) passed to this function with the protocol handlers captured by your NdisRegisterProtocol hook. So you can maintain tables of adapters bound to protocols installed on your system and get access to their NDIS_OPEN_BLOCK structures.

To Vadim: Does your driver conflict with other ones using NDIS hooks, e.g. the driver of WinRoute or the driver by Dan Lanciani?

Thanks.

> -----Original Message-----
> From: bounce-ntdev-6759@lists.osr.com
> [mailto:bounce-ntdev-6759@lists.osr.com]On Behalf Of brucie
> Sent: Monday, December 31, 2001 1:00 PM
> To: NT Developers Interest List
> Subject: [ntdev] RE: hook ndis under win2k:what is the problem
>
>
> Thanks.
>     protocol = protocol->NextProtocol;
>     block = protocol->OpenQueue;
> Here the protocol is the NextProtocol, I think the OpenQueue of
> nextprotocol should not be NULL.
> I think when I call NdisRegisterProtocol, the list of
> NDIS_PROTOCOL_BLOCK should be:
>      next     next
> p0------>p1------->p2
> |        |         |
> b0------>b1------->b2
> Here p is protocol_block and b is the open_block. So I think
> although the OPEN_BLOCK of my fake protocol is NULL, the
> Open_Block of the next protocol should not be NULL.
> What is wrong.
>
> Thanks
>
> >Hello,
> >
> >Since no adapters are bound to your protocol, your "block" variable seems to be NULL. So when you try to view data to which "block" points, the softice will show ??? for all data. Generally, "???" is shown when you try to access data by virtual address and there is no physical memory assigned to this virtual address.
> >You should analyze the OpenQueue field of a NDIS_PROTOCOL_BLOCK in your NdisOpenAdapter hook, not in your DriverEntry.
> >
> >Thanks.
> >
> >> -----Original Message-----
> >> From: bounce-ntdev-6759@lists.osr.com
> >> [mailto:bounce-ntdev-6759@lists.osr.com]On Behalf Of brucie
> >> Sent: Monday, December 31, 2001 12:00 PM
> >> To: NT Developers Interest List
> >> Subject: [ntdev] hook ndis under win2k:what is the problem
> >>
> >>
> >> Hi, all.
> >> I wrote some code to hook ndis under win2k. The result is so strange. :))
> >> Here is the code.
> >> ----------------------------------------------
> >>
> >> NTSTATUS DriverEntry(
> >>     IN PDRIVER_OBJECT DriverObject,
> >>     IN PUNICODE_STRING RegistryPath
> >>     )
> >> {
> >>     ....
> >>     ...
> >>     //register my fake protocol
> >>     NdisZeroMemory(&protocolChar,sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
> >>
> >>     protocolChar.MajorNdisVersion = 4;
> >>     protocolChar.MinorNdisVersion = 0;
> >>     protocolChar.Name = protoName;
> >>     protocolChar.OpenAdapterCompleteHandler = NULL;
> >>     protocolChar.CloseAdapterCompleteHandler = NULL;
> >>     protocolChar.SendCompleteHandler = NULL;
> >>     protocolChar.TransferDataCompleteHandler = NULL;
> >>     protocolChar.ResetCompleteHandler = NULL;
> >>     protocolChar.RequestCompleteHandler = NULL;
> >>     protocolChar.ReceiveHandler = NULL;
> >>     protocolChar.ReceiveCompleteHandler = NULL;
> >>     protocolChar.StatusHandler = NULL;
> >>     protocolChar.StatusCompleteHandler = NULL;
> >>     protocolChar.BindAdapterHandler = NULL;
> >>     protocolChar.UnbindAdapterHandler = NULL;
> >>     protocolChar.UnloadHandler = NULL;
> >>     protocolChar.ReceivePacketHandler = NULL;
> >>     // protocolChar.PnPEventHandler = NULL;
> >>
> >>     NdisRegisterProtocol(
> >>         &status,
> >>         &Globals.NdisProtocolHandle,
> >>         &protocolChar,
> >>         sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
> >>
> >>     if (status != NDIS_STATUS_SUCCESS) {
> >>         status = STATUS_UNSUCCESSFUL;
> >>         return status;
> >>     }
> >>     AnalysisProtocolBlock();
> >> }
> >> VOID
> >> AnalysisProtocolBlock(
> >>     )
> >> {
> >>     PNDIS_PROTOCOL_BLOCK protocol;
> >>     PNDIS_PROTOCOL_BLOCK nextprotocol;
> >>     PNDIS_OPEN_BLOCK block;
> >>     PNDIS_OPEN_BLOCK nextblock;
> >>     NDIS41_PROTOCOL_CHARACTERISTICS protoChar;
> >>     int i=0;
> >>
> >>     protocol = (PNDIS_PROTOCOL_BLOCK)(&Globals.NdisProtocolHandle);
> >>     if (protocol->NextProtocol != NULL)
> >>     {
> >>         protocol = protocol->NextProtocol;
> >>         block = protocol->OpenQueue;
> >>     }
> >> }
> >> ----------------------------------------------
> >> I set breakpoints at "block = protocol->OpenQueue"
> >> in my function AnalysisProtocolBlock, when the code executes there, I
> >> use softice to see the data of "block".
> >> That is the result:
> >> block struct _NDIS_OPEN_BLOCK
> >> {
> >>     PNDIS_MAC_BLOCK MacHandle = ???
> >>     NDIS_HANDLE MacBindingHandle=???
> >>     PNDIS_ADAPTER_BLOCK AdapterHandle=???
> >>     PNDIS_PROTOCOL_BLOCK ProtocolHandle =???
> >>     NDIS_HANDLE ProtocolBindingContext=???
> >>     PNDIS_OPEN_BLOCK AdapterNextOpen=???
> >>     PNDIS_OPEN_BLOCK ProtocolNextOpen=???
> >>     PFILE_OBJECT FileObject=???
> >>     ........
> >>     .......
> >> }
> >> It is so strange, all the values are ????, why?
> >> By the way, I could not find the definition of NDIS_PROTOCOL_BLOCK in
> >> win2kddk\inc\ddk\ndis.h. So I use NT DDK.
> >>
> >>
> >> what is the problem?
> >>
> >> Thanks.
> >>
> >> best regards
> >> yours brucie
> >> brucie@263.net
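
The bookkeeping described in the reply at the top of this message, as an added user-mode C model; it is not code from the thread or from any driver mentioned in it. The structs and the function names `on_register_protocol`, `on_open_adapter` and `adapters_bound` are hypothetical, simplified stand-ins and do not reproduce the real NDIS layouts.

```c
/* User-mode model (assumption): simplified stand-ins, NOT the real NDIS layouts. */
#include <stdio.h>

#define MAX_PROTOCOLS 8
#define MAX_OPENS 4
typedef struct open_block { int adapter_id; struct open_block *next_open; } open_block;
typedef struct protocol_block { const char *name; open_block *open_queue; } protocol_block;

/* Table kept by the hooking driver: captured protocol -> adapters it opened. */
typedef struct { protocol_block *proto; int adapters[MAX_OPENS]; int count; } binding_entry;
static binding_entry table[MAX_PROTOCOLS];
static int n_entries;

/* Models the NdisRegisterProtocol hook: capture handles registered after us. */
void on_register_protocol(protocol_block *p) {
    if (n_entries == MAX_PROTOCOLS) return;
    table[n_entries].proto = p;
    table[n_entries].count = 0;
    n_entries++;
}

/* Models the NdisOpenAdapter hook: 1 if the handle was captured and recorded. */
int on_open_adapter(protocol_block *handle, open_block *ob) {
    for (int i = 0; i < n_entries; i++) {
        if (table[i].proto != handle) continue;
        if (table[i].count == MAX_OPENS) return 0;
        ob->next_open = handle->open_queue;   /* stands in for NDIS queuing the open */
        handle->open_queue = ob;
        table[i].adapters[table[i].count++] = ob->adapter_id;
        return 1;
    }
    return 0;   /* protocol registered before the hook was in place */
}

/* Number of adapters recorded for a protocol, or -1 if it was never captured. */
int adapters_bound(const protocol_block *p) {
    for (int i = 0; i < n_entries; i++)
        if (table[i].proto == p) return table[i].count;
    return -1;
}

int main(void) {
    protocol_block tcpip = { "TCPIP (constructed)", NULL };
    open_block nic = { 1, NULL };
    on_register_protocol(&tcpip);   /* queue is still empty at this point */
    printf("after register: open_queue=%p\n", (void *)tcpip.open_queue);
    on_open_adapter(&tcpip, &nic);  /* only now is there an open block to inspect */
    printf("after open: adapters=%d\n", adapters_bound(&tcpip));
    return 0;
}
```

In the model, a protocol's open queue stays empty between registration and the first adapter open, and a protocol that registered before the hook existed is never matched.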