From: brucie [brucie@263.net]
Sent: Friday, December 28, 2001 3:47 AM
To: NT Developers Interest List
Subject: [ntdev] Re: hook ndis under win2k like under Win9x

Thanks for the reply. I have some ideas after reading your article. I will go write some code :))) Thank you very much.

>Brucie,
>
>In addition to patching the NDIS.SYS export table (which is used in some
>commercial products) or direct code modification (look at www.danlan.com), there
>is one more way, which is how the well-known personal firewall ZoneAlarm
>(www.zonealarm.com) works. It registers its own fake protocol (most of the
>handlers are null subroutines; others, like ReceiveHandler, return
>NDIS_STATUS_NOT_ACCEPTED). I was a bit confused about why it registers a
>protocol. Then I found that it is just for getting the ProtocolBindingHandle, which is
>actually a pointer to the internal NDIS structure NDIS_PROTOCOL_BLOCK (defined
>in different ways for different NDIS versions). This structure contains a
>pointer to the NDIS_PROTOCOL_BLOCK list of all previously registered
>protocols, the NDIS_PROTOCOL_CHARACTERISTICS given in NdisRegisterProtocol, and a
>pointer to a list of all adapters (described by the NDIS_OPEN_BLOCK structure) bound to
>this protocol. So having this pointer you may substitute all the protocol handlers
>you want, and the NDIS_OPEN_BLOCK handlers also, getting full control over all
>network traffic. Additionally, it tracks all working processes and threads
>in the system and hooks TDI to determine which process originated a call, but
>this is out of our subject. However, I suspect that in comparison to
>patching the NDIS.SYS export table this approach can be unsafe on SMP systems.
>
>Regards,
>
>Vadim
>
>-----Original Message-----
>From: bounce-ntdev-6615@lists.osr.com
>[mailto:bounce-ntdev-6615@lists.osr.com] On Behalf Of brucie
>Sent: Friday, December 28, 2001 6:00 AM
>To: NT Developers Interest List
>Subject: [ntdev] Re: hook ndis under win2k like under Win9x
>
>
>Windump just listens to the packets on the local network but cannot filter the
>packets. Although an NDIS IM driver is the best solution for filtering the
>packets, I want to know how some products such as Norton Personal
>Firewall achieve this. As far as I know, many commercial products use a method
>like the one under Win9x to hook the NDIS services, rather than patching the export
>table of "ndis.sys". As far as I know, there are two important structures defined
>in ndis.h: NDIS_PROTOCOL_BLOCK and NDIS_OPEN_BLOCK.
>
>>At 21.47 27/12/2001 +0800, you wrote:
>>>Under Win9x, we can use hook_device_service to implement a
>>>pseudo-intermediate driver to filter the ethernet packets. How can it
>>>be done under win2k?
>>
>>have a look at tcpdump:
>>
>>http://netgroup-serv.polito.it/windump/
>>
>>hooks anything but the PPP adapter. Works great on Ethernet
>>
>>
>>---
>>You are currently subscribed to ntdev as: brucie@263.net
>>To unsubscribe send a blank email to leave-ntdev-4165Y@lists.osr.com
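As an added illustration of the approach Vadim describes above (this is not code from the thread, from ZoneAlarm or from any product), the following user-mode C program models the NDIS protocol list: a fake protocol is registered to obtain its ProtocolBindingHandle, the list of previously registered protocols is walked from there, and the ReceiveHandler in every NDIS_OPEN_BLOCK is replaced by a filter that hides frames from one source address. Everything in it is an assumption made for the demonstration: the struct layouts, the NDIS_STATUS values, the model_* helpers that stand in for NdisRegisterProtocol, NdisOpenAdapter and the miniport's receive indication, the blocked address 10.0.0.66 and the two constructed frames. The real structures are undocumented and version-specific, as Vadim notes.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-ins for the NDIS objects named in the thread: the real layouts
 * are undocumented and differ between NDIS versions; these only model the technique. */
typedef uint32_t NDIS_STATUS;
#define NDIS_STATUS_SUCCESS      0x00000000u
#define NDIS_STATUS_NOT_ACCEPTED 0x00010003u   /* illustrative value */
typedef NDIS_STATUS (*RECEIVE_HANDLER)(void *ProtocolBindingContext, const uint8_t *frame, size_t len);
typedef struct { RECEIVE_HANDLER ReceiveHandler; } NDIS_PROTOCOL_CHARACTERISTICS;
typedef struct NDIS_OPEN_BLOCK {              /* one adapter binding of a protocol */
    struct NDIS_OPEN_BLOCK *ProtocolNextOpen; void *ProtocolBindingContext;
    RECEIVE_HANDLER ReceiveHandler;           /* NDIS copies this in at bind time */
} NDIS_OPEN_BLOCK;
typedef struct NDIS_PROTOCOL_BLOCK {          /* what ProtocolBindingHandle points to */
    struct NDIS_PROTOCOL_BLOCK *NextProtocol; NDIS_OPEN_BLOCK *OpenQueue;
    NDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;
} NDIS_PROTOCOL_BLOCK;
static NDIS_PROTOCOL_BLOCK *g_protocol_list;  /* model of NDIS's global protocol list */

/* Models of NdisRegisterProtocol (new protocol at the list head), NdisOpenAdapter (the open
 * block gets its own handler copy) and a receive indication (every open sees the frame). */
static void model_register(NDIS_PROTOCOL_BLOCK *pb, RECEIVE_HANDLER h) {
    pb->ProtocolCharacteristics.ReceiveHandler = h; pb->OpenQueue = NULL;
    pb->NextProtocol = g_protocol_list; g_protocol_list = pb;
}
static void model_bind(NDIS_PROTOCOL_BLOCK *pb, NDIS_OPEN_BLOCK *ob, void *ctx) {
    ob->ProtocolBindingContext = ctx; ob->ReceiveHandler = pb->ProtocolCharacteristics.ReceiveHandler;
    ob->ProtocolNextOpen = pb->OpenQueue; pb->OpenQueue = ob;
}
static int model_indicate(const uint8_t *frame, size_t len) {   /* returns opens that accepted */
    int accepted = 0;
    for (NDIS_PROTOCOL_BLOCK *pb = g_protocol_list; pb; pb = pb->NextProtocol)
        for (NDIS_OPEN_BLOCK *ob = pb->OpenQueue; ob; ob = ob->ProtocolNextOpen)
            if (ob->ReceiveHandler(ob->ProtocolBindingContext, frame, len) == NDIS_STATUS_SUCCESS)
                accepted++;
    return accepted;
}

/* A real protocol's handler (ctx: its per-binding receive counter) and the fake
 * protocol's handler, which rejects everything as the thread describes. */
static NDIS_STATUS accept_all(void *ctx, const uint8_t *f, size_t n) { (void)f; (void)n; (*(int *)ctx)++; return NDIS_STATUS_SUCCESS; }
static NDIS_STATUS reject_all(void *ctx, const uint8_t *f, size_t n) { (void)ctx; (void)f; (void)n; return NDIS_STATUS_NOT_ACCEPTED; }

/* The hook: originals saved per ProtocolBindingContext behind one shared filter. */
static struct { void *ctx; RECEIVE_HANDLER original; } g_hooks[16];
static int g_nhooks; int g_dropped, g_blocked_accepted, g_arp_accepted;
static const uint8_t BLOCKED_SRC[4] = {10, 0, 0, 66};   /* constructed firewall rule */

/* Replacement ReceiveHandler: hide IPv4 from BLOCKED_SRC, pass everything else on. */
static NDIS_STATUS filter_receive(void *ctx, const uint8_t *frame, size_t len) {
    RECEIVE_HANDLER original = NULL;
    for (int i = 0; i < g_nhooks; i++) if (g_hooks[i].ctx == ctx) original = g_hooks[i].original;
    if (!original) return NDIS_STATUS_NOT_ACCEPTED;
    if (len >= 34 && frame[12] == 0x08 && frame[13] == 0x00 &&   /* EtherType IPv4 */
        memcmp(frame + 26, BLOCKED_SRC, 4) == 0) {              /* IPv4 source address */
        g_dropped++; return NDIS_STATUS_NOT_ACCEPTED;
    }
    return original(ctx, frame, len);
}
/* Walk from our ProtocolBindingHandle over every earlier protocol, swapping each open's handler. */
int hook_all_opens(NDIS_PROTOCOL_BLOCK *ours) {
    int hooked = 0;
    for (NDIS_PROTOCOL_BLOCK *pb = ours->NextProtocol; pb; pb = pb->NextProtocol)
        for (NDIS_OPEN_BLOCK *ob = pb->OpenQueue; ob; ob = ob->ProtocolNextOpen) {
            if (g_nhooks == 16 || ob->ReceiveHandler == filter_receive) continue;
            g_hooks[g_nhooks].ctx = ob->ProtocolBindingContext;
            g_hooks[g_nhooks++].original = ob->ReceiveHandler;
            ob->ReceiveHandler = filter_receive;   /* real driver: InterlockedExchangePointer */
            hooked++;
        }
    return hooked;
}

/* Two real protocols with one binding each, then the fake one; hook from its handle
 * and indicate two constructed frames. Returns the number of opens hooked. */
int run_demo(void) {
    static NDIS_PROTOCOL_BLOCK tcpip, nbf, fw;
    static NDIS_OPEN_BLOCK tcpip_open, nbf_open, fw_open;
    static int tcpip_rx, nbf_rx;
    g_protocol_list = NULL; g_nhooks = 0; g_dropped = 0; tcpip_rx = nbf_rx = 0;
    model_register(&tcpip, accept_all); model_bind(&tcpip, &tcpip_open, &tcpip_rx);
    model_register(&nbf, accept_all);   model_bind(&nbf, &nbf_open, &nbf_rx);
    model_register(&fw, reject_all);    model_bind(&fw, &fw_open, NULL);   /* handle is &fw */
    int hooked = hook_all_opens(&fw);
    uint8_t ipv4[34] = {0}, arp[42] = {0};   /* constructed Ethernet frames */
    ipv4[12] = 0x08; ipv4[13] = 0x00; ipv4[14] = 0x45; memcpy(ipv4 + 26, BLOCKED_SRC, 4);
    arp[12] = 0x08;  arp[13] = 0x06;
    g_blocked_accepted = model_indicate(ipv4, sizeof ipv4);
    g_arp_accepted = model_indicate(arp, sizeof arp);
    return hooked;
}

int main(void) {
    int hooked = run_demo();
    printf("hooked %d opens: blocked IPv4 accepted by %d, ARP by %d, dropped %d\n",
           hooked, g_blocked_accepted, g_arp_accepted, g_dropped);
    return 0;
}
```

Two things the model leaves out, and which matter in a real driver: the pointer swap has to be an interlocked exchange done after the original is saved, because on an SMP machine another CPU may be executing the handler at that moment (the race Vadim suspects), and any binding created after the walk is not hooked, so the driver must also watch for new opens. In the model, returning NDIS_STATUS_NOT_ACCEPTED from the filter is what hides a frame from the hooked protocol, the same thing the fake protocol's own handler does for every frame.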