Re: NDIS_MINIPORT_CHARACTERISTICS

From: Brad Miller (nospam_at_nospam.net)
Date: 05/26/04


Date: Wed, 26 May 2004 17:24:11 +0100

On Tue, 25 May 2004 23:40:45 -0400, "Thomas F. Divine [DDK MVP]"
<tdivine@NOpcausaSPAM.com> wrote:

>A couple of points:
>
>1.) Most commercial firewalls already use NDIS-hooking.

I am referring to NDIS-hooking filters that wrap the NDIS interfaces.
Whilst this is done, the filtering only seems to be performed at the
protocol and upper miniport interfaces. The miniport's lower interface
is rarely filtered, mainly due to:

- The NDIS wrapper being so thin here.
- Hardware specific issues.
- Stability

>2.) There is always someone smarter then you (or me).

Indeed. But that doesn't mean that one should never seek to improve
oneself... rather, it demonstrates WHY one should always strive to
improve.

>3.) If the smarter developer has Admin rights, then you are toast.

If a smarter developer can filter my method then I shall take a good
look at his firewall code and improve my method. Like I said, I would
hook HAL and whisper right into the NIC if I really had to. But then,
I'm emulating a system cracker - I have absolutely no duty of care to
the system.

<rant>
This 'smarter developer' SHOULD have been MSFT. There is no value in
kernel security if unsigned drivers and components can so easily
subvert it (and they can). Far better to allow unsigned drivers a
high position and allow only securely signed and trusted drivers
(hardware vendors/respected security products) access to such low
positions. One could mention WHQL, but it's not quite the same, is it?
The drivers I am sitting on are WHQL certified. I can still overwrite
them in memory. Not too wise IMO.
</rant>

>BTW, PCAUSA no longer offers NDIS-hooking drivers as off-the-shelf samples
>(They are only available by special order...)

That's a shame, you guys were very informative.

> Any overlooked detail can easily put a company out of business.

Quite true. However, I'm a student on a personal tour of discovery.
Any commercialisation or distribution of this backdoor code would
almost certainly be illegal in my country. Not to mention against my
personal ethics.

>Good luck,

Why thank you.

>Thomas F. Divine
>http://www.pcausa.com
Great name :) Great company!
