Re: Need Advice
- From: "Don Burn" <burn@xxxxxxxxxxxxxxxx>
- Date: Sat, 5 Aug 2006 19:05:37 -0400
Anton,
I cannot argue with your analysis based on ease of use, but it should
be pointed out that Firewall-hook drivers are discouraged by Microsoft, and
Filter-hook drivers only allow one to be registered. So if the OP is
looking for a long term viable solution, he needs to think about option 1.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply
"anton bassov" <soviet_bloke@xxxxxxxxxxx> wrote in message
news:1154817617.350640.305830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi mate
You have 2 options:
1. Write an NDIS IM. This is quite a complex thing, with around 95% of the code
totally unrelated to your actual task - you would have to make sure that your
driver fully conforms to the NDIS model. Furthermore, you are more than likely
to get into trouble with NDISWAN and virtual adapters, so that you will have
quite a few extra things to worry about.
2. Write an NDIS-hooking solution. This is easier, because you are able to
concentrate only on the part that indicates incoming packets to protocol
drivers (NdisXXXIndicateYYY()), or just on the protocols' Receive() and
ReceivePackets() handlers.
When you go for option 2, you have to register a do-nothing protocol driver
(just in order to get a valid protocol handle) and cast it to an
NDIS_PROTOCOL_BLOCK structure. At this point you will be able to get access to
the whole chain of NDIS_PROTOCOL_BLOCK, NDIS_OPEN_BLOCK and NDIS_MINIPORT_BLOCK
structures, where you will be able to find the addresses of the functions you
want to patch.
I would recommend that you start with option 2, and implement it not as a
firewall but just as a packet analyzer that captures all packets and does
not do anything else - you can add filtering capabilities to it at some later
stage.
Anton Bassov
euacela@xxxxxxxxx wrote:
hi man,
what would you recommend me to use in making an effective firewall?
Not a too fancy one, but just a simple one. For example, what does
TinyPersonalFirewall use, or other firewalls? I don't think they just
hook kernel mode functions.
Do they use NDIS?
If you have better suggestions please... they are welcome... how
would you do a firewall?
anton bassov wrote:
That's the whole point. What you perceive as a lack of proper documentation
is the proper documentation. The Windows DDK is the most complete and
authoritative source of information on the subject.
The above statement just shows Slava M. Usov's "expertise" on the subject. If
Slava M. Usov had some brains, some analytical skills plus the SoftIce
debugger, he would have known that even ndis.h is incomplete. For example, he
would have known that the NDIS_OPEN_BLOCK structure that is declared in ndis.h
is just part of the one that is actually used by Windows (although these
"hidden" fields seem to be different for W2K and XP). He would have known that
the NDIS "handles" that are accepted as parameters and returned by NDIS
functions are not handles but pointers, and that these "handles" are not as
opaque as the official documentation claims - he would have known which
"handle" is a pointer to NDIS_OPEN_BLOCK, which "handle" is a pointer to
NDIS_MINIPORT_BLOCK and which "handle" is a pointer to NDIS_PROTOCOL_BLOCK. At
this point he would understand that, in actuality, NDIS is probably the most
undocumented part of the OS.
This fully explains all his statements about "months and months of learning"
and his inquiries about a "genius" who is able to learn NDIS in less than a
month - he does not seem to understand that the NDIS library in itself is just
the glue that holds the network stack together.
Anton Bassov
Slava M. Usov wrote:
<euacela@xxxxxxxxx> wrote in message
news:1154614602.586993.296550@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am not a complete newbie but I do not have proper documentation.
That's the whole point. What you perceive as a lack of proper documentation
is the proper documentation. The Windows DDK is the most complete and
authoritative source of information on the subject. Another important source
is PCAUSA, which supplements the DDK in the advanced area, and there is
hardly anything else.
S