NDIS Hook sendPacketsHandler

1
votes

I use NdisRegisterProtocol() to register a protocol driver, and use _NDIS_OPEN_BLOCK and _NDIS_PROTOCOL_BLOCK structures to hook the ReceivePacketHandler successful, use MyRecivePacket() to instead of NDIS receive packet functions, when I open a website, MyRecievePacket() will be run.

My question is: When I open a website(like www.stackoverflow.com) using IE, how can I hook the SendPacketsHandler to get this packet and get the url www.stackoverflow.com string. In other words, how to capture the url in kernel mode. thanks

3
chookwdkndiswdm

3 Answers

0
votes

That's not something you should normally do, URL data belongs to the application layer of network stack and shouldn't be accessed by the lower layers which reside in Kernel space. See more here on protocol driver layering inside Windows network architecture: http://msdn.microsoft.com/en-us/library/windows/hardware/ff571073(v=vs.85).aspx

However, it might be possible by removing the headers that where added to packets on the way down to your protocol driver by the protocols sitting on top of it, such as HTTP, TCP, IP etc. You need to know the exact protocols that where applied to your data packet on the way to your protocol driver. The headers are added incrementally, for each underlying layer the input from the above layer is an opaque block of data (which consists of the upper layer data and header). E.g., your packet may start as a pure data, to which HTTP header was added at start, TCP header after that, and IP header after that. You need to remove the headers in the opposite order to restore the original data.

Note, this is not always possible as the protocols on the way down may change the data, e.g. by encrypting it. In this case you won't be able to extract the original data with doing the reverse operation (such as decryption).

0
votes

There are tools and techniques that called Deep Packet Inspection(DPI) which used to unpacked the transfered packet upon rich its application layer , there are libraries like openDPI which can be used even on kernel land to track the packets content.

When you can unpack the network packets up-to application layer then you can change its content. You should be award that its not easy to capture and unpack each packets which throw your NIC.

0
votes

First of all, I have not really clear what you want to do... My main doubt:

  • ¿are you registering a Protocol Driver, or hooking the ReceivePacketHandler of a previously existing driver? It's something really different.

I'll assume that your target is just to intercept URL's, not hooking an exising protocol driver. As @icepack comments, using a procol driver it's not 'the easy way' beacause you should track all TCP connections to extract HTTP stuff.

But, if it's mandatory for you to use NDIS, you should check the PassThru example[1] of the DDK, or the NDIS Filter driver [2] example, and implement the necessary logic to parse TCP protocol and HTTP headers.

If NDIS it's not mandatory there are easier techniques like using a TDI (deprecated but still functionally[3]) or a WFP driver [4] to intercept communications in a higher level than TCP stack.

[1] http://code.msdn.microsoft.com/windowshardware/NDISLWFSYS-Sample-NDIS-60-42b76875

[2] http://msdn.microsoft.com/en-us/library/windows/hardware/ff565501(v=vs.85).aspx

[3] http://technet.microsoft.com/en-us/library/cc939977.aspx

[4] http://msdn.microsoft.com/en-us/library/windows/hardware/gg463267.aspx