 #25392  by fsdhook
 Thu Mar 05, 2015 8:48 am
Hi, everyone.
I want to send a NET_BUFFER_LIST in the FilterReceiveNetBufferLists routine. How do I do that?
I tried to use NdisSendNetBufferLists, but it BSODs at once.
Code:
VOID FilterReceiveNetBufferLists
(
    NDIS_HANDLE         FilterModuleContext,
    PNET_BUFFER_LIST    NetBufferLists,
    NDIS_PORT_NUMBER    PortNumber,
    ULONG               NumberOfNetBufferLists,
    ULONG               ReceiveFlags
)
{
	PMS_FILTER			pFilter = (PMS_FILTER)FilterModuleContext;
	PNET_BUFFER			NetBuffer;
	UCHAR				TempBuffer[MAX_BUFFER_SIZE];
	ULONG				BytesCopied;
	BOOLEAN				bFalse = FALSE;
	//DbgPrint(">>> FilterReceiveNetBufferLists: %p\n", NetBufferLists, ReceiveFlags, NumberOfNetBufferLists);
	do
	{
		for(NetBuffer = NetBufferLists->FirstNetBuffer;
			NetBuffer != NULL;
			NetBuffer = NetBuffer->Next)
		{
			//DbgPrint("[FilterReceiveNetBufferLists]ENTER for LOOP: %p\n",NetBufferLists);
			GetNetBufferData(NetBuffer, TempBuffer, MAX_BUFFER_SIZE, &BytesCopied);
			if (BytesCopied == 0)
			{
				DbgPrint("[FilterReceiveNetBufferLists]Net buffer catch error\n");
			}
			else
			{
				//search TCP_MUX_TEST
				PCHAR ptr = (PCHAR)TempBuffer;
				ULONG i;
				for(i=0;i<BytesCopied;i++)
				{
					if(!_strnicmp(ptr+i,"TCP_MUX_TEST",12))
					{
						ULONG TargetIP=0,SourceIP=0;
						USHORT TargetPort=0,SourcePort=0;
						UCHAR TargetMac[6]={0},SourceMac[6]={0};
						PBEFORE_HTTP_HEADER pBTH = (PBEFORE_HTTP_HEADER)TempBuffer;
						//
						TargetIP = pBTH->ipHeader.dstaddr; TargetPort=pBTH->tcpHeader.dst_port; memcpy(TargetMac,pBTH->eHeader.dstmac,6);
						SourceIP = pBTH->ipHeader.srcaddr; SourcePort=pBTH->tcpHeader.src_port; memcpy(SourceMac,pBTH->eHeader.srcmac,6);
						DbgPrint("[FilterReceiveNetBufferLists]FIND TCP_MUX_TEST! [SRC]%X [DST]%X\n",SourceIP,TargetIP);
						//
						//WAY-1: PASS DOWN THE DATA
						//
						//break;
						//==========================
						//
						//WAY-2: DROP THE DATA
						//
						//return;
						//==========================
						//
						//WAY-3: DROP THE DATA AND SEND BACK THE DATA (try to fix MAC of ETH head and CHECKSUM of IP head)
						//
						pBTH->ipHeader.dstaddr = SourceIP;
						pBTH->ipHeader.srcaddr = TargetIP;
						pBTH->tcpHeader.dst_port = SourcePort;
						pBTH->tcpHeader.src_port = TargetPort;
						memcpy(TargetMac,pBTH->eHeader.srcmac,6);
						memcpy(SourceMac,pBTH->eHeader.dstmac,6);
						SetNetBufferData(NetBuffer, TempBuffer, BytesCopied, &BytesCopied);
						//NdisReturnNetBufferLists(FilterModuleContext,NetBufferLists,NDIS_RETURN_FLAGS_DISPATCH_LEVEL);
						NdisSendNetBufferLists(FilterModuleContext, NetBufferLists, PortNumber, NDIS_SEND_FLAGS_DISPATCH_LEVEL);
						return;
					}
				}
			}
		}
	}
	while (bFalse);
	//DbgPrint("[FilterReceiveNetBufferLists][IRQL=%d]\n",KeGetCurrentIrql());
	NdisFIndicateReceiveNetBufferLists(pFilter->FilterHandle, NetBufferLists, PortNumber, NumberOfNetBufferLists, ReceiveFlags);
}
(Full driver source code is in the ATTACHMENT.)
Thanks in advance.
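The header rewrite that WAY-3 in the post above attempts, as an added user-mode C example (not the poster's driver code): it writes the swapped MAC, IP and port fields into the frame itself, bounds the marker search to the copied length, and checks that the IPv4 header checksum still verifies after the swap. The frame layout without IP options, the helper names and the sample frame are assumptions; NDIS buffer ownership and the send path are outside its scope.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout, as in the post's cast: Ethernet II + IPv4 (no options) + TCP. */
enum { ETH_LEN = 14, IP_LEN = 20, HDRS = ETH_LEN + IP_LEN + 20 };
/* RFC 1071 checksum over an even byte count; 0 over a full header means valid. */
static uint16_t csum16(const uint8_t *p, size_t len) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint32_t)(p[i] << 8 | p[i + 1]);
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)~s;
}
/* Bounded, case-sensitive marker search: never reads past buf[len - 1]. */
static long find_marker(const uint8_t *buf, size_t len, const char *m) {
    size_t ml = strlen(m);
    for (size_t i = 0; i + ml <= len; i++)
        if (memcmp(buf + i, m, ml) == 0) return (long)i;
    return -1;
}
static void swap_field(uint8_t *a, uint8_t *b, size_t n) { /* n <= 6 */
    uint8_t t[6];
    memcpy(t, a, n); memcpy(a, b, n); memcpy(b, t, n);
}
/* Swap the MAC, IPv4 address and TCP port pairs inside the frame. The swap only
   reorders 16-bit words, so the IPv4 and TCP checksums are unchanged. */
static int reflect_frame(uint8_t *f, size_t len) {
    if (len < HDRS || f[12] != 0x08 || f[13] != 0x00) return -1; /* short or not IPv4 */
    if (f[ETH_LEN] != 0x45 || f[ETH_LEN + 9] != 6) return -1;    /* IP options or not TCP */
    swap_field(f, f + 6, 6);
    swap_field(f + ETH_LEN + 12, f + ETH_LEN + 16, 4);
    swap_field(f + ETH_LEN + IP_LEN, f + ETH_LEN + IP_LEN + 2, 2);
    return 0;
}
/* Constructed sample: 192.0.2.1:40000 -> 192.0.2.2:80, payload "TCP_MUX_TEST". */
static size_t make_sample(uint8_t *f) {
    static const uint8_t hdr[34] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00,
        0x45,0,0,52, 0,0,0,0, 64,6,0,0, 192,0,2,1, 192,0,2,2 };
    memset(f, 0, HDRS + 12);
    memcpy(f, hdr, sizeof hdr);
    f[34] = 0x9C; f[35] = 0x40; f[37] = 80; f[46] = 0x50; /* ports, data offset 5 */
    memcpy(f + HDRS, "TCP_MUX_TEST", 12);
    uint16_t c = csum16(f + ETH_LEN, IP_LEN);
    f[ETH_LEN + 10] = (uint8_t)(c >> 8); f[ETH_LEN + 11] = (uint8_t)c;
    return HDRS + 12;
}
int main(void) {
    uint8_t f[HDRS + 12];
    size_t n = make_sample(f);
    return (find_marker(f, n, "TCP_MUX_TEST") == HDRS && reflect_frame(f, n) == 0
            && csum16(f + ETH_LEN, IP_LEN) == 0) ? 0 : 1;
}
```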
 #25443  by EP_X0FF
 Thu Mar 12, 2015 4:03 am
No one wants to debug your (or anyone else's) driver. If you have a BSOD, a minidump should be attached; if the caps lock button is broken, then a new keyboard is required.
 #25450  by fsdhook
 Thu Mar 12, 2015 8:53 am
EP_X0FF wrote: No one wants to debug your (or anyone else's) driver. If you have a BSOD, a minidump should be attached; if the caps lock button is broken, then a new keyboard is required.
BSOD on Ndis(F)SendNetBufferList, with an unreasonable code: D1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL).

But my real question is: how do I send a NetBufferList in the FilterReceiveNetBufferLists routine?