[zhouws]

hi guys
can anyone show me how to send irp to tcpip driver to get network connection???

so complecated,i can't get it... thanks in adv!!!

[GamingMasteR]

Hi,

What do you mean by "get network connection" ?
Do you mean network status ? Or do you mean send/recv network packets ?

[Alex]

This article should be useful - Driver Development Part 5: Introduction to the Transport Device Interface (Introduction to TDI Client drivers and more IRP handling.).

[zhouws]

@GamingMasteR
that would be network status,like ip port,and corresponding process.

@alex.
as i know ,the TDI layer had been removed under win7.

that's why i want to know how to implement without sending irp to TDI in ring0

[EP_X0FF]

TDI replaced by NPI since Windows Vista.
You can try Winsock Kernel.

[zhouws]

well ,in fact ,all i wanna do is to try hide the connection i specified.

to some extend .i alread achieved it by hook NSI deviceobject,but it does not work for some ark.

[GamingMasteR]

You need to RE the ARK to know the mechanism it uses to detect the connections .

[zhouws]

You need to RE the ARK to know the mechanism it uses to detect the connections .

- -,
sounds like bad news........

[GamingMasteR]

Do you filter IOCTL_TCP_QUERY_INFORMATION_EX ?

[zhouws]

- -,in early befor vista. i hook ZwDeviceIoControlFile and filter IOCTL_TCP_QUERY_INFORMATION_EX,
later in vistat ,i hook the nis deviceobject,'s ,(nsiproxy driver) dispatcher routing .and also filter IOCTL_TCP_QUERY_INFORMATION_EX,

that's how i do, it works greate ."netstat -an" just blind.

so i assume maybe the ark sends irp to tcpip driver directly....but i do not know the parameter struct exactly

can u help me out?