How to get and set "raw packet" in NDIS_PACKET structure?

 
 
Gianluca Varenni

 
      05-28-2009
I think by "raw packet" you mean for example a raw ethernet packet with the
MAC header, right?

An NDIS_PACKET contains a chain of 1 or more NDIS_BUFFERs that contain the
packet. This means that the packet can be contained in one or more
buffers.

You need to use NdisQueryPacket to get the first NDIS_BUFFER and then
NdisQueryBufferSafe to get the actual data of the packet. If the packet is
stored in multiple NDIS_BUFFERs, you need to use NdisGetNextBuffer to go
through the chain of NDIS_BUFFERs.

MPReturnPacket (i.e. the MiniportReturnPacket callback) is not the right
callback you want to modify. You usually want to modify the PTReceive,
PTReceivePacket, MPSend and MPSendPackets functions.

Have a nice day
GV



"Aimslife" <> wrote in message
news:...
> Hi,
>
> I did not get any result from Google, please guide me, how I can get and
> set
> "raw packet" in NDIS_PACKET structure?
>
> I am trying to intercept tcp traffic on gateway and add one parameter in
> GET
> packet then release it. For this task, I am using NDIS "passthru" sample
> and
> writing code in "MPReturnPacket" function. Please guide me, am I on
> track?
>
> Regards,
> -Aimslife
>
>
>
>



 
Aimslife

 
      05-29-2009
Hi,

I did not get any result from Google, please guide me, how I can get and set
"raw packet" in NDIS_PACKET structure?

I am trying to intercept tcp traffic on gateway and add one parameter in GET
packet then release it. For this task, I am using NDIS "passthru" sample and
writing code in "MPReturnPacket" function. Please guide me, am I on track?

Regards,
-Aimslife




 
Maxim S. Shatskih

 
      05-29-2009
> with similar HTTP GET Protocol. We need to write a driver for gateway
> machine to add
> one parameter (for e.g. *Accept-Language: en-US*) in one of the GET
> command. All GET commands will communicate on the same session.


Parse all packet flow and inject the packet with *Accept-Language: en-US*

Note that the injection spot can be in the middle of some other packet, in which case you will need not only to inject, but to split too.

After injection, the TCP sequence number flow will be changed, and you must then update all sequence numbers in all remaining packets for this flow, and recompute the checksums.

This is how NAT editors work for "PORT" FTP command and for some other cases (PPTP?)

A hard thing. HTTP proxy is maybe simpler, or a stupid TCP-to-TCP, socket-to-socket user-mode proxy.

> I have done packet reading. Please guide how I can set "raw packet"
> (including ether header, ip header, tcp header and tcp payload with new
> field) bytes to NDIS_PACKET structure?


In the chain of NDIS_BUFFERs, which can be many.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com

 
Aimslife

 
      05-30-2009

Thanks Gianluca!

>I think by "raw packet" you mean for example a raw ethernet packet with the
>MAC header, right?

Actually, we have two servers and they communicate with each other through
gateway machine with similar HTTP GET Protocol. We need to write a driver for
gateway machine to add one parameter (for e.g. *Accept-Language: en-US*) in one
of the GET command. All GET commands will communicate on the same session.

I have done packet reading. Please guide how I can set "raw packet"
(including ether header, ip header, tcp header and tcp payload with new
field) bytes to NDIS_PACKET structure?

Thanks in advance for help!

Regards,
-Aimslife


 
Maxim S. Shatskih

 
      05-30-2009
>> In the chain of NDIS_BUFFERs, which can be many.
>
> Please guide me with example code.


NDIS_PACKET has a chain of NDIS_BUFFERs in it, each NDIS_BUFFER is an MDL which describes some byte range of data within the packet.

There are some macros in NDIS IIRC which allow you to access this chain.

All of this is NDIS < 6, for NDIS6, the things are different.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com

 
Aimslife

 
      05-31-2009
Hi Maxim,

> > I have done packet reading. Please guide how I can set "raw packet"
> > (including ether header, ip header, tcp header and tcp payload with new
> > field) bytes to NDIS_PACKET structure?


> In the chain of NDIS_BUFFERs, which can be many.


Please guide me with example code.

Thanks in advance.

Regards,
-Aimslife


 
Pavel A.

 
      05-31-2009
Maxim S. Shatskih wrote:
>>> In the chain of NDIS_BUFFERs, which can be many.

>> Please guide me with example code.

>
> NDIS_PACKET has a chain of NDIS_BUFFERs in it, each NDIS_BUFFER is an MDL which describes some byte range of data within the packet.
>
> There are some macros in NDIS IIRC which allow you to access this chain.
>
> All of this is NDIS < 6, for NDIS6, the things are different.
>


All that it takes to copy data from a buffer to NDIS_PACKET:

- NdisAllocateBuffer of max. size, mapped to that buffer
( or NdisAllocateMDL for ndis6 )
- add this buffer to an NDIS_PACKET: NdisChainBufferAtFront

Send this packet up, or call NdisCopyFromPacketToPacketSafe from this
new packet to another packet

Good luck.
-- PA
 
Pavel A.

 
      06-01-2009
I'm afraid you are too deeply confused and may want to look for a
consultant.

-- pa

"Aimslife" <> wrote in message
news:...
>
> Hi,
>
> Thanks Pavel and Maxim.
>
>>>>> In the chain of NDIS_BUFFERs, which can be many.
>>>> Please guide me with example code.
>>>
>>> NDIS_PACKET has a chain of NDIS_BUFFERs in it, each NDIS_BUFFER is an MDL
>>> which describes some byte range of data within the packet.
>>>
>>> There are some macros in NDIS IIRC which allow you to access this chain.
>>>
>>> All of this is NDIS < 6, for NDIS6, the things are different.
>>>

>>
>> All that it takes to copy data from a buffer to NDIS_PACKET:
>>
>> - NdisAllocateBuffer of max. size, mapped to that buffer
>> ( or NdisAllocateMDL for ndis6 )
>> - add this buffer to an NDIS_PACKET: NdisChainBufferAtFront
>>
>> Send this packet up, or call NdisCopyFromPacketToPacketSafe from this new
>> packet to another packet

>
> I have written given code for testing purpose but system is hanging. This
> code will execute if and only if network card will receive ICMP
> ping-request.
>
> NOTE: "Packet" is PNDIS_PACKET structure having ICMP ping-request packet.
> "icmp" is structure of ICMP packet having ether-header, ip-header,
> icmp-header and modified icmp-data.
>
> <code_snap>
> UINT PhysicalBufferCount;
> UINT BufferCount;
> PNDIS_BUFFER CurrentBuffer;
> NDIS_STATUS BufferStatus;
> UINT TotalPacketLength;
> GUINT8 buffer[33] = { NULL };
>
> UtilDumpNdisPacket(Packet); // Print Src-MAC, Dst-MAC, Src-IP, Dst-IP
>
> memcpy(icmp.icmp.data, "|-AIMSlife--AIMSLIFE--aimsLIFE-|", 32);
> ComputeAndSetICMPChecksum(&icmp.icmp);
> memcpy(buffer, icmp.icmp.data, 32);
> DbgPrint("ICMP Data : %s", buffer);
>
> NdisQueryPacket(Packet, &PhysicalBufferCount, &BufferCount,
> &CurrentBuffer, &TotalPacketLength);
>
> NdisFreeBuffer(CurrentBuffer);
>
> NdisAllocateBuffer(&BufferStatus, &CurrentBuffer, ProtocolBindingContext,
> &icmp, SIZE_ICMP_PACKET_FIX);
> NdisChainBufferAtFront(Packet, CurrentBuffer);
> </code_snap>
>
> Please guide me, what I have done wrong.
>
> Thanks in advance.
>
> Regards,
> -Aimslife
>
>

 
Aimslife

 
      06-02-2009

Hi,

Thanks Pavel and Maxim.

>>>> In the chain of NDIS_BUFFERs, which can be many.
>>> Please guide me with example code.

>>
>> NDIS_PACKET has a chain of NDIS_BUFFERs in it, each NDIS_BUFFER is an MDL
>> which describes some byte range of data within the packet.
>>
>> There are some macros in NDIS IIRC which allow you to access this chain.
>>
>> All of this is NDIS < 6, for NDIS6, the things are different.
>>

>
> All that it takes to copy data from a buffer to NDIS_PACKET:
>
> - NdisAllocateBuffer of max. size, mapped to that buffer
> ( or NdisAllocateMDL for ndis6 )
> - add this buffer to an NDIS_PACKET: NdisChainBufferAtFront
>
> Send this packet up, or call NdisCopyFromPacketToPacketSafe from this new
> packet to another packet


I have written given code for testing purpose but system is hanging. This
code will execute if and only if network card will receive ICMP
ping-request.

NOTE: "Packet" is PNDIS_PACKET structure having ICMP ping-request packet.
"icmp" is structure of ICMP packet having ether-header, ip-header,
icmp-header and modified icmp-data.

<code_snap>
UINT PhysicalBufferCount;
UINT BufferCount;
PNDIS_BUFFER CurrentBuffer;
NDIS_STATUS BufferStatus;
UINT TotalPacketLength;
GUINT8 buffer[33] = { NULL };

UtilDumpNdisPacket(Packet); // Print Src-MAC, Dst-MAC, Src-IP, Dst-IP

memcpy(icmp.icmp.data, "|-AIMSlife--AIMSLIFE--aimsLIFE-|", 32);
ComputeAndSetICMPChecksum(&icmp.icmp);
memcpy(buffer, icmp.icmp.data, 32);
DbgPrint("ICMP Data : %s", buffer);

NdisQueryPacket(Packet, &PhysicalBufferCount, &BufferCount, &CurrentBuffer,
&TotalPacketLength);

NdisFreeBuffer(CurrentBuffer);

NdisAllocateBuffer(&BufferStatus, &CurrentBuffer, ProtocolBindingContext,
&icmp, SIZE_ICMP_PACKET_FIX);
NdisChainBufferAtFront(Packet, CurrentBuffer);
</code_snap>

Please guide me, what I have done wrong.

Thanks in advance.

Regards,
-Aimslife


 
Aimslife

 
      06-03-2009
Hi Pavel,

> I'm afraid you are too deeply confused and may want to look for a
> consultant.


I made it ! ! !

Given code is working perfectly and it will change ICMP-Data for ICMP packet.
This was the first milestone for bigger goal which I have achieved.

<code>

UINT PhysicalBufferCount;
UINT BufferCount;
PNDIS_BUFFER CurrentBuffer;
NDIS_STATUS BufferStatus;
PGUINT8 VirtualAddress;
UINT TotalPacketLength;
GUINT8 buffer[33] = { 0 }; // zero-filled so the %s print below is NUL-terminated

debug("TRUE");

UtilDumpNdisPacket(Packet);

memcpy(icmp.icmp.data, "|-AIMSlife--AIMSLIFE--aimsLIFE-|", 32);
ComputeAndSetICMPChecksum(&icmp.icmp);
memcpy(buffer, icmp.icmp.data, 32);
debug("ICMP Data : %s", buffer);

NdisQueryPacket(Packet, &PhysicalBufferCount, &BufferCount, &CurrentBuffer,
&TotalPacketLength);

debug("PhysicalBufferCount : %d, BufferCount : %d, TotalPacketLength : %d",
PhysicalBufferCount, BufferCount, TotalPacketLength);

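// Map the first buffer; the Safe variant returns a NULL address if mapping fails
NdisQueryBufferSafe(CurrentBuffer, (PVOID *)&VirtualAddress, &BufferCount, NormalPagePriority);

debug("BufferCount : %d", BufferCount);
// Overwrite only if the first buffer is mapped and holds the whole frame
if (VirtualAddress != NULL && BufferCount >= SIZE_ICMP_PACKET_FIX)
{
NdisMoveMemory(VirtualAddress, &icmp, SIZE_ICMP_PACKET_FIX);
debug("Packet copy has done!");
}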

</code>

Now, my next milestone is intercept HTTP GET request and send it in correct
manner.

I shall be thankful to you, if you will guide me, if in case of any problem
will be faced.

Thanks for motivation.

Regards,
-Aimslife