How to bind an NDIS 6 filter driver below the built-in NDIS Mux driver?

All replies

  • I think that part of your problem is understanding how NDIS6 views the world. A network "stack" is everything between a miniport edge and a protocol edge, inclusive; thus, when an intermediate driver (which has a protocol edge on the bottom, and a miniport edge on the top) is installed you now have two separate stacks. This is described here. So, you need to install your filter on the miniport of each stack if you want to be in both.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Saturday, March 26, 2016 7:27 PM
    Moderator
  • I still don't know how to do this. Can you be more specific? How do I actually "install your filter on the miniport of each stack"? Do I need to change my INF file? I think the most relevant values are UpperRange, LowerRange and FilterMediaTypes. But I think I have specified enough items in FilterMediaTypes.

    My whole INF file is below:

    ;-------------------------------------------------------------------------
    ; NPF.INF -- Npcap NDIS 6.x LightWeight Filter Driver
    ;
    ; Copyright (c) 2015, Insecure.Com LLC.  All rights reserved.
    ;------------------------------------------------------------------------
    [version]
    Signature       = "$Windows NT$"
    Class           = NetService
    ClassGUID       = {4D36E974-E325-11CE-BFC1-08002BE10318}
    CatalogFile     = %NPF_DriverName%.cat
    Provider        = %Insecure%
    DriverVer=05/15/2015,14.48.38.905
    
    
    [Manufacturer]
    %Insecure%=Insecure,NTx86,NTia64,NTamd64
    
    [Insecure.NTx86]
    %NPF_Desc%=Install, INSECURE_NPF
    
    [Insecure.NTia64]
    %NPF_Desc%=Install, INSECURE_NPF
    
    [Insecure.NTamd64]
    %NPF_Desc%=Install, INSECURE_NPF
    
    ;-------------------------------------------------------------------------
    ; Installation Section
    ;-------------------------------------------------------------------------
    [Install]
    AddReg=Inst_Ndi
    Characteristics=0x40000
    NetCfgInstanceId="{7daf2ac8-e9f6-4765-a842-f1f5d2501340}"
    Copyfiles = npf.copyfiles.sys
    
    [SourceDisksNames]
    1=%NPF_Desc%,"",,
    
    [SourceDisksFiles]
    npf.sys=1
    
    [DestinationDirs]
    DefaultDestDir=12
    npf.copyfiles.sys=12
    
    [npf.copyfiles.sys]
    %NPF_DriverName%.sys,,,2
    
    
    ;-------------------------------------------------------------------------
    ; Ndi installation support
    ;-------------------------------------------------------------------------
    [Inst_Ndi]
    HKR, Ndi,Service,,%NPF_DriverName%
    HKR, Ndi,CoServices,0x00010000,%NPF_DriverName%
    HKR, Ndi,HelpText,,%NPF_HelpText%
    HKR, Ndi,FilterClass,, compression
    
    
    ; For a Monitoring filter, use this:
    ;     HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
    ; For a Modifying filter, use this:
    ;     HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
    HKR, Ndi,FilterType,0x00010001,2
    
    
    HKR, Ndi\Interfaces,UpperRange, , noupper
    HKR, Ndi\Interfaces,LowerRange, , "ndis5,ndis4"
    
    
    ; TODO: Ensure that the list of media types below is correct.  Typically,
    ; filters include "ethernet".  Filters may also include "ppip" to include
    ; native WWAN stacks, but you must be prepared to handle the packet framing.
    ; Possible values are listed on MSDN, but common values include:
    ;     ethernet, wan, ppip, wlan
    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"
    
    
    ; For a Mandatory filter, use this:
    ;     HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
    ; For an Optional filter, use this:
    ;     HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
    HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
    
    
    ; By default, Mandatory filters unbind all protocols when they are
    ; installed/uninstalled, while Optional filters merely pause the stack.  If you
    ; would like to override this behavior, you can include these options.  These
    ; options only take effect with 6.30 filters on Windows "8" or later.
    ; To prevent a full unbind, and merely pause/restart protocols:
    ;     HKR, Ndi,UnbindOnAttach,0x00010001, 0 ; Do not unbind during FilterAttach
    ;     HKR, Ndi,UnbindOnDetach,0x00010001, 0 ; Do not unbind during FilterDetach
    ; To force a full unbind/bind (which includes pause/restart, of course):
    ;     HKR, Ndi,UnbindOnAttach,0x00010001, 1 ; Unbind during FilterAttach
    ;     HKR, Ndi,UnbindOnDetach,0x00010001, 1 ; Unbind during FilterDetach
    ;
    
    ;-------------------------------------------------------------------------
    ; Service installation support
    ;-------------------------------------------------------------------------
    [Install.Services]
    AddService=%NPF_DriverName%,,NPF_Service_Inst
    
    [NPF_Service_Inst]
    DisplayName     = %NPF_Desc%
    ServiceType     = 1 ;SERVICE_KERNEL_DRIVER
    StartType       = 3 ;SERVICE_DEMAND_START
    ErrorControl    = 1 ;SERVICE_ERROR_NORMAL
    ServiceBinary   = %12%\%NPF_DriverName%.sys
    LoadOrderGroup  = NDIS
    Description     = %NPF_Desc%
    AddReg          = Common.Params.reg, NdisImPlatformBindingOptions.reg
    
    [Install.Remove.Services]
    DelService=%NPF_DriverName%,0x200 ; SPSVCINST_STOPSERVICE
    
    [Common.Params.reg]
    
    [NdisImPlatformBindingOptions.reg]
    ; By default, when an LBFO team or Bridge is created, all filters will be
    ; unbound from the underlying members and bound to the TNic(s). This keyword
    ; allows a component to opt out of the default behavior
    ; To prevent binding this filter to the TNic(s):
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
    ; To prevent unbinding this filter from underlying members:
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
    ; To prevent both binding to TNic and unbinding from members:
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or unbind from Members
    HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior
    
    [Strings]
    NPF_DriverName = "npf"
    Insecure = "Nmap Project"
    NPF_Desc = "Npcap Packet Driver (NPCAP)"
    NPF_HelpText = "A NDIS 6 filter driver & WFP callout driver to support packet capturing and sending under Windows 7, 8 & 10"
    


    Sunday, March 27, 2016 1:15 AM
  • Check the MediaType of the MUX's miniport INF file (it will be in C:\Windows\INF), and ensure that it is part of your FilterMediaTypes.

     -Brian


    Sunday, March 27, 2016 1:22 AM
    Moderator
  • I think you mean the NdisMedium802_3 in NdisImPlatformMp.inf? I'm not sure about it, because it doesn't look like the other values:

    My INF file now:

    ; TODO: Ensure that the list of media types below is correct.  Typically,
    ; filters include "ethernet".  Filters may also include "ppip" to include
    ; native WWAN stacks, but you must be prepared to handle the packet framing.
    ; Possible values are listed on MSDN, but common values include:
    ;     ethernet, wan, ppip, wlan
    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower, NdisMedium802_3"

    I rebuilt and installed my driver, but it still doesn't work.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Linkage\FilterList didn't list my driver's GUID. (0001 is one of the bridged Ethernet adapters: Intel(R) 82574L Gigabit Network Connection)

    Did I do anything wrong here?

    Here is part of NdisImPlatformMp.inf, in case it is useful:

    [NdisImPlatformMp.ndi]
    AddReg             = NdisImPlatformMp.ndi.AddReg
    Characteristics    = 0x21          ; NCF_NOT_USER_REMOVABLE | NCF_VIRTUAL
    *IfType            = 6             ; IF_TYPE_ETHERNET_CSMACD 
    *MediaType         = 0             ; NdisMedium802_3 
    *PhysicalMediaType = 14            ; NdisPhysicalMedium802_3
    
    [NdisImPlatformMp.ndi.AddReg]
    HKR, Ndi, Service,  0,  NdisImPlatformMp
    HKR, Ndi, HelpText, 0,  "@%%SystemRoot%%\System32\drivers\ndisimplatform.sys,-530"
    HKR, Ndi\Interfaces,    UpperRange, 0,  "ndis5"
    HKR, Ndi\Interfaces,    LowerRange, 0,  "ethernet, ms_implatform"


    Sunday, March 27, 2016 2:33 AM
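A check for the binding state discussed in this post, added here as an example and not part of the thread: it assumes the NetCfgInstanceId ({7daf2ac8-e9f6-4765-a842-f1f5d2501340}) and the component ID (INSECURE_NPF) from the npf.inf posted earlier, walks the same Linkage\FilterList key under every adapter instance to report which stacks (physical members and the MUX/bridge miniport) carry the filter, and cross-checks the result with Get-NetAdapterBinding.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell.
# Values below are taken from the npf.inf shown above (assumption: unchanged INF).
$FilterGuid  = '{7daf2ac8-e9f6-4765-a842-f1f5d2501340}'   # NetCfgInstanceId in [Install]
$ComponentId = 'INSECURE_NPF'                              # model id in [Insecure.NTamd64]
$NetClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'

function Get-NdisFilterBindings {
    # One row per adapter instance (0000, 0001, ...) under the network class key.
    Get-ChildItem -Path $NetClassKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d{4}$' } |
        ForEach-Object {
            $inst = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

            # Miniport edge ranges live under Ndi\Interfaces; the MUX miniport
            # advertises LowerRange "ethernet, ms_implatform" as seen in NdisImPlatformMp.inf.
            $ndi = Get-ItemProperty -Path "$($_.PSPath)\Ndi\Interfaces" -ErrorAction SilentlyContinue

            # FilterList is REG_MULTI_SZ; entries look like {adapterGuid}-{filterGuid}-0000.
            $fl = (Get-ItemProperty -Path "$($_.PSPath)\Linkage" -ErrorAction SilentlyContinue).FilterList
            if ($null -eq $fl) { $fl = @() } else { $fl = @($fl) }
            $bound = @($fl | Where-Object { $_ -like "*$FilterGuid*" }).Count -gt 0

            [pscustomobject]@{
                Instance    = $_.PSChildName
                Description = $inst.DriverDesc
                LowerRange  = $ndi.LowerRange
                FilterCount = $fl.Count
                NpfBound    = $bound
            }
        }
}

Get-NdisFilterBindings | Format-Table -AutoSize

# NetCfg's view of the same thing: Enabled/Disabled per adapter for the filter component.
Get-NetAdapterBinding -ComponentID $ComponentId -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize
```

An adapter whose LowerRange contains ms_implatform but whose NpfBound is False is the MUX miniport that the filter failed to attach to; a member NIC with NpfBound False after the bridge is created is the default unbind-from-members behavior described in the NdisImPlatformBindingOptions comments.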
  • Sorry, I meant the LowerRange on the miniport edge, which in this case is "Ethernet, ms_implatform". You should be loaded. The only reason I can think of why you wouldn't be is because the MUX's notify object is trimming you out. Replace NdisMedium802_3 with ms_implatform in your FilterMediaTypes. If that doesn't work, then I'll have Jeff look at it.

     -Brian


    Sunday, March 27, 2016 3:34 AM
    Moderator
  • I have modified my INF file to this, then rebuilt and installed it.

    ; TODO: Ensure that the list of media types below is correct.  Typically,
    ; filters include "ethernet".  Filters may also include "ppip" to include
    ; native WWAN stacks, but you must be prepared to handle the packet framing.
    ; Possible values are listed on MSDN, but common values include:
    ;     ethernet, wan, ppip, wlan
    HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, ms_implatform, fddi, wan, ppip, wlan, bluetooth, ndis5, vwifi, flpp4, flpp6, vchannel, nolower"

    But unfortunately, it still doesn't work. The member adapters are not listed by my driver, and my driver GUID doesn't show up in the above-mentioned registry key.

    Just FYI, my driver is an integration of an LWF driver and a WFP callout, so there are two INFs. I don't know whether this is related. I added ms_implatform to both INF files. The contents of the two INFs can be found at:

    https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/npf.inf

    https://github.com/nmap/npcap/blob/master/packetWin7/npf/npf/npf_wfp.inf

    My test machine is a VMware guest running Win10 10586 x64. Hope this will help.

    Sunday, March 27, 2016 7:48 AM
  • UPDATE:

    I found these comments in my driver's INF file (which is inherited from the ndislwf example):

    [NdisImPlatformBindingOptions.reg]
    ; By default, when an LBFO team or Bridge is created, all filters will be
    ; unbound from the underlying members and bound to the TNic(s). This keyword
    ; allows a component to opt out of the default behavior
    ; To prevent binding this filter to the TNic(s):
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
    ; To prevent unbinding this filter from underlying members:
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
    ; To prevent both binding to TNic and unbinding from members:
    ;   HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or unbind from Members

    This seems to be the option I'm looking for? So I changed this option to 2:

    HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2

    However, it doesn't work either.

    Waiting for better solutions here...


    Tuesday, March 29, 2016 5:16 AM
  • Hi.

    Any updates on this issue? Thanks!

    Tuesday, April 5, 2016 6:07 AM
  • I asked Jeff to take a look at this thread, but I guess that he's busy.

     -Brian


    Tuesday, April 5, 2016 6:13 PM
    Moderator