Intercepting ping calls and the calling process

I downloaded the Windows Filtering Platform sample, which was able to retrieve the process IDs on the connect layer. However, when I use ping in cmd, neither was the connect callback fired nor was it able to retrieve the calling process ID in the transport layer! Any idea how to do that for ICMP packets?

What are your callout filters? ALE_AUTH_CONNECT should be triggered for the first outbound non-error ICMP packet sent (https://msdn.microsoft.com/en-us/library/windows/desktop/bb613460(v=vs.85).aspx).

Hey Jason thanks for your reply,

I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the process ID, I get ID 4, which is obviously not the correct one.

Maybe PID=4 is not so obviously incorrect for ICMP… but it would be great to retrieve the PID of ping.exe.

On Sun, 16 Apr 2017 at 3:21, wrote:

> Hey Jason thanks for your reply,
>
> I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the
> process id I get the id =4 which is obviously not the correct one.
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and
> software drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

@Julian Navascues

Any idea how to get around this?

I don’t know… maybe a TDI filter filtering \Device\Ip to catch the PID? But are TDI filters still working nowadays? Also… depending on what you need, it may not be enough.

2017-04-17 2:44 GMT+02:00 :

> @Julian Navascues
>
> Any idea how to get around this ?
>

> However, when I use ping in cmd neither connect callback was fired nor it was able to retrieve the calling process id in the transport layer!

> I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the process ID I get ID 4

Is your callout being invoked or not? How are you getting the processId? It is available via inMetaValues->processId at the ALE_CONNECT_REDIRECT layers, so I would expect it to be available at the ALE_AUTH_CONNECT layer too.

J

@Jason

I am able to retrieve the processId via inMetaValues, but my main problem is that the returned processId is not what I am expecting. For example, instead of getting the process ID of ping.exe, which I suppose is the process that invokes the ping command, I get process ID 4. I don’t know if I am doing something wrong or if this is what is expected?
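A check worth running at this point, added here as an example and not part of the thread: instead of trusting only what the callout returns, ask the platform itself which process it attributes the ICMP echo to. When success auditing is enabled for the "Filtering Platform Connection" subcategory, Windows writes Security event 5156 ("The Windows Filtering Platform has permitted a connection") for each permitted ALE connect, and the event's data carries ProcessID, Application and Protocol fields. The script below turns that audit on, runs ping.exe once, prints those fields for the ICMP (protocol 1) events to the target, and turns the audit back off. It assumes an elevated PowerShell on an English-locale system (the subcategory name is localized) and uses 192.0.2.1 as a placeholder target.

```powershell
# Added example, not from the original thread.
# Shows which process WFP itself attributes an outbound ICMP echo to, by reading
# the Security-log audit events the platform writes at the ALE connect layers.
# Assumes an elevated PowerShell and an English locale (the subcategory name is
# localized). $Target is a placeholder (TEST-NET-1); the connect event fires when
# the echo is sent, so the address does not need to answer.
param([string]$Target = '192.0.2.1')

$Subcategory = 'Filtering Platform Connection'

# 1. Turn on success auditing: every permitted connection now writes event 5156.
auditpol /set /subcategory:"$Subcategory" /success:enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed; run from an elevated prompt' }

try {
    $start = Get-Date

    # 2. Generate the traffic under test: one ICMP echo request from ping.exe.
    ping.exe -n 1 -w 1000 $Target | Out-Null

    # Audit events are written asynchronously; give the log a moment.
    Start-Sleep -Seconds 2

    # 3. Pull the 5156 events written since $start and unpack their EventData.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $start } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }

        # Protocol is the IP protocol number; 1 is ICMP. Keep only the echo to $Target.
        if ($d.Protocol -eq '1' -and $d.DestAddress -eq $Target) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                ProcessID   = $d.ProcessID     # compare with inMetaValues->processId in the callout
                Application = $d.Application   # device path of the image, or 'System'
                LayerName   = $d.LayerName
                Source      = $d.SourceAddress
                Destination = $d.DestAddress
            }
        }
    }
}
finally {
    # 4. Always turn the audit back off; 5156 is noisy on a busy host.
    auditpol /set /subcategory:"$Subcategory" /success:disable | Out-Null
}
```

Save it as a .ps1 and run it from an elevated prompt. If the ProcessID and Application the audit records for the echo match what the callout reads from inMetaValues, the callout is reporting what the platform itself attributes the packet to, and the question is about how ICMP echoes are attributed rather than about the callout code; if they differ, the callout is reading the wrong thing.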