OSR Online Lists > ntdev
  Message 1 of 8  
11 Apr 17 03:54
ntdev member 167998
xxxxxx@gmail.com
Join Date:
Posts To This List: 33
Intercepting ping calls and the calling process

I downloaded the Windows Filtering Platform sample, which was able to retrieve the process IDs at the connect layer. However, when I use ping in cmd, neither was the connect callback fired nor was it able to retrieve the calling process ID at the transport layer! Any idea how to do that for ICMP packets?
  Message 2 of 8  
11 Apr 17 08:09
Jason Stephenson
xxxxxx@live.co.uk
Join Date: 13 Jul 2015
Posts To This List: 49
Intercepting ping calls and the calling process

What are your callout filters? ALE_AUTH_CONNECT should be triggered for the first outbound non-error ICMP packet sent (https://msdn.microsoft.com/en-us/library/windows/desktop/bb613460(v=vs.85).aspx).
  Message 3 of 8  
15 Apr 17 21:22
ntdev member 167998
xxxxxx@gmail.com
Join Date:
Posts To This List: 33
Intercepting ping calls and the calling process

Hey Jason, thanks for your reply. I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the process ID I get ID = 4, which is obviously not the correct one.
  Message 4 of 8  
16 Apr 17 02:51
Julian Navascues
xxxxxx@gmail.com
Join Date: 25 Apr 2012
Posts To This List: 27
Intercepting ping calls and the calling process

Maybe PID=4 is not so obviously incorrect for ICMP... but it would be great to retrieve the PID of ping.exe.

On Sun, 16 Apr 2017 at 3:21, <xxxxx@gmail.com> wrote:
> Hey Jason, thanks for your reply.
>
> I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the
> process ID I get ID = 4, which is obviously not the correct one.
  Message 5 of 8  
16 Apr 17 20:45
ntdev member 167998
xxxxxx@gmail.com
Join Date:
Posts To This List: 33
Intercepting ping calls and the calling process

@Julian Navascues, any idea how to get around this?
  Message 6 of 8  
17 Apr 17 03:29
Julian Navascues
xxxxxx@gmail.com
Join Date: 25 Apr 2012
Posts To This List: 27
Intercepting ping calls and the calling process

I don't know... maybe a TDI filter filtering \Device\Ip to catch the PID? But are TDI filters still working nowadays? Also... depending on what you need, it may not be enough.

2017-04-17 2:44 GMT+02:00 <xxxxx@gmail.com>:
> @Julian Navascues
>
> Any idea how to get around this?
  Message 7 of 8  
20 Apr 17 02:08
Jason Stephenson
xxxxxx@live.co.uk
Join Date: 13 Jul 2015
Posts To This List: 49
Intercepting ping calls and the calling process

> However, when I use ping in cmd, neither was the connect callback fired nor was it able to retrieve the calling process ID at the transport layer!

> I used ALE_AUTH_CONNECT. The problem is that when I try to retrieve the process ID I get ID = 4

Is your callout being invoked or not? How are you getting the processId? It is available via inMetaValues->processId at the ALE_CONNECT_REDIRECT layers, so I would expect it to be available at the ALE_AUTH_CONNECT layer too. :)
  Message 8 of 8  
21 Apr 17 21:54
ntdev member 167998
xxxxxx@gmail.com
Join Date:
Posts To This List: 33
Intercepting ping calls and the calling process

@Jason, I am able to retrieve the processId via inMetaValues, but my main problem is that the returned processId is not what I am expecting. For example, instead of getting the process ID of ping.exe, which I suppose is the process that invokes the ping command, I get process ID 4. I don't know if I am doing something wrong or if this is what is expected?
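The thread ends without settling why the callout sees PID 4 (the Windows System process) for ping.exe. The program below is an added diagnostic, not code from the thread or from the WFP sample: it builds an ICMPv4 echo request and sends it from a raw socket owned by this process, so the callout's processId at ALE_AUTH_CONNECT can be checked against a packet whose originating process is known. If a raw-socket sender is attributed correctly while ping.exe still shows PID 4, the attribution follows the sender's path into the stack rather than the callout; the thread itself does not answer which it is. The checksum and message builder follow RFC 1071 and RFC 792; the target 127.0.0.1, the echo identifier 0x1234 and the marker payload are assumptions for the demo, and the raw socket needs administrator rights on Windows (root on Linux).

```c
/* Added example: send an ICMPv4 echo request from a raw socket owned by
 * this process, to test WFP process attribution against a known sender.
 * Builds on Windows (link ws2_32) and on POSIX; the raw socket needs
 * elevated privileges either way. Target 127.0.0.1 is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "ws2_32.lib")
typedef SOCKET sock_t;
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
typedef int sock_t;
#define INVALID_SOCKET (-1)
#define closesocket close
#endif

#define ICMP_ECHO_REQUEST 8   /* ICMPv4 type 8, code 0 */
#define ICMP_HDR_LEN      8   /* type, code, checksum, identifier, sequence */

/* RFC 1071 Internet checksum; an odd trailing byte is zero-padded. */
uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xFFFFu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an echo request in buf; returns the message length, or 0 if cap is too small. */
size_t build_echo_request(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t payload_len)
{
    size_t len = ICMP_HDR_LEN + payload_len;
    if (cap < len)
        return 0;
    buf[0] = ICMP_ECHO_REQUEST;
    buf[1] = 0;                             /* code */
    buf[2] = buf[3] = 0;                    /* checksum is computed over zeros */
    buf[4] = (uint8_t)(id >> 8);
    buf[5] = (uint8_t)(id & 0xFF);
    buf[6] = (uint8_t)(seq >> 8);
    buf[7] = (uint8_t)(seq & 0xFF);
    memcpy(buf + ICMP_HDR_LEN, payload, payload_len);
    uint16_t csum = icmp_checksum(buf, len);
    buf[2] = (uint8_t)(csum >> 8);
    buf[3] = (uint8_t)(csum & 0xFF);
    return len;
}

/* A well-formed ICMP message checksums to zero once its checksum field is filled in. */
int icmp_message_ok(const uint8_t *msg, size_t len)
{
    return len >= ICMP_HDR_LEN && icmp_checksum(msg, len) == 0;
}

/* Send one echo request to dst from a raw ICMP socket; returns bytes sent or -1. */
int send_echo_request(const char *dst, uint16_t id, uint16_t seq)
{
    uint8_t msg[64];
    const uint8_t payload[] = "wfp-pid-test";   /* constructed marker payload */
    size_t len = build_echo_request(msg, sizeof msg, id, seq, payload, sizeof payload - 1);
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    if (len == 0 || inet_pton(AF_INET, dst, &to.sin_addr) != 1)
        return -1;
    sock_t s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP); /* the stack adds the IP header */
    if (s == INVALID_SOCKET)
        return -1;
    int n = (int)sendto(s, (const char *)msg, (int)len, 0, (struct sockaddr *)&to, sizeof to);
    closesocket(s);
    return n;
}

int main(void)
{
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0)
        return 1;
#endif
    int n = send_echo_request("127.0.0.1", 0x1234, 1);
    printf("sendto returned %d (a raw socket needs admin/root)\n", n);
#ifdef _WIN32
    WSACleanup();
#endif
    return n < 0;
}
```

Run it while the callout is loaded and compare the processId the callout reports for this packet with the one it reports for ping.exe; the identifier 0x1234 and the "wfp-pid-test" payload make the packet easy to pick out in a capture.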