How to get process ID in an NDIS driver

Hey.

I’m trying to write a little application-level firewall, by writing an NDIS 6.0 filter driver, using the filter sample of the DDK.

When I receive a data packet, a NET_BUFFER_LIST in my FilterSendNetBufferLists, I need some way to get the process ID of the process which sent the data.

Is there any way to do it in NDIS in a similar way to the WDM’s IoGetRequestorProcessId(PIRP irp)?

Thanks

At the NDIS level you cannot get process information. Sorry. End of subject.

Since you are working on Vista, you may want to consider using the Windows Filtering Platform (WFP) instead. That magic Microsoft concoction, along with Windows Sockets Kernel (WSK), solves all the world’s problems.

No, it isn’t available on pre-Vista platforms.

Thomas F. Divine
http://www.pcausa.com

#define NDIS_WDM 1

> When I receive a data packet, a NET_BUFFER_LIST in my FilterSendNetBufferLists, I need some way to get the process ID of the process which sent the data.

If you want to relate packets at NDIS level to the originator process, you need an additional component at the upper edge, i.e. TDI filter on pre-Vista OS and WFP on Vista. This is how firewalls and packet filters normally do things - upper component relates packet information (i.e. address and port number) to the originating process, so that at NDIS level you can use this packet information to relate the packet to the originating process.

Once you target Vista, please note that WFP offers information about PID at some filtering layers, which simplifies things. However, as far as I recall from a project I did a year ago (I had exactly the same requirement that you do), filtering level-related information on MSDN is not so precise, so to say (in fact, the same seems to be true for everything concerning WFP). Therefore, you need to experiment a bit and discover which filtering layer suits your needs best… In any case, despite some minor inconveniences and inconsistencies in documentation, this task seems to be easier on Vista, compared to pre-Vista OS versions…

Anton Bassov
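The two-tier design Anton describes, as an added example that is not code from this thread or from any of its posters: a user-mode C model in which the "upper edge" (in a real driver, a WFP ALE callout such as one at FWPM_LAYER_ALE_AUTH_CONNECT_V4, where the classify callback is handed the caller's PID in inMetaValues->processId) records which process owns a socket 4-tuple, and the "lower edge" (in a real driver, the LWF's FilterSendNetBufferLists, which sees only raw frames) parses the Ethernet/IPv4/TCP headers and looks the flow up. The frames, addresses and PIDs are constructed for the demo, checksums are left zero, the table is a fixed-size open-addressing hash with no locking and no removal on socket close (both of which a kernel driver needs), and the helper names are this example's own, not NDIS or WFP APIs.

```c
/* Added example (not from the thread): user-mode model of correlating
 * packets seen at the NDIS level with the process that owns the socket,
 * via a flow table filled in by an upper-edge (WFP ALE) component.
 * Constructed data throughout; no locking; no entry removal. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLOW_TABLE_SIZE 64

struct flow_key {
    uint32_t src_ip, dst_ip;     /* host byte order */
    uint16_t src_port, dst_port; /* host byte order */
    uint8_t  proto;              /* 6 = TCP, 17 = UDP */
};

struct flow_entry { struct flow_key key; uint32_t pid; int used; };

static struct flow_entry g_flows[FLOW_TABLE_SIZE];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Compare field by field: memcmp would also compare struct padding. */
static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

static unsigned flow_hash(const struct flow_key *k) {
    uint32_t h = k->src_ip * 2654435761u;
    h ^= k->dst_ip * 2246822519u;
    h ^= ((uint32_t)k->src_port << 16) | k->dst_port;
    h ^= k->proto;
    return h % FLOW_TABLE_SIZE;
}

/* Upper edge (what an ALE callout would do): record that `pid` owns this
 * 4-tuple. Linear probing; returns -1 when the table is full. */
int flow_table_add(const struct flow_key *k, uint32_t pid) {
    unsigned i = flow_hash(k);
    for (unsigned n = 0; n < FLOW_TABLE_SIZE; n++, i = (i + 1) % FLOW_TABLE_SIZE) {
        if (!g_flows[i].used || key_eq(&g_flows[i].key, k)) {
            g_flows[i].key = *k;
            g_flows[i].pid = pid;
            g_flows[i].used = 1;
            return 0;
        }
    }
    return -1;
}

/* Extract the 4-tuple from an Ethernet/IPv4/{TCP,UDP} frame. Returns 0 on
 * success, -1 for anything that cannot be attributed: non-IPv4, non-TCP/UDP,
 * truncated headers, or a non-first fragment (which carries no L4 header). */
int parse_frame(const uint8_t *buf, size_t len, struct flow_key *k) {
    if (len < 14 + 20) return -1;
    if (rd16(buf + 12) != 0x0800) return -1;          /* EtherType IPv4 */
    const uint8_t *ip = buf + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) return -1;
    if (rd16(ip + 6) & 0x1fff) return -1;             /* fragment offset != 0 */
    memset(k, 0, sizeof *k);
    k->proto = ip[9];
    if (k->proto != 6 && k->proto != 17) return -1;
    k->src_ip   = rd32(ip + 12);
    k->dst_ip   = rd32(ip + 16);
    k->src_port = rd16(ip + ihl);
    k->dst_port = rd16(ip + ihl + 2);
    return 0;
}

/* Lower edge (what FilterSendNetBufferLists would do per packet).
 * Returns the owning PID, or 0 when the flow is unknown or unparseable. */
uint32_t lookup_pid_for_frame(const uint8_t *buf, size_t len) {
    struct flow_key k;
    if (parse_frame(buf, len, &k) != 0) return 0;
    unsigned i = flow_hash(&k);
    for (unsigned n = 0; n < FLOW_TABLE_SIZE; n++, i = (i + 1) % FLOW_TABLE_SIZE) {
        if (!g_flows[i].used) return 0;               /* end of probe chain */
        if (key_eq(&g_flows[i].key, &k)) return g_flows[i].pid;
    }
    return 0;
}

/* Build a minimal 54-byte Ethernet/IPv4/TCP SYN frame (constructed demo
 * data; IP and TCP checksums left zero). Returns the frame length. */
size_t build_frame(uint8_t out[54], uint32_t sip, uint32_t dip,
                   uint16_t sport, uint16_t dport, uint8_t proto) {
    memset(out, 0, 54);
    wr16(out + 12, 0x0800);
    uint8_t *ip = out + 14;
    ip[0] = 0x45; wr16(ip + 2, 40); wr16(ip + 6, 0x4000); ip[8] = 64; ip[9] = proto;
    wr32(ip + 12, sip); wr32(ip + 16, dip);
    wr16(ip + 20, sport); wr16(ip + 22, dport); ip[32] = 0x50; ip[33] = 0x02;
    return 54;
}

int main(void) {
    struct flow_key k = { 0xC0A80105u, 0x5DB8D822u, 49152, 443, 6 };
    uint8_t frame[54];
    flow_table_add(&k, 4242);   /* the ALE callout saw PID 4242 connect */
    build_frame(frame, 0xC0A80105u, 0x5DB8D822u, 49152, 443, 6);
    printf("known flow   -> pid %u\n", lookup_pid_for_frame(frame, 54));
    build_frame(frame, 0xC0A80105u, 0x5DB8D822u, 49153, 443, 6);
    printf("unknown flow -> pid %u\n", lookup_pid_for_frame(frame, 54));
    return 0;
}
```

Two things the model makes visible that the prose does not: the NDIS-level side is on the send path for every packet, so the lookup has to be cheap and the table shared with the upper edge under a real lock (or RCU-style scheme) in a driver, and some frames simply cannot be attributed to a process at this level (non-IP traffic, non-first fragments, anything not yet seen by the upper edge), so the firewall policy must decide up front whether unattributed traffic is dropped or passed.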

Thanks for your replies.

I’d like some way to make sure nothing passes through any network interface - that is why the NDIS filter option was so appealing…

What WFP layers are available? Do they match the NDIS filter layers? Is there some good example of WFP usage?

Thanks,
Ariel.

In that case what is wrong with unplugging the cables? Disabling the network adapters - don’t forget 1394?

> I’d like some way to make sure nothing passes through any network interface

In such case NDIS LWF is the right way to go…

> What WFP layers are available?

Check MSDN…

> do they match the NDIS filter layers?

No - WFP is all about IP, so that the lowest available level is still higher than that of NDIS…

Anton Bassov

Is there some way to be sure nothing passes through with WFP? Could I just disable any network cards of all kinds in a WFP component programmatically, much like a user can through the “control panel”?

Ariel

You don’t want to disable physical netcards, otherwise (surprise!) nothing of your filtered traffic will get outside at all.

Regards,
–PA

Say I’m waiting for some interrupt or another IOCTL which the user sends, to let me know it is now OK to enable the network cards.

I want the option of disabling some of them…is there some WFP API for that?

Ariel

In Vista+, WMI class Win32_NetworkAdapter has method Disable().

–PA

It can also be used in XP for sure. And IIRC for 2k SP4 as well.


V.