Tag Archives: NDIS IM

Network traffic filtering technologies for Windows

Network traffic filtering techniques for Windows, whether implemented in user mode or kernel mode, fall into one of two categories: stream-based and packet-based methods. This document presents useful techniques for building robust security software products such as personal firewalls and VPN clients for Windows 2000 or higher.

Before going further with this article, I would personally recommend WFP for Vista and higher, and TDI filters + NDIS Hook for earlier versions, to build a combined stream and packet filtering solution.

Winsock Layered Service Provider

A Winsock Layered Service Provider (LSP) is a DLL that operates on the Winsock functions to inspect, modify and intercept inbound and outbound Internet traffic as streams rather than packets. An LSP also runs in the address space of the process it intercepts, making it easy to filter streams based on the caller's PID, short name or full path.

LSPs can be chained and are a useful tool for data monitoring, content filtering, stream-based sniffers, Quality of Service (QoS), authentication, encryption and so on. LSP technology is also often exploited by spyware and adware programs to bombard users with advertisements and email spam.

There is one known limitation and one common issue with LSPs. On some Windows versions, an LSP can be bypassed by calling the TCP/IP stack directly via TDI, which renders, for instance, Trojan or virus protection at this level useless. A bogus LSP, or an improper LSP removal/unregistration operation, may break the whole TCP/IP stack or leave the machine without a working network connection.

Windows 2000/XP Filter Hook Driver

A Filter Hook driver is supported on Windows 2000/XP only and is implemented as a kernel-mode driver. It operates by registering a callback with the IP Filter Driver that is called whenever a packet is sent or received. Filtering rules are limited to a pass, drop or forward decision based on IP address and port information.

The callback registration process uses an IRP with IOCTL_PF_SET_EXTENSION_POINTER as the I/O control code and a PF_SET_EXTENSION_HOOK_INFO structure filled with a pointer to the callback routine.

A Filter Hook driver is simple to implement but has three serious limitations. Only one callback routine can be installed on the system at a time. It is not possible to filter Ethernet frames. Outgoing packets cannot be modified.
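The decision logic such a callback performs, as an added example that is not part of the original article: the PF_* action values and the callback signature are re-declared from pfhook.h so the file compiles stand-alone in user mode, the deny table is a constructed sample policy, and the kernel-only registration step via IOCTL_PF_SET_EXTENSION_POINTER is not shown.

```c
#include <stdint.h>
#include <stdio.h>

/* Re-declared from pfhook.h so the file compiles stand-alone in user mode. */
typedef enum { PF_FORWARD = 0, PF_DROP = 1, PF_PASS = 2 } PF_FORWARD_ACTION;

/* Constructed deny table: first match drops, anything else passes (sample policy only). */
typedef struct { uint32_t src_net, src_mask; uint8_t proto; uint16_t dst_port; } DenyRule;
static const DenyRule DENY[] = {
    { 0xC0A80000u, 0xFFFF0000u,  6, 445 },   /* TCP/445 from 192.168.0.0/16 */
    { 0x00000000u, 0x00000000u, 17, 161 },   /* UDP/161 from any source     */
};

static uint32_t be32(const unsigned char *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Same signature as PacketFilterExtensionPtr: PacketHeader is the IPv4 header,
 * Packet is the data that follows it (the transport header), PacketLength its length. */
PF_FORWARD_ACTION FilterCallback(unsigned char *PacketHeader, unsigned char *Packet,
                                 unsigned int PacketLength, unsigned int RecvInterfaceIndex,
                                 unsigned int SendInterfaceIndex, unsigned long RecvLinkNextHop,
                                 unsigned long SendLinkNextHop)
{
    uint32_t src = be32(PacketHeader + 12);             /* source address at offset 12 */
    uint8_t proto = PacketHeader[9];                    /* protocol at offset 9        */
    uint16_t dport; size_t i;
    (void)RecvInterfaceIndex; (void)SendInterfaceIndex; (void)RecvLinkNextHop; (void)SendLinkNextHop;
    if ((PacketHeader[0] >> 4) != 4) return PF_PASS;    /* not IPv4: nothing to match   */
    if (proto != 6 && proto != 17) return PF_PASS;      /* only TCP and UDP carry ports */
    if (PacketLength < 4) return PF_DROP;               /* truncated transport header   */
    dport = (uint16_t)((Packet[2] << 8) | Packet[3]);   /* dst port at offset 2 in both */
    for (i = 0; i < sizeof DENY / sizeof DENY[0]; i++)
        if (DENY[i].proto == proto && DENY[i].dst_port == dport &&
            (src & DENY[i].src_mask) == DENY[i].src_net)
            return PF_DROP;
    return PF_PASS;
}

/* Build a constructed IPv4 header plus transport header and run them through the callback. */
PF_FORWARD_ACTION DecideSample(uint32_t src, uint32_t dst, uint8_t proto, uint16_t dst_port)
{
    unsigned char ip[20] = {0x45}, transport[20] = {0};     /* IPv4, IHL = 5, no options */
    int k;
    ip[9] = proto;
    for (k = 0; k < 4; k++) { ip[12 + k] = (unsigned char)(src >> (24 - 8 * k));
                              ip[16 + k] = (unsigned char)(dst >> (24 - 8 * k)); }
    transport[2] = (unsigned char)(dst_port >> 8); transport[3] = (unsigned char)dst_port;
    return FilterCallback(ip, transport, sizeof transport, 1, 0, 0, 0);
}

int main(void)
{
    printf("TCP/445 from 192.168.1.5 -> %s\n",
           DecideSample(0xC0A80105u, 0x0A000001u, 6, 445) == PF_DROP ? "PF_DROP" : "PF_PASS");
    return 0;
}
```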

Windows 2000/XP Firewall Hook Driver

A Firewall Hook driver is very similar to a Filter Hook driver but installs its callback in the IP driver. The callback registration process uses an IRP with IOCTL_IP_SET_FIREWALL_HOOK as the I/O control code and an IP_SET_FIREWALL_HOOK_INFO structure filled with a pointer to the callback routine.

Although it is not well documented, writing a Firewall Hook driver requires only a few lines of code. The main limitation is that it is supported on Windows 2000 and XP only.

NDIS Hook Driver

There are two known techniques for writing an NDIS Hook driver. The first is based on intercepting some NDIS wrapper functions at runtime: a kernel-mode driver patches NDIS.sys in memory to replace the addresses of the NdisRegisterProtocol, NdisDeregisterProtocol, NdisOpenAdapter and NdisCloseAdapter functions with its own.

The second is based on registering a fake NDIS Protocol driver solely to obtain a pointer to an internal NDIS structure, NDIS_PROTOCOL_BLOCK.

At this level, both methods have enough information to substitute all protocol and adapter handlers and thereby gain full control over all network traffic.

Although these approaches rely on sophisticated hacking techniques and require a good understanding of the internals of the different NDIS versions, an NDIS Hook driver is easy to install and able to filter, inject or modify packets. Several security software products, including personal firewalls and VPN clients, use these techniques.

This approach is discouraged for Windows Vista and higher.

NDIS Intermediate Driver

An NDIS intermediate driver, also called an NDIS IM driver, is inserted just above miniport drivers and just below transport protocols in the overall networking protocol stack, allowing incoming and outgoing packets to be filtered, inspected or modified. An NDIS intermediate driver is a documented alternative to NDIS Hook drivers and offers the same functionality.

NDIS intermediate drivers should be digitally signed by Microsoft to allow silent installation. This technology is replaced by NDIS Lightweight Filter drivers on Vista and higher.

NDIS Lightweight Filter Driver

NDIS Lightweight Filter drivers (LWF drivers) were introduced in Windows Vista and higher to replace NDIS intermediate driver technology. They offer the same packet filtering, inspection and modification capabilities.

NDIS Lightweight Filter drivers are easier to implement and are designed to improve overall performance.

TDI Filter Driver

The Transport Driver Interface (TDI) defines a kernel-mode network interface that is exposed at the upper edge of all transport protocol stacks. TDI also provides standard methods for protocol addressing, sending and receiving datagrams, writing and reading streams, initiating connections and detecting disconnects, making it the only socket interface in the kernel.

TDI Filter drivers sit between TDI clients (such as AFD.sys and NETBT.sys) and TDI transports (such as TCPIP.sys) and intercept the communication between them. In the case of TCP/IP filtering, the technique consists of writing a kernel-mode driver that layers itself over the devices created by the TCPIP.sys driver (\Device\RawIp, \Device\Udp, \Device\Tcp, \Device\Ip and \Device\MULTICAST) using the IoAttachDevice routine. A good understanding of how to handle and interact with IRPs is required.

It is recommended to stop using TDI filters and move to the Windows Filtering Platform (WFP) on Vista and later platforms. Windows lets TDI filters see TCP/IP traffic only for compatibility reasons, and this path does not yield good performance.

Windows Filtering Platform

Windows Filtering Platform (WFP) is a new architecture available in Windows Vista and higher that was built to replace all existing packet filtering technologies, such as Winsock LSPs, TDI filters and NDIS intermediate drivers, and to provide better performance and lower development complexity. Callout drivers, the Filter Engine, the Base Filtering Engine and Shims are the components of the WFP architecture.

The WFP API consists of a user-mode API and a kernel-mode API that interact with the packet processing that takes place at several layers of the networking stack. With WFP, incoming and outgoing packets can be filtered and modified before they reach their destination, making this architecture ideal for implementing various filtering applications and solutions (such as personal firewalls, intrusion detection systems, antivirus programs, network monitoring tools and parental controls). WFP arbitration rules also minimize the risk that software components are affected by a future Service Pack release.

WFP is highly recommended for developing security-related solutions on Vista and higher.

NDIS driver types

Windows network driver developers interested in network interface card (NIC) drivers, or in Ethernet/IP packet interception, filtering and modification, must have a good understanding of the Network Driver Interface Specification (NDIS).
In this document I focus mainly on NDIS 5.0 or higher and on the most common network driver types (Windows versions prior to 2000 are no longer widely used).

Introduction

NDIS was originally developed to hide the underlying complexity of the NIC hardware and to allow multiple network adapters and higher-level protocol drivers (such as TCP/IP, NetBEUI and others) to coexist in a single computer. Early versions of NDIS were jointly developed by Microsoft and the 3Com Corporation. Versions starting from 2.0 are Microsoft proprietary specifications. The open source ndiswrapper project also allows many NDIS-compliant NICs to be used with Linux.

NDIS is implemented as a kernel-mode driver called NDIS.sys, sometimes referred to as the NDIS wrapper. The latter is a small piece of code surrounding all types of NDIS device drivers. It aims to hide platform dependencies and to maintain state information and parameters for network drivers.
The next sections describe the most common NDIS driver types, as illustrated in the following simplified diagram:

NDIS Protocol Driver

The NDIS protocol driver is the highest driver in the NDIS hierarchy of drivers. At its upper edge, it exports ProtocolXxx functions to the lower edge of the transport protocol stack (such as a TCP/IP stack). At its lower edge, it interfaces with NDIS intermediate drivers and NDIS miniport drivers.

Protocol drivers always use NDIS-provided functions to communicate with underlying NDIS drivers in order to send and receive packets. The NDIS wrapper also calls the ProtocolXxx functions for its own purposes or on behalf of lower-level drivers, for instance to indicate received packets upward or to indicate the status of lower-level drivers.
NDIS protocol drivers are often used to inject or capture packets on the network.

NDIS Miniport Driver

A miniport driver is a driver that connects hardware devices to higher-level drivers (protocol drivers, intermediate drivers and filter drivers) and implements sending and receiving data on the network adapter. The most common miniport driver types are:

    • Connectionless miniport drivers
    • Connection-oriented miniport drivers
    • NDISWAN miniport drivers
    • Non-NDIS Lower Interface miniport drivers

Connectionless miniport drivers control NICs for connectionless network media, such as Ethernet, FDDI and Token Ring. Connectionless miniport drivers can be serialized or deserialized. Serialized drivers rely on NDIS to sequence calls to miniport functions and to manage send queues. Deserialized miniport drivers internally queue all incoming send packets rather than relying on NDIS, which can result in better full-duplex performance.

Connection-oriented miniport drivers control NICs for connection-oriented network media, such as ISDN. Connection-oriented miniport drivers are always deserialized, and a connection must be established between two endpoints before data can be exchanged.

NDISWAN miniport drivers contain the code necessary to operate dial-up equipment. They are used with ISDN, Frame Relay and X.25.

A Non-NDIS lower interface driver is a connection-oriented miniport driver that exposes a standard NDIS miniport driver interface at its top edge but, at its bottom edge, can interface with devices such as USB, IEEE 1394 and serial devices by sending I/O request packets (IRPs).

NDIS Virtual Miniport Driver

A virtual miniport driver is a miniport driver that does not interact directly with any physical network adapter. A virtual miniport driver adds a virtual adapter that shows up in the network connections and in the output of ipconfig.

NDIS virtual miniport drivers are used in several VPN clients and virtualization products.

NDIS Intermediate Driver

An NDIS intermediate driver, also called an NDIS IM driver, looks like a protocol driver to an underlying miniport driver and like a miniport driver to an overlying protocol driver. An intermediate driver is inserted just above miniport drivers and just below transport protocols in the overall networking protocol stack, allowing incoming and outgoing packets to be filtered, inspected or modified. There are two types of NDIS intermediate driver: the LAN emulation intermediate driver and the filter driver.

The LAN emulation intermediate driver translates packets from the overlying connectionless transport's LAN format to a connection-oriented format (such as ATM), allowing them to be sent over a separate and different medium.

Filter drivers perform special operations (such as compression, encryption and tracing) on packets being transported through them. Various services use this type of driver, such as the packet scheduler in Quality of Service (QoS) and Network Load Balancing.

NDIS Lightweight Filter Driver

NDIS Lightweight Filter drivers (LWF drivers) were introduced in NDIS 6.0 to replace NDIS intermediate drivers. They are typically layered between miniport adapters and protocol bindings and offer the same packet filtering, inspection and modification capabilities. NDIS Lightweight Filter drivers always use NDIS-provided functions, are easier to implement and are designed to improve overall performance.