Sunday, May 15, 2011

[NEWS] Mac OSX First Ever Fake Antivirus

The first fake antivirus has been released on Mac OS X recently which is called MacDefender/MacProtector/MacSecurity.

I had a chance to come across this fake av when I did google image search a few days back. Unsurprisingly, this Mac fake av does exactly the same way as what Windows fake av did that is it also presents a fake browser page showing the user that their machine has been infected with malware.

When I did a google image search, I opened an image indexed by google in which google will redirect me to a compromised website with a "hidden" (from novice computer user point of view) javascript. After the compromised page is opened, it will immediately redirect user to another page with URL top level domain "cz.cc" which is where the fake av page will be displayed.

Figure 1: Image Indexed by Google


Figure 2: Script Redirection From Compromised Site


Figure 3: Fake AV Scan Result

Immediately after the scan finished, it will prompt a dialog box to ask download and execute the file after user clicked "Remove all" button.

Figure 4: Download Fake AV File


If you are interested a get a registered version of this MacSecurity, you can visit this post from Kaspersky Lab, http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now where you can get a list of valid license key!

Figure 5: Fake AV Scanning in Action

Now I have a registered MacProtector to clean the "detected" file  =)

Figure 6: Registered Copy of MacProtector

Reference


You can visit http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/ for the excellent research on google image SEO poisoning technical information.

Have fun!

Signing off @x9090
Posted by x9090 at 3:28 PM 1 comments
Labels: , , , , ,

Saturday, December 4, 2010

My PC Was Stoned by Ransom Seftad





If you are so unlucky to be one of the victims of Seftad MBR ransomware, do not worry, this MBR infector does not work as what it claims. That is it does not encrypt you hard drive at all but it merely infects your hard disk drive MBR:

Original Clean MBR



Seftad infected MBR






Basically, it replaces the original MBR with the malicious one that is 3 sectors length. The original MBR will be stored at the 4th sector which is offset 0x800.

The password that user entered will be calculated as a word hash value and it can be found here:


The address 7FFA refers to the real-mode address in boot sector and the password is actually located at offset 0x5FA:



which is 0x3c01.

Nevertheless, this MBR infection can be easily solved by using Windows Recovery Console > 'Fixmbr'.

Signing off @x9090
Posted by x9090 at 4:53 PM 2 comments
Labels: , ,

Friday, December 3, 2010

[DOC] Understanding Packets Flow from User Mode to Kernel Mode

It can be determined by first triggering ping and observes how it initiates a packet and send it through to the Network Interface Card (NIC)


Initiate PING

  • When ping is initiated, it will call function IcmpSendEcho2Ex exported by IPHLPAPI.dll to send ICMP packets (NOTE: Assume ping is run from Windows Vista or above, for Windows XP IcmpSendEcho2 will be used instead)

  • At the same time, WinDBG should be connected and find the ping process context:
kd> !process ping.exe
           
            PROCESS 80551d80  SessionId: none  Cid: 0000    Peb: 00000000  ParentCid: 0000
            DirBase: 0032f000  ObjectTable: e1000c68  HandleCount: 180.
            Image: Idle
            VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
            DeviceMap 00000000
            Token                             e1001790
            ElapsedTime                       00:00:00.000
            UserTime                          00:00:00.000
            KernelTime                        01:50:48.562
            QuotaPoolUsage[PagedPool]         0
            QuotaPoolUsage[NonPagedPool]      0
            Working Set Sizes (now,min,max)  (7, 50, 450) (28KB, 200KB, 1800KB)
            PeakWorkingSetSize                0
            VirtualSize                       0 Mb
            PeakVirtualSize                   0 Mb
            PageFaultCount                    0
            MemoryPriority                    BACKGROUND
            BasePriority                      0
            CommitCharge                      0

                THREAD 80551b20  Cid 0000.0000  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
               
        kd> .process /r /p 80551d80
        *** ERROR: Symbol file could not be found.  Defaulted to export symbols for iphlpapi.dll -
       
        kd> lm m iphlpapi
        start    end        module name
        76d60000 76d79000   iphlpapi   (export symbols)       iphlpapi.dll
  • Set a breakpoint at iphlpapi!IcmpSendEcho2 and find the address before this API call:
kd> kb
        ChildEBP RetAddr  Args to Child             
        WARNING: Stack unwind information not available. Following frames may be wrong.
        0007f9f8 0100237b 0000074c 00000000 00000000 iphlpapi!IcmpSendEcho2
        0007ff44 010029eb 00000003 00034020 00032a98 ping!main+0x9b2
        0007ffc0 7c816fd7 00000010 00000000 7ffd4000 ping!mainCRTStartup+0x125
        0007fff0 00000000 010028c6 00000000 78746341 kernel32!BaseProcessStart+0x23
       
        kd> ub 0100237b
        ping!main+0x9a0:
        01002369 a4              movs    byte ptr es:[edi],byte ptr [esi]
        0100236a 52              push    edx
        0100236b 0001            add     byte ptr [ecx],al
        0100236d 53              push    ebx
        0100236e 53              push    ebx
        0100236f 53              push    ebx
        01002370 ffb52cfbffff    push    dword ptr [ebp-4D4h]
        01002376 e883070000      call    ping!IcmpSendEcho2 (01002afe)
       
        kd> bp 01002376
        kd> bd 0
        kd> bl
         0 d 76d6b73c     0001 (0001) iphlpapi!IcmpSendEcho2
         1 e 01002376     0001 (0001) ping!main+0x9ad

        kd> g
        Breakpoint 1 hit
        ping!main+0x9ad:
        001b:01002376 e883070000      call    ping!IcmpSendEcho2 (01002afe)
        kd> wt
            1     0 [  0] ping!IcmpSendEcho2
           34     0 [  0] iphlpapi!IcmpSendEcho2
            3     0 [  1]   kernel32!LocalAlloc
           19     0 [  2]     kernel32!_SEH_prolog
           18    19 [  1]   kernel32!LocalAlloc
            3     0 [  2]     ntdll!RtlAllocateHeap
           19     0 [  3]       ntdll!_SEH_prolog
           42    19 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
           11     0 [  3]       ntdll!RtlEnterCriticalSection
            2    11 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
           17     0 [  3]       ntdll!RtlpUpdateIndexRemoveBlock
            2    17 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
           19     0 [  3]       ntdll!RtlpUpdateIndexInsertBlock
            2    19 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            8     0 [  3]       ntdll!RtlLeaveCriticalSection
            2     8 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  3]       ntdll!RtlAllocateHeap
            1     0 [  3]       ntdll!RtlAllocateHeap
            1     0 [  3]       ntdll!RtlAllocateHeap
            1     0 [  3]       ntdll!RtlAllocateHeap
            2     4 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            1     0 [  2]     ntdll!RtlAllocateHeap
            2     0 [  2]     ntdll!RtlAllocateHeap
            9     0 [  3]       ntdll!_SEH_epilog
            3     9 [  2]     ntdll!RtlAllocateHeap
           23   321 [  1]   kernel32!LocalAlloc
           10     0 [  2]     kernel32!_SEH_epilog
          100   354 [  0] iphlpapi!IcmpSendEcho2
           56     0 [  1]   kernel32!_SEH_epilog
            3     0 [  1]   ntdll!ZwCreateEvent
            2     0 [  2]     ntdll!KiFastSystemCall
            1     0 [  2]     ntdll!ZwCreateEvent
        >> Unable to match return to kernel32!_SEH_epilog
           40     3 [  1]   ntdll!ZwCreateEvent
        >> Unable to match return to iphlpapi!IcmpSendEcho2
            3     0 [  0] ntdll!NtDeviceIoControlFile
            2     0 [  1]   ntdll!KiFastSystemCall
            1     0 [  1]   ntdll!NtDeviceIoControlFile
        >> Unable to match return to iphlpapi!IcmpSendEcho2
           13     3 [  0] ntdll!NtDeviceIoControlFile
            1     0 [  0] kernel32!_SEH_epilog
            1     0 [  0] ntdll!ZwCreateEvent
        >> Unable to match return to ntdll!KiFastSystemCall
           18     0 [  0] ntdll!NtDeviceIoControlFile
            3     0 [  1]   ntdll!NtWaitForSingleObject
            2     0 [  2]     ping!IcmpSendEcho2
            1     0 [  2]     ntdll!NtWaitForSingleObject
           24     6 [  0] ntdll!NtDeviceIoControlFile
        >> Unable to match return to ntdll!KiFastSystemCall
           16     0 [  0] ntdll!NtClose
            8     0 [  1]   iphlpapi!Icmp6CreateFile
           22     8 [  0] ntdll!NtClose
        >> Unable to match return to ntdll!KiFastSystemCall
            3     0 [  0] ntdll!NtDeviceIoControlFile
           19     0 [  1]   ntdll!RtlSetLastWin32Error
           11    19 [  0] ntdll!NtDeviceIoControlFile
            3     0 [  1]   ntdll!RtlFreeHeap
           19     0 [  2]     0x00000000
           39    19 [  1]   ntdll!RtlFreeHeap
            4     0 [  1]   ntdll!RtlAllocateHeap
        >> Unable to match return to ntdll!RtlAllocateHeap
           38    81 [  0] ntdll!NtDeviceIoControlFile
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
           11     0 [  0] ntdll!RtlAllocateHeap
        >> Unable to match return to ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlAllocateHeap
            1     0 [  0] ntdll!RtlpUpdateIndexInsertBlock
            1     0 [  0] ntdll!RtlAllocateHeap
           44     0 [  0] ntdll!RtlAllocateHeap
           17     0 [  1]   ntdll!RtlAllocateHeap
        >> Unable to match return to ping!IcmpSendEcho2
          114    17 [  0] ntdll!RtlAllocateHeap
           19     0 [  0] ntdll!RtlAllocateHeap
        >> Unable to match return to ping!IcmpSendEcho2
            8     0 [  0] ntdll!RtlAllocateHeap
        >> Unable to match return to ping!IcmpSendEcho2
            1     0 [  0] ntdll!RtlAllocateHeap
            9     0 [  1]   ntdll!RtlAllocateHeap
            2     9 [  0] ntdll!RtlAllocateHeap
        >> Unable to match return to ntdll!RtlAllocateHeap
            6     0 [  0] ntdll!RtlAllocateHeap
        960 instructions were executed in 236 events (0 from other threads)
       
        Function Name                               Invocations MinInst MaxInst AvgInst
        0x00000000                                            1      19      19      19
        iphlpapi!Icmp6CreateFile                              1       8       8       8
        iphlpapi!IcmpSendEcho2                                1     100     100     100
        kernel32!LocalAlloc                                   1      23      23      23
        kernel32!_SEH_epilog                                  3       1      56      22
        kernel32!_SEH_prolog                                  1      19      19      19
        ntdll!KiFastSystemCall                                2       2       2       2
        ntdll!NtClose                                         1      22      22      22
        ntdll!NtDeviceIoControlFile                           4       1      38      19   
        ntdll!NtWaitForSingleObject                           2       1       3       2
        ntdll!RtlAllocateHeap                               202       1     114       2
        ntdll!RtlEnterCriticalSection                         1      11      11      11
        ntdll!RtlFreeHeap                                     1      39      39      39
        ntdll!RtlLeaveCriticalSection                         1       8       8       8
        ntdll!RtlSetLastWin32Error                            1      19      19      19
        ntdll!RtlpUpdateIndexInsertBlock                      2       1      19      10
        ntdll!RtlpUpdateIndexRemoveBlock                      1      17      17      17
        ntdll!ZwCreateEvent                                   3       1      40      14
        ntdll!_SEH_epilog                                     1       9       9       9
        ntdll!_SEH_prolog                                     1      19      19      19
        ping!IcmpSendEcho2                                    2       1       2       1
  • From the summary, this function NtDeviceIoControlFile was called. We know that ping sends the user data/buffer (packets request) to the kernel via this function. We set the breakpoint at the function and look for the parameters that it passes to the kernel:
kd> bp ntdll!NtDeviceIoControlFile
       
        kd> bl
         0 d 76d6b73c     0001 (0001) iphlpapi!IcmpSendEcho2
         1 e 01002376     0001 (0001) ping!main+0x9ad
         2 e 7c90d8e3     0001 (0001) ntdll!NtDeviceIoControlFile

        kd> g
        Breakpoint 2 hit
        ntdll!NtDeviceIoControlFile:
        001b:7c90d8e3 b842000000      mov     eax,42h

        kd> kb
        ChildEBP RetAddr  Args to Child             
        0007f9ac 76d6b8c4 0000074c 00000744 00000000 ntdll!NtDeviceIoControlFile
        WARNING: Stack unwind information not available. Following frames may be wrong.
        0007f9f8 0100237b 0000074c 00000000 00000000 iphlpapi!IcmpSendEcho2+0x188
        0007ff44 010029eb 00000003 00034020 00032a98 ping!main+0x9b2
        0007ffc0 7c816fd7 00000010 00000000 7ffd4000 ping!mainCRTStartup+0x125
        0007fff0 00000000 010028c6 00000000 78746341 kernel32!BaseProcessStart+0x23
       
        kd> !handle 0000074c
        processor number 0, process 817f1428
        PROCESS 817f1428  SessionId: 0  Cid: 00ac    Peb: 7ffd4000  ParentCid: 077c
            DirBase: 085c0260  ObjectTable: e1b31c88  HandleCount:  47.
            Image: ping.exe

        Handle table at e1157000 with 47 Entries in use
        074c: Object: 81779bb0  GrantedAccess: 001200a0 Entry: e1157e98
        Object: 81779bb0  Type: (819b8560) File
            ObjectHeader: 81779b98 (old version)
                HandleCount: 1  PointerCount: 1 
  • Observe the stack:
kd> dd esp lb
    0007f9b0  76d6b8c4 0000074c 00000744 00000000
    0007f9c0  00000000 000a4720 00120000 000a4bf0
    0007f9d0  00001ff8 000a2730 00001ff0
   
    Retn Addr: 76d6b8c4
    1st param: FileHandle > 0000074c
    2nd param: Event > 00000744
    3rd param: ApcRoutine > 00000000
    4th param: ApcContext > 00000000
    5th param: IoStatusBlock > 000a4720
    6th param: IoControlCode > 00120000
    7th param: InputBuffer > 000a4bf0
    8th param: InputBufferLength > 00001ff8
    9th param: OutputBuffer > 000a2730
    10th param: OutputBufferLength > 00001ff0

  • IoControlCode = 0x120000
File Device Type = FILE_DEVICE_NETWORK
                                 Access = FILE_ANY_ACCESS
                                    Method = METHOD_BUFFERED

Inside the Kernel

  1. NtDeviceIoControlFile
    • In order to go to the kernel mode function of NtDeviceIoControlFile, we set the breakpoint at the Windows native system service nt!NtDeviceIoControlFile and also a breakpoint at the caller to function IcmpSendEcho2:
      kd> bp nt!NtDeviceIoControlFile "!handle esp+4;dd esp lb" // Show the object handle and the parameters
      kd> bp ping!main+0x9ad
      kd> bl
         0 e 8056d590     0001 (0001) nt!NtDeviceIoControlFile "!handle esp+4;dd esp lb"
         1 d 76d6b73c     0001 (0001) iphlpapi!IcmpSendEcho2
         2 e 01002376     0001 (0001) ping!main+0x9ad
    • The purpose of doing this is to obtain a list of IoControlCode passed to the kernel immediately after ping send ICMP echo. We will stop collecting Iocontrolcode when breakpoint hits back ping!main+0x9ad.
    • First IoControlCode sent to kernel. Notice that the IoControlCode, process's name and handle match exactly what we got in User Mode above (highlighted in red)
        kd> g
        processor number 0, process 8153f020
        PROCESS 8153f020  SessionId: 0  Cid: 05cc    Peb: 7ffde000  ParentCid: 0298
            DirBase: 08340280  ObjectTable: e1ac1728  HandleCount:  47.
            Image: ping.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00720add
        f93a5d38  8053ca28 0000074c 00000744 00000000
        f93a5d48  00000000 000a4720 00120000 000a4bf0
        f93a5d58  00001ff8 000a2730 00001ff0
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
    •  Second IoControlCode is passed by the explorer.exe:
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
    •  The list is very long and there are many duplicated IoControlCode being sent to kernel:
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f784 00120040 00000000
        f75dad58  00000000 01fc8008 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f500 00120003 00c9f5ac
        f75dad58  00000024 00168858 00000100
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f514 00120040 00000000
        f75dad58  00000000 0018ad70 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f5a4 00120090 00000000
        f75dad58  00000000 00169078 00000030
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6cc 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f64c 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000f79b8 00000120
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000de808 0000016c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000218 00000000 00000000
        f75dad48  00000000 00c9f71c 0021009a 00000000
        f75dad58  00000000 00c9f6b8 0000003c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f784 00120040 00000000
        f75dad58  00000000 01fc8008 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f500 00120003 00c9f5ac
        f75dad58  00000024 00168858 00000100
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f514 00120040 00000000
        f75dad58  00000000 0018ad70 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 180 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f5a4 00120090 00000000
        f75dad58  00000000 00169078 00000030
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6cc 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f64c 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000f79b8 00000120
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000de808 0000016c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000218 00000000 00000000
        f75dad48  00000000 00c9f71c 0021009a 00000000
        f75dad58  00000000 00c9f6b8 0000003c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000218 00000000 00000000
        f75dad48  00000000 00c9f7f8 0017003e 76477d3c
        f75dad58  0000003c 00c9f86c 000002d0
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f784 00120040 00000000
        f75dad58  00000000 01fc8008 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f500 00120003 00c9f5ac
        f75dad58  00000024 00168858 00000100
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 178 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f4e0 00120003 00c9f508
        f75dad58  00000024 00c9f548 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 178 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f514 00120040 00000000
        f75dad58  00000000 0018ad70 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6d0 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f74c 000000e1
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f5a4 00120090 00000000
        f75dad58  00000000 00169078 00000030
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f6cc 00000004
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 00c9f64c 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000f79b8 00000120
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 329.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000550 00000000 00000000
        f75dad48  00000000 00c9f544 00120003 00c9f6d4
        f75dad58  00000024 000de808 0000016c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 178 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 00000218 00000000 00000000
        f75dad48  00000000 00c9f71c 0021009a 00000000
        f75dad58  00000000 00c9f6b8 0000003c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 0000031c 00000218 00000000
        f75dad48  00000000 00c9f750 00120003 00c9f778
        f75dad58  00000024 00c9f7b8 0000005c
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        processor number 0, process 8153d8a0
        PROCESS 8153d8a0  SessionId: 0  Cid: 01d0    Peb: 7ffdf000  ParentCid: 017c
            DirBase: 08340220  ObjectTable: e1ac1ba8  HandleCount: 330.
            Image: explorer.exe

        Kernel Handle table at e166a000 with 177 Entries in use
        Unable to get _HANDLE_TABLE_ENTRY : 00000a78
        f75dad38  8053ca28 000004ac 00000218 00000000
        f75dad48  00000000 00c9f784 00120040 00000000
        f75dad58  00000000 01fc8008 00000c30
        nt!NtDeviceIoControlFile:
        8056d590 8bff            mov     edi,edi
        kd> g
        Breakpoint 4 hit
        ping!main+0x9ad:
        001b:01002376 e883070000      call    ping!IcmpSendEcho2 (01002afe)
    • The summary of IoControlCode sent to kernel:
      IOCTL_CODEFILE_DEVICE_TYPE
      120000FILE_DEVICE_NETWORK
      120003FILE_DEVICE_NETWORK
      120040FILE_DEVICE_NETWORK
      120090FILE_DEVICE_NETWORK
      21009aFILE_DEVICE_TRANSPORT
      17003eFILE_DEVICE_PHYSICAL_NETCARD
    • We want to check the flow when packets passed to the NIC driver, we focus on FILE_DEVICE_PHYSICAL_NETCARD. Before that check out this disassembly first:
kd> u nt!NtDeviceIoControlFile l20
nt!NtDeviceIoControlFile:
8056d590 8bff            mov     edi,edi
8056d592 55              push    ebp
8056d593 8bec            mov     ebp,esp
8056d595 6a01            push    1
8056d597 ff752c          push    dword ptr [ebp+2Ch]
8056d59a ff7528          push    dword ptr [ebp+28h]
8056d59d ff7524          push    dword ptr [ebp+24h]
8056d5a0 ff7520          push    dword ptr [ebp+20h]
8056d5a3 ff751c          push    dword ptr [ebp+1Ch]
8056d5a6 ff7518          push    dword ptr [ebp+18h]
8056d5a9 ff7514          push    dword ptr [ebp+14h]
8056d5ac ff7510          push    dword ptr [ebp+10h]
8056d5af ff750c          push    dword ptr [ebp+0Ch]
8056d5b2 ff7508          push    dword ptr [ebp+8]
8056d5b5 e854e8ffff      call    nt!IopXxxControlFile (81a62764)
8056d5ba 5d              pop     ebp
8056d5bb c22800          ret     28h
8056d5be 90              nop
kd> bp 8056d5b5
kd> g
Breakpoint 2 hit
nt!NtDeviceIoControlFile+0x25:
8056d5b5 e8bc700000      call    nt!IopXxxControlFile (80574676)
kd> wt
    3     0 [  0] nt!IopXxxControlFile
   19     0 [  1]   nt!_SEH_prolog
   48    19 [  0] nt!IopXxxControlFile
   23     0 [  1]   nt!ObReferenceObjectByHandle
   13     0 [  2]     nt!ExMapHandleToPointerEx
   29     0 [  3]       nt!ExpLookupHandleTableEntry
   36    29 [  2]     nt!ExMapHandleToPointerEx
   67    65 [  1]   nt!ObReferenceObjectByHandle
   22     0 [  2]     nt!ExUnlockHandleTableEntry
   83    87 [  1]   nt!ObReferenceObjectByHandle
   72   189 [  0] nt!IopXxxControlFile
   14     0 [  1]   nt!ObfReferenceObject
   82   203 [  0] nt!IopXxxControlFile
   23     0 [  1]   nt!IoGetRelatedDeviceObject
   97   226 [  0] nt!IopXxxControlFile
    5     0 [  1]   nt!IoAllocateIrp
    3     0 [  1]   nt!IopAllocateIrpPrivate
   19     0 [  2]     nt!_SEH_prolog
   38    19 [  1]   nt!IopAllocateIrpPrivate
    3     0 [  2]     nt!ExInterlockedPopEntrySList
    5     0 [  2]     nt!ExpInterlockedPopEntrySListResume
    1     0 [  2]     nt!ExpInterlockedPopEntrySListFault
    5     0 [  2]     nt!ExpInterlockedPopEntrySListEnd
  207    33 [  1]   nt!IopAllocateIrpPrivate
    9     0 [  2]     nt!_SEH_epilog
  208    42 [  1]   nt!IopAllocateIrpPrivate
  158   481 [  0] nt!IopXxxControlFile
   25     0 [  1]   nt!ExAllocatePoolWithQuotaTag
   44     0 [  2]     nt!ExAllocatePoolWithTag
    3     0 [  3]       nt!ExInterlockedPopEntrySList
    5     0 [  3]       nt!ExpInterlockedPopEntrySListResume
    1     0 [  3]       nt!ExpInterlockedPopEntrySListFault
    5     0 [  3]       nt!ExpInterlockedPopEntrySListEnd
   73    14 [  2]     nt!ExAllocatePoolWithTag
   46    87 [  1]   nt!ExAllocatePoolWithQuotaTag
   63     0 [  2]     nt!PsChargeProcessPoolQuota
   51   150 [  1]   nt!ExAllocatePoolWithQuotaTag
   14     0 [  2]     nt!ObfReferenceObject
   59   164 [  1]   nt!ExAllocatePoolWithQuotaTag
  194   704 [  0] nt!IopXxxControlFile
   27     0 [  1]   nt!IoAllocateMdl
    3     0 [  2]     nt!ExInterlockedPopEntrySList
    5     0 [  2]     nt!ExpInterlockedPopEntrySListResume
    1     0 [  2]     nt!ExpInterlockedPopEntrySListFault
    5     0 [  2]     nt!ExpInterlockedPopEntrySListEnd
   55    14 [  1]   nt!IoAllocateMdl
  206   773 [  0] nt!IopXxxControlFile
    7     0 [  1]   nt!IopGetMountFlag
    3     0 [  2]     nt!MmProbeAndLockPages
   19     0 [  3]       nt!_SEH_prolog
  123    19 [  2]     nt!MmProbeAndLockPages
    5     0 [  3]       hal!KeRaiseIrqlToDpcLevel
  199    24 [  2]     nt!MmProbeAndLockPages
    9     0 [  3]       nt!_SEH_epilog
  200    33 [  2]     nt!MmProbeAndLockPages
   11   233 [  1]   nt!IopGetMountFlag
  232  1017 [  0] nt!IopXxxControlFile
    8     0 [  1]   nt!IopSynchronousServiceTail
    7     0 [  2]     hal!KfRaiseIrql
   28     7 [  1]   nt!IopSynchronousServiceTail
    9     0 [  2]     nt!IopUpdateOtherOperationCount
    3     0 [  2]     nt!ExInterlockedAddLargeStatistic
   32    19 [  1]   nt!IopSynchronousServiceTail
    1     0 [  2]     nt!IofCallDriver
   14     0 [  2]     nt!IopfCallDriver
   64     0 [  3]       NDIS!ndisDeviceControlIrpHandler
   44     0 [  4]         nt!ExAllocatePoolWithTag
    3     0 [  5]           nt!ExInterlockedPopEntrySList
    5     0 [  5]           nt!ExpInterlockedPopEntrySListResume
    1     0 [  5]           nt!ExpInterlockedPopEntrySListFault
    5     0 [  5]           nt!ExpInterlockedPopEntrySListEnd
   73    14 [  4]         nt!ExAllocatePoolWithTag
  108    87 [  3]       NDIS!ndisDeviceControlIrpHandler
   42     0 [  4]         nt!MmMapLockedPagesSpecifyCache
   19     0 [  5]           nt!MiReserveSystemPtes
   43     0 [  6]             nt!ExRemoveHeadNBQueue
   12     0 [  7]               nt!ExfInterlockedCompareExchange64
   50    12 [  6]             nt!ExRemoveHeadNBQueue
   13     0 [  7]               nt!InterlockedPushEntrySList
   56    25 [  6]             nt!ExRemoveHeadNBQueue
   44    81 [  5]           nt!MiReserveSystemPtes
  123   125 [  4]         nt!MmMapLockedPagesSpecifyCache
  122   335 [  3]       NDIS!ndisDeviceControlIrpHandler      
   31     0 [  4]         NDIS!ndisQueryStatisticsOids       
   71     0 [  5]           nt!ExAllocatePoolWithTag
    5     0 [  6]             hal!KeRaiseIrqlToDpcLevel
  173     5 [  5]           nt!ExAllocatePoolWithTag
  104   178 [  4]         NDIS!ndisQueryStatisticsOids
   52     0 [  5]           NDIS!ndisValidOid
  120   230 [  4]         NDIS!ndisQueryStatisticsOids
   20     0 [  5]           NDIS!ndisQueryDeviceOid
   13     0 [  6]             NDIS!ndisQuerySetMiniport
    5     0 [  7]               NDIS!ndisReferencePackage
   57     0 [  8] nt!MmLockPagableSectionByHandle
   24     0 [  9]   nt!MiLockCode
    7     0 [ 10]     hal!KfRaiseIrql
   28     7 [  9]   nt!MiLockCode
   23     0 [ 10]     nt!ExAcquireResourceExclusiveLite
   30    30 [  9]   nt!MiLockCode
    5     0 [ 10]     hal!KeRaiseIrqlToDpcLevel
  489    35 [  9]   nt!MiLockCode
   31     0 [ 10]     nt!ExReleaseResourceLite
  496    66 [  9]   nt!MiLockCode
   73   562 [  8] nt!MmLockPagableSectionByHandle
   10   635 [  7]               NDIS!ndisReferencePackage
   27   645 [  6]             NDIS!ndisQuerySetMiniport
   14     0 [  7]               nt!KeInitializeEvent
   44   659 [  6]             NDIS!ndisQuerySetMiniport
    5     0 [  7]               hal!KfAcquireSpinLock
   47   664 [  6]             NDIS!ndisQuerySetMiniport
    2     0 [  7]               nt!PsGetCurrentThread
   52   666 [  6]             NDIS!ndisQuerySetMiniport
    9     0 [  7]               NDIS!ndisMQueueRequest
   58   675 [  6]             NDIS!ndisQuerySetMiniport
    2     0 [  7]               nt!PsGetCurrentThread
   62   677 [  6]             NDIS!ndisQuerySetMiniport
   24     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
    1     0 [  7]               NDIS!ndisMDoRequests
   16     0 [  8] NDIS!ndisMDispatchRequest
    1     0 [  8] NDIS!ndisMDispatchRequest
    1     0 [  8] NDIS!ndisMDispatchRequest
    1     0 [  8] NDIS!ndisMDispatchRequest
    1     0 [  8] NDIS!ndisMDispatchRequest
   13     0 [  8] NDIS!ndisMDispatchRequest
    1     0 [  9]   nt!KefReleaseSpinLockFromDpcLevel
    3     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
    1     0 [  9]   NDIS!ndisMDispatchRequest
*** ERROR: Module load completed but symbols could not be loaded for vmxnet.sys
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 10]     vmxnet
    1     0 [ 11]       vmxnet
   30     0 [ 11]       nt!memcpy
    ...
    ...
    ...
19154 instructions were executed in 1347 events (0 from other threads)

Function Name               Invocations MinInst MaxInst AvgInst
NDIS!__security_check_cookie          2       5       5       5
NDIS!_alldiv          1       1       1       1
NDIS!_allmul          1       1       1       1
NDIS!ndisDereferencePackage           8       9       9       9
NDIS!ndisDeviceControlIrpHandler      1     158     158     158
NDIS!ndisMDispatchRequest           152       1      17       3
NDIS!ndisMDoRequests272       1      24       2
NDIS!ndisMQueueRequest8       9       9       9
NDIS!ndisMSyncQueryInformationComplete               96       1      27       4
NDIS!ndisQueryDeviceOid               8      22      22      22
NDIS!ndisQuerySetMiniport             8      92      92      92
NDIS!ndisQueryStatisticsOids         71       1     660      23
NDIS!ndisReferencePackage             8      10      10      10
NDIS!ndisValidOid     9       3     190     131
hal!KeAcquireInStackQueuedSpinLockRaiseToSynch        1       6       6       6
hal!KeRaiseIrqlToDpcLevel            35       5       5       5
hal!KfAcquireSpinLock 8       5       5       5
hal!KfRaiseIrql       9       7       7       7
hal!READ_PORT_ULONG   1       3       3       3
nt!ExAcquireResourceExclusiveLite     8      23      23      23
nt!ExAllocatePoolWithQuotaTag         1      59      59      59
nt!ExAllocatePoolWithTag              3      73     173     106
nt!ExFreePoolWithTag  2      82     130     106
nt!ExInsertTailNBQueue1      70      70      70
nt!ExInterlockedAddLargeStatistic     1       3       3       3
nt!ExInterlockedPopEntrySList         6       3       3       3
nt!ExMapHandleToPointerEx             1      36      36      36
nt!ExReleaseResourceLite              8      31      31      31
nt!ExRemoveHeadNBQueue1      56      56      56
nt!ExUnlockHandleTableEntry           1      22      22      22
nt!ExfInterlockedCompareExchange64    3      12      12      12
nt!ExpInterlockedPopEntrySListEnd     6       5       5       5
nt!ExpInterlockedPopEntrySListFault   6       1       1       1
nt!ExpInterlockedPopEntrySListResume  6       5       5       5
nt!ExpLookupHandleTableEntry          1      29      29      29
nt!InterlockedPushEntrySList          2      13      13      13
nt!IoAllocateIrp      1       5       5       5
nt!IoAllocateMdl      1      55      55      55
nt!IoGetRelatedDeviceObject           1      23      23      23
nt!IofCallDriver      1       1       1       1
nt!IofCompleteRequest 1       1       1       1
nt!IopAllocateIrpPrivate              1     208     208     208
nt!IopGetMountFlag    1      11      11      11
nt!IopSynchronousServiceTail          1      57      57      57
nt!IopUpdateOtherOperationCount       1       9       9       9
nt!IopXxxControlFile  1     235     235     235
nt!IopfCallDriver     1      16      16      16
nt!IopfCompleteRequest1     106     106     106
nt!KeInitializeApc    1      26      26      26
nt!KeInitializeEvent  8      14      14      14
nt!KeInsertQueueApc   1      31      31      31
nt!KeQueryTimeIncrement               1       2       2       2
nt!KeSetEvent         8      27      27      27
nt!KeWaitForSingleObject              8      66      66      66
nt!KefAcquireSpinLockAtDpcLevel       8       1       1       1
nt!KefReleaseSpinLockFromDpcLevel     8       1       1       1
nt!KiAdjustQuantumThread              8      18      42      27
nt!KiFindReadyThread  3      43      49      47
nt!KiInsertQueueApc   1      51      51      51
nt!MiLockCode         8     496     496     496
nt!MiReleaseSystemPtes1      57      57      57
nt!MiReserveSystemPtes1      44      44      44
nt!MmLockPagableSectionByHandle       8      73      73      73
nt!MmMapLockedPagesSpecifyCache       1     123     123     123
nt!MmProbeAndLockPages1     200     200     200
nt!MmUnlockPagableImageSection        8     368     368     368
nt!MmUnlockPages      1      88      88      88
nt!MmUnmapLockedPages 1      34      34      34
nt!ObReferenceObjectByHandle          1      83      83      83
nt!ObfDereferenceObject               1      26      26      26
nt!ObfReferenceObject 2      14      14      14
nt!PsChargeProcessPoolQuota           1      63      63      63
nt!PsGetCurrentThread24       2       2       2
nt!RtlFillMemoryUlonglong             1      15      15      15
nt!_SEH_epilog        3       9       9       9
nt!_SEH_prolog        3      19      19      19
nt!_alldiv            1      27      27      27
nt!_allmul            1       8       8       8
nt!memcpy             8      30      32      31
nt!memmove           15      32      34      32
vmxnet              584       1       2       1
  1. NdisDeviceControlIrpHandler
    • We got 3 informations here:
      1. NIC driver name > vmxnet
      2. NDIS!ndisQueryStatisticsOids is used to query the NIC stat info
      3. NDIS!ndisDeviceControlIrpHandler is a dispatch handler for IRP_MJ_DEVICE_CONTROL major function that is reponsible to handle DeviceIoControl called from user mode
        • The ndisDeviceControlIrpHandler is registered by ndis.sys by one of the exported function NdisMRegisterMiniport 
export function NdisMRegisterMiniport -> NdisRegisterMiniportDriver -> Dispatch routine NdisDeviceControlIrpHandler -> NdisQueryStatisticsOids    // Its called NdisDeviceControlIrpHandler in Windows XP ndis.sys 

Diagram Illustration of how NdisDeviceControlIrpHandler is called
    • To verify that:
Case (i):

kd> !drvobj \driver\vmxnet 7
Driver object (81862f38) is for:
*** ERROR: Module load completed but symbols could not be loaded for vmxnet.sys
\Driver\vmxnet
Driver Extension List: (id , addr)
(4e4d4944 8197a600)
Device Object list:
818627e0

DriverEntry: f9cc2685 vmxnet
DriverStartIo: 00000000
DriverUnload: f96cb89b NDIS!ndisMUnload
AddDevice: f96c75b4 NDIS!ndisPnPAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE f96bae6b NDIS!ndisCreateIrpHandler
[01] IRP_MJ_CREATE_NAMED_PIPE f96c11f4 NDIS!ndisDummyIrpHandler
[02] IRP_MJ_CLOSE f96bad9c NDIS!ndisCloseIrpHandler
[03] IRP_MJ_READ f96c11f4 NDIS!ndisDummyIrpHandler
[04] IRP_MJ_WRITE f96c11f4 NDIS!ndisDummyIrpHandler
[05] IRP_MJ_QUERY_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler
[06] IRP_MJ_SET_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler
[07] IRP_MJ_QUERY_EA f96c11f4 NDIS!ndisDummyIrpHandler
[08] IRP_MJ_SET_EA f96c11f4 NDIS!ndisDummyIrpHandler
[09] IRP_MJ_FLUSH_BUFFERS f96c11f4 NDIS!ndisDummyIrpHandler
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler
[0b] IRP_MJ_SET_VOLUME_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler
[0c] IRP_MJ_DIRECTORY_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler
[0d] IRP_MJ_FILE_SYSTEM_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler
[0e] IRP_MJ_DEVICE_CONTROL f96c1010 NDIS!ndisDeviceControlIrpHandler
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler
[10] IRP_MJ_SHUTDOWN f96c11f4 NDIS!ndisDummyIrpHandler
[11] IRP_MJ_LOCK_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler
[12] IRP_MJ_CLEANUP f96c11f4 NDIS!ndisDummyIrpHandler
[13] IRP_MJ_CREATE_MAILSLOT f96c11f4 NDIS!ndisDummyIrpHandler
[14] IRP_MJ_QUERY_SECURITY f96c11f4 NDIS!ndisDummyIrpHandler
[15] IRP_MJ_SET_SECURITY f96c11f4 NDIS!ndisDummyIrpHandler
[16] IRP_MJ_POWER f96ce877 NDIS!ndisPowerDispatch
[17] IRP_MJ_SYSTEM_CONTROL f96c1415 NDIS!ndisWMIDispatch
[18] IRP_MJ_DEVICE_CHANGE f96c11f4 NDIS!ndisDummyIrpHandler
[19] IRP_MJ_QUERY_QUOTA f96c11f4 NDIS!ndisDummyIrpHandler
[1a] IRP_MJ_SET_QUOTA f96c11f4 NDIS!ndisDummyIrpHandler
[1b] IRP_MJ_PNP f96c3ab9 NDIS!ndisPnPDispatch


Case (ii)&(iii):

kd> bp NDIS!ndisDeviceControlIrpHandler ".echo ====NdisDeviceControlIrpHandler breakpoint hit====\n;.echo IoControlCode>\n;dd poi(poi(esp+8)+60)+c l1\n;.echo OutputBufferLength>\n;dd poi(poi(esp+8)+60)+4 l1\n;.echo OutputBuffer>\n;dd poi(poi(poi(esp+8)+4)+10)+86c l3d\n;.echo InputBufferLength>\n;dd poi(poi(esp+8)+60)+8 l1\n;.echo InputBuffer>\n;dd poi(poi(esp+8)+c)\n;"
kd> g
Breakpoint 3 hit
====NdisDeviceControlIrpHandler breakpoint hit====
IoControlCode>
8155a2f8 0017003e
OutputBufferLength:>
8155a2f0 000002d0
OutputBuffer:>
01a0f86c 00000000 00000000 00000000 00000000
01a0f87c 00000000 00000000 00000000 00000000
01a0f88c 00000000 00000000 00000000 00000000
01a0f89c 00000000 00000000 00000000 00000000
01a0f8ac 00000000 00000000 00000000 00000000
01a0f8bc 00000000 00000000 00000000 00000000
01a0f8cc 00000000 00000000 00000000 00000000
01a0f8dc 00000000 00000000 00000000 00000000
01a0f8ec 00000000 00000000 00000000 00000000
01a0f8fc 00000000 00000000 00000000 00000000
01a0f90c 00000000 00000000 00000000 00000000
01a0f91c 00000000 00000000 00000000 00000000
01a0f92c 00000000 00000000 00000000 00000000
01a0f93c 00000000 00000000 00000000 00000000
01a0f94c 00000000 00000000 00000002 00000002
01a0f95c 00000000
InputBufferLength:>
8155a2f4 0000003c
InputBuffer:>
81977300 00010107 80010104 80010114 00020101
81977310 00020102 00020103 00020104 80020208
81977320 80020201 80020207 80ffffff 80020213
81977330 80020214 80020215 80010202 f763b6a4
81977340 00060009 20646156 8168e170 8173ce20
81977350 00000000 00000000 816c8af8 07100002
81977360 817a12d0 e1be6290 fffffffc 40000000
81977370 0a050006 6e66744e 001c0707 00000000
NDIS!ndisDeviceControlIrpHandler:
f96c1010 8bff mov edi,edi
kd> kb
ChildEBP RetAddr Args to Child
f763bc34 804edfe3 818627e0 8155a258 806d02d0 NDIS!ndisDeviceControlIrpHandler
f763bc44 80573dce 8155a2ec 81731dd8 8155a258 nt!IopfCallDriver+0x31
f763bc58 80574c5d 818627e0 8155a258 81731dd8 nt!IopSynchronousServiceTail+0x60
f763bd00 8056d5ba 000001fc 00000000 00000000 nt!IopXxxControlFile+0x5e7
f763bd34 8053ca28 000001fc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f763bd34 7c90eb94 000001fc 00000000 00000000 nt!KiFastCallEntry+0xf8
01a0f7b8 7c90d8ef 7c801671 000001fc 00000000 ntdll!KiFastSystemCallRet
01a0f7bc 7c801671 000001fc 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
01a0f81c 76468375 000001fc 0017003e 76477d3c kernel32!DeviceIoControl+0xdd
01a0fb40 7645f5c7 000f6d94 01a0fb5c 01a0fc08 NETSHELL!NdisQueryStatistics+0x88
01a0fbc8 76460d32 01a0fbe4 01a0fc08 001622a0 NETSHELL!CLanStatEngine::HrUpdateData+0x37
01a0fbec 7645d7a4 000f6d00 01a0fc08 01a0fc8c NETSHELL!CNetStatisticsEngine::UpdateStatistics+0x2d
01a0fc10 7645e7eb 00165dd4 7645e7b5 00134bf8 NETSHELL!CNetStatisticsCentral::RefreshStatistics+0x4e
01a0fc24 7e418734 00000000 00000113 00007ff4 NETSHELL!CNetStatisticsCentral::TimerCallback+0x36
01a0fc50 7e419857 7645e7b5 00000000 00000113 USER32!InternalCallWinProc+0x28
01a0fcb8 7e419791 00000000 7645e7b5 00000000 USER32!UserCallWinProc+0xf3
01a0fd10 7e418a10 01a0fd68 00000000 01a0fd8c USER32!DispatchMessageWorker+0x10e
01a0fd20 7628155a 01a0fd68 00000000 76280000 USER32!DispatchMessageW+0xf
01a0fd8c 76283746 76280000 00000000 000100c8 stobject!SysTrayMain+0x177
01a0ffb4 7c80b683 00000000 00000000 00000000 stobject!CSysTray::SysTrayThreadProc+0x4f
Diagram Shows Explorer Retrieve Network Statistics from NIC

  1. NdisQueryStatisticsOids
    • What basically this function does is:
      1. Check the request info passed by InputBuffer, these info are OIDs that ontains the constants specifies the codes of the NDIS request.
#define OID_GEN_MEDIA_IN_USE                  0x00010104
#define OID_GEN_MEDIA_CONNECT_STATUS          0x00010114
#define OID_GEN_PHYSICAL_MEDIUM               0x00010202
#define OID_GEN_XMIT_OK                       0x00020101
#define OID_GEN_RCV_OK                        0x00020102
#define OID_GEN_XMIT_ERROR                    0x00020103
#define OID_GEN_RCV_ERROR                     0x00020104
#define OID_GEN_DIRECTED_BYTES_XMIT           0x00020201
#define OID_GEN_DIRECTED_BYTES_RCV            0x00020207
#define OID_GEN_DIRECTED_FRAMES_RCV           0x00020208
#define OID_GEN_INIT_TIME_MS                  0x00020213
#define OID_GEN_RESET_COUNTS                  0x00020214
#define OID_GEN_MEDIA_SENSE_COUNTS            0x00020215
    • The output will be stored in OutputBuffer and should look like this:
                     01a0f86c  00010107 00000004 00989680 80010104
            01a0f87c  00000004 00000000 80010114 00000004
            01a0f88c  00000000 00020101 00000008 00000083
            01a0f89c  00000000 00020102 00000008 000001d6
            01a0f8ac  00000000 00020103 00000004 00000000
            01a0f8bc  00020104 00000004 00000000 80020208
            01a0f8cc  00000008 00000016 00000000 80020201
            01a0f8dc  00000008 00002253 00000000 80020207
            01a0f8ec  00000008 0000bd9d 00000000 80ffffff
            01a0f8fc  00000004 00000588 80020213 00000004
            01a0f90c  0000000f 80020214 00000004 00000000
            01a0f91c  80020215 00000004 00000000 80010202
            01a0f92c  00000004 00000000 00000000 00000000
            01a0f93c  00000000 00000000 00000000 00000000
            01a0f94c  00000000 00000000 00000002 00000002
           
          The structure of the output: [[Request_OID][Output_Length][Output]]

    • Call NDIS!NdisMDispatchRequest which will then call the handler function to transfer the request to the NIC driver. The handler function is stored in one of the members of NDIS_MINIPORT_CHARACTERISTICS.
  1. QueryInformationHandler
    1. One of the handler functions store in NDIS_MINIPORT_CHARACTERISTICS
    2. it specifies the entry point of the caller's MiniportQueryInformation function
    3. In order to find the MiniportQueryInformation address registered by the miniport driver (\driver\vmxnet in this case):

      kd> !drvobj \driver\vmxnet
      Driver object (81862f38) is for:
      \Driver\vmxnet
      Driver Extension List: (id , addr)
      (4e4d4944 8197a600)
      Device Object list:
      818627e0
    4. DriverObjectExtension = 8197a600, allocated by'IoAllocateDriverObjectExtension call within NdisRegisterMiniportDriver ndis.sys export function.
    5. DriverObjectExtension is the driver specified structure, in this case the structure is called NDIS_M_DRIVER_BLOCK that store the miniport-ndis driver information:
      6. NDIS!_NDIS_M_DRIVER_BLOCK
                 +0x000 NextDriver       : Ptr32 _NDIS_M_DRIVER_BLOCK
                 +0x004 MiniportQueue    : Ptr32 _NDIS_MINIPORT_BLOCK
                 +0x008 NdisDriverInfo   : Ptr32 _NDIS_WRAPPER_HANDLE
                 +0x00c AssociatedProtocol : Ptr32 _NDIS_PROTOCOL_BLOCK
                 +0x010 DeviceList       : _LIST_ENTRY
                 +0x018 PendingDeviceList : Ptr32 _NDIS_PENDING_IM_INSTANCE
                 +0x01c UnloadHandler    : Ptr32     void
                 +0x020 MiniportCharacteristics : _NDIS51_MINIPORT_CHARACTERISTICS
                 +0x09c MiniportsRemovedEvent : _KEVENT
                 +0x0ac Ref              : _REFERENCE
                 +0x0b4 Flags            : Uint2B
                 +0x0b8 IMStartRemoveMutex : _KMUTANT
                 +0x0d8 DriverVersion    : Uint4B
                 
              kd> dt _NDIS51_MINIPORT_CHARACTERISTICS 817dfb50+20
              NDIS!_NDIS51_MINIPORT_CHARACTERISTICS
                 +0x000 MajorNdisVersion : 0x5 ''
                 +0x001 MinorNdisVersion : 0 ''
                 +0x002 Filler           : 0
                 +0x004 Reserved         : 0
                 +0x008 CheckForHangHandler : 0xf9cc5822     unsigned char  +0
                 +0x00c DisableInterruptHandler : (null)
                 +0x010 EnableInterruptHandler : (null)
                 +0x014 HaltHandler      : 0xf9cc73a6     void  +0
                 +0x018 HandleInterruptHandler : 0xf9cc6eec     void  +0  
                 +0x01c InitializeHandler : 0xf9cc676c     int  +0               +0x020 ISRHandler: 0xf9cc5678     void  +0            +0x024 QueryInformationHandler : 0xf9cc5b58     int  +0 
                 +0x028 ReconfigureHandler : (null)
                 +0x02c ResetHandler     : 0xf9cc589e     int  +0
                 +0x030 SendHandler      : (null)
                 +0x030 WanSendHandler   : (null)
                 +0x034 SetInformationHandler : 0xf9cc7448     int  +0
                 +0x038 TransferDataHandler : (null)
                 +0x038 WanTransferDataHandler : (null)
                 +0x03c ReturnPacketHandler : 0xf9cc57e6     void  +0
                 +0x040 SendPacketsHandler : 0xf9cc7662     void  +0
                 +0x044 AllocateCompleteHandler : (null)
                 +0x048 CoCreateVcHandler : (null)
                 +0x04c CoDeleteVcHandler : (null)
                 +0x050 CoActivateVcHandler : (null)
                 +0x054 CoDeactivateVcHandler : (null)
                 +0x058 CoSendPacketsHandler : (null)
                 +0x05c CoRequestHandler : (null)
                 +0x060 CancelSendPacketsHandler : (null)
                 +0x064 PnPEventNotifyHandler : (null)
                 +0x068 AdapterShutdownHandler : (null)
                 +0x06c Reserved1        : (null)
                 +0x070 Reserved2        : (null)
                 +0x074 Reserved3        : (null)
                 +0x078 Reserved4        : (null)

We intercept the following OIDs:

#define OID_GEN_MEDIA_IN_USE 0x00010104
#define OID_GEN_MEDIA_CONNECT_STATUS 0x00010114
#define OID_GEN_PHYSICAL_MEDIUM 0x00010202
#define OID_GEN_XMIT_OK 0x00020101
#define OID_GEN_RCV_OK 0x00020102
#define OID_GEN_XMIT_ERROR 0x00020103
#define OID_GEN_RCV_ERROR 0x00020104
#define OID_GEN_DIRECTED_BYTES_XMIT 0x00020201
#define OID_GEN_DIRECTED_BYTES_RCV 0x00020207
#define OID_GEN_DIRECTED_FRAMES_RCV 0x00020208
#define OID_GEN_INIT_TIME_MS 0x00020213
#define OID_GEN_RESET_COUNTS 0x00020214
#define OID_GEN_MEDIA_SENSE_COUNTS 0x00020215

Extra Note

In Vista (or above), it uses NDIS_MINIPORT_DRIVER_CHARACTERISTICS.OidRequestHandler (Similar to QueryInformationHandler), for example in Vista vmware it uses Intel PRO/100 Network Interface Card:

  • NIC Driver (\Driver\E1G60) -> E1G60I32!E1000Request(NDIS_HANDLE MiniportAdapterContext, PNDIS_OID_REQUEST NdisRequest) 
kd> g
E1G60I32!E1000Request:
892b1046 8bff            mov     edi,edi

kd> dd esp
9bcfa6d4  85ccd3a4 8509b008 8948c1a8 85367868
        [MiniportAdapterContext][NdisRequest]
      
kd> dd 8948c1a8     //PNDIS_OID_REQUEST
8948c1a8  008c0196 00000002 00000000 00000000
8948c1b8  00000000 00000000 00020102 838335d8
8948c1c8  00000008 00000000 00000000 00000000
8948c1d8  00000000 00000000 85367ac0 85367ac0

typedef struct _NDIS_OID_REQUEST
{
    //
    // Caller must set Header to
    //     Header.Type = NDIS_OBJECT_TYPE_OID_REQUEST
    //     Header.Revision = NDIS_OID_REQUEST_REVISION_1
    //     Header.Size = NDIS_SIZEOF_OID_REQUEST_REVISION_1
    //
    NDIS_OBJECT_HEADER          Header;
    NDIS_REQUEST_TYPE           RequestType;
    NDIS_PORT_NUMBER            PortNumber;
    UINT                        Timeout; // in Seconds
    PVOID                       RequestId;
    NDIS_HANDLE                 RequestHandle;

    //
    // OID - Information
    //
    union _REQUEST_DATA
    {
        struct _QUERY
        {
            NDIS_OID    Oid;
            PVOID       InformationBuffer;
            UINT        InformationBufferLength;
            UINT        BytesWritten;
            UINT        BytesNeeded;
        } QUERY_INFORMATION;
  
        struct _SET
        {
            NDIS_OID    Oid;
            PVOID       InformationBuffer;
            UINT        InformationBufferLength;
            UINT        BytesRead;
            UINT        BytesNeeded;
        } SET_INFORMATION;
  
        struct _METHOD
        {
            NDIS_OID            Oid;
            PVOID               InformationBuffer;
            ULONG               InputBufferLength;
            ULONG               OutputBufferLength;
            ULONG               MethodId;
            UINT                BytesWritten;
            UINT                BytesRead;
            UINT                BytesNeeded;
        } METHOD_INFORMATION;
    } DATA;
    //
    // NDIS Reserved
    //
    UCHAR       NdisReserved[NDIS_OID_REQUEST_NDIS_RESERVED_SIZE * sizeof(PVOID)];
    UCHAR       MiniportReserved[2*sizeof(PVOID)];
    UCHAR       SourceReserved[2*sizeof(PVOID)];
    UCHAR       SupportedRevision;
    UCHAR       Reserved1;
    USHORT      Reserved2;

}NDIS_OID_REQUEST, *PNDIS_OID_REQUEST;
  • E1G60I32!E1000Request > _E1000QueryInformationSafe(MiniportAdapterContext, Oid, InformationBuffer, InformationBufferLength, &BytesWritten, &BytesNeeded) 
  • The following OIDs are checked:
#define OID_GEN_XMIT_OK                   0x00020101
#define OID_GEN_RCV_OK                    0x00020102
#define OID_GEN_STATISTICS                0x00020106
  • OID_GEN_STATISTICS is the OID to obtain statistics of an adapter for NDIS >= 6.0
typedef struct _NDIS_STATISTICS_INFO {
    NDIS_OBJECT_HEADER Header;       // 0x00
    ULONG SupportedStatistics;       // 0x04
    ULONG64 ifInDiscards;            // 0x08
    ULONG64 ifInErrors;              // 0x10
    ULONG64 ifHCInOctets;            // 0x18
    ULONG64 ifHCInUcastPkts;         // 0x20
    ULONG64 ifHCInMulticastPkts;     // 0x28
    ULONG64 ifHCInBroadcastPkts;     // 0x30
    ULONG64 ifHCOutOctets;           // 0x38
    ULONG64 ifHCOutUcastPkts;        // 0x40
    ULONG64 ifHCOutMulticastPkts;    // 0x48
    ULONG64 ifHCOutBroadcastPkts;    // 0x50
    ULONG64 ifOutErrors;             // 0x58
    ULONG64 ifOutDiscards;           // 0x60
    ULONG64 ifHCInUcastOctets;       // 0x68
    ULONG64 ifHCInMulticastOctets;   // 0x70
    ULONG64 ifHCInBroadcastOctets;   // 0x78
    ULONG64 ifHCOutUcastOctets;      // 0x80
    ULONG64 ifHCOutMulticastOctets;  // 0x88
    ULONG64 ifHCOutBroadcastOctets;  // 0x90
} NDIS_STATISTICS_INFO, *PNDIS_STATISTICS_INFO;

Demo


 

 
Signing off @x9090
Posted by x9090 at 1:15 AM 3 comments
Labels: ,
Subscribe to: Posts (Atom)