tcp filter example

tcp filter example

Let me first describe some situations of tcp / ip protocol under 2000 / nt. Under 2000 / nt, ip, tcp, udp are in
The one implemented in a driver is called tcp.sys. This driver creates 3 devices, namely ip, tcp, udp
.
First describe driverentry. The first is of course iocreatedevice, using file_device_unknown,
Because this parameter is used by tcp devices. code show as below:
RtlInitUnicodeString (& usDeviceName, FILTER_NAME);
status = IoCreateDevice (DriverObject,
sizeof (DEVICE_EXTENSION),
& usDeviceName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
& pDevObj);
Then call iogetdeviceobjectpointer to get the pointer of the tcp device.
code show as below:
RtlInitUnicodeString (& usTargetName, TARGET_NAME);
status = IoGetDeviceObjectPointer (& usTargetName,
FILE_ALL_ACCESS,
& pTargetFileObj,
& pTargetDevObj);
Note that TARGET_NAME is case sensitive, I use #define TARGET_NAME L "\\ Device \\ Tcp",
Cannot be written as #define TARGET_NAME L "\\ Device \ cp".
Then we started calling IoAttachDeviceToDevieStatck to insert it into the tcp device.
After the call is completed, we want to make our device behave the same as tcp, so we put all of its
Features are copied from tcpobj (pdevobj-> xxx = ptcpobj-> xxx).
Then scan the majorfuncTIon of his tcpdriverobject, our drivers must all
stand by. Finally set driverunload, because in order to facilitate debugging, we must write an unload

I have already talked about driverentry before. After driverentry, all the originals should be sent to
The irp of the tcp device is now sent to the processing function of our device, if nothing is done,
Then you can simply call iocalldriver to send this irp to the tcp device for processing.
Of course, we have to do something, so the code is as follows:
UCHAR MajorFuncTIon, MinorFuncTIon;
PDEVICE_EXTENSION pDevExt = (PDEVICE_EXTENSION) DeviceObject-> DeviceExt
ension;
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation (Irp);
MajorFunction = pIrpStack-> MajorFunction;
MinorFunction = pIrpStack-> MinorFunction;
// DBGPRINT (...)
ParseIrp (Irp);
IoCopyCurrentIrpStackLocationToNext (Irp);
IoSetCompletionRoutine (Irp,
CompletionRoutine,
NULL, // context
TRUE, // InvokeOnSuccess
TRUE, // InvokeOnError
TRUE); // InvokeOnCancel
return IoCallDriver (pDevExt-> TargetDevObj, Irp);
The code is very simple, except parsirp, others are routine. Pre-processing for tcp devices
It's in this function. Post-processing functions can be placed in completionroution.
Ok, we have got all the irp sent to the tcp device, this time our task is to understand
How exactly does the tcp device work.

In this case, the data will not be obtained without passing through the tcp device.
In order to understand how to get information from the irp sent to the tcp device, first of all I will describe how the tdi client
How does communication with tcp and tdi client generally work?
There are several examples in driverstdio about tdi client, but these examples are based on its own
Class library, but these examples are very powerful, one of the usb + web thermometer's creativity simply surprised me
Stupid.
Because I have also made the driver of the pci thermometer, but I never thought I could add a web server in
inside.
Because the example in driverstdio is too complicated, I will briefly describe it here and give a small example.
Because the sending process is relatively simple, the sending will be described first.
First call pIrp = TdiBuildInternalDeviceControlIrp (
TDI_SEND_DATAGRAM, // sub
function
pDeviceObject, // poin
ter to device object
pTransportObject, // poin
ter to udp object
NULL, // poin
ter to event
NULL); // poin
ter to return buffer
Allocate an irp, then call
TdiBuildSendDatagram (
pIrp, // poin
ter to irp
pDeviceObject, // poin
ter to device object
pTransportObject, // poin
ter to file object
NULL, // comp
letion routine
NULL, // comp
letion context
pMdl, // poin
ter to data
dBufferSize, // size
of data
pConnectInfo); // conn
ection information
Needless to say, I should know that the data is placed in a buf. Before calling this function, you must build an mdl
And put this buf
put in.
Then ... irp is good, as long as IoCallDriver (pUDPObject, PIrp) is enough ...
The example above uses UDP (Datagram), but tcp is the same, although the function is a bit different, but it is also large
Same with little difference (TdiBuildSend).
In order to find out exactly what the above two functions did (what exactly the irp built looks like), there is no need to go
Tracking, actually, tdibuildxxx
It's just a macro, you can find it in tdikrnl.h. Open tdikrnl.h and see that there are
Such a sentence:
_IRPSP-> MajorFunction = IRP_MJ_INTERNAL_DEVICE_CONTROL;
So we know that tdi client is through majorfunction = IRP_MJ_INTERNAL_DEVICE_CONTROL, m
inorfunction = send / recv / ...
Communicating with tcp. This convinces us that this method is feasible. (Not directly calling the tdi function, but
Hair irp)

The receiving process is more complicated (tdi client has more choices, so various situations should be considered)
At the beginning, I saw such a macro in the ddk document: tdibuildreceive, I want to ok,
Like send, I thought it was simple at the time, thinking that the tdi client was about to accept data, it sent a tcp
irp, then return pending, when data comes, tcp finishes processing this irp, then tdi client only needs to
This irp
The data processed in irp_complete will do. This is indeed an option for tdi client, but
When I experimented, I found that at least wsock did not do this, because I opened an ie, browsed a web
page,
But I found that the data I sent was well captured, but there was no data received, and in fact
,
tcp doesn't seem to receive the irp with minorfunction = tdi_receive. I have been upset about this for a while,

Later, I read the ddk document carefully and found that the tdi client still has the second option, first send a tcp
Pc
irp, minorfunction = tdi_sethandler, set some callback functions, and then when things happen, tc
p
These callback functions will be called. The names of these functions are clientEventxxx. This process can be seen carefully ddk do
cument,
Look at TdiBuildSetEventHandler to know which processes can use this method. receive is one of them
, So
Our method is obtained. First we got the irp, if it is set_eventhandler, then modify tdi c
lient
The entrance of the callback function set to tcp, point it to a function we wrote, while retaining the original entrance,

Then call it in our own function.
code show as below:
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation (Irp);
MajorFunction = pIrpStack-> MajorFunction;
MinorFunction = pIrpStack-> MinorFunction;
FileObject = pIrpStack-> FileObject;
....
switch (MajorFunction)
{
...
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
{
switch (MinorFunction)
{
...
case TDI_SET_EVENT_HANDLER:
pRequestSetEvent = (PTDI_REQUEST_KERNEL_SET_EVENT) (& (pIrpStack-> Pa
rameters.DeviceIoControl));
EventType = pRequestSetEvent-> EventType;
EventHandler = pRequestSetEvent-> EventHandler;
EventContext = pRequestSetEvent-> EventContext;
...
switch (EventType)
{
...
case TDI_EVENT_RECEIVE:
pRequestSetEvent-> EventHandler = OurClientEventReceive;
g_EventReceive = EventHandler;
break;
...
It is worth noting that even set_eventhandler does not necessarily receive data in tdi_event_receive
,
There are many options for this tdi_client, and there is ClientEventChainedReceive or something. For details, see ddk,

Winsock seems to have never used this. But this does not affect, we can put all possible situations in ddk

All are listed, judged one by one, and dealt with separately. For clienteventreceive, here are a few words to say
Say
It is clear that the data is not obtained every time this function is called, which depends on the ReceiveFlags parameter, tdi cl
ient
According to this parameter, it is decided whether to send tdi_receive irp to get the data. So our processing function must judge
This one
Parameters in order to make corresponding processing, my own code has been running in the actual environment for a while, and it seems that
Question, but
I dare not say that I have considered every situation.

Plug-in Connecting Terminals

Plug-In Connecting Terminals,Insulated Spade Terminals,Cable Connector Double Spade Terminals,Vinyl-Insulated Locking Spade Terminals

Taixing Longyi Terminals Co.,Ltd. , https://www.lycopperlugs.com

Posted on