大家。我正在开发 NDIS 6 过滤器驱动程序 (LWF)。 DriverEntry 例程中的 NdisFRegisterFilterDriver 调用因 NDIS_STATUS_FAILURE 失败。只出现在Win8 x86上,驱动在Win7 x86下可以正常运行。太奇怪了。我看过这个线程但没有用: Why does NdisFRegisterFilterDriver return NDIS_STATUS_FAILURE?
这是我的 DriverEntry 例程和 inf 文件。
_Use_decl_annotations_
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NDIS_FILTER_DRIVER_CHARACTERISTICS FChars;
NTSTATUS Status = STATUS_SUCCESS;
// NDIS_STRING FriendlyName = NDIS_STRING_CONST("WinPcap NDIS LightWeight Filter");
// NDIS_STRING UniqueName = NDIS_STRING_CONST("{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"); //unique name, quid name
// NDIS_STRING ServiceName = NDIS_STRING_CONST("npf6x"); //this to match the service name in the INF
NDIS_STRING FriendlyName = RTL_CONSTANT_STRING(L"WinPcap NDIS LightWeight Filter");
NDIS_STRING UniqueName = RTL_CONSTANT_STRING(L"{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"); //unique name, quid name
NDIS_STRING ServiceName = RTL_CONSTANT_STRING(L"npf6x"); //this to match the service name in the INF
WCHAR* bindT;
PKEY_VALUE_PARTIAL_INFORMATION tcpBindingsP;
UNICODE_STRING macName;
ULONG OsMajorVersion, OsMinorVersion;
TRACE_ENTER();
UNREFERENCED_PARAMETER(RegistryPath);
FilterDriverObject = DriverObject;
//
// Get OS version and store it in a global variable.
//
// Note: both RtlGetVersion() and PsGetVersion() are documented to always return success.
//
// OsVersion.dwOSVersionInfoSize = sizeof(OsVersion);
// RtlGetVersion(&OsVersion);
//
PsGetVersion(&OsMajorVersion, &OsMinorVersion, NULL, NULL);
TRACE_MESSAGE2(PACKET_DEBUG_INIT, "OS Version: %d.%d\n", OsMajorVersion, OsMinorVersion);
NdisInitUnicodeString(&g_NPF_Prefix, g_NPF_PrefixBuffer);
//
// Get number of CPUs and save it
//
#ifdef NDIS620
g_NCpu = NdisGroupMaxProcessorCount(ALL_PROCESSOR_GROUPS);
#else
g_NCpu = NdisSystemProcessorCount();
#endif
//
// TODO: Most handlers are optional, however, this sample includes them
// all for illustrative purposes. If you do not need a particular
// handler, set it to NULL and NDIS will more efficiently pass the
// operation through on your behalf.
//
//
// Register as a service with NDIS
//
// NdisZeroMemory(&FChars, NDIS_SIZEOF_FILTER_DRIVER_CHARACTERISTICS_REVISION_1);
// FChars.Header.Type = NDIS_OBJECT_TYPE_FILTER_DRIVER_CHARACTERISTICS;
// FChars.Header.Size = NDIS_SIZEOF_FILTER_DRIVER_CHARACTERISTICS_REVISION_1;
// FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_1;
//
// Register as a service with NDIS
//
NdisZeroMemory(&FChars, sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS));
FChars.Header.Type = NDIS_OBJECT_TYPE_FILTER_DRIVER_CHARACTERISTICS;
FChars.Header.Size = sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS);
#if NDIS_SUPPORT_NDIS61
FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_2;
#else
FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_1;
#endif
FChars.MajorNdisVersion = NDIS_FILTER_MAJOR_VERSION;
FChars.MinorNdisVersion = NDIS_FILTER_MINOR_VERSION;
FChars.MajorDriverVersion = 1;
FChars.MinorDriverVersion = 0;
FChars.Flags = 0;
FChars.FriendlyName = FriendlyName;
FChars.UniqueName = UniqueName;
FChars.ServiceName = ServiceName;
FChars.SetOptionsHandler = NPF_RegisterOptions;
FChars.AttachHandler = NPF_Attach;
FChars.DetachHandler = NPF_Detach;
FChars.RestartHandler = NPF_Restart;
FChars.PauseHandler = NPF_Pause;
FChars.SetFilterModuleOptionsHandler = NPF_SetModuleOptions;
FChars.OidRequestHandler = NPF_OidRequest;
FChars.OidRequestCompleteHandler = NPF_OidRequestComplete;
FChars.CancelOidRequestHandler = NPF_CancelOidRequest;
FChars.SendNetBufferListsHandler = NPF_SendEx;
FChars.ReturnNetBufferListsHandler = NPF_ReturnEx;
FChars.SendNetBufferListsCompleteHandler = NPF_SendCompleteEx;
FChars.ReceiveNetBufferListsHandler = NPF_TapEx;
FChars.DevicePnPEventNotifyHandler = NPF_DevicePnPEventNotify;
FChars.NetPnPEventHandler = NPF_NetPnPEvent;
FChars.StatusHandler = NPF_Status;
FChars.CancelSendNetBufferListsHandler = NPF_CancelSendNetBufferLists;
DriverObject->DriverUnload = NPF_Unload;
//
// Initialize spin locks
//
//NdisAllocateSpinLock(&FilterListLock);
//InitializeListHead(&FilterModuleList);
//
// Standard device driver entry points stuff.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = NPF_OpenAdapter;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = NPF_CloseAdapter;
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = NPF_Cleanup;
DriverObject->MajorFunction[IRP_MJ_READ] = NPF_Read;
DriverObject->MajorFunction[IRP_MJ_WRITE] = NPF_Write;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NPF_IoControl;
bindP = getAdaptersList();
if (bindP == NULL)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "Adapters not found in the registry, try to copy the bindings of TCP-IP.");
tcpBindingsP = getTcpBindings();
if (tcpBindingsP == NULL)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "TCP-IP not found, quitting.");
goto RegistryError;
}
bindP = (WCHAR *)tcpBindingsP;
bindT = (WCHAR *)(tcpBindingsP->Data);
}
else
{
bindT = bindP;
}
for (; *bindT != UNICODE_NULL; bindT += (macName.Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR))
{
RtlInitUnicodeString(&macName, bindT);
NPF_CreateDevice(DriverObject, &macName);
}
Status = NdisFRegisterFilterDriver(DriverObject,
(NDIS_HANDLE) FilterDriverObject,
&FChars,
&FilterDriverHandle);
if (Status != NDIS_STATUS_SUCCESS)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "Failed to register filter with NDIS.");
TRACE_EXIT();
return Status;
}
TRACE_EXIT();
return STATUS_SUCCESS;
RegistryError :
Status = STATUS_UNSUCCESSFUL;
TRACE_EXIT();
return(Status);
}
inf文件:
;-------------------------------------------------------------------------
; NPF6X.INF -- NPF NDIS 6.x LightWeight Filter Driver
;
; Copyright (c) 2013, InSecure.Com, LLC. All rights reserved.
;------------------------------------------------------------------------
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
CatalogFile = npf6x.cat
Provider = %Insecure%
DriverVer=08/18/2013,0.31.43.389
[Manufacturer]
%Insecure%=Insecure,NTx86,NTia64,NTamd64
[Insecure.NTx86]
%NPF6x_Desc%=Install, INSECURE_NPF6X
[Insecure.NTia64]
%NPF6x_Desc%=Install, INSECURE_NPF6X
[Insecure.NTamd64]
%NPF6x_Desc%=Install, INSECURE_NPF6X
;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000
NetCfgInstanceId="{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"
Copyfiles = npf6x.copyfiles.sys
[SourceDisksNames]
1=%NPF6x_Desc%,"",,
[SourceDisksFiles]
npf6x.sys=1
[DestinationDirs]
DefaultDestDir=12
npf6x.copyfiles.sys=12
[npf6x.copyfiles.sys]
npf6x.sys,,,2
;-------------------------------------------------------------------------
; Ndi installation support
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR, Ndi,Service,,"npf6x"
HKR, Ndi,CoServices,0x00010000,"npf6x"
HKR, Ndi,HelpText,,%NPF6X_HelpText%
HKR, Ndi,FilterClass,, compression
; For a Monitoring filter, use this:
; HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
; For a Modifying filter, use this:
; HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
HKR, Ndi,FilterType,0x00010001,2
HKR, Ndi\Interfaces,UpperRange,,"noupper"
HKR, Ndi\Interfaces,LowerRange,,"nolower"
; TODO: Ensure that the list of media types below is correct. Typically,
; filters include "ethernet". Filters may also include "ppip" to include
; native WWAN stacks, but you must be prepared to handle the packet framing.
; Possible values are listed on MSDN, but common values include:
; ethernet, wan, ppip, wlan
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan"
; For a Mandatory filter, use this:
; HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
; For an Optional filter, use this:
; HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
; By default, Mandatory filters unbind all protocols when they are
; installed/uninstalled, while Optional filters merely pause the stack. If you
; would like to override this behavior, you can include these options. These
; options only take effect with 6.30 filters on Windows "8" or later.
; To prevent a full unbind, and merely pause/restart protocols:
; HKR, Ndi,UnbindOnAttach,0x00010001, 0 ; Do not unbind during FilterAttach
; HKR, Ndi,UnbindOnDetach,0x00010001, 0 ; Do not unbind during FilterDetach
; To force a full unbind/bind (which includes pause/restart, of course):
; HKR, Ndi,UnbindOnAttach,0x00010001, 1 ; Unbind during FilterAttach
; HKR, Ndi,UnbindOnDetach,0x00010001, 1 ; Unbind during FilterDetach
;
;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[Install.Services]
AddService=npf,,NPF6X_Service_Inst
[NPF6X_Service_Inst]
DisplayName = %NPF6x_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\npf6x.sys
LoadOrderGroup = NDIS
Description = %NPF6x_Desc%
[Install.Remove.Services]
DelService=npf,0x200 ; SPSVCINST_STOPSERVICE
[NdisImPlatformBindingOptions.reg]
; By default, when an LBFO team or Bridge is created, all filters will be
; unbound from the underlying members and bound to the TNic(s). This keyword
; allows a component to opt out of the default behavior
; To prevent binding this filter to the TNic(s):
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
; To prevent unbinding this filter from underlying members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
; To prevent both binding to TNic and unbinding from members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or unbind from Members
HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior
[Strings]
Insecure = "Nmap Project"
NPF6X_Desc = "WinPcap Lightweight Filter Driver (NPF)"
NPF6X_HelpText = "A NDIS 6 kernel filter driver to support packet capturing under Windows 7 & Windows 8"
最佳答案
以下是我将遵循的诊断步骤:
将 NetCfgInstanceId 更改为 a new GUID 非常重要,不同于{5cbf81bd...}示例驱动程序使用的 GUID。
检查是否真的安装了过滤器。使用来自 here 的 bindview .或查看 HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{ your NetCfgInstanceId }\Ndi并验证您的过滤器驱动程序是否有条目。 NDIS 需要有 FilterType和 FilterRunType该键下的值。
检查您的 NPF_RegisterOptions正在调用例程,如果是,是否返回 NDIS_STATUS_SUCCESS .
启用 NDIS 跟踪,如所述here .可能有一条信息性消息说明 NDIS 为何无法注册筛选器驱动程序。 (尽管老实说,我们在那里没有我想要的那么多痕迹。)请注意,在 Windows 8 及更高版本上,您不再需要下载 TMF 文件,因为 TMF 内置于 NDIS.PDB 中调试器会自动为您下载。
在调用 NdisFRegisterFilterDriver 期间, NDIS 会调用几个内部例程。尝试在每个断点上设置断点,以查看调用了哪些断点以及它们返回了哪些状态代码。 (请注意,在 x86 上,eax 寄存器通常保存返回值,因此您需要在每个子例程返回到 eax 后检查 NdisFRegisterFilterDriver 寄存器。
ndisCreateFilterDriverRegistry ndisReadFilterDriverRegistry ndisFInvokeSetOptions 关于c - 为什么 NdisFRegisterFilterDriver 在 Windows 8 下失败并显示 NDIS_STATUS_FAILURE?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/18352982/
类classAprivatedeffooputs:fooendpublicdefbarputs:barendprivatedefzimputs:zimendprotecteddefdibputs:dibendendA的实例a=A.new测试a.foorescueputs:faila.barrescueputs:faila.zimrescueputs:faila.dibrescueputs:faila.gazrescueputs:fail测试输出failbarfailfailfail.发送测试[:foo,:bar,:zim,:dib,:gaz].each{|m|a.send(m)resc
我需要在客户计算机上运行Ruby应用程序。通常需要几天才能完成(复制大备份文件)。问题是如果启用sleep,它会中断应用程序。否则,计算机将持续运行数周,直到我下次访问为止。有什么方法可以防止执行期间休眠并让Windows在执行后休眠吗?欢迎任何疯狂的想法;-) 最佳答案 Here建议使用SetThreadExecutionStateWinAPI函数,使应用程序能够通知系统它正在使用中,从而防止系统在应用程序运行时进入休眠状态或关闭显示。像这样的东西:require'Win32API'ES_AWAYMODE_REQUIRED=0x0
我有一个模型:classItem项目有一个属性“商店”基于存储的值,我希望Item对象对特定方法具有不同的行为。Rails中是否有针对此的通用设计模式?如果方法中没有大的if-else语句,这是如何干净利落地完成的? 最佳答案 通常通过Single-TableInheritance. 关于ruby-on-rails-Rails-子类化模型的设计模式是什么?,我们在StackOverflow上找到一个类似的问题: https://stackoverflow.co
我正在使用的第三方API的文档状态:"[O]urAPIonlyacceptspaddedBase64encodedstrings."什么是“填充的Base64编码字符串”以及如何在Ruby中生成它们。下面的代码是我第一次尝试创建转换为Base64的JSON格式数据。xa=Base64.encode64(a.to_json) 最佳答案 他们说的padding其实就是Base64本身的一部分。它是末尾的“=”和“==”。Base64将3个字节的数据包编码为4个编码字符。所以如果你的输入数据有长度n和n%3=1=>"=="末尾用于填充n%
我主要使用Ruby来执行此操作,但到目前为止我的攻击计划如下:使用gemsrdf、rdf-rdfa和rdf-microdata或mida来解析给定任何URI的数据。我认为最好映射到像schema.org这样的统一模式,例如使用这个yaml文件,它试图描述数据词汇表和opengraph到schema.org之间的转换:#SchemaXtoschema.orgconversion#data-vocabularyDV:name:namestreet-address:streetAddressregion:addressRegionlocality:addressLocalityphoto:i
为什么4.1%2返回0.0999999999999996?但是4.2%2==0.2。 最佳答案 参见此处:WhatEveryProgrammerShouldKnowAboutFloating-PointArithmetic实数是无限的。计算机使用的位数有限(今天是32位、64位)。因此计算机进行的浮点运算不能代表所有的实数。0.1是这些数字之一。请注意,这不是与Ruby相关的问题,而是与所有编程语言相关的问题,因为它来自计算机表示实数的方式。 关于ruby-为什么4.1%2使用Ruby返
它不等于主线程的binding,这个toplevel作用域是什么?此作用域与主线程中的binding有何不同?>ruby-e'putsTOPLEVEL_BINDING===binding'false 最佳答案 事实是,TOPLEVEL_BINDING始终引用Binding的预定义全局实例,而Kernel#binding创建的新实例>Binding每次封装当前执行上下文。在顶层,它们都包含相同的绑定(bind),但它们不是同一个对象,您无法使用==或===测试它们的绑定(bind)相等性。putsTOPLEVEL_BINDINGput
我可以得到Infinity和NaNn=9.0/0#=>Infinityn.class#=>Floatm=0/0.0#=>NaNm.class#=>Float但是当我想直接访问Infinity或NaN时:Infinity#=>uninitializedconstantInfinity(NameError)NaN#=>uninitializedconstantNaN(NameError)什么是Infinity和NaN?它们是对象、关键字还是其他东西? 最佳答案 您看到打印为Infinity和NaN的只是Float类的两个特殊实例的字符串
如果您尝试在Ruby中的nil对象上调用方法,则会出现NoMethodError异常并显示消息:"undefinedmethod‘...’fornil:NilClass"然而,有一个tryRails中的方法,如果它被发送到一个nil对象,它只返回nil:require'rubygems'require'active_support/all'nil.try(:nonexisting_method)#noNoMethodErrorexceptionanymore那么try如何在内部工作以防止该异常? 最佳答案 像Ruby中的所有其他对象
关闭。这个问题需要detailsorclarity.它目前不接受答案。想改进这个问题吗?通过editingthispost添加细节并澄清问题.关闭8年前。Improvethisquestion为什么SecureRandom.uuid创建一个唯一的字符串?SecureRandom.uuid#=>"35cb4e30-54e1-49f9-b5ce-4134799eb2c0"SecureRandom.uuid方法创建的字符串从不重复?