tcpip.sys?
disavowed
09-03-2002, 09:26 PM
I'm working on modifying how Windows (XP) handles certain packets. For example, right now I'm trying to prevent Windows from returning a RST when someone tries sending a (SYN-)ACK to a closed port. I'm assuming that this is controlled by tcpip.sys, but I'm not positive. Has anyone done any work in this area before?
NervGaz
09-03-2002, 10:05 PM
Probably... but why don't you just write your own KMD and intercept the (SYN-)ACKs and just drop them? Shouldn't be too hard.
disavowed
09-04-2002, 02:43 AM
The problem is, despite all the reading I've been doing lately, I've had trouble finding an "easy" (without me having to re-write tcpip.sys or an NDIS interpreter or something like that from scratch) way of intercepting them before they reach tcpip.sys (if that is what handles them). I don't see how a KMD would help.
NervGaz
09-04-2002, 08:15 AM
I'm not sure when tcpip.sys is loaded, i.e. boot, system or automatic... but if you write a KMD that is loaded before tcpip.sys (providing it isn't loaded at boot) it would be before tcpip.sys in the driver chain, IIRC, and as such would intercept the packets before it... or you could write one that simply hooks that part of it and RETs without handling it, in effect dropping it... but that is not so easy...
Snatch
09-04-2002, 08:43 AM
I'm very interested in this work too. If I get bored I may track down where in tcpip.sys all the good stuff is. disavowed, remember something called IDA Pro. And the other thing called symbols from Microsoft. They make a very powerful pair. In fact I got way into plenty of sys files that way.
Snatch
foxthree
09-04-2002, 04:47 PM
People:
Look for documentation on NDIS Intermediate Drivers and prepare for nightmares and a heavy dosage of sleepless nights/caffeine....
Signed,
-- FoxThree
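An added illustration, not code from any poster and not a real NDIS driver: the filtering decision a KMD or NDIS intermediate driver sitting in front of tcpip.sys would have to make for the case disavowed describes. It parses a raw IPv4/TCP packet, consults a hypothetical listening-port table, and silently drops SYN-ACKs and bare ACKs aimed at ports with no listener so the stack never gets to answer with a RST; plain SYNs and RSTs are passed through unchanged. The packets are constructed in the code (checksums left zero) so it runs offline.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define TCP_SYN 0x02   /* TCP flag bits, byte 13 of the TCP header */
#define TCP_RST 0x04
#define TCP_ACK 0x10

enum verdict { PASS = 0, DROP_SILENTLY = 1 };

/* Ports this host really listens on (constructed sample table). */
static const uint16_t listening_ports[] = { 80, 443 };

static bool port_is_listening(uint16_t port) {
    for (size_t i = 0; i < sizeof listening_ports / sizeof listening_ports[0]; i++)
        if (listening_ports[i] == port) return true;
    return false;
}

/* Decision a hypothetical intermediate driver makes for one inbound IPv4 packet
 * (raw bytes starting at the IP header). A SYN-ACK or bare ACK aimed at a port
 * with no listener is dropped here, so tcpip.sys never sees it and therefore
 * never answers with a RST. Plain SYNs and RSTs pass untouched. */
int filter_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return PASS;      /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return PASS;            /* truncated */
    if (pkt[9] != 6) return PASS;                           /* not TCP */
    const uint8_t *tcp = pkt + ihl;
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    uint8_t flags = tcp[13];
    if ((flags & TCP_ACK) && !(flags & TCP_RST) && !port_is_listening(dport))
        return DROP_SILENTLY;
    return PASS;
}

/* Build a minimal 40-byte IPv4+TCP packet (constructed; checksums left zero
 * because the filter does not verify them) and return the filter's verdict. */
int classify(uint16_t dport, uint8_t flags) {
    uint8_t buf[40];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;  /* IPv4, len, TTL, TCP */
    buf[20] = 0x04; buf[21] = 0xd2;                        /* source port 1234 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)(dport & 0xff);
    buf[32] = 0x50;                                        /* data offset 5 words */
    buf[33] = flags;
    return filter_packet(buf, sizeof buf);
}
```

Note that dropping only ACK-bearing segments leaves the stack's normal RST reply to a plain SYN on a closed port in place, which is exactly what the thread asked for; a stealth firewall would usually drop those too.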