Views: 1754 Replies: 1
How good is the NDIS-HOOKING technique?
Here is some material below. Does anyone have this program?
Universal NDIS-Hooking Driver Samples (All Windows Platforms)

Truth In Advertising

Carefully consider these points when evaluating the suitability of this product or NDIS-Hooking techniques for your needs:

- NDIS-Hooking methods as well as these PCAUSA samples are intended only for special purposes where other Microsoft-supported NDIS filtering techniques, such as NDIS Intermediate (IM) drivers, have proven to be inadequate or impractical.
- The Windows NT/W2K/WXP NDIS-Hooking methods are implemented by manipulating poorly-documented kernel data structures. This may influence your decision to use this type of technology. Here are some considerations:
  - Microsoft reserves the right to make changes in these structures in future OS releases or even Service Packs. Such changes may break the functionality of the NDIS-Hooking samples. Although PCAUSA will use its best effort to update the technology in this event, PCAUSA cannot guarantee the timeliness of such an update.
  - PCAUSA does not know the Microsoft policy concerning WHQL approval and Driver Signing for drivers that use NDIS-hooking technology.
  - Microsoft rightfully discourages use of NDIS-Hooking methods in cases where the use of documented techniques will suffice.
- The NDIS-Hooking samples are only suitable for use by developers who already have a thorough knowledge of Windows device driver programming and debugging techniques as well as an existing knowledge of the Windows NDIS API. These samples are suitable for advanced kernel-mode developers only.
- The Windows 9X/ME NDIS-Hooking samples are Virtual Device Drivers (VxDs) built using the Compuware/NuMega VtoolsD VxD Framework. If you do not have VtoolsD, then acquiring the VtoolsD software will be an additional cost to you.

With the above considerations understood, it should also be understood that there are a variety of successful commercial network products that are implemented using NDIS-Hooking techniques because of special functional requirements. If you believe that you have such requirements, please read on.

NDIS-Hooking Overview

An NDIS-Hooking driver is "logically similar" to an NDIS Intermediate (IM) driver. However, it is implemented differently.

The PCAUSA NDIS-Hooking driver samples use a technique called "hooking" to intercept services exported by the Windows NDIS wrapper. The NDIS-Hooking driver hooks the NDIS wrapper at a point in the load sequence before NDIS protocols begin their binding process.

Because the NDIS-Hooking driver hooks services exported by the NDIS wrapper, it can intercept each protocol's call to NdisRegisterProtocol and replace the protocol's characteristics table (jump table) with a table containing pointers to functions within the NDIS-Hooking driver. After that, the NDIS-Hooking driver intercepts each protocol's call to NdisOpenAdapter so it can track the adapters that are opened.

With a little bookkeeping, the NDIS-Hooking driver inserts itself between MSTCP and all of the adapters that it binds to. When MSTCP calls NdisSend to send a packet, the packet comes to the NDIS-Hooking driver first for filtering. Likewise, packets that are to be indicated (received) on MSTCP go to the NDIS-Hooking driver first where they also can be filtered.

Here are links to supplemental information on NDIS-Hooking techniques:

- Diagram of the Windows Network Architecture that illustrates NDIS-Hooking filters
- Firewall For Windows 9X/NT/2000 (Includes NDIS-Hooking Technical Notes)

NDIS-Hooking Sample Overview

The new NDIS-Hooking samples include samples for the following platforms:

- Windows 95/98/ME - Using VxD drivers. Requires VtoolsD.
- Windows NT/W2K/WXP - Using "NT-Style" drivers.

The sample drivers for each platform include:

- Base NDIS-Hooking PassThru Sample
- Ethernet Bridge Sample
- Performance Optimized PassThru NDIS-Hooking Sample
- Simple Firewall Driver
- Performance Optimized NDIS Filter Sample

Base and Performance Oriented PassThru NDIS-Hooking Samples

Both of these implement a "PassThru" NDIS-Hooking driver. The main difference between Base and Performance Optimized versions is that:

- The Base PassThru sample is oriented towards filter drivers that may need to modify packet contents. It illustrates duplicating packet contents (to allow modification) by copying packet data to an INTERMEDIATE_BUFFER structure.
- The Performance Optimized PassThru sample is oriented towards filter drivers that monitor or block packets (without changing). It involves less copying and works more directly with the NDIS_PACKET structures.

Copying from one memory buffer to another has some performance impact (it
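The overview quoted in the post above says the hooking driver replaces a protocol's characteristics table with pointers to its own functions. As an added example (not part of the original post or of PCAUSA's samples), this user-mode C model shows how an auditor can flag that redirection by checking which driver image each handler address falls in; the structs, image names and addresses are constructed placeholders, not real NDIS definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a loaded driver image occupying [base, base+size). */
typedef struct { const char *name; uintptr_t base; size_t size; } image_t;

/* Simplified stand-in for a protocol's characteristics (jump) table. */
enum { H_SEND_COMPLETE, H_RECEIVE, H_RECEIVE_COMPLETE, H_STATUS, H_COUNT };
typedef struct { const char *protocol; uintptr_t handler[H_COUNT]; } proto_table_t;

/* Return the image whose address range contains addr, or NULL. */
static const image_t *owner_of(const image_t *imgs, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= imgs[i].base && addr - imgs[i].base < imgs[i].size)
            return &imgs[i];
    return NULL;
}

/* Count handlers that do not resolve into the protocol's own image. */
static int audit_table(const proto_table_t *t, const image_t *self,
                       const image_t *imgs, size_t n) {
    int foreign = 0;
    for (int i = 0; i < H_COUNT; i++) {
        const image_t *o = owner_of(imgs, n, t->handler[i]);
        if (o != self) {
            printf("%s: handler %d -> %s\n", t->protocol, i,
                   o ? o->name : "<unmapped>");
            foreign++;
        }
    }
    return foreign;
}

/* Constructed sample data: image names and addresses are placeholders. */
static const image_t IMAGES[] = {
    { "proto.sys",  0xF0000000u, 0x60000 },
    { "filter.sys", 0xF1000000u, 0x08000 },
};
static const proto_table_t CLEAN  = { "MSTCP",
    { 0xF0001000u, 0xF0001200u, 0xF0001400u, 0xF0001600u } };
static const proto_table_t HOOKED = { "MSTCP",
    { 0xF0001000u, 0xF1000100u, 0xF1000200u, 0xF0001600u } };

int main(void) {
    printf("clean: %d foreign\n", audit_table(&CLEAN, &IMAGES[0], IMAGES, 2));
    printf("hooked: %d foreign\n", audit_table(&HOOKED, &IMAGES[0], IMAGES, 2));
    return 0;
}
```

A foreign handler is not proof of malice: as the quoted text notes, commercial products use the same technique, so a hit is a prompt to identify the owning driver.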
Reply #1
Posted: 2002-06-19 13:18
I wonder whether the moderator has found it; I'm interested too.