
Thread: tcpip.sys?

  1. #1 disavowed

    I'm working on modifying how Windows (XP) handles certain packets. For example, right now I'm trying to prevent Windows from returning an RST when someone tries sending a (SYN-)ACK to a closed port. I'm assuming that this is controlled by tcpip.sys, but I'm not positive. Has anyone done any work in this area before?

  2. #2
    Probably... but why don't you just write your own KMD, intercept the (SYN-)ACKs and just drop them? Shouldn't be too hard.

  3. #3 disavowed
    The problem is, despite all the reading I've been doing lately, I've had trouble finding an "easy" way (without having to re-write tcpip.sys or an NDIS interpreter or something like that from scratch) of intercepting them before they reach tcpip.sys (if that is what handles them). I don't see how a KMD would help :)

  4. #4
    I'm not sure when tcpip.sys is loaded, i.e. boot, system or automatic... but if you write a KMD that is loaded before tcpip.sys (provided it isn't loaded at boot), it would sit before tcpip.sys in the driver chain, IIRC, and as such would intercept the packets before it... or you could write one that simply hooks that part of it and RETs without handling it, in effect dropping it... but that is not so easy...

  5. #5 Snatch (Guest)
    I'm very interested in this work too. If I get bored I may track down where in tcpip.sys all the good stuff is. disavowed, remember something called IDA Pro, and the other thing called symbols from Microsoft? They make a very powerful pair. In fact I got way into plenty of .sys files that way.


  6. #6 foxthree (Guest)

    Heh heh... NDIS IM :)

    People:

    Look for documentation on NDIS Intermediate Drivers and prepare for nightmares and a heavy dosage of sleepless nights/caffeine....

    Signed,
    -- FoxThree
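Whatever layer the interception ends up at (an NDIS intermediate driver as foxthree suggests, or a hook in the stack's receive path), the actual decision is small: look at the incoming frame before tcpip.sys does, and if it is a TCP segment with ACK set aimed at a port nobody is listening on, drop it, because that is precisely the segment the stack would answer with an RST. The C program below is an added example, not code from this thread or from Windows; it shows only that decision logic over a constructed Ethernet/IPv4/TCP frame in user mode, so it runs anywhere. The static `listening_ports` table and the helper names (`filter_frame`, `build_tcp_frame`, `classify`) are assumptions for the example; a real driver would consult the stack's own bound-port state and would also have to cope with IP options, fragments and VLAN tags, which this version deliberately passes through untouched.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14
#define ETHERTYPE_IP  0x0800
#define IPPROTO_TCP_N 6
#define TH_SYN        0x02
#define TH_RST        0x04
#define TH_ACK        0x10

enum verdict { PASS = 0, DROP = 1 };

/* Assumed listener table (constructed for this example). A real filter would
 * consult the stack's bound-port table instead of a static list. */
static const uint16_t listening_ports[] = { 80, 443 };

static int port_is_listening(uint16_t port)
{
    for (size_t i = 0; i < sizeof listening_ports / sizeof listening_ports[0]; i++)
        if (listening_ports[i] == port)
            return 1;
    return 0;
}

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Receive-path decision: should this frame be handed up to tcpip.sys?
 * Anything the filter cannot parse is passed through unchanged, so it
 * never breaks traffic it does not understand. */
enum verdict filter_frame(const unsigned char *frame, size_t len)
{
    if (len < ETH_HLEN + 20 || be16(frame + 12) != ETHERTYPE_IP)
        return PASS;

    const unsigned char *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl + 20)
        return PASS;
    if (ip[9] != IPPROTO_TCP_N)
        return PASS;

    const unsigned char *tcp = ip + ihl;
    uint16_t dport = be16(tcp + 2);
    uint8_t  flags = tcp[13];

    /* A segment with ACK set (SYN-ACK or bare ACK) to a port with no listener
     * is exactly what the stack answers with RST; dropping it here means the
     * stack never sees it and never replies. Segments that already carry RST
     * are passed: the stack does not respond to an RST, so there is nothing
     * to suppress. */
    if ((flags & TH_ACK) && !(flags & TH_RST) && !port_is_listening(dport))
        return DROP;

    return PASS;
}

/* Build a constructed Ethernet/IPv4/TCP frame: no options, no payload,
 * checksums left zero (the filter does not verify them). Returns its length. */
size_t build_tcp_frame(unsigned char *out, uint16_t dport, uint8_t flags)
{
    memset(out, 0, ETH_HLEN + 40);
    out[12] = 0x08; out[13] = 0x00;                    /* EtherType IPv4 */

    unsigned char *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                      /* version 4, IHL 5 */
    ip[3] = 40;                                        /* total length 20 + 20 */
    ip[8] = 64;                                        /* TTL */
    ip[9] = IPPROTO_TCP_N;
    ip[12] = 10; ip[13] = 0; ip[14] = 0; ip[15] = 2;   /* src 10.0.0.2 */
    ip[16] = 10; ip[17] = 0; ip[18] = 0; ip[19] = 1;   /* dst 10.0.0.1 */

    unsigned char *tcp = ip + 20;
    tcp[0] = 0xc3; tcp[1] = 0x50;                      /* src port 50000 */
    tcp[2] = (unsigned char)(dport >> 8);
    tcp[3] = (unsigned char)(dport & 0xff);
    tcp[12] = 0x50;                                    /* data offset 5 (20 bytes) */
    tcp[13] = flags;
    return ETH_HLEN + 40;
}

/* Convenience wrapper: build one segment and run it through the filter. */
enum verdict classify(uint16_t dport, uint8_t flags)
{
    unsigned char frame[ETH_HLEN + 40];
    size_t n = build_tcp_frame(frame, dport, flags);
    return filter_frame(frame, n);
}

int main(void)
{
    struct { const char *name; uint16_t port; uint8_t flags; } cases[] = {
        { "SYN-ACK to closed port 12345", 12345, TH_SYN | TH_ACK },
        { "bare ACK to closed port 12345", 12345, TH_ACK },
        { "SYN-ACK to open port 80",          80, TH_SYN | TH_ACK },
        { "SYN to closed port 12345",      12345, TH_SYN },
        { "RST-ACK to closed port 12345",  12345, TH_RST | TH_ACK },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-32s -> %s\n", cases[i].name,
               classify(cases[i].port, cases[i].flags) == DROP ? "DROP" : "PASS");
    return 0;
}
```

Note the one case the filter leaves alone on purpose: a plain SYN to a closed port still reaches tcpip.sys and still draws its normal RST, because the original question is only about unsolicited (SYN-)ACKs. Widening the rule to drop every segment to an unbound port would make the host look like it is silently filtering all ports, which is a different (and more visible) change in behaviour.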
