Is there any way to implement SSL in the NDIS IM Driver? I think there
is, but I'm not sure as to the first way to go about this.

-Jay
(patelj27b at gmail dot com)

Re: SSL, Kernel, and NDIS by Skywing

Skywing
Fri Mar 10 08:27:09 CST 2006

Sure - but you would need to do all of the crypto yourself. I would
recommend wrapping some library like OpenSSL for that purpose.

BTW, if at all possible, I would avoid doing this in kernel mode at all.

<patelj27b@gmail.com> wrote in message
news:1141941528.607756.40740@u72g2000cwu.googlegroups.com...
> Is there any way to implement SSL in the NDIS IM Driver? I think there
> is, but I'm not sure as to the first way to go about this.
>
> -Jay
> (patelj27b at gmail dot com)
>



Re: SSL, Kernel, and NDIS by patelj27b

patelj27b
Fri Mar 10 08:37:49 CST 2006

Hey There,
Thanks for your reply. Unfortunately, I have to do this in
kernel-mode. I need to implement an NDIS IM driver that will emulate a
VPN in the sense that when a user goes to a specific site "http://xyz"
then the NDIS IM driver will automatically create an SSL connection
with that site, connect through the SSL port, and transmit and receive
via "https://xyz". Would TLS under the OpenSSL project be used for that
purpose?

Thanks for your help,
Jay
(patelj27b at gmail dot com)


Re: SSL, Kernel, and NDIS by Vipin

Vipin
Fri Mar 10 08:47:25 CST 2006

There are already vendors who have done what you are trying to do and
are well placed in the market. Why do you want to reinvent the wheel?

--
Vipin Aravind
http://www.explorewindows.com


<patelj27b@gmail.com> wrote in message
news:1142001469.744259.231110@j52g2000cwj.googlegroups.com...
> Hey There,
> Thanks for your reply. Unfortunately, I have to do this in
> kernel-mode. I need to implement an NDIS IM driver that will emulate a
> VPN in the sense that when a user goes to a specific site "http://xyz"
> then the NDIS IM driver will automatically create an SSL connection
> with that site, connect through the SSL port, and transmit and receive
> via "https://xyz". Would TLS under the OpenSSL project be used for that
> purpose?
>
> Thanks for your help,
> Jay
> (patelj27b at gmail dot com)
>



Re: SSL, Kernel, and NDIS by patelj27b

patelj27b
Fri Mar 10 08:55:03 CST 2006

This needs to be specifically implemented a certain way, and I need
control over the source code. Does anyone have any ideas where I can go
to see documentation or source examples on this subject?
-Jay


Re: SSL, Kernel, and NDIS by Skywing

Skywing
Fri Mar 10 11:50:12 CST 2006

You really do not want to do this in kernel mode. Now you need to do things
like handle certificate revocation checking, trusted root certificate
authorities, etc etc in kernel mode. You really do not want to have to deal
with all of that.

What about just redirecting the request to some secondary user mode app that
does the SSL connection and passes the decrypted data back up to the NDIS
driver (and vice versa for the send path)?

<patelj27b@gmail.com> wrote in message
news:1142001469.744259.231110@j52g2000cwj.googlegroups.com...
> Hey There,
> Thanks for your reply. Unfortunately, I have to do this in
> kernel-mode. I need to implement an NDIS IM driver that will emulate a
> VPN in the sense that when a user goes to a specific site "http://xyz"
> then the NDIS IM driver will automatically create an SSL connection
> with that site, connect through the SSL port, and transmit and receive
> via "https://xyz". Would TLS under the OpenSSL project be used for that
> purpose?
>
> Thanks for your help,
> Jay
> (patelj27b at gmail dot com)
>
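The split Skywing suggests (kernel component moves raw records, a user-mode helper owns the TLS state and certificate validation) can be sketched with a TLS engine that never touches a socket. This is an added example, not code from the thread; it uses Python's ssl MemoryBIO API, and the kernel-side driver and the hostname xyz.example are assumed, constructed placeholders.

```python
import ssl


class UserModeTlsEngine:
    """TLS client state machine driven purely by byte buffers.

    A kernel component (the NDIS IM driver in the thread, assumed here)
    would call feed_from_wire() with records captured off the network,
    take_for_wire() for records to transmit, and step() to collect
    decrypted application data. Trust roots, hostname checking and
    verification policy stay in user mode with the library.
    """

    def __init__(self, server_hostname: str):
        # Default context: CERT_REQUIRED + hostname check + system roots.
        self._ctx = ssl.create_default_context()
        self._incoming = ssl.MemoryBIO()   # ciphertext from the wire
        self._outgoing = ssl.MemoryBIO()   # ciphertext for the wire
        self._tls = self._ctx.wrap_bio(self._incoming, self._outgoing,
                                       server_side=False,
                                       server_hostname=server_hostname)
        self.handshake_done = False

    def verifies_peer(self) -> bool:
        return (self._ctx.verify_mode == ssl.CERT_REQUIRED
                and self._ctx.check_hostname)

    def feed_from_wire(self, records: bytes) -> None:
        self._incoming.write(records)

    def take_for_wire(self) -> bytes:
        return self._outgoing.read()

    def send_plaintext(self, data: bytes) -> None:
        self._tls.write(data)

    def step(self) -> bytes:
        """Advance the handshake, then return any decrypted app data."""
        if not self.handshake_done:
            try:
                self._tls.do_handshake()
                self.handshake_done = True
            except ssl.SSLWantReadError:
                return b""            # need more records from the wire
        plaintext = b""
        try:
            while True:
                chunk = self._tls.read(16384)
                if not chunk:         # close_notify from the peer
                    break
                plaintext += chunk
        except ssl.SSLWantReadError:
            pass
        return plaintext
```

After the first step() the outgoing buffer already holds the ClientHello record (type 0x16), which is what the kernel side would put on the wire.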



Re: SSL, Kernel, and NDIS by Cat

Cat
Fri Mar 10 18:35:09 CST 2006

Another idea is to create a Winsock wrapper which transparently
redirects whatever traffic you need, while still being in user-mode
(here's an example: http://vv.carleton.ca/~cat/code/TorCap2-src.zip).
This would also allow you to use any pre-installed SSL libraries, such
as WinInet. There are many ways to inject this into target processes, but
if you need this system-wide, you might look at AppInit_DLLs
(http://support.microsoft.com/default.aspx?scid=kb;en-us;197571).

You can probably also accomplish this network-wide using a packet
mangling gateway. Squid (http://www.squid-cache.org/) comes to mind;
I'm sure it's very customizable, so that you can perform any
modifications you need. This also has the benefit of enforcing this on
all your client computers without worrying about the client component
being circumvented, BSODs or distributed configuration.

Good luck!

-Cat