Hello all,

Is there any way to determine what user-mode application caused a traffic
from NDIS IM driver? In other words, I want to get "c:\program
files\internet explorer\iexplore.exe" string when I access any website with
IE.

I would appreciate any thoughts about how this can be implemented.

Thanks.

Best regards,
Serge.

Re: application name by Benoît

Benoît
Tue Oct 12 13:46:15 CDT 2004

I don't see how that would be possible. When a packet is at the NDIS level
it is just that - a packet. What you're asking for would require custom and
complex user-kernel interaction as well as parsing of each and every packet
going through the IM driver in order to match TCP and UDP ports with what
IpHlpApi functions report as used. Even then, you would probably see gaping
holes in the logic.

In user-mode this is rather trivial, however.

-BB


"serge" <pserge77@ukr.net> wrote in message
news:ckh18b$2pel$1@news.dg.net.ua...
> Hello all,
>
> Is there any way to determine what user-mode application caused a traffic
> from NDIS IM driver? In other words, I want to get "c:\program
> files\internet explorer\iexplore.exe" string when I access any website with
> IE.
>
> I would appreciate any thoughts about how this can be implemented.
>
> Thanks.
>
> Best regards,
> Serge.
>
>

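The user-mode side that Benoît calls "rather trivial", as an added example that is not code from anyone in this thread: the IP Helper connection tables report the owning PID for each TCP endpoint, and the PID can then be resolved to an image path. This script assumes a modern Windows (8 / Server 2012 or later) where Get-NetTCPConnection wraps those tables; the function name Get-ConnectionOwner and the -RemotePort filter are this example's own.

```powershell
# Added example (not from the thread): map established TCP connections to the
# owning process image path from user mode.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP module supplies
# Get-NetTCPConnection, a wrapper over the IP Helper owner-PID tables).
# Run elevated so that image paths of other users' processes can be read.

function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Optional remote port filter, e.g. 443 to look only at HTTPS traffic.
        [int]$RemotePort
    )

    $conns = Get-NetTCPConnection -State Established -ErrorAction Stop
    if ($PSBoundParameters.ContainsKey('RemotePort')) {
        $conns = $conns | Where-Object { $_.RemotePort -eq $RemotePort }
    }

    foreach ($c in $conns) {
        $procName = $null
        $procPath = $null
        try {
            # Resolve the PID the connection table reported to a process object.
            $p = Get-Process -Id $c.OwningProcess -ErrorAction Stop
            $procName = $p.ProcessName
            # .Path is $null when the caller lacks rights (protected/system processes).
            $procPath = $p.Path
        } catch {
            # The process may have exited between the table snapshot and the
            # lookup: the port-to-PID mapping is only valid at sampling time,
            # which is the kind of gap Benoît's reply warns about.
            $procName = '<exited or inaccessible>'
        }

        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            OwningPid     = $c.OwningProcess
            ProcessName   = $procName
            ImagePath     = $procPath
        }
    }
}

# Usage: show which processes currently hold HTTPS connections.
Get-ConnectionOwner -RemotePort 443 | Format-Table -AutoSize
```

Get-NetUDPEndpoint exposes the same OwningProcess field for UDP sockets if the listener side is of interest. The mapping is a snapshot: a short-lived connection can open and close between two samples, so a kernel-side correlation built on this data inherits that blind spot.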


Re: application name by Maxim

Maxim
Tue Oct 12 17:12:37 CDT 2004

No you cannot. The process context is long ago lost in NDIS.
Looks like the WinSock LSP or TDI filter are the only solutions.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"serge" <pserge77@ukr.net> wrote in message
news:ckh18b$2pel$1@news.dg.net.ua...
> Hello all,
>
> Is there any way to determine what user-mode application caused a traffic
> from NDIS IM driver? In other words, I want to get "c:\program
> files\internet explorer\iexplore.exe" string when I access any website with
> IE.
>
> I would appreciate any thoughts about how this can be implemented.
>
> Thanks.
>
> Best regards,
> Serge.
>
>



Re: application name by serge

serge
Wed Oct 13 19:46:53 CDT 2004

Hello, Benoît.
You wrote on Tue, 12 Oct 2004 14:46:15 -0400:

Thanks for your reply.

BB> I don't see how that would be possible. When a packet is at the NDIS
BB> level it is just that - a packet. What you're asking for would require
BB> custom and complex user-kernel interaction as well as parsing of each
BB> and every packet going through the IM driver in order to match TCP and
BB> UDP ports with what IpHlpApi functions report as used. Even then, you
BB> would probably see gaping holes in the logic.

I found PsGetCurrentProcess and PsGetCurrentProcess functions.
Both return values give nothing while calling GetModuleFileName() in user
mode.

How can I convert PEPROCESS to win32 handle, acceptable by
GetModuleFileName?

Thanks.

Best regards,
Serge.