CryptoPing
NDIS IM Sample Notes
CryptoPing takes the Active PassThru sample and extends it to illustrate an NDIS IM
driver that modifies transmitted and received network packets.
The sample performs a simple in-place "encryption" of transmitted ICMP
Echo Request ("ping") packets and the inverse "decryption" of
received ICMP Echo Reply packets. The transform is a demonstration of packet
modification, not real encryption; it provides no confidentiality.
Without CryptoPing installed the ping packets observed on the network look
similar to the following HEX dump representation:
Packet No.: 0000000030 Time: 0252892873 msec Length: 74/74
Ethernet Dest: 00.40.95.49.03.5F Src: 00.50.DA.03.4D.DF Type: 0x0800
000000: 00 40 95 49 03 5F 00 50 : DA 03 4D DF 08 00 45 00 .@.I._.P..M...E.
000010: 00 3C 07 46 00 00 80 01 : AF 9C C0 A8 01 6E C0 A8 .<.F.........n..
000020: 01 20 08 00 48 5C 03 00 : 02 00 61 62 63 64 65 66 . ..H\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69 wabcdefghi......
Packet No.: 0000000031 Time: 0252892873 msec Length: 74/74
Ethernet Dest: 00.50.DA.03.4D.DF Src: 00.40.95.49.03.5F Type: 0x0800
000000: 00 50 DA 03 4D DF 00 40 : 95 49 03 5F 08 00 45 00 .P..M..@.I._..E.
000010: 00 3C E5 15 00 00 80 01 : D1 CC C0 A8 01 20 C0 A8 .<........... ..
000020: 01 6E 00 00 50 5C 03 00 : 02 00 61 62 63 64 65 66 .n..P\....abcdef
000030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 ghijklmnopqrstuv
000040: 77 61 62 63 64 65 66 67 : 68 69 wabcdefghi......
The ICMP Option Data is the 32-byte echo payload that follows the 8-byte ICMP
header: bytes 0x2A onward, "abcdefghijklmnopqrstuvwabcdefghi" in the ASCII column.
CryptoPing encodes transmitted ICMP Echo Requests by toggling the case of every
second byte of the ICMP Option Data, starting with the second byte (the bytes at
odd zero-based offsets), so "abcdef..." becomes "aBcDeF...". The ICMP checksum is
then recomputed (compare 48 5C above with A3 07 below). Received ICMP Echo Reply
packets are decoded with the same operation, which is its own inverse. With
CryptoPing installed the ping packets observed on the network look similar to the
following HEX dump representation:
Packet No.: 0000000005 Time: 0253034683 msec Length: 74/74
Ethernet Dest: 00.40.95.49.03.5F Src: 00.20.18.D6.41.E7 Type: 0x0800
000000: 00 40 95 49 03 5F 00 20 : 18 D6 41 E7 08 00 45 00 .@.I._. ..A...E.
000010: 00 3C 56 AD 00 00 80 01 : 60 3D C0 A8 01 66 C0 A8 .<V.....`=...f..
000020: 01 20 08 00 A3 07 02 00 : AA 54 61 42 63 44 65 46 . .......TaBcDeF
000030: 67 48 69 4A 6B 4C 6D 4E : 6F 50 71 52 73 54 75 56 gHiJkLmNoPqRsTuV
000040: 77 41 62 43 64 45 66 47 : 68 49 wAbCdEfGhI......
Packet No.: 0000000006 Time: 0253034683 msec Length: 74/74
Ethernet Dest: 00.20.18.D6.41.E7 Src: 00.40.95.49.03.5F Type: 0x0800
000000: 00 20 18 D6 41 E7 00 40 : 95 49 03 5F 08 00 45 00 . ..A..@.I._..E.
000010: 00 3C F2 15 00 00 80 01 : C4 D4 C0 A8 01 20 C0 A8 .<........... ..
000020: 01 66 00 00 AB 07 02 00 : AA 54 61 42 63 44 65 46 .f.......TaBcDeF
000030: 67 48 69 4A 6B 4C 6D 4E : 6F 50 71 52 73 54 75 56 gHiJkLmNoPqRsTuV
000040: 77 41 62 43 64 45 66 47 : 68 49 wAbCdEfGhI......
Implementation of CryptoPing involved changes to only one module from the
baseline PassThru sample.
The changes involved primarily:
- Selection of the packets to modify.
- Modification of selected packets.
The selection process made use of the Un*x-style IP-related header structures
and definitions provided in the NetINet directory. Use of these headers provides
one systematic way to access information in IP packets.
Modification of selected packets is fairly easy since the machinery provided
in the active PassThru sample already builds "clone" NDIS packets that
include a private "flattened" buffer containing a contiguous copy of the original
packet data. This private flattened buffer can be modified using ordinary
pointer arithmetic. After the modification the ICMP message checksum, which covers
the ICMP header and data, is recomputed; the IP header checksum is unaffected
because only ICMP bytes change.
The sample has limitations. It does not perform IP reassembly or fragmentation.
It only operates on Echo Requests and Replies that fit in a single, unfragmented
IP datagram; a ping whose payload is large enough to be fragmented passes through
unmodified.
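The select-and-modify step described above, together with the fragment check behind the
limitation just noted, as an added example in user-mode C. This is not the sample's driver
code: the frame is a flat byte array standing in for PassThru's flattened clone buffer, the
two sample frames are transcribed from the hex dumps above (packet 30, the plain Echo
Request, and packet 6, the Echo Reply as seen on the wire), and the function names
(select_icmp_echo, cryptoping_transform, transform_copy, work_payload) are this example's own.

```c
/* Added example (not the sample's driver code): user-mode model of the
 * CryptoPing select-and-modify step over a flat copy of an Ethernet frame. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define ETHERTYPE_IP   0x0800
#define IPPROTO_ICMP   1
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8
#define ICMP_HLEN      8

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 ones-complement checksum over the whole ICMP message (header + data).
 * Over a message whose checksum field is already filled in it returns 0. */
static uint16_t icmp_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2) sum += be16(data);
    if (len) sum += (uint32_t)data[0] << 8;            /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Selection: frame offset of the ICMP header if the frame is an unfragmented
 * IPv4 ICMP message of the wanted type (Echo Request on transmit, Echo Reply
 * on receive), else 0. */
static size_t select_icmp_echo(const uint8_t *f, size_t len, uint8_t want_type)
{
    if (len < ETH_HLEN + 20 + ICMP_HLEN || be16(f + 12) != ETHERTYPE_IP) return 0;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    uint16_t tot = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl + ICMP_HLEN || ETH_HLEN + tot > len)
        return 0;
    if (be16(ip + 6) & 0x3FFF) return 0;   /* MF set or fragment offset != 0: skip */
    if (ip[9] != IPPROTO_ICMP) return 0;
    const uint8_t *icmp = ip + ihl;
    if (icmp[0] != want_type || icmp[1] != 0) return 0;
    return ETH_HLEN + ihl;
}

/* Modification: toggle the case of every Option Data byte at an odd zero-based
 * offset ("abcdef" -> "aBcDeF"), then recompute the ICMP checksum.  The toggle
 * is its own inverse, so the same routine decodes replies.  The IP header
 * checksum needs no update because only ICMP bytes change.  Returns 1 if the
 * frame was modified, 0 if it was left untouched. */
int cryptoping_transform(uint8_t *f, size_t len, int transmit)
{
    size_t off = select_icmp_echo(f, len, transmit ? ICMP_ECHO : ICMP_ECHOREPLY);
    if (!off) return 0;
    uint8_t *icmp = f + off;
    size_t icmp_len = be16(f + ETH_HLEN + 2) - (off - ETH_HLEN);
    uint8_t *data = icmp + ICMP_HLEN;
    for (size_t i = 1; i + ICMP_HLEN < icmp_len; i += 2) {
        if (isupper(data[i]))      data[i] = (uint8_t)tolower(data[i]);
        else if (islower(data[i])) data[i] = (uint8_t)toupper(data[i]);
    }
    icmp[2] = icmp[3] = 0;                  /* zero the field before summing */
    uint16_t ck = icmp_checksum(icmp, icmp_len);
    icmp[2] = (uint8_t)(ck >> 8);
    icmp[3] = (uint8_t)(ck & 0xFF);
    return 1;
}

/* Constructed input, transcribed from the dumps above: packet 30 (plain Echo
 * Request) and packet 6 (Echo Reply on the wire with CryptoPing installed). */
static const uint8_t kPlainRequest[74] = {
    0x00,0x40,0x95,0x49,0x03,0x5F,0x00,0x50,0xDA,0x03,0x4D,0xDF,0x08,0x00,0x45,0x00,
    0x00,0x3C,0x07,0x46,0x00,0x00,0x80,0x01,0xAF,0x9C,0xC0,0xA8,0x01,0x6E,0xC0,0xA8,
    0x01,0x20,0x08,0x00,0x48,0x5C,0x03,0x00,0x02,0x00,0x61,0x62,0x63,0x64,0x65,0x66,
    0x67,0x68,0x69,0x6A,0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,0x73,0x74,0x75,0x76,
    0x77,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69 };
static const uint8_t kEncodedReply[74] = {
    0x00,0x20,0x18,0xD6,0x41,0xE7,0x00,0x40,0x95,0x49,0x03,0x5F,0x08,0x00,0x45,0x00,
    0x00,0x3C,0xF2,0x15,0x00,0x00,0x80,0x01,0xC4,0xD4,0xC0,0xA8,0x01,0x20,0xC0,0xA8,
    0x01,0x66,0x00,0x00,0xAB,0x07,0x02,0x00,0xAA,0x54,0x61,0x42,0x63,0x44,0x65,0x46,
    0x67,0x48,0x69,0x4A,0x6B,0x4C,0x6D,0x4E,0x6F,0x50,0x71,0x52,0x73,0x54,0x75,0x56,
    0x77,0x41,0x62,0x43,0x64,0x45,0x66,0x47,0x68,0x49 };

static uint8_t g_work[74];   /* stand-in for the private flattened clone buffer */

/* Transform a copy of a 74-byte sample frame (IHL = 20); return the resulting
 * ICMP checksum field, or -1 if the selection step rejected the frame. */
int transform_copy(const uint8_t *in, int transmit)
{
    memcpy(g_work, in, sizeof g_work);
    if (!cryptoping_transform(g_work, sizeof g_work, transmit)) return -1;
    return be16(g_work + ETH_HLEN + 20 + 2);
}

/* The 32-byte Option Data of the last transformed frame, as a C string. */
const char *work_payload(void)
{
    static char s[33];
    memcpy(s, g_work + ETH_HLEN + 20 + ICMP_HLEN, 32);
    s[32] = '\0';
    return s;
}

int main(void)
{
    int ck = transform_copy(kPlainRequest, 1);
    printf("tx request: checksum %04X, data %s\n", ck, work_payload());
    ck = transform_copy(kEncodedReply, 0);
    printf("rx reply:   checksum %04X, data %s\n", ck, work_payload());
    return 0;
}
```

The checksum routine validates both transcribed frames to 0 before anything is changed, which is a quick way to confirm a dump was copied correctly; the transmit path is tried on the reply and the receive path on the request to show the selection step leaving the wrong direction untouched.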