Raw Ethernet Packet Manipulation - Part 1



Written by: miahrugger
Published by: Nightscript
Published on: 2006-10-06 15:56:35
Topic: Windows
The purpose of this article is to explain how to send a raw Ethernet packet using C# on a Microsoft platform. A raw Ethernet packet is the complete Layer 2 network frame that goes onto the physical wire. Sending a frame at this level lets you set the destination and source MAC addresses and the Layer 3 protocol field yourself.

Background

You may be thinking, "Why would anyone want to do this?". Well, I was trying to create an application (using C#) that would make a typical Windows computer with 2 NICs act as a Layer 2 Network device. My goal was to listen for packets on a network interface and send the exact same packet out of the opposite interface, basically a packet repeater. To do this, I needed to be able to read a raw Ethernet packet (easy) and then write that same raw Ethernet packet (difficult). The sent packet needed to be exactly like the read packet, Ethernet header and all. I did a great deal of research online, and did not find a whole lot of info, just a few hints here and there.

The first problem was that Windows does not include a way to programmatically send a raw Ethernet packet. After some research, I realized that I needed to create an NDIS Protocol Driver (PassThru and Intermediate drivers will also work) to interface with the network adapters at a very low level. Luckily, the Windows Driver Development Kits (DDKs) include samples that accomplish this. Great, the hard part was done, right? Yeah, that is what I thought too. Now I had to interface with the driver from managed C# code.

Well, enough of the background; on to the code.

Part 1 - NDIS Protocol Driver

So, like I said, the DDK provides a suitable NDIS driver for sending raw packets. I compiled this, creating the .inf and .sys files for the driver (I have included the compiled driver, altered to fit my needs, in the attached zip file). After running a few tests, I found that I could:

1. only receive packets destined for my own adapter, and
2. only send packets with the source address of my own adapter.

Well, this was not acceptable. I needed to receive any packets on my LAN segment, and send those same packets regardless of the source address. So after looking through the driver code, I figured out how to accomplish that.

To receive any packets, the driver had to be set to promiscuous mode. The following code segment is what I altered to accomplish this.

// ndisprot.h
// line 177
// Add NDIS_PACKET_TYPE_PROMISCUOUS to support promiscuous mode reading

#define NUIOO_PACKET_FILTER (NDIS_PACKET_TYPE_DIRECTED| \
                              NDIS_PACKET_TYPE_MULTICAST| \
                              NDIS_PACKET_TYPE_BROADCAST| \
                              NDIS_PACKET_TYPE_PROMISCUOUS) // **Added**


To send packets with any source address, the following check in the driver's write path had to be commented out:

// send.c
// line 136
// Comment out to support sending packets from any MAC source address

     // To prevent applications from sending packets with spoofed
     // mac address, we will do the following check to make sure the source
     // address in the packet is same as the current MAC address of the NIC.
     //
     if ((pIrp->RequestorMode == UserMode) &&
          !NPROT_MEM_CMP(pEthHeader->SrcAddr,
          pOpenContext->CurrentAddress, NPROT_MAC_ADDR_LEN))
     {
            DEBUGP(DL_WARN, ("Write: Failing with invalid Source address"));
            NtStatus = STATUS_INVALID_PARAMETER;
            break;
     }


Once those changes were made, the NDIS driver performed perfectly for what I needed.

Part 2 - C# RawEthernet Application

The code for the RawEthernet application is commented fairly well, so I am not going to go into a lot of detail on the code here. I am just going to highlight the important steps in the code.

Writing information to a device driver is somewhat similar to writing to a file. We open the driver file by calling the CreateFile API. This returns a handle that we can use to write to and read from the driver. Next, we can bind the driver handle to a specific adapter by using the DeviceIoControl API. Binding the adapter lets us access the NDIS Driver on a specific network adapter. After all this, the writing is simple. We use the WriteFile API. The ReadFile API can be used in a similar manner to read incoming network data as well.

To send a packet, we have to build a byte representation of the packet that we want to send. The following shows the Ethernet header (the first 14 bytes of the packet) in byte format:

DD DD DD DD DD DD SS SS SS SS SS SS PP PP <data follows>

* D = Destination MAC Address
* S = Source MAC Address
* P = Next Layer Protocol (0800 = IP)
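As an added example (not code from the article, the DDK sample, or the RawEthernet zip), the following C program models the 14-byte header laid out above and reproduces in user space the two decisions the NDIS protocol driver from Part 1 makes: which received frames the packet-filter bits deliver (the reason promiscuous mode is needed to see frames addressed to other hosts), and the send-path source-address check from send.c, kept here as a switchable policy so both the stock and the modified behaviour can be seen. The function names, the struct, and the PKT_* bit values are assumptions made for this example (the real NDIS_PACKET_TYPE_* constants have different values), and the MAC addresses are constructed.

```c
/* Added example: user-space model of an Ethernet header plus the receive-filter
 * and send-side source-address decisions described in the article. Names and
 * bit values are hypothetical, not the DDK's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14
#define ETHERTYPE_IP 0x0800

/* Filter bits modelled after NDIS_PACKET_TYPE_* (local values, assumption). */
enum {
    PKT_DIRECTED    = 1 << 0,
    PKT_MULTICAST   = 1 << 1,
    PKT_BROADCAST   = 1 << 2,
    PKT_PROMISCUOUS = 1 << 3
};

struct eth_hdr {
    uint8_t  dst[ETH_ALEN];
    uint8_t  src[ETH_ALEN];
    uint16_t ethertype;      /* host byte order after parsing */
};

/* Serialise DD*6 SS*6 PP PP <data>; EtherType is big-endian on the wire.
 * Returns the frame length, or 0 if the buffer is too small. */
size_t eth_build(uint8_t *out, size_t cap, const uint8_t *dst, const uint8_t *src,
                 uint16_t ethertype, const uint8_t *payload, size_t plen) {
    if (cap < ETH_HLEN + plen) return 0;
    memcpy(out, dst, ETH_ALEN);
    memcpy(out + ETH_ALEN, src, ETH_ALEN);
    out[12] = (uint8_t)(ethertype >> 8);
    out[13] = (uint8_t)(ethertype & 0xFF);
    memcpy(out + ETH_HLEN, payload, plen);
    return ETH_HLEN + plen;
}

/* Parse the header; a buffer shorter than 14 bytes is rejected, never read past. */
int eth_parse(const uint8_t *buf, size_t len, struct eth_hdr *h) {
    if (len < ETH_HLEN) return -1;
    memcpy(h->dst, buf, ETH_ALEN);
    memcpy(h->src, buf + ETH_ALEN, ETH_ALEN);
    h->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    return 0;
}

/* Receive side: would a protocol driver bound with this filter see the frame?
 * Without PKT_PROMISCUOUS only directed, multicast and broadcast frames pass. */
int eth_filter_accepts(uint32_t filter, const uint8_t *frame, size_t len,
                       const uint8_t *nic_mac) {
    static const uint8_t bcast[ETH_ALEN] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    struct eth_hdr h;
    if (eth_parse(frame, len, &h) != 0) return 0;
    if (filter & PKT_PROMISCUOUS) return 1;
    if (memcmp(h.dst, bcast, ETH_ALEN) == 0) return (filter & PKT_BROADCAST) != 0;
    if (h.dst[0] & 0x01) return (filter & PKT_MULTICAST) != 0;   /* group bit set */
    if (memcmp(h.dst, nic_mac, ETH_ALEN) == 0) return (filter & PKT_DIRECTED) != 0;
    return 0;
}

/* Send side: the check the stock driver performs in send.c. With
 * allow_spoofed_src == 0 the source MAC must equal the NIC's own address;
 * the article's modified driver corresponds to allow_spoofed_src == 1. */
int eth_send_allowed(const uint8_t *frame, size_t len, const uint8_t *nic_mac,
                     int allow_spoofed_src) {
    struct eth_hdr h;
    if (eth_parse(frame, len, &h) != 0) return 0;   /* malformed: never send */
    if (allow_spoofed_src) return 1;
    return memcmp(h.src, nic_mac, ETH_ALEN) == 0;
}

static void hexdump(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) printf("%02X%s", p[i], i + 1 < n ? " " : "\n");
}

int main(void) {
    /* Constructed sample addresses for the demo. */
    const uint8_t nic_mac[ETH_ALEN]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t other_mac[ETH_ALEN] = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
    const uint8_t payload[] = {'h', 'i'};
    uint8_t frame[64];

    /* A frame between two other hosts: only a promiscuous filter delivers it. */
    size_t n = eth_build(frame, sizeof frame, other_mac, other_mac, ETHERTYPE_IP,
                         payload, sizeof payload);
    hexdump(frame, n);
    printf("default filter accepts: %d, with PROMISCUOUS: %d\n",
           eth_filter_accepts(PKT_DIRECTED | PKT_MULTICAST | PKT_BROADCAST, frame, n, nic_mac),
           eth_filter_accepts(PKT_DIRECTED | PKT_MULTICAST | PKT_BROADCAST | PKT_PROMISCUOUS,
                              frame, n, nic_mac));
    /* Repeating that frame unchanged keeps the foreign source MAC, which the
     * stock check rejects and the modified driver lets through. */
    printf("send with stock check: %d, with check removed: %d\n",
           eth_send_allowed(frame, n, nic_mac, 0), eth_send_allowed(frame, n, nic_mac, 1));
    return 0;
}
```

The two decision functions are deliberately separate: the receive filter is a property of the binding (the NUIOO_PACKET_FILTER bits), while the source-address check runs per write request, so a repeater needs both the promiscuous bit and the relaxed send check, whereas a sniffer needs only the first.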

You can use a packet sniffer (Ethereal, Snoop, EtherPeek) to verify that you are sending a raw frame on the network medium. The packet that this application currently sends is a very simple data packet that serves no purpose other than to show the concept. It can easily be changed to reflect a real packet, such as a ping or anything else you can think of.

Running the Sample NDIS Driver

You can install the NDIS Driver by opening your network adapter properties and clicking the "Install" button, selecting "Protocol", and then choosing "Have Disk". Then browse to the .inf file and click "OK". This will then load the driver onto every adapter that you have in your system.

Important - Make sure that it is enabled, there should be a check in the box next to "Raw Packet NDIS Protocol Driver".

Important - Open a command prompt and type "net start ndisprot" to start the driver service.

Note - The beauty of having this driver is that you can disable every other protocol in the Adapter's protocol list (i.e. Internet Protocol) and you will still be able to send and receive packets. Your machine will not even have an address, but because we are working at Layer 2, you don't need one. (This driver will work even if you keep all of the other protocols enabled)

RawEthernet Application

The zip file contains the source and compiled binary for the RawEthernet application. Once the driver is installed and enabled, simply run the EXE to see the packets being sent.


Comments:
miahrugger
2006-10-07 01:48:49
Forgot to mention, the NDIS Protocol Driver was built using the XP DDK, so it will work on XP and likely 2003. However, if you plan to use it on 2000, it might fail. It will have to be rebuilt using the 2000 DDK.
bb
2006-10-08 05:09:43
I'd love to elaborate on this subject as I think it's really interesting.

I did some work on a C# firewall which used a C++ NDIS driver just like you. Some of the stuff I was doing is in this article. I was using driver code I inherited from another project which was quite painful to work with. I was loading a list of IPs for which packets were to be dropped into the driver. The driver then notified the system when a packet was granted or dropped and the C# app was used to list the granted/dropped packets as they came flying past.

I keep meaning to resurrect the project, as it was mainly finished; it just needs a decent UI building and some tweaks to the driver.

One problem that was a pain in the ass was the installer for the driver. I tried installing it programmatically and using the DDK installutil, and with both the driver never seemed to get installed right; it always required the user to manually do the steps you describe above to add the driver. If anyone has any tips on that, I'd love to hear them.
sefo
2006-10-08 07:02:35
Not sure if it will help in your case, but I developed a driver in asm and it's possible to register it using the Windows API:

invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS

If the function doesn't return null:

invoke GetFullPathName, $CTA0("drivername.sys"), sizeof acModulePath, addr acModulePath, esp

Then you can install the service:

invoke CreateService, hSCManager, $CTA0("drivername"), $CTA0("OSIX challenge driver"), \
            SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

If the function doesn't return NULL
start the service

invoke StartService, hService, 0, NULL

if return value is not 0


; the driver can receive I/O request packet (IRP) of type IRP_MJ_CREATE

invoke CreateFile, $CTA0("\\\\.\\driver name"), GENERIC_READ + GENERIC_WRITE, \
                                0, NULL, OPEN_EXISTING, 0, NULL

Oh well, it's too long to explain and the textbox here is too small ;)
miahrugger
2006-10-11 16:48:38
bb, I seem to remember a way to programmatically install it, but I can't recall it off the top of my head. I will look through my old stuff and see if I can find it for you...
Anonymous
2006-10-19 14:56:21
I also tried to play with this protocol driver and I didn't find a way to do a properties dialog box. Do you have any idea where to look?
Anonymous
2008-01-29 08:05:14
Hi,

I just wanna read raw Ethernet packets from my C program, and reached this article (which is excellent). Can someone please direct me to the place where I can find the source code mentioned in the "RawEthernet Application" section? [The zip file turned out to be empty]
Anonymous
2008-01-31 02:12:13
I am also having trouble reading raw Ethernet packets. I tried to find a way to do this from the properties dialog but could not.
tycho
2009-06-02 08:14:52
There is nothing in the zip file
CodeX
2009-10-25 17:36:29
looks like the zip with the article has been lost to the perilous OSIDrive, if all you want to do is read the packets floating around then you can use Wireshark
Copyright Open Source Institute, 2006