Friday, July 6, 2012

NPI clients & providers

A good introduction to NPI can be found here.
The main question is how to enumerate all registered NPI clients and providers. It seems that windbg does not have any plugin with netio.sys support.

Let's check some code in the disassembly: the function NmrpFindOrAddRegisteredNpiId, called from NmrpGetModule and NmrpRegisterModuleAndGetBindableCandidates:

    mov esi, [ebp+arg_0]
    mov ebx, [esi]
    and ebx, 1                          ; 2 items
    imul ebx, 30h                       ; with length 0x30
    add ebx, offset _NmrRegisteredNpiIdTable
loc_1D65B:
    push esi
    lea eax, [ebx+4]                    ; offset 4 - NpiId
    push eax
    call _NmrpIsEqualNpiId@8
    test al, al
    jnz short loc_1D6BE
    mov [ebp+arg_0], ebx
    mov ebx, [ebx]
    test ebx, ebx
    jnz short loc_1D65B
    cmp [ebp+arg_4], bl
    jz  short loc_1D6BE
    push 6E524D4Eh                      ; Tag - 'nRMN'
    push 30h                            ; NumberOfBytes
    push ebx                            ; PoolType
    call ds:__imp__ExAllocatePoolWithTag@12
    mov ebx, eax
    test ebx, ebx
    jz  short loc_1D6BE
    push edi
    push 30h                            ; size_t
    push 0                              ; int
    push ebx                            ; void *
    call _memset
    lea edi, [ebx+4]                    ; offset 4 - GUID NpiId
    movsd
    movsd
    movsd
    movsd
    lea eax, [ebx+14h]                  ; offset 14 - list_entry
    mov [eax+4], eax
    mov [eax], eax
    lea eax, [ebx+1Ch]                  ; offset 1C - list_entry
    mov [eax+4], eax
    mov [eax], eax
    lea eax, [ebx+24h]                  ; offset 24 - list_entry
    mov [eax+4], eax
    mov [eax], eax


We (OK, at least I) can see here that the non-exported data NmrRegisteredNpiIdTable is used as a hash table with 2 slots, each holding a linked list of some other structure 0x30 bytes in size. netio.pdb does not contain any useful info besides names, but recovering this structure is easy:

struct NpiIdItem
{
/* win32 win64 offsets */
/*   0x0   0x0 */  NpiIdItem *Next;
/*   0x4   0x8 */  GUID       Id;
/*  0x14  0x18 */  LIST_ENTRY clients;
/*  0x1c  0x28 */  LIST_ENTRY providers;
/*  0x24  0x38 */  LIST_ENTRY filters;
/*  0x2c  0x48 */  DWORD      flags;
};
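As an added example (my own code, not the post's or netio's) the recovered layout can be modelled in user mode: the Windows types are redefined so it builds anywhere, the client/provider records hanging off the rings are bare LIST_ENTRY stand-ins because the post does not recover that structure, and the order in which new items are linked into a slot's chain is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct NpiIdItem {                 /* layout recovered in the post */
    struct NpiIdItem *Next;
    GUID              Id;
    LIST_ENTRY        clients, providers, filters;
    uint32_t          flags;               /* DWORD */
} NpiIdItem;
static NpiIdItem *NmrRegisteredNpiIdTable[2];   /* two slots, as in netio.sys */
unsigned slot_for(const GUID *id) { return id->Data1 & 1u; }  /* 'and ebx, 1' */
#define OFF_OK(f, o32, o64) (offsetof(NpiIdItem, f) == (sizeof(void *) == 8 ? (o64) : (o32)))
int layout_matches(void) {           /* reproduce the win32/win64 offsets from the post */
    return OFF_OK(Id, 0x04, 0x08) && OFF_OK(clients, 0x14, 0x18) && OFF_OK(providers, 0x1c, 0x28)
        && OFF_OK(filters, 0x24, 0x38) && OFF_OK(flags, 0x2c, 0x48);
}
static void list_append(LIST_ENTRY *h, LIST_ENTRY *e) {       /* InsertTailList */
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
int list_count(const LIST_ENTRY *h) {  /* walk a ring from its head until it wraps */
    int n = 0;
    for (const LIST_ENTRY *e = h->Flink; e != h; e = e->Flink) n++;
    return n;
}
/* Lookup as NmrpFindOrAddRegisteredNpiId does: pick the slot, then walk Next. */
NpiIdItem *find_npi(const GUID *id) {
    for (NpiIdItem *it = NmrRegisteredNpiIdTable[slot_for(id)]; it; it = it->Next)
        if (memcmp(&it->Id, id, sizeof *id) == 0) return it;
    return NULL;
}
/* Constructed table: E802, E804 in slot 0, E803 in slot 1; E802 gets two clients, one provider. */
int build_sample(void) {
    static NpiIdItem items[3]; static LIST_ENTRY nodes[3];  /* stand-ins for real records */
    const uint32_t ids[3] = {0x2227E802, 0x2227E804, 0x2227E803};
    for (int i = 0; i < 3; i++) {          /* zero + self-link the rings, as the disasm does */
        NpiIdItem *it = &items[i];
        memset(it, 0, sizeof *it); it->Id.Data1 = ids[i];
        LIST_ENTRY *r[3] = {&it->clients, &it->providers, &it->filters};
        for (int k = 0; k < 3; k++) r[k]->Flink = r[k]->Blink = r[k];
        it->Next = NmrRegisteredNpiIdTable[slot_for(&it->Id)];   /* chain order simplified */
        NmrRegisteredNpiIdTable[slot_for(&it->Id)] = it;
    }
    list_append(&items[0].clients, &nodes[0]);
    list_append(&items[0].clients, &nodes[1]);
    list_append(&items[0].providers, &nodes[2]);
    return list_count(&items[0].clients);
}
```

The offset check confirms the struct packs to the win32 column on a 32-bit build and to the win64 column on a 64-bit one; the ring walk is the same loop a debugger extension would run over the real table.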


So now we can traverse all NpiIdItem entries in both NmrRegisteredNpiIdTable slots and, for each NpiIdItem, also walk the clients and providers linked lists. The slot is the low bit of the NPI id's first dword (the `and ebx, 1` above), so in the dump below the first Nmr[0]..Nmr[5] group (even IIDs ...E802, ...E804, ...) is slot 0 and the second Nmr[0]..Nmr[4] group (odd IIDs ...E803, ...E805, ...) is slot 1.
Example from Vista 32-bit:

Nmr[0]: 8386EB68
 IID: 2227E802-8D8B-11D4-ABAD-009027719E09 flags 20007
 clients: 8473B304 - 89D22D5C
  Client 0 87D771C0 \SystemRoot\system32\DRIVERS\tunnel.sys:
    AttachClient: 87D74B1E \SystemRoot\system32\DRIVERS\tunnel.sys
    DetachClient: 87D74BCA \SystemRoot\system32\DRIVERS\tunnel.sys
    CleanupBindingContext: 87D74C00 \SystemRoot\system32\DRIVERS\tunnel.sys
  Client 1 87D771E4 \SystemRoot\system32\DRIVERS\tunnel.sys:
    AttachClient: 87D74B1E \SystemRoot\system32\DRIVERS\tunnel.sys
    DetachClient: 87D74BCA \SystemRoot\system32\DRIVERS\tunnel.sys
    CleanupBindingContext: 87D74C00 \SystemRoot\system32\DRIVERS\tunnel.sys
  Client 2 89B322BC \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Client 3 89B3251C \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Client 4 89B326FC \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Client 5 89B35220 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7ED20 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B14042 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B13FDE \SystemRoot\System32\drivers\tcpip.sys
  Client 6 89B35680 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7ED20 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B14042 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B13FDE \SystemRoot\System32\drivers\tcpip.sys
 providers: 89D2BABC - 89D38EDC
  Provider 0 89B27ACC \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7DDE6 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B0CC06 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 1 89B2AB94 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7DDE6 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B0CC06 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[1]: 8386EAF8
 IID: 2227E804-8D8B-11D4-ABAD-009027719E09 flags 30002
 clients: 89D65854 - 89CD82D4
  Client 0 89A5244C \SystemRoot\system32\DRIVERS\tdx.sys:
    AttachClient: 89A4F7F8 \SystemRoot\system32\DRIVERS\tdx.sys
    DetachClient: 89A4F73A \SystemRoot\system32\DRIVERS\tdx.sys
    CleanupBindingContext: 89A4CA5A \SystemRoot\system32\DRIVERS\tdx.sys
  Client 1 89FC9940 \SystemRoot\system32\drivers\afd.sys:
    AttachClient: 89FBF088 \SystemRoot\system32\drivers\afd.sys
    DetachClient: 89FC08A5 \SystemRoot\system32\drivers\afd.sys
    CleanupBindingContext: 89FC088C \SystemRoot\system32\drivers\afd.sys
 providers: 89D12A3C - 89D1677C
  Provider 0 89B3228C \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 1 89B324EC \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 2 89B326CC \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[2]: 8386EA88
 IID: 2227E806-8D8B-11D4-ABAD-009027719E09 flags B0001
 clients: 8386E814 - 8386E814
  Client 0 806B5450 \SystemRoot\system32\drivers\NETIO.SYS:
    AttachClient: 8069A77C \SystemRoot\system32\drivers\NETIO.SYS
    DetachClient: 806AA2EB \SystemRoot\system32\drivers\NETIO.SYS
    CleanupBindingContext: 806AA3BE \SystemRoot\system32\drivers\NETIO.SYS
 providers: 8386E754 - 89D895F4
  Provider 0 806B52B0 \SystemRoot\system32\drivers\NETIO.SYS:
    AttachClient: 8069CB6E \SystemRoot\system32\drivers\NETIO.SYS
    DetachClient: 806A872A \SystemRoot\system32\drivers\NETIO.SYS
    CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
  Provider 1 81731018 \SystemRoot\system32\drivers\ndis.sys:
    AttachClient: 81714386 \SystemRoot\system32\drivers\ndis.sys
    DetachClient: 81719C68 \SystemRoot\system32\drivers\ndis.sys
    CleanupBindingContext: 81719CD7 \SystemRoot\system32\drivers\ndis.sys
  Provider 2 89B32300 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 3 89B32560 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 4 89B32740 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 5 89B29FC8 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A739D8 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B04296 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 6 89B2D090 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A739D8 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B04296 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 7 89B2DEA0 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 8 89B2DD48 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 9 89B2E150 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Provider 10 89A52334 \SystemRoot\system32\DRIVERS\tdx.sys:
    AttachClient: 89A4CAEE \SystemRoot\system32\DRIVERS\tdx.sys
    DetachClient: 89A4CB4E \SystemRoot\system32\DRIVERS\tdx.sys
    CleanupBindingContext: 89A4CA5A \SystemRoot\system32\DRIVERS\tdx.sys
Nmr[3]: 8386EA18
 IID: 2227E808-8D8B-11D4-ABAD-009027719E09 flags 10001
 clients: 89CE958C - 89CE958C
  Client 0 89A52370 \SystemRoot\system32\DRIVERS\tdx.sys:
    AttachClient: 89A4CC3C \SystemRoot\system32\DRIVERS\tdx.sys
    DetachClient: 89A4CCCC \SystemRoot\system32\DRIVERS\tdx.sys
    CleanupBindingContext: 89A4AD2E \SystemRoot\system32\DRIVERS\tdx.sys
 providers: 89D37B8C - 89D37B8C
  Provider 0 89B24A20 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A74D4F \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B14794 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[4]: 8386E9A8
 IID: 2227E80A-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[5]: 89D093A8
 IID: 2227E80C-8D8B-11D4-ABAD-009027719E09 flags 10001
 clients: 89D092B4 - 89D092B4
  Client 0 89B1EAA0 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7B51F \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89AF65B1 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
 providers: 89D093EC - 89D093EC
  Provider 0 89B1EAF8 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7B67E \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89AF6650 \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[0]: 8386EB30
 IID: 2227E803-8D8B-11D4-ABAD-009027719E09 flags 10004
 clients: 89C2314C - 84BA75E4
  Client 0 89C22154 UNKNOWN:
    AttachClient: 8069BE21 \SystemRoot\system32\drivers\NETIO.SYS
    DetachClient: 806B2773 \SystemRoot\system32\drivers\NETIO.SYS
    CleanupBindingContext: 806B2796 \SystemRoot\system32\drivers\NETIO.SYS
  Client 1 88497220 \SystemRoot\system32\DRIVERS\rasl2tp.sys:
    AttachClient: 8848717A \SystemRoot\system32\DRIVERS\rasl2tp.sys
    DetachClient: 884949F8 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    CleanupBindingContext: 88494A09 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  Client 2 9214B6DC \SystemRoot\system32\drivers\HTTP.sys:
    AttachClient: 92137789 \SystemRoot\system32\drivers\HTTP.sys
    DetachClient: 9212CD24 \SystemRoot\system32\drivers\HTTP.sys
    CleanupBindingContext: 92143214 \SystemRoot\system32\drivers\HTTP.sys
  Client 3 920F9254 \SystemRoot\System32\DRIVERS\srvnet.sys:
    AttachClient: 920EF071 \SystemRoot\System32\DRIVERS\srvnet.sys
    DetachClient: 920F46D3 \SystemRoot\System32\DRIVERS\srvnet.sys
    CleanupBindingContext: 920F46DD \SystemRoot\System32\DRIVERS\srvnet.sys
 providers: 89CE3C5C - 89CE3C5C
  Provider 0 89FC9968 \SystemRoot\system32\drivers\afd.sys:
    AttachClient: 89FBE891 \SystemRoot\system32\drivers\afd.sys
    DetachClient: 89FC09CD \SystemRoot\system32\drivers\afd.sys
    CleanupBindingContext: 89FC0AAE \SystemRoot\system32\drivers\afd.sys
Nmr[1]: 8386EAC0
 IID: 2227E805-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[2]: 8386EA50
 IID: 2227E807-8D8B-11D4-ABAD-009027719E09 flags 10006
 clients: 84784E44 - 8AB233E4
  Client 0 884980F8 \SystemRoot\system32\DRIVERS\rasl2tp.sys:
    AttachClient: 884873DF \SystemRoot\system32\DRIVERS\rasl2tp.sys
    DetachClient: 88495C03 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    CleanupBindingContext: 88495BEA \SystemRoot\system32\DRIVERS\rasl2tp.sys
  Client 1 88473110 \SystemRoot\system32\DRIVERS\ndiswan.sys:
    AttachClient: 8845BE3C \SystemRoot\system32\DRIVERS\ndiswan.sys
    DetachClient: 8847028D \SystemRoot\system32\DRIVERS\ndiswan.sys
    CleanupBindingContext: 88470274 \SystemRoot\system32\DRIVERS\ndiswan.sys
  Client 2 88453260 \SystemRoot\system32\DRIVERS\raspptp.sys:
    AttachClient: 88448A8C \SystemRoot\system32\DRIVERS\raspptp.sys
    DetachClient: 884516D4 \SystemRoot\system32\DRIVERS\raspptp.sys
    CleanupBindingContext: 884516BB \SystemRoot\system32\DRIVERS\raspptp.sys
  Client 3 89A52304 \SystemRoot\system32\DRIVERS\tdx.sys:
    AttachClient: 89A4B290 \SystemRoot\system32\DRIVERS\tdx.sys
    DetachClient: 89A4B302 \SystemRoot\system32\DRIVERS\tdx.sys
    CleanupBindingContext: 89A4AD2E \SystemRoot\system32\DRIVERS\tdx.sys
  Client 4 89F7F4D0 \SystemRoot\system32\DRIVERS\wanarp.sys:
    AttachClient: 89F7D54E \SystemRoot\system32\DRIVERS\wanarp.sys
    DetachClient: 89F7D5DE \SystemRoot\system32\DRIVERS\wanarp.sys
    CleanupBindingContext: 89F7D60C \SystemRoot\system32\DRIVERS\wanarp.sys
  Client 5 92C2B8C8 \SystemRoot\System32\drivers\tcpipreg.sys:
    AttachClient: 92C27DA2 \SystemRoot\System32\drivers\tcpipreg.sys
    DetachClient: 92C27E02 \SystemRoot\System32\drivers\tcpipreg.sys
    CleanupBindingContext: 92C2783A \SystemRoot\System32\drivers\tcpipreg.sys
 providers: 8386E7D4 - 8386E7D4
  Provider 0 806B48AC \SystemRoot\system32\drivers\NETIO.SYS:
    AttachClient: 806976DE \SystemRoot\system32\drivers\NETIO.SYS
    DetachClient: 806A9B16 \SystemRoot\system32\drivers\NETIO.SYS
    CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
Nmr[3]: 8386E9E0
 IID: 2227E809-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[4]: 83887980
 IID: 2227E80B-8D8B-11D4-ABAD-009027719E09 flags 10005
 clients: 838879C4 - 80FF691C
  Client 0 806B5264 \SystemRoot\system32\drivers\NETIO.SYS:
    AttachClient: 8069B021 \SystemRoot\system32\drivers\NETIO.SYS
    DetachClient: 806A23E4 \SystemRoot\system32\drivers\NETIO.SYS
    CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
  Client 1 89B35040 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7C7B3 \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B037BF \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B0381A \SystemRoot\System32\drivers\tcpip.sys
  Client 2 89B32330 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7AFFD \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1D2EA \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Client 3 89B32590 \SystemRoot\System32\drivers\tcpip.sys:
    AttachClient: 89A7AFFD \SystemRoot\System32\drivers\tcpip.sys
    DetachClient: 89B1D2EA \SystemRoot\System32\drivers\tcpip.sys
    CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
  Client 4 9214B71C \SystemRoot\system32\drivers\HTTP.sys:
    AttachClient: 9215F7F8 \SystemRoot\system32\drivers\HTTP.sys
    DetachClient: 921747D2 \SystemRoot\system32\drivers\HTTP.sys
    CleanupBindingContext: 9215CA48 \SystemRoot\system32\drivers\HTTP.sys
 providers: 89CE9F5C - 89CE9F5C
  Provider 0 89A236F4 \SystemRoot\system32\DRIVERS\pacer.sys:
    AttachClient: 89A1F928 \SystemRoot\system32\DRIVERS\pacer.sys
    DetachClient: 89A1F9C0 \SystemRoot\system32\DRIVERS\pacer.sys
    CleanupBindingContext: 89A1B5E2 \SystemRoot\system32\DRIVERS\pacer.sys
