The main question is how to enumerate all registered NPI clients and providers. It seems that WinDbg does not have any plugin that supports netio.sys.
Let's look at some disassembly: the function NmrpFindOrAddRegisteredNpiId, which is called from NmrpGetModule and NmrpRegisterModuleAndGetBindableCandidates:
; Excerpt from NmrpFindOrAddRegisteredNpiId (32-bit netio.sys disassembly).
; The function prologue and the exit label loc_1D6BE are not part of the excerpt.
; Register roles in the visible code:
;   esi = arg_0, pointer to the 16-byte NpiId being looked up
;   ebx = entry currently examined, later the freshly allocated entry
;   arg_4 = byte flag tested before allocating (presumably "add if missing",
;           judging by the function name - confirm against the callers)
mov esi, [ebp+arg_0]
mov ebx, [esi] ; first dword of the NpiId
and ebx, 1 ; slot index = low bit of that dword -> 2 slots
imul ebx, 30h ; each slot is 0x30 bytes long
add ebx, offset _NmrRegisteredNpiIdTable ; ebx = address of the selected slot
; Walk the chain that starts at the slot itself: the slot is compared like any
; other entry (NpiId at +4, next pointer at +0).
loc_1D65B:
push esi
lea eax, [ebx+4] ; offset 4 - NpiId
push eax
call _NmrpIsEqualNpiId@8
test al, al
jnz short loc_1D6BE ; match: leave with ebx = matching entry
mov [ebp+arg_0], ebx ; arg_0 is reused to remember the last entry visited
mov ebx, [ebx] ; follow the pointer at offset 0 (next entry)
test ebx, ebx
jnz short loc_1D65B
; End of chain reached without a match; ebx (and so bl) is 0 from here on.
cmp [ebp+arg_4], bl ; arg_4 == 0 -> do not allocate a new entry
jz short loc_1D6BE
push 6E524D4Eh ; Tag - 'nRMN'; stored little-endian, so the bytes in memory read "NMRn"
push 30h ; NumberOfBytes - same 0x30 as the slot stride
push ebx ; PoolType - ebx is 0 here, i.e. NonPagedPool
call ds:__imp__ExAllocatePoolWithTag@12
mov ebx, eax
test ebx, ebx
jz short loc_1D6BE ; allocation failed
push edi ; edi is saved before use; the matching restore is outside the excerpt
push 30h ; size_t
push 0 ; int
push ebx ; void *
call _memset ; zero the whole new entry
lea edi, [ebx+4] ; offset 4 - GUID NpiId
; Four dword moves copy the 16-byte NpiId from [esi] into the new entry.
movsd
movsd
movsd
movsd
; Each of the three list heads below is pointed at itself in both fields,
; which is the empty state of a doubly linked list head.
lea eax, [ebx+14h] ; offset 14 - list_entry
mov [eax+4], eax
mov [eax], eax
lea eax, [ebx+1Ch] ; offset 1C - list_entry
mov [eax+4], eax
mov [eax], eax
lea eax, [ebx+24h] ; offset 24 - list_entry
mov [eax+4], eax
mov [eax], eax
; NOTE(review): linking the new entry behind the entry saved in arg_0 is not
; visible in this excerpt; offset 2Ch is left at the zero written by memset.
We (OK, at least I) can see here that the non-exported data NmrRegisteredNpiIdTable is used as a hash table with 2 slots, each holding a linked list of some other structure that is 0x30 bytes in size. netio.pdb does not contain any useful info besides names, but recovering this structure is easy:
/* One entry of the NmrRegisteredNpiIdTable chains, as recovered from the
 * NmrpFindOrAddRegisteredNpiId disassembly. The layout is not taken from a
 * public header or from netio.pdb, so treat it as build-specific.
 * The 32-bit column matches the disassembly: 0x30-byte allocation, NpiId
 * copied to +4, list heads initialised at +0x14, +0x1C and +0x24.
 * NOTE(review): the field names clients/providers/filters and the win64
 * column are the author's reconstruction; the disassembly shows only three
 * list heads pointing at themselves - confirm on the target build. */
struct NpiIdItem
{
/* win32 win64 offsets */
/* 0x0 0x0 */ NpiIdItem *Next; /* next entry in the same slot's chain; the lookup loop stops when it is NULL */
/* 0x4 0x8 */ GUID Id; /* the 16-byte NpiId compared by NmrpIsEqualNpiId */
/* 0x14 0x18 */ LIST_ENTRY clients; /* list head, empty (self-linked) after allocation */
/* 0x1c 0x28 */ LIST_ENTRY providers; /* list head, empty (self-linked) after allocation */
/* 0x24 0x38 */ LIST_ENTRY filters; /* list head, empty (self-linked) after allocation */
/* 0x2c 0x48 */ DWORD flags; /* zero after allocation. NOTE(review): in the sample dump on this page the
                                low 16 bits equal the number of clients listed and the high 16 bits the
                                number of providers - looks like two packed counters; confirm */
};
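So now we can traverse all NpiIdItem entries from both NmrRegisteredNpiIdTable slots, and for each NpiIdItem also traverse the clients and providers linked lists. The layout is undocumented and was recovered from a single netio.sys build, so check the 0x30 allocation size and the field offsets against the build under examination before trusting the output.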
Example from vista 32bit:
Nmr[0]: 8386EB68
IID: 2227E802-8D8B-11D4-ABAD-009027719E09 flags 20007
clients: 8473B304 - 89D22D5C
Client 0 87D771C0 \SystemRoot\system32\DRIVERS\tunnel.sys:
AttachClient: 87D74B1E \SystemRoot\system32\DRIVERS\tunnel.sys
DetachClient: 87D74BCA \SystemRoot\system32\DRIVERS\tunnel.sys
CleanupBindingContext: 87D74C00 \SystemRoot\system32\DRIVERS\tunnel.sys
Client 1 87D771E4 \SystemRoot\system32\DRIVERS\tunnel.sys:
AttachClient: 87D74B1E \SystemRoot\system32\DRIVERS\tunnel.sys
DetachClient: 87D74BCA \SystemRoot\system32\DRIVERS\tunnel.sys
CleanupBindingContext: 87D74C00 \SystemRoot\system32\DRIVERS\tunnel.sys
Client 2 89B322BC \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Client 3 89B3251C \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Client 4 89B326FC \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A80643 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C78E \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Client 5 89B35220 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7ED20 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B14042 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B13FDE \SystemRoot\System32\drivers\tcpip.sys
Client 6 89B35680 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7ED20 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B14042 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B13FDE \SystemRoot\System32\drivers\tcpip.sys
providers: 89D2BABC - 89D38EDC
Provider 0 89B27ACC \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7DDE6 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B0CC06 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 1 89B2AB94 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7DDE6 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B0CC06 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[1]: 8386EAF8
IID: 2227E804-8D8B-11D4-ABAD-009027719E09 flags 30002
clients: 89D65854 - 89CD82D4
Client 0 89A5244C \SystemRoot\system32\DRIVERS\tdx.sys:
AttachClient: 89A4F7F8 \SystemRoot\system32\DRIVERS\tdx.sys
DetachClient: 89A4F73A \SystemRoot\system32\DRIVERS\tdx.sys
CleanupBindingContext: 89A4CA5A \SystemRoot\system32\DRIVERS\tdx.sys
Client 1 89FC9940 \SystemRoot\system32\drivers\afd.sys:
AttachClient: 89FBF088 \SystemRoot\system32\drivers\afd.sys
DetachClient: 89FC08A5 \SystemRoot\system32\drivers\afd.sys
CleanupBindingContext: 89FC088C \SystemRoot\system32\drivers\afd.sys
providers: 89D12A3C - 89D1677C
Provider 0 89B3228C \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 1 89B324EC \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 2 89B326CC \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A807A2 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1C7A9 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[2]: 8386EA88
IID: 2227E806-8D8B-11D4-ABAD-009027719E09 flags B0001
clients: 8386E814 - 8386E814
Client 0 806B5450 \SystemRoot\system32\drivers\NETIO.SYS:
AttachClient: 8069A77C \SystemRoot\system32\drivers\NETIO.SYS
DetachClient: 806AA2EB \SystemRoot\system32\drivers\NETIO.SYS
CleanupBindingContext: 806AA3BE \SystemRoot\system32\drivers\NETIO.SYS
providers: 8386E754 - 89D895F4
Provider 0 806B52B0 \SystemRoot\system32\drivers\NETIO.SYS:
AttachClient: 8069CB6E \SystemRoot\system32\drivers\NETIO.SYS
DetachClient: 806A872A \SystemRoot\system32\drivers\NETIO.SYS
CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
Provider 1 81731018 \SystemRoot\system32\drivers\ndis.sys:
AttachClient: 81714386 \SystemRoot\system32\drivers\ndis.sys
DetachClient: 81719C68 \SystemRoot\system32\drivers\ndis.sys
CleanupBindingContext: 81719CD7 \SystemRoot\system32\drivers\ndis.sys
Provider 2 89B32300 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 3 89B32560 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 4 89B32740 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A75D8D \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1D279 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 5 89B29FC8 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A739D8 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B04296 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 6 89B2D090 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A739D8 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B04296 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 7 89B2DEA0 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 8 89B2DD48 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 9 89B2E150 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A757CB \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1ABF1 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Provider 10 89A52334 \SystemRoot\system32\DRIVERS\tdx.sys:
AttachClient: 89A4CAEE \SystemRoot\system32\DRIVERS\tdx.sys
DetachClient: 89A4CB4E \SystemRoot\system32\DRIVERS\tdx.sys
CleanupBindingContext: 89A4CA5A \SystemRoot\system32\DRIVERS\tdx.sys
Nmr[3]: 8386EA18
IID: 2227E808-8D8B-11D4-ABAD-009027719E09 flags 10001
clients: 89CE958C - 89CE958C
Client 0 89A52370 \SystemRoot\system32\DRIVERS\tdx.sys:
AttachClient: 89A4CC3C \SystemRoot\system32\DRIVERS\tdx.sys
DetachClient: 89A4CCCC \SystemRoot\system32\DRIVERS\tdx.sys
CleanupBindingContext: 89A4AD2E \SystemRoot\system32\DRIVERS\tdx.sys
providers: 89D37B8C - 89D37B8C
Provider 0 89B24A20 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A74D4F \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B14794 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[4]: 8386E9A8
IID: 2227E80A-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[5]: 89D093A8
IID: 2227E80C-8D8B-11D4-ABAD-009027719E09 flags 10001
clients: 89D092B4 - 89D092B4
Client 0 89B1EAA0 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7B51F \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89AF65B1 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
providers: 89D093EC - 89D093EC
Provider 0 89B1EAF8 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7B67E \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89AF6650 \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Nmr[0]: 8386EB30
IID: 2227E803-8D8B-11D4-ABAD-009027719E09 flags 10004
clients: 89C2314C - 84BA75E4
Client 0 89C22154 UNKNOWN:
AttachClient: 8069BE21 \SystemRoot\system32\drivers\NETIO.SYS
DetachClient: 806B2773 \SystemRoot\system32\drivers\NETIO.SYS
CleanupBindingContext: 806B2796 \SystemRoot\system32\drivers\NETIO.SYS
Client 1 88497220 \SystemRoot\system32\DRIVERS\rasl2tp.sys:
AttachClient: 8848717A \SystemRoot\system32\DRIVERS\rasl2tp.sys
DetachClient: 884949F8 \SystemRoot\system32\DRIVERS\rasl2tp.sys
CleanupBindingContext: 88494A09 \SystemRoot\system32\DRIVERS\rasl2tp.sys
Client 2 9214B6DC \SystemRoot\system32\drivers\HTTP.sys:
AttachClient: 92137789 \SystemRoot\system32\drivers\HTTP.sys
DetachClient: 9212CD24 \SystemRoot\system32\drivers\HTTP.sys
CleanupBindingContext: 92143214 \SystemRoot\system32\drivers\HTTP.sys
Client 3 920F9254 \SystemRoot\System32\DRIVERS\srvnet.sys:
AttachClient: 920EF071 \SystemRoot\System32\DRIVERS\srvnet.sys
DetachClient: 920F46D3 \SystemRoot\System32\DRIVERS\srvnet.sys
CleanupBindingContext: 920F46DD \SystemRoot\System32\DRIVERS\srvnet.sys
providers: 89CE3C5C - 89CE3C5C
Provider 0 89FC9968 \SystemRoot\system32\drivers\afd.sys:
AttachClient: 89FBE891 \SystemRoot\system32\drivers\afd.sys
DetachClient: 89FC09CD \SystemRoot\system32\drivers\afd.sys
CleanupBindingContext: 89FC0AAE \SystemRoot\system32\drivers\afd.sys
Nmr[1]: 8386EAC0
IID: 2227E805-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[2]: 8386EA50
IID: 2227E807-8D8B-11D4-ABAD-009027719E09 flags 10006
clients: 84784E44 - 8AB233E4
Client 0 884980F8 \SystemRoot\system32\DRIVERS\rasl2tp.sys:
AttachClient: 884873DF \SystemRoot\system32\DRIVERS\rasl2tp.sys
DetachClient: 88495C03 \SystemRoot\system32\DRIVERS\rasl2tp.sys
CleanupBindingContext: 88495BEA \SystemRoot\system32\DRIVERS\rasl2tp.sys
Client 1 88473110 \SystemRoot\system32\DRIVERS\ndiswan.sys:
AttachClient: 8845BE3C \SystemRoot\system32\DRIVERS\ndiswan.sys
DetachClient: 8847028D \SystemRoot\system32\DRIVERS\ndiswan.sys
CleanupBindingContext: 88470274 \SystemRoot\system32\DRIVERS\ndiswan.sys
Client 2 88453260 \SystemRoot\system32\DRIVERS\raspptp.sys:
AttachClient: 88448A8C \SystemRoot\system32\DRIVERS\raspptp.sys
DetachClient: 884516D4 \SystemRoot\system32\DRIVERS\raspptp.sys
CleanupBindingContext: 884516BB \SystemRoot\system32\DRIVERS\raspptp.sys
Client 3 89A52304 \SystemRoot\system32\DRIVERS\tdx.sys:
AttachClient: 89A4B290 \SystemRoot\system32\DRIVERS\tdx.sys
DetachClient: 89A4B302 \SystemRoot\system32\DRIVERS\tdx.sys
CleanupBindingContext: 89A4AD2E \SystemRoot\system32\DRIVERS\tdx.sys
Client 4 89F7F4D0 \SystemRoot\system32\DRIVERS\wanarp.sys:
AttachClient: 89F7D54E \SystemRoot\system32\DRIVERS\wanarp.sys
DetachClient: 89F7D5DE \SystemRoot\system32\DRIVERS\wanarp.sys
CleanupBindingContext: 89F7D60C \SystemRoot\system32\DRIVERS\wanarp.sys
Client 5 92C2B8C8 \SystemRoot\System32\drivers\tcpipreg.sys:
AttachClient: 92C27DA2 \SystemRoot\System32\drivers\tcpipreg.sys
DetachClient: 92C27E02 \SystemRoot\System32\drivers\tcpipreg.sys
CleanupBindingContext: 92C2783A \SystemRoot\System32\drivers\tcpipreg.sys
providers: 8386E7D4 - 8386E7D4
Provider 0 806B48AC \SystemRoot\system32\drivers\NETIO.SYS:
AttachClient: 806976DE \SystemRoot\system32\drivers\NETIO.SYS
DetachClient: 806A9B16 \SystemRoot\system32\drivers\NETIO.SYS
CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
Nmr[3]: 8386E9E0
IID: 2227E809-8D8B-11D4-ABAD-009027719E09 flags 0
Nmr[4]: 83887980
IID: 2227E80B-8D8B-11D4-ABAD-009027719E09 flags 10005
clients: 838879C4 - 80FF691C
Client 0 806B5264 \SystemRoot\system32\drivers\NETIO.SYS:
AttachClient: 8069B021 \SystemRoot\system32\drivers\NETIO.SYS
DetachClient: 806A23E4 \SystemRoot\system32\drivers\NETIO.SYS
CleanupBindingContext: 806961AC \SystemRoot\system32\drivers\NETIO.SYS
Client 1 89B35040 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7C7B3 \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B037BF \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B0381A \SystemRoot\System32\drivers\tcpip.sys
Client 2 89B32330 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7AFFD \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1D2EA \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Client 3 89B32590 \SystemRoot\System32\drivers\tcpip.sys:
AttachClient: 89A7AFFD \SystemRoot\System32\drivers\tcpip.sys
DetachClient: 89B1D2EA \SystemRoot\System32\drivers\tcpip.sys
CleanupBindingContext: 89B04012 \SystemRoot\System32\drivers\tcpip.sys
Client 4 9214B71C \SystemRoot\system32\drivers\HTTP.sys:
AttachClient: 9215F7F8 \SystemRoot\system32\drivers\HTTP.sys
DetachClient: 921747D2 \SystemRoot\system32\drivers\HTTP.sys
CleanupBindingContext: 9215CA48 \SystemRoot\system32\drivers\HTTP.sys
providers: 89CE9F5C - 89CE9F5C
Provider 0 89A236F4 \SystemRoot\system32\DRIVERS\pacer.sys:
AttachClient: 89A1F928 \SystemRoot\system32\DRIVERS\pacer.sys
DetachClient: 89A1F9C0 \SystemRoot\system32\DRIVERS\pacer.sys
CleanupBindingContext: 89A1B5E2 \SystemRoot\system32\DRIVERS\pacer.sys