I'm developing what is essentially a specialized firewall application. The solution needs to be 32- and 64-bit compatible. My company wants to keep the current program interface, which is written in C#.

What I need is this: a way to monitor and manipulate all network traffic on the system. My research has led me to believe that an NDIS (Network Driver Interface Specification) Intermediate driver is the way to go. If I can write this kind of driver in C#, great, but I'm not sure that's possible. At the very least, I need an interface in C# to a driver written in any language.

I found a great resource online for creating one in a series of articles entitled "Extending the Microsoft PassThru NDIS Intermediate Driver":

  1. Part 1 - Adding a DeviceIoControl Interface
  2. Part 2 - Two IP Address Blocking NDIS IM Drivers
  3. Part 3 - Supporting Windows XP 64-Bit Edition

However, it is dated (2003). Before I invest in reading and learning what it has to say, I want to make sure I'm not wasting my time.

Is there a better way to do this? Are there any open source projects or articles that explain the process better than the articles above? Am I even in the ballpark? Help please.
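As an added illustration (not code from the question or from the cited articles) of the user-mode half of the "DeviceIoControl Interface" that Part 1 of the series describes: a C# P/Invoke wrapper that opens a filter driver's control device and pushes one address to its block list. The device name `\\.\PassThru`, the IOCTL function number 0x800 and the request layout (a raw 4-byte IPv4 address) are assumptions and must match whatever the driver's shared header defines.

```csharp
// Added example: user-mode client for a DeviceIoControl-based filter driver.
// Device name, IOCTL number and buffer layout are placeholders that must
// agree with the driver's own header; nothing here comes from the PassThru sample.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class FilterDriverClient
{
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000;
    const uint OPEN_EXISTING = 3;
    const uint FILE_DEVICE_UNKNOWN = 0x22, METHOD_BUFFERED = 0, FILE_ANY_ACCESS = 0;

    // Same bit layout as the CTL_CODE macro used on the driver side.
    static uint CtlCode(uint devType, uint function, uint method, uint access)
        => (devType << 16) | (access << 14) | (function << 2) | method;

    // Assumed function number 0x800; take the real value from the driver's header.
    static readonly uint IOCTL_FILTER_BLOCK_ADDRESS =
        CtlCode(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share,
        IntPtr security, uint disposition, uint flags, IntPtr template);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool DeviceIoControl(SafeFileHandle device, uint code,
        byte[] inBuf, uint inLen, byte[] outBuf, uint outLen,
        out uint bytesReturned, IntPtr overlapped);

    // Sends one IPv4 address (network byte order) to the driver's block list.
    // "\\.\PassThru" is an assumed control-device name exposed by the driver.
    public static void BlockAddress(string ipv4)
    {
        byte[] addr = System.Net.IPAddress.Parse(ipv4).GetAddressBytes();
        using (var dev = CreateFile(@"\\.\PassThru", GENERIC_READ | GENERIC_WRITE,
                                    0, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
        {
            // Invalid handle: driver not loaded, wrong name, or insufficient rights.
            if (dev.IsInvalid) throw new Win32Exception();
            if (!DeviceIoControl(dev, IOCTL_FILTER_BLOCK_ADDRESS, addr, (uint)addr.Length,
                                 null, 0, out uint _, IntPtr.Zero))
                throw new Win32Exception(); // driver rejected the request
        }
    }
}
```

Opening the control device requires whatever access the driver grants in its device object's security descriptor, so the caller normally needs administrative rights.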

+1  A: 

There's another page from the same author, titled Windows Network Data and Packet Filtering, which provides "a brief introduction to various techniques that can be used to filter network data and network packets on the Microsoft Windows platforms".

It mentions other options, e.g. "TDI filter driver" and "User-Mode Network Data Filtering", which may suit instead, depending on whether you really want to manipulate all the network traffic on the system.

ChrisW
I don't necessarily want to *manipulate* all network traffic, but the solution must be *able* to. This is not an option, it is a project requirement.
Andrew
All traffic, or for example only all Internet Protocol traffic?
ChrisW
Ah, I see what you mean. Sorry. All IP traffic. By all network traffic, I meant from/to any network device.
Andrew
If you only need to filter IP traffic then a filter that's higher up the protocol stack (e.g. a TDI driver instead of an NDIS driver) might be better for you. The next question then is, can your filter be even higher than the TDI level: do you need to filter IP traffic seen by kernel-mode code (e.g. the file system implementation), or do you only need to filter IP traffic seen by user-mode code (e.g. Win32 applications)? Because in the latter case, a user-mode filter might suffice.
ChrisW
From this conversation, I'm finding I don't know a lot. I'm not sure whether kernel-mode code would need to be filtered. I need to catch any network communications of any program on the system, so maybe Win32 applications only?
Andrew
You haven't said why you need to filter (except to say "specialized firewall application") so I can't guess or tell you what you need to filter. If you do only need to filter user-mode applications, that may be an easier job than writing a filter device driver that would run in the kernel.
ChrisW
Sorry, I'm not trying to be ambiguous. I guess I'm just that clueless. My requirement is that I must be able to *at least* intercept all web requests (http, https, etc.). However, I will need to be able to block certain other protocols and communications (like proxies, torrent, p2p, etc.) at some point as well.
Andrew
Maybe you're right: http://msdn.microsoft.com/en-us/library/aa504964.aspx says that an NDIS Intermediate Driver is recommended instead of Firewall-Hook Drivers. *But* http://msdn.microsoft.com/en-us/library/aa504969.aspx says that starting with Vista you should use "Windows Filtering Platform Callout Drivers" instead.
ChrisW
*sigh* Ok, I guess I'll do some research and ask another question in a while.
Andrew
One problem with drivers is that the driver architecture is less stable over the years: it changes more often than the Win32/user-mode APIs do, from one O/S release to the next. It's fairly stable but you're right that it can change over 5 years.
ChrisW