Method for intercepting network packets in a computing device
Abstract
A method is provided for intercepting network packets in a computer system, where a number of functions are used to communicate network packets between a network adapter and a protocols entity. A first network adapter and a first protocols entity installed in the computer system are identified. A set of replacement functions is provided within a packet interceptor module. At least one function used for transmitting network packets from said first protocols entity to said first network adapter is hooked into a first replacement function. At least one function used for transmitting network packets from said first network adapter to said first protocols entity is hooked into a second replacement function. At least one function used for receiving information about the status of the network interface implemented by said first network adapter is hooked into a third replacement function.
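The pointer-table form of hooking that the abstract describes (locate a function pointer, save a copy, replace it, then call through to or bypass the original, as claims 18, 23 and 24 put it), as an added user-space C sketch that is not code from the patent. `binding_table`, the handler names, the packet policy and the sample packets are constructed for illustration and no NDIS structure is used; `redirected_entries` shows how comparing the table against a known-good baseline reveals the redirection.

```c
#include <stdio.h>

/* Hypothetical handler table binding one protocols entity to one adapter. */
typedef struct {
    int  (*send)(const unsigned char *pkt, size_t len);    /* protocol -> adapter */
    int  (*receive)(const unsigned char *pkt, size_t len); /* adapter -> protocol */
    void (*status)(int link_up);                           /* interface status    */
} binding_table;

/* Counters that show which functions actually ran. */
static int sent, delivered, dropped, stack_link = -1, interceptor_link = -1;

/* The "original functions" of this toy stack. */
static int  orig_send(const unsigned char *p, size_t n)    { (void)p; (void)n; sent++; return 0; }
static int  orig_receive(const unsigned char *p, size_t n) { (void)p; (void)n; delivered++; return 0; }
static void orig_status(int up)                            { stack_link = up; }

static binding_table table = { orig_send, orig_receive, orig_status };
static binding_table saved;   /* saved copies of the original pointers */
static int hooked;

/* Constructed policy: pass only IPv4 packets carrying TCP (6) or UDP (17). */
static int allowed(const unsigned char *p, size_t n) {
    return n >= 20 && (p[0] >> 4) == 4 && (p[9] == 6 || p[9] == 17);
}

/* Replacement functions: inspect first, then either call the saved original
 * or return without calling it, which bypasses the original entirely. */
static int hook_send(const unsigned char *p, size_t n) {
    return allowed(p, n) ? saved.send(p, n) : (dropped++, -1);
}
static int hook_receive(const unsigned char *p, size_t n) {
    return allowed(p, n) ? saved.receive(p, n) : (dropped++, -1);
}
static void hook_status(int up) { interceptor_link = up; saved.status(up); }
static const binding_table hooks = { hook_send, hook_receive, hook_status };

/* Number of entries in t that differ from ref (0 means identical tables). */
int redirected_entries(const binding_table *t, const binding_table *ref) {
    return (t->send != ref->send) + (t->receive != ref->receive) +
           (t->status != ref->status);
}

/* Save copies of the located pointers, then replace them. */
int install_hooks(binding_table *t) {
    if (hooked) return -1;    /* a second install would lose the originals */
    saved = *t;
    *t = hooks;
    hooked = 1;
    return 0;
}

/* Restore the originals, but only while the table still holds our hooks. */
int remove_hooks(binding_table *t) {
    if (!hooked || redirected_entries(t, &hooks) != 0) return -1;
    *t = saved;
    hooked = 0;
    return 0;
}

/* Constructed 20-byte IPv4 headers: byte 0 = version/IHL, byte 9 = protocol. */
static const unsigned char tcp_pkt[20]  = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6 };
static const unsigned char icmp_pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0, 0, 64, 1 };

int main(void) {
    const binding_table good = table;          /* baseline taken before hooking */
    install_hooks(&table);
    table.send(tcp_pkt, sizeof tcp_pkt);       /* passed on to orig_send */
    table.send(icmp_pkt, sizeof icmp_pkt);     /* refused by hook_send   */
    table.status(1);
    printf("sent=%d dropped=%d link=%d redirected=%d\n", sent, dropped,
           interceptor_link, redirected_entries(&table, &good));
    return remove_hooks(&table);
}
```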
47 Claims
1. A method for intercepting and processing network packets in a computer system, where network packets are communicated between a first network adapter and a first protocols entity, of which said first network adapter implements a first network interface, the method comprising the steps of
providing a set of three or more replacement functions within a packet interceptor software component, said replacement functions capable of processing said network packets in a desired way or receiving status information about a network interface;
hooking at least a first original function used for transmitting network packets from said first protocols entity to said first network adapter into a first replacement function;
hooking at least a second original function used for transmitting network packets from said first network adapter to said first protocols entity into a second replacement function; and
hooking at least a third original function used for receiving information about the status of the network interface implemented by said first network adapter into a third replacement function;
and wherein hooking is defined as redirecting function calls to all said original functions to corresponding replacement functions so that said replacement functions are invoked by said redirected function calls.
determining, whether or not a dynamic IP address has been allocated for the network interface implemented by said first network adapter; and
in a case where a dynamic IP address has been allocated for the network interface implemented by said first network adapter, determining what said dynamic IP address is;
and wherein each said hooking step is further defined as accomplishing said redirection by altering at least some pointers or addresses in a function call table of an application programmatic interface that point to at least some of said original functions so as to point to corresponding replacement functions.
3. A method according to claim 1, additionally comprising a step of identifying a first network adapter and a first protocols entity installed in the computer system, so arranged that this step comprises first the substep of
hooking a registration function and used by network adapters and protocols entities to register themselves to the computer system, into a certain replacement registration function;
and after that without any specific order the substeps of identifying said first network adapter when it uses said replacement registration function to register itself to the computer system and identifying said first protocols entity when it uses said replacement function to register itself to the computer system, and wherein hooking is further defined as processing a network packet when said replacement function is invoked by a redirected function call, and, after said processing is completed, returning said network packet to said original function whose function call was redirected for further processing.
4. A method according to claim 3, wherein the step of hooking said registration function used by network adapters and protocols entities to register themselves comprises, without any specific order, the substeps of
loading an interface module that determines said registration function;
loading a packet interceptor module that determines said replacement registration function; and
performing said hooking by redirecting predetermined function calls made to said registration function to predetermined function calls of said replacement registration mechanism.
5. A method according to claim 4, wherein the step of loading an interface module that determines said registration function comprises the step of loading an NDIS interface module, and the step of redirecting function calls to said registration function to predetermined function calls of said replacement registration mechanism comprises the substeps of
hooking the NdisRegisterProtocol function determined by said NDIS interface module into a replacement protocol registering function determined by said packet interceptor module; and
hooking the NdisOpenAdapter function determined by said NDIS interface module into a replacement network adapter opening function determined by said packet interceptor module.
6. A method according to claim 5, wherein the step of hooking the NdisRegisterProtocol function comprises the step of replacing a plurality of the functions in the NDIS_PROTOCOL_CHARACTERISTICS structure determined by said NDIS interface module.
7. A method according to claim 6, wherein the step of replacing a plurality of the functions in the NDIS_PROTOCOL_CHARACTERISTICS structure comprises the step of replacing the ReceiveHandler, ReceiveCompleteHandler and TransferDataCompleteHandler functions determined by said NDIS interface module.
8. A method according to claim 7, wherein the step of replacing a plurality of the functions in the NDIS_PROTOCOL_CHARACTERISTICS structure comprises additionally the step of replacing the SendCompleteHandler and RequestCompleteHandler functions determined by said NDIS interface module.
9. A method according to claim 5, additionally comprising the step of determining, which bindings connect said first network adapter and said first protocols entity, by calling said replacement adapter opening function.
10. A method according to claim 1, additionally comprising the steps of
loading said first network adapter and said first protocols entity and determining, which bindings connect said first network adapter and said first protocols entity, by analyzing data structures after said first network adapter and said first protocols entity have been loaded.
11. A method according to claim 10, wherein said step of analyzing data structures after said first network adapter and said first protocols entity have been loaded comprises the step of reading a piece of system configuration information from a memory.
12. A method according to claim 11, wherein said step of reading a piece of system configuration information comprises the step of reading a registry.
13. A method according to claim 1, additionally comprising the step of identifying the first network adapter and the first protocols entity, so that this step comprises the substep of reading a piece of system configuration information from a memory.
14. A method according to claim 13, wherein the substep of reading a piece of system configuration information from a memory comprises the reading of a registry.
15. A method according to claim 1, additionally comprising the steps of
loading said first network adapter and said first protocols entity and identifying the first network adapter and the first protocols entity by traversing data structures after adapters and protocols have been loaded into the computer system.
16. A method according to claim 15, comprising first without any specific order the steps of
loading said first protocols entity into the computer system; and
loading said first network adapter into the computer system;
and after that, in the following order, the steps of loading a dynamically loadable packet interceptor module into the computer system; and
traversing data structures to identify said first network adapter and said first protocols entity.
17. A method according to claim 1, wherein at least one of said hooking steps comprises the substeps of
locating the beginning of the executable program code of a certain first function that is to be hooked into a certain first replacement function;
saving a copy of a certain passage of executable program code starting from said beginning; and
replacing said certain passage of executable program code starting from said beginning with another passage of executable program code that transfers execution to said first replacement function.
18. A method according to claim 1, wherein at least one of said hooking steps comprises the substeps of
locating, in a data structure, a function pointer that points to a certain first function that is to be hooked into a certain first replacement function;
saving a copy of said function pointer; and
replacing said function pointer with another function pointer that points to said first replacement function.
19. A method according to claim 1, wherein at least one of said hooking steps comprises the substeps of
locating a dispatch table in a dynamically loaded module; and
modifying said dispatch table.
20. A method according to claim 1, wherein at least one of said hooking steps comprises the substep of calling a system function that installs a hook for a system service.
21. A method according to claim 1, wherein at least one of said hooking steps comprises the substep of adding a first replacement function into which a certain first function is hooked to a system-provided hook list.
22. A method according to claim 1, wherein at least one of said hooking steps comprises the substep of redirecting an interrupt vector that vectors processing to a function so as to redirect processing to a replacement function.
23. A method according to claim 1, wherein each hooking step comprises handling a network packet or doing any other processing such as receiving status information about a network interface using a replacement function and doing so without passing said network packet back to said original function which is hooked into said replacement function thereby completely bypassing said original function.
24. A method according to claim 1, additionally comprising the step of calling a certain first function from a certain first replacement function into which said first function is hooked.
25. A method according to claim 1, additionally comprising, in the following order, the steps of
modifying a network packet with said first replacement function and passing the modified network packet to said function which is hooked into said first replacement function.
26. A method according to claim 1, additionally comprising the step of copying a network packet by applying a replacement function.
27. A method according to claim 1, additionally comprising the step of calling a certain first function, which is hooked into a certain first replacement function, without first calling said first replacement function.
28. A method according to claim 1, additionally comprising the steps of
determining whether a dial-up link is up or down; and
providing information about said dial-up link being up or down to said packet interceptor module.
29. A method according to claim 1, additionally comprising the steps of
determining at least one network address used for said first network interface; and
providing information about determined network addresses to said packet interceptor module.
30. A method according to claim 29, wherein the step of determining at least one network address comprises the substep of examining link-layer protocol packets.
31. A method according to claim 30, wherein the step of examining link-layer protocol packets comprises the substep of examining IPCP packets where IPCP is a subprotocol of PPP.
32. A method according to claim 30, wherein the step of examining link-layer protocol packets comprises the substep of examining ARP protocol packets.
33. A method according to claim 29, wherein the step of determining at least one network address comprises the substep of examining the DHCP protocol.
34. A method according to claim 29, wherein the step of determining at least one network address comprises the substeps of
hooking a function that is to be called when there is a change in the address information into a replacement function;
traversing a number of predetermined data structures at the time of calling said replacement function; and
comparing information read from said traversed data structures against a predetermined piece of earlier saved corresponding information.
35. A method according to claim 1, further comprising the step of
modifying information passed between said first network adapter and said first protocols entity about link-layer characteristics; and
as a result of said modification of information, reducing the maximum transmitted packet size known to said first protocols entity on a link.
36. A method for intercepting network packets in a computer system, where a plurality of original functions are used to communicate network packets between a plurality of network adapters and a plurality of protocols entities, of which the network adapters implement certain network interfaces, the method comprising the steps of
providing a set of replacement functions within a packet interceptor module;
hooking a plurality of original functions used for transmitting network packets from protocols entities to network adapters into a first set of replacement functions, said hooking occurring at a programmatic interface of said original functions, and wherein said original functions are incapable of performing at least some of said functions of said replacement function and are incapable of being modified to reliably perform said at least some of said functions performed by said replacement function;
hooking a plurality of original functions used for transmitting network packets from network adapters to protocols entities into a second set of replacement functions, said hooking occurring at a programmatic interface of said original functions, and wherein said original functions are incapable of performing at least some of said functions of said replacement function and are incapable of being modified to reliably perform said at least some of said functions performed by said replacement function; and
hooking a plurality of original functions used for receiving information about the status of the network interfaces implemented by network adapters into a third set of replacement functions, said hooking occurring at a programmatic interface of said original functions, and wherein said original functions are incapable of performing at least some of said functions of said replacement function and are incapable of being modified to reliably perform said at least some of said functions performed by said replacement function; and
wherein hooking, as the term is used herein, means redirection in any way of function calls to said original functions to cause each said redirected function call to be redirected so as to call a corresponding replacement function.
39. A method for intercepting network packets in a computer system, where a certain first operating system module is used to implement network functionality using a plurality of original functions and said first operating system module implements a certain programming interface with a plurality of entry points by which said original functions in said operating system module can be invoked by making a function call to said entry point, but wherein said first operating system module is not capable of performing one or more desired functions and is not capable of being modified to reliably perform said one or more desired functions, the method comprising the steps of
without removing said first operating system module, functionally replacing said first operating system module with a first replacement module that has replacement functions therein which can be called to perform said one or more desired functions said first replacement module implementing a programming interface equal to said programming interface of said first operating system module and which receives at least some function calls to said first operating system module to invoke one or more original functions and cause one or more corresponding replacement functions to be invoked instead, said functionally replacing without removing step comprising the substeps:
moving said first operating system module aside, reading the entry point table of said first operating system module, reading the entry point table of said first replacement module, dynamically creating a new software module that contains the same entry points as said first operating system module originally had, forwarding each function call to an entry point of said first operating system module to a corresponding entry point of said first replacement module if there is one but forwarding each function call to an entry point of said first operating system module to the new entry point of said first operating system module if there is no corresponding entry point of said first replacement module;
using said replacement module to identify at least a first network adapter and at least a first protocols entity installed in the computer system;
using said replacement module to replace without removing at least one original function used for transmitting network packets from said first protocols entity to said first network adapter;
using said replacement module to replace without removing at least one original function used for transmitting network packets from said first network adapter to said first protocols entity;
using said replacement module to replace without removing at least one original function used for receiving information about the status of a network interface implemented by said first network adapter;
using said replacement module to determine, whether or not a dynamic Internet Protocol (IP) address has been allocated for said network interface implemented by said first network adapter; and
in a case where a dynamic IP address has been allocated for said network interface implemented by said first network adapter, using said replacement module to determine, what said dynamic IP address is.
moving said first operating system module aside at installation time when an operating system is booting and replacing said first operating system module with said first replacement module until said operating system has completed booting, and then removing said first replacement module and said new software module and moving said first operating system module back to its original position in memory.
42. A method according to claim 39, wherein said step of replacing said first operating system module with said replacement module is performed when the computer system boots but before said first operating system module is loaded.
43. A method according to claim 42, additionally comprising the step of undoing the replacing by said replacement module after said first operating system module has been loaded.
44. A method according to claim 39, additionally comprising the step of automatically generating said replacement module based on the said first operating system module.
45. A computer system for handling network packets, comprising
a first network adapter arranged to implement a network interface;
a first protocols entity;
a number of predetermined functions for communicating network packets between said network adapter and said protocols entity;
a packet interceptor module for implementing a set of replacement functions;
within said packet interceptor module, means for hooking at least one function used for transmitting network packets from said first protocols entity to said first network adapter into a first replacement function such that each function call to an original function used for transmitting a network packet from a protocols entity to a network adapter is redirected to an appropriate replacement function which processes said network packet in a desired way;
within said packet interceptor module, means for hooking at least one function used for transmitting network packets from said first network adapter to said first protocols entity into a second replacement function such that each function call to a function used for transmitting a network packet from a network adapter to a protocols entity is redirected to an appropriate replacement function which processes said network packet in a desired way; and
within said packet interceptor module, means for hooking at least one function used for receiving information about the status of the network interface implemented by said first network adapter into a third replacement function such that each function call to a function used for receiving status of a network adapter is redirected to an appropriate replacement function.
47. A packet interceptor module for intercepting network packets in a computer system which comprises a first network adapter, a first protocols entity and a number of predetermined functions having a programmatic interface, said functions for communicating network packets between said network adapter and said protocols entity, said packet interceptor module comprising
the definition of a set of replacement functions;
means for hooking at least one function used for transmitting network packets from said first protocols entity to said first network adapter into a first replacement function;
means for hooking at least one function used for transmitting network packets from said first network adapter to said first protocols entity into a second replacement function; and
means for hooking at least one function used for receiving information about the status of the network interface implemented by said first network adapter into a third replacement function;
and wherein each said means for hooking performs a function of redirecting at least some of said function calls to original functions to corresponding replacement functions by altering address or pointer data in a programmatic interface of said original functions.