Nmap Development mailing list archives

Yang's Status Report - #6 of 17


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 8 Jun 2015 23:18:05 +0800

Hi all,

Accomplishments:

* Preliminarily finished one of our goals: "change the function entry
point and external variable names of NPcap". However, Nmap and
Wireshark still need some accommodations before using NPcap. Because
Nmap hard-coded the "npf.sys" driver name, we need to add the
"npcap.sys" string in our next release. I will discuss this with my
mentor in the next meetup. And Wireshark hard-coded the DLL search
path, so it cannot find NPcap's DLLs, even if we put them in the PATH
environment variable. I have sent Wireshark's dev mailing list a mail
asking them to improve their DLL searching logic
(https://marc.info/?l=wireshark-dev&m=143352509705303&w=2), but there
is still no reply.


* NPcap has been tested with WinDump (x86) and WinDump (x64) at the
same time and they turn out to be running well.


* Clues for why Nmap does not support NPcap:


https://svn.nmap.org/nmap/mswin32/winfix.cc
static bool start_npf() {
  SC_HANDLE scm, npf;
  SERVICE_STATUS service;
  bool npf_running;
  int ret;

  scm = NULL;
  npf = NULL;

  scm = OpenSCManager(NULL, NULL, 0);
  if (scm == NULL) {
    error("Error in OpenSCManager");
    goto quit_error;
  }
  npf = OpenService(scm, "npf", SC_MANAGER_CONNECT |
                    SERVICE_QUERY_STATUS);  /* <-- hard-coded npf driver name */
  if (npf == NULL) {
    error("Error in OpenService");
    goto quit_error;
  }
  if (!QueryServiceStatus(npf, &service)) {
    error("Error in QueryServiceStatus");
    goto quit_error;
  }
  npf_running = (service.dwCurrentState & SERVICE_RUNNING) != 0;
  CloseServiceHandle(scm);
  CloseServiceHandle(npf);

  if (npf_running) {
    if (o.debugging > 1)
      log_write(LOG_PLAIN, "NPF service is already running.\n");
    return true;
  }

  /* NPF is not running. Try to start it. */

  if (o.debugging > 1)
    log_write(LOG_PLAIN, "NPF service is not running.\n");

  ret = (int) ShellExecute(0, "runas", "net.exe", "start npf", 0,
                           SW_HIDE);  /* <-- hard-coded npf driver name */
  if (ret <= 32) {
    error("Unable to start NPF service: ShellExecute returned %d.\n\
Resorting to unprivileged (non-administrator) mode.", ret);
    return false;
  }

  return true;

quit_error:
  if (scm != NULL)
    CloseHandle(scm);
  if (npf != NULL)
    CloseHandle(npf);

  return false;
}


* Clues for why Wireshark does not support NPcap:


https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=caputils/capture-wpcap.c;h=33422765699f4c0b22b09adaf8db1bf60ff6d720;hb=HEAD
(lines 200-207)

        GModule         *wh; /* wpcap handle */
        const symbol_table_t    *sym;

        wh = ws_module_open("wpcap.dll", 0);  /* <-- Load the wpcap.dll */

        if (!wh) {
                return;
        }

https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=wsutil/file_util.c;h=50f4fff4119bf2db8a62ce5233b9553c91ab7ceb;hb=HEAD
(lines 550-581)

ws_module_open(gchar *module_name, GModuleFlags flags)
{
      gchar   *full_path;
      GModule *mod;

      if (!init_dll_load_paths() || !module_name)
            return NULL;

      /* First try the program directory */
      full_path = g_module_build_path(program_path, module_name);
      /* <-- 1. check its installation path */

      if (full_path) {
            mod = g_module_open(full_path, flags);
            if (mod) {
                  g_free(full_path);
                  return mod;
            }
      }

      /* Next try the system directory */
      full_path = g_module_build_path(system_path, module_name);
      /* <-- 2. check system32 (or syswow64) path */

      if (full_path) {
            mod = g_module_open(full_path, flags);
            if (mod) {
                  g_free(full_path);
                  return mod;
            }
      }

      return NULL;
}



* My workaround suggestions:

For Nmap:

Add an option to use the "npcap" driver in the start_npf() function,
with either "npcap" coming first or "npf" coming first. As we want
NPcap to coexist with WinPcap, we must use a different driver name
instead of the original "npf"; there is not much other way left for us
to solve this problem.


For Wireshark:

Use the standard Windows DLL search mechanism instead of their
customized way. It is their duty to follow the Windows DLL search
convention. However, I don't know if they even want to change this for
NPcap. Another way out is that we also copy our DLLs to the system32
folder if we detect that WinPcap is unavailable, so Wireshark can run.
But the drawback is obvious: the WinPcap installer will recognize our
DLLs and view NPcap as another version of WinPcap, because its NSIS
script checks for already installed WinPcap software based on the
version string of the system32\wpcap.dll file.



Priorities:

* Continue to finish the "change the function entry point and external
variable names of NPcap" goal completely.

* Have a meeting with fyodor for the next step.



Cheers,

Yang
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
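Editor's added example (not part of Yang's message and not Nmap's code):
the "try npcap first, then fall back to npf" selection that the workaround
above describes, written as portable C so the ordering logic can be run
and checked without Windows. The Service Control Manager is replaced by a
caller-supplied probe callback (on Windows it would wrap OpenService and
QueryServiceStatus, as start_npf() does); the service tables, the
drv_probe_fn/select_capture_driver/needs_start names and the three
scenario functions are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* State a capture driver's kernel service can be in, as seen from the
 * Service Control Manager (SCM). */
enum drv_state { DRV_ABSENT = 0, DRV_STOPPED = 1, DRV_RUNNING = 2 };

/* Probe callback: reports the state of one named service. On Windows this
 * would wrap OpenService() + QueryServiceStatus(); here the caller supplies
 * it, so the selection logic itself runs and tests on any platform.
 * (Hypothetical interface, constructed for this example.) */
typedef enum drv_state (*drv_probe_fn)(const char *service_name, void *ctx);

struct drv_choice {
    const char *name;     /* selected service name, NULL if none installed */
    enum drv_state state; /* its state at selection time */
};

/* Try each candidate name in order and pick the first one that is installed,
 * whether running or stopped. An installed-but-stopped driver earlier in the
 * list wins over a running one further down, so the choice does not flip
 * between runs depending on which service happens to be up. */
struct drv_choice select_capture_driver(const char *const *candidates, size_t n,
                                        drv_probe_fn probe, void *ctx)
{
    struct drv_choice choice = { NULL, DRV_ABSENT };
    for (size_t i = 0; i < n; i++) {
        enum drv_state st = probe(candidates[i], ctx);
        if (st != DRV_ABSENT) {
            choice.name = candidates[i];
            choice.state = st;
            break;
        }
    }
    return choice;
}

/* 1 if the chosen driver is installed but not running, i.e. the caller still
 * has to start it (Nmap does this with "net start <name>"); 0 otherwise. */
int needs_start(struct drv_choice c)
{
    return c.name != NULL && c.state == DRV_STOPPED;
}

/* ---- constructed stand-in for the SCM, so the example runs offline ---- */

struct fake_service { const char *name; enum drv_state state; };
struct fake_scm { const struct fake_service *svc; size_t n; };

static enum drv_state fake_probe(const char *name, void *ctx)
{
    const struct fake_scm *scm = ctx;
    for (size_t i = 0; i < scm->n; i++)
        if (strcmp(scm->svc[i].name, name) == 0)
            return scm->svc[i].state;
    return DRV_ABSENT;
}

/* Candidate order from the report: the new "npcap" name first, then the
 * original WinPcap "npf" name as the fallback. */
static const char *const CAPTURE_DRIVERS[] = { "npcap", "npf" };
#define N_CAPTURE_DRIVERS (sizeof CAPTURE_DRIVERS / sizeof CAPTURE_DRIVERS[0])

static struct drv_choice choose_on(const struct fake_service *svc, size_t n)
{
    struct fake_scm scm = { svc, n };
    return select_capture_driver(CAPTURE_DRIVERS, N_CAPTURE_DRIVERS,
                                 fake_probe, &scm);
}

/* Scenario A: both drivers installed side by side; WinPcap's npf is running,
 * Npcap is installed but stopped. Expect "npcap", and it needs starting. */
struct drv_choice scenario_both_installed(void)
{
    static const struct fake_service table[] = {
        { "npf",   DRV_RUNNING },
        { "npcap", DRV_STOPPED },
    };
    return choose_on(table, 2);
}

/* Scenario B: only WinPcap present and running. Expect fallback to "npf". */
struct drv_choice scenario_only_winpcap(void)
{
    static const struct fake_service table[] = { { "npf", DRV_RUNNING } };
    return choose_on(table, 1);
}

/* Scenario C: no capture driver at all. Expect no name; the caller would
 * then fall back to unprivileged mode, as Nmap's start_npf() does. */
struct drv_choice scenario_none(void)
{
    static const struct fake_service table[] = { { "tcpip", DRV_RUNNING } };
    return choose_on(table, 1);
}

static void report(const char *label, struct drv_choice c)
{
    printf("%s: %s%s\n", label, c.name ? c.name : "(no capture driver)",
           needs_start(c) ? " (installed, must be started)" : "");
}

int main(void)
{
    report("both installed", scenario_both_installed());
    report("only WinPcap  ", scenario_only_winpcap());
    report("none          ", scenario_none());
    return 0;
}
```

The point of separating selection from starting is that the caller learns
three distinct things (which name to use, whether it is already up, and
whether nothing is installed at all), which is exactly the information the
hard-coded "npf" strings in start_npf() collapse into one assumption.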