Nmap Development mailing list archives
Yang's Status Report - #6 of 17
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 8 Jun 2015 23:18:05 +0800
Hi all,

Accomplishments:

* Preliminarily finished one of our goals: "change the function entry point and external variable names of NPcap". However, Nmap and Wireshark still need some accommodations before using NPcap. Because Nmap hard-coded the "npf.sys" driver name, we need to add the "npcap.sys" string in our next release. I will discuss this with my mentor in the next meetup. And Wireshark hard-coded the DLL search path, so it cannot find NPcap's DLLs even if we put them in the PATH environment variable. I have sent Wireshark's dev mailing list a mail asking them to improve their DLL search logic (https://marc.info/?l=wireshark-dev&m=143352509705303&w=2), but there is still no reply.

* NPcap has been tested with WinDump (x86) and WinDump (x64) at the same time, and they turned out to run well.

* Clues for Nmap's not supporting NPcap: https://svn.nmap.org/nmap/mswin32/winfix.cc

    static bool start_npf() {
      SC_HANDLE scm, npf;
      SERVICE_STATUS service;
      bool npf_running;
      int ret;

      scm = NULL;
      npf = NULL;

      scm = OpenSCManager(NULL, NULL, 0);
      if (scm == NULL) {
        error("Error in OpenSCManager");
        goto quit_error;
      }
      npf = OpenService(scm, "npf", SC_MANAGER_CONNECT | SERVICE_QUERY_STATUS);   <---- hard-coded npf driver name
      if (npf == NULL) {
        error("Error in OpenService");
        goto quit_error;
      }
      if (!QueryServiceStatus(npf, &service)) {
        error("Error in QueryServiceStatus");
        goto quit_error;
      }
      npf_running = (service.dwCurrentState & SERVICE_RUNNING) != 0;
      CloseServiceHandle(scm);
      CloseServiceHandle(npf);

      if (npf_running) {
        if (o.debugging > 1)
          log_write(LOG_PLAIN, "NPF service is already running.\n");
        return true;
      }

      /* NPF is not running. Try to start it. */
      if (o.debugging > 1)
        log_write(LOG_PLAIN, "NPF service is not running.\n");

      ret = (int) ShellExecute(0, "runas", "net.exe", "start npf", 0, SW_HIDE);   <---- hard-coded npf driver name
      if (ret <= 32) {
        error("Unable to start NPF service: ShellExecute returned %d.\n\
    Resorting to unprivileged (non-administrator) mode.", ret);
        return false;
      }
      return true;

    quit_error:
      if (scm != NULL)
        CloseHandle(scm);
      if (npf != NULL)
        CloseHandle(npf);
      return false;
    }

* Clues for Wireshark's not supporting NPcap:

  https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=caputils/capture-wpcap.c;h=33422765699f4c0b22b09adaf8db1bf60ff6d720;hb=HEAD (lines 200-207)

    GModule *wh; /* wpcap handle */
    const symbol_table_t *sym;

    wh = ws_module_open("wpcap.dll", 0);   <---- Load the wpcap.dll

    if (!wh) {
      return;
    }

  https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=wsutil/file_util.c;h=50f4fff4119bf2db8a62ce5233b9553c91ab7ceb;hb=HEAD (lines 550-581)

    ws_module_open(gchar *module_name, GModuleFlags flags)
    {
      gchar *full_path;
      GModule *mod;

      if (!init_dll_load_paths() || !module_name)
        return NULL;

      /* First try the program directory */
      full_path = g_module_build_path(program_path, module_name);   <---- 1. check its installation path

      if (full_path) {
        mod = g_module_open(full_path, flags);
        if (mod) {
          g_free(full_path);
          return mod;
        }
      }

      /* Next try the system directory */
      full_path = g_module_build_path(system_path, module_name);   <---- 2. check system32 (or syswow64) path

      if (full_path) {
        mod = g_module_open(full_path, flags);
        if (mod) {
          g_free(full_path);
          return mod;
        }
      }

      return NULL;
    }

* My workaround suggestions:

  For Nmap: Add an option to use the "npcap" driver in the start_npf() function, with either "npcap" or "npf" coming first. As we want NPcap to coexist with WinPcap, we must use a different driver name instead of the original "npf"; there is not much other way left for us to solve this problem.

  For Wireshark: Use the standard Windows DLL search mechanism instead of their customized way. It is their duty to follow the Windows DLL search convention. However, I don't know if they even want to change this for NPcap. Another way out is that we also copy our DLLs to the system32 folder if we detect that WinPcap is unavailable, so Wireshark can run. But the drawback is obvious: the WinPcap installer will recognize our DLLs and view NPcap as another version of WinPcap, because its NSIS script checks for already-installed WinPcap software based on the version string of the system32\wpcap.dll file.

Priorities:

* Continue to finish the "change the function entry point and external variable names of NPcap" goal completely.
* Have a meeting with fyodor for the next step.

Cheers,
Yang
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
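The driver-name fallback the report suggests for Nmap's start_npf(), as an added example that is not part of the post and not Nmap's or Npcap's code. It models the two-stage lookup (is a candidate service already running? if not, can one be started?) over an ordered candidate list; the Windows Service Control Manager calls (OpenSCManager, OpenService, QueryServiceStatus, StartService) are replaced by a small injectable fake so the logic compiles and runs on any platform. The candidate order {"npcap", "npf"}, the fake_scm/fake_service types and the "running candidate wins regardless of order" rule are assumptions for illustration. The Wireshark side is left as quoted: a loader that consults only the program directory and the system directory is the conventional mitigation against DLL search-order hijacking, which is exactly why DLLs placed on PATH are not found, so that behaviour is best changed by Wireshark's maintainers rather than worked around.

```c
/* Added example (not Nmap's code): portable model of a start_npf() that
 * tries several capture-driver service names instead of a hard-coded "npf".
 * The SCM is replaced by a fake backend (assumption) so this runs anywhere. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* State of one candidate service, as a fake SCM would report it (constructed). */
typedef struct {
    const char *name;   /* service name, e.g. "npcap" or "npf" */
    bool installed;     /* OpenService() would succeed */
    bool running;       /* QueryServiceStatus() reports SERVICE_RUNNING */
    bool can_start;     /* StartService() would succeed (needs elevation) */
} fake_service;

/* Stand-in for the SCM handle: a table of installed services (constructed). */
typedef struct {
    fake_service *services;
    int count;
} fake_scm;

/* Equivalent of OpenService(): NULL when the service does not exist. */
static fake_service *scm_lookup(fake_scm *scm, const char *name) {
    for (int i = 0; i < scm->count; i++)
        if (scm->services[i].installed && strcmp(scm->services[i].name, name) == 0)
            return &scm->services[i];
    return NULL;
}

/* Candidate driver names in preference order (assumption: "npcap" first). */
static const char *const DRIVER_CANDIDATES[] = { "npcap", "npf" };
#define N_CANDIDATES (sizeof DRIVER_CANDIDATES / sizeof DRIVER_CANDIDATES[0])

/* Returns the name of the capture service that is running after the call,
 * or NULL if none could be found or started (caller then falls back to
 * unprivileged mode, as the original start_npf() does). */
const char *select_capture_driver(fake_scm *scm) {
    /* Pass 1: a candidate that is already running wins, whatever its
     * position in the list; querying status needs no elevation. */
    for (size_t i = 0; i < N_CANDIDATES; i++) {
        fake_service *svc = scm_lookup(scm, DRIVER_CANDIDATES[i]);
        if (svc && svc->running)
            return svc->name;
    }
    /* Pass 2: nothing is running, so try to start candidates in order.
     * A missing service (OpenService failure) just moves on to the next name. */
    for (size_t i = 0; i < N_CANDIDATES; i++) {
        fake_service *svc = scm_lookup(scm, DRIVER_CANDIDATES[i]);
        if (!svc)
            continue;
        if (svc->can_start) {
            svc->running = true;   /* StartService() succeeded */
            return svc->name;
        }
        /* Start failed (typically: not elevated); try the next candidate. */
    }
    return NULL;
}

int main(void) {
    /* Constructed scenario: WinPcap installed and running, Npcap installed but stopped. */
    fake_service table[] = {
        { "npcap", true, false, true },
        { "npf",   true, true,  true },
    };
    fake_scm scm = { table, 2 };
    const char *chosen = select_capture_driver(&scm);
    printf("capture driver: %s\n", chosen ? chosen : "(none)");
    return 0;
}
```

The two-pass shape is deliberate: the original code opens the service with SERVICE_QUERY_STATUS only, which works from an unprivileged process, and escalates (the "runas" ShellExecute) only when a start is actually needed; checking every candidate's status before attempting any start keeps that property. One detail to carry over carefully from the quoted start_npf(): handles returned by OpenSCManager and OpenService are closed with CloseServiceHandle(), which the quoted quit_error path gets wrong by calling CloseHandle() on them.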