The Ndislwf sample is a do-nothing pass-through NDIS 6 filter driver that demonstrates the basic principles underlying an NDIS 6.0 Filter driver. The sample replaces the NDIS 5 Sample Intermediate Driver (Passthrough driver).
Although this sample filter driver is installed as a modifying filter driver, it doesn't modify any packets; it only repackages and sends down all OID requests. You can modify this filter driver to change packets before passing them along. Or you can use the filter to originate new packets to send or receive. For example, the filter could encrypt/compress outgoing and decrypt/decompress incoming data.
In the Install from Disk dialog, browse to the DriverTest\Drivers directory. Highlight the netlwf.inf file and click Open, then click OK. This should show NDIS Sample LightWeight Filter in a list of Network Services. Highlight NDIS Sample LightWeight Filter and click OK. Click OK. Click Close. Click Close. This installs the Ndislwf filter driver service.
Browse to the installation directory. Highlight the netlwf.inf file and click Open, then click OK. This should show NDIS Sample LightWeight Filter in a list of Network Services. Highlight this and click OK. Click OK. This installs the Ndislwf filter driver.
In the context of its FilterAttach handler, the filter driver calls NdisFSetAttributes to register its filter module context with NDIS. After that, the filter driver can read its own settings from the registry by calling NdisOpenConfigurationEx, and can call other NdisXxx functions.
After FilterAttach returns successfully, NDIS later restarts the filter by calling its FilterRestart handler. FilterRestart should prepare the filter to handle send and receive data. Once FilterRestart has returned successfully, the filter driver must be able to process send and receive requests.
NDIS calls the filter's FilterPause handler when NDIS needs to detach the filter from the stack or when there are configuration changes in the stack. In processing the pause request from NDIS, the Ndislwf driver waits for all of its own outstanding requests to complete before it completes the pause request.
NDIS calls the Ndislwf driver's FilterDetach entry point when NDIS needs to detach a filter module from the NDIS stack. The FilterDetach handler should free all memory allocated in FilterAttach and undo the other operations performed in the FilterAttach handler.
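The attach/restart/pause/detach sequence above is a state machine, and the part that matters for driver safety is the pause rule: a filter may not complete a pause (and therefore may never be detached and have its context freed) while any request it originated is still outstanding. The following user-mode C program is an added example, not code from the Ndislwf sample or from NDIS: it models that state machine with an outstanding-send counter, refuses traffic unless the module is Running, returns a pause as "pending" while sends are in flight, and completes it from the send-complete path when the count reaches zero. NDIS is not linked; the state names, function names and the `config` field are assumptions made for this illustration, and the comments name the real NDIS calls they stand in for.

```c
/* Added example: user-mode model of an NDIS 6 filter module's lifecycle.
 * Not the Ndislwf sample's code; names and fields are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Module states; attached modules start Paused, and only Paused modules may detach. */
typedef enum {
    FILTER_DETACHED = 0,
    FILTER_PAUSED,      /* attached, not passing traffic */
    FILTER_PAUSING,     /* pause requested, waiting for outstanding sends */
    FILTER_RUNNING      /* send/receive allowed */
} filter_state_t;

typedef struct {
    filter_state_t state;
    unsigned long outstanding_sends;  /* sends handed down but not yet completed */
    bool pause_pending;               /* pause was returned "pending" to NDIS */
    char *config;                     /* per-module context allocated in attach (assumed field) */
} filter_module_t;

/* FilterAttach: allocate the per-module context that NdisFSetAttributes would register. */
bool filter_attach(filter_module_t *m, const char *config_value) {
    memset(m, 0, sizeof *m);
    m->config = malloc(strlen(config_value) + 1);
    if (m->config == NULL) return false;      /* a real driver returns NDIS_STATUS_RESOURCES */
    strcpy(m->config, config_value);
    m->state = FILTER_PAUSED;
    return true;
}

/* FilterRestart: only a Paused module may begin handling send/receive. */
bool filter_restart(filter_module_t *m) {
    if (m->state != FILTER_PAUSED) return false;
    m->state = FILTER_RUNNING;
    return true;
}

/* Send path: refuse traffic unless Running, otherwise count it as outstanding. */
bool filter_send(filter_module_t *m) {
    if (m->state != FILTER_RUNNING) return false;  /* real driver completes with NDIS_STATUS_PAUSED */
    m->outstanding_sends++;
    return true;
}

/* Send-complete path: the last completion during a pause is what finishes the pause. */
void filter_send_complete(filter_module_t *m) {
    if (m->outstanding_sends == 0) return;
    m->outstanding_sends--;
    if (m->state == FILTER_PAUSING && m->outstanding_sends == 0) {
        m->state = FILTER_PAUSED;
        if (m->pause_pending) {
            m->pause_pending = false;  /* real driver calls NdisFPauseComplete here */
        }
    }
}

/* FilterPause: true if the pause completed synchronously, false if it is pending. */
bool filter_pause(filter_module_t *m) {
    if (m->state != FILTER_RUNNING) return false;
    m->state = FILTER_PAUSING;
    if (m->outstanding_sends == 0) {
        m->state = FILTER_PAUSED;
        return true;
    }
    m->pause_pending = true;          /* real driver returns NDIS_STATUS_PENDING */
    return false;
}

/* FilterDetach: legal only from Paused; undo everything FilterAttach did. */
bool filter_detach(filter_module_t *m) {
    if (m->state != FILTER_PAUSED) return false;
    free(m->config);
    m->config = NULL;
    m->state = FILTER_DETACHED;
    return true;
}

int main(void) {
    filter_module_t m;
    if (!filter_attach(&m, "constructed-config")) return 1;
    filter_restart(&m);
    filter_send(&m);
    filter_send(&m);
    printf("pause completed synchronously: %s\n", filter_pause(&m) ? "yes" : "no");
    filter_send_complete(&m);
    filter_send_complete(&m);
    printf("state after last completion: %d (3=Running 1=Paused)\n", m.state);
    printf("detach ok: %s\n", filter_detach(&m) ? "yes" : "no");
    return 0;
}
```

The point to take from the model is that FilterDetach fails while the module is Running or Pausing, so the context freed in detach cannot be referenced by a send that is still in flight; the same ordering is what the sample's FilterPause enforces by waiting for its outstanding requests before completing.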
Because Npcap is an NDIS 6 LWF filter driver, it is designed to run at system boot, so software will generally not need to start it, unlike WinPcap, which was often installed in a demand-start configuration.
ComboFix 13-09-14.01 - user 15-09-2013 20:39:16.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.91.1033.18.3002.1798 [GMT 5.5:30]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Quick Heal Total Security 13.00 *Enabled/Updated* D8418B0E-EE80-1320-B172-3D5DEB3CE14F
FW: Quick Heal Firewall *Enabled* E07A0A2B-A4EF-1278-9A2D-946815EFA634
SP: Quick Heal Total Security 13.00 *Enabled/Updated* 63206AEA-C8BA-1CAE-8BC2-062F90BBABF2
SP: Windows Defender *Disabled/Updated* D68DDC3A-831F-4fae-9E44-DA132C1ACF46
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Pitney Bowes MapInfo Professional v9.5_+_Example_Data\MIPro_v9.5_TrialData.exe
c:\users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\user\Documents\WRL0005.tmp
c:\users\user\Documents\WRL0006.tmp
c:\users\user\Documents\WRL0241.tmp
c:\users\user\Documents\WRL0412.tmp
c:\users\user\Documents\WRL0513.tmp
c:\users\user\Documents\WRL0693.tmp
c:\users\user\Documents\WRL0743.tmp
c:\users\user\Documents\WRL0858.tmp
c:\users\user\Documents\WRL1060.tmp
c:\users\user\Documents\WRL1089.tmp
c:\users\user\Documents\WRL1107.tmp
c:\users\user\Documents\WRL1138.tmp
c:\users\user\Documents\WRL1233.tmp
c:\users\user\Documents\WRL1475.tmp
c:\users\user\Documents\WRL1512.tmp
c:\users\user\Documents\WRL1999.tmp
c:\users\user\Documents\WRL2150.tmp
c:\users\user\Documents\WRL2406.tmp
c:\users\user\Documents\WRL2419.tmp
c:\users\user\Documents\WRL3090.tmp
c:\users\user\Documents\WRL3102.tmp
c:\users\user\Documents\WRL3191.tmp
c:\users\user\Documents\WRL3224.tmp
c:\users\user\Documents\WRL3375.tmp
c:\users\user\Documents\WRL3487.tmp
c:\users\user\Documents\WRL3520.tmp
c:\users\user\Documents\WRL3643.tmp
c:\users\user\Documents\WRL3685.tmp
c:\users\user\Documents\WRL3831.tmp
c:\users\user\Documents\WRL3867.tmp
c:\users\user\Documents\WRL3876.tmp
c:\users\user\Documents\WRL4020.tmp
.
.
((((((((((((((((((((((((( Files Created from 2013-08-15 to 2013-09-15 )))))))))))))))))))))))))))))))
.
.
2013-09-15 15:15 . 2013-09-15 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-12 09:00 . 2013-09-12 09:00 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2013-09-12 08:59 . 2013-09-12 08:59 -------- d-----w- c:\programdata\Malwarebytes
2013-09-12 08:59 . 2013-09-12 15:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-11 16:28 . 2013-09-11 16:28 -------- d-----w- c:\users\user\AppData\Roaming\337 Wallpaper
2013-09-11 16:20 . 2013-09-12 04:11 -------- d-----w- c:\programdata\Freemake
2013-09-11 16:20 . 2013-09-12 04:11 -------- d-----w- c:\program files\Freemake
2013-09-11 15:46 . 2013-09-11 15:46 -------- d-----w- c:\users\user\AppData\Roaming\EurekaLog
2013-09-11 15:46 . 2013-09-11 15:46 -------- d-----w- c:\program files\FDRLab
2013-09-11 08:01 . 2013-09-11 08:01 -------- d-----w- c:\users\user\AppData\Local\Programs
2013-08-23 06:51 . 2013-08-23 06:55 -------- d-----w- c:\program files\USBAntivirus
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-11 07:53 . 2013-07-11 07:53 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-11 07:53 . 2012-08-27 11:20 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-11 07:53 . 2010-11-09 07:56 789416 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\\Browser Helper Objects\30F9B915-B755-4826-820B-08FBA6BD249D]
2010-12-09 07:21 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\\Browser Helper Objects\bf7380fa-e3b4-4db2-af3e-9d8783a45bfc]
2010-12-09 07:21 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"bf7380fa-e3b4-4db2-af3e-9d8783a45bfc"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"30F9B915-B755-4826-820B-08FBA6BD249D"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\bf7380fa-e3b4-4db2-af3e-9d8783a45bfc]
.
[HKEY_CLASSES_ROOT\clsid\30f9b915-b755-4826-820b-08fba6bd249d]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
"30F9B915-B755-4826-820B-08FBA6BD249D"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\bf7380fa-e3b4-4db2-af3e-9d8783a45bfc]
.
[HKEY_CLASSES_ROOT\clsid\30f9b915-b755-4826-820b-08fba6bd249d]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-06-21 19875432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-08 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-08 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-08 151064]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-28 7625248]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"VitaKeyPdtWzd"="c:\program files\Acer Bio Protection\PdtWzd.exe" [2009-09-05 3570176]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-08-07 225280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-09-03 1557800]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"Quick Heal Core UI"="c:\program files\Quick Heal\Quick Heal Total Security\strtupap.exe" [2011-08-06 161224]
"UIExec"="c:\program files\Reliance 3G\UIExec.exe" [2011-08-09 153424]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-06-22 1103744]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2012-02-05 383424]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-12-23 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-23 275768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ c:\program files\Acer Bio Protection\PwdFilter
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200445]
Ime File REG_SZ GoogleInputTools.ime
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 mscank;mscank;c:\windows\system32\DRIVERS\mscank.sys [2011-08-06 33096]
R2 Core Scanning ServerEx;Core Scanning ServerEx;c:\program files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [2011-08-06 206280]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-06-21 162408]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [x]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [x]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 25112]
R3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-03-26 9216]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-09-02 174592]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-13 1343400]
R3 wsnf;Network Filter Service;c:\windows\system32\DRIVERS\wsnf.sys [2011-08-06 44616]
R4 ggc;ggc;c:\windows\system32\DRIVERS\ggc.sys [2011-07-29 49864]
R4 Online Protection System;Online Protection System;c:\program files\Quick Heal\Quick Heal Total Security\opssvc.exe [2011-08-06 24520]
S1 wstif;wstif;c:\windows\system32\drivers\wstif.sys [2012-04-10 67136]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2009-08-04 1807608]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2012-01-31 19232]
S2 catflt;catflt;c:\windows\system32\DRIVERS\catflt.sys [2011-08-06 39880]
S2 Core Mail Protection;Core Mail Protection;c:\program files\Quick Heal\Quick Heal Total Security\EMLPROXY.EXE [2011-08-06 29640]
S2 Core Scanning Server;Core Scanning Server;c:\program files\Quick Heal\Quick Heal Total Security\SAPISSVC.EXE [2011-08-06 206280]
S2 EMLSS;EMLSS;c:\windows\system32\drivers\emltdi.sys [2011-08-06 29384]
S2 GoogleInputService;GoogleInputService;c:\program files\Google\Google Input Tools\GoogleInputService.exe [2012-11-07 164888]
S2 IGBASVC;EgisTec Service;c:\program files\Acer Bio Protection\BASVC.exe [2009-09-05 3449856]
S2 Quick Update Service;Quick Update Service;c:\program files\Quick Heal\Quick Heal Total Security\quhlpsvc.exe [2011-08-06 90568]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-05-14 3289208]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S2 UI Assistant Service;UI Assistant Service;c:\program files\Reliance 3G\AssistantServices.exe [2011-08-09 270672]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2009-08-04 659328]
S3 IntcHdmiAddService;Intel High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-10 122880]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\DRIVERS\L1C62x86.sys [2009-07-27 51712]
S3 netw5v32;Intel Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\DRIVERS\NxDrv.sys [2009-10-21 22600]
S3 wsnfmp;Network Filter Miniport;c:\windows\system32\DRIVERS\wsnf.sys [2011-08-06 44616]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-04 06:22]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-04 06:22]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-108519296-852325044-3339374726-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 15:11]
.
2013-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-108519296-852325044-3339374726-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-01 15:11]
.
2013-09-15 c:\windows\Tasks\Resume Quickup Download.job
- c:\program files\Quick Heal\Quick Heal Total Security\ACAPPAA.EXE [2011-08-06 17:50]
.
.
------- Supplementary Scan -------
.
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ekolurc - c:\users\user\AppData\Roaming\Avwyor\ernen.exe
HKLM-Run-AutorunRemover.exe - c:\program files\AutorunRemover\AutorunRemover.exe
HKLM-Run-USBAntivirus.exe - c:\program files\USBAntivirus\USBAntivirus.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\4D36E96D-E325-11CE-BFC1-08002BE10318\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\4D36E96D-E325-11CE-BFC1-08002BE10318\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\4D36E96D-E325-11CE-BFC1-08002BE10318\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\4D36E96D-E325-11CE-BFC1-08002BE10318\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\4D36E96D-E325-11CE-BFC1-08002BE10318\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(564)
c:\program files\Acer Bio Protection\PwdFilter.DLL
.
- - - - - - - > 'Explorer.exe'(3624)
c:\windows\System32\wer.dll
c:\windows\System32\SyncCenter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Acer Bio Protection\CompPtcVUI.exe
c:\program files\Quick Heal\Quick Heal Total Security\SCANWSCS.EXE
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\windows\system32\sppsvc.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\taskhost.exe
c:\program files\Google\Google Input Tools\GoogleInputHandler.exe
c:\windows\system32\conhost.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-09-15 20:50:54 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-15 15:20
.
Pre-Run: 9,033,334,784 bytes free
Post-Run: 8,792,068,096 bytes free
.
- - End Of File - - 41B9412D053C3E1E9602147CA5354DA0A36C5E4F47E84449FF07ED3517B43A31 2ff7e9595c