In my kernel extension I am currently supporting, I communicate with user spaces using sockets. So, I subscribe to some callbacks and correctly process them
reg.ctl_send = ctl_handle_send;
reg.ctl_getopt = ctl_handle_getopt;
reg.ctl_setopt = ctl_handle_setopt;
reg.ctl_connect = ctl_handle_connect;
reg.ctl_disconnect = ctl_handle_disconnect;
Everything works as expected. Only one problem - I can not unload my kernel extension if there are user space clients that are connected (ctl_deregister(kctlref) returns errors)
Is there a way to override it in kernel extension? I would like to disconnect from ALL clients and successfully unregister myself
Related
I am using Windows Bluetooth LE GATT library to connect to and pair with a BLE-supporting device, D. Since D has a limited amount of storage space, if more than N Clients bond with it, then it will remove the first Long Term Key pair that was created during bonding.
Let's say that the device for which this key-pair was removed was a Windows Enabled machine. Let's call this W. The next time W attempts to connect with D, when it receives the LTK_Request_Event from W, it responds with Long_Term_Key_Requested_Negative_Reply, and W terminates the connection.
But here's where things get really exasperating. Even though the Windows BLE Stack seems to be aware of this response (because it disconnects), this does not seem to be communicated downstream to applications using the Bluetooth LE GATT library. In fact, from the application's side, a pairing request will return with "Already Paired", and does not indicate that anything went wrong. Of course, once the application tries to access protected characteristics, it won't be able to, and that, so far, is the only indication that Pairing was not successful. Even worse, the errors it receives aren't consistent. Sometimes, it gets "Unreachable". Sometimes, it gets protocol errors. Other times, it receives ABORTs.
Now, as a heuristic, I could use detection of this case as criteria for attempting to re-pair. Unfortunately, this is not ideal, since none of these errors actually imply that the device no longer honored the LTKs, and could, instead, indicate other issues, like that the device is out of range.
Is there any way to detect that existing LTKs have been rejected by the device?
Let's see what the Bluetooth specification says about this.
Bluetooth Core version 5.2, Vol 3 (Host), Part C (Generic Access Profile)
Section 10.3.2 Initiating a service request:
In this section the local device is the device initiating a service request to a
remote device. In the L2CAP protocol the local device sends the connection
request and the remote device sends the connection response. In GATT, the
local device is the GATT client and the remote device is the GATT server.
When a local device initiates a service request to a remote device it shall
behave according to the following rules:
[...]
If an LTK is available and encryption is required (LE security mode 1) then
encryption shall be enabled before the service request proceeds as defined proceed. If encryption fails either the bond no longer exists on the remote
device, or the wrong device has been connected. The local device must,
after user interaction to confirm the remote device, re-bond, perform service
discovery and re-configure the remote device. [...]
If Windows's BLE stack doesn't allow for what the specification mandates, it is not specification compliant, in my eyes, so please file an issue report at Microsoft.
The reason for requiring user interaction and not blindly re-bond is to avoid a situation where a hacker can simply spoof the bluetooth device address, indicate it has lost the bond and automatically re-bond without the user noticing anything.
EDIT:
The Security Manager chapter also has a table of actions to do when encryption fails due to deleted keys. See section 2.4.4.2 of Vol 3, Part H.
It specifically says when the devices were bonded before that the action to take when enabling encryption fails is to "Notify user of security failure."
How do I close tcp v4 and tcp v6 connections on Windows? I don't want to kill the entire process that has the open connection as this obviously will kick everyone else off that process. I need to do this from a separate process, and so will not have access to socket handles, etc. I am using Windows API to get tcp table, etc. so I know which connections are active.
One way might be to enumerate all open handles on the system, or at least the open handles of a given target process, until you find the SOCKET handle you are interested in (see HOWTO: Enumerate handles, Socket Handles, and C++ Get Handle of Open Sockets of a Program - though I'm not sure how you would be able to retrieve the IP/Port pairs of a SOCKET to compare to the active connection you are interested in, without injecting remote getsockname()/getpeername() calls into the owning process of the SOCKET).
Once you have found the SOCKET handle you want, you can then close it by using DuplicateHandle() with the DUPLICATE_CLOSE_SOURCE flag 1.
1: This is how the "Close Handle" feature in Process Explorer works.
Since I'm using C#, I cannot PInvoke SetTcpEntry, even as administrator with an app.manifest file, it always sends a 317 error. So I created a C++ .exe to close a comma separated list of ipv4 addresses on the command line using SetTcpEntry, works fine even without an app.manifest file. That solves kicking ipv4 connections.
I tried using the get handles approach with NtQuerySystemInformation but never could get it working quite right, and it is a private mostly undocumented API and seems unsafe to use.
So, for ipv6, I am using windivert and injecting RST flag to ipv6 packets with certain ip addresses. It is as simple as setting the RST flag of an incoming packet before sending it on through with windivert. The downside is, if the client never sends another packet, the ipv6 socket still stays open indefinitely.
Perhaps someday Microsoft will add a SetTcpEntry6 function, but until then this appears to be the only realistic way.
UPDATE 2022-05-01, found this gem at https://www.x86matthew.com/view_post?id=settcpentry6
I have been trying to find some way of redirecting outbound TCP packets under windows.
from from : https://github.com/basil00/Divert/blob/master/doc/windivert.html
"The WinDivert driver is automatically (and silently) installed on demand whenever
your application calls WinDivertOpen(). The calling application must have Administrator privileges."
Am a newbie in windows service programming. I want my Windows service to call the function WinDivertOpen().
Can someone just give a lead sample on how to go about it.
Thanks
I am using the 32feet bluetooth library to connect to a device that supports Serial Port Profile (SPP). I try to connect like this:
using (BluetoothClient client = new BluetoothClient())
{
var address = new BluetoothAddress(0xecfe7e11c3af);
BluetoothEndPoint endPoint = new BluetoothEndPoint(address, BluetoothService.SerialPort);
client.Connect(endPoint);
var stream = client.GetStream();
System.Threading.Thread.Sleep(10000);
}
Everything is great until the Connect method is called. At this point, Windows interrupts the program flow with a bubble alert that says
"A bluetooth device is trying to connect -- click to allow this"
At which point the user is led through a wizard that ends up installing drivers and a Bluetooth virtual COM port shows up in Device Manager. I don't want this to happen -- I want to simply access the stream and communicate directly with the device without windows intervening. Is this possible? What can be done to tell Windows to keep out of my business?
I'm attempting to connect to a Bluetooth 4.0 device. I've done something similar in the past with a 2.0 device and Windows does not interfere in this case.
Have a look at http://SimpleBluetooth4Win.SourceForge.net
It's a small wrapper library that uses the windows bluetooth networking API that could help you.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa362932%28v=vs.85%29.aspx
In particular if your bluetooth USB dongle or bluetooth device has been correctly recognized by the appropriate drivers and the remote bluetooth device is already paired with the PC, you don't need to install a bluetooth virtual COM port that shows up in Device Manager but you simply use the write or read calls to access directly the stream for communicating with the paired device.
On a Windows Mobile 6 device we are trying to open an internet connection. This usually works but sometimes we get a return code of 0x80004005 with a status of CONNMGR_STATUS_NOPATHTODESTINATION. When this happens it will keep happening but if you launch IE on the device, it will connect and then our call to ConnMgrEstablishConnectionSync works. We have not been able to isolate what causes this to happen, it currently appears to be random (though I suspect it isn't). Any hints?
Our code looks basically like this:
CONNMGR_CONNECTIONINFO connInfo;
DWORD dwStatus = 0;
memset(&connInfo, 0, sizeof(connInfo));
connInfo.cbSize = sizeof(connInfo);
connInfo.dwParams = CONNMGR_PARAM_GUIDDESTNET;
connInfo.dwFlags = CONNMGR_FLAG_NO_ERROR_MSGS;
connInfo.dwPriority = CONNMGR_PRIORITY_HIPRIBKGND;
connInfo.guidDestNet = IID_DestNetInternet; /* Connect to the "Internet" network */
hr = ConnMgrEstablishConnectionSync(&connInfo, &s_hConnection, 120 * 1000, &dwStatus);
Windows Mobile connection manager is a huge PITA. Do you get the same error if you specify the network address by IP (e.g. "255.255.255.255/whatever") instead of by server name?
My guess is you could reproduce the lack-of-connection on demand with one of these methods:
Clearing the history in IE on the WM device
Closing IE from the running programs screen (in other words, really removing it from memory)
Soft resetting the device