IpHook is a very simple TCP/IP monitor developed to
demonstrate the built-in but poorly documented hook facility in the Windows
2000 TCP/IP protocol stack.
This package includes source code, and is freely
distributed. The source code can be freely re-used, including re-use for
commercial applications. However, there is of course ABSOLUTELY NO WARRANTY
THAT THIS SOFTWARE IS SUITABLE FOR ANY PURPOSE. IT IS DISTRIBUTED “AS IS” AND
“WITH ALL DEFECTS”.
IpHook requires a Windows 2000 platform.
There are no manual steps required to install the IpHook
monitor application (IpMonitor) and the associated kernel mode driver (IpHook.sys).
If you are reading this file then you have already installed all required
components.
Starting the application starts the associated kernel
driver. Normal termination of the application stops the associated kernel
driver. If you kill the IpMonitor application then you will have to either
reboot or execute the command line “net stop iphook” in order to stop
the kernel driver.
Please use the control panel Add/Remove Programs applet
to uninstall IpHook. No other method is supported.
The setup program installed the IpMonitor at a location of
your choice. That installation directory also contains the source distribution
for the IpMonitor application and the IpHook driver.
The directory structure is as follows:
Inc   Global include files used by both the application and the driver.
Sys   All kernel mode components (i.e. the driver) are in this path.
Usr   All user mode components (i.e. the application) are in this path.
At the top level of the source distribution there is a file
named projectfile.def used by the kernel driver build process to control
global build options. This file may have to be modified to reflect your system's
configuration.
The Inc directory contains a single include file: iphook.h
used by both the IpMonitor application and the IpHook driver.
The Sys directory contains a single subdirectory named
driver, that in turn contains all the source and include files for the IpHook driver.
The Usr directory contains a single subdirectory named
IpMonitor that contains all the source and include files for the IpMonitor
application.
The source organization is a bit over-complicated for this
particular project, but it is the standard format used by all Hollis Technology
Solutions NT projects.
The driver requires the Windows 2000 DDK. It also requires
our HtsCpp runtime library. This library can be downloaded from our website, http://www.hollistech.com/.
Once the HtsCpp library is installed you must modify the
build for the kernel driver IpHook.sys so that it can find the C++ runtime
library. This is done by editing the file projectfile.def in the installation directory. (There is also
a projectfile.def in the sys\driver directory, however that file
need not be modified.)
Change the line in projectfile.def that looks like
this:
GLOBALLIBS=$(PROJECTROOT)\..\lib$(TARG_SUFFIX)
To reflect the location where HtsCpp was installed.
By default, this file reflects the build system where IpHook
was originally built. On that system HtsCpp is a folder at the same level as
IpHook, both of which are in a parent folder called Win2Kprojects. The setting $(PROJECTROOT)\..\lib$(TARG_SUFFIX)
reflects this organization, as the file htscpp.lib is found in
Win2Kprojects\libchk\i386.
One simple option is to place an absolute path to the HtsCpp
installation here, as in:
GLOBALLIBS=D:\htscpp\lib$(TARG_SUFFIX)
Crude, but effective.
Note that if both IpHook and HtsCpp are installed in the
same location, they share a common directory structure (no coincidence that)
and consequently the installation would look as follows:
├───inc
├───libChk
│ └───i386
├───libFre
│ └───i386
├───sys
│ ├───cpplib
│ ├───driver
│ │ ├───obj
│ │ └───objchk
│ │ └───i386
│ ├───inc
│ └───testDrv
└───usr
└───IpMonitor
├───hlp
└───res
The debug version of htscpp.lib would be located at
libchk\i386\htscpp.lib, and the specification for GlobalLibs would be:
GLOBALLIBS=..\..\lib$(TARG_SUFFIX)
The IpMonitor application is a standard Visual Studio™
version 6 MFC application. If you don't have Visual Studio version 6
installed, you should probably not try to build the application. Otherwise,
simply double click the project file or open the project from within the Visual
Studio IDE and build it like any other MFC application.
Note that the application and the driver executable must be
located in the same directory or the application will not operate successfully.
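The two behaviours described above (starting the application loads IpHook.sys and a normal exit unloads it, and the driver must sit beside the application) are what a user mode program gets by locating the driver relative to its own executable and driving it through the Service Control Manager. The following is an added example written for this README; it is not IpMonitor's own code (that lives in Usr\IpMonitor) and it does not claim that IpMonitor is implemented exactly this way. The service name "iphook" is taken from the "net stop iphook" command above, the file name IpHook.sys from this document; the function names and error handling are this example's own. The path helper is portable C so it can be checked on any platform; the SCM calls are only compiled on Windows.

```c
/*
 * Added example (not IpMonitor's own code): a user mode Win32 program that
 * loads a legacy kernel driver living beside its own executable through the
 * Service Control Manager, and unloads it again on normal exit.
 * Assumptions: service name "iphook" (from "net stop iphook" in the README),
 * driver file name IpHook.sys (from the README). All function names below
 * are this example's own.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<directory of exe>\<driver_name>" from the full path of the running
 * executable. This is why the application and the driver must share a
 * directory: the driver path is derived from the executable path.
 * Returns 0 on success, -1 if exe_path has no directory part or the output
 * buffer is too small. */
int driver_path_beside(const char *exe_path, const char *driver_name,
                       char *out, size_t out_len)
{
    const char *slash = strrchr(exe_path, '\\');
    size_t dir_len;
    if (!slash) return -1;
    dir_len = (size_t)(slash - exe_path) + 1;   /* keep the trailing '\' */
    if (dir_len + strlen(driver_name) + 1 > out_len) return -1;
    memcpy(out, exe_path, dir_len);
    strcpy(out + dir_len, driver_name);
    return 0;
}

#ifdef _WIN32
/* Register the driver as a kernel mode service (or open it if an installer
 * already registered it) and start it. Returns NULL on failure. */
static SC_HANDLE start_driver(SC_HANDLE scm, const char *svc_name,
                              const char *driver_path)
{
    SC_HANDLE svc = CreateServiceA(scm, svc_name, svc_name,
                                   SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER,
                                   SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
                                   driver_path, NULL, NULL, NULL, NULL, NULL);
    if (!svc && GetLastError() == ERROR_SERVICE_EXISTS)
        svc = OpenServiceA(scm, svc_name, SERVICE_ALL_ACCESS);
    if (!svc) return NULL;
    if (!StartServiceA(svc, 0, NULL) &&
        GetLastError() != ERROR_SERVICE_ALREADY_RUNNING) {
        CloseServiceHandle(svc);
        return NULL;
    }
    return svc;
}

/* Stop the driver. This is what a normal exit does; if the process is killed
 * before reaching it the service keeps running, which is the situation
 * "net stop iphook" (or a reboot) cleans up. */
static void stop_driver(SC_HANDLE svc)
{
    SERVICE_STATUS st;
    ControlService(svc, SERVICE_CONTROL_STOP, &st);
    CloseServiceHandle(svc);
}

int main(void)
{
    char exe[MAX_PATH], drv[MAX_PATH];
    SC_HANDLE scm, svc;

    if (!GetModuleFileNameA(NULL, exe, sizeof exe)) return 1;
    if (driver_path_beside(exe, "IpHook.sys", drv, sizeof drv) != 0) return 1;

    /* Creating and starting a kernel service requires administrator rights. */
    scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (!scm) { printf("OpenSCManager failed: %lu\n", GetLastError()); return 1; }

    svc = start_driver(scm, "iphook", drv);
    if (!svc) {
        printf("driver start failed: %lu\n", GetLastError());
        CloseServiceHandle(scm);
        return 1;
    }

    printf("%s loaded; press Enter to unload\n", drv);
    getchar();

    stop_driver(svc);
    CloseServiceHandle(scm);
    return 0;
}
#else
/* Non-Windows build: only the path logic is exercised. Constructed input. */
int main(void)
{
    char drv[260];
    if (driver_path_beside("D:\\IpHook\\IpMonitor.exe", "IpHook.sys",
                           drv, sizeof drv) == 0)
        printf("%s\n", drv);
    return 0;
}
#endif
```

The same-directory requirement follows directly from driver_path_beside(): it never searches a path, it only replaces the executable's file name. The security-relevant point is that whoever can write IpHook.sys into that directory controls what gets loaded into the kernel, so keep the installation directory writable by administrators only.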
Please remember that this is freeware to be used for
research into operating systems internals. It is not intended for commercial
use and should never be deployed on a system that contains anything of value,
or that is used for any purpose other than testing and debugging operating
systems.
If you do encounter technical problems, please report them
to:
support@hollistech.com.