 #30569  by Carlbyte
 Wed Jul 12, 2017 2:02 am
Hello everyone,

I'm trying to create a function in a TDI driver to close a TCP/UDP connection(less).

Initially, I tried the simpler option of closing a UDP connectionless socket, using the ObDereferenceObject function and
passing the FILE_OBJECT (TdiTransportAddress) parameter that was created in irp_create. The result was
STATUS_UNSUCCESSFUL. Is this procedure wrong?
 #30581  by Carlbyte
 Thu Jul 13, 2017 2:22 pm
I run a program that creates the socket; with a driver, I call the ObDereferenceObject function on the TdiTransportAddress file object, and nothing happens. When the program closes, a blue screen occurs!
 #30582  by Vrtule
 Thu Jul 13, 2017 3:14 pm
Hello,
Carlbyte wrote: when the program closes, a blue screen occurs
Manipulating data structures belonging to other drivers often has such consequences. I would be careful especially with file objects, since their semantics are quite complex. Also, part of the sockets implementation is in user mode inside a Winsock Provider DLL (WSP), which can be very unhappy if you start playing with the structures it uses through open handles.

What about blocking all traffic going through that socket/connection? The connection would die by itself after some time (and in a more or less documented manner).

Vrtule
 #30595  by Vrtule
 Fri Jul 14, 2017 3:16 pm
Carlbyte wrote: I tried this procedure https://msdn.microsoft.com/en-us/librar ... s.85).aspx

There is some software that closes TCP connections; can you tell me what kind of procedure it uses? Tips...
AFAIR I probably use the same procedure in my driver that communicates via TDI (so it does not do the things you need). But it would definitely become unhappy if you just called ObDereferenceObject on one of its (file) objects, because by that call you remove a reference that is not yours (which is not the problem, in theory) and my driver does not know that the reference is gone (which is the problem). But I don't know how Winsock works here.
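As an added illustration of the reference-counting point made above (not code from Vrtule, Carlbyte, or any TDI driver): a small user-mode C model of an ObDereferenceObject-style count. The object type, the scenario functions and the "freed" flag are constructed for this example and stand in for the kernel's real object manager; it compiles and runs anywhere, and shows why a foreign dereference does nothing visible at first but turns into a use-after-free the moment the legitimate owner drops its own reference (the "nothing happens, then BSOD when the program closes" sequence described in the thread).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a reference-counted object. This is NOT the Windows
 * object manager; it only mimics the counting rule that ObReferenceObject /
 * ObDereferenceObject enforce: the object lives while refcount > 0. */
typedef struct {
    long refcount;   /* live references; the object dies when this hits zero */
    int  freed;      /* set instead of really freeing, so a late use is detectable */
    char name[32];
} Object;

/* Creating the object hands its creator (the handle owner) one reference. */
static Object *object_create(const char *name)
{
    Object *o = calloc(1, sizeof *o);
    o->refcount = 1;
    strncpy(o->name, name, sizeof o->name - 1);
    return o;
}

static void object_reference(Object *o) { o->refcount++; }

/* Returns 1 if this call released the last reference (object now "freed"). */
static int object_dereference(Object *o)
{
    if (--o->refcount == 0) {
        o->freed = 1;
        return 1;
    }
    return 0;
}

/* The legitimate owner later touches the object it believes it still holds.
 * A touch after the free models the use-after-free that bugchecks in kernel. */
static int owner_touch(Object *o)
{
    return o->freed ? -1 : (int)strlen(o->name);
}

/* Scenario A (balanced): handle reference + driver's own reference,
 * each released only by the party that took it. */
static int scenario_balanced(void)
{
    Object *addr = object_create("TdiTransportAddress"); /* handle ref: 1 */
    object_reference(addr);                              /* driver ref: 2 */
    object_dereference(addr);                            /* process closes handle: 1 */
    int rc = owner_touch(addr);                          /* driver's access is still safe */
    object_dereference(addr);                            /* driver releases its ref: 0 */
    free(addr);
    return rc;                                           /* 19 == strlen(name) */
}

/* Scenario B (the thread's bug): a third driver calls dereference on a
 * reference it never took. Nothing crashes at that moment; the count merely
 * drops to what the owner thinks is "handle only". When the process then
 * closes its handle the object is freed while the driver still uses it. */
static int scenario_foreign_deref(void)
{
    Object *addr = object_create("TdiTransportAddress"); /* handle ref: 1 */
    object_reference(addr);                              /* driver ref: 2 */
    object_dereference(addr);   /* foreign ObDereferenceObject: 2 -> 1, no visible effect */
    object_dereference(addr);   /* process closes handle: 1 -> 0, freed too early */
    int rc = owner_touch(addr); /* owner's next access: use-after-free (-1) */
    free(addr);
    return rc;
}

int main(void)
{
    printf("balanced=%d foreign_deref=%d\n",
           scenario_balanced(), scenario_foreign_deref());
    return 0;
}
```

The model deliberately keeps the memory alive and flags it instead of freeing, so the late access is observable rather than undefined; in the kernel the same sequence hits a freed pool allocation, which is the blue screen the first poster saw.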