Wednesday, February 09, 2005

Promqry, revisited

Okay, I think I've figured out how promqry.exe works. If you see my previous blog entry on the subject, I mentioned that promqry.exe uses WMI to see if the NIC on a machine is in promiscuous mode; i.e., if there's sniffing going on. Well, I like to see how things work, so...

I did some looking around, specifically at the classes WMI uses to interface with the Windows Driver Model (WDM), and found the MSNdis_CurrentPacketFilter class. Nice! The class provides three properties...Active (which is a boolean...basically, "yes" or "no"), the InstanceName of the class (a string), and NdisCurrentPacketFilter (a 32-bit integer). So, you can get the name of the interface, and its current packet filter settings.

To see these classes on your Windows system (I'm on XP), go to the 'Run' box in the Start menu and type "wbemtest". When the WMI Tester window appears, click on "Connect", and type "root\wmi" into the first box, and click on "Connect". This takes you back to the WMI Tester window...from there, click on "Enum Classes". Click the "Recursive" radio button, and then "OK". Scroll down in the Query Result dialog window until you find "MSNdis_CurrentPacketFilter". Double click this to see the properties of the class.

So, what do you do with this? Well, to see what's encoded in the OID_GEN_CURRENT_PACKET_FILTER, go here or here. We know that if the value for NDIS_PACKET_TYPE_PROMISCUOUS is set, the NIC is in promiscuous mode. Since this value is 0x0020, we know that, basically, the 6th bit of the 32-bit packet filter is set. Neat, eh?

So, using this information, we can write a nice little Perl script that uses WMI to retrieve the current packet filter for all active interfaces. I did so (I added a little code to report only unique interface names, and skip over the "WAN Miniport" blah blah blah), and simply had the script check to see if the returned current packet filter was greater than 36. I did some initial testing with this and Ethereal, and it seemed to work just fine.
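A script along the lines of the one described above, written here as an added example rather than the author's own script: it uses the Win32::OLE module (assumed installed) to query root\wmi for MSNdis_CurrentPacketFilter instances, and tests the NDIS_PACKET_TYPE_PROMISCUOUS bit directly instead of comparing the filter value against 36.

```perl
#!/usr/bin/perl
# Added example (not the blog author's script): list active NICs via WMI's
# MSNdis_CurrentPacketFilter class and flag any whose packet filter has
# NDIS_PACKET_TYPE_PROMISCUOUS (0x0020) set.
use strict;
use warnings;
use Win32::OLE qw(in);

use constant NDIS_PACKET_TYPE_PROMISCUOUS => 0x0020;

# Returns 1 if the promiscuous bit is set in a packet filter value, else 0.
# A bit test is more precise than "greater than 36", since other filter
# bits (multicast, broadcast, etc.) can push the value past 36 on their own.
sub is_promiscuous {
    my ($filter) = @_;
    return ($filter & NDIS_PACKET_TYPE_PROMISCUOUS) ? 1 : 0;
}

# Connect to the root\wmi namespace on the local machine (the same
# namespace used with wbemtest above).
my $wmi = Win32::OLE->GetObject(
    'winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\wmi')
    or die "Cannot connect to root\\wmi: " . Win32::OLE->LastError() . "\n";

my $instances = $wmi->InstancesOf('MSNdis_CurrentPacketFilter');

my %seen;   # report each interface name only once
foreach my $obj (in $instances) {
    next unless $obj->{Active};              # skip inactive instances
    my $name = $obj->{InstanceName};
    next if $name =~ /WAN Miniport/i;        # skip the WAN Miniport pseudo-interfaces
    next if $seen{$name}++;

    my $filter = $obj->{NdisCurrentPacketFilter};
    printf "%-45s filter=0x%08x  %s\n", $name, $filter,
        is_promiscuous($filter) ? "PROMISCUOUS" : "normal";
}
```

Run it under an account that can read root\wmi (normally an administrator); a "PROMISCUOUS" line is worth cross-checking against whatever capture tool you expect to be running on that box.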

So what does all this mean? Well, in the big scheme of things...not a whole lot. Yeah, I like to see how things work and drill down as far as I'm able. And yes, there are other tools that will let you do this, such as promiscdetect.exe and promqry.exe...but sometimes it's just fun to see what you can do.

Want to see some really cool examples of the use of WMI and WDM? Check out Beetle's (of Shmoo fame) presentation materials on Wireless Weapons of Mass Destruction for Windows. He's got some VBScripts included in the package that, at some point, I'd like to convert to Perl and play around with.
