My goal is to write a driver which would display open TCP ports in the kernel debugger. I made a function which hooks the nsiproxy driver and waits for an IOCTL_NSI_GETALLPARAM request. If there is such a call, it prints all of the TCP ports in the debugger. But there is a problem: the ports that are printed in the debugger don't exist, and only a few of them are shown. I am unable to find the issue in my code, because every time I run the driver, the printed ports seem random.
Here is my printing function:
    NTSTATUS PrintOpenPorts(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
    {
        ULONG ioctl;
        PIO_STACK_LOCATION irpStack;
        NTSTATUS status;

        irpStack = IoGetCurrentIrpStackLocation(pIrp);
        ioctl = irpStack->Parameters.DeviceIoControl.IoControlCode;

        // Only look at the NSI "get all parameters" request; everything else is passed straight through.
        if (ioctl == IOCTL_NSI_GETALLPARAM)
        {
            if (irpStack->Parameters.DeviceIoControl.InputBufferLength == sizeof(NSI_PARAM))
            {
                // The IOCTL is METHOD_NEITHER, so UserBuffer is the caller's NSI_PARAM block.
                PNSI_PARAM nsiParam = static_cast<PNSI_PARAM>(pIrp->UserBuffer);

                if (nsiParam->Entries)
                {
                    // Entries points at the caller's array of TCP rows; walk it and print each bound local port.
                    PNSI_TCP_ENTRY tcpEntries = (PNSI_TCP_ENTRY)nsiParam->Entries;

                    for (ULONG i = 0; i < nsiParam->Count; i++)
                    {
                        if (nsiParam->Type == NSI_PARAM_TYPE::Tcp)
                        {
                            if (tcpEntries[i].Local.Port != 0)
                            {
                                DbgPrint("[+] Port : %d\n", ntohs(tcpEntries[i].Local.Port));
                            }
                        }
                    }
                }
            }
        }

        // Hand the request on to the original nsiproxy dispatch routine.
        status = PreviousDispatch(DeviceObject, pIrp);
        return status;
    }
The ntohs function:
    // 16-bit byte swap: the port field is stored in network (big-endian) order.
    #define ntohs(s) \
        ((((s) >> 8) & 0x00FF) | \
         (((s) << 8) & 0xFF00))
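The walk over the NSI rows above trusts `Count`, `Type` and `Entries` as they arrive and converts each port with the swap macro. As an added example (this is not code from the question, and it runs in user mode rather than as a driver), here is the same row walk written so that it validates the header against the buffer that actually backs it before reading any row, skips unbound rows, de-duplicates ports and swaps them to host order. The `struct nsi_param` / `struct tcp_entry` layouts, the `NSI_TYPE_TCP` value and the sample table are all assumptions made for the demonstration; they are not the real, undocumented `NSI_PARAM` / `NSI_TCP_ENTRY` definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. The layouts below are ASSUMED
 * for this demonstration and are not the real NSI_PARAM / NSI_TCP_ENTRY. */
enum nsi_param_type { NSI_TYPE_TCP = 3 };   /* assumed value */

struct tcp_entry {           /* assumed shape of one TCP table row */
    uint8_t  family;         /* AF_INET / AF_INET6 */
    uint16_t local_port;     /* network byte order */
    uint32_t local_addr;
    uint16_t remote_port;    /* network byte order */
    uint32_t remote_addr;
};

struct nsi_param {           /* assumed request header for the hooked IOCTL */
    uint32_t    type;        /* which table: enum nsi_param_type */
    uint32_t    count;       /* rows the lower driver reports having filled */
    uint32_t    entry_size;  /* bytes per row */
    const void *entries;     /* buffer the rows are written into */
    size_t      entries_len; /* bytes actually backing that buffer */
};

/* 16-bit byte swap with the argument fully parenthesised: network -> host order. */
#define PORT_NTOHS(s) ((uint16_t)((((s) >> 8) & 0x00FFu) | (((s) << 8) & 0xFF00u)))

/* Collect the distinct non-zero local ports in host order. Returns how many were
 * written to out, or -1 when the header disagrees with the buffer. count and
 * entry_size originate outside this code (another driver, or user mode for a
 * METHOD_NEITHER IOCTL), so they are checked before a single row is touched. */
static int collect_local_ports(const struct nsi_param *p, uint16_t *out, size_t max_out)
{
    if (p == NULL || p->entries == NULL || out == NULL || p->type != NSI_TYPE_TCP)
        return -1;
    if (p->entry_size < sizeof(struct tcp_entry))
        return -1;
    if (p->count > p->entries_len / p->entry_size)   /* divide: no multiply overflow */
        return -1;

    const uint8_t *base = (const uint8_t *)p->entries;
    size_t n = 0;
    for (uint32_t i = 0; i < p->count; i++) {
        struct tcp_entry row;
        memcpy(&row, base + (size_t)i * p->entry_size, sizeof row); /* stride = entry_size */
        if (row.local_port == 0)
            continue;                                /* unbound row */
        uint16_t port = PORT_NTOHS(row.local_port);
        size_t j = 0;
        while (j < n && out[j] != port)
            j++;
        if (j < n)
            continue;                                /* already listed */
        if (n == max_out)
            return -1;                               /* caller's array too small */
        out[n++] = port;
    }
    return (int)n;
}

/* Constructed sample table (not captured from a real system): ports 80, 443, 0, 80. */
static void build_sample(struct tcp_entry rows[4])
{
    memset(rows, 0, 4 * sizeof rows[0]);
    rows[0].family = 2; rows[0].local_port = PORT_NTOHS(80);
    rows[1].family = 2; rows[1].local_port = PORT_NTOHS(443);
    rows[3].family = 2; rows[3].local_port = PORT_NTOHS(80);
}

/* Well-formed header over the sample: yields the two distinct ports 80 and 443. */
int sample_ports(uint16_t *out, size_t max_out)
{
    struct tcp_entry rows[4];
    build_sample(rows);
    struct nsi_param p = { NSI_TYPE_TCP, 4, sizeof rows[0], rows, sizeof rows };
    return collect_local_ports(&p, out, max_out);
}

int sample_port_count(void) { uint16_t o[8]; return sample_ports(o, 8); }
int sample_port_at(size_t i) { uint16_t o[8]; int n = sample_ports(o, 8); return (n > 0 && i < (size_t)n) ? o[i] : -1; }

/* Header claiming 1000 rows for a 4-row buffer: rejected before any read. */
int sample_oversized_count(void)
{
    uint16_t out[8];
    struct tcp_entry rows[4];
    build_sample(rows);
    struct nsi_param p = { NSI_TYPE_TCP, 1000, sizeof rows[0], rows, sizeof rows };
    return collect_local_ports(&p, out, 8);
}

int main(void)
{
    uint16_t ports[8];
    int n = sample_ports(ports, 8);
    for (int i = 0; i < n; i++)
        printf("[+] Port : %u\n", ports[i]);
    printf("oversized count -> %d\n", sample_oversized_count());
    return 0;
}
```

The stride is taken from the header's `entry_size` rather than from `sizeof(struct tcp_entry)`, and each row is copied out with `memcpy`, so a table with a larger row than the assumed struct is still walked correctly and no unaligned pointer is dereferenced.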