Status: closed (Miracle-doctor closed this issue 4 years ago)
Process context is not available on the NDIS level; moreover, some packets don't have an associated PID (e.g. routed ones). However, you can use the IP Helper API for this purpose. For the TCP protocol it can be done with the following steps:

1. Use GetExtendedTcpTable and GetOwnerModuleFromTcpEntry to build the mapping from the local (IP address, TCP port) to the process executable.
2. Extract the IP and port information from the packet and use the mapping built in the previous step to look up the process executable.
3. Update the mapping periodically, or when you can't look up the process for a certain packet.

For UDP, just use GetExtendedUdpTable and GetOwnerModuleFromUdpEntry instead.
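One way to realise the three steps above in C, written here as an added example (it is not code from this issue's commenter or from the project). The portable core keeps a (local IPv4, local port) -> PID/module cache and implements step 3 as "rebuild once on a miss"; the part under `_WIN32` does step 1 with the real IP Helper calls GetExtendedTcpTable and GetOwnerModuleFromTcpEntry. The cache type, function names (`lookup_owner`, `refill_from_tcp_table`, `refill_constructed`) and the sample table are my own constructions, so the lookup logic can be exercised off Windows too. It also handles the one edge a first implementation usually misses: a listener bound to 0.0.0.0 shows up with `dwLocalAddr == 0` and must match any local address.

```c
/* Added example (not from this issue or the project): map a packet's local
 * (IPv4, TCP port) to the owning PID and module via a cache that is refilled
 * from the IP Helper TCP table on Windows. All names are my own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_MAX 256

typedef struct {
    uint32_t local_ip;   /* as stored in MIB_TCPROW_OWNER_MODULE.dwLocalAddr; 0 = wildcard bind */
    uint16_t local_port; /* host byte order */
    uint32_t pid;
    char module[64];     /* module path, or empty if the owner query failed */
} owner_entry;

typedef struct {
    owner_entry e[CACHE_MAX];
    size_t n;
    int refreshes;       /* how many times the table was rebuilt (step 3) */
} owner_cache;

typedef void (*refill_fn)(owner_cache *c); /* step 1; two implementations below */

static const owner_entry *cache_find(const owner_cache *c, uint32_t ip, uint16_t port) {
    for (size_t i = 0; i < c->n; i++) {
        /* A socket bound to 0.0.0.0 has dwLocalAddr == 0 and matches any local IP. */
        if (c->e[i].local_port == port && (c->e[i].local_ip == ip || c->e[i].local_ip == 0))
            return &c->e[i];
    }
    return NULL;
}

/* Steps 2 and 3: look the packet's local endpoint up; on a miss rebuild the
 * table once and retry (sockets created since the last refresh). Returns the
 * PID, or 0 when no local socket owns the endpoint (e.g. a routed packet). */
uint32_t lookup_owner(owner_cache *c, refill_fn refill, uint32_t ip, uint16_t port,
                      char *module_out, size_t module_len) {
    const owner_entry *hit = cache_find(c, ip, port);
    if (!hit) {
        refill(c);
        c->refreshes++;
        hit = cache_find(c, ip, port);
    }
    if (!hit)
        return 0;
    if (module_out && module_len)
        snprintf(module_out, module_len, "%s", hit->module);
    return hit->pid;
}

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#include <iphlpapi.h>
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "ws2_32.lib")

/* Step 1 on Windows: snapshot the IPv4 TCP table with owner rows and resolve
 * each row's module path with GetOwnerModuleFromTcpEntry. */
void refill_from_tcp_table(owner_cache *c) {
    DWORD size = 0;
    GetExtendedTcpTable(NULL, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0);
    MIB_TCPTABLE_OWNER_MODULE *t = malloc(size);
    if (!t) return;
    c->n = 0;
    if (GetExtendedTcpTable(t, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0) == NO_ERROR) {
        for (DWORD i = 0; i < t->dwNumEntries && c->n < CACHE_MAX; i++) {
            MIB_TCPROW_OWNER_MODULE *r = &t->table[i];
            owner_entry *e = &c->e[c->n++];
            e->local_ip = r->dwLocalAddr;
            e->local_port = ntohs((u_short)r->dwLocalPort); /* dwLocalPort is network order */
            e->pid = r->dwOwningPid;
            e->module[0] = '\0';
            DWORD bs = 0;
            GetOwnerModuleFromTcpEntry(r, TCPIP_OWNER_MODULE_INFO_BASIC, NULL, &bs);
            TCPIP_OWNER_MODULE_BASIC_INFO *info = bs ? malloc(bs) : NULL;
            if (info && GetOwnerModuleFromTcpEntry(r, TCPIP_OWNER_MODULE_INFO_BASIC, info, &bs) == NO_ERROR
                && info->pModulePath)
                snprintf(e->module, sizeof e->module, "%ls", info->pModulePath);
            free(info);
        }
    }
    free(t);
}
#endif

/* Constructed sample table standing in for a live snapshot so the lookup
 * logic runs off Windows. 0x0100007f is 127.0.0.1 as a little-endian host
 * stores the network-order dwLocalAddr. */
void refill_constructed(owner_cache *c) {
    static const owner_entry sample[] = {
        { 0x0100007fu, 8080, 4242, "C:\\constructed\\web.exe" }, /* 127.0.0.1:8080 */
        { 0u,          445,  4,    "System" },                    /* 0.0.0.0:445 listener */
    };
    c->n = sizeof sample / sizeof sample[0];
    memcpy(c->e, sample, sizeof sample);
}

int main(void) {
    owner_cache c;
    char module[64];
    memset(&c, 0, sizeof c);
#ifdef _WIN32
    refill_fn refill = refill_from_tcp_table;
#else
    refill_fn refill = refill_constructed;
#endif
    uint32_t pid = lookup_owner(&c, refill, 0x0100007fu, 8080, module, sizeof module);
    printf("127.0.0.1:8080 -> pid %u (%s), refreshes=%d\n",
           (unsigned)pid, pid ? module : "unknown", c.refreshes);
    return 0;
}
```

Two practical notes: rows whose process has already exited still carry a `dwOwningPid` but GetOwnerModuleFromTcpEntry may fail for them, which is why `module` is left empty rather than treated as an error; and because a miss triggers a refill, a stream of unattributable (routed or already-closed) packets will rebuild the table on every packet, so a real driver-side helper should rate-limit refills in addition to the periodic refresh the comment suggests.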
Thanks a lot.
Issue title: How to get requestor process PID address