SIGINT10 - final10

Konferenz für Netzbewohner, Hacker und Aktivisten


The overall idea is using architecture of NDIS intermediate driver to intercept and analysis malicious network traffic such as malware, virus and shellcode. The source code will be provided and demonstrate how the NDIS intermediate driver interpret within data link layer and network layer.

Network Driver Interface Specification (NDIS) is a specification for network driver architecture that allows transport protocols to communicate with network interface cards (NICs) or other hardware device in a device-independent manner. The NDIS library implements the NDIS boundary that exists between network layer 2 (Data Link Layer) and layer 3 (Network Layer) of the Open Systems Interconnection (OSI) model. This library is a helper library which NDIS driver clients use to format commands that communicate with NDIS driver. The NDIS driver interface’s library will act as receiving and sending between the request and response activities. There are different types of NDIS driver which allow the transport protocols to communicate with the hardware layer and implement in different configuration. Interception mechanism is implemented by the technology of NDIS Intermediate Driver where this embedded system method is recommended by the Microsoft Company as it provides maximum compatibility both with different OS’s versions and other applications and drivers. This paper clearly describes the interception and analysis of malicious network traffic through the NDIS intermediate driver. The concept of NIDS intermediate driver has been used to intercept network traffic before it reaches to higher OSI model. Auto analysis of the intercept network traffic will be conducted if the traffic consists of malicious functions. Source codes that act as an interception-driver for network packets will be described.