
Overview of NDIS Specification Drivers

Network drivers


Network drivers can be divided into 2 categories: TDI drivers (Transport Driver Interface) and NDIS drivers (Network Driver Interface Specification). TDI drivers are high-level drivers, for example, the SMB client, the SMB server, SMB wrappers (NPFS, MSFS), etc. Here we will consider NDIS drivers. NDIS itself is a special driver (it corresponds to the ndis.sys file) that contains the functions used by low-level network drivers. NDIS wraps the low-level network drivers, as it were, and mediates their communication with each other and with the hardware. In fact, NDIS can be considered the third core of Windows. To make it clearer what NDIS is, look at the following picture:

NDIS structure


As you can see from this illustration, NDIS drivers come in three types:
  1. Miniport drivers
  2. Intermediate drivers
  3. Protocol drivers

Let's consider each of them separately.

Miniport drivers


Each piece of network hardware has its own miniport driver. The miniport driver receives its commands through NDIS. The functions of the miniport driver can be described as follows:

The miniport driver contains 22 standard callback functions through which it is notified of various events (some of these functions can be NULL, in which case the driver is not notified of the corresponding events). NDIS exports about 150 functions for use by miniport drivers.

Miniport drivers are either “connectionless” (for example, an Ethernet adapter driver) or “connection-oriented” (for example, a modem driver). For connection-oriented drivers the callback system is a bit more complicated: it includes event handlers for connecting to the communication channel, disconnecting from the channel, choosing a channel (for wireless adapters), etc. For some operations, connection-oriented drivers call special NDIS functions that have the “Co” prefix in the name (for example, the driver must call NdisMCoIndicateReceivePacket instead of NdisMIndicateReceivePacket).

Each callback performs its own task: reporting information, sending data, receiving data, etc. Full information about the callbacks can be found in the WDK (DDK) documentation.

Protocol drivers can hand off some of their functions to the miniport driver (provided the miniport driver can perform them, either itself or through the adapter at the hardware level), for example calculating the checksum or digital signature of an IP packet, or deciding how to fragment a large TCP packet. This greatly improves network performance.

There are various additional advanced interfaces that the miniport driver can support, for example:
  1. LBFO (Load Balancing and Fail Over) - allows adapters that understand it to distribute outgoing traffic and compensate for each other's failures. However, this makes sense only on backbone routers (central routers of large networks), on which Windows is rarely installed
  2. FFP (Fast Forwarding Path) - allows adapters that understand it to route / filter packets purely in hardware, without involving the OS at all and without loading the computer's main processors

Intermediate drivers


From above, the intermediate driver looks like a miniport driver (see the picture), that is, like a virtual adapter; from below, it looks like a protocol driver (again, see the picture), that is, like a virtual protocol. As a special case, the intermediate driver may be visible only from above.

Intermediate drivers usually do one of:

Intermediate drivers are used by sniffers to scan network traffic. Intermediate drivers can sit on top of one another if the virtual protocol of one intermediate driver binds to the virtual adapter of another intermediate driver. This is rarely done, however, because it reduces performance.
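Because a traffic-capturing component has to bind into the adapter's stack, a defender can audit those bindings. The following is an added example, not part of the original article: it flags enabled bindings whose component ID is outside a baseline. The baseline list, the function name Find-UnexpectedBinding and the sample objects are assumptions made for illustration.

```powershell
# Added example: flag components bound to network adapters that are not in a baseline.
# Assumption: this baseline of stock Windows component IDs; build yours from a clean reference machine.
$Baseline = @(
    'ms_tcpip', 'ms_tcpip6', 'ms_msclient', 'ms_server',
    'ms_pacer', 'ms_lltdio', 'ms_rspndr', 'ms_lldp', 'ms_implat'
)

function Find-UnexpectedBinding {
    # Hypothetical helper: accepts binding objects (Name, ComponentID, DisplayName, Enabled)
    # from the pipeline and emits the enabled ones that the baseline does not list.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Binding,
        [string[]] $Allowed = $Baseline
    )
    process {
        if ($Binding.Enabled -and $Binding.ComponentID -notin $Allowed) {
            [pscustomobject]@{
                Adapter     = $Binding.Name
                ComponentID = $Binding.ComponentID
                DisplayName = $Binding.DisplayName
            }
        }
    }
}

# Constructed sample input (not real output) so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ Name = 'Ethernet'; ComponentID = 'ms_tcpip'
                       DisplayName = 'Internet Protocol Version 4 (TCP/IPv4)'; Enabled = $true }
    [pscustomobject]@{ Name = 'Ethernet'; ComponentID = 'example_capture_im'
                       DisplayName = 'Example capture driver (constructed)'; Enabled = $true }
    [pscustomobject]@{ Name = 'Wi-Fi'; ComponentID = 'example_capture_im'
                       DisplayName = 'Example capture driver (constructed)'; Enabled = $false }
)
$sample | Find-UnexpectedBinding   # only the enabled 'example_capture_im' binding on Ethernet

# Live check: -AllBindings also returns the protocols and filters hidden from the adapter's property sheet.
if (Get-Command Get-NetAdapterBinding -ErrorAction SilentlyContinue) {
    Get-NetAdapterBinding -AllBindings |
        Find-UnexpectedBinding |
        Sort-Object ComponentID, Adapter |
        Format-Table -AutoSize
}
```

With -AllBindings the live check will also report legitimate hidden Windows components that this short baseline omits, so extend the baseline from a known-good build before treating a hit as suspicious.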

Protocol drivers

Protocol drivers are the highest level of the NDIS specification. These drivers are responsible for allocating resources for the relevant packets, copying application data into packets and passing them to lower-level drivers. Protocol drivers also provide an interface for receiving packets from lower-level drivers.

Protocol drivers also include transport drivers that implement a network protocol stack, such as TCP/IP (tcpip.sys).

If readers find this post interesting, the following posts can show how to write a sniffer-like intermediate driver by example, or describe how to write each type of driver (miniport, intermediate or protocol).

Thanks for your attention.

Source: https://habr.com/ru/post/111592/

