Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [PATCH] WinPcap Installer x64 Support
From: "Kris Katterjohn" <katterjohn () gmail com>
Date: Tue, 17 Jun 2008 01:13:22 +0530

Hi Rob,

On Wed, Jun 11, 2008 at 10:44 PM, Rob Nicholls
<robert () everythingeverything co uk> wrote:
The official WinPcap setup file contains 3 npf.sys files if you open up
their exe using 7-zip:

 - npf.sys (NT5/6 x86) Kernel Driver (the one we already provide)
 - npf.sys (NT5/6 AMD64) Kernel Driver (the one we need to provide for x64
 - npf.sys (NT4) Kernel Driver (no one's mentioned the lack of NT4 support
so far, I'm not sure it's worth adding this to our installer?)

We need to check if we're on x64 and (at least temporarily) disable
Wow64FsRedirection. Without disabling the redirection we can't get the x64
version of npf.sys into the system32\drivers folder as it currently gets
redirected into the SysWOW64 folder. This has to be done using some Windows
API calls.

My patch installs the x64 (NT5/6 AMD64) version of npf.sys in a similar way
to how we install the Vista/2008 specific version of Packet.dll - I placed
the 39.5KB x64 version of npf.sys in a new folder at "mswin32\winpcap\x64",
which will need to be added to SVN along with this patch.

I've been reviewing this patch for inclusion, and have already set up
an x64 directory containing the npf.sys waiting for committment.  I
cannot test this since I don't have an x64 system, so I'm going on
what I see (and your successful attempts).

There is just one issue that I want to ask you about: is it really
necessary that you disable/reenable the Wow64 stuff when deleting the
npf.sys?  It uses $SYSDIR to find the npf.sys to delete, but does the
installer really remember that you did the Wow64 stuff when installing
it?  I would think it should still uninstall properly without it,
especially since the other $SYSDIR files apparently uninstall

But, of course, I haven't been able to test this and I'm unfamiliar
with the Wow64FsRedirection stuff.

Also, from the MSDN docs[1], it seems that you don't need to reenable
the Wow64 stuff unless you want any redirection again because it's
thread-specific and won't effect anything else.  So maybe it'd be
better to not enable it again, especially if the Wow64 disabling is
required for deletion?  Would that work?  Do we want redirection for

So, overall, not too painful. It appears to work on Windows XP x64 (which
should be close enough to Windows Server 2003 x64 as it's the same codebase)
and Windows Server 2008 x64. It also still appears to work fine on my x86
clean install of XP Pro SP2.

If you are able to make the changes I've mentioned and you verify that
it indeed still works, or let me know that it's really required, I'll
be happy to apply this to SVN.


Kris Katterjohn

[1] http://msdn.microsoft.com/en-us/library/aa365743(VS.85).aspx

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]