Nmap Development mailing list archives

RE: [PATCH] WinPcap Installer x64 Support
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Mon, 16 Jun 2008 22:28:08 +0100

Hi Kris,

> There is just one issue that I want to ask you about: is it really
> necessary that you disable/reenable the Wow64 stuff when deleting the
> npf.sys?

Yes, I'm afraid it is necessary. If you don't disable the redirection then
the uninstaller tries to delete npf.sys from system32 and Windows redirects
it to the SysWOW64 folder (and it's obviously not in there, so silently
fails). When you don't disable the redirection, the uninstaller's actions
lists at the end:

...
Delete file: C:\Windows\system32\wpcap.dll
Remove folder: C:\Program Files (x86)\WinPcap\
Completed

It has really deleted wpcap.dll from the SysWOW64 folder and doesn't list
the failed deletion of npf.sys (which remains in system32). Which is a
little misleading of the uninstaller, I know, but I think it's just going on
what Windows tells it so you can't blame NSIS too much.

> I would think it should still uninstall properly without it,
> especially since the other $SYSDIR files apparently uninstall
> correctly.

The other $SYSDIR files need to be redirected (or placed directly) into
SysWOW64 on x64 systems as they're 32-bit files; which is also why they
uninstall okay.
 
On XP x64 you end up with:
C:\Program Files (x86)\WinPcap\rpcapd.exe
C:\Windows\system32\drivers\npf.sys (AMD64 NT5/6)
C:\Windows\SysWOW64\Packet.dll (NT5)
C:\Windows\SysWOW64\pthreadVC.dll
C:\Windows\SysWOW64\WanPacket.dll
C:\Windows\SysWOW64\Wpcap.dll

On 2008 x64 you end up with:
C:\Program Files (x86)\WinPcap\rpcapd.exe
C:\Windows\system32\drivers\npf.sys (AMD64 NT5/6)
C:\Windows\SysWOW64\Packet.dll (Vista)
C:\Windows\SysWOW64\pthreadVC.dll
C:\Windows\SysWOW64\Wpcap.dll

I disable the redirection in the uninstaller section as the uninstaller only
runs that section of the script (i.e. it doesn't go through the installer's
section to disable the redirection). Even if I disabled the redirection in
the .onInit function, I'd still need to duplicate it in an un.onInit for the
uninstaller. Disabling it that early would mean the 32-bit files end up
in/are deleted from system32 when they should be in SysWOW64 on x64
machines.

> Also, from the MSDN docs[1], it seems that you don't need to reenable
> the Wow64 stuff unless you want any redirection again because it's
> thread-specific and won't affect anything else.

I wanted to quickly get something out that supported x64 with minimal
changes to the existing script (partly to avoid messing anything else up,
partly to make the modification easier to understand). I was lucky that the
original script had npf.sys after all of the 32-bit files, so I probably
could have gotten away with just disabling the redirection at that point in
the script as there doesn't appear to be anything afterwards that would
break if the redirection were left disabled, but this might cause some
confusion if someone other than me were to add (32-bit) files afterwards.

If you want to, I think you could get away with removing the lines that
re-enable the redirection.

Equally, if people want me to, I could disable the redirection in the two
.onInit sections, or in the installer/uninstaller sections, and rewrite the
script to reflect the actual locations of the files. It would probably be
less confusing to newcomers, but there could be a slight maintenance
overhead with the script copying the same file into one of two locations
(although I doubt the WinPcap files will change that much).

> If you are able to make the changes I've mentioned and you verify that
> it indeed still works, or let me know that it's really required, I'll
> be happy to apply this to SVN.

I think it's really required, and I hope this clarified things. I probably
should have explained it a bit better while submitting the patch as I know
few of us here have access to Windows x64 systems. I probably could have
explained it better here too ;-) 


Rob



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
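
The redirection handling discussed in the message above, as an added NSIS sketch that is not part of the original post or of the submitted patch. It assumes the `x64.nsh` and `LogicLib.nsh` headers bundled with NSIS; the `x64\npf.sys` source path, the installer name and the output file name are hypothetical, and the file names come from the lists in the message.

```nsis
; Added example (not the WinPcap installer script from the patch).
!include "LogicLib.nsh"
!include "x64.nsh"

Name "WinPcap redirection example"      ; hypothetical name
OutFile "example-setup.exe"             ; hypothetical output file
InstallDir "$PROGRAMFILES\WinPcap"
RequestExecutionLevel admin

Section "Install"
  ; 32-bit DLL: leave redirection on, so on x64 Windows the write to
  ; $SYSDIR (system32) is redirected into SysWOW64.
  SetOutPath "$SYSDIR"
  File "wpcap.dll"

  ; Native driver: must land in the real system32\drivers, so redirection
  ; is switched off only around this one file and then restored.
  ${If} ${RunningX64}
    ${DisableX64FSRedirection}
    SetOutPath "$SYSDIR\drivers"
    File /oname=npf.sys "x64\npf.sys"   ; hypothetical source path
    ${EnableX64FSRedirection}
  ${Else}
    SetOutPath "$SYSDIR\drivers"
    File "npf.sys"
  ${EndIf}

  SetOutPath "$INSTDIR"
  WriteUninstaller "$INSTDIR\uninstall.exe"
SectionEnd

; The uninstaller runs only this section, so it needs its own toggle.
Section "Uninstall"
  Delete "$SYSDIR\wpcap.dll"            ; redirected to SysWOW64 on x64
  ${If} ${RunningX64}
    ${DisableX64FSRedirection}
  ${EndIf}
  Delete "$SYSDIR\drivers\npf.sys"
  ; The log does not report a failed delete, so check while redirection
  ; is still off that the driver is really gone.
  ${If} ${FileExists} "$SYSDIR\drivers\npf.sys"
    DetailPrint "npf.sys is still present in system32\drivers"
  ${EndIf}
  ${If} ${RunningX64}
    ${EnableX64FSRedirection}
  ${EndIf}
  Delete "$INSTDIR\uninstall.exe"
  RMDir "$INSTDIR"
SectionEnd
```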

