Random (stack) walk. Continues ... wsk provider
So what is a WSK provider?
Well, at a high level, it is a kernel-mode socket provider. It is mainly a broker service in the NETIO kernel module: when a client tries to capture the provider interface, it provides a dispatch table from afd.sys.
Currently we can see the following relevant NETIO functions:
0: kd> x NETIO!wsk*
86f0693c NETIO!WSKLIB_WSK_CLIENT_MODULEID = <no type information>
86f03f18 NETIO!WskRegister = <no type information>
86f03cab NETIO!WskDeregister = <no type information>
86f03ec0 NETIO!WsklibNmrCallbackDetachProvider = <no type information>
86f03df7 NETIO!WsklibNmrCallbackAttachProvider = <no type information>
86f03d73 NETIO!WskQueryProviderCharacteristics = <no type information>
86f03d26 NETIO!WskReleaseProviderNPI = <no type information>
86f03fe5 NETIO!WskCaptureProviderNPI = <no type information>
86f03ee3 NETIO!WsklibNmrCallbackCleanupProviderContext = <no type information>
After capturing the provider interface, we see that the socket-related calls are in afd.sys:
0: kd> dt wskProviderNpi
Local var @ 0x941f0d14 Type _WSK_PROVIDER_NPI
+0x000 Client : 0x8461a210
+0x004 Dispatch : 0x8ae62dd8 _WSK_PROVIDER_DISPATCH
0: kd> dt _WSK_PROVIDER_DISPATCH 0x8ae62dd8
echosrv!_WSK_PROVIDER_DISPATCH
+0x000 Version : 0x101
+0x002 Reserved : 0
+0x004 WskSocket : 0x8ae5947e long afd!WskProAPISocket+0
+0x008 WskSocketConnect : 0x8ae5e3cc long afd!WskProAPISocketConnect+0
+0x00c WskControlClient : 0x8ae5b5da long afd!AfdWskControlClient+0
+0x010 WskGetAddressInfo : 0x8ae68a50 long afd!WskProAPIGetAddressInfo+0
+0x014 WskFreeAddressInfo : 0x8ae68602 void afd!WskProAPIFreeAddressInfo+0
+0x018 WskGetNameInfo : 0x8ae72bf8 long afd!WskProAPIGetNameInfo+0
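As an added example (not code from the original post), the Python below parses the `dt _WSK_PROVIDER_DISPATCH` output above and reports any function pointer that does not resolve to `afd!<symbol>+0`. The function names and the "everything lands in afd" baseline are assumptions taken from this one dump.

```python
import re

# Constructed sample: the `dt _WSK_PROVIDER_DISPATCH` output from this post.
SAMPLE_DT = """\
+0x000 Version : 0x101
+0x002 Reserved : 0
+0x004 WskSocket : 0x8ae5947e long afd!WskProAPISocket+0
+0x008 WskSocketConnect : 0x8ae5e3cc long afd!WskProAPISocketConnect+0
+0x00c WskControlClient : 0x8ae5b5da long afd!AfdWskControlClient+0
+0x010 WskGetAddressInfo : 0x8ae68a50 long afd!WskProAPIGetAddressInfo+0
+0x014 WskFreeAddressInfo : 0x8ae68602 void afd!WskProAPIFreeAddressInfo+0
+0x018 WskGetNameInfo : 0x8ae72bf8 long afd!WskProAPIGetNameInfo+0
"""

FIELD_RE = re.compile(r"^\s*\+0x([0-9a-f]+)\s+(\w+)\s*:\s*0x([0-9a-f]+)(.*)$", re.I)
SYMBOL_RE = re.compile(r"(\w+)!(\w+)\+(?:0x)?([0-9a-f]+)", re.I)
NON_POINTER_FIELDS = {"Version", "Reserved"}  # scalars, not function pointers


def parse_dispatch(dt_text):
    """Return one dict per function-pointer field in the dt output."""
    entries = []
    for line in dt_text.splitlines():
        m = FIELD_RE.match(line)
        if not m or m.group(2) in NON_POINTER_FIELDS:
            continue
        sym = SYMBOL_RE.search(m.group(4))
        entries.append({
            "offset": int(m.group(1), 16),
            "field": m.group(2),
            "address": int(m.group(3), 16),
            # None when the debugger could not resolve the pointer to a symbol
            "module": sym.group(1).lower() if sym else None,
            "symbol": sym.group(2) if sym else None,
            "displacement": int(sym.group(3), 16) if sym else None,
        })
    return entries


def unexpected_entries(entries, expected_module="afd"):
    """Entries that are not `expected_module!Symbol+0` (the baseline seen above)."""
    return [e for e in entries
            if e["module"] != expected_module or e["displacement"] != 0]


if __name__ == "__main__":
    for e in unexpected_entries(parse_dispatch(SAMPLE_DT)):
        print(f"+0x{e['offset']:03x} {e['field']}: 0x{e['address']:08x} not in afd")
```

An entry with no resolved symbol is reported as well, since a dispatch pointer the debugger cannot attribute to a loaded module is the case most worth a closer look.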