TDI on Windows 8
TDI can’t intercept Modern UI apps on Windows 8 (formerly known as Metro), you must use WFP to intercept Modern UI apps, you can read more here: TDI Windows 8.
TDI high level overview
TDI is a driver that is used to perform TCP/IP filtering and inspection, it works on either packets level or stream level and is able to modify, inject and drop packets.
When to use TDI?
TDI is mostly used for: Firewalls, and Parental control.
When not to use TDI?
Microsoft has announced that it might not support TDI for Windows 8.
TDI is driver based so it’s an advantage and a disadvantage, it depends on the needs of your software and your programming capabilities.
In Komodia’s Redirector can save you time if you plan to develop an interception component for workstations, save you atleast one year of development time.
TDI detailed info
TDI is an acronym for Transport Driver Interface; a common interface used by drivers, like Windows 2000 server and redirector, in order to communicate with various NTPs (Network Transport Protocols). The major purpose of using the Transport Driver Interface is to have a standard API for the higher-edge of the Microsoft Windows Network Transport Protocol. Although TDI is specifically used for Windows 2000 or later versions, however, Windows 95 too had a version or variation of TDI; but it was meant only for the TCP/IP protocol. The major benefit of using TDI or the Transport Driver Interface is that by using TDI, services become independent of the network transport protocols. There is no driver for the Transport Driver Interface; unlike the NDIS. Hence it can be used to pass on messages within two layers of the network stack.
TDI is developed by Microsoft with the purpose of providing more functionality with flexibility as compared to the existing interfaces like the NetBIOS or the Winsock. In Windows 2000 and later versions, all the transport providers can have direct interface with the TDI or the Transport Driver Interface; hence allowing the Transport Driver Interface to offer a better and more consistent interface with the network transport protocols. The specification for the TDI (not included in this article) discusses all the functions and calling mechanisms that is used by the transport drivers and the Transport Driver Interface clients to communicate with each other.
One important note is that Microsoft plan to phase out support for TDI in the next OS.
What does TDI includes
The TDI specifically defines a kernel-mode network interface. This interface is visible to the upper level of all TPS (transport protocol stack). In every such protocol stack, all the protocol drivers that are at the highest level supports the TDI interface for all the higher level network clients in kernel-mode. The TDI interface includes:
- A complete set of system-supplied TdiBuildXxx macros. TDI also includes system-supplied functions that can be used by transport clients in order to set I/O requests which can be issued to their basic transports.
- TdiXxx functions set that can be used by the clients and the transports in order to communicate with each other. All of these TdiXxx functions are system-supplied functions.
- A complete set of ClientPnPXxx call-back routines that are exported by the Transport Driver Interface clients. These call-back routines can be registered with the Transport driver for the purpose of receiving alerts and notifications about any particular network event, in case they occur.
- A complete set of ClientPnPXxx call-back routines that are exported by the Transport Driver Interface clients. These call-back routines can be registered with the Transport driver interface for the purpose of receiving various notifications like those for network address, dynamic binding or power-state changes. These notifications are usually sent from the PnP aware transports; specifically for Microsoft Windows 2000 or later versions.
- TDI or the Transport Driver Interface also includes structures, parameters, IOCTLs and various procedural rules that are associated with the TDI transport and ClientPnPXxx / ClientEventXxx routines.
- The Transport Driver Interface also includes a set of IM driver (Intermediate Driver) Dispatch routines for standard kernel-mode. These routines are exported by every TDI transport driver. The TDI clients can submit their I/O request (IRPs) by calling or using these routines. An example of such routine is the Zw.File routine or the IOCallDriver routine.
Key features of TDI
There are various features of the Transport Driver Interface, however, some of the major features of TDI are mentioned below:
- Asynchronous Operation: Most of the operations of TDI (kernel mode) are asynchronous operations; means that they use the callback routines, provided by TDI clients, to indicate any asynchronous network events whenever they occur. Moreover, TDI completes most of the operations, which are client-initiated, as IRPs asynchronously.
- Addressing Scheme Flexibility: One of the features and an advantage of using TDI is that it offers flexible addressing scheme. Unlike NetBIOS, TDI has a special and extensible mechanism which can be used to order to support, use and identify various addressing formats. TDI doesn’t require any particular format for addressing. NetBIOS has a mandatory addressing requirement; for instance the 16-character NetBIOS name.
- Event Notification: It is a special feature of TDI in which it defines a scheme using which the transports can alert the clients about any interesting network event; this happens without requiring the clients to explicitly issue an I/O request.
- 32-bit Addressing: Another feature of Transport Driver Interface is that transports and the clients, both are 32-bit code. All kernel-mode components for Microsoft Windows 2000 and later versions. All the structures and parameters that are defined by TDI use 32-bit values and pointers.
- Internal Buffering: This feature allows the TDI transports to buffer all the client’s receives and sends in an internal buffer. This internal buffering of Transport allows the TDI client to query and set the size of the driver’s internal buffer, receiving notification about the buffer space available and looking at the buffered data even before receiving it.
- Event Notification (Plug & Play): The Transport Driver Interface defines a particular scheme under which the transports (in case of Windows 2000 & later versions) can notify the TDI clients about various PnP events like deletion or addition of connections etc.
Here is brief operational information about the Transport Driver Interface. For the purpose of ease-of-reading, the operational information about the TDI is divided into steps:
- The very first step starts when the TDI client formats or allocates an address open TDI IRP. In response, the TDI returns a file object which is also called as the address object; which is quite equivalent to the winsock bind () function
- If the client allocated a connection open TDI IRP, then the TDI returns a connection object which is equivalent to the socket () function.
- The client then issues an associate address TDI IRP; this is done so that the connection object can be associated with the address object.
- The TDI client the issues a listen TDI IRP and then the accept TDI IRP; these are equivalent to winsock listen() and the accept () respectively.