Inspecting the mode of your network interface cards
This is one way to inspect locally whether your NICs are in promiscuous mode or not. The procedure is: enumerate the network devices, open each one, and query its current packet filter.
1. Enumerate network devices
The names of the network devices are in the Registry. Open the "\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" key. It contains a numbered subkey for each network device. For each of them we need the value of "\RootDevice" under the "\Linkage" key, which is the device GUID, like the following:
{A1A2A3A4-B5B6-C7C8-D9D0-E1E2E3E4E5E6}
2. Open a network device
The CreateFile() API can be used to open a network device by the GUID found in step 1. CreateFileW() is used here because the path is a wide string; as with any Win32 handle, compare the result against INVALID_HANDLE_VALUE before using it.
HANDLE hDevice = CreateFileW(
    L"\\\\.\\{A1A2A3A4-B5B6-C7C8-D9D0-E1E2E3E4E5E6}",  // \\.\{GUID} from the Registry
    GENERIC_READ,
    FILE_SHARE_READ | FILE_SHARE_WRITE,
    NULL,                  // default security attributes
    OPEN_EXISTING,
    0,                     // no flags or attributes
    NULL);                 // no template file
3. Get the mode of a network device
Query OID_GEN_CURRENT_PACKET_FILTER through the IOCTL_NDIS_QUERY_GLOBAL_STATS control code; the adapter's current packet filter bits come back in OidData.
NDIS_OID OidCode = OID_GEN_CURRENT_PACKET_FILTER;
ULONG OidData = 0;
DWORD byteReturned = 0;
BOOL ok = DeviceIoControl(
    hDevice,
    IOCTL_NDIS_QUERY_GLOBAL_STATS,
    &OidCode,            // input: which OID to query
    sizeof(OidCode),
    &OidData,            // output: the packet filter bits
    sizeof(OidData),
    &byteReturned,
    NULL);
4. Examine the value of OidData against the "Ndis Packet Filter Bits" in ntddndis.h. The NIC is in promiscuous mode if (OidData & NDIS_PACKET_TYPE_PROMISCUOUS) is non-zero.
#define NDIS_PACKET_TYPE_DIRECTED 0x0001
#define NDIS_PACKET_TYPE_MULTICAST 0x0002
#define NDIS_PACKET_TYPE_ALL_MULTICAST 0x0004
#define NDIS_PACKET_TYPE_BROADCAST 0x0008
#define NDIS_PACKET_TYPE_SOURCE_ROUTING 0x0010
#define NDIS_PACKET_TYPE_PROMISCUOUS 0x0020
#define NDIS_PACKET_TYPE_SMT 0x0040
#define NDIS_PACKET_TYPE_ALL_LOCAL 0x0080
#define NDIS_PACKET_TYPE_MAC_FRAME 0x8000
#define NDIS_PACKET_TYPE_FUNCTIONAL 0x4000
#define NDIS_PACKET_TYPE_ALL_FUNCTIONAL 0x2000
#define NDIS_PACKET_TYPE_GROUP 0x1000
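Putting the four steps together as a small C helper (an added example, not code from the original note or from the MACADDR sample): the portable part decodes a packet-filter value and reports whether the PROMISCUOUS bit is set, and the Windows-only query_packet_filter() performs steps 2 and 3 against a \\.\{GUID} path. The function names and the 80-byte output buffer are this example's own choices.

```c
#include <stdint.h>
#include <string.h>
/* NDIS packet filter bits, as listed above from ntddndis.h. */
#define NDIS_PACKET_TYPE_DIRECTED      0x0001
#define NDIS_PACKET_TYPE_MULTICAST     0x0002
#define NDIS_PACKET_TYPE_ALL_MULTICAST 0x0004
#define NDIS_PACKET_TYPE_BROADCAST     0x0008
#define NDIS_PACKET_TYPE_PROMISCUOUS   0x0020
#define NDIS_PACKET_TYPE_ALL_LOCAL     0x0080

/* Step 4: the adapter is in promiscuous mode when the PROMISCUOUS bit is set. */
int nic_is_promiscuous(uint32_t filter) {
    return (filter & NDIS_PACKET_TYPE_PROMISCUOUS) != 0;
}

/* Render the filter as "DIRECTED|BROADCAST|PROMISCUOUS" for a report line.
   out must hold at least 80 bytes (the longest combination is 64 chars); returns out. */
const char *describe_filter(uint32_t filter, char *out, size_t cap) {
    static const struct { uint32_t bit; const char *name; } names[] = {
        { NDIS_PACKET_TYPE_DIRECTED, "DIRECTED" }, { NDIS_PACKET_TYPE_MULTICAST, "MULTICAST" },
        { NDIS_PACKET_TYPE_ALL_MULTICAST, "ALL_MULTICAST" }, { NDIS_PACKET_TYPE_BROADCAST, "BROADCAST" },
        { NDIS_PACKET_TYPE_PROMISCUOUS, "PROMISCUOUS" }, { NDIS_PACKET_TYPE_ALL_LOCAL, "ALL_LOCAL" },
    };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(filter & names[i].bit)) continue;
        if (out[0]) strncat(out, "|", cap - strlen(out) - 1);
        strncat(out, names[i].name, cap - strlen(out) - 1);
    }
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include <ntddndis.h>
/* Steps 2 and 3: open \\.\{GUID} and query OID_GEN_CURRENT_PACKET_FILTER; returns 0 on success. */
int query_packet_filter(const wchar_t *devpath, uint32_t *filter) {
    HANDLE h = CreateFileW(devpath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    NDIS_OID oid = OID_GEN_CURRENT_PACKET_FILTER;
    ULONG data = 0; DWORD got = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_NDIS_QUERY_GLOBAL_STATS, &oid, sizeof oid,
                              &data, sizeof data, &got, NULL);
    CloseHandle(h);
    if (!ok || got != sizeof data) return -1;  /* driver rejected the OID or short answer */
    *filter = data;
    return 0;
}
#endif
```

On Windows, loop query_packet_filter() over the GUIDs from step 1 and pass each result to describe_filter() to get one line per adapter.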
Note: I don't know whether those APIs are hooked by any rootkit or not.
(Feb. 2003)
References:
WinPcap: http://www.winpcap.org
Windows NT DDK: MACADDR sample (Not included in Windows 2000 DDK)
