Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 916 through 930 (of 1,486 total)
  • Author
    Posts
  • in reply to: WinpkFilter 3.0: Wireless Access Failure #6653
    Vadim Smirnov
    Keymaster

      We are not aware about any problems with wireless adapters and WinpkFilter. However, please ensure that you are using the latest version of WinpkFilter.

      Driver conflict with some other network software is possible and most usual problem of misbehave, details depend from what other third party low level network software you have installed on those systems.

      in reply to: Signing Winpkfilter for vista x64 #6652
      Vadim Smirnov
      Keymaster

        I’d recommend to sign both CAT file and driver image.

        in reply to: winpkfilter disable #6647
        Vadim Smirnov
        Keymaster

          INetCfg provides programming interface for network components management.

          in reply to: winpkfilter disable #6645
          Vadim Smirnov
          Keymaster

            You can uncheck WinpkFilter Service checkbox in the connection properties to disable it (by default the service is not hidden, but in can be hidden in the custom builds).

            in reply to: Small IP address problem? #6643
            Vadim Smirnov
            Keymaster

              pIPHeader.DestIp := htonl(NewDestIP.S_addr);

              Don’t do this, you already have IP address in the correct byte order.

              in reply to: Detecting of application component name #6638
              Vadim Smirnov
              Keymaster

                I had not sad that this is easy, but there is no other way to track the module which actually called the system service.

                Luckily for the actual winsock calls the stack is easy to restore (number and types of parameters are known) up to the calling module.

                in reply to: WinpkFilter static filters #6641
                Vadim Smirnov
                Keymaster

                  Ну это то как раз очень даже понятно, адрес/порт источника/назначения зависят от направления пакета. Можно было бы сделать более сложные правила (в том числе двунаправленные), но чем проще тем быстрее работает, да и в любом случае сложное правило можно записать как композицию простых.

                  in reply to: WinpkFilter static filters #6639
                  Vadim Smirnov
                  Keymaster

                    Ну как-то вот так:


                    //**************************************************************************************
                    // 1. Outgoing HTTP requests filter: PASS OUT TCP packets with destination IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
                    // Common values
                    pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
                    pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                    pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_PASS;
                    pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_SEND;

                    // Network layer filter
                    in_addr address;
                    in_addr mask;

                    // IP address 64.251.25.36
                    address.S_un.S_un_b.s_b1 = 64;
                    address.S_un.S_un_b.s_b2 = 251;
                    address.S_un.S_un_b.s_b3 = 25;
                    address.S_un.S_un_b.s_b4 = 36;

                    // Network mask 255.255.255.255
                    mask.S_un.S_un_b.s_b1 = 255;
                    mask.S_un.S_un_b.s_b2 = 255;
                    mask.S_un.S_un_b.s_b3 = 255;
                    mask.S_un.S_un_b.s_b4 = 255;

                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_DEST_ADDRESS;
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_AddressType = IP_SUBNET_V4_TYPE;
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
                    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

                    // Transport layer filter
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DEST_PORT;
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
                    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;

                    //******************************************************************************************
                    // 2. Incoming HTTP responses filter: PASS IN TCP packets with source IP 64.251.25.36 PORT 80 (http://www.ntkernel.com)
                    // Common values
                    pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
                    pFilters->m_StaticFilters[1].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
                    pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
                    pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = IPV4;
                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL | IP_V4_FILTER_SRC_ADDRESS;
                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_AddressType = IP_SUBNET_V4_TYPE;
                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_Ip = address.S_un.S_addr; // IP address
                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_SrcAddress.m_IpSubnet.m_IpMask = mask.S_un.S_addr; // network mask
                    pFilters->m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_TCP;

                    // Transport layer filter
                    pFilters->m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = TCPUDP;
                    pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_SRC_PORT;
                    pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
                    pFilters->m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;

                    //***************************************************************************************
                    // 3. Drop all packets (skipped by previous filters) without processing in user mode
                    // Common values
                    pFilters->m_StaticFilters[2].m_Adapter.QuadPart = 0; // applied to all adapters
                    pFilters->m_StaticFilters[2].m_ValidFields = 0;
                    pFilters->m_StaticFilters[2].m_FilterAction = FILTER_PACKET_DROP;
                    pFilters->m_StaticFilters[2].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

                    Правда, при таком наборе фильтров, к ntkernel.com можно будет достучаться только по адресу http://64.251.25.36, потому что DNS пакеты буду блокироваться. Для того чтобы работала DNS нужно добавить правило разрешающее DNS пакеты. Роутер добавлять необязательно (если конечно он выполняет роль DNS сервера, то можно разрешить к нему полный доступ, и заморачиваться специфическими DNS правилами).

                    in reply to: Detecting of application component name #6636
                    Vadim Smirnov
                    Keymaster

                      The task is very similar to what debugger does when it shows you the call stack. You can try to search for open source debugging tools. Also debugging relative books should be helpful. Personally I like this one http://www.amazon.com/Advanced-Debugging-Addison-Wesley-Microsoft-Technology/dp/0321374460

                      in reply to: Detecting of application component name #6634
                      Vadim Smirnov
                      Keymaster

                        You can parse the user mode stack of the calling thread. On the top of the stack is usually ntdll.dll and so on.

                        However, if you are trying to detect Trojan module then it can be a bit complex. It is possible to work with TDI directly thus bypassing most of the user mode network modules. It is event possible to bypass ntdll.dll by replicating necessary system calls in Trojan module. In this case Trojan DLL will be on top of the stack. This makes the task of parsing the call stack quite complex.

                        in reply to: how to capture packets of all adapters #6632
                        Vadim Smirnov
                        Keymaster

                          Please refer WWWCensor sample which do filter on all available network interfaces.

                          //
                          // Get system installed network interfaces
                          //
                          api.GetTcpipBoundAdaptersInfo ( &AdList );

                          //
                          // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
                          //
                          ADAPTER_MODE Mode;
                          Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                          //
                          // Create notification events and initialize the driver to pass packets thru us
                          //
                          for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
                          {
                          hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

                          if (!hEvent[dwAdIndex])
                          {
                          printf("Failed to create notification event for network interface n");
                          return 0;
                          }

                          Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                          //
                          // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
                          //
                          api.SetAdapterMode(&Mode);

                          //
                          // Set packet notification event for the network interface
                          //
                          api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
                          }


                          // Initialize common part of ETH_REQUEST
                          ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                          ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                          Request.EthPacket.Buffer = &PacketBuffer;

                          //
                          // Go into the endless loop (this is just a sample application)
                          //
                          while (TRUE)
                          {
                          //
                          // Wait before any of the interfaces is ready to indicate the packet
                          //
                          dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

                          //
                          // Complete initialization of ETH_REQUEST
                          //

                          Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                          //
                          // Read packet from the interface until there are any
                          //
                          while(api.ReadPacket(&Request))
                          {
                          //
                          // Get Ethernet header
                          //
                          pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

                          //
                          // Check if Ethernet frame contains IP packet
                          //
                          if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
                          {
                          //
                          // Get IP header
                          //
                          pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                          //
                          // Check if IP packet contains TCP packet
                          //
                          if (pIpHeader->ip_p == IPPROTO_TCP)
                          {
                          //
                          // Get TCP header pointer
                          //
                          pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                          //
                          // Check if this HTTP packet (destined to remote system port 80, or received from it)
                          //

                          if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                          ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                          {
                          //
                          // Get data size in the packet and pointer to the data
                          //

                          DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
                          PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

                          // If packet contains any data - process it
                          if (dwDataLength)
                          {
                          //
                          // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
                          //
                          memcpy (szTempString, pData, dwDataLength);
                          for (unsigned t = 0; t < dwDataLength; ++t)
                          {
                          if (szTempString[t] == 0)
                          szTempString[t] = 0x20;

                          if (isalpha((UCHAR)szTempString[t]))
                          szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                          }
                          szTempString[dwDataLength] = 0;

                          //
                          // Check if this packet payload contains user supplied pattern in ASCII code
                          //

                          if (strstr ( szTempString, szPattern ))
                          bDrop = TRUE;
                          }
                          }

                          }
                          }

                          if(bDrop)
                          {
                          printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
                          pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                          pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                          bDrop = FALSE;
                          }
                          else
                          if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                          {
                          // Place packet on the network interface
                          api.SendPacketToAdapter(&Request);
                          }
                          else
                          {
                          // Indicate packet to MSTCP
                          api.SendPacketToMstcp(&Request);
                          }
                          }

                          //
                          // Reset signalled event
                          //
                          ResetEvent(hEvent[dwAdIndex]);

                          }
                          in reply to: VirtNet on WXP x64 #6623
                          Vadim Smirnov
                          Keymaster

                            VirtNet is easy to build for x64, but I had not yet time to update INF file to allow installation on x64 systems. I will add x64 version when have got some spare time.

                            in reply to: Injecting Browser Helper Objects Remotely ==? #6622
                            Vadim Smirnov
                            Keymaster

                              Since the dissassembler can’t locate the functions in the dissassembly, please suggest some other way of reversing the dll ?

                              The DLL can be packed and disassembler can’t decode it without additional effort. However, many things depends from the disassembler you use and particular BHO.

                              Any further info on this method of attack, that is, how can someone remotely inject BHOs(browser helper objects) into my browser ?

                              BHO is an in-process COM object and it should be registered as any normal COM object plus it has to create several registry entries specific to BHO. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.

                              in reply to: Using VirtNet HELP !!! #6618
                              Vadim Smirnov
                              Keymaster

                                Hmm, you mean that HL server reports its IP addresses to master server? If so then probably VirtNet adapter with assigned external IP address is a solution. In any case you will also need the correct port mapping on NAT device.

                                The problem may appear if HL server reports only one IP address (from which it communicate to master server).

                                – Must i set MAC address identical to physical network card ? i think yes

                                I think no, MAC address for VirtNet does not really makes sense because this adapter never really sends/receives packets.

                                – How frames are routed/dispatch between the 2 addresses

                                If you have got configured port mapping on NAT device you will receive packets to 192.168.2.200 and you don’t really need to care about routing.

                                – Is the Virtual IP is knowne from router. In this case have i to forward incoming frames to Virtual IP rather than 192.168.2.200

                                Don’t understand what you mean.

                                – Have i set new routes on server and/or router

                                I have already mentioned port mapping required on NAT device.

                                in reply to: WinpkFilter sample in Visual Basic 6.0 #6617
                                Vadim Smirnov
                                Keymaster

                                  And the wwwcensor.exe doesn’t works in my computer to block a url. It doens’t stop the navigate.

                                  It worked fine for me and not only for me. Do other samples work fine on your system? How do you actually use use it?

                                  Could you send me a sample how to do this?

                                  wwwcensor demonstrates URL/content filtering for HTTP protocol. It blocks any HTTP packets containing the command line specified keyword. An example, to block access to yahoo.com it should be used as below:

                                  D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe
                                  Command line syntax:
                                  wwwcensor.exe pattern
                                  pattern – phrase or word to block HTTP packets with.

                                  D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe yahoo
                                  TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                                  TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                                  TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
                                  TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped

                                  Note, that it also blocks any packet containing “yahoo” word, not only packets to/from yahoo.com.

                                  If ONLY URL filtering is required then you have two options:
                                  1) Block DNS requests for the forbidden sites (this does not allow your system to figure out the IP address and access the site).
                                  2) Parse HTTP packets for GET request and block packet if it requests the forbidden URL.

                                Viewing 15 posts - 916 through 930 (of 1,486 total)