Forum Replies Created
For example, every registered COM DLL has a corresponding registry entry. It may happen that the COM DLL is removed from disk but the registry entry still exists. So you take the registry entry and check whether it points to an existing DLL; if not, then this registry entry is invalid.
Probably you are right and the tool you mentioned monitors the process behavior and the imported/used Win32 APIs. For example, not every normal process uses CreateRemoteThread.
Hmm, you can bypass Win32 and use the native API. You can even rewrite some Win32 APIs in terms of other ones. However, there is no way for a user-mode application to do anything without somehow calling the kernel.
You don't really need to import ntdll.dll functions, though; you can use INT 2E (SYSCALL/SYSENTER) directly to call kernel services. Probably this is what is mentioned in the quote you posted.
If the file was opened in non-shared mode, then you won't be able to access it from another process using the Win32 API. However, you can still open the volume device in raw mode (bypassing the filesystem) and read the sectors containing the file data.
You can use a file system filter driver to monitor all file operations. However, in the case of the Windows message you mentioned, it is rather implemented in Windows Explorer, and you will be able to remove those files through the command line or another file manager.
Since officially MS does provide tools for extending Windows with new subsystems, the task looks very non-trivial (if possible at all without having access to the complete source code).
Among the VB samples in the WinpkFilter package you can find PassThru. This is a basic sample for filtering (dropping, passing, modifying) network packets.
Maybe the reason is the loopback packet indication. You see the packet twice: once when it is sent, and a second time when it is indicated back by NDIS (loopback indication) to the installed protocols. This is just a guess, because I have no idea how you emulate packets on VirtNet.
Internet Gateway can be installed on Windows XP in two variants: with the NDIS hooking driver or with the NDIS IM driver. As I can see from the log, you have chosen to install the NDIS IM driver; however, had you not installed the WinpkFilter runtime on this system before? Or Internet Gateway with the NDIS hooking driver selected?
Testing WinpkFilter 3.0.4 on Windows Vista x64 SP1 has not revealed any problems.
Probably you have experienced some software conflict, or the installation went wrong because of the Driver Signing policy.
What do you actually mean by "access"? The address? If so, then you have to parse the PE header as usual to get the import table address.
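The reply above about parsing the PE header and the earlier one about spotting which Win32 APIs a process imports (CreateRemoteThread being the example given) are the same job. The following C program is an added example, not code from this thread or from NT Kernel Resources: it locates the import directory through the DOS, file and optional headers, maps RVAs to file offsets via the section table, and walks each descriptor's thunk array looking for a named import. The PE structures are declared by hand rather than taken from windows.h so it also compiles outside Windows; the small PE32 image it inspects is constructed in memory for the demo (an assumption, not a real binary), and a little-endian host is assumed.

```c
/* Added example, not code from the thread: walk a PE image's import table to answer
 * "does this binary import kernel32!CreateRemoteThread?". Headers are declared by hand
 * (no windows.h), a little-endian host is assumed, and the sample image is constructed. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } DosHeader;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHeader;
typedef struct { uint32_t VirtualAddress, Size; } DataDirectory;
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers; uint32_t Characteristics; } SectionHeader;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDescriptor;
#pragma pack(pop)
#define BAD_OFFSET UINT32_MAX
typedef struct { int is64; size_t sec_off; uint16_t nsec; DataDirectory import; } PeInfo;

static int read_at(const uint8_t *img, size_t len, size_t off, void *dst, size_t n) { /* every read is bounds-checked */
    if (off > len || n > len - off) return 0;
    memcpy(dst, img + off, n);
    return 1;
}
/* DOS header -> "PE\0\0" -> file header -> optional header -> data directory[1] (imports). */
static int parse_headers(const uint8_t *img, size_t len, PeInfo *pi) {
    DosHeader dos; FileHeader fh; uint8_t sig[4]; uint16_t magic; uint32_t ndirs;
    if (!read_at(img, len, 0, &dos, sizeof dos) || dos.e_magic != 0x5A4D) return 0;
    if (!read_at(img, len, dos.e_lfanew, sig, 4) || memcmp(sig, "PE\0\0", 4) != 0) return 0;
    size_t fh_off = (size_t)dos.e_lfanew + 4, opt = fh_off + sizeof fh;
    if (!read_at(img, len, fh_off, &fh, sizeof fh) || !read_at(img, len, opt, &magic, 2)) return 0;
    /* PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96; PE32+ at +108 and +112. */
    size_t ndirs_off = magic == 0x10b ? 92 : magic == 0x20b ? 108 : 0;
    if (ndirs_off == 0 || !read_at(img, len, opt + ndirs_off, &ndirs, 4)) return 0;
    pi->is64 = (magic == 0x20b); pi->nsec = fh.NumberOfSections; pi->sec_off = opt + fh.SizeOfOptionalHeader;
    pi->import.VirtualAddress = pi->import.Size = 0;
    if (ndirs < 2) return 1;                                   /* image has no import directory */
    return read_at(img, len, opt + ndirs_off + 4 + sizeof(DataDirectory), &pi->import, sizeof pi->import);
}
/* Translate an RVA to a file offset through the section table; BAD_OFFSET if nothing on disk backs it. */
static uint32_t rva_to_offset(const uint8_t *img, size_t len, const PeInfo *pi, uint32_t rva) {
    SectionHeader sh;
    for (uint16_t i = 0; i < pi->nsec; i++) {
        if (!read_at(img, len, pi->sec_off + (size_t)i * sizeof sh, &sh, sizeof sh)) return BAD_OFFSET;
        uint32_t span = sh.VirtualSize > sh.SizeOfRawData ? sh.VirtualSize : sh.SizeOfRawData;
        if (rva < sh.VirtualAddress || rva - sh.VirtualAddress >= span) continue;
        uint32_t delta = rva - sh.VirtualAddress;              /* past SizeOfRawData: zero-filled in memory only */
        uint64_t off = (uint64_t)sh.PointerToRawData + delta;
        return delta < sh.SizeOfRawData && off < len ? (uint32_t)off : BAD_OFFSET;
    }
    return BAD_OFFSET;
}
/* Compare a NUL-terminated name inside the image with `want` without overrunning the buffer. */
static int name_eq(const uint8_t *img, size_t len, size_t off, const char *want, int fold) {
    size_t n = strlen(want);
    if (off > len || n + 1 > len - off) return 0;
    for (size_t i = 0; i <= n; i++) {                          /* i == n compares the terminating NUL */
        int a = img[off + i], b = (unsigned char)want[i];
        if (fold ? tolower(a) != tolower(b) : a != b) return 0;
    }
    return 1;
}
/* 1 if `func` is imported from `dll` (DLL name case-insensitive), 0 if not, -1 if the image is malformed. */
int pe_imports(const uint8_t *img, size_t len, const char *dll, const char *func) {
    PeInfo pi; ImportDescriptor d;
    if (!parse_headers(img, len, &pi)) return -1;
    if (pi.import.VirtualAddress == 0) return 0;               /* no import table at all */
    size_t tsz = pi.is64 ? 8 : 4;                              /* thunk width */
    uint64_t ordinal_flag = pi.is64 ? (1ULL << 63) : (1ULL << 31);
    for (uint32_t i = 0; i < 1024; i++) {                      /* cap: a corrupt table must not spin */
        uint32_t off = rva_to_offset(img, len, &pi, pi.import.VirtualAddress + i * (uint32_t)sizeof d);
        if (off == BAD_OFFSET || !read_at(img, len, off, &d, sizeof d)) return -1;
        if (d.Name == 0 && d.FirstThunk == 0) return 0;        /* all-zero descriptor ends the list */
        uint32_t name_off = rva_to_offset(img, len, &pi, d.Name);
        if (name_off == BAD_OFFSET) return -1;
        if (!name_eq(img, len, name_off, dll, 1)) continue;
        /* The INT (OriginalFirstThunk) survives binding; fall back to the IAT when it is absent. */
        uint32_t thunk_rva = d.OriginalFirstThunk ? d.OriginalFirstThunk : d.FirstThunk;
        for (uint32_t j = 0; j < 65536; j++) {
            uint64_t thunk = 0;
            uint32_t toff = rva_to_offset(img, len, &pi, thunk_rva + j * (uint32_t)tsz);
            if (toff == BAD_OFFSET || !read_at(img, len, toff, &thunk, tsz)) return -1;
            if (thunk == 0) break;
            if (thunk & ordinal_flag) continue;                /* import by ordinal: no name to compare */
            uint32_t ibn = rva_to_offset(img, len, &pi, (uint32_t)thunk);
            if (ibn == BAD_OFFSET) return -1;
            if (name_eq(img, len, ibn + 2, func, 0)) return 1; /* +2 skips the 16-bit Hint */
        }
    }
    return -1;                                                 /* descriptor list never terminated */
}
/* Constructed sample (assumption, not a real binary): a 1 KiB PE32 with one .idata section
 * importing kernel32!CreateRemoteThread, kernel32!CreateThread and user32!MessageBoxA. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    DosHeader dos = {0x5A4D, {0}, 0x40}; FileHeader fh = {0x14c, 1, 0, 0, 0, 224, 0x102};
    SectionHeader sh = {".idata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040};
    DataDirectory imp = {0x1000, 60}; uint16_t magic = 0x10b; uint32_t ndirs = 16;
    ImportDescriptor d0 = {0x1040, 0, 0, 0x1060, 0x1050}, d1 = {0x10C0, 0, 0, 0x10E0, 0x10D0};
    uint32_t k32[3] = {0x1080, 0x10A0, 0}, u32[2] = {0x1100, 0};
    if (cap < 1024) return 0;
    memset(buf, 0, 1024);
    memcpy(buf, &dos, sizeof dos); memcpy(buf + 0x40, "PE\0\0", 4); memcpy(buf + 0x44, &fh, sizeof fh);
    memcpy(buf + 0x58, &magic, 2); memcpy(buf + 0x58 + 92, &ndirs, 4); memcpy(buf + 0x58 + 104, &imp, 8);
    memcpy(buf + 0x58 + 224, &sh, sizeof sh);
    uint8_t *s = buf + 0x200;                                  /* .idata raw data, mapped at RVA 0x1000 */
    memcpy(s, &d0, 20); memcpy(s + 0x14, &d1, 20); memcpy(s + 0x40, k32, 12); memcpy(s + 0x50, k32, 12);
    memcpy(s + 0x60, "kernel32.dll", 13); memcpy(s + 0x82, "CreateRemoteThread", 19); memcpy(s + 0xA2, "CreateThread", 13);
    memcpy(s + 0xC0, u32, 8); memcpy(s + 0xD0, u32, 8); memcpy(s + 0xE0, "user32.dll", 11); memcpy(s + 0x102, "MessageBoxA", 12);
    return 1024;
}
/* Query the sample, optionally pretending the file was cut short at `len` bytes. */
int sample_imports(const char *dll, const char *func, size_t len) {
    uint8_t img[1024]; build_sample_pe(img, sizeof img); return pe_imports(img, len > sizeof img ? sizeof img : len, dll, func);
}
int main(void) {
    printf("CreateRemoteThread: %d  ExitProcess: %d  truncated file: %d\n", sample_imports("kernel32.dll", "CreateRemoteThread", 1024), sample_imports("kernel32.dll", "ExitProcess", 1024), sample_imports("kernel32.dll", "CreateRemoteThread", 600));
    return 0;
}
```

Walking OriginalFirstThunk rather than FirstThunk matters for this check: once the loader, or binding, has overwritten the IAT with addresses, the names survive only in the INT. A missing import is also not proof that the API is unused; code can reach CreateRemoteThread through GetProcAddress, or skip kernel32 entirely and call ntdll or the syscall instruction, which is the point made in the replies above about the native API.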
Could you please clarify what version of WinpkFilter you have been using on Vista x64?
Since this is a virtual network interface, you can't connect two systems with it, but you can emulate the connection between two VirtNet adapters with WinpkFilter. However, you will need some real transport between your computers (another network adapter, a direct cable connection, Bluetooth, etc.).
1. How can we redirect the IP which is browsing the restricted websites to the desired page? Our program blocks the website, but it is unable to redirect the page.
You can't redirect connections using the existing LNM API; it would require an additional kernel-level extension. Actually, redirects are far easier to implement using WinpkFilter.
2. We connected two PCs via a LAN cable and gave an Internet connection to one of them (the gateway). We are accessing the Internet on the other PC via the first one. But the data of the non-gateway PC is encrypted, and hence we are unable to monitor its requests.
The only correct way I can see is installing your software on the gateway system and monitoring the Internet connection with WinpkFilter. The LNM API does not have access to the routed packets.
The problem is fixed in 2.2.6. Thanks again for reporting this.