Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 946 through 960 (of 1,506 total)
in reply to: how to capture packets of all adapters #6632
Vadim Smirnov
Keymaster

Please refer to the WWWCensor sample, which filters on all available network interfaces.

//
// Declarations the excerpt below relies on. They sit at the top of the sample and were not
// part of the original post; adjust the include paths to where the WinpkFilter headers live.
//
#include "ndisapi.h"   // CNdisApi, TCP_AdapterList, ADAPTER_MODE, ETH_REQUEST, INTERMEDIATE_BUFFER
#include "iphlp.h"     // ether_header, iphdr, tcphdr

TCP_AdapterList     AdList;
CNdisApi            api;
ETH_REQUEST         Request;
INTERMEDIATE_BUFFER PacketBuffer;
HANDLE              hEvent[ADAPTER_LIST_SIZE];
DWORD               dwAdIndex;
ether_header_ptr    pEthHeader;
iphdr_ptr           pIpHeader;
tcphdr_ptr          pTcpHeader;
char                szTempString[MAX_ETHER_FRAME + 1]; // +1 for the terminating zero written below
char*               szPattern;                          // keyword from the command line, already upper-cased
BOOL                bDrop = FALSE;

//
// Nothing below works without the driver, so check for it first
//
if (!api.IsDriverLoaded())
{
    printf("Driver not installed on this system or failed to load.\n");
    return 0;
}

//
// Get system installed network interfaces
//
api.GetTcpipBoundAdaptersInfo ( &AdList );

//
// Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
//
ADAPTER_MODE Mode;
Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

//
// Create notification events and initialize the driver to pass packets thru us
//
for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
{
    hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

    if (!hEvent[dwAdIndex])
    {
        printf("Failed to create notification event for network interface\n");
        return 0;
    }

    Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
    //
    api.SetAdapterMode(&Mode);

    //
    // Set packet notification event for the network interface
    //
    api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
}

// Initialize common part of ETH_REQUEST
ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
Request.EthPacket.Buffer = &PacketBuffer;

//
// Go into the endless loop (this is just a sample application)
//
while (TRUE)
{
    //
    // Wait until any of the interfaces is ready to indicate a packet
    //
    dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

    //
    // Complete initialization of ETH_REQUEST
    //
    Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

    //
    // Read packets from the interface while there are any
    //
    while(api.ReadPacket(&Request))
    {
        //
        // Get Ethernet header
        //
        pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

        //
        // Check if Ethernet frame contains IP packet
        //
        if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
        {
            //
            // Get IP header
            //
            pIpHeader = (iphdr_ptr)(pEthHeader + 1);

            //
            // Check if IP packet contains TCP packet
            //
            if (pIpHeader->ip_p == IPPROTO_TCP)
            {
                //
                // Get TCP header pointer
                //
                pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                //
                // Check if this is an HTTP packet (destined to remote system port 80, or received from it)
                //
                if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                    ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                {
                    //
                    // Get data size in the packet and pointer to the data. ip_hl and th_off come
                    // from the packet itself, so check them against m_Length: otherwise a malformed
                    // packet makes dwDataLength wrap and the memcpy below overruns szTempString.
                    //
                    DWORD dwHeadersLength = sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4;
                    DWORD dwDataLength = (PacketBuffer.m_Length > dwHeadersLength) ? PacketBuffer.m_Length - dwHeadersLength : 0;
                    PCHAR pData = (PCHAR)pEthHeader + dwHeadersLength;

                    // If packet contains any data - process it
                    if (dwDataLength)
                    {
                        //
                        // Copy packet payload into the temporary string, replace all 0 bytes with 0x20,
                        // convert the string to upper case and terminate it
                        //
                        memcpy (szTempString, pData, dwDataLength);
                        for (unsigned t = 0; t < dwDataLength; ++t)
                        {
                            if (szTempString[t] == 0)
                                szTempString[t] = 0x20;

                            if (isalpha((UCHAR)szTempString[t]))
                                szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                        }
                        szTempString[dwDataLength] = 0;

                        //
                        // Check if this packet payload contains the user supplied pattern in ASCII
                        //
                        if (strstr ( szTempString, szPattern ))
                            bDrop = TRUE;
                    }
                }
            }
        }

        if(bDrop)
        {
            printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped\n",
                pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
            bDrop = FALSE;
        }
        else if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
        {
            // Place packet on the network interface
            api.SendPacketToAdapter(&Request);
        }
        else
        {
            // Indicate packet to MSTCP
            api.SendPacketToMstcp(&Request);
        }
    }

    //
    // Reset signalled event
    //
    ResetEvent(hEvent[dwAdIndex]);
}
in reply to: VirtNet on WXP x64 #6623
Vadim Smirnov
Keymaster

VirtNet is easy to build for x64, but I have not yet had time to update the INF file to allow installation on x64 systems. I will add the x64 version when I have some spare time.

in reply to: Injecting Browser Helper Objects Remotely ==? #6622
Vadim Smirnov
Keymaster

Since the disassembler can't locate the functions in the disassembly, please suggest some other way of reversing the DLL?

The DLL can be packed, and a disassembler can't decode it without additional effort. However, many things depend on the disassembler you use and the particular BHO.

Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects) into my browser?

A BHO is an in-process COM object; it has to be registered like any normal COM object, plus it has to create several BHO-specific registry entries. So if the particular BHO was not installed by you, then someone has managed to remotely execute installation code on your system.

in reply to: Using VirtNet HELP !!! #6618
Vadim Smirnov
Keymaster

Hmm, you mean that the HL server reports its IP addresses to the master server? If so, then a VirtNet adapter with the external IP address assigned to it is probably a solution. In any case you will also need the correct port mapping on the NAT device.

The problem may appear if the HL server reports only one IP address (the one from which it communicates with the master server).

– Must I set the MAC address identical to the physical network card? I think yes

I think no; the MAC address of VirtNet does not really make sense, because this adapter never really sends/receives packets.

– How are frames routed/dispatched between the 2 addresses?

If you have port mapping configured on the NAT device you will receive packets to 192.168.2.200, and you don't really need to care about routing.

– Is the virtual IP known to the router? In this case do I have to forward incoming frames to the virtual IP rather than to 192.168.2.200?

I don't understand what you mean.

– Do I have to set new routes on the server and/or router?

I have already mentioned the port mapping required on the NAT device.

in reply to: WinpkFilter sample in Visual Basic 6.0 #6617
Vadim Smirnov
Keymaster

And wwwcensor.exe doesn't work on my computer to block a URL. It doesn't stop the navigation.

It worked fine for me, and not only for me. Do other samples work fine on your system? How do you actually use it?

Could you send me a sample of how to do this?

wwwcensor demonstrates URL/content filtering for the HTTP protocol. It blocks any HTTP packet containing the keyword specified on the command line. For example, to block access to yahoo.com it should be used as below:

D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe
Command line syntax:
wwwcensor.exe pattern
pattern – phrase or word to block HTTP packets with.

D:…dsntkvpnsamplesMSVCbinamd64>wwwcensor.exe yahoo
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped
TCP 192.168.1.179:29627 -> 87.248.113.14:80 pattern found & packet dropped

Note that it also blocks any packet containing the word “yahoo”, not only packets to/from yahoo.com.

If ONLY URL filtering is required, then you have two options:
1) Block DNS requests for the forbidden sites (this does not allow your system to figure out the IP address and access the site).
2) Parse HTTP packets for the GET request and block the packet if it requests the forbidden URL.
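Both options above, as an added example in C that is not the WinpkFilter sample's code and not the author's: should_drop() walks Ethernet/IPv4/TCP-or-UDP with every header length checked against the frame length (the WWWCensor excerpt earlier on this page takes ip_hl and th_off from the packet without checking them against m_Length), then drops a DNS query for the forbidden domain or any of its subdomains (option 1), or an HTTP request whose Host header is in that domain (option 2), instead of every packet that merely contains the keyword. Assumptions: IPv4 without VLAN tags, HTTP on port 80 only, GET and POST only; build_frame() and the frames it produces are constructed test input, not captured traffic, and all function names are mine.

```c
/* Added example, not code from the WinpkFilter samples: decide whether a raw Ethernet frame is
 * dropped by DNS query name or HTTP Host, with every header length checked against the frame
 * size. Assumes IPv4 without VLAN tags; the sample frames are constructed, not captured. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN 14
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int ieq(const uint8_t *p, const char *s, size_t n)       /* case-insensitive memcmp */
{ while (n--) if (tolower(*p++) != tolower((unsigned char)*s++)) return 0; return 1; }

/* Ethernet -> IPv4 -> TCP/UDP. Returns 6 or 17 and the L4 payload, 0 if malformed or other:
 * a forged ip_hl or th_off is rejected instead of moving the payload pointer past the buffer. */
static int l4_payload(const uint8_t *f, size_t n, uint16_t *dport, const uint8_t **pl, size_t *pln)
{
    if (n < ETH_HLEN + 20 || rd16(f + 12) != 0x0800) return 0;
    const uint8_t *ip = f + ETH_HLEN, *l4;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16(ip + 2), l4len, hlen;
    if ((ip[0] >> 4) != 4 || ihl < 20 || tot < ihl || tot > n - ETH_HLEN) return 0;
    if (rd16(ip + 6) & 0x1fff) return 0;                        /* later fragment: no L4 header */
    l4 = ip + ihl; l4len = tot - ihl;
    if (ip[9] == 6)       hlen = l4len >= 20 ? (size_t)(l4[12] >> 4) * 4 : 0;
    else if (ip[9] == 17) hlen = 8;
    else return 0;
    if (hlen < (ip[9] == 6 ? 20u : 8u) || hlen > l4len) return 0;
    *dport = rd16(l4 + 2); *pl = l4 + hlen; *pln = l4len - hlen;
    return ip[9];
}

/* First question name of a DNS query (QR=0) as lower-case dotted text; 0 if not a query. */
static int dns_qname(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t i = 12, o = 0;
    if (n < 12 || (p[2] & 0x80) || rd16(p + 4) == 0) return 0;
    for (;;) {
        if (i >= n) return 0;
        uint8_t len = p[i++];
        if (len == 0) break;
        if ((len & 0xc0) || i + len > n || o + len + 2 > outsz) return 0;  /* no pointers in a query */
        if (o) out[o++] = '.';
        while (len--) out[o++] = (char)tolower(p[i++]);
    }
    out[o] = 0;
    return o > 0;
}

/* Host header of an HTTP request segment (lower-cased, :port removed); 0 if the segment does
 * not start with a request line, e.g. POST body bytes arriving in a later segment. */
static int http_host(const uint8_t *p, size_t n, char *host, size_t hsz)
{
    if (!(n > 4 && ieq(p, "GET ", 4)) && !(n > 5 && ieq(p, "POST ", 5))) return 0;
    host[0] = 0;
    for (size_t i = 0; i < n; ) {
        while (i < n && p[i] != '\n') i++;                      /* advance to the next line */
        if (++i >= n || p[i] == '\r' || p[i] == '\n') break;    /* blank line ends the headers */
        if (n - i > 5 && ieq(p + i, "host:", 5)) {
            size_t s = i + 5, e, k;
            while (s < n && p[s] == ' ') s++;
            for (e = s; e < n && p[e] != '\r' && p[e] != '\n' && p[e] != ':'; e++) ;
            if (e - s >= hsz) return 0;
            for (k = 0; k < e - s; k++) host[k] = (char)tolower(p[s + k]);
            host[k] = 0;
        }
    }
    return 1;
}

/* Exact or subdomain match: "mail.yahoo.com" matches the rule "yahoo.com". */
static int host_matches(const char *name, const char *rule)
{
    size_t ln = strlen(name), lr = strlen(rule);
    if (ln < lr || strcmp(name + ln - lr, rule) != 0) return 0;
    return ln == lr || name[ln - lr - 1] == '.';
}

/* 1 = drop: a DNS query for the rule's domain, or an HTTP request whose Host is in it.
 * Anything unparsable passes (fails open), the sane default for code in the forwarding path. */
int should_drop(const uint8_t *f, size_t n, const char *rule)
{
    uint16_t dport = 0; const uint8_t *pl = NULL; size_t pln = 0; char name[256];
    int proto = l4_payload(f, n, &dport, &pl, &pln);
    if (proto == 17 && dport == 53 && dns_qname(pl, pln, name, sizeof name)) return host_matches(name, rule);
    if (proto == 6 && dport == 80 && http_host(pl, pln, name, sizeof name)) return host_matches(name, rule);
    return 0;
}

/* Wrap a payload (< 200 bytes) in a constructed, not captured, Ethernet/IPv4/TCP-or-UDP frame. */
size_t build_frame(uint8_t *out, int proto, uint16_t dport, const void *pl, size_t pln)
{
    size_t hlen = proto == 6 ? 20 : 8, tot = 20 + hlen + pln;
    uint8_t *ip = out + ETH_HLEN, *l4 = ip + 20;
    memset(out, 0, ETH_HLEN + tot); out[12] = 0x08;                /* EtherType 0x0800 */
    ip[0] = 0x45; ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot; ip[9] = (uint8_t)proto;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    if (proto == 6) l4[12] = 0x50; else l4[5] = (uint8_t)(8 + pln); /* th_off = 5 / UDP length */
    memcpy(l4 + hlen, pl, pln);
    return ETH_HLEN + tot;
}
```

In the WinpkFilter loop this replaces the strstr test: call should_drop(PacketBuffer.m_IBuffer, PacketBuffer.m_Length, rule) on packets read with PACKET_FLAG_ON_SEND and only hand them to SendPacketToAdapter when it returns 0. Blocking the DNS query (option 1) only helps while the client has to resolve the name through the filtered interface; a cached or hard-coded address still reaches the site, which is why the Host check (option 2) is worth keeping as well.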

in reply to: Problem In Programming Registry #6611
Vadim Smirnov
Keymaster

For example, every registered COM DLL has a corresponding registry entry. It may happen that the COM DLL has been removed from disk but the registry entry still exists. So you take the registry entry and check whether it points to an existing DLL; if not, then this registry entry is invalid.

in reply to: More Info Needed In Process Enumeration #6610
Vadim Smirnov
Keymaster

Probably you are right and the mentioned tool monitors the process behavior and the imported/used Win32 API. For example, not every normal process uses CreateRemoteThread.

in reply to: creating win32 api == ? #6612
Vadim Smirnov
Keymaster

Hmm, you can bypass Win32 and use the native API. You can even rewrite some Win32 APIs in terms of other ones. However, there is no way for a user mode application to do anything without somehow calling the kernel.

Though you don't really need to import ntdll.dll functions; you can use INT 2E (SYSCALL/SYSENTER) directly to call kernel services. Probably this is what is mentioned in the quote you posted.

in reply to: Accessing "in Use" Files == ? #6613
Vadim Smirnov
Keymaster

If the file was opened in non-shared mode then you won't be able to access it from another process using the Win32 API. However, you can still open the volume device in raw mode (bypassing the file system) and read the sectors containing the file data.

in reply to: custom message on deletion of file… #6614
Vadim Smirnov
Keymaster

You can use a file system filter driver to monitor all file operations. However, the Windows message you have mentioned is rather implemented in Windows Explorer, and you will still be able to remove those files through the command line or another file manager.

in reply to: Implementing Custom Subsystem == ? #6609
Vadim Smirnov
Keymaster

Since officially MS does provide tools for extending Windows with new subsystems, the task looks very non-trivial (if possible at all without access to the complete source code).

in reply to: WinpkFilter sample in Visual Basic 6.0 #6615
Vadim Smirnov
Keymaster

Among the VB samples in the WinpkFilter package you can find PassThru. This is the basic sample for filtering (dropping, passing, modifying) network packets.

in reply to: Capturing double copies in VirtNet Adapter #6604
Vadim Smirnov
Keymaster

Maybe the reason is the loopback packet indication. You see the packet twice: once when it is sent, and a second time when it is indicated back by NDIS (loopback indication) to the installed protocols. This is just a guess, because I have no idea how you emulate packets on VirtNet.

in reply to: Error when installing Internet Gateway #6603
Vadim Smirnov
Keymaster

Internet Gateway can be installed on Windows XP in two variants, with the NDIS hooking driver or with the NDIS IM driver. As I can see from the log you have chosen to install the NDIS IM driver; however, hadn't you installed the WinpkFilter run time on this system before? Or Internet Gateway with the NDIS hooking driver selected?

in reply to: winpkfilter – Vista x64 SP1 compatible? #6601
Vadim Smirnov
Keymaster

Testing WinpkFilter 3.0.4 on Windows Vista x64 SP1 has not discovered any problems.

Probably you have experienced some software conflict, or the installation went wrong because of the driver signing policy.
