Vadim Smirnov

Forum Replies Created

  in reply to: winpkflt can’t filter using winpcap library? #6427
    Vadim Smirnov
    Keymaster

      but some network attack tools are made with the winpcap library.

      If a network attack is performed from a remote host against the system with WinpkFilter installed, you will be able to intercept/block the attacker's packets, whether they were sent with winpcap or anything else.

      If you want to block/inspect locally installed winpcap activities, then this is also possible with a simple extension of WinpkFilter (add winpcap to the list of hooked protocols in the NDIS hooking driver; the NDIS IM build filters all protocols by default).

      in reply to: TCP/IP Hook – Traffic observing for all IP’s #6398
      Vadim Smirnov
      Keymaster

        The sample above is good for blocking undesired content (not only URLs). So I don’t think it is applicable to the reversed solution.

        Basically you have several possibilities:

        1) Allow only those IPs which host permitted URLs. If an outgoing HTTP packet (with destination port 80) is destined to an IP address not in the list, then just drop it.
        2) Parse outgoing DNS packets and allow only those queries which are allowed by your URL list.
        3) Parse the HTTP GET request of each outgoing HTTP packet and match the URL against your URL list.
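        As an added illustration of option 3 (not code from this thread or from WinpkFilter), the C routine below pulls the request path and the Host header out of an outgoing port-80 payload exactly as it sits in the packet (no terminating NUL) and checks them against a constructed allowlist; the allowlist entries, function names and sample requests are assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed allowlist: a host name and the path prefix permitted under it. */
typedef struct { const char *host; const char *path_prefix; } allow_t;
static const allow_t allow[] = { { "www.example.com", "/" }, { "intranet.local", "/docs/" } };

/* Case-insensitive compare of n bytes; header names and host names are case-insensitive. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}
/* First "\r\n" in [p, end), or end if there is none. */
static const char *eol(const char *p, const char *end) {
    for (; p + 1 < end; p++) if (p[0] == '\r' && p[1] == '\n') return p;
    return end;
}
/* Copy [s, e) into dst as a C string; refuse if it does not fit. */
static int put(char *dst, size_t n, const char *s, const char *e) {
    if ((size_t)(e - s) >= n) return 0;
    memcpy(dst, s, (size_t)(e - s)); dst[e - s] = 0; return 1;
}
/* Parse the request line and Host header of a payload as it sits in the packet (no NUL).
   Returns 1 and fills path/host, or 0 if the segment is not a usable GET request. */
int parse_get(const char *d, size_t len, char *path, size_t plen, char *host, size_t hlen) {
    const char *end = d + len, *sp1, *sp2, *line, *next;
    if (len < 4 || memcmp(d, "GET ", 4) != 0) return 0;
    sp1 = d + 4; sp2 = memchr(sp1, ' ', (size_t)(end - sp1));
    if (!sp2 || *sp1 != '/' || !put(path, plen, sp1, sp2)) return 0;
    line = eol(d, end);
    while (line < end) {
        line += 2; next = eol(line, end);
        if (next == line) break;                          /* empty line ends the headers */
        if (next - line > 6 && ieq(line, "Host: ", 6)) return put(host, hlen, line + 6, next);
        line = next;
    }
    return 0;                                             /* no Host header: cannot decide */
}
/* Verdict for an outgoing port-80 segment: 1 = permitted URL, 0 = drop, -1 = this segment
   carries no request line (a continuation), so the verdict belongs to per-connection state. */
int url_decision(const char *d, size_t len) {
    char path[512], host[256]; size_t i, hl;
    if (len < 4 || memcmp(d, "GET ", 4) != 0) return -1;
    if (!parse_get(d, len, path, sizeof path, host, sizeof host)) return 0;
    if (strstr(path, "..") != NULL) return 0;             /* dot segments could escape the prefix */
    for (i = 0; i < sizeof allow / sizeof allow[0]; i++) {
        hl = strlen(allow[i].host);
        if (ieq(host, allow[i].host, hl) && (host[hl] == 0 || host[hl] == ':') &&
            strncmp(path, allow[i].path_prefix, strlen(allow[i].path_prefix)) == 0) return 1;
    }
    return 0;
}
```

        In a WinpkFilter application this would run on the TCP payload of each outgoing port-80 packet, dropping those that return 0; a -1 result means the segment is a continuation of an earlier request, so the earlier verdict for that connection has to be remembered and applied.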

        in reply to: NDISRD rules #6422
        Vadim Smirnov
        Keymaster

          Are there any plans for some kind of rules for NDISRD? Sending every packet to user mode turns out to be too expensive.

          In principle there is nothing complicated about it; it could be done within a day if it is at the protocol/address/port level. Though I am not sure how much demand there would be for it. There have been cases when something like this was requested for a custom build, for example when only SYN packets had to be caught. How much anyone needs universal filters is hard to say, but I will think about the possibility of implementing it. 8)

          in reply to: NDIS + TDI #6421
          Vadim Smirnov
          Keymaster

            Actually, here is the question: at which point should the PID of the process that issued the connect request be obtained, so that on the very first arrival of this packet in WinPkFilter it can be dropped or passed? For example, I think that if this is done in the completion routine for connect, then the NDIS filter will have nothing to go on when blocking or allowing the FIRST packet, since that information will not exist yet.

            In the connect request, for example…

            When I call IoCallDriver with the TDI_QUERY_ADDRESS_INFO parameter, the error STATUS_CANCELLED ((NTSTATUS)0xC0000120L) is returned.
            What is the problem here?

            Judging by the status, the IRP was cancelled… Maybe the request was made to the wrong object?

            in reply to: listadapters.exe doesnt work… #6420
            Vadim Smirnov
            Keymaster

              XP SP2, yes I rebooted after the installation…and edited the reg files according to the installation in the help file.

              The installer creates the required registry entries itself and you don’t have to manually edit anything. The instructions are given for those who create their own installer which includes WinpkFilter. So maybe editing the registry caused the observed behavior.

              Another possible reason is installed third-party firewall/VPN/NAT software.

              in reply to: listadapters.exe doesnt work… #6418
              Vadim Smirnov
              Keymaster

                What operating system do you have? Have you rebooted after installation?

                in reply to: IP-Adress Redirect? #6415
                Vadim Smirnov
                Keymaster

                  How can I modify the destination MAC?

                  The MAC header is right before the IP header.

                  in reply to: IP-Adress Redirect? #6413
                  Vadim Smirnov
                  Keymaster

                    That depends on the proxy; if it is an HTTP proxy there is no problem, since the HTTP GET request contains the exact URL.

                    in reply to: IP-Adress Redirect? #6411
                    Vadim Smirnov
                    Keymaster

                      1) In addition to the IP address you also have to change the destination MAC address if the proxy is located in the same network segment as you are.
                      2) You have to memorize the connection {source IP, source port, original remote IP, original remote port, new remote IP, new remote port}. When receiving a response to the redirected packet you have to find the connection in your connections table by destination IP/port (which in your table should match source IP/port) and substitute the source IP/port in the packet.

                      in reply to: signed x64 driver for winpkfilter? #6417
                      Vadim Smirnov
                      Keymaster

                        Taking into account that WinpkFilter is a development library and not end-user software, we don’t find signing its drivers really necessary. When it is used for evaluation or private/non-commercial purposes it can be loaded on Vista x64 by choosing the “Enforce unsigned drivers loading” option in the boot menu. In case of commercial usage the WinpkFilter custom build should be signed by the end vendor with its own signature.

                        Our current point of view may change once Vista x64 becomes more popular than it is now.

                        in reply to: How to manage (Proxy) Re-Routing Packages? #6405
                        Vadim Smirnov
                        Keymaster

                          Is it possible to capture packets from a specific port and re-route them to another IP?

                          Can I change the dest. & src IP address in the IP header?

                          Which stuff has to be modified?

                          Yes, this is possible and it is as simple as changing the IP/TCP/UDP header and recalculating the checksums. Also, if this is a sort of redirect, the reversed operation should be performed on the reversed packets.

                          The Internet Gateway sample http://www.ntkernel.com/w&p.php?id=31 demonstrates the usage of WinpkFilter for implementing a NAT solution.
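                          To make the two replies above concrete (the connections table from the IP-Adress Redirect reply, and the header rewrite plus checksum recalculation here), this is an added C example that is neither the Internet Gateway sample nor any WinpkFilter code: it points an outbound IPv4/TCP packet at a proxy, records the connection, and undoes the rewrite on the proxy's reply. It works on the IP packet only (the MAC rewrite is left out), and the addresses, ports, table layout and packet contents are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Connections table entry as the reply describes it: {source IP, source port, original remote IP, original remote port}; the proxy IP/port is the same for all, so it is not stored. */
typedef struct { int used; uint32_t src_ip, orig_ip; uint16_t src_port, orig_port; } conn_t;
#define MAX_CONN 64
static conn_t table[MAX_CONN];
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
/* RFC 1071 one's-complement checksum; 's' is pre-seeded with the TCP pseudo-header sum. */
static uint16_t csum(const uint8_t *p, size_t n, uint32_t s) {
    for (; n > 1; n -= 2, p += 2) s += rd16(p);
    if (n) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Pseudo-header words: src IP, dst IP, protocol 6, TCP length. */
static uint32_t pseudo(const uint8_t *ip, size_t tlen) {
    return (uint32_t)rd16(ip + 12) + rd16(ip + 14) + rd16(ip + 16) + rd16(ip + 18) + 6 + (uint32_t)tlen;
}
/* Every header rewrite must be followed by recalculating both checksums. */
void fix_checksums(uint8_t *ip, size_t len) {
    size_t ihl = (ip[0] & 0x0f) * 4;
    wr16(ip + 10, 0);       wr16(ip + 10, csum(ip, ihl, 0));
    wr16(ip + ihl + 16, 0); wr16(ip + ihl + 16, csum(ip + ihl, len - ihl, pseudo(ip, len - ihl)));
}
/* 1 when both checksums verify (summing a correct header, checksum field included, gives 0). */
int checksums_ok(const uint8_t *ip, size_t len) {
    size_t ihl = (ip[0] & 0x0f) * 4;
    return csum(ip, ihl, 0) == 0 && csum(ip + ihl, len - ihl, pseudo(ip, len - ihl)) == 0;
}
/* Outbound IPv4/TCP packet to port 80: record the original destination, then point the packet at the proxy. Returns 1 if rewritten, 0 if left untouched. */
int redirect_out(uint8_t *ip, size_t len, uint32_t proxy_ip, uint16_t proxy_port) {
    size_t ihl = (ip[0] & 0x0f) * 4; uint8_t *tcp = ip + ihl; int i, slot = -1;
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || len < ihl + 20 || rd16(tcp + 2) != 80) return 0;
    for (i = 0; i < MAX_CONN && slot < 0; i++) if (!table[i].used) slot = i;
    for (i = 0; i < MAX_CONN; i++)                        /* an existing entry for this source wins */
        if (table[i].used && table[i].src_ip == rd32(ip + 12) && table[i].src_port == rd16(tcp)) slot = i;
    if (slot < 0) return 0;                               /* table full: do not redirect */
    table[slot].used = 1; table[slot].src_ip = rd32(ip + 12); table[slot].src_port = rd16(tcp);
    table[slot].orig_ip = rd32(ip + 16); table[slot].orig_port = rd16(tcp + 2);
    wr32(ip + 16, proxy_ip); wr16(tcp + 2, proxy_port);
    fix_checksums(ip, len);
    return 1;
}
/* Reply from the proxy: find the connection by destination IP/port (the stored source IP/port) and put the original remote IP/port back as the packet's source. */
int restore_in(uint8_t *ip, size_t len, uint32_t proxy_ip, uint16_t proxy_port) {
    size_t ihl = (ip[0] & 0x0f) * 4; uint8_t *tcp = ip + ihl; int i;
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || len < ihl + 20 || rd32(ip + 12) != proxy_ip || rd16(tcp) != proxy_port) return 0;
    for (i = 0; i < MAX_CONN; i++)
        if (table[i].used && table[i].src_ip == rd32(ip + 16) && table[i].src_port == rd16(tcp + 2)) break;
    if (i == MAX_CONN) return 0;                          /* unknown connection: leave it alone */
    wr32(ip + 12, table[i].orig_ip); wr16(tcp, table[i].orig_port);
    fix_checksums(ip, len);
    return 1;
}
/* Constructed sample: 192.168.1.10:40000 -> 93.184.216.34:80, PSH|ACK, carrying one GET line. */
size_t build_sample(uint8_t *b) {
    static const char get[] = "GET / HTTP/1.1\r\n"; size_t len = 40 + sizeof(get) - 1;
    memset(b, 0, len); b[0] = 0x45; wr16(b + 2, (uint16_t)len); b[8] = 64; b[9] = 6;
    wr32(b + 12, 0xC0A8010AU); wr32(b + 16, 0x5DB8D822U); wr16(b + 20, 40000); wr16(b + 22, 80);
    b[32] = 0x50; b[33] = 0x18; memcpy(b + 40, get, sizeof(get) - 1);
    fix_checksums(b, len); return len;
}
```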

                          in reply to: Problem On Filter (Delphi) #6403
                          Vadim Smirnov
                          Keymaster

                            Looks like your single thread services both winpkfilter and TServerSocket, so you got a deadlock. Try to create a dedicated thread for winpkfilter or TServerSocket.

                            in reply to: Problem On Filter (Delphi) #6401
                            Vadim Smirnov
                            Keymaster

                              Hmm, I’m not sure that I understand what you have really implemented. Do you use WinpkFilter and Windows Sockets in the same application? If yes, then probably your application design has a synchronization problem (if the socket and winpkfilter are used in the same single thread, for example).

                              The general operation flow looks like the following:

                              Data sent to socket -> Data intercepted by WinpkFilter -> Data indicated back to application -> Application processes and returns data to the stack -> Socket send operation completed

                              in reply to: WinpkFilter – capture local packages? #6399
                              Vadim Smirnov
                              Keymaster

                                Data sent from the local computer to the local computer (localhost) is never even wrapped in packets; it is processed inside TCP/IP without being passed to the levels below.

                                This data can be intercepted only with an LSP or a TDI filter driver.

                                in reply to: TCP/IP Hook – Traffic observing for all IP’s #6395
                                Vadim Smirnov
                                Keymaster

                                  The code below tracks incoming HTTP packets (port 80) and blocks them if it finds a particular string pattern in the packet. This is a simple sample for a porn filter or URL blocking; you should be able to easily adapt it to your needs:


                                  /*************************************************************************/
                                  /* Copyright (c) 2000-2007 NT Kernel Resources. */
                                  /* All Rights Reserved. */
                                  /* http://www.ntkernel.com */
                                  /* ndisrd@ntkernel.com */
                                  /* */
                                  /* Module Name: wwwcensor.cpp */
                                  /* */
                                  /* Abstract: Defines the entry point for the console application */
                                  /* */
                                  /*************************************************************************/

                                  #include "stdafx.h"   // precompiled header: Windows SDK and WinpkFilter (ndisapi) headers

                                  // Byte-order helper defined locally so the sample does not need to link against Winsock
                                  USHORT ntohs( USHORT netshort )
                                  {
                                      PUCHAR pBuffer;
                                      USHORT nResult;

                                      nResult = 0;
                                      pBuffer = (PUCHAR )&netshort;

                                      nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
                                          | ( pBuffer[ 1 ] & 0x00FF );

                                      return( nResult );
                                  }

                                  #define htons ntohs

                                  int main(int argc, char* argv[])
                                  {
                                      TCP_AdapterList AdList;
                                      CNdisApi api;
                                      ETH_REQUEST Request;
                                      INTERMEDIATE_BUFFER PacketBuffer;
                                      ether_header_ptr pEthHeader = NULL;
                                      iphdr_ptr pIpHeader = NULL;
                                      tcphdr_ptr pTcpHeader = NULL;
                                      HANDLE hEvent[256];
                                      DWORD dwAdIndex = 0;
                                      char szTempString[1500];
                                      char szPattern[256];
                                      BOOL bDrop = FALSE;

                                      if (argc < 2)
                                      {
                                          printf ("Command line syntax:\n\twwwcensor.exe pattern\n\tpattern - phrase or word to block HTTP packets with.\n");
                                          return 0;
                                      }

                                      if(!api.IsDriverLoaded())
                                      {
                                          printf ("Driver not installed on this system or failed to load.\n");
                                          return 0;
                                      }

                                      if ( strlen(argv[1]) > 255 )
                                      {
                                          printf ("Pattern is too long, please use one with maximum of 255 characters.\n");
                                          return 0;
                                      }

                                      //
                                      // Get pattern in upper case
                                      //
                                      ZeroMemory ( szPattern, 256 );
                                      strcpy ( szPattern, argv[1] );
                                      for ( unsigned i = 0; i < strlen (szPattern); ++i )
                                      {
                                          if (isalpha((UCHAR)szPattern[i]))
                                              szPattern[i] = (char)toupper((UCHAR)szPattern[i]);
                                      }

                                      //
                                      // Get system installed network interfaces
                                      //
                                      api.GetTcpipBoundAdaptersInfo ( &AdList );

                                      //
                                      // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
                                      //
                                      ADAPTER_MODE Mode;
                                      Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                                      //
                                      // Create notification events and initialize the driver to pass packets thru us
                                      //
                                      for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
                                      {
                                          hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

                                          if (!hEvent[dwAdIndex])
                                          {
                                              printf("Failed to create notification event for network interface\n");
                                              return 0;
                                          }

                                          Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                                          //
                                          // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
                                          //
                                          api.SetAdapterMode(&Mode);

                                          //
                                          // Set packet notification event for the network interface
                                          //
                                          api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
                                      }

                                      // Initialize common part of ETH_REQUEST
                                      ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                                      ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                                      Request.EthPacket.Buffer = &PacketBuffer;

                                      //
                                      // Go into the endless loop (this is just a sample application)
                                      //
                                      while (TRUE)
                                      {
                                          //
                                          // Wait until any of the interfaces is ready to indicate a packet
                                          //
                                          dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

                                          //
                                          // Reset signalled event
                                          //
                                          ResetEvent(hEvent[dwAdIndex]);

                                          //
                                          // Complete initialization of ETH_REQUEST
                                          //
                                          Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                                          //
                                          // Read packets from the interface while there are any
                                          //
                                          while(api.ReadPacket(&Request))
                                          {
                                              //
                                              // Get Ethernet header
                                              //
                                              pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

                                              //
                                              // Check if Ethernet frame contains IP packet
                                              //
                                              if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
                                              {
                                                  //
                                                  // Get IP header
                                                  //
                                                  pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                                                  //
                                                  // Check if IP packet contains TCP packet
                                                  //
                                                  if (pIpHeader->ip_p == IPPROTO_TCP)
                                                  {
                                                      //
                                                      // Get TCP header pointer
                                                      //
                                                      pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                                                      //
                                                      // Check if this is an HTTP packet (destined to remote system port 80, or received from it)
                                                      //
                                                      if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                                                          ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                                                      {
                                                          //
                                                          // Get data size in the packet and pointer to the data
                                                          // (guard against a frame shorter than its headers, which would otherwise underflow the length)
                                                          //
                                                          DWORD dwHeadersLength = sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4;
                                                          DWORD dwDataLength = (PacketBuffer.m_Length > dwHeadersLength) ? (PacketBuffer.m_Length - dwHeadersLength) : 0;
                                                          PCHAR pData = (PCHAR)pEthHeader + dwHeadersLength;

                                                          // If packet contains any data (and it fits the temporary string with its terminator) - process it
                                                          if (dwDataLength && (dwDataLength < sizeof(szTempString)))
                                                          {
                                                              //
                                                              // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and terminate it
                                                              //
                                                              memcpy (szTempString, pData, dwDataLength);
                                                              for (unsigned t = 0; t < dwDataLength; ++t)
                                                              {
                                                                  if (szTempString[t] == 0)
                                                                      szTempString[t] = 0x20;

                                                                  if (isalpha((UCHAR)szTempString[t]))
                                                                      szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                                                              }
                                                              szTempString[dwDataLength] = 0;

                                                              //
                                                              // Check if this packet payload contains user supplied pattern in ASCII code
                                                              //
                                                              if (strstr ( szTempString, szPattern ))
                                                                  bDrop = TRUE;
                                                          }
                                                      }
                                                  }
                                              }

                                              if(bDrop)
                                              {
                                                  // Dropped packet is simply not re-injected
                                                  printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped\n",
                                                      pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                                                      pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                                                  bDrop = FALSE;
                                              }
                                              else if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                                              {
                                                  // Place packet on the network interface
                                                  api.SendPacketToAdapter(&Request);
                                              }
                                              else
                                              {
                                                  // Indicate packet to MSTCP
                                                  api.SendPacketToMstcp(&Request);
                                              }
                                          }
                                      }

                                      return 0;
                                  }
