Forum Replies Created
I am a newbie here and I was wondering if you could provide an example of how to read the data contents of a packet using Visual Basic syntax.
Regretfully I’m not a VB expert, but parsing the Ethernet header is shown in the VB samples. You can parse the follow-up headers (IP, TCP/UDP) in the same way.
Also, is the data in the packet the same as it would be if I were to view the contents at the winsock level?
At the WINSOCK level you work mostly with data streams (no packet headers); here you get packets with Ethernet, IP headers etc… But the packet payload contains the data you see at the winsock layer.
I want to get the source IP and port and then view the data to determine whether to drop the packet or not; is that possible with the WinPKFilter samples?
Yes, that is possible.
With HTTP I seem to have figured it out – I change the host name in the outgoing packet, the checksum matches, but there are some problems with ACK/SEQ. As I understand it, when the packet length changes they have to be changed. How?
If the packet has grown in length (without exceeding the Ethernet frame boundary), then the SEQ must be increased (and in the incoming stream the ACK decreased). The SEQ/ACK adjustment then has to be carried through until the connection is closed. When the length shrinks, do the same the other way around.
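The SEQ/ACK bookkeeping described in the reply above, as an added example that is not code from the forum or from WinpkFilter: a running per-connection delta is added to outgoing SEQ numbers and subtracted from incoming ACK numbers, and the TCP checksum is patched incrementally (RFC 1624) rather than re-summed. The function names are mine, `tcp` is assumed to point at the TCP header itself (Ethernet and IP headers already skipped), and the scenario values are constructed.

```c
#include <stdint.h>

/* Network-order (big-endian) field access. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* RFC 1624 incremental checksum update HC' = ~(~HC + ~m + m') for one 32-bit
 * field that changed from m to m_new. It holds whatever else the checksum
 * covers (pseudo-header included), so the segment is not re-summed for this. */
uint16_t csum_update32(uint16_t hc, uint32_t m, uint32_t m_new)
{
    uint32_t s = (uint16_t)~hc;
    s += (uint16_t)~(m >> 16) + (uint16_t)~(m & 0xffff);
    s += (m_new >> 16) + (m_new & 0xffff);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Carry the running offset between the original and the rewritten client->server
 * byte stream into one TCP header.
 * outbound: client->server segment whose payload was just resized by `resize`
 *   bytes (0 if untouched); SEQ shifts by the delta accumulated before it, then
 *   the delta grows by `resize`.
 * inbound: server->client segment; its ACK counts rewritten bytes and is mapped
 *   back to the client's numbering by subtracting the delta.
 * Only the SEQ/ACK change is folded into the checksum; a payload edit (and the
 * changed length) must be checksummed separately. */
int32_t tcp_seq_adjust(uint8_t *tcp, int32_t *delta, int outbound, int32_t resize)
{
    int off = outbound ? 4 : 8;                      /* SEQ at +4, ACK at +8 */
    uint32_t old = rd32(tcp + off);
    uint32_t cur = outbound ? old + (uint32_t)*delta : old - (uint32_t)*delta;
    wr32(tcp + off, cur);
    wr16(tcp + 16, csum_update32(rd16(tcp + 16), old, cur));
    if (outbound) *delta += resize;
    return *delta;
}
/* Constructed walk-through: a Host header rewrite grew the first request segment
 * by 12 bytes. Returns the server's ACK as the client must see it (1200), or 0
 * if the second request's SEQ was not shifted to 1112. */
uint32_t seq_demo(void)
{
    uint8_t req1[20] = {0}, req2[20] = {0}, reply[20] = {0};
    int32_t delta = 0;
    wr32(req1 + 4, 1000); wr32(req2 + 4, 1100); wr32(reply + 8, 1212);
    tcp_seq_adjust(req1, &delta, 1, 12);  /* SEQ stays 1000, delta becomes 12 */
    tcp_seq_adjust(req2, &delta, 1, 0);   /* SEQ 1100 -> 1112 */
    tcp_seq_adjust(reply, &delta, 0, 0);  /* ACK 1212 -> 1200 */
    return rd32(req2 + 4) == 1112 ? rd32(reply + 8) : 0;
}
```

The delta must be kept per connection for its whole lifetime, as the reply says; a negative delta (payload shrank) works unchanged because the arithmetic wraps modulo 2^32.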
IMHO it is simpler to intercept the DNS packet and substitute the IP in it.
Any kernel module can run a thread in the context of the system process; what integrity do you mean here?
Hmm… And how does TI shape NATted connections!?…
TI developers know for sure. I would try to reverse engineer the ICS implementation in Windows and get the NAT table.
I would create an event and wait on this event (probably alongside a few other objects) in the thread routine instead of the KeDelayExecutionThread. Once I need to unload the driver I would signal that event so that the thread routine leaves the wait and calls PsTerminateSystemThread. At the same time DriverUnload can wait for the thread to exit by waiting on the thread object.
Alternatively (fewer modifications to your code, but not as nice) you can create a global variable and check its state in your Func:
    volatile BOOLEAN g_bLeaveThread = FALSE;   // set from DriverUnload to ask the thread to exit

    void Func(PVOID a)
    {
        LARGE_INTEGER delay;
        delay.QuadPart = SEC(1);               // one-second relative interval (SEC() is the poster's own macro)

        // Wake up once per second; STATUS_SUCCESS (0) means the delay simply expired
        while(!KeDelayExecutionThread(KernelMode, FALSE, &delay))
        {
            DbgPrint(">> thread message\n");
            if(g_bLeaveThread)                 // unload requested: leave the loop
                break;
        }
        PsTerminateSystemThread(STATUS_SUCCESS);
    }
In DriverUnload set g_bLeaveThread to a non-zero value and wait for the thread to exit (KeWaitForSingleObject on the thread object).
Each packet routed outside you intercept twice – first on the internal interface before NAT is applied and second on the external interface after NAT is applied, and vice versa for packets coming in on the external interface. In theory you can match these packets (by IP address information + IP ID + TCP/UDP header information) and build your own copy of the NAT table, but collisions are still possible, especially if the router is heavily loaded.
I would recommend implementing NAT in the same module which implements the shaper; this would save you lots of time. NAT is relatively easy to implement (if you do not need to support complex protocols like H.323); as an example, this simple application took one day to write: http://www.ntkernel.com/w&p.php?id=31
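The pre/post-NAT matching sketched two replies above, as an added example that is not code from the forum or from WinpkFilter: packets seen on the internal interface are held until their post-NAT twin appears on the external interface, paired on the fields NAT leaves untouched (protocol, IP ID, destination), and an IP ID collision between two internal hosts is reported rather than guessed, which is the collision caveat the reply raises. The structure and function names are mine and the addresses are constructed.

```c
#include <stdint.h>

/* Per packet: what NAT leaves alone (proto, IP ID, destination) and the source tuple it rewrites. */
typedef struct { uint8_t proto; uint16_t ip_id; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; } pkt_key_t;
typedef struct { uint32_t priv_ip, pub_ip; uint16_t priv_port, pub_port; } nat_entry_t;
typedef struct {
    pkt_key_t pending[64]; int npending;   /* pre-NAT copies awaiting their post-NAT twin */
    nat_entry_t table[64]; int ntable;     /* learned private -> public mappings */
} nat_learner_t;

/* Pre-NAT copy (internal interface): hold it until the external copy shows up. */
int nat_seen_internal(nat_learner_t *l, const pkt_key_t *p)
{
    if (l->npending >= 64) return -1;
    l->pending[l->npending++] = *p;
    return 0;
}

/* Post-NAT copy (external interface). Returns 1 for a learned mapping, -1 if zero or
 * several pending packets fit: an IP ID collision between internal hosts is skipped, not
 * guessed. Real code would also age out unpaired entries and could add TCP SEQ to the key. */
int nat_seen_external(nat_learner_t *l, const pkt_key_t *p)
{
    int i, hit = -1;
    for (i = 0; i < l->npending; i++) {
        const pkt_key_t *q = &l->pending[i];
        if (q->proto != p->proto || q->ip_id != p->ip_id || q->dst_ip != p->dst_ip || q->dst_port != p->dst_port) continue;
        if (hit >= 0) return -1;                 /* ambiguous: two internal packets match */
        hit = i;
    }
    if (hit < 0 || l->ntable >= 64) return -1;
    nat_entry_t e = { l->pending[hit].src_ip, p->src_ip, l->pending[hit].src_port, p->src_port };
    l->pending[hit] = l->pending[--l->npending]; /* consume the paired entry */
    l->table[l->ntable++] = e;
    return 1;
}
/* Constructed walk-through: one clean pairing, then two internal hosts whose packets
 * share IP ID and destination. Returns the learned table size (1), or -1 on mismatch. */
int nat_demo(void)
{
    nat_learner_t l = {0};
    pkt_key_t a  = {6, 0x1234, 0xC0A8010A, 0xC6336407, 40000, 80}; /* 192.168.1.10:40000 -> 198.51.100.7:80 */
    pkt_key_t a2 = {6, 0x1234, 0xCB007105, 0xC6336407, 61000, 80}; /* same packet after NAT: 203.0.113.5:61000 */
    pkt_key_t b  = {6, 0x4242, 0xC0A8010B, 0xC6336407, 40001, 80};
    pkt_key_t c  = {6, 0x4242, 0xC0A8010C, 0xC6336407, 40002, 80}; /* IP ID collides with b */
    pkt_key_t b2 = {6, 0x4242, 0xCB007105, 0xC6336407, 61001, 80};
    nat_seen_internal(&l, &a); nat_seen_internal(&l, &b); nat_seen_internal(&l, &c);
    int r1 = nat_seen_external(&l, &a2), r2 = nat_seen_external(&l, &b2);
    return (r1 == 1 && r2 == -1 && l.table[0].pub_port == 61000) ? l.ntable : -1;
}
```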
I am running Windows XP on my HP laptop. I installed MioNet which loads the driver NDISRD.SYS. Whenever this driver is loaded and I try to run my Cisco VPN client, the desktop locks up.
Any suggestions?
Hmm, basically the conflict here can be initiated by MioNet’s usage of NDISRD (which is a WinpkFilter driver) or by NDISRD directly. So here are some questions:
1) Do you run MioNet at the same time with Cisco VPN client?
2) Could you look at the version of NDISRD.SYS and post it here or e-mail it to support(at)ntkernel.com?
Also, if it is possible for you, could you please uninstall MioNet, install the WinpkFilter package instead and check whether the problem pops up with WinpkFilter only?
Also, did the system just hang? No chance of a crash dump?
Is there a way to unload the ndisrd.sys driver by using a DOS command?
This is not possible.
And what do you do with the packets coming back in the opposite direction? In theory you need to put the source address back there, so that the client sees that the server answered it and not someone else…
The idea is clear; two options can be suggested:
1) Add the data to an additional header or to the tail of the packet
2) If the solution is local (the source address is always the same), then the address the packet was originally directed to can be written into the Source IP field
I do not have ready-made user-mode Ethernet Bridge code that I could post here.
The source code for the kernel-mode Ethernet Bridge http://www.ntkernel.com/w&p.php?id=20 is available only to WinpkFilter Source Code licensees.
I have never dug deep into file signing, but I’d guess that in the case of notepad.exe the signature is not embedded into the executable; instead the whole CAT file is signed.
How could I determine what catalog file should be used for a specified file?
I think you should use the CryptCATXXX functions for this. Probably CryptCATAdminCalcHashFromFileHandle to get the file hash, and then enumerate the catalogs which contain the specified hash with CryptCATAdminEnumCatalogFromHash.
Basically making a bridge is rather straightforward. Just set promiscuous mode on the bridged adapters (the PacketSniffer sample shows how to do this) and repeat packets received from one bridge interface to all other bridged interfaces with NDIS_FLAGS_DONT_LOOPBACK | NDIS_FLAGS_SKIP_LOOPBACK set to avoid loopback packets. This flag combination will work for Windows 2000+; for earlier versions you have to track MAC addresses and repeat packets according to the MAC address table.
Is there a faster way to get to the URL? Maybe there is some structure that stores it? Because in different browsers the URL sits in different places in the packet..
RTFM the HTTP specification regarding GET.
One more thing: when I open a page, a large packet (500-1000 bytes) with the request is sent, and about 10 more small packets of 60-80 bytes each are also sent (and they do not contain the words GET or POST)….what are they for? Who sends them? Clearly not the browser, since I cannot intercept and look at them…maybe some kind of connection check…
Who sends them can be checked with Local Network Monitor http://www.ntkernel.com/w&p.php?id=24. If the packets carry no data, LNM will not show them. In that case they may be acknowledgements of received data sent by the stack. RTFM the TCP protocol specification.
If you look inside sigcheck.exe you will find that it works through wintrust.dll exported functions.
    .text:00402260 sub_402260 proc near ; CODE XREF: _wmain:loc_402016p
    .text:00402260 mov al, byte_425860
    .text:00402265 push ebx
    .text:00402266 test al, al
    .text:00402268 push esi
    .text:00402269 jnz loc_402339
    .text:0040226F mov ebx, ds:LoadLibraryW
    .text:00402275 push offset aWintrust_dll ; "Wintrust.dll"
    .text:0040227A mov byte_425860, 1
    .text:00402281 call ebx ; LoadLibraryW
    .text:00402283 mov esi, eax
    .text:00402285 test esi, esi
    .text:00402287 jnz short loc_40228E
    .text:00402289 pop esi
    .text:0040228A xor al, al
    .text:0040228C pop ebx
    .text:0040228D retn
    .text:0040228E ; ---------------------------------------------------------------------------
    .text:0040228E
    .text:0040228E loc_40228E: ; CODE XREF: sub_402260+27j
    .text:0040228E push edi
    .text:0040228F mov edi, ds:GetProcAddress
    .text:00402295 push offset aWinverifytrust ; "WinVerifyTrust"
    .text:0040229A push esi ; hModule
    .text:0040229B call edi ; GetProcAddress
    .text:0040229D push offset aWthelpergetpro ; "WTHelperGetProvSignerFromChain"
    .text:004022A2 push esi ; hModule
    .text:004022A3 mov WinVerifyTrustPtr, eax
    .text:004022A8 call edi ; GetProcAddress
    .text:004022AA push offset aWthelperprovda ; "WTHelperProvDataFromStateData"
    .text:004022AF push esi ; hModule
    .text:004022B0 mov dword_425834, eax
    .text:004022B5 call edi ; GetProcAddress
    .text:004022B7 push offset aCryptcatadminr ; "CryptCATAdminReleaseContext"
    .text:004022BC push esi ; hModule
    .text:004022BD mov dword_425838, eax
    .text:004022C2 call edi ; GetProcAddress
    .text:004022C4 push offset aCryptcatadmi_0 ; "CryptCATAdminReleaseCatalogContext"
    .text:004022C9 push esi ; hModule
    .text:004022CA mov dword_42583C, eax
    .text:004022CF call edi ; GetProcAddress
    .text:004022D1 push offset aCryptcatcatalo ; "CryptCATCatalogInfoFromContext"
    .text:004022D6 push esi ; hModule
    .text:004022D7 mov dword_42585C, eax
    .text:004022DC call edi ; GetProcAddress
    .text:004022DE push offset aCryptcatadmine ; "CryptCATAdminEnumCatalogFromHash"
    .text:004022E3 push esi ; hModule
    .text:004022E4 mov dword_425854, eax
    .text:004022E9 call edi ; GetProcAddress
    .text:004022EB push offset aCryptcatadminc ; "CryptCATAdminCalcHashFromFileHandle"
    .text:004022F0 push esi ; hModule
    .text:004022F1 mov dword_425848, eax
    .text:004022F6 call edi ; GetProcAddress
    .text:004022F8 push offset aCryptcatadmina ; "CryptCATAdminAcquireContext"
    .text:004022FD push esi ; hModule
    .text:004022FE mov dword_425840, eax
    .text:00402303 call edi ; GetProcAddress
    .text:00402305 push offset aCryptcatadmi_1 ; "CryptCATAdminAddCatalog"
    .text:0040230A push esi ; hModule
    .text:0040230B mov dword_42584C, eax
    .text:00402310 call edi ; GetProcAddress
    .text:00402312 push offset aWinverifytrust ; "WinVerifyTrust"
    .text:00402317 push esi ; hModule
    .text:00402318 mov dword_425844, eax
    .text:0040231D call edi ; GetProcAddress
    .text:0040231F push offset aCertnametostrw ; "CertNameToStrW"
    .text:00402324 push offset aCrypt32_dll ; "crypt32.dll"
    .text:00402329 mov WinVerifyTrustPtr, eax
    .text:0040232E call ebx ; LoadLibraryW
    .text:00402330 push eax ; hModule
    .text:00402331 call edi ; GetProcAddress
    .text:00402333 mov dword_425858, eax
    .text:00402338 pop edi
    .text:00402339
    .text:00402339 loc_402339: ; CODE XREF: sub_402260+9j
    .text:00402339 mov ecx, dword_42584C
    .text:0040233F xor eax, eax
    .text:00402341 test ecx, ecx
    .text:00402343 pop esi
    .text:00402344 pop ebx
    .text:00402345 setnz al
    .text:00402348 retn
    .text:00402348 sub_402260 endp
WinVerifyTrust is called with the WINTRUST_ACTION_GENERIC_VERIFY_V2 action ID.
A piece of code which demonstrates usage of WinVerifyTrust can be found in the Platform SDK samples (vertrust.cpp):
    /////////////////////////////////////////////////////////////////////////////
    // IsFileTrusted
    //
    itvEnum IsFileTrusted(LPCWSTR lpwFile, HWND hwndParent, DWORD dwUIChoice, bool *pfIsSigned, PCCERT_CONTEXT *ppcSigner)
    {
        char szDebugOutput[MAX_STR_LENGTH] = {0};

        itvEnum itv = itvUnTrusted;

        if (pfIsSigned)
            *pfIsSigned = false;
        if (ppcSigner)
            *ppcSigner = 0;

        GUID guidAction = WINTRUST_ACTION_GENERIC_VERIFY_V2;

        WINTRUST_FILE_INFO sWintrustFileInfo;
        WINTRUST_DATA sWintrustData;
        HRESULT hr;

        memset((void*)&sWintrustFileInfo, 0x00, sizeof(WINTRUST_FILE_INFO)); // zero out
        memset((void*)&sWintrustData, 0x00, sizeof(WINTRUST_DATA)); // zero out

        sWintrustFileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
        sWintrustFileInfo.pcwszFilePath = lpwFile;
        sWintrustFileInfo.hFile = NULL;

        sWintrustData.cbStruct = sizeof(WINTRUST_DATA);
        sWintrustData.dwUIChoice = dwUIChoice;
        sWintrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
        sWintrustData.dwUnionChoice = WTD_CHOICE_FILE;
        sWintrustData.pFile = &sWintrustFileInfo;
        sWintrustData.dwStateAction = (ppcSigner) ? WTD_STATEACTION_VERIFY : 0;

        HMODULE hWinTrust = LoadLibrary(WINTRUST_DLL);
        if (!hWinTrust)
        {
            // WinTrust is unavailable on the machine
            return itvWintrustNotOnMachine;
        }
        PFnWinVerifyTrust pfnWinVerifyTrust = (PFnWinVerifyTrust)GetProcAddress(hWinTrust, WINTRUSTAPI_WinVerifyTrust);
        PFnWTHelperProvDataFromStateData pfnWTHelperProvDataFromStateData = (PFnWTHelperProvDataFromStateData)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperProvDataFromStateData);
        PFnWTHelperGetProvSignerFromChain pfnWTHelperGetProvSignerFromChain = (PFnWTHelperGetProvSignerFromChain)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperGetProvSignerFromChain);
        PFnWTHelperGetProvCertFromChain pfnWTHelperGetProvCertFromChain = (PFnWTHelperGetProvCertFromChain)GetProcAddress(hWinTrust, WINTRUSTAPI_WTHelperGetProvCertFromChain);
        if (!pfnWinVerifyTrust || !pfnWTHelperProvDataFromStateData || !pfnWTHelperGetProvSignerFromChain || !pfnWTHelperGetProvCertFromChain)
        {
            // WinTrust is unavailable on the machine
            FreeLibrary(hWinTrust);
            return itvWintrustNotOnMachine;
        }

        hr = pfnWinVerifyTrust(/* UI Window Handle */ (dwUIChoice == WTD_UI_NONE) ? (HWND)INVALID_HANDLE_VALUE : hwndParent, &guidAction, &sWintrustData);
        DebugMsg("[WVT] WVT returned 0x%X\n", hr);

        itv = (TRUST_E_PROVIDER_UNKNOWN == hr) ? itvWintrustNotOnMachine : ((S_OK == hr) ? itvTrusted : itvUnTrusted);

        if (itvWintrustNotOnMachine == itv)
        {
            // release state data
            sWintrustData.dwUIChoice = WTD_UI_NONE;
            sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
            pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);

            FreeLibrary(hWinTrust);
            return itv; // return immediately
        }

        if (pfIsSigned)
            *pfIsSigned = (TRUST_E_NOSIGNATURE == hr) ? false : true;

        if (TRUST_E_NOSIGNATURE == hr)
        {
            // release state data
            sWintrustData.dwUIChoice = WTD_UI_NONE;
            sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
            pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);

            FreeLibrary(hWinTrust);
            return itv;
        }

        if (ppcSigner)
        {
            CRYPT_PROVIDER_DATA const *psProvData = NULL;
            CRYPT_PROVIDER_SGNR *psProvSigner = NULL;
            CRYPT_PROVIDER_CERT *psProvCert = NULL;

            // grab the provider data
            psProvData = pfnWTHelperProvDataFromStateData(sWintrustData.hWVTStateData);
            if (psProvData)
            {
                // grab the signer data from the CRYPT_PROV_DATA
                psProvSigner = pfnWTHelperGetProvSignerFromChain((PCRYPT_PROVIDER_DATA)psProvData, 0 /*first signer*/, FALSE /* not a counter signer */, 0);
                if (psProvSigner)
                {
                    // grab the signer cert from CRYPT_PROV_SGNR (pos 0 = signer cert; pos csCertChain-1 = root cert)
                    psProvCert = pfnWTHelperGetProvCertFromChain(psProvSigner, 0);
                }
            }

            if (!psProvCert)
            {
                // some failure in obtaining the signer cert data
                *ppcSigner = 0;
            }
            else
            {
                // duplicate the cert
                HMODULE hCrypt32 = LoadLibrary(CRYPT32_DLL);
                if (hCrypt32)
                {
                    PFnCertDuplicateCertificateContext pfnCertDuplicateCertificateContext = (PFnCertDuplicateCertificateContext)GetProcAddress(hCrypt32, CRYPTOAPI_CertDuplicateCertificateContext);
                    if (pfnCertDuplicateCertificateContext)
                        *ppcSigner = pfnCertDuplicateCertificateContext(psProvCert->pCert);
                    FreeLibrary(hCrypt32);
                }
            }

            // release state data
            sWintrustData.dwUIChoice = WTD_UI_NONE;
            sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
            pfnWinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
        }

        FreeLibrary(hWinTrust);
        return itv;
    }
Hope it helps…
WinpkFilter 3.0.2 released. This service release includes:
1. A few changes in the API DLL required for Windows Vista support
2. Installation scripts are updated to properly install drivers on Windows Vista
Important note:
For Windows Vista and later versions of the Windows family of operating systems, kernel-mode software must have a digital signature to load on x64-based computer systems. WinpkFilter drivers are not signed, and in order to test them on Vista x64 you should press F8 during system boot and choose the Disable Driver Signature Enforcement option. For commercial software you’d have to obtain a Code Signing certificate from VeriSign.
If you are eligible for a free update, please send the following details to support@ntkernel.com to receive update instructions:
1. Your order ID.
2. An approximate date of purchase.