Winsock and low-level filtering

c++ / delphi package - dll injection and api hooking

Postby iridium » Thu Aug 19, 2004 10:42 am

Hi all,
I am working on a project for which I need to grab all HTTP and FTP requests on every client machine (independent of any browser/application, i.e. independent from browsers and Delphi/VB/Java/VC applications), and drop the connection whenever a specific "string" is found.
I.e. suppose I wanted to block downloading/uploading of wav files, I would filter all transfers containing the "wav marker" (string: 'RIFF' #0 #$12 #0 #0 'WAVEfmt').

I guess I should hook Winsock calls using MadShi's excellent library, but I don't know how to drop the connections. Any ideas, code samples, etc. are welcome!

(Btw, *thanks* MadShi for your library! :D )
iridium
 
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Postby madshi » Thu Aug 19, 2004 1:52 pm

Well, this is quite a WinSock specific question - and I'm not an expert there. But perhaps someone else can help here.
madshi
Site Admin
 
Posts: 9810
Joined: Sun Mar 21, 2004 5:25 pm

Postby iridium » Fri Aug 20, 2004 8:28 am

I have found an RST packet generator in the Firewall project on the iamaphex.net website (Delphi section), but it only shows how to drop a connection that I'm listening to (i.e. one needs to know parameters like source/dest port and IP, Seq, etc. of the packet.)
But perhaps if I cannot tear down the connection, I could at least shut down the application that is using that specific connection (I'd still prefer RST'ing the session though...)

However, I hope you can help me with the "simpler" part. I need to do system-wide API hooking for Winsock send/recv functions (for all applications that are started before and after my "analyzer" program.)
Since I need to know when a client is receiving or transmitting data which contain a specific marker, I wanted to use IPC for communications between the dll hook and the main program. But I also need to know which application that session is linked to (so I can grab that process and "talk" to it.)

Again, I'd appreciate any suggestion, pointers, and source code especially! :D

Thanks all
iridium
 
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Postby madshi » Fri Aug 20, 2004 8:48 am

Please check out the HookProcessTermination demo. It does what you ask for (sending application information via IPC to the exe).
madshi
Site Admin
 
Posts: 9810
Joined: Sun Mar 21, 2004 5:25 pm

Postby iridium » Fri Aug 20, 2004 10:25 am

Thanks madshi, your example has been extremely useful!
Btw, both the hooks and the IPC communications are very stable using madCodeHook. THANKS :wink:
iridium
 
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Postby nildo » Mon Aug 23, 2004 2:57 pm

Hi Iridium!
All you have to do is:

If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.

For example:

Code:

```delphi
// Hook callback for send(); the marker check and SendNext are the names from the post
function SendCallback(s: TSocket; var buf; len, flags: Integer): Integer; stdcall;
begin
  if Containing_that_string_in_the_buffer(buf, len) then
    Result := SOCKET_ERROR   // marker found: do not forward the call to the real send()
  else
    Result := SendNext(s, buf, len, flags);
end;
```
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am
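The snippet above checks only the buffer of the current send() call, and a marker that straddles two calls (an application that writes its headers and body in separate sends, or a large file sent in chunks) is never seen as a whole. The following is an added example, not code from the thread or from madCodeHook, written in C to make the allow/block decision for each outbound buffer: it keeps per-socket match state between calls (a KMP matcher, so partial matches restart correctly for any byte pattern) and uses the 15-byte WAV marker quoted in the first post. The socket handles, the hook installation and the constructed HTTP upload traffic are assumptions for the demonstration.

```c
/* Added example, not code from madCodeHook or from the thread: a streaming marker
 * scanner for a hooked send(). Socket handles and the hook itself are out of scope;
 * the functions below only make the allow/block decision for each outbound buffer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAT 64

/* The marker quoted in the thread: 'RIFF' #0 #$12 #0 #0 'WAVEfmt' (15 bytes). */
static const uint8_t WAV_MARKER[] = {
    'R', 'I', 'F', 'F', 0x00, 0x12, 0x00, 0x00, 'W', 'A', 'V', 'E', 'f', 'm', 't'
};
#define WAV_MARKER_LEN (sizeof WAV_MARKER)

typedef struct {
    const uint8_t *pat;
    size_t pat_len;
    size_t fail[MAX_PAT];      /* KMP failure table, so partial matches restart correctly */
} matcher_t;

/* Per-socket state: number of marker bytes matched at the end of the previous buffer. */
typedef struct { size_t q; } scan_state_t;

enum { SEND_ALLOW = 0, SEND_BLOCK = 1 };

/* Build the failure table. Returns 0 on success, -1 if the pattern is empty or too long. */
int matcher_init(matcher_t *m, const uint8_t *pat, size_t n)
{
    if (n == 0 || n > MAX_PAT) return -1;
    m->pat = pat;
    m->pat_len = n;
    m->fail[0] = 0;
    for (size_t i = 1, k = 0; i < n; i++) {
        while (k > 0 && pat[i] != pat[k]) k = m->fail[k - 1];
        if (pat[i] == pat[k]) k++;
        m->fail[i] = k;
    }
    return 0;
}

/* Feed one buffer through the matcher, carrying the match position across calls.
 * Returns 1 as soon as the marker completes inside this buffer, else 0. */
int scan_feed(const matcher_t *m, scan_state_t *st, const uint8_t *buf, size_t len)
{
    size_t q = st->q;
    for (size_t i = 0; i < len; i++) {
        while (q > 0 && buf[i] != m->pat[q]) q = m->fail[q - 1];
        if (buf[i] == m->pat[q]) q++;
        if (q == m->pat_len) { st->q = 0; return 1; }
    }
    st->q = q;
    return 0;
}

/* The check from nildo's snippet: looks only inside the buffer of this one send() call. */
int buffer_contains(const matcher_t *m, const uint8_t *buf, size_t len)
{
    scan_state_t fresh = { 0 };
    return scan_feed(m, &fresh, buf, len);
}

/* Decision a send() hook would make with per-socket state: block the call in which
 * the marker completes, forward everything else to the original send(). */
int filter_send(const matcher_t *m, scan_state_t *sock_state, const uint8_t *buf, size_t len)
{
    return scan_feed(m, sock_state, buf, len) ? SEND_BLOCK : SEND_ALLOW;
}

/* Constructed traffic (assumption): an HTTP upload whose body leaves the application in
 * two send() calls, with the 15-byte marker split after its 7th byte. Returns how many
 * of the three sends each approach blocks (streaming != 0 selects the per-socket scanner). */
int demo_blocked_sends(int streaming)
{
    static const uint8_t hdr[] = "POST /upload HTTP/1.0\r\nContent-Type: audio/wav\r\n\r\n";
    uint8_t body[64];
    memcpy(body, WAV_MARKER, WAV_MARKER_LEN);
    memset(body + WAV_MARKER_LEN, 0xAB, sizeof body - WAV_MARKER_LEN);  /* filler sample data */

    const uint8_t *chunk[3] = { hdr, body, body + 7 };
    size_t clen[3] = { sizeof hdr - 1, 7, sizeof body - 7 };

    matcher_t m;
    if (matcher_init(&m, WAV_MARKER, WAV_MARKER_LEN) != 0) return -1;
    scan_state_t sock = { 0 };
    int blocked = 0;
    for (int i = 0; i < 3; i++) {
        int hit = streaming ? filter_send(&m, &sock, chunk[i], clen[i]) == SEND_BLOCK
                            : buffer_contains(&m, chunk[i], clen[i]);
        if (hit) blocked++;
    }
    return blocked;
}

int main(void)
{
    printf("per-call scan blocked %d send(s), streaming scan blocked %d send(s)\n",
           demo_blocked_sends(0), demo_blocked_sends(1));
    return 0;
}
```

With the split upload the per-call check blocks nothing, while the per-socket scanner blocks the second body chunk. In a real hook the scan_state_t would be kept in a table keyed by the socket handle and discarded on closesocket(), and the same state machine can be fed from a recv() hook to cover downloads.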

Postby iridium » Tue Aug 24, 2004 5:01 am

nildo wrote: If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.

Great! Thanks, Nildo!
iridium
 
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am
