Winsock and low-level filtering

c++ / delphi package - dll injection and api hooking
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Winsock and low-level filtering

Post by iridium »

Hi all,
I am working on a project for which I need to grab all HTTP and FTP requests in every client machine (independent of any browser/application, i.e. independent from browsers and Delphi/VB/Java/VC applications), and drop the connection whenever a specific "string" is found.
I.e. suppose I wanted to block downloading/uploading of wav files, I would filter all transfers containing the "wav marker" (string: 'RIFF' #0 #$12 #0 #0 'WAVEfmt').

I guess I should hook Winsock calls using MadShi's excellent library, but I don't know how to drop the connections. Any ideas, code samples, etc. are welcome!

(Btw, *thanks* MadShi for your library! :D )
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, this is quite a WinSock specific question - and I'm not an expert there. But perhaps someone else can help here.
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

I have found a RST packet generator in the Firewall project on the iamaphex.net website (Delphi section), but it only shows how to drop a connection that I'm listening to (i.e. one needs to know parameters like source/dest port and IP, Seq, etc. of the packet.)
But perhaps if I cannot tear down the connection, I could at least shut down the application that is using that specific connection (I'd still prefer RST'ing the session though...)

However, I hope you can help me with the "simpler" part. I need to do system-wide API hooking for Winsock send/recv functions (for all applications that are started before and after my "analyzer" program.)
Since I need to know when a client is receiving or transmitting data which contain a specific marker, I wanted to use IPC for communications between the dll hook and the main program. But I also need to know which application that session is linked to (so I can grab that process and "talk" to it.)

Again, I'd appreciate any suggestion, pointers, and source code especially! :D

Thanks all
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Please check out the HookProcessTermination demo. It does what you ask for (sending application information via IPC to the exe).
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

Thanks madshi, your example has been extremely useful!
BTW, both the hooks and the IPC communications are very stable using madCodeHook. THANKS :wink:
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Hi Iridium!
All you have to do is:

If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.

For example:

Code:

// Pseudocode for the send() hook callback: the hooked send() returns an
// integer (bytes sent or SOCKET_ERROR), so a refused call returns SOCKET_ERROR.
if Containing_that_string_in_the_buffer then
  Result := SOCKET_ERROR
else
  Result := SendNext(s, buf, len, flags);
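As an added example (not code from this thread or from madCodeHook), here is the decision logic such a send() hook would run, written in C. It keeps per-socket state so the marker is still caught when it straddles two send() calls, which a plain per-buffer search misses; `conn_state` and `filter_send` are names chosen for this example, and the hook callback itself (returning SOCKET_ERROR whenever `filter_send` says drop) is left to madCodeHook.

```c
#include <stddef.h>
#include <string.h>

/* The marker from the thread: 'RIFF' #0 #$12 #0 #0 'WAVEfmt' (15 bytes). */
static const unsigned char MARKER[] = {
    'R','I','F','F', 0x00,0x12,0x00,0x00, 'W','A','V','E','f','m','t' };
#define MARKER_LEN (sizeof MARKER)
#define TAIL_LEN   (MARKER_LEN - 1)

/* Per-socket state the hook dll would keep (hypothetical struct name). The last
   TAIL_LEN bytes of the previous buffer are kept so a marker split across two
   send() calls is still detected. */
typedef struct {
    unsigned char tail[TAIL_LEN];
    size_t tail_len;
    int blocked;   /* once set, every further send on this socket is refused */
} conn_state;

/* Plain search for MARKER in hay (memmem is not portable, so done by hand). */
static int contains_marker(const unsigned char *hay, size_t n) {
    for (size_t i = 0; i + MARKER_LEN <= n; i++)
        if (memcmp(hay + i, MARKER, MARKER_LEN) == 0) return 1;
    return 0;
}

/* Decision for one send(s, buf, len, flags) call on the socket described by st.
   Returns 1 when the hook should refuse the call (return SOCKET_ERROR instead of
   calling SendNext), 0 when the buffer may be passed on unchanged. */
int filter_send(conn_state *st, const unsigned char *buf, size_t len) {
    unsigned char seam[2 * TAIL_LEN];
    size_t head = len < TAIL_LEN ? len : TAIL_LEN;   /* min(len, TAIL_LEN) */
    if (st->blocked) return 1;
    /* 1. the seam: end of the previous buffer followed by the start of this one */
    memcpy(seam, st->tail, st->tail_len);
    memcpy(seam + st->tail_len, buf, head);
    if (contains_marker(seam, st->tail_len + head) || contains_marker(buf, len))
        st->blocked = 1;
    /* 2. remember the last TAIL_LEN bytes of (tail + buf) for the next call */
    memcpy(seam, st->tail, st->tail_len);
    memcpy(seam + st->tail_len, buf + len - head, head);
    size_t total = st->tail_len + head;
    size_t keep  = total < TAIL_LEN ? total : TAIL_LEN;
    memcpy(st->tail, seam + total - keep, keep);
    st->tail_len = keep;
    return st->blocked;
}
```

The state has to be looked up per SOCKET handle inside the hook and discarded on closesocket(); the IPC message to the main exe only needs to be sent the first time `blocked` flips to 1.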
iridium
Posts: 9
Joined: Thu Aug 19, 2004 10:39 am

Post by iridium »

nildo wrote: If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.
Great! Thanks, Nildo!