Winsock and low-level filtering
Winsock and low-level filtering
Hi all,
I am working on a project for which I need to grab all HTTP and FTP requests in every client machine (independent of any browser/application, ie. independent from browsers and Delphi/VB/Java/VC applications), and drop the connection whenever a specific "string" is found.
I.e. suppose I wanted to block downloading/uploading of wav files, I would filter all transfers containing the "wav marker" (string: 'RIFF' #0 #$12 #0 #0 'WAVEfmt').
I guess I should hook Winsock calls using MadShi's excellent library, but I don't know how to drop the connections. Any ideas, code samples, etc. are welcome!
(Btw, *thanks* MadShi for your library! )
I am working on a project for which I need to grab all HTTP and FTP requests in every client machine (independent of any browser/application, ie. independent from browsers and Delphi/VB/Java/VC applications), and drop the connection whenever a specific "string" is found.
I.e. suppose I wanted to block downloading/uploading of wav files, I would filter all transfers containing the "wav marker" (string: 'RIFF' #0 #$12 #0 #0 'WAVEfmt').
I guess I should hook Winsock calls using MadShi's excellent library, but I don't know how to drop the connections. Any ideas, code samples, etc. are welcome!
(Btw, *thanks* MadShi for your library! )
I have found a RST packet generator in the Firewall project on the iamaphex.net website (delphi section), but it only shows how to drop a connection that I'm listening to (ie. one needs to know parameters like source/dest port and ip, Seq, etc. of the packet.)
But perhaps if I cannot tear down the connection, I could at least shut down the application that is using that specific connection (I'd still prefer RST'ing the session though...)
However, I hope you can help me with the "simpler" part. I need to do system-wide API hooking for Winsock send/recv functions (for all applications that are started before and after my "analyzer" program.)
Since I need to know when a client is receiving or transmitting data which contain a specific marker, I wanted to use IPC for communications between the dll hook and the main program. But I also need to know which application that session is linked to (so I can grab that process and "talk" to it.)
Again, I'd appreciate any suggestion, pointers, and source code especially!
Thanks all
But perhaps if I cannot tear down the connection, I could at least shut down the application that is using that specific connection (I'd still prefer RST'ing the session though...)
However, I hope you can help me with the "simpler" part. I need to do system-wide API hooking for Winsock send/recv functions (for all applications that are started before and after my "analyzer" program.)
Since I need to know when a client is receiving or transmitting data which contain a specific marker, I wanted to use IPC for communications between the dll hook and the main program. But I also need to know which application that session is linked to (so I can grab that process and "talk" to it.)
Again, I'd appreciate any suggestion, pointers, and source code especially!
Thanks all
Hi Iridium!
All you have to do is:
If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.
For example:
All you have to do is:
If the application is sending a request containing that specific string, all you have to do is not to process the next Send function, otherwise you process it.
For example:
Code: Select all
if Containing_that_string_in_the_buffer then
Result := False
else
Result := SendNext( s, buf, len, flags )