WinSock application: hook or driver?

xrfang
Posts: 68
Joined: Mon Feb 28, 2005 7:29 am

WinSock application: hook or driver?

Post by xrfang »

I need to write a program to filter internet traffic. Now I have 2 options: use madCodeHook to hook winsock api, or to write a driver using the NDIS/SPI technologies.

I think I would like to use madCodeHook because it will be simpler than writing a driver. However, are there any pitfalls? Could anyone compare these 2 solutions and tell me the pros and cons?

Thank you!

Shannon
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Use madCodeHook

Post by dcsoft »

Using madCodeHook is easier. For example, would an NDIS driver intercept dial-up modem traffic as well as Ethernet traffic? With madCodeHook, the source of the Internet traffic doesn't matter.

Also, bugs in drivers can cause blue screens. If your madCodeHook code has problems, it will only affect the hooked apps, not the entire system.

-- David
xrfang
Posts: 68
Joined: Mon Feb 28, 2005 7:29 am

Re: Use madCodeHook

Post by xrfang »

Of course I know madCodeHook is easier... I didn't know that NDIS can't handle dialup :oops: ... My only concern is: is there something that API hooking is not capable of, but a driver can do?

For example, I have an anti-hacker idea. My hook or driver program should record inbound connection requests to local UNLISTENED ports; if it finds such requests, it is very possible that the inbound connection is a port scanner. Then the program will block all subsequent connections from the same IP, even if it is to a listened port. Could I do this in madCodeHook? :crazy:
dcsoft wrote:Using madCodeHook is easier. For example, would an NDIS driver intercept dial-up modem traffic as well as Ethernet traffic? With madCodeHook, the source of the Internet traffic doesn't matter.

Also, bugs in drivers can cause blue screens. If your madCodeHook code has problems, it will only affect the hooked apps, not the entire system.

-- David
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

API hooks can be detected quite easily. Furthermore WinSock doesn't like some kinds of hooks (it has a built-in hook protection). If someone else has already hooked WinSock by using a different API hooking technique, madCodeHook might not be able to hook WinSock anymore.

Also I don't know whether you can really effectively block incoming scanners. I think there's a lot of stuff going on in driver land before incoming requests reach application level (where madCodeHook runs).

So all in all using a driver is the better approach for building a real firewall or something like that. However, it's much more difficult, I guess. And it might have its own limitations, as dcsoft hinted. So it's a difficult decision what to use. I'm glad that I don't have to decide it... :D
xrfang
Posts: 68
Joined: Mon Feb 28, 2005 7:29 am

Post by xrfang »

madshi wrote:API hooks can be detected quite easily. Furthermore WinSock doesn't like some kinds of hooks (it has a built-in hook protection). If someone else has already hooked WinSock by using a different API hooking technique, madCodeHook might not be able to hook WinSock anymore.
Well, that's also a really interesting topic! :crazy:

1. How can I detect that some other program has already placed a hook on the API I want to hook?

2. If I placed a hook before someone else, how can I detect a hook attempt on my callback function?

Thanks!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You can compare the import and export tables of all modules in your process with how they should look to detect IAT/EAT patching. And you can check the first 5 bytes of a function to detect code-overwriting hooks. If those first 5 bytes are identical to those of the original file on the hard disk, then no code-overwriting hook is currently installed.

The theory is easy, actually doing this is a bit more complicated, though.
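The in-memory versus on-disk prologue comparison described above, as an added example (not code from the thread or from madCodeHook): it compares the first 5 bytes of a function as loaded in memory with the same bytes from the module file, and if the live bytes begin with an E9 rel32 jump, resolves where that jump lands so the foreign code can be inspected. The byte strings, the function address 0x71AB1234 and the jump target are constructed; reading the real bytes from the process and from the file is left out, and the 5-byte check is specific to 32-bit x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 5   /* room for one E9 rel32 jump, the usual inline-hook stub on x86 */

/* Outcome of comparing a function's first bytes in memory with the copy on disk. */
typedef struct {
    int      hooked;        /* 1: the prologues differ, so something rewrote the function entry */
    int      is_jmp_rel32;  /* 1: the in-memory bytes begin with an E9 rel32 jump */
    uint32_t jmp_target;    /* absolute target of that jump (valid only if is_jmp_rel32) */
} hook_check_t;

/* in_memory: PROLOGUE_LEN bytes read from the live function at address function_va
   on_disk:   the same PROLOGUE_LEN bytes taken from the module file
   Assumes a 32-bit x86 image whose first 5 bytes contain no relocated absolute
   address; otherwise a mismatch can be legitimate and needs a closer look. */
hook_check_t check_prologue(const uint8_t *in_memory, const uint8_t *on_disk,
                            uint32_t function_va)
{
    hook_check_t r = {0, 0, 0};
    if (memcmp(in_memory, on_disk, PROLOGUE_LEN) == 0)
        return r;                       /* byte-identical: no code-overwriting hook present */
    r.hooked = 1;
    if (in_memory[0] == 0xE9) {         /* JMP rel32: target = next instruction + displacement */
        int32_t rel;
        memcpy(&rel, in_memory + 1, sizeof rel);   /* little-endian signed displacement */
        r.is_jmp_rel32 = 1;
        r.jmp_target = function_va + PROLOGUE_LEN + (uint32_t)rel;  /* wraps mod 2^32 */
    }
    return r;
}

/* Constructed sample data (not read from any real module). */
static const uint32_t kFunctionVa = 0x71AB1234u;  /* hypothetical address of the function */
static const uint8_t  kDiskPrologue[PROLOGUE_LEN]   = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t  kCleanPrologue[PROLOGUE_LEN]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* memory matches disk */
static const uint8_t  kHookedPrologue[PROLOGUE_LEN] = {0xE9, 0xC7, 0xFD, 0x54, 0x9E}; /* jmp to 0x10001000 */

int main(void)
{
    hook_check_t clean  = check_prologue(kCleanPrologue,  kDiskPrologue, kFunctionVa);
    hook_check_t hooked = check_prologue(kHookedPrologue, kDiskPrologue, kFunctionVa);
    printf("clean:  hooked=%d\n", clean.hooked);
    printf("hooked: hooked=%d jmp=%d target=0x%08X\n",
           hooked.hooked, hooked.is_jmp_rel32, hooked.jmp_target);
    return 0;
}
```

A mismatch is a signal to investigate rather than proof: hook stubs other than a plain E9 jump exist, so any difference from the on-disk bytes deserves attention even when no jump target can be resolved.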
periklis
Posts: 1
Joined: Mon Apr 11, 2005 9:11 pm

Post by periklis »

Hi madshi,

Do you have any reference about hook detection code?

Thank you
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Nope, sorry.