WinSock application: hook or driver?
I need to write a program to filter internet traffic. Now I have 2 options: use madCodeHook to hook the WinSock API, or write a driver using the NDIS/SPI technologies.
I think I would like to use madCodeHook because it will be simpler than writing a driver. However, are there any pitfalls? Could anyone compare these 2 solutions and tell me the pros and cons?
Thank you!
Shannon
Use madCodeHook
Using madCodeHook is easier. For example, would an NDIS driver intercept dial-up modem traffic as well as Ethernet traffic? With madCodeHook, the source of the Internet traffic doesn't matter.
Also, bugs in drivers can cause blue screens. If your madCodeHook code has problems, it will only affect the hooked apps, not the entire system.
-- David
Re: Use madCodeHook
Of course I know madCodeHook is easier... I don't know that NDIS can't handle dial-up... My only concern is: is there something that API hooking is not capable of, but a driver can do?
For example, I have an idea for an anti-hacker tool. My hook or driver program should record inbound connection requests to local UNLISTENED ports; if it finds such requests, it is very possible that the inbound connection is from a port scanner. Then, the program will block all subsequent connections from the same IP, even if they are to a listened port. Could I do this in madCodeHook?
dcsoft wrote:Using madCodeHook is easier. For example, would an NDIS driver intercept dial-up modem traffic as well as Ethernet traffic? With madCodeHook, it doesn't matter the source of the Internet traffic.
Also, bugs in drivers can cause blue screens. If your madCodeHook code has problems, it will only affect the hooked apps, not the entire system.
-- David
API hooks can be detected quite easily. Furthermore, WinSock doesn't like some kinds of hooks (it has a built-in hook protection). If someone else has already hooked WinSock by using a different API hooking technique, madCodeHook might not be able to hook WinSock anymore.
Also I don't know whether you can really effectively block incoming scanners. I think there's a lot of stuff going on in driver land before incoming requests reach application level (where madCodeHook runs).
So all in all using a driver is the better approach for building a real firewall or something like that. However, it's much more difficult, I guess. And it might have its own limitations, as dcsoft hinted. So it's a difficult decision what to use. I'm glad that I don't have to decide it...
madshi wrote:API hooks can be detected quite easily. Furthermore, WinSock doesn't like some kinds of hooks (it has a built-in hook protection). If someone else has already hooked WinSock by using a different API hooking technique, madCodeHook might not be able to hook WinSock anymore.
Well, that's also a really interesting topic!
1. How can I detect that some other program already placed a hook on the API I want to hook?
2. If I placed a hook prior to someone else, how can I detect a hook attempt on my Callback function?
Thanks!
You can compare the import and export tables of all modules in your process with how they should look to detect IAT/EAT patching. And you can check the first 5 bytes of a function to detect code-overwriting hooks. If those first 5 bytes are identical to those of the original file on the hard disk, then no code-overwriting hook is currently installed.
The theory is easy, actually doing this is a bit more complicated, though.
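The 5-byte prologue comparison madshi describes, as an added example (not madshi's or madCodeHook's code): it compares the in-memory prologue of a function against the bytes from the on-disk image and, when they differ, decodes a near JMP rel32 (opcode E9, 5 bytes) to see where the hook lands. The function address, module range and byte strings are constructed for the demo; a real check would read them from the process and the PE file, and must skip functions whose first 5 bytes contain relocated absolute addresses.

```python
import struct

HOOK_SPAN = 5  # a near JMP rel32 (E9 xx xx xx xx) is exactly 5 bytes


def decode_jmp_rel32(code: bytes, address: int):
    """Return the absolute target of an E9 rel32 jump at `address`, else None.
    The displacement is relative to the end of the 5-byte instruction."""
    if len(code) < HOOK_SPAN or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
    return (address + HOOK_SPAN + rel) & 0xFFFFFFFF


def check_prologue(func_addr: int, in_memory: bytes, on_disk: bytes, module_range):
    """Compare the first 5 bytes of a function in memory with the on-disk image.
    Returns a dict with 'hooked', 'kind' and (for a JMP patch) 'target'."""
    mem, disk = in_memory[:HOOK_SPAN], on_disk[:HOOK_SPAN]
    if mem == disk:
        return {"hooked": False, "kind": None, "target": None}
    target = decode_jmp_rel32(mem, func_addr)
    if target is None:
        # Bytes differ but are not a plain JMP: some other patch (or relocation)
        return {"hooked": True, "kind": "unknown-patch", "target": None}
    lo, hi = module_range
    kind = "jmp-inside-module" if lo <= target < hi else "jmp-outside-module"
    return {"hooked": True, "kind": kind, "target": target}


# --- constructed sample data (not taken from any real process) ---
FUNC_ADDR = 0x7FFA0010                       # hypothetical address of the export
MODULE_RANGE = (0x7FF00000, 0x7FFF0000)      # hypothetical image range of the DLL
ORIGINAL_PROLOGUE = bytes.fromhex("8BFF558BEC")  # mov edi,edi / push ebp / mov ebp,esp
HOOK_TARGET = 0x10001000                     # hypothetical hook DLL address
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + HOOK_SPAN))


def run_demo():
    """Check both the clean and the patched prologue against the on-disk bytes."""
    clean = check_prologue(FUNC_ADDR, ORIGINAL_PROLOGUE, ORIGINAL_PROLOGUE, MODULE_RANGE)
    hooked = check_prologue(FUNC_ADDR, HOOKED_PROLOGUE, ORIGINAL_PROLOGUE, MODULE_RANGE)
    return clean, hooked


if __name__ == "__main__":
    for label, result in zip(("clean", "patched"), run_demo()):
        print(label, result)
```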