yarek
Joined: 28 Mar 2005 Posts: 32
Posted: Thu Sep 14, 2006 9:24 am Post subject: winsock again
I have read ALL topics about winsocks hooking in this great forum.
However I still have this question:
1) I know it is possible to hook RECV winsock to analyze ingoing traffic. I still do not know if it is possible TO MODIFY THEM or SEND.
My PURPOSE is to filter some BAD urls (in IE and Mozilla) and REDIRECT to a safe site if the url is for instance www.hack.com
2) Any precious clues or help (if this is possible) on how to achieve this?
Thanks again
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Thu Sep 14, 2006 10:12 am Post subject:
Then it's better to hook the Connect API (don't know what its name is) and check for the IP which is used.
yarek
Joined: 28 Mar 2005 Posts: 32
Posted: Thu Sep 14, 2006 10:33 am Post subject: how to get the domain name ?
Given the IP address, how can I get the domain name, since on the same IP address you can host www.hack.com (forbidden) and www.yahoo.com (allowed)? Any clues about this?
Is onConnect the GOOD solution for what I am trying to do?
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Thu Sep 14, 2006 10:57 am Post subject:
Hm you are right, you have to do it with the send/sendto APIs.
ssiebert
Joined: 12 Jul 2006 Posts: 10
Posted: Thu Sep 14, 2006 1:06 pm Post subject: Re: winsock again
yarek wrote:
> I have read ALL topics about winsocks hooking in this great forum.
> However I still have this question
> 1) I know it is possible to hook RECV winsock to analyze ingoing traffic. I still do not know if it is possible TO MODIFY THEM or SEND
On RECV it's too late.
> My PURPOSE is to filter some BAD urls (in IE and Mozilla) and REDIRECT to a safe site if the url is for instance www.hack.com
> 2) Any precious clues or help (if this is possible) on how to achieve this?
You'll have to hook the connect/Ex and rewrite it on the fly. Possibly you'll have to do a gethostbyaddr if it's already converted, or hook the corresponding Winsock function.
ssiebert
Joined: 12 Jul 2006 Posts: 10
Posted: Thu Sep 14, 2006 1:14 pm Post subject:
uall wrote:
> Hm you are right, you have to do it with the send/sendto APIs.
Best is to use OllyDbg to see which API functions are used. I don't know if they all end in the same functions.
yarek
Joined: 28 Mar 2005 Posts: 32
Posted: Thu Sep 14, 2006 2:10 pm Post subject: gethostbyaddr
ssiebert wrote:
> You'll have to hook the connect/Ex and rewrite it on the fly. Possibly you'll have to do a gethostbyaddr if it's already converted, or hook the corresponding Winsock function.
The trouble is that with gethostbyaddr you are given a generic name such as 213.186.59.111 - ns31218.ovh.net and NOT the domain names that are virtually hosted on that server such as www.hack.com.
So how can I get the www.hack.com and stop it before it loads?
uall
Joined: 20 Feb 2005 Posts: 254
Posted: Thu Sep 14, 2006 4:17 pm Post subject:
Hook the send APIs. When there is the GET command you can look for the domain which is used.
yarek
Joined: 28 Mar 2005 Posts: 32
Posted: Thu Sep 14, 2006 4:23 pm Post subject: SEND COMMAND
It sounds great.
But: isn't it TOO LATE to prevent showing the page? In fact I need to REDIRECT the webpage to a secure website or a local file.
Is this possible hooking the SEND command?
Thanks
dcsoft
Joined: 11 Dec 2004 Posts: 353 Location: San Francisco Bay Area, CA USA
Posted: Thu Sep 14, 2006 4:54 pm Post subject:
You need to hook gethostbyname() and getaddrinfo(). Popular browsers use one or the other. These are called to resolve text URLs into the IP address. Here, you can see if the text URL is in your database (e.g. www.hack.com). If so, you want to redirect it. In that case, call the original function with "www.yoursafesite.com" to get the IP address for it, and return that to the browser.
Then, you need to hook send(). When the browser gets back the IP address from above, it will then call send() with the "GET" command to access the data on the site. But it will think it's accessing hack.com and not yours. So you have to replace "hack.com" in the packet with "yoursafesite.com". So your send() hook does this replacement, then calls the original send().
That's all you need to do.
-- David
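The two decisions dcsoft's URL filter has to make, as an added example (not code from the thread or from any poster): the name the resolver hook should hand to the original gethostbyname()/getaddrinfo(), and the Host: header rewrite the send() hook applies to the outgoing HTTP request. The Winsock hooking itself is left out so the logic is portable and testable; the blocklist is a constructed sample and SAFE_HOST is the redirect target named in the post.

```c
#include <string.h>
#include <ctype.h>
#define SAFE_HOST "www.yoursafesite.com"                  /* redirect target named in the thread */
static const char *BLOCKLIST[] = { "www.hack.com", "hack.com" };   /* constructed sample list */

/* Case-insensitive compare of the first n bytes of s against lit. */
static int ieq(const char *s, const char *lit, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i])) return 0;
    return 1;
}

/* Exact, case-insensitive match of a (not NUL-terminated) host name against the list. */
static int is_blocked(const char *host, size_t len) {
    for (size_t i = 0; i < sizeof BLOCKLIST / sizeof *BLOCKLIST; i++)
        if (strlen(BLOCKLIST[i]) == len && ieq(host, BLOCKLIST[i], len)) return 1;
    return 0;
}

/* Resolver-hook decision: the name to hand to the original gethostbyname()/getaddrinfo(). */
const char *filter_hostname(const char *name) {
    return is_blocked(name, strlen(name)) ? SAFE_HOST : name;
}

/* send()-hook decision: copy an HTTP request into out, swapping the Host: value when it
 * names a blocked site (the browser still believes it is talking to the blocked site).
 * Only the header block is inspected. Returns the rewritten length, or -1 if out is too small. */
int rewrite_host_header(const char *req, size_t len, char *out, size_t outsz) {
    size_t i = 0, o = 0;
    while (i < len && req[i] != '\r' && req[i] != '\n') {       /* header lines until the blank line */
        const char *line = req + i, *nl = memchr(line, '\n', len - i);
        size_t ll = nl ? (size_t)(nl - line) + 1 : len - i, v = 5, e;
        if (ll > 5 && ieq(line, "Host:", 5)) {
            while (v < ll && line[v] == ' ') v++;                /* skip spaces after the colon */
            for (e = v; e < ll && line[e] != ':' && line[e] != '\r' && line[e] != '\n'; e++) ;
            if (is_blocked(line + v, e - v)) {                   /* swap the name, keep ":port" and CRLF */
                size_t tail = ll - e, slen = strlen(SAFE_HOST);
                if (o + 6 + slen + tail > outsz) return -1;
                memcpy(out + o, "Host: ", 6);     o += 6;
                memcpy(out + o, SAFE_HOST, slen); o += slen;
                memcpy(out + o, line + e, tail);  o += tail;
                i += ll; continue;
            }
        }
        if (o + ll > outsz) return -1;
        memcpy(out + o, line, ll);  o += ll;  i += ll;
    }
    if (o + (len - i) > outsz) return -1;                        /* blank line and body copied verbatim */
    memcpy(out + o, req + i, len - i);
    return (int)(o + len - i);
}
```

This rewrite only works for plaintext HTTP: for HTTPS the Host header is inside the TLS record, so a send() hook never sees it in the clear and the resolver-hook redirect alone would produce a certificate mismatch in the browser.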
ercanpolat
Joined: 31 Jan 2006 Posts: 31
Posted: Tue Jul 15, 2008 1:12 pm Post subject:
hi dcsoft
how can i intercept and manipulate gethostaddr function params? Can you give me an example. User will enter www.xxx.com then my application will redirect this page to http://127.0.0.1/warning.html. I already hook this function and blocking addresses is working. But I can't redirect.
Thanks
dcsoft
Joined: 11 Dec 2004 Posts: 353 Location: San Francisco Bay Area, CA USA
Posted: Thu Jul 17, 2008 11:10 am Post subject:
You need to hook gethostbyname(), and getaddrinfo(), and send().
Did you hook the first 2 yet? Sorry, I can't give you example code.
Thanks,
David
ercanpolat
Joined: 31 Jan 2006 Posts: 31
Posted: Wed Jul 23, 2008 6:16 am Post subject:
I did it. Thanks.
I put a simple web server in my application and simply change the address parameter to "localhost" in the hook function. Everything works fine now.