I have some question about web redirection.


  • #5017
    machun
    Participant

      Hello.

      I have a question.

      I want to block harmful sites.

      If we detect a harmful site (HTTP packet) in WinpkFilter, we redirect to an alert site.

      I know some information about this,

      but I can’t make this work with WinpkFilter.

      Does anyone have an idea or source code?

      #6035
      Kon
      Participant

        Hi. It is impossible, or very hard, to redirect to the alert site.

        The problem is that when you detect that the site is harmful, a connection is being established between the client and the harmful site. But there is no connection between the client and the alert site. If you redirect such a packet to the alert site, it will simply drop it.

        The one easy way to do it is to answer the GET query packet yourself. Just create a packet with the answer, as any site does.

        But it needs some special knowledge of TCP and HTTP.

        Regards,
        Andrew

        #6036
        Vadim Smirnov
        Keymaster

          If we detect a harmful site (HTTP packet) in WinpkFilter, we redirect to an alert site.

          Since the connection to the harmful site is already established, it can’t be easily redirected (normally redirection should occur during connection establishment). However, you can terminate the connection to the harmful site and drop all packets to/from it, alert the user about the harmful site, redirect all newly established HTTP user sessions from the registered harmful site to the alert site, etc.

          #6037
          kkkerem
          Participant

            Hi,
            Is it possible to redirect all HTTP packets to a different host? If yes, can you give some Delphi code for this? (I’ve tried to change the destination IP of the IP header, then recalculate the checksum, but it didn’t work.)

            #6038
            Vadim Smirnov
            Keymaster

              I’ve tried to change the destination IP of the IP header, then recalculate the checksum, but it didn’t work

              You should modify the destination IP address in the outgoing packet to the redirect address and recalculate the packet checksums (both IP and TCP). You should do the reverse operation in the incoming packet associated with the connection you modify.

              #6039
              kkkerem
              Participant

                I’ve recalculated the IP checksum.
                I’ve tried all the ways described in the forum, but I can’t recalculate the TCP checksum in Delphi. Please help me with this.

                #6040
                Vadim Smirnov
                Keymaster

                  This is the TCP checksum in C; I suppose you should be able to translate it to Delphi.


                  //
                  // Function recalculates TCP checksum
                  //
                  VOID
                  RecalculateTCPChecksum (
                      PINTERMEDIATE_BUFFER pPacket
                      )
                  {
                      tcphdr_ptr pTcpHeader = NULL;
                      unsigned short word16, padd = 0;
                      unsigned int i, sum = 0;
                      PUCHAR buff;
                      DWORD dwTcpLen;

                      iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

                      // Sanity check
                      if (pIpHeader->ip_p == IPPROTO_TCP)
                      {
                          pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
                      }
                      else
                          return;

                      // Reject an IP total length that is shorter than the IP header or longer
                      // than the captured frame; otherwise dwTcpLen below wraps or overruns the buffer
                      if (ntohs(pIpHeader->ip_len) < pIpHeader->ip_hl*4 ||
                          sizeof(ether_header) + ntohs(pIpHeader->ip_len) > pPacket->m_Length)
                          return;

                      dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

                      // Odd TCP length: append one zero byte so the data splits into 16-bit words
                      if ( (dwTcpLen/2)*2 != dwTcpLen )
                      {
                          padd=1;
                          pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
                      }

                      buff = (PUCHAR)pTcpHeader;
                      pTcpHeader->th_sum = 0;

                      // make 16 bit words out of every two adjacent 8 bit words and
                      // calculate the sum of all 16 bit words
                      for (i=0; i< dwTcpLen+padd; i=i+2){
                          word16 =((buff[i]<<8)&0xFF00)+(buff[i+1]&0xFF);
                          sum = sum + (unsigned long)word16;
                      }

                      // add the TCP pseudo header which contains:
                      // the IP source and destination addresses,

                      sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
                      sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

                      // the protocol number and the length of the TCP packet
                      sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

                      // keep only the last 16 bits of the 32 bit calculated sum and add the carries
                      while (sum>>16)
                          sum = (sum & 0xFFFF)+(sum >> 16);

                      // Take the one's complement of sum
                      sum = ~sum;

                      pTcpHeader->th_sum = htons((unsigned short)sum);
                  }
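
The address rewrite described in the thread (new destination on outgoing packets, the reverse on incoming ones, both checksums fixed), as an added example that is not part of the thread or of WinpkFilter. It works on a raw IPv4 buffer instead of INTERMEDIATE_BUFFER and, going beyond the full recomputation above, uses the RFC 1624 incremental update, which is enough when only an address changes. The function names, the sample packet and the addresses are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Folded one's-complement sum of big-endian 16-bit words (odd byte padded in arithmetic). */
static uint16_t ones_sum(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len) sum += (uint32_t)p[0] << 8;   /* no pad byte is written into the packet */
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)sum;
}

/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), over both address words. */
static void csum_adjust(uint8_t *hc, const uint8_t *old4, const uint8_t *new4) {
    uint32_t sum = (uint16_t)~(hc[0] << 8 | hc[1]);
    for (int i = 0; i < 4; i += 2)
        sum += (uint16_t)~(old4[i] << 8 | old4[i + 1]) + (uint32_t)(new4[i] << 8 | new4[i + 1]);
    sum = (uint16_t)~ones_sum(old4, 0, sum);   /* length 0: fold the carries only */
    hc[0] = (uint8_t)(sum >> 8); hc[1] = (uint8_t)sum;
}

/* Rewrite the address at ip+off (12 = source, 16 = destination) of an IPv4/TCP
   packet of caplen bytes and fix both checksums; -1 if the headers do not fit. */
int rewrite_addr(uint8_t *ip, size_t caplen, size_t off, const uint8_t *new4) {
    size_t ihl = caplen >= 20 ? (size_t)(ip[0] & 0x0F) * 4 : 0;
    if (ihl < 20 || caplen < ihl + 20 || ip[9] != 6) return -1;
    csum_adjust(ip + 10, ip + off, new4);        /* IPv4 header checksum */
    csum_adjust(ip + ihl + 16, ip + off, new4);  /* TCP checksum (pseudo-header) */
    memcpy(ip + off, new4, 4);
    return 0;
}

/* Constructed sample packet (payload "GET /") with full checksums, src -> dst. */
void build_packet(uint8_t *b, const uint8_t *src, const uint8_t *dst) {
    static const uint8_t tmpl[45] = {
        0x45,0,0,45, 0,1,0x40,0, 64,6,0,0, 0,0,0,0, 0,0,0,0,
        0xC0,1,0,80, 0,0,0,1, 0,0,0,1, 0x50,0x18,0xFF,0xFF, 0,0,0,0, 'G','E','T',' ','/' };
    memcpy(b, tmpl, 45); memcpy(b + 12, src, 4); memcpy(b + 16, dst, 4);
    uint16_t c = (uint16_t)~ones_sum(b, 20, 0);
    b[10] = (uint8_t)(c >> 8); b[11] = (uint8_t)c;
    c = (uint16_t)~ones_sum(b + 20, 25, ones_sum(b + 12, 8, 6 + 25));
    b[36] = (uint8_t)(c >> 8); b[37] = (uint8_t)c;
}

int main(void) {   /* outgoing direction: client -> blocked becomes client -> alert */
    const uint8_t cli[4] = {10,0,0,5}, bad[4] = {198,51,100,7}, alert[4] = {192,0,2,10};
    uint8_t got[45], want[45];
    build_packet(got, cli, bad); build_packet(want, cli, alert);
    return !(rewrite_addr(got, 45, 16, alert) == 0 && memcmp(got, want, 45) == 0);
}
```

For replies coming back from the alert host, call `rewrite_addr` with offset 12 to restore the blocked site's address as the source, so the client's TCP stack still matches the packet to its original connection.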