Need to know what application is associated with a packet


#4830
sanjeev
Participant

Hello,

I'm making a firewall with this driver. In my firewall I need to allow packets from specific applications only. Can I get this information from the packet header, i.e. what application has sent this packet? Or is there another way to do this?

Also in this firewall I want to block websites with specific names. Is it possible, and if yes, how? Any example will be highly appreciated.

Thanks

#5464
Vadim Smirnov
Keymaster

I'm making a firewall with this driver. In my firewall I need to allow packets from specific applications only. Can I get this information from the packet header, i.e. what application has sent this packet? Or is there another way to do this?

There is no way to determine the application context on the NDIS level. Actually, not all packets you see have an associated app (routed packets, packets generated by the TCP/IP stack). However, you can track active connection information with a TDI filter or with an LSP and use this information to determine each packet's associated application.

Also in this firewall I want to block websites with specific names. Is it possible, and if yes, how? Any example will be highly appreciated.

You can track and modify DNS requests for these names, an example…

#5465
sanjeev
Participant

Does WinpkFilter provide TDI filtering or an LSP? I have bought an individual WinpkFilter licence. Before buying the source code I want to know whether it is possible to make such a firewall using it. If not, do you have any other development SDKs; if yes, can you please provide me a sample?

#5466
sanjeev
Participant

@SerpentFly wrote:

Also in this firewall I want to block websites with specific names. Is it possible, and if yes, how? Any example will be highly appreciated.

You can track and modify DNS requests for these names, an example…

example??

#5467
Vadim Smirnov
Keymaster

Does WinpkFilter provide TDI filtering or an LSP? I have bought an individual WinpkFilter licence. Before buying the source code I want to know whether it is possible to make such a firewall using it. If not, do you have any other development SDKs; if yes, can you please provide me a sample?

Please find the Localhost Monitor API on this site, which is based on the TDI filter driver for Windows NT/2000/XP/Server 2003. There is sample LSP code available in the MSDN (search for SPI.CPP).

Usually firewalls combine a TDI (or LSP) and an NDIS level filter in order to provide complete functionality.

As for the DNS request modification, I can't provide you the sample code. However, it is no great problem to do this: you should intercept DNS requests/replies and modify the replied IP for the URL you would like to redirect, or just block the request (in this case the browser will fail to determine the site IP). I think it makes sense for you to read the DNS specs.

#5468
sanjeev
Participant

Thanks for your reply.

I need this solution for 98 as well. But the Localhost Monitor API is for the NT platform. Can you please suggest a solution for all Windows platforms?

I know the DNS requests. But I don't know how to redirect any request to some other domain/IP. Can you please be more specific about this? Does this redirection have to be done between the MSTCP table and the application, or between the network adapter and MSTCP? I can drop the connection while reading MSTCP based on IP or another filter, but I don't know how to redirect it.

Thanks

#5469
Vadim Smirnov
Keymaster

I need this solution for 98 as well. But the Localhost Monitor API is for the NT platform. Can you please suggest a solution for all Windows platforms?

You can also create a TDI filter driver for Windows 9x/ME. Example sample code for a Windows 9x/ME TDI filter driver can be found in the VToolsD samples (part of the SoftICE Driver Suite and DriverStudio products from http://www.compuware.com).

Another solution is an LSP; it's a user-mode DLL which is installed as a proxy between the Winsock interface and the Winsock Service Provider. Please read MSDN for the details.

I know the DNS requests. But I don't know how to redirect any request to some other domain/IP. Can you please be more specific about this? Does this redirection have to be done between the MSTCP table and the application, or between the network adapter and MSTCP? I can drop the connection while reading MSTCP based on IP or another filter, but I don't know how to redirect it.

Here are two ways:
1) Intercept the DNS request packet, parse the content and check if it queries information for the domain you would like to forbid access to. If it does, just drop this packet; the system will fail to resolve the IP for the domain and will be unable to connect to that host. Blocking can also be done on the DNS response packet.
2) Intercept the DNS response and check if it is for the domain you would like to forbid access to. If it is, modify the IP address information (to the host you would like to redirect to) and pass the packet to the stack. This way you cheat the system with your redirect IP address and it will try to connect to the specified IP (you can place a web page there like "Access to this site is restricted" or something).

#5470
sanjeev
Participant

I have downloaded the Localhost Monitor API from this site. But I didn't see where to modify the DNS request. I can see a structure _LOG_INFO, but nowhere in it is the website address provided.

With MSTCP (another programme) I can read data, but there also I could not see the domain name. Here I can block packets based on IP, but not based on domain name, as there is no such information.

I want to block all domains starting with y*.com, like yahoo, ymg, yourdomain etc. Please help.

#5471
smilish
Participant

You should read Serpent's suggestions more carefully:

Assigning PIDs to IP packets is one thing. Modifying DNS requests is another.

To modify DNS requests you don't need his TDI filter. This is for keeping track of connections/PIDs only.

If you want to develop a "Personal Firewall" you need two drivers:

1. NDIS filter doing the main tasks: block/allow Ethernet packets… reading/modifying the packets by parsing the underlying services (e.g. http, dns)
2. TDI filter for keeping track of local connections and processes.

#5472
sanjeev
Participant

Thanks a lot, Smilish. I have bought the WinpkFilter driver and downloaded the trial version of the TDI filter for the NT platform. I know I'm not so technically strong in this area 🙁 . Can you please tell me 2 things.

1. How to identify the underlying services' requests (e.g. http, dns; as per your suggestion I need to trap DNS requests only) and modify the DNS request.

2. How to compare data in INTERMEDIATE_BUFFER, as the data is in another format. In the PassThru example we can block the packet based on data contents. But the contents are not in a readable format. I want to search for a specific word within the packet data; if the word is found then drop this packet.

Thanks in advance..

#5473
smilish
Participant

Readable content? What do you expect? Machines are communicating… not humans! But you may see some readable fragments.

For DNS:

1. Intercept all incoming UDP packets from remote port 53 (DNS)
2. Extract the DNS information from the data part of the packets (as described in RFC1034 and RFC1035)
3. Modify the DNS info
4. Build new (faked) UDP packets
5. Send them to your local port

That's it!
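
Both DNS approaches described above (Vadim's two ways in #5469 and smilish's intercept/modify steps here) as one added C example; this is not code from the thread, from WinpkFilter or from the Localhost Monitor API. It works on the DNS message once the caller has located the UDP payload; the y*.com policy, the function names and the redirect address are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Walk a DNS name at off, copying it as dotted text when out != NULL. A compression
 * pointer (0xC0xx) ends the name and is not followed, which is enough for the
 * uncompressed question and for skipping answer names. Returns the offset just
 * past the name, or 0 when the message is malformed. */
static size_t dns_name(const uint8_t *m, size_t len, size_t off, char *out, size_t outlen) {
    size_t o = 0;
    while (off < len) {
        uint8_t l = m[off++];
        if (l == 0) { if (out) out[o] = '\0'; return off; }
        if ((l & 0xC0) == 0xC0) { if (out) out[o] = '\0'; return off < len ? off + 1 : 0; }
        if (off + l > len || (out && o + l + 2 > outlen)) return 0;
        if (out) { if (o) out[o++] = '.'; memcpy(out + o, m + off, l); o += l; }
        off += l;
    }
    return 0;                                   /* ran off the end without a terminator */
}

/* Way 1: constructed y*.com policy from the thread; true when the question name
 * of this query or reply is one the firewall should refuse (drop the packet). */
static int dns_should_drop(const uint8_t *m, size_t len) {
    char name[256];
    size_t n;
    if (dns_name(m, len, 12, name, sizeof name) == 0) return 0;   /* question follows 12-byte header */
    n = strlen(name);
    return n > 4 && (name[0] == 'y' || name[0] == 'Y') && strcmp(name + n - 4, ".com") == 0;
}

/* Way 2: in a reply for a blocked name, overwrite every A record's address with
 * redirect_ip (network byte order). Returns the number of records changed; the
 * caller must then recompute the UDP checksum (IPv4 also allows zeroing it). */
static int dns_redirect_response(uint8_t *m, size_t len, const uint8_t redirect_ip[4]) {
    int changed = 0;
    if (len < 12 || !(m[2] & 0x80) || !dns_should_drop(m, len)) return 0;  /* QR bit set = reply */
    size_t off = dns_name(m, len, 12, NULL, 0) + 4;          /* past QNAME, QTYPE, QCLASS */
    unsigned ancount = ((unsigned)m[6] << 8) | m[7];
    for (unsigned i = 0; i < ancount; i++) {
        off = dns_name(m, len, off, NULL, 0);
        if (off == 0 || off + 10 > len) break;
        unsigned type  = ((unsigned)m[off] << 8) | m[off + 1];
        unsigned rdlen = ((unsigned)m[off + 8] << 8) | m[off + 9];
        off += 10;                                           /* TYPE, CLASS, TTL, RDLENGTH */
        if (off + rdlen > len) break;
        if (type == 1 && rdlen == 4) { memcpy(m + off, redirect_ip, 4); changed++; }
        off += rdlen;
    }
    return changed;
}
```

Dropping the query (way 1) is the simpler choice: a rewritten reply (way 2) is only accepted by the stack once its UDP checksum has been recomputed or zeroed.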

#5474
sanjeev
Participant

Hello,

I was busy with some other project, that's why I could not continue this. Now I'm back to this. About

If you want to develop a "Personal Firewall" you need two drivers:

1. NDIS filter doing the main tasks: block/allow Ethernet packets… reading/modifying the packets by parsing the underlying services (e.g. http, dns)
2. TDI filter for keeping track of local connections and processes.

Can you please help me in understanding this. I have the NDIS filter (WinpkFilter SDK) and the TDI filter (Localhost Monitor API). Now I need to know which packet is associated with which application. Based on the application, the firewall (which I'm writing) will decide to drop or pass the packet. Can you please provide me a sample for the same.

Thanks in advance..

#5475
Vadim Smirnov
Keymaster

You can use the IP/port/protocol information gathered on the TDI level and match it against the information extracted from the IP packet. If it is the same, then the packet probably originated from the application you intercepted on the TDI level.

#5476
sanjeev
Participant

Is this the only way to check the program associated with a packet? I feel this is not a foolproof way to do this. There may be 2 applications which are accessing the same IP/port/protocol, like Netscape and Internet Explorer accessing yahoo.com at the same time. Do all firewalls use this method only, or is there any unique way to check this? Please advise..

Thanks a lot for your technical support till now. It is very useful for me. 😀

#5477
Vadim Smirnov
Keymaster

There may be 2 applications which are accessing the same IP/port/protocol, like Netscape and Internet Explorer accessing yahoo.com at the same time.

Right, destination IP/protocol/port can be the same, but the source ports will be different in the case described.
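
The TDI/NDIS matching from the last two replies, as an added C example that is not from the thread or from any of the products it mentions: a constructed connection table (what a TDI filter or LSP would record, including the owning pid) is matched against the 5-tuple parsed from an IPv4 packet, and the two browsers sharing one destination are told apart by their local ports. The struct and function names, addresses and pids are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* One connection-table entry as a TDI-level filter (or LSP) would record it:
 * local and remote endpoints plus the owning process id, host byte order. */
struct conn {
    uint32_t local_ip, remote_ip; uint16_t local_port, remote_port;
    uint8_t proto; uint32_t pid;            /* proto: 6 = TCP, 17 = UDP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Match an IPv4 packet (NDIS-level view, starting at the IP header) against the
 * table; outbound says which side of the packet is the local one. Returns the
 * owning pid, or 0 when nothing matches (routed or stack-generated traffic). */
static uint32_t packet_pid(const uint8_t *ip, size_t len, int outbound,
                           const struct conn *tbl, size_t n) {
    if (len < 20 || (ip[0] >> 4) != 4) return 0;
    size_t ihl = (ip[0] & 0x0F) * 4;
    uint8_t proto = ip[9];
    if (ihl < 20 || len < ihl + 4 || (proto != 6 && proto != 17)) return 0; /* need both ports */
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    uint16_t sport = rd16(ip + ihl), dport = rd16(ip + ihl + 2);
    uint32_t lip = outbound ? src : dst, rip = outbound ? dst : src;
    uint16_t lport = outbound ? sport : dport, rport = outbound ? dport : sport;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].proto == proto && tbl[i].local_ip == lip && tbl[i].local_port == lport &&
            tbl[i].remote_ip == rip && tbl[i].remote_port == rport) return tbl[i].pid;
    return 0;
}

/* Constructed sample table: the thread's two browsers fetching the same site.
 * Same destination, but each socket got its own local (source) port. */
static const struct conn sample_table[] = {
    { 0xC0A80102u, 0xCB00710Au, 1040, 80, 6, 1200 },  /* 192.168.1.2:1040 -> 203.0.113.10:80 */
    { 0xC0A80102u, 0xCB00710Au, 1041, 80, 6, 1344 },  /* 192.168.1.2:1041 -> 203.0.113.10:80 */
};

/* Build a minimal IPv4/TCP header (24 bytes) for the sample host talking to
 * port 80; inbound != 0 yields the server's reply with endpoints swapped. */
static void make_tcp_packet(uint8_t *buf, uint16_t lport, int inbound) {
    static const uint8_t hdr[20] = { 0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 192,168,1,2, 203,0,113,10 };
    memcpy(buf, hdr, 20);
    if (inbound) { memcpy(buf + 12, hdr + 16, 4); memcpy(buf + 16, hdr + 12, 4); }
    uint8_t lp[2] = { (uint8_t)(lport >> 8), (uint8_t)(lport & 0xFF) }, sp[2] = { 0, 80 };
    memcpy(buf + (inbound ? 22 : 20), lp, 2);        /* local port */
    memcpy(buf + (inbound ? 20 : 22), sp, 2);        /* server port */
}
```

A packet whose 5-tuple is in nobody's table (the third test case) is exactly the routed or stack-generated traffic Vadim mentions, and the policy has to decide what to do with it separately.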
