STATIC FILTER using VB


This topic contains 7 replies, has 2 voices, and was last updated by  couttsj 3 years, 4 months ago.

Viewing 8 posts - 1 through 8 (of 8 total)
  • #5394

    couttsj
    Participant

    I have a working DNS monitoring program using WinpkFilter. It presently analyzes every packet and breaks down and records only outbound DNS traffic. In an attempt to make it more efficient, I tried converting your “C” code example to VB.

    Code:
    Dim pFilters As STATIC_FILTER_TABLE
    pFilters.m_TableSize = 2
    ' 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
    ' Common values
    pFilters.m_StaticFilters(0).m_Adapter.High = 0 ' applied to all adapters
    pFilters.m_StaticFilters(0).m_Adapter.Low = 0 ' applied to all adapters
    pFilters.m_StaticFilters(0).m_ValidFields = NETWORK_LAYER_VALID Or TRANSPORT_LAYER_VALID
    pFilters.m_StaticFilters(0).m_FilterAction = FILTER_PACKET_REDIRECT
    pFilters.m_StaticFilters(0).m_dwDirectionFlags = PACKET_FLAG_ON_SEND

    ' Network layer filter
    pFilters.m_StaticFilters(0).m_NetworkFilter.m_dwUnionSelector = IPV4
    pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL
    pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP

    ' Transport layer filter
    pFilters.m_StaticFilters(0).m_TransportFilter.m_dwUnionSelector = TCPUDP
    pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT
    pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53 ' DNS
    pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53

    ' 2. Pass all packets (skipped by previous filters) without processing in user mode
    ' Common values
    pFilters.m_StaticFilters(1).m_Adapter.High = 0 ' applied to all adapters
    pFilters.m_StaticFilters(1).m_Adapter.Low = 0 ' applied to all adapters
    pFilters.m_StaticFilters(1).m_ValidFields = 0
    pFilters.m_StaticFilters(1).m_FilterAction = FILTER_PACKET_PASS
    pFilters.m_StaticFilters(1).m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE Or PACKET_FLAG_ON_SEND
    SetPacketFilterTable nHandle, pFilters

    It doesn’t give me any errors, but it also doesn’t filter out any traffic. What am I doing wrong?

    J.A. Coutts

    #7144

    couttsj
    Participant

    I forgot that I was operating in promiscuous mode, and I suspect that is the problem.

    J.A. Coutts

    #7145

    couttsj
    Participant

    Promiscuous mode was causing me some problems, but unfortunately my filtering code is still not filtering anything.

    Let me supply a little more info. Our DNS server is being used as an attack vector against a number of Chinese servers. I needed a quick and dirty solution to eliminate repetitive DNS requests, and indeed I have achieved that. But I believe that it would be more efficient if I only had to process incoming DNS queries.

    Any help would be appreciated.

    J.A. Coutts

    #7146

    Vadim Smirnov
    Moderator

    Hi,

    I have nearly no experience in VB, but there is a C sample, filter.cpp, which has a scenario to redirect only DNS packets for processing by the WinpkFilter application.

    This sample scenario can easily be modified to intercept only DNS queries destined to the local DNS server this way:

    pFilters->m_TableSize = 2;

    // 1. Incoming DNS requests filter: REDIRECT IN UDP packets with destination PORT 53
    // Common values
    pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
    pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
    pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
    pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

    // Network layer filter
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
    pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

    // Transport layer filter: the range is written into m_DestPort, so the
    // destination-port field is the one that must be marked valid
    pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT;
    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
    pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

    //***************************************************************************************
    // 2. Pass all packets (skipped by previous filters) without processing in user mode
    // Common values
    pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
    pFilters->m_StaticFilters[1].m_ValidFields = 0;
    pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
    pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

    The filter you showed in your initial post should select only outgoing DNS queries, not incoming ones.
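The following is an added example, not code from the thread or from the WinpkFilter SDK: a user-mode model of an ordered static filter table with the same fields as the C and VB samples above, run against a constructed traffic sample to show which DNS packets each variant of the table redirects. It shows the outgoing-query table, the incoming-query table, and a third variant that marks the source port as the valid field while the 53-53 range sits in m_DestPort, a mismatch that is easy to make when adapting the sample. The numeric constants, the zero-initialised defaults and the first-match rule are assumptions made for the model; the real values come from ndisapi.h.

```python
"""Model of a WinpkFilter-style static filter table (added example, not SDK code)."""
from dataclasses import dataclass

# Assumed bit values: only their distinctness matters for the model.
PACKET_FLAG_ON_SEND, PACKET_FLAG_ON_RECEIVE = 0x1, 0x2
NETWORK_LAYER_VALID, TRANSPORT_LAYER_VALID = 0x1, 0x2
IP_V4_FILTER_PROTOCOL = 0x1
TCPUDP_SRC_PORT, TCPUDP_DST_PORT = 0x1, 0x2
IPPROTO_UDP, IPPROTO_TCP = 17, 6
FILTER_PACKET_PASS, FILTER_PACKET_REDIRECT = "PASS", "REDIRECT"


@dataclass(frozen=True)
class Packet:
    name: str
    direction: int      # PACKET_FLAG_ON_SEND or PACKET_FLAG_ON_RECEIVE
    protocol: int
    src_port: int
    dst_port: int


@dataclass
class StaticFilter:
    """One STATIC_FILTER entry; fields left unset are zero, as in a zeroed C table."""
    action: str
    direction_flags: int
    valid_fields: int = 0
    ipv4_valid_fields: int = 0
    protocol: int = 0
    tcpudp_valid_fields: int = 0
    src_port: tuple = (0, 0)   # m_SourcePort range, zero when never written
    dst_port: tuple = (0, 0)   # m_DestPort range

    def matches(self, p: Packet) -> bool:
        if not (self.direction_flags & p.direction):
            return False
        if self.valid_fields & NETWORK_LAYER_VALID:
            if (self.ipv4_valid_fields & IP_V4_FILTER_PROTOCOL) and p.protocol != self.protocol:
                return False
        if self.valid_fields & TRANSPORT_LAYER_VALID:
            lo, hi = self.src_port
            if (self.tcpudp_valid_fields & TCPUDP_SRC_PORT) and not (lo <= p.src_port <= hi):
                return False
            lo, hi = self.dst_port
            if (self.tcpudp_valid_fields & TCPUDP_DST_PORT) and not (lo <= p.dst_port <= hi):
                return False
        return True


def evaluate(table, p: Packet):
    """First matching entry wins (assumed), which is why the catch-all PASS goes last."""
    for f in table:
        if f.matches(p):
            return f.action
    return None  # every table built here ends in a catch-all, so this is never reached


def dns_table(direction_flags, port_field):
    """The two-entry table from the posts: direction and the valid port field vary,
    the 53-53 range is always written into m_DestPort exactly as in the posts."""
    dns = StaticFilter(
        action=FILTER_PACKET_REDIRECT,
        direction_flags=direction_flags,
        valid_fields=NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID,
        ipv4_valid_fields=IP_V4_FILTER_PROTOCOL,
        protocol=IPPROTO_UDP,
        tcpudp_valid_fields=port_field,
        dst_port=(53, 53),
    )
    catch_all = StaticFilter(FILTER_PACKET_PASS, PACKET_FLAG_ON_SEND | PACKET_FLAG_ON_RECEIVE)
    return [dns, catch_all]


# Constructed traffic sample: a resolver's own query and its reply, a client's query
# reaching a local DNS server and the server's reply, and two non-matching packets.
SAMPLE = [
    Packet("our_query_out",    PACKET_FLAG_ON_SEND,    IPPROTO_UDP, 51234, 53),
    Packet("reply_to_us_in",   PACKET_FLAG_ON_RECEIVE, IPPROTO_UDP, 53, 51234),
    Packet("client_query_in",  PACKET_FLAG_ON_RECEIVE, IPPROTO_UDP, 40000, 53),
    Packet("server_reply_out", PACKET_FLAG_ON_SEND,    IPPROTO_UDP, 53, 40000),
    Packet("dns_over_tcp_in",  PACKET_FLAG_ON_RECEIVE, IPPROTO_TCP, 40001, 53),
    Packet("ntp_in",           PACKET_FLAG_ON_RECEIVE, IPPROTO_UDP, 123, 123),
]


def redirected(table):
    """Names of the sample packets the table hands up to user mode."""
    return [p.name for p in SAMPLE if evaluate(table, p) == FILTER_PACKET_REDIRECT]


if __name__ == "__main__":
    print("outgoing queries  :", redirected(dns_table(PACKET_FLAG_ON_SEND, TCPUDP_DST_PORT)))
    print("incoming queries  :", redirected(dns_table(PACKET_FLAG_ON_RECEIVE, TCPUDP_DST_PORT)))
    print("SRC_PORT mismatch :", redirected(dns_table(PACKET_FLAG_ON_RECEIVE, TCPUDP_SRC_PORT)))
```

The outgoing table redirects only the host's own query, the incoming table only the client query arriving at the local server, and the mismatched table redirects nothing: with the source-port field marked valid and its range left at zero, no real packet matches and everything falls through to the catch-all PASS. Replies (source port 53) are not selected by either correct table, which is what you want when you only need to see the queries.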

    #7147

    couttsj
    Participant

    Thank you for the reply, SerpentFly. I used outbound DNS for the initial testing, but converted it to inbound DNS for the final product, both with the same results. It will do for now until I can figure it out.

    But I ran into another problem (server crashed) when I attempted to move it to a Server 2000. Server 2000 is not specifically listed as a supported OS, but the driver loaded without a problem and it is of the same vintage as XP/2000. Is it supported?

    J.A. Coutts

    #7148

    Vadim Smirnov
    Moderator

    Yes, Windows 2000 is supported, although the driver installed for that OS is different from the one used for XP or Vista and later.

    If you can collect the crash dump (kernel or full) we could check what has happened. I suspect this could be a sort of software conflict if you have firewalling/AV software installed.

    #7149

    couttsj
    Participant

    Sorry it took so long to reply, but this server is remote and the guy on the other end is not that technical. It turns out that the problem was with an incompatible or corrupt version of IPHLPAPI.DLL. I had to wait for the other guy to be available, because when I tried to do it remotely I would lose connectivity.

    Thanks

    J.A. Coutts

    #7150

    couttsj
    Participant

    I finally got around to looking at this issue, and I have located the problem with the filter. In VB, the lower array boundary defaults to 0, unless the programmer specifically sets the lower boundary to 1 with the Option Base statement in each and every module. The VB example “modDecl_Ndisapi.bas” defines the Type IP_V4_FILTER as:

    Public Type IP_V4_FILTER
    m_ValidFields As Long
    m_SrcAddress As IP_ADDRESS_V4
    m_DestAddress As IP_ADDRESS_V4
    m_Protocol As Byte
    Padding(3) As Byte
    End Type

    Because the lower limit is zero, “Padding” is defined as a 4 byte array. It should be defined as:

    Public Type IP_V4_FILTER
    m_ValidFields As Long
    m_SrcAddress As IP_ADDRESS_V4
    m_DestAddress As IP_ADDRESS_V4
    m_Protocol As Byte
    Padding(1 To 3) As Byte
    End Type

    The same is true of Type ETH_802_3_FILTER:

    Public Type ETH_802_3_FILTER
    m_ValidFields As Long
    m_SrcAddress(1 To ETHER_ADDR_LENGTH) As Byte
    m_DestAddress(1 To ETHER_ADDR_LENGTH) As Byte
    m_Protocol As Integer
    Padding As Integer
    End Type

    The end result was that each filter was 3 bytes too long (119 instead of 116).

    J.A. Coutts
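The following is an added example, not code from the thread or from the WinpkFilter SDK: it packs the IP_V4_FILTER structure the way the C header lays it out (three padding bytes) and the way the original VB Type lays it out (Padding(3) with a lower bound of 0 gives four elements), then reads both buffers back with the C layout to show how the extra byte shifts whatever follows the structure. IP_ADDRESS_V4 is modelled as an opaque 12-byte field, the constant values are placeholders, and the marker ULONG stands in for the first field after the IPv4 filter; all three are assumptions for the demo.

```python
"""Byte-level layout check for the VB vs C IP_V4_FILTER mismatch (added example)."""
import struct

IP_V4_FILTER_PROTOCOL = 0x1     # assumed value, real one is in ndisapi.h
IPPROTO_UDP = 17
NEXT_FIELD_MARKER = 0x41424344  # stands in for the first ULONG after the IPv4 filter

# C layout: ULONG m_ValidFields; IP_ADDRESS_V4 m_SrcAddress, m_DestAddress (12 bytes
# each, assumed); UCHAR m_Protocol; UCHAR Padding[3]. Little-endian, no alignment holes.
C_LAYOUT = struct.Struct("<I12s12sB3x")         # 32 bytes
# Original VB Type: Padding(3) As Byte has elements 0..3, i.e. four bytes.
VB_LAYOUT_BUGGY = struct.Struct("<I12s12sB4x")  # 33 bytes, one too many
# Corrected VB Type: Padding(1 To 3) As Byte.
VB_LAYOUT_FIXED = struct.Struct("<I12s12sB3x")


def encode_ipv4_filter(layout, protocol=IPPROTO_UDP):
    """Serialise a UDP-only IPv4 filter using the given layout (addresses unused)."""
    return layout.pack(IP_V4_FILTER_PROTOCOL, bytes(12), bytes(12), protocol)


def read_with_c_layout(buf):
    """What a consumer using the C layout sees: the IPv4 filter, then the next ULONG."""
    valid, _src, _dst, proto = C_LAYOUT.unpack_from(buf, 0)
    (next_field,) = struct.unpack_from("<I", buf, C_LAYOUT.size)
    return {"m_ValidFields": valid, "m_Protocol": proto, "next_ulong": next_field}


def marshal_then_parse(layout):
    """Emulate VB writing the filter followed by the next field, then a C-side read."""
    buf = encode_ipv4_filter(layout) + struct.pack("<I", NEXT_FIELD_MARKER)
    return read_with_c_layout(buf)


def layout_check(layout, expected_size=C_LAYOUT.size):
    """The LenB(udt) = sizeof(struct) comparison worth making before SetPacketFilterTable."""
    return layout.size == expected_size


if __name__ == "__main__":
    for name, layout in (("buggy", VB_LAYOUT_BUGGY), ("fixed", VB_LAYOUT_FIXED)):
        seen = marshal_then_parse(layout)
        print(f"{name}: size ok={layout_check(layout)} "
              f"next field read as 0x{seen['next_ulong']:08X} "
              f"(expected 0x{NEXT_FIELD_MARKER:08X})")
```

With the buggy layout the field that follows the IPv4 filter is read one byte late, so its value comes back as 0x42434400 instead of 0x41424344; in a real STATIC_FILTER table every field after that point, including the transport-layer filter and all subsequent entries, is misread the same way, which is why the driver matched nothing even though the call returned no error. Comparing the VB Type's LenB against the C sizeof for each structure before calling SetPacketFilterTable catches this class of mismatch early.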
