STATIC FILTER using VB


Viewing 8 posts - 1 through 8 (of 8 total)
  • #5394
    couttsj
    Participant

      I have a working DNS monitoring program using WinpkFilter. It presently analyzes every packet and breaks down and records only outbound DNS traffic. In an attempt to make it more efficient, I tried converting your “C” code example to VB.

      Code:
      Dim pFilters As STATIC_FILTER_TABLE
      pFilters.m_TableSize = 2
      ' 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53
      ' Common values
      pFilters.m_StaticFilters(0).m_Adapter.High = 0 ' applied to all adapters
      pFilters.m_StaticFilters(0).m_Adapter.Low = 0  ' applied to all adapters
      pFilters.m_StaticFilters(0).m_ValidFields = NETWORK_LAYER_VALID Or TRANSPORT_LAYER_VALID
      pFilters.m_StaticFilters(0).m_FilterAction = FILTER_PACKET_REDIRECT
      pFilters.m_StaticFilters(0).m_dwDirectionFlags = PACKET_FLAG_ON_SEND

      ' Network layer filter
      pFilters.m_StaticFilters(0).m_NetworkFilter.m_dwUnionSelector = IPV4
      pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL
      pFilters.m_StaticFilters(0).m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP

      ' Transport layer filter
      pFilters.m_StaticFilters(0).m_TransportFilter.m_dwUnionSelector = TCPUDP
      pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT
      pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53 ' DNS
      pFilters.m_StaticFilters(0).m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53

      ' 2. Pass all packets (skipped by previous filters) without processing in user mode
      ' Common values
      pFilters.m_StaticFilters(1).m_Adapter.High = 0 ' applied to all adapters
      pFilters.m_StaticFilters(1).m_Adapter.Low = 0  ' applied to all adapters
      pFilters.m_StaticFilters(1).m_ValidFields = 0
      pFilters.m_StaticFilters(1).m_FilterAction = FILTER_PACKET_PASS
      pFilters.m_StaticFilters(1).m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE Or PACKET_FLAG_ON_SEND
      ' Hand the table to the driver
      SetPacketFilterTable nHandle, pFilters

      It doesn’t give me any errors, but it also doesn’t filter out any traffic. What am I doing wrong?

      J.A. Coutts

      #7144
      couttsj
      Participant

        I forgot that I was operating in promiscuous mode, and I suspect that is the problem.

        J.A. Coutts

        #7145
        couttsj
        Participant

          Promiscuous mode was causing me some problems, but unfortunately my filtering code is still not filtering anything.

          Let me supply a little more info. Our DNS server is being used as an attack vector against a number of Chinese servers. I needed a quick and dirty solution to eliminate repetitive DNS requests, and indeed I have achieved that. But I believe that it would be more efficient if I only had to process incoming DNS queries.

          Any help would be appreciated.

          J.A. Coutts

          #7146
          Vadim Smirnov
          Keymaster

            Hi,

            I have nearly no experience in VB, but there is a C sample, filter.cpp, which has a scenario to redirect only DNS packets for processing by a WinpkFilter application.

            This sample scenario can be easily modified to intercept only DNS queries destined for the local DNS server, this way:


            pFilters->m_TableSize = 2;

            // 1. Incoming DNS requests filter: REDIRECT IN UDP packets with destination PORT 53
            // Common values
            pFilters->m_StaticFilters[0].m_Adapter.QuadPart = 0; // applied to all adapters
            pFilters->m_StaticFilters[0].m_ValidFields = NETWORK_LAYER_VALID | TRANSPORT_LAYER_VALID;
            pFilters->m_StaticFilters[0].m_FilterAction = FILTER_PACKET_REDIRECT;
            pFilters->m_StaticFilters[0].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE;

            // Network layer filter
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = IPV4;
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = IP_V4_FILTER_PROTOCOL;
            pFilters->m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = IPPROTO_UDP;

            // Transport layer filter
            // m_ValidFields must name the port field that is actually set below (the destination port),
            // otherwise the m_DestPort range is ignored by the driver
            pFilters->m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = TCPUDP;
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = TCPUDP_DST_PORT;
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS
            pFilters->m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53;

            //***************************************************************************************
            // 2. Pass all packets (skipped by previous filters) without processing in user mode
            // Common values
            pFilters->m_StaticFilters[1].m_Adapter.QuadPart = 0; // applied to all adapters
            pFilters->m_StaticFilters[1].m_ValidFields = 0;
            pFilters->m_StaticFilters[1].m_FilterAction = FILTER_PACKET_PASS;
            pFilters->m_StaticFilters[1].m_dwDirectionFlags = PACKET_FLAG_ON_RECEIVE | PACKET_FLAG_ON_SEND;

            break; // end of this scenario's case in the filter.cpp switch

            The filter you showed in your initial post should select only outgoing DNS queries, not incoming ones.
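            The static filter table, whether the VB one in the first post or the C one above, only decides which frames reach the user-mode program; what the program then does with a redirected frame is the part the thread is really about. The following is an added example, not code from this thread, from the WinpkFilter samples, or from NT Kernel Resources: it re-does in Python the exact match the first filter entry expresses (IPv4, UDP, destination port 53), parses the DNS question out of the frame, and applies a sliding-window check that flags a client repeating the same query, which is the "repetitive DNS requests" the poster wants to eliminate. The addresses, ports, the 3-queries-in-10-seconds threshold and the frame bytes are all constructed for the example; the driver itself is not involved, so it runs offline.

```python
"""Added example: user-mode handling of frames a WinpkFilter static filter REDIRECTs.
The frames are built here for the example; nothing below talks to the driver."""
import struct
import time
from collections import defaultdict, deque

DNS_PORT = 53
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


def matches_dns_filter(frame):
    """Same predicate as static filter #1: IPv4 + UDP + destination port 53."""
    if len(frame) < 14 + 20 + 8 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return False
    return struct.unpack_from("!H", ip, ihl + 2)[0] == DNS_PORT


def read_name(msg, off):
    """Decode an uncompressed DNS name at `off`; returns (name, offset after it).
    Compression pointers are rejected: a client's question never needs them, and
    accepting them unguarded is how parsers end up in pointer loops."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def parse_dns_query(frame):
    """Return (src_ip, txid, qname, qtype) for a one-question standard query, else None."""
    if not matches_dns_filter(frame):
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dns = ip[ihl + 8:]                      # skip the 8-byte UDP header
    if len(dns) < 12:
        return None
    txid, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    if flags & 0x8000 or qdcount != 1:      # QR=1 is a response, not a query
        return None
    try:
        qname, off = read_name(dns, 12)
        qtype = struct.unpack_from("!H", dns, off)[0]
    except (ValueError, struct.error):
        return None
    return src_ip, txid, qname, qtype


class RepeatSuppressor:
    """'drop' when the same (client, qname, qtype) was seen more than `limit`
    times within `window` seconds; anything else, DNS or not, is 'pass'."""

    def __init__(self, limit=3, window=10.0):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)      # key -> timestamps of recent queries

    def decide(self, frame, now=None):
        now = time.monotonic() if now is None else now
        q = parse_dns_query(frame)
        if q is None:
            return "pass"
        src_ip, _, qname, qtype = q
        hist = self.seen[(src_ip, qname.lower(), qtype)]   # lower(): 0x20 case games don't split the key
        while hist and now - hist[0] > self.window:
            hist.popleft()
        hist.append(now)
        return "drop" if len(hist) > self.limit else "pass"


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_query_frame(src_ip, dst_ip, src_port, txid, qname, qtype=1, dst_port=DNS_PORT):
    """Constructed Ethernet/IPv4/UDP/DNS query frame (MACs and IP id are arbitrary)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


if __name__ == "__main__":
    s = RepeatSuppressor(limit=3, window=10.0)
    f = build_query_frame("203.0.113.7", "192.0.2.53", 40000, 0xBEEF, "isc.org.", 255)  # ANY query, typical amplification bait
    for i in range(5):
        print(i, parse_dns_query(f)[2], s.decide(f, now=float(i)))
```

            The decision is per (client, name, type) rather than per client alone so a busy but legitimate resolver behind a NAT is not cut off; the 10-second window is a placeholder, and in the real program the "drop" branch is where the redirected packet is simply not reinjected.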

            #7147
            couttsj
            Participant

              Thank you for the reply, SerpentFly. I used outbound DNS for the initial testing, but converted it to inbound DNS for the final product, both with the same results. It will do for now until I can figure it out.

              But I ran into another problem (server crashed) when I attempted to move it to a Server 2000. Server 2000 is not specifically listed as a supported OS, but the driver loaded without a problem and it is of the same vintage as XP/2000. Is it supported?

              J.A. Coutts

              #7148
              Vadim Smirnov
              Keymaster

                Yes, Windows 2000 is supported, although the driver installed for that OS is different from the one used for XP or Vista and later.

                If you can collect the crash dump (kernel or full) we could check what has happened. I suspect this could be a sort of software conflict if you have firewalling/AV software installed.

                #7149
                couttsj
                Participant

                  Sorry it took so long to reply, but this server is remote and the guy on the other end is not that technical. It turns out that the problem was with an incompatible or corrupt version of IPHLPAPI.DLL. I had to wait for the other guy to be available, because when I tried to do it remotely I would lose connectivity.

                  Thanks

                  J.A. Coutts

                  #7150
                  couttsj
                  Participant

                    I finally got around to looking at this issue, and I have located the problem with the filter. In VB, the lower array boundary defaults to 0, unless the programmer specifically sets the lower boundary to 1 with the Option Base Statement in each and every module. The VB example “modDecl_Ndisapi.bas” defines the Type IP_V4_FILTER as:

                    Public Type IP_V4_FILTER
                    m_ValidFields As Long
                    m_SrcAddress As IP_ADDRESS_V4
                    m_DestAddress As IP_ADDRESS_V4
                    m_Protocol As Byte
                    Padding(3) As Byte
                    End Type

                    Because the lower limit is zero, “Padding” is defined as a 4 byte array. It should be defined as:

                    Public Type IP_V4_FILTER
                    m_ValidFields As Long
                    m_SrcAddress As IP_ADDRESS_V4
                    m_DestAddress As IP_ADDRESS_V4
                    m_Protocol As Byte
                    Padding(1 To 3) As Byte
                    End Type

                    The same is true of Type ETH_802_3_FILTER:

                    Public Type ETH_802_3_FILTER
                    m_ValidFields As Long
                    m_SrcAddress(1 To ETHER_ADDR_LENGTH) As Byte
                    m_DestAddress(1 To ETHER_ADDR_LENGTH) As Byte
                    m_Protocol As Integer
                    Padding As Integer
                    End Type

                    The end result was that each filter was 3 bytes too long (119 instead of 116).

                    J.A. Coutts
