Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 1,050 total)
  • Author
    Posts
  • in reply to: WinPacketFilter – determine packet owner app #11951
    Vadim Smirnov
    Moderator

    The only thing you need is a couple of IPHELPER API functions, GetExtendedTcpTable and GetExtendedUdpTable. Then just match IP/port information against information extracted from the packet.

    If you need to do that in C# then here is the sample code https://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G

    in reply to: WinPacketFilter – determine packet owner app #11949
    Vadim Smirnov
    Moderator

    Hi,

    The only sample which demonstrates process lookup (using IP Helper API) is Socksify, and it is in C++:

    https://github.com/wiresock/ndisapi/tree/master/examples/cpp/socksify

    However, it is not a big deal to integrate process_lookup.h into .NET C++/CLI mixed class library (ndisapi.net) and use it there.

    in reply to: Blocking all network traffic works for a few minutes only #11947
    Vadim Smirnov
    Moderator

    You can send your code to support(at)ntkernel.com

    in reply to: command socksify #11944
    Vadim Smirnov
    Moderator

    Socksify was designed to be easy to understand, and it implements only a limited number of features. SOCKS5 password authentication is not supported, but it is not a big deal to add it if needed.

    in reply to: Driver signing and contact #11938
    Vadim Smirnov
    Moderator

    Yes, sure, I can sign your custom drivers build and as well as generate and sign MSI installers for Windows 7 and higher.

    You can send e-mail to support(at)ntkernel.com if you have any further questions.

    Vadim Smirnov
    Moderator

    An interesting idea, probably it would really be possible to use a SOCKS5 proxy (e.g. Dante which supports UDP) for this purpose.

    I will try to make some tests or even working demo over the weekend.

    Vadim Smirnov
    Moderator

    But what if we try to get rid of windscribe at all and replace it with simple obfuscation service?

    For example, I could add another parameter to wiresock config file:

    HandshakeFwd = test.sshvpn.me:52220

    If this parameter is present in the config file then:

    1. Wiresock client instead of sending handshake packet to Warp server will obfuscate it (add random size header for example) and send to test.sshvpn.me:52220 instead Warp server.

    2. Service listening test.sshvpn.me:52220 extracts original handshake and forwards it to Warp+ server. Here we have two options, if DPI blocks only handshake packets we can preserve source IP address and UDP port of the packet so that Warp+ server will send the handshake response directly to the wiresock skipping step 3.

    3. If DPI also blocks handshake responses then service forwards handshake from its IP address, receives handshake response from Warp, obfuscates it and forwards to wiresock.

    4. Wiresock receives handshake response, optionally de-obfuscates it and sets the tunnel up.

    Building such a service application and extending wiresock to use it is not that difficult. If you’re interested, we can try this approach.

    Vadim Smirnov
    Moderator

    It is possible to bind to a specific network adapter, but in this case it will not be enough, because wiresock depends on handshake and response intercepted at the NDIS layer, and this will not happen if they are sent over a different network interface. I will think if I can change the design to avoid this dependency.

    If I understand correctly, you have no server side control as it is a Warp server and therefore cannot use traffic obfuscation like https://github.com/dndx/phantun?

    P.S. Just an idea and I’m not sure if it will work out of the box. But what if we configure another server/service to forward obfuscated handshake/response packets between wiresock and Warp+? This is what your secondary VPN service does…

    Vadim Smirnov
    Moderator

    Since Wiresock client is implemented very similar to Windows version of Warp then I think it should be feasible. But I need a better understanding on what is going on. Could you post a link to the wstunnel you have used? There are at least two different wstunnel projects on github…

    Vadim Smirnov
    Moderator

    Hmm, sounds interesting, however, could you provide some more details about your configuration? I’m not sure I understand how it works… For example, if first handshake packet is discarded by DPI then why the subsequent handshakes (sent every two minutes) are not? Or all outgoing handshakes are dropped, but once tunnel is established the subsequent handshakes sent by the remote peer while DPI does not expect this behavior?

    Although, if it works, I think it is a matter of time before the DPI starts dropping handshakes in both directions. And maybe we could come up with a better way to avoid blocking…

    in reply to: Blocking all network traffic works for a few minutes only #11874
    Vadim Smirnov
    Moderator

    Another possibility is that Windows tries to repair WiFi connection by disabling and re-enabling it. This operations effectively switch off filtering, so you have to monitor the network adapters changes by setting an adapter list change event and reconfiguring filtering.

    I think it will be easier to discuss if you post your code here, may be you are doing something wrong.

    in reply to: Blocking all network traffic works for a few minutes only #11872
    Vadim Smirnov
    Moderator

    Neither ndisapi nor the NDIS driver have no time limit.

    Of course, I cannot guess what exactly happens on your PC, however, for example, it can happen if you have LAN and WiFi (or LTE, or etc..) network interfaces on your computer and both are connected to your router. My laptop is configured this way. Now lets assume that your application is filtering (and blocking packets) on wired network adapter only. By default, Windows uses a wired network adapter, so once you start blocking packets, it looses connectivity as expected. However, Windows detects that the Internet is not available through the default adapter, and after a while it switches to Wi-Fi Connection and you are able to browse Internet again.

    in reply to: Socksify or Wiresock #11870
    Vadim Smirnov
    Moderator

    Good question,since both can be used for the similar purposes. Although, I would advise WireSock because if SSH tunneling is TCP only then wireguard tunnel also supports UDP and it worth to note that some online games (e.g. Fortnite) use UDP for the transport. And for example, WireSock is used in this GPN.

    in reply to: command socksify #11868
    Vadim Smirnov
    Moderator

    Socksify is just a sample code which I created to forward selected application through the SSH session disposing the dynamic port (-D 8888). So,

    1. It can be any unused local TCP port. Local transparent proxy will use it to listen for incoming connections.
    2. This is the local SOCKS5 proxy port (for example, 8888 for ssh hostname -D 8888). Application always (hardcoded) assumes that you have SOCKS5 proxy running on 127.0.0.1.

    If you would like to use SOCKS5 proxy running on the different host then just change the 127.0.0.1 in socksify.cpp:143 to the IP address of your SOCKS proxy ( 198.xxx.xxx.xxx) or make it an input parameter.

    in reply to: VPN Demo #11836
    Vadim Smirnov
    Moderator

    Sorry, I’m afraid I have missed your post. But better late than never…

    GRETUNNEL is very simple console application. Technically you could just create a new console application in VS2019, copy the gretunnel.cpp code into it and add linkage to ndisapi.dll.

    By the way, you might be interested to look at WinpkFilter based WireGuard VPN client released recently.

Viewing 15 posts - 1 through 15 (of 1,050 total)