Vadim Smirnov

Forum Replies Created

Viewing 15 posts - 1,066 through 1,080 (of 1,500 total)
  • Author
    Posts
  • in reply to: listadapters.exe doesnt work… #6420
    Vadim Smirnov
    Keymaster

      Xp Sp2, yes i rebooted after the installation…and edited the reg’s files according to the installation in the help file.

      Installer creates required registry entries itself and you don’t have to manually edit anything. The instructions are given for those who create their own installer which includes WinpkFilter. So may be editing the registry caused the observed behavior.

      Another possible reason is installed third-party firewall/VPN/NAT software.

      in reply to: listadapters.exe doesnt work… #6418
      Vadim Smirnov
      Keymaster

        What operating system do you have? Have you rebooted after installation?

        in reply to: IP-Adress Redirect? #6415
        Vadim Smirnov
        Keymaster

          How can i modify the destination MAC?

          MAC header is right before IP header.

          in reply to: IP-Adress Redirect? #6413
          Vadim Smirnov
          Keymaster

            That depends from proxy, if it is HTTP proxy there is no problem since HTTP GET request contains the exact URL.

            in reply to: IP-Adress Redirect? #6411
            Vadim Smirnov
            Keymaster

              1) In addition to IP address you also have to change the destination MAC address if proxy is located in the same network segment as you are.
              2) You have to memorize the connection {source IP, source port, original remote IP, original remote port, new remote IP, new remote port}. When receiving a response on the redirected packet you have to find the connection in your connections table by destination IP/port which in your table should match source IP/port and substitute source IP/port in the packet.

              in reply to: signed x64 driver for winpkfilter? #6417
              Vadim Smirnov
              Keymaster

                Taking into account that WinpkFilter is a development library but not an end user software we don’t find its drivers signing really necessary. When it is used for evaluation or private/non-commercial purposes it can be loaded on Vista x64 by choosing the “Enforce unsigned drivers loading” option in the boot menu. In case of commercial usage WinpkFilter custom build should be signed by the end vendor by its own signature.

                Our current point of view may change once Vista x64 becomes more popular when it is now.

                in reply to: How to manage (Proxy) Re-Routing Packages? #6405
                Vadim Smirnov
                Keymaster

                  it is possible to capture packes from a specific port an re-route it to an other ip?

                  Can i change the dest. & src IP-Address in the IP-Header?

                  Which stuff has to be modified?

                  Yes this is possible and it is as simple as changing IP/TCP/UDP header and recalculating the checksums. Also if this is sort of redirect the reversed operation should be performed in reversed packets.

                  Internet Gateway sample http://www.ntkernel.com/w&p.php?id=31demonstrates the usage of WinpkFilter for implementing NAT solution.

                  in reply to: Problem On Filter (Delphi) #6403
                  Vadim Smirnov
                  Keymaster

                    Looks like your single thread services both winpkfilter and TServerSocket so you got a dead lock. Try to create a dedicated thread for winpkfilter or TServerSocket .

                    in reply to: Problem On Filter (Delphi) #6401
                    Vadim Smirnov
                    Keymaster

                      Hmm, I’m not sure that I understand what you have really implemented. Do you use WinpkFilter and Windows Sockets in the same application? If yes then probably your application design has got a synchronization problem (if socket and winpkfilter are used in the same single thread an example).

                      The general operation flow looks like the following:

                      Data sent to socket -> Data intercepted by WinpkFilter -> Data indicated back to application -> Application processes and returns data to the stack -> Socket send operation completed

                      in reply to: WinpkFilter – capture local packages? #6399
                      Vadim Smirnov
                      Keymaster

                        Data sent from local computer to local computer (localhost) even never wrapped with packets and processed inside TCP/IP without passing them to levels below.

                        This data can be intercepted only with LSP or TDI filter driver.

                        in reply to: TCP/IP Hook – Traffic observing for all IP’s #6395
                        Vadim Smirnov
                        Keymaster

                          The code below tracks incoming HTTP packets (port 80) and blocks if finds a particular string pattern in the packet. This is a simple sample for porno filter or URL blocking, you should be able easily adopt it for you needs:


                          /*************************************************************************/
                          /* Copyright (c) 2000-2007 NT Kernel Resources. */
                          /* All Rights Reserved. */
                          /* http://www.ntkernel.com */
                          /* [email protected] */
                          /* */
                          /* Module Name: wwwcensor.cpp */
                          /* */
                          /* Abstract: Defines the entry point for the console application */
                          /* */
                          /*************************************************************************/

                          #include "stdafx.h"

                          USHORT ntohs( USHORT netshort )
                          {
                          PUCHAR pBuffer;
                          USHORT nResult;

                          nResult = 0;
                          pBuffer = (PUCHAR )&netshort;

                          nResult = ( (pBuffer[ 0 ] << 8) & 0xFF00 )
                          | ( pBuffer[ 1 ] & 0x00FF );

                          return( nResult );
                          }

                          #define htons ntohs

                          int main(int argc, char* argv[])
                          {
                          TCP_AdapterList AdList;
                          CNdisApi api;
                          ETH_REQUEST Request;
                          INTERMEDIATE_BUFFER PacketBuffer;
                          ether_header_ptr pEthHeader = NULL;
                          iphdr_ptr pIpHeader = NULL;
                          tcphdr_ptr pTcpHeader = NULL;
                          HANDLE hEvent[256];
                          DWORD dwAdIndex = 0;
                          char szTempString[1500];
                          char szPattern[256];
                          BOOL bDrop = FALSE;


                          if (argc < 2)
                          {
                          printf ("Command line syntax:ntwwwcensor.exe pattern ntpattern - phrase or word to block HTTP packets with.n");
                          return 0;
                          }

                          if(!api.IsDriverLoaded())
                          {
                          printf ("Driver not installed on this system of failed to load.n");
                          return 0;
                          }

                          if ( strlen(argv[1]) > 255 )
                          {
                          printf ("Pattern is too,long, please use one with maximum of 255 characters.n");
                          return 0;
                          }

                          //
                          // Get pattern in upper case
                          //
                          ZeroMemory ( szPattern, 256 );
                          strcpy ( szPattern, argv[1] );
                          for ( unsigned i = 0; i < strlen (szPattern); ++i )
                          {
                          if (isalpha(((UCHAR)szPattern)))
                          szPattern
                          = (char)toupper((UCHAR)szPattern);
                          }

                          //
                          // Get system installed network interfaces
                          //
                          api.GetTcpipBoundAdaptersInfo ( &AdList );

                          //
                          // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)
                          //
                          ADAPTER_MODE Mode;
                          Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL;

                          //
                          // Create notification events and initialize the driver to pass packets thru us
                          //
                          for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
                          {
                          hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);

                          if (!hEvent[dwAdIndex])
                          {
                          printf("Failed to create notification event for network interface n");
                          return 0;
                          }

                          Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                          //
                          // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface
                          //
                          api.SetAdapterMode(&Mode);

                          //
                          // Set packet notification event for the network interface
                          //
                          api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
                          }


                          // Initialize common part of ETH_REQUEST
                          ZeroMemory ( &Request, sizeof(ETH_REQUEST) );
                          ZeroMemory ( &PacketBuffer, sizeof(INTERMEDIATE_BUFFER) );
                          Request.EthPacket.Buffer = &PacketBuffer;

                          //
                          // Go into the endless loop (this is just a sample application)
                          //
                          while (TRUE)
                          {
                          //
                          // Wait before any of the interfaces is ready to indicate the packet
                          //
                          dwAdIndex = WaitForMultipleObjects ( AdList.m_nAdapterCount, hEvent, FALSE, INFINITE ) - WAIT_OBJECT_0;

                          //
                          // Reset signalled event
                          //
                          ResetEvent(hEvent[dwAdIndex]);

                          //
                          // Complete initialization of ETH_REQUEST
                          //

                          Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

                          //
                          // Read packet from the interface until there are any
                          //
                          while(api.ReadPacket(&Request))
                          {
                          //
                          // Get Ethernet header
                          //
                          pEthHeader = (ether_header_ptr)PacketBuffer.m_IBuffer;

                          //
                          // Check if Ethernet frame contains IP packet
                          //
                          if(ntohs(pEthHeader->h_proto) == ETH_P_IP)
                          {
                          //
                          // Get IP header
                          //
                          pIpHeader = (iphdr_ptr)(pEthHeader + 1);

                          //
                          // Check if IP packet contains TCP packet
                          //
                          if (pIpHeader->ip_p == IPPROTO_TCP)
                          {
                          //
                          // Get TCP header pointer
                          //
                          pTcpHeader = (tcphdr_ptr)((PUCHAR)pIpHeader + pIpHeader->ip_hl*4);

                          //
                          // Check if this HTTP packet (destined to remote system port 80, or received from it)
                          //

                          if (((pTcpHeader->th_dport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND))||
                          ((pTcpHeader->th_sport == htons (80))&&(PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE)))
                          {
                          //
                          // Get data size in the packet and pointer to the data
                          //

                          DWORD dwDataLength = PacketBuffer.m_Length - (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);
                          PCHAR pData = (PCHAR)pEthHeader + (sizeof(ether_header) + pIpHeader->ip_hl*4 + pTcpHeader->th_off*4);

                          // If packet contains any data - process it
                          if (dwDataLength)
                          {
                          //
                          // Copy packet payload into the temporary string, replace all 0 bytes with 0x20, convert string to upper case and place at the end
                          //
                          memcpy (szTempString, pData, dwDataLength);
                          for (unsigned t = 0; t < dwDataLength; ++t)
                          {
                          if (szTempString[t] == 0)
                          szTempString[t] = 0x20;

                          if (isalpha((UCHAR)szTempString[t]))
                          szTempString[t] = (char)toupper((UCHAR)szTempString[t]);
                          }
                          szTempString[dwDataLength] = 0;

                          //
                          // Check if this packet payload contains user supplied pattern in ASCII code
                          //

                          if (strstr ( szTempString, szPattern ))
                          bDrop = TRUE;
                          }
                          }

                          }
                          }

                          if(bDrop)
                          {
                          printf ("TCP %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d pattern found & packet dropped n",
                          pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                          pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs (pTcpHeader->th_dport));
                          bDrop = FALSE;
                          }
                          else
                          if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
                          {
                          // Place packet on the network interface
                          api.SendPacketToAdapter(&Request);
                          }
                          else
                          {
                          // Indicate packet to MSTCP
                          api.SendPacketToMstcp(&Request);
                          }
                          }

                          }

                          return 0;
                          }

                          in reply to: TCP/IP Hook – Traffic observing for all IP’s #6391
                          Vadim Smirnov
                          Keymaster

                            Can someone say me which headers are necessary? (where can i download these?)

                            http://www.ntkernel.com/w&p.php?id=7

                            in reply to: installation NDIS-IM driver failed under winXP 64-bit [rus] #6383
                            Vadim Smirnov
                            Keymaster

                              Гмм, ничего по идее не изменилось с x64. Как я использовал слегка переделанный вариант snetcfg, так и использую с учетом пеерсборки последнего под x64.

                              А представленный код собирается под x64? Если нет, то вероятно это просто ограничение 32 битных процессов какое-то.

                              in reply to: TCP/IP Hook – Traffic observing for all IP’s #6388
                              Vadim Smirnov
                              Keymaster

                                Well, basically you can use WinpkFilter for parsing packets and blocking once quota exceeded.

                                Alternatively you can create you own own driver for this. Here depending of the exact requirement you have several options like LSP, TDI filter, NDIS IM, NDIS hooking, WFP…

                                in reply to: Modify packets #6381
                                Vadim Smirnov
                                Keymaster

                                  Using ndisapi.dll from C# is a bit trickier because you can’t pass managed memory to the driver directly. We have got some C# samples to include in the next WinpkFilter release, you can request pre-release preview of these samples by e-mailing support(at)ntkernel.com.

                                Viewing 15 posts - 1,066 through 1,080 (of 1,500 total)