Forum Replies Created
Not sure exactly what code you need, but this question was already discussed here http://www.ntkernel.com/forum/viewtopic.php?t=19 along with some code postings.
That can be a problem: dynamic hooking into the system stack (with a dynamically loadable NDIS IM driver under Windows 2000+ and a dynamic hooking driver for earlier Windows versions) can be implemented, but it is less reliable and more complex than static hooking (in the case of an IM driver a reboot can still be required in some cases).
How can I do the same ?
Packet data follows the packet header.
If I change the data and recalculate the chksum; what special care does the code have to take ?
If you don’t modify the packet length then checksum (IP/TCP/UDP) recalculation is enough. If you do modify the packet length (for example, changing “sex” to “fofo”) for the TCP protocol you also have to take care of the Sequence and Acknowledgement numbers.
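One way to carry the sequence and acknowledgement correction described above through the rest of the connection, as an added example that is not code from the forum or from WinpkFilter; the seq_correction type and the fix_seq/fix_ack names are assumptions made here. The correction is recorded once for the direction whose payload was rewritten; checksums still have to be recalculated separately.

```c
#include <stdint.h>

/* One sequence-space correction for one direction of a connection: the filter
 * rewrote the segment starting at sequence number 'pos' and changed its payload
 * length by 'delta' (changing "sex" to "fofo" gives +1). Every later segment in
 * that direction carries a sequence number shifted by delta, and the peer's
 * acknowledgements for data beyond 'pos' must be shifted back by delta.
 * All comparisons are modulo 2^32 so the logic survives sequence wraparound. */
typedef struct { uint32_t pos; int32_t delta; } seq_correction;

/* True when a lies after b in 32-bit sequence space (RFC 793 style). */
static int seq_after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Sequence number to write into an outgoing segment of the rewritten direction.
 * The rewritten segment itself (seq == pos), including retransmissions of it,
 * keeps its number because the filter rewrites its payload again. */
uint32_t fix_seq(const seq_correction *c, uint32_t seq)
{
    return seq_after(seq, c->pos) ? seq + (uint32_t)c->delta : seq;
}

/* Acknowledgement number to write into a segment flowing the other way: the
 * peer acknowledges the modified stream, so acks past 'pos' are shifted back. */
uint32_t fix_ack(const seq_correction *c, uint32_t ack)
{
    return seq_after(ack, c->pos) ? ack - (uint32_t)c->delta : ack;
}
```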
And is this data from the intercepted send calls processed in some way, or does it wait until the application responsible for processing it starts up?
If it waits, then the cause is clear: the network is effectively frozen, hence the slowdowns… If it is processed, then the cause has to be looked for elsewhere; if your driver causes no slowdowns under heavy network load, it should not cause any at system startup either.
is it possible to get that port redirect dynamically upon startup of “my_app”?
The WinpkFilter driver should be installed on the system beforehand. But in any case you start filtering/redirecting packets only when your application is active and stop this when your application is terminated. So the answer is YES.
is there a chance to configure windows’ firewall to redirect data sent from an external interface to port 25 to our port 10025?
The Windows built-in firewall does not support port redirecting services.
does anyone have an idea how to solve this EXCEPT using custom LSP/TDI/NDIS drivers?
Regretfully there is no other way. You can use WinpkFilter library (http://www.ntkernel.com/w&p.php?id=7) to implement port redirector solution though.
can I paste a link here that would be for a Simple Stupid Firewall that I made using winpkfilter example (PacketSniffer and PassThru)
Sure, you can.
SmartFirewall is an earlier version of NeT Firewall.
The problem is that it is a filter driver.
You mean Intermediate?
Where can OID requests be issued: in OnSend, OnReceive, OnInitialize, OnHalt?
In general, requests can be made as soon as the underlying driver is ready to handle them and until it stops doing so (so using OnInitialize and OnHalt is probably not very reasonable).
In general you only need to watch the IRQL (“Callers of NdisRequest can be running at IRQL <= DISPATCH_LEVEL”) and be guided by when those statistics are actually needed.
Anyway, is it ok to have an Article on the subject we treat here with my Application as a solution and a link to the WinpkFilter run-time libraries that are presented on
http://www.ntkernel.com/w&p.php?id=7
or it is in violation of the license agreement?
It is OK to do so. Good luck with your article and hope you will post a link to it here. If you are interested we can also publish it on this web-site.
This is the TCP checksum in C; I suppose you should be able to translate it to Delphi.
//
// Function recalculates TCP checksum
//
VOID
RecalculateTCPChecksum (
    PINTERMEDIATE_BUFFER pPacket
    )
{
    tcphdr_ptr pTcpHeader = NULL;
    unsigned short word16, padd = 0;
    unsigned int i, sum = 0;
    PUCHAR buff;
    DWORD dwTcpLen;
    iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

    // Sanity check: only TCP packets are handled
    if (pIpHeader->ip_p == IPPROTO_TCP)
    {
        pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
    }
    else
        return;

    // TCP length (header + data) derived from the IP total length
    dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4; //pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

    // Odd length: zero the byte following the segment so the last 16 bit word
    // is padded (relies on m_IBuffer having room for one extra byte)
    if ( (dwTcpLen/2)*2 != dwTcpLen )
    {
        padd=1;
        pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
    }

    buff = (PUCHAR)pTcpHeader;
    pTcpHeader->th_sum = 0;

    // make 16 bit words out of every two adjacent 8 bit words and
    // calculate the sum of all 16 bit words
    for (i=0; i< dwTcpLen+padd; i=i+2){
        word16 =((buff[i]<<8)&0xFF00)+(buff[i+1]&0xFF);
        sum = sum + (unsigned long)word16;
    }

    // add the TCP pseudo header which contains:
    // the IP source and destination addresses,
    sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
    sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);
    // the protocol number and the length of the TCP packet
    sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

    // keep only the last 16 bits of the 32 bit calculated sum and add the carries
    while (sum>>16)
        sum = (sum & 0xFFFF)+(sum >> 16);

    // Take the one's complement of sum
    sum = ~sum;
    pTcpHeader->th_sum = htons((unsigned short)sum);
}

I’ve tried to change the destination IP of the IP header, then recalculate the checksum, but it didn’t work.
You should modify the destination IP address in the outgoing packet to the redirect address and recalculate the packet checksums (both IP and TCP). You should do the reverse operation on the incoming packets associated with the connection you modify.
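An added example, not code from the forum or from WinpkFilter, that recalculates both the IPv4 header and the TCP checksums of a modified packet using only standard C (the packet bytes are constructed and the function names are assumptions). Unlike the routine posted above it never writes a pad byte into the buffer, and it checks the lengths in the IP header against the buffer size before reading.

```c
#include <stdint.h>
#include <stddef.h>
/* One's-complement sum with carries folded back in. A trailing odd byte is the
 * high byte of a zero-padded word, so no pad byte is written past the data. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; len -= 2, p += 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return sum;
}

/* Folded sum over the TCP pseudo-header (src, dst, protocol, TCP length) and the
 * whole segment including its checksum field; 0xFFFF means the stored checksum
 * is valid. Returns -1 instead of reading past buf_len when the lengths lie. */
long tcp_fold(const uint8_t *ip, size_t buf_len)
{
    size_t ihl, total;
    if (buf_len < 20 || (ip[0] >> 4) != 4 || ip[9] != 6) return -1;
    ihl = (ip[0] & 0x0F) * 4;
    total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl + 20 || total > buf_len) return -1;
    return ones_sum(ip + ihl, total - ihl,
                    ones_sum(ip + 12, 8, 6 + (uint32_t)(total - ihl)));
}

/* After a packet was modified (address, port or payload), store fresh IP header
 * and TCP checksums in place. Returns 1 on success, 0 on inconsistent lengths. */
int refresh_checksums(uint8_t *ip, size_t buf_len)
{
    size_t ihl; uint16_t f;
    if (tcp_fold(ip, buf_len) < 0) return 0;
    ihl = (ip[0] & 0x0F) * 4;
    ip[10] = ip[11] = 0;                               /* IP checksum field */
    f = (uint16_t)~ones_sum(ip, ihl, 0);
    ip[10] = (uint8_t)(f >> 8); ip[11] = (uint8_t)f;
    ip[ihl + 16] = ip[ihl + 17] = 0;                   /* TCP checksum field */
    f = (uint16_t)~tcp_fold(ip, buf_len);
    ip[ihl + 16] = (uint8_t)(f >> 8); ip[ihl + 17] = (uint8_t)f;
    return 1;
}

/* Constructed sample: 192.168.1.10:1234 -> 192.168.1.20:80, PSH|ACK, payload
 * "abc" (odd TCP length 23), both checksum fields still zero. */
uint8_t SAMPLE[43] = {
    0x45,0x00,0x00,0x2B,0x00,0x01,0x00,0x00,0x40,0x06,0x00,0x00,0xC0,0xA8,0x01,0x0A,
    0xC0,0xA8,0x01,0x14,0x04,0xD2,0x00,0x50,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,
    0x50,0x18,0x20,0x00,0x00,0x00,0x00,0x00,0x61,0x62,0x63 };
```

Calling refresh_checksums on SAMPLE stores 0xF75D in the IP header and 0x42D4 in the TCP header, after which tcp_fold returns 0xFFFF.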
Is it possible to reject a certain kind of packet (e.g. packets with the same source IP address) using only the user-mode APIs provided in WinpkFilter?
You mean drop these packets? If so then yes, you can just skip the API calls that reinject them into the stack (SendPacketToMstcp, SendPacketToAdapter) for these packets.
I wonder if the Net Firewall supports a simple one to many NAT.
One to many NAT is not implemented in the current version of NeT Firewall.
If we detect some harmful site (HTTP packet) in WinpkFilter, we redirect to an alert site.
Since the connection to the harmful site is already established it can’t be easily redirected (normally redirection should occur during connection establishment). However, you can terminate the connection to the harmful site and drop all packets to/from it, alert the user about the harmful site, redirect all newly established HTTP user sessions from the registered harmful site to the alert site, etc.