Monthly Archives: March 2010

Firewall application layer Winsock2

There are several ways to implement a firewall:

  • Winsock LSP – Can be used for an application layer firewall, but it’s mostly not used, for various reasons.
  • TDI Driver – Mostly used for personal firewalls; according to Microsoft it will be phased out in the next OS.
  • NDIS IM – Mostly used for gateway firewalls.
  • WFP – The new platform Microsoft is promoting; in my opinion it will not gain momentum until XP is retired.

Barak

DNS server filtering Delphi

When you need to filter a DNS request, there are a number of ways to do it:

  • Add an entry to the hosts file.
  • Intercept the UDP data and modify it.
  • Use NSP (Namespace Provider).
  • Use detours to hook the DNS functions (there is a post about the drawbacks of detours).

Komodia’s DNS Hijack intercepts all DNS requests before they leave the machine and allows the programmer to perform any lookup he desires; this can be done with any language that supports DLLs, such as C/C++, Delphi, .NET or VB.

Barak

URL filtering SDK

A URL Filtering SDK is used by programmers or companies that want to develop a web content filter, usually for parental control, and that want to focus their development on what their clients perceive as an advantage: GUI, support and ease of use. Using the SDK frees up development time that would otherwise go into a component that is complex and time consuming to build.

Here at Komodia we have been developing our URL Filtering SDK for about 3 years. Even if you’re going to implement only a subset of the functionality, please allow for up to six months of development and QA, and that’s just for the basic functionality.

Barak

API interception via DLL redirection

API interception via DLL redirection is a method that can be used to modify the default behaviour of an application for which you don’t have the source code.

Since this blog is about network interception, I’ll address that point. It’s possible to intercept the Winsock API via DLL injection (also called detouring). This method has advantages and disadvantages (at Komodia we use a Winsock LSP for this). The main advantages of network DLL injection are:

  • Doesn’t require installation of any kind (unless you want to intercept services on Vista/7, which is another story).
  • Easy to code

Disadvantages are:

  • Needs a detouring library; if you are going for a commercial project it will cost you, and for 64-bit you only have Microsoft Detours and Komodia Detours (and that’s it).
  • Will not work with all apps.
  • Some apps are protected against detouring.
  • Needs special code on Vista/7 if you want to intercept services and normal apps from a single service.

Barak

Windows XP LSP sample

Each time a Platform SDK comes out for a specific OS it comes with a new LSP sample for the latest OS. The Windows XP one was the first decent sample, but then came Vista, and the default installer for Vista isn’t the best one, and that’s an understatement.

As mentioned before, we packed the Windows XP LSP sample so that it can be easily compiled, and as we always remind people, the default samples work perfectly in the lab but fail miserably on real computers. We have a nice article on just why you should outsource your LSP development.

Barak

TDI firewall source code

We have written a bit on what TDI is. Basically, most personal firewalls use TDI for various reasons:

  1. It’s a driver, so it gives the false sense that it’s hard to remove.
  2. It’s been with us since 1995 on Win95.
  3. It has the ability to view traffic as a stream or as packets.

TDI is being phased out by Microsoft, and according to their documentation the next Windows version might not support it anymore, so investing in TDI can be quite risky.

Barak

LSP programming tutorial

When I first started to learn LSP, about nine years ago, Winsock LSP was an obscure, hard-to-learn technology, but today there are more resources available, whether on Microsoft’s web sites, other people’s web sites or Komodia’s web site.

If someone approached me today and asked for a recommendation on where to start learning LSP, my first question would be: “why?” Usually people want to learn LSP to develop some sort of product or for fun. If it’s for fun, then I recommend going ahead and learning it using the resources on Komodia’s site, but if it’s to develop a commercial application I’m against it, because what looks easy to do with LSP will be a losing deal in the long run.

The reason I’m saying this is that I know Komodia’s products have been developed full time for 3 years now, and I (Barak Weichselbaum) am a world expert in the field of LSPs, and we still get bug reports for things we could never foresee upfront. So for someone starting from scratch (expert or not) the cost may appear lower, but in reality the TCO will be very high.

Barak

Intercepting DNS queries LSP

It is possible to intercept DNS queries; usually it is done for anonymizers, for two reasons:

  1. Even if the session is anonymized the DNS query reveals the destination.
  2. Some countries censor their DNS servers.

Because of these two reasons, when you intercept the DNS you are able to hand the domain name to the proxy you tunnel the data to and let it resolve the name (still assuming we are writing an anonymizer).

The ways to do it are:

  • Winsock LSP or any other network interception technology like TDI, WFP or NDIS.
  • Use NSP (very rare).
  • Hooking/detours.

Each method has its advantages and disadvantages, and making the wrong choice can later mean starting all over. For example, what works perfectly on 32-bit may not work at all under 64-bit, or even worse cannot be made to work on 64-bit, or it may not be compatible with all current OS versions.

We at Komodia have an optional module for “Intercepting DNS queries LSP” which works on Windows 2000 up to 7 and 2008, including all 64-bit flavors.
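Both the “DNS server filtering” post above and this one rest on the same fact: the queried name travels in clear text inside the UDP payload, so whoever sees the datagram (an LSP, a driver, a hook) can read the destination and decide what to do with it. The following is an added example written for this page, not Komodia’s DNS Hijack or LSP code; it shows the language-independent part of such a filter in Python: parsing the question from an intercepted query, matching the name against a policy, and synthesising the reply a filter would hand back instead of forwarding the packet. The block list, the “block page” address and the sample query are all constructed here for the demonstration.

```python
"""Added example (not Komodia code): parse a raw DNS query as an intercepting
component would see it in the UDP payload, extract the queried name, apply a
filtering policy and build the reply a filter sends back for blocked names.
Block list, block-page address and the sample query are constructed here."""
import struct

# Constructed block list for the demo; a real filter loads this from policy.
BLOCKED_SUFFIXES = ("example-blocked.test",)
# Constructed "block page" address (TEST-NET-1 documentation range).
BLOCK_PAGE_IP = "192.0.2.1"
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query; used only to construct sample input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", TYPE_A, CLASS_IN)


def parse_query(pkt: bytes):
    """Return (txid, name, qtype, qclass, question_end) for a one-question query.

    Every length is bounds-checked: an interceptor sits on an untrusted input
    path, and a malformed datagram must raise rather than read out of range."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        pos += 1
        if length == 0:
            break
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack(">HH", pkt[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, pos + 4


def is_blocked(name: str) -> bool:
    """True if the name or any of its parent domains is on the block list."""
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def filter_query(pkt: bytes):
    """Policy decision for one intercepted query.

    Returns ("pass", None) when the packet should be forwarded unchanged, or
    ("block", reply) where reply is the datagram to send back to the caller."""
    txid, name, qtype, qclass, qend = parse_query(pkt)
    if not is_blocked(name):
        return "pass", None
    question = pkt[12:qend]            # echo the question section verbatim
    if qtype != TYPE_A or qclass != CLASS_IN:
        # Blocked name but not an IN/A query: answer NXDOMAIN (RCODE 3).
        header = struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0)
        return "block", header + question
    # Blocked A query: point the name at the block page with a short TTL.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rr = struct.pack(">HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4)  # name ptr to offset 12
    rdata = bytes(int(octet) for octet in BLOCK_PAGE_IP.split("."))
    return "block", header + question + rr + rdata


if __name__ == "__main__":
    for qname in ("www.example-blocked.test", "example.org"):
        action, reply = filter_query(build_query(qname))
        print(qname, "->", action, "" if reply is None else reply.hex())
```

The decision is made on the parsed name rather than on a substring search over the raw bytes, so a label that merely contains a blocked string does not match, and parent-domain matching is done on label boundaries. Whatever layer does the interception (LSP, TDI, WFP or a hook), the parser is the part that has to be robust, since it runs on every datagram the machine emits.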

Barak

Winsock sample lsp

Microsoft has been providing its Winsock LSP sample since 1995, when Winsock LSP was first used with Windows 95; up until 2005 or so the quality of the default sample was lacking, and much work was needed to make it work without any issues.

On our web site you can download the Winsock sample LSP, which is basically a repacked MS sample: we took the XP sample and put it inside a VS6 project, which makes it easier to learn Winsock LSP, but we didn’t include the modifications from our own LSP, which is far ahead of the default sample in terms of features.

Barak

Windows socket hijack outgoing data port 80

When someone wants to write a program that “hijacks” a Windows socket, he needs to know which technology to use. There are a number of technologies, each with its advantages and disadvantages, and the programmer needs to make the correct choice, otherwise he will find himself in a world of problems down the road.

On the Winsock LSP page we talk a bit about NDIS, TDI and WFP, and when the new web site design is up we will also have a more detailed discussion of each technology.

Our flagship product, which allows you to do exactly that (“Windows socket hijack outgoing data port 80”), is of course Komodia’s Redirector.

Barak