Category Archives: Winsock LSP

NDIS Filter

NDIS Filter is used to perform packet filtering, modification and inspection, unlike other technologies such as LSP and TDI, which operate on streams.

NDIS Filter is actually an NDIS IM (intermediate) driver which receives packets (outgoing or incoming), can process them and then either pass them to the next layer or drop them; that’s why NDIS IM drivers are used for firewalls, corporate firewalls, custom network solutions and more.

When stream operations are required, NDIS IM is sometimes a bad choice because it imposes the additional work of reassembling packets into streams, which can be avoided by using TDI or LSP.

Barak

API interception via DLL redirection

API interception via DLL redirection is a method that can be used to modify the default behaviour of an application for which you don’t have the source code.

Since this blog is about network interception, I’ll address that point. It’s possible to intercept the Winsock API via DLL injection (also called detouring). This method has advantages and disadvantages (at Komodia we use Winsock LSP to do that); the main advantages of network DLL injection are:

  • Doesn’t require installation of any kind (unless you want to intercept services on Vista/7 which is another story)
  • Easy to code

Disadvantages are:

  • Need a detouring library; if you are going for a commercial project it will cost you. Also, for 64-bit you only have Microsoft Detours and Komodia Detours (and that’s it).
  • Will not work with all apps.
  • Some apps are protected against detouring.
  • Need special code for Vista/7 if you want to intercept services and normal apps from a single service.
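As an added example (not Komodia’s code, and not from any detouring library), here is the kind of check an application that is “protected against detouring” performs: it inspects the first bytes of a Winsock export for a jump trampoline, and, more reliably, compares the in-memory prologue with the one in the DLL on disk. The sample prologues are constructed; on Windows the bytes would be read from the address `GetProcAddress` returns for the export (assumed usage, shown in a comment).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Heuristic: does this function prologue start with a detour trampoline?
   Returns 1 if a jump-away pattern is found, 0 otherwise. */
int looks_detoured(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return 1;                 /* jmp rel32 (classic inline patch) */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1; /* jmp [rip+disp32] (x64) / jmp [abs32] (x86) */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1; /* push imm32; ret */
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&        /* mov rax, imm64 ... */
        p[10] == 0xFF && p[11] == 0xE0) return 1;         /* ... jmp rax */
    if (n >= 2 && p[0] == 0xEB && p[1] == 0xF9) return 1; /* jmp -5: hot-patch style, short jump back into a
                                                             long jmp written over the padding before the function */
    return 0;
}

/* Stronger check: compare the in-memory prologue with the same bytes of the
   DLL on disk. Any difference means the export has been modified. */
int prologue_modified(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) if (mem[i] != disk[i]) return 1;
    return 0;
}

/* Constructed sample prologues (not captured from a real ws2_32.dll). */
const uint8_t kCleanX86[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };       /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t kCleanX64[] = { 0x48, 0x89, 0x5C, 0x24, 0x08 };       /* mov [rsp+8], rbx */
const uint8_t kJmpPatch[] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };       /* jmp rel32 */
const uint8_t kHotPatch[] = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC };       /* jmp -5; push ebp; mov ebp,esp */
const uint8_t kPushRet[]  = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3 }; /* push imm32; ret */

int main(void)
{
    /* On Windows: p = (const uint8_t *)GetProcAddress(GetModuleHandleA("ws2_32"), "send"); */
    printf("clean x86 prologue detoured: %d\n", looks_detoured(kCleanX86, sizeof kCleanX86));
    printf("jmp-patched prologue detoured: %d\n", looks_detoured(kJmpPatch, sizeof kJmpPatch));
    printf("patched vs disk copy modified: %d\n", prologue_modified(kJmpPatch, kCleanX86, 5));
    return 0;
}
```

Some exports legitimately begin with a jump (forwarders, thunks), so the pattern check alone can raise false positives; the comparison against the on-disk image is the authoritative one.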

Barak

Windows XP LSP sample

Each time a Platform SDK comes out for a specific OS it comes with a new LSP sample for the latest OS; the Windows XP one was the first decent sample, but then came Vista, and the default installer for Vista isn’t the best one – and that’s an understatement.

As mentioned before, we packed the Windows XP LSP sample so it can be easily compiled, and as we always remind: the default samples will work perfectly in the lab, but will fail miserably on real computers. We have a nice article just about why you should outsource your LSP development.

Barak

LSP programming tutorial

When I first started to learn LSP, about nine years ago, Winsock LSP was an obscure, hard to learn technology, but today there are more resources available, whether on Microsoft’s web sites, other people’s web sites, or Komodia’s web site.

If someone approached me today and asked for a recommendation on where to start learning LSP, my first question would be: “why?” Usually people want to learn LSP to develop some sort of product, or for fun. If it’s for fun then I recommend going ahead and learning it using the resources on Komodia’s site, but if it’s to develop a commercial application I’m against it, because what looks easy to do with LSP will be a losing deal in the long run.

The reason I’m saying this is that I know Komodia’s products have been developed full time for 3 years now, and I (Barak Weichselbaum) am a world expert in the field of LSPs, and we still get bug reports for things we could never foresee upfront; so for someone starting from scratch (expert or not) the cost may appear lower, but in reality they will have a very high TCO.

Barak

Intercepting DNS queries LSP

It is possible to intercept DNS queries; usually it is done for anonymizers, for two reasons:

  1. Even if the session is anonymized, the DNS query reveals the destination.
  2. Some countries have their DNS servers censored.

Because of these two reasons, when you intercept the DNS you are able to resolve the domain name via the proxy you tunnel the data to (still assuming we are writing an anonymizer).
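To make reason 1 concrete, here is an added example (not Komodia’s code) of what any interception point, LSP or otherwise, sees in a DNS query before the session itself is tunnelled: the destination name in plain text. The parser walks the question section of a constructed query packet and rejects truncated or malformed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extract the first question name and QTYPE from a DNS query packet.
   Returns the name length, or -1 if the packet is not a well-formed query.
   out must have room for 256 bytes. */
int dns_query_name(const uint8_t *pkt, size_t len, char *out, uint16_t *qtype)
{
    size_t pos = 12, o = 0;                     /* fixed 12-byte DNS header */
    if (len < 12) return -1;
    if (pkt[2] & 0x80) return -1;               /* QR bit set: a response, not a query */
    if (((pkt[4] << 8) | pkt[5]) == 0) return -1; /* QDCOUNT == 0: no question to read */
    for (;;) {
        uint8_t l;
        if (pos >= len) return -1;
        l = pkt[pos++];
        if (l == 0) break;                      /* root label terminates the name */
        if (l & 0xC0) return -1;                /* a compression pointer in the first question has nothing
                                                   earlier to point to; treat as malformed */
        if (l > 63 || pos + l > len || o + l + 1 > 255) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, pkt + pos, l);
        o += l; pos += l;
    }
    if (pos + 4 > len) return -1;               /* QTYPE and QCLASS must follow the name */
    *qtype = (uint16_t)((pkt[pos] << 8) | pkt[pos + 1]);
    out[o] = '\0';
    return (int)o;
}

/* Constructed query for www.example.com, type A (1), class IN (1): ID 0x1234, RD set, QDCOUNT 1. */
const uint8_t kQuery[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    char name[256]; uint16_t qtype = 0;
    int n = dns_query_name(kQuery, sizeof kQuery, name, &qtype);
    if (n >= 0) printf("query reveals destination: %s (qtype %u)\n", name, qtype);
    return 0;
}
```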

The ways to do it are:

  • Winsock LSP or any other network interception ability like TDI, WFP, NDIS.
  • Use an NSP (Winsock Name Space Provider; this is very rare).
  • Hooking, detours.

Each method has its advantages and disadvantages, and making the wrong choice can later mean starting all over; for example, what works perfectly on 32-bit may not work at all under 64-bit (or, even worse, cannot work on 64-bit), or it may not be compatible with all current OSes.

We at Komodia have an optional module for “Intercepting DNS queries LSP”, which works on Windows 2000 up to 7 and 2008, including all 64-bit flavors.

Barak

Winsock sample lsp

Microsoft has been giving out their Winsock LSP sample since 1995, when Winsock LSP was first used with Windows 95; up until 2005 or so the quality of their default sample was lacking, and much work was needed to make it work without any issues.

On our web site you can download the Winsock sample LSP, which is basically a repacked MS sample: we took the XP sample and put it inside a VS6 project, which makes it easier to learn Winsock LSP, but we didn’t include all the modifications from our own LSP, which is far ahead of the default sample in terms of features.

Barak

Windows socket hijack outgoing data port 80

When someone wants to write a program that “hijacks” a Windows socket, he needs to know which technology to use; there are a number of technologies, each with its advantages and disadvantages, and the programmer needs to make the correct choice, otherwise he will find himself in a world of problems down the road.

On the Winsock LSP page we talk a bit about NDIS, TDI and WFP, and when the new web site design is up we will also have a more detailed discussion of each technology.

Our flagship product, the one that lets you do “Windows socket hijack outgoing data port 80”, is of course Komodia’s Redirector.

Barak

Winsock lsp ssl trace

Winsock LSP and SSL is both a complex and a simple issue 🙂 Basically, the Winsock LSP sees the SSL session encrypted and can’t see the decrypted content of the session. It’s possible to decrypt SSL sessions, but that’s a topic for another post.

Winsock LSP can be used to trace SSL sessions to their root; you can easily get the following information about an SSL session by using an LSP:

  • Originating application.
  • Source address/port.
  • Destination address/port.
  • Certificate.

Barak