LSP hook is a term that refers to the way Winsock LSP intercepts traffic. This should not be confused with Winsock hook which is another way to perform network interception.
Barak
LSP hook
Leave a reply
Tag Archives: Winsock LSP
How to intercept data on Internet
How to intercept data on Internet? This can be done using number of technologies:
- Winsock LSP – Is good when you want to operate at user level and inspect streams and not packets.
- TDI – Soon to be phased out, it’s a driver like technology that can be used either in packet or stream level.
- NDIS – Kernel driver that inspects packets and has total control over the network.
- WFP – Microsoft new filterting platform, but until Windows XP is phased out, I forsee it will not gain momentum.
Barak
Network traffic monitor Windows
Network traffic monitor Windows can be done with various methods and technologies like: Winsock LSP, NDIS Passthru or NDIS IM, TDI Filter or TDI Driver, WFP and more.
Barak
Layered Service Provider
Layered Service Provider or its more known form is Winsock LSP is used to perform various packet interception/manipulation tasks. The main advantage of Winsock LSP is that it works on stream level and it’s implemented in user level.
Barak
On fly modify HTTP traffic
On fly modify HTTP traffic can be easily be done with Komodia’s Network Redirection SDK which uses Winsock LSP as the base for its operations. It also has many optional modules, one of the most popular is the SSL Decryption module.
Barak
What is LSP
What is LSP? LSP stand for Layered Service Provider and in a nutshell it’s a component that intercepts all Winsock API calls and allows the programmer to inspect the data and even modify it.
You can read about more LSP resources on Komodia’s web site.
Barak
NDIS Filter
NDIS Filter is used to perform packet filtering, modification and inspection, unlike other technologies like LSP and TDI which operate on streams.
NDIS Filter is actually a NDIS IM driver which receives packets (to send or receive), can perform processing on them and then send them to the next layer or drop them, that’s why NDIS IM drivers are used for: Firewalls, corporate firewalls, custom network solutions and more.
When stream operations is requires, NDIS IM is sometimes a bad choice because it imposes additional work to convert packets to streams, which can be avoided if using TDI or LSP.
Barak
Firewall application layer Winsock2
There are several ways to implement a firewall:
- Winsock LSPÂ – Can be used for an application layer firewall, but it’s mostly not used for various reasons.
- TDI Driver – Mostly used for personal firewalls, according to Microsoft it will be phased out in the next OS.
- Ndis IM – Mostly used for gateway firewalls.
- WFP – The new plaform Microsoft is promoting, in my opinion that until XP is retired this will not gain momentum.
Barak
API interception via DLL redirection
API interception via DLL redirection is a method that can be used to modify the default behaviour of an application that you don’t have the source code to.
Since this Blog is about network interception, I’ll address that point. It’s possible to intercept the Winsock API via DLL injection (also called detouring). This method has advantages and disadvantages (at Komodia we use Winsock LSP to do that), the main advantages of network DLL injection:
- Doesn’t require installation of any kind (unless you want to intercept services on Vista/7 which is another story)
- Easy to code
Disadvantages are:
- Need a detouring library, if you are going for a commercial project it will cost you, also for 64bit you only have Microsoft Detours and Komodia Detours (and that’s it)
- Will not work with all apps.
- Some apps are protected against detouring.
- Need special code for Vista/7 if you want to intercept services and normal apps from a single service.
Barak
Windows XP LSP sample
Each time a Platform SDK comes out for a specific OS it comes with a new LSP sample for the latest OS, the Windows XP one was the first decent sample, but then came Vista and the default installer for Vista isn’t the best one – and that’s an understatement.
Like mentioned before we packed the Windows XP LSP sample to be easily compiled, and as we always remind that the default samples will work perfect in the lab, but will fail miserably in real computers. We have a nice article just about why you should outsource your LSP development.
Barak