Tag Archives: Winsock LSP

How to intercept data on Internet

How to intercept data on Internet? This can be done using number of technologies:

  • Winsock LSP – Is good when you want to operate at user level and inspect streams and not packets.
  • TDI – Soon to be phased out, it’s a driver like technology that can be used either in packet or stream level.
  • NDIS – Kernel driver that inspects packets and has total control over the network.
  • WFP – Microsoft new filterting platform, but until Windows XP is phased out, I forsee it will not gain momentum.


NDIS Filter

NDIS Filter is used to perform packet filtering, modification and inspection, unlike other technologies like LSP and TDI which operate on streams.

NDIS Filter is actually a NDIS IM driver which receives packets (to send or receive), can perform processing on them and then send them to the next layer or drop them, that’s why NDIS IM drivers are used for: Firewalls, corporate firewalls, custom network solutions and more.

When stream operations is requires, NDIS IM is sometimes a bad choice because it imposes additional work to convert packets to streams, which can be avoided if using TDI or LSP.


Firewall application layer Winsock2

There are several ways to implement a firewall:

  • Winsock LSP – Can be used for an application layer firewall, but it’s mostly not used for various reasons.
  • TDI Driver – Mostly used for personal firewalls, according to Microsoft it will be phased out in the next OS.
  • Ndis IM – Mostly used for gateway firewalls.
  • WFP – The new plaform Microsoft is promoting, in my opinion that until XP is retired this will not gain momentum.


API interception via DLL redirection

API interception via DLL redirection is a method that can be used to modify the default behaviour of an application that you don’t have the source code to.

Since this Blog is about network interception, I’ll address that point. It’s possible to intercept the Winsock API via DLL injection (also called detouring). This method has advantages and disadvantages (at Komodia we use Winsock LSP to do that), the main advantages of network DLL injection:

  • Doesn’t require installation of any kind (unless you want to intercept services on Vista/7 which is another story)
  • Easy to code

Disadvantages are:

  • Need a detouring library, if you are going for a commercial project it will cost you, also for 64bit you only have Microsoft Detours and Komodia Detours (and that’s it)
  • Will not work with all apps.
  • Some apps are protected against detouring.
  • Need special code for Vista/7 if you want to intercept services and normal apps from a single service.


Windows XP LSP sample

Each time a Platform SDK comes out for a specific OS it comes with a new LSP sample for the latest OS, the Windows XP one was the first decent sample, but then came Vista and the default installer for Vista isn’t the best one – and that’s an understatement.

Like mentioned before we packed the Windows XP LSP sample to be easily compiled, and as we always remind that the default samples will work perfect in the lab, but will fail miserably in real computers. We have a nice article just about why you should outsource your LSP development.