Free Winsock LSP guide

Online Winsock LSP resources content index

What is Winsock LSP?

LSP stands for Layered Service Provider. In order to understand how it works, we must understand how the Windows network operates: the highest entry point of Windows network is Winsock, which is a user-level network API. 99% of network applications use Winsock to communicate over the network (an example of an application that does not use Winsock is NetBIOS, which is more of a protocol, but uses TDI-based communication). All Winsock API calls are redirected to ws2_32.dll, the Winsock API handling DLL. From there, all calls go to the kernel, which routes the network calls to the relevant communication interfaces via a technology called NDIS. Winsock LSP is a technology that allows us to inject our code between the user network calls and the Winsock API, thus allowing us to inspect, modify, or block those network calls. Another aspect of LSP is its ability to allow for additional namespace resolves. However, this is rarely used and will not be covered here.

How does Winsock LSP works?

Winsock LSP is a DLL that is loaded when a process uses Winsock API, the LSP is loaded inside the context of the process that loads the LSP. When a user calls “connect” (a Winsock function to connect a socket to a remote peer), the LSP intercepts that function and performs any number of tasks with the call. These need to be added to the LSP by the developer, and may include:

• Report request to another process.
• Pass request to next layer as is.
• Modify information in the request.
• Drop request altogether.

Basic outline of LSP architecture:

Network without LSP: User process -> Winsock2 -> Kernel

Network with LSP: User process -> LSP -> Winsock2 -> Kernel In the above outline, the user process is oblivious to the LSP.

Using LSP, real life examples of Winsock LSP usage

Among its many uses, LSP can be used for the following common tasks:

• Connection redirection – Redirecting a connection request to another address (Winsock HTTP redirection). For example: Internet Explorer asks to connect to our site, www.komodia.com. With the help of LSP the request can be altered to connect to another address, such as localhost or any arbitrarily chosen Internet address. This is mostly used to create email scanners, web anonymizers (redirecting the traffic to a 3rd party proxy server).
• Content inspection and modification. The LSP can process, inspect, and modify all data sent to the client before it reaches the client. Ideal for content inspection and filtering.
• HTTP Redirection – Used to block users from accessing certain web sites, mostly used inside A network filter.
• Winsock tracing. LSP can be used to trace Winsock calls and debug Winsock applications.
• Firewall. LSP can act as firewall (application and network level). This, however, is not recommended.
• Stream sniffer – Unlike normal sniffers that needs to perform statefull inspection to build the TCP stream, Winsock LSP sniffs at the stream level without any need to perform such rebuild. You can check out our free stream HTTP/HTTPS sniffer.

We at Komodia has developed LSP SDK (Komodia’s Redirector) which performs all of these and saves you precious develoment time.

When should a developer choose Winsock LSP over other technologies?

To answer this question we must first examine the two other technologies that can achieve similar results:

• TDI – a kernel mode driver based technology that can view a network either as a stream or as packets (depending on the developer). Has very little documentation. Used mostly for anti-virus network scanners and firewalls.
• NDIS – a kernel mode driver that sees only packets and can be seen as a protocol/service in the network properties. NDIS has two modes, listed below.
• Passthru – an NDIS-based service that intercepts all packets received/sent from/to a network interface, and has the ability to block/modify them.
• Protocol – an NDIS-based protocol that only inspects every packet received/sent from/to a network interface but cannot modify the traffic.
• Winsock hooking – Is a viable approach to mimic LSP functionality, the drawback (or advantage) is that you must use DLL injection to perform the hooking.
• WFP – Windows Filtering Platform, which is available from Vista and above with the intent to eventualy replace all existing filtering technologies.

When is it best to use Winsock LSP?

Winsock LSP is best used when the developer needs to manipulate stream level communication. As LSP operates at the user level, it receives all the TCP stream already assembled, unlike NDIS and some TDI implementations which receive packets that the programmer must assemble into a TCP stream. Modifying the stream at the packet level is an extremely complex task, but is easily accomplished with LSP.

When using Winsock LSP is not recommended?

Since Winsock LSP cannot operate at the packet level, all applications that will require packet level inspection are better off not using Winsock LSP. The best example is a firewall which uses either TDI or NDIS. Another pitfall of LSP is its lack of ability to intercept TDI-level communications made without using Winsock (although rare, such applications do exist, e.g. NetBIOS over TCP/IP client used by the OS.)

Winsock LSP sample, guide, source code, and articles

Before approaching LSP programming, it is best to have knowledge in Winsock network programming. Since LSP acts as a foundation for Winsock technology, this makes learning and understanding LSP easier.

Komodia offers the following free LSP downloads:

• Winsock LSP sample, and source code (based on Microsoft’s sample from its platform SDK).
• Winsock LSP sample source code formatted for the web with file information.
• Article: The differences between IFS and Non-IFS LSPs (Tip #1 that you get when downloading the guide talks more about this subject).
• Winsock LSP articles index.

Installing the Winsock LSP

The Winsock LSP sample comes with an LSP installer sample. This sample works well in development environments, but when deploying the LSP on real computers problems start to occur. From our experience, about half of the problems can be attributed to the default LSP installer sample! (there are many reasons but one of them is the way it reorders the winsock provider catalog) There are two ways to solve this: one is to write 10,000 lines of code to fix all of the issues not covered by the default installer. The other is to use Komodia’s Advanced LSP Installer. We have written those 10,000 lines of code for you, in a product used successfully in retail products for installing/uninstalling LSPs.

Known Winsock LSP issues in Windows 2003

In Windows 2003, Winsock LSP is known to destroy IPSec and thus break the functionality of the LDAP and Exchange server. This problem occurs when using the default sample. Komodia has created a solution to this problem, which we integrate into our LSP SDK.

Known Winsock LSP issues in Windows VISTA

In Windows VISTA, Winsock LSP which only supports IPv4 will not receive WSPSelect command when installed on a TCP/IP6 enabled machine, in order to receive WSPSelect on such machines the LSP must support both version 4 and 6 of the TCP/IP protocol and layer over both version 4 and 6 of the TCP/IP base providers, more information can be found here (Tip #4 that you get when downloading the guide talks more about this subject).

Known Winsock LSP issues in Windows 7

In Windows 7, the issue that Vista had but not often encountered is now causing many problems, if you create a Winsock LSP that must intercept WSPSelect you are in trouble (reminder, more info at Tip #4 on the matter), further more the categories mechanism that was introduced with Windows Vista but wasn’t enforced is now strictly enforced, causing problems if you want to intercept system services, more information can be found here (Tip #5 that you get when downloading the guide talks more about this subject).

Winsock LSP on 64 bit platforms

When working under a 64 bit platform (such as XP, Vista and Windows 2008) you have two kind of running applications, 32-bit and 64-bit, each loads a DLL that is compatable with the application, so a 32-bit application loads a 32-bit LSP and a 64-bit application loads a 64-bit LSP.
The OS maintains two kind of catalogs one for 32-bit and one for 64-bit, which means that if you want to support 64-bit platform you must install both 32-bit and 64-bit versions of your LSP on that OS (using two installers, again one for 32-bit and one for 64-bit) (Tip #2 that you get when downloading the guide talks more about this subject).

Winsock LSP and SSL, filtering and decrypting SSL

A question we commonly encounter is how to filter SSL data, and/or decrypt its content with LSP, the bad news is you can’t, LSP can view the SSL stream encrypted and unless you posses the RSA key to decrypt it and a code that is designed to perform such decryption, the only thing you can do is block SSL connection based on their destination IP which is visible. The good news is that we have developed a component that can perform SSL decryption and modification.

How can you help me?

Komodia has implemented over a dozen LSP projects and our customers’ complete satisfaction. Contact us to develop your next LSP project.

How to outsource LSP projects?

Read our guide on finding and outsourcing LSP projects.

LSP support on Windows 8

According to a recent decision by Microsoft, LSPs can’t intercept Metro apps because (according to them): It affected customer experience, mostly with malware and adware, and it’s an easy way to bypass the Metro sandbox.

The solution is to use WFP instead of LSP for Windows8.