A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #31107  by Victor43
 Sun Dec 10, 2017 12:51 am
In kernel mode, where can I intercept TCP data sent to the browser and modify the data based on a set of rules? I need to be able to see everything, that is, all TCP traffic at the highest layer (application) possible. How can this be done? Since this is a security product I don't want to miss any traffic.
 #31110  by Vrtule
 Sun Dec 10, 2017 11:51 am
It should be possible to achieve this via Windows Filtering Platform. When the communication begins, you receive a callout at the connect/recv_accept layers that also tells you the application information (whether it is a browser or not). Then, you can use the tuple of (source_ip, source_port, dest_ip, dest_port, protocol) to identify (and possibly modify) packets at the inbound and outbound transport layers (where the information about the sending/receiving application is not directly available).
 #31112  by Vrtule
 Sun Dec 10, 2017 10:19 pm
For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+) but it is deprecated there so it is best not to rely on it.
 #31115  by Victor43
 Mon Dec 11, 2017 9:41 pm
Vrtule wrote:For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+) but it is deprecated there so it is best not to rely on it.
Thank you again. Would an NDIS intermediate miniport driver be a possibility for XP?
 #31118  by Vrtule
 Tue Dec 12, 2017 12:36 pm
Yes (version < 6), but it is placed too low to see what application is sending/receiving the data. Also (but I am not sure of that), it may be too low to see through IPSec.
 #31162  by Victor43
 Sat Dec 30, 2017 4:32 am
The comments within the inspect.c file (see the TLInspectALEConnectClassify function) contain the following statements, as seen below:

Can anyone tell me what re-auth is in the inspect MSDN sample? What is the meaning of this terminology?

// The classify is the re-authorization for an existing connection, it
// could have been triggered for one of the three cases --
//
// 1) The re-auth is triggered by a FwpsCompleteOperation call to
// complete a ALE_AUTH_CONNECT classify pended earlier.
// 2) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_CONNECT layer.
// 3) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_CONNECT layer.
//
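Vrtule's approach in #31110 (learn the application at the ALE connect/recv_accept layer, then correlate transport-layer packets by their 5-tuple) and the re-auth comments quoted in #31162 both rest on the same flow-table logic. The C below is an added example, not code from this thread or from the WFP inspect sample: it models that table in plain user-mode C so it compiles anywhere, with hypothetical names (flow_register, flow_should_inspect) and a constructed fixed-size table; in a real callout driver the classifyFn at each layer would call these.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_FLOWS 64                          /* constructed limit for the example */

typedef struct {                              /* 5-tuple in local/remote form: one key for both directions */
    uint32_t local_ip, remote_ip;             /* IPv4, host byte order */
    uint16_t local_port, remote_port;
    uint8_t  protocol;                        /* 6 = TCP */
} flow_key_t;
typedef struct {
    flow_key_t key;
    char app[32];                             /* image name learned at the ALE layer */
    int  inspect, in_use;                     /* inspect: rule decision, 1 = inspect/modify payload */
} flow_entry_t;
static flow_entry_t g_flows[MAX_FLOWS];       /* hypothetical table; a driver would use a hash table + lock */

static int key_equal(const flow_key_t *a, const flow_key_t *b) {
    return a->local_ip == b->local_ip && a->remote_ip == b->remote_ip &&
           a->local_port == b->local_port && a->remote_port == b->remote_port &&
           a->protocol == b->protocol;
}
static int flow_find(const flow_key_t *k) {
    for (int i = 0; i < MAX_FLOWS; i++)
        if (g_flows[i].in_use && key_equal(&g_flows[i].key, k)) return i;
    return -1;
}

/* ALE connect / recv_accept classify: app identity is available here. A re-auth
 * classifies the same tuple again, so update in place rather than add a duplicate.
 * Returns 0 = new flow, 1 = re-auth update, -1 = table full. */
int flow_register(const flow_key_t *k, const char *app, int inspect) {
    int i = flow_find(k), reauth = (i >= 0);
    if (!reauth) {
        for (i = 0; i < MAX_FLOWS && g_flows[i].in_use; i++) {}
        if (i == MAX_FLOWS) return -1;        /* a security product should log this and fail closed */
        g_flows[i].key = *k; g_flows[i].in_use = 1;
    }
    snprintf(g_flows[i].app, sizeof g_flows[i].app, "%s", app);
    g_flows[i].inspect = inspect;
    return reauth;
}

/* Transport-layer classify: only packet headers, no app. For inbound packets the IP
 * source is the remote peer, so swap into local/remote form before the lookup.
 * Returns the rule decision, or -1 for a flow never seen at the ALE layer. */
int flow_should_inspect(uint32_t src_ip, uint16_t src_port, uint32_t dst_ip,
                        uint16_t dst_port, uint8_t protocol, int inbound) {
    flow_key_t k = { inbound ? dst_ip : src_ip, inbound ? src_ip : dst_ip,
                     inbound ? dst_port : src_port, inbound ? src_port : dst_port, protocol };
    int i = flow_find(&k);
    return i < 0 ? -1 : g_flows[i].inspect;
}
```

A -1 from flow_should_inspect is the "missed traffic" case the original poster worries about: a transport-layer packet whose connection the ALE layer never classified (for example a connection that predates driver load), which a product should count and alert on rather than silently pass.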