 

Making a program that intercepts network traffic in Windows

Sort of what I'm asking is "how to make a software firewall for Windows," but something not so complex. I'm surprised I can find so little when searching for this, only the occasional mention of hooks. So it'd be much appreciated if someone could point me in the right direction.

I expect to do this with C (though if there's another language you think would work better, I'm all ears). I want to make an application that watches network traffic, can extract the IP address (source for incoming, destination for outgoing), and can block said network activity.

This seems like something that would be much easier to do in the kernel, but I don't want to be mucking around in there, nor do I even have access to do that in Windows anyway. I'm not worried about efficiency, nor am I looking to make a personal firewall. This is just for an experiment regarding IP addresses.

Any pointers?

Note: it's important that I be able to block certain network activity too, not just monitor it.

cost asked Apr 15 '11 22:04


2 Answers

The DIY way would be going into kernel mode, using filter-hook drivers (for Windows 2000 to XP) or WFP callout drivers.

If you want to let others do the dirty work in kernel mode, the WinPcap driver/library sports lots of low-level network features, including the ones you need, that you can use from user mode (note that with WinPcap you can't drop packets).

Matteo Italia answered Sep 28 '22 09:09
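The part of the question that a user-mode capture library like WinPcap can actually do is the monitoring half: every captured frame arrives as a raw byte buffer, and extracting the peer address is a matter of parsing the Ethernet and IPv4 headers. The following is an added example, not code from the question or either answer: it parses a raw Ethernet/IPv4 frame of the kind a capture callback hands you, picks the source address for inbound frames and the destination for outbound ones (as the question asks), and checks it against a constructed block list. The frame bytes, the `classify`/`parse_ipv4_frame` names and the 203.0.113.0/24 block entry are all assumptions made for this example. It only produces a verdict; as the answer notes, WinPcap cannot drop packets, so enforcement has to go through a separate mechanism such as a WFP filter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original page): parse a raw Ethernet/IPv4
 * frame as a WinPcap-style capture callback would deliver it, pull out the
 * source and destination addresses, and decide whether the flow should be
 * blocked based on a small block list. Enforcement is deliberately absent:
 * WinPcap only observes, so the verdict must be handed to something that
 * can actually block (for example a WFP filter). */

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800

enum verdict { VERDICT_ALLOW = 0, VERDICT_BLOCK = 1, VERDICT_NOT_IPV4 = 2 };

struct ipv4_addrs {
    uint32_t src;    /* host byte order */
    uint32_t dst;    /* host byte order */
    uint8_t  proto;  /* IP protocol number (6 = TCP, 17 = UDP, ...) */
};

/* Hypothetical block-list entry in CIDR form; constructed for this example. */
struct cidr { uint32_t net; uint32_t mask; };

static uint32_t ipv4_from_octets(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static struct cidr make_cidr(uint8_t a, uint8_t b, uint8_t c, uint8_t d, int prefix) {
    struct cidr r;
    /* Guard the prefix == 0 case: shifting a 32-bit value by 32 is undefined. */
    r.mask = (prefix <= 0) ? 0u : (0xFFFFFFFFu << (32 - prefix));
    r.net  = ipv4_from_octets(a, b, c, d) & r.mask;
    return r;
}

/* Returns 0 on success, -1 if the frame is too short or is not IPv4.
 * Every offset is bounds-checked against len, so a truncated capture
 * (pcap's caplen can be shorter than the wire length) cannot read past
 * the end of the buffer. */
int parse_ipv4_frame(const uint8_t *frame, size_t len, struct ipv4_addrs *out) {
    if (len < ETH_HDR_LEN + 20) return -1;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4) return -1;

    const uint8_t *ip = frame + ETH_HDR_LEN;
    if ((ip[0] >> 4) != 4) return -1;              /* version nibble must be 4 */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;       /* header length in bytes  */
    if (ihl < 20 || len < ETH_HDR_LEN + ihl) return -1;

    out->proto = ip[9];
    out->src = ipv4_from_octets(ip[12], ip[13], ip[14], ip[15]);
    out->dst = ipv4_from_octets(ip[16], ip[17], ip[18], ip[19]);
    return 0;
}

/* Direction matters: for inbound frames the remote peer is the source,
 * for outbound frames it is the destination. */
enum verdict classify(const uint8_t *frame, size_t len, int inbound,
                      const struct cidr *blocklist, size_t n) {
    struct ipv4_addrs a;
    if (parse_ipv4_frame(frame, len, &a) != 0) return VERDICT_NOT_IPV4;
    uint32_t peer = inbound ? a.src : a.dst;
    for (size_t i = 0; i < n; i++)
        if ((peer & blocklist[i].mask) == blocklist[i].net) return VERDICT_BLOCK;
    return VERDICT_ALLOW;
}

/* Constructed sample frame: Ethernet header followed by a minimal 20-byte
 * IPv4 header, 10.1.2.3 -> 203.0.113.7, protocol TCP, no payload. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xAA,0xBB,  0x08,0x00,
    0x45,0x00,0x00,0x14,  0x00,0x01,0x00,0x00,  0x40,0x06,0x00,0x00,
    10,1,2,3,  203,0,113,7
};

/* Classify the sample frame against a one-entry block list (203.0.113.0/24). */
enum verdict demo_verdict(int inbound) {
    struct cidr blocklist[1];
    blocklist[0] = make_cidr(203, 0, 113, 0, 24);
    return classify(sample_frame, sizeof sample_frame, inbound, blocklist, 1);
}

int main(void) {
    struct ipv4_addrs a;
    if (parse_ipv4_frame(sample_frame, sizeof sample_frame, &a) == 0)
        printf("src=%08x dst=%08x proto=%u\n", a.src, a.dst, a.proto);
    printf("outbound verdict: %d (1 = block)\n", demo_verdict(0));
    printf("inbound verdict:  %d (0 = allow)\n", demo_verdict(1));
    return 0;
}
```

In a real capture loop the buffer and length would come from `pcap_next_ex` (or the callback passed to `pcap_loop`), and the verdict would drive whatever blocking mechanism you choose; keeping the parser separate from the capture code is also what makes it testable without a network interface.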


It sounds like what you're looking for is a Winsock Service Provider Interface (SPI) Layered Service Provider (LSP). From what you've said, if you're dealing with Vista or newer, you probably want to implement an instance of the LSP_INSPECTOR class. For older versions of Windows, that class doesn't apply exactly, but the same general idea does. On Vista/7, you set the category (class) for your application with WSCSetApplicationCategory. To install your provider, you fill out a WSAPROTOCOL_INFO structure, then register it by calling WSCInstallProvider.

Jerry Coffin answered Sep 28 '22 10:09