
Windows network packet modification

I'm looking to write a small program which will intercept network packets (on the local machine) and modify them before they go out on the network. I need to be able to modify the headers as well, not just the data.

I've already looked through several possibilities but am unsure which one is best to pursue. There are open source packet filters out there, but filtering only seems to be able to either allow or reject packets, not much else.

The other solution would be to write an NDIS intermediate driver, but writing drivers is beyond me. Even the simple pass-thru example in the WinDDK is thousands of lines. I'm also not looking forward to having to constantly reinstall a driver and reboot to test my code.

I'd ideally like the program to be self-contained, and not rely on the installation of 3rd-party drivers/software/whatever.

So if you people could point me in the right direction, throw some helpful links my way, whatever, I'd appreciate it.

jay.lee asked Dec 22 '22 06:12



2 Answers

Depends on what kind of packets you want to filter/modify.

If you're after application-level filtering, and want to get your hands on HTTP or similar packets, your best bet would probably be an LSP. Note however, following this path has certain disadvantages. First, MS seems to be trying to get rid of this technology, and IIRC a part of Windows 7 logo requirements is "no LSP in your product"; they seem to be promoting the Windows Filtering Platform. Second, you'd be very surprised with how much trouble you're getting into in terms of 3rd-party LSP compatibility. Third, a very dummy LSP is still around 2 KLOC :)

If you're after IP-level packet filtering, you'd need to go for a driver.

Windows Filtering Platform provides you with the functionality needed in either case. However, it's only available on Windows Vista and later products, so no XP there. Another thing to take into consideration: WFP was only capable of allowing/rejecting packets in user-land, and if you need to modify them, you'd need to go kernel-mode. (At least that was the situation at the time it appeared; maybe they've improved something by now.)

Dmitry answered Jan 03 '23 18:01

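Whichever of the routes above you end up in (a WFP kernel-mode callout or an NDIS intermediate driver), rewriting an IPv4 header also means recomputing its header checksum, or the next hop silently drops the packet. The following is an added example, not code from either answer nor from WFP or NDIS: it parses a constructed 20-byte IPv4 header, applies the RFC 791 one's-complement checksum, and shows that a destination rewrite fails verification until the checksum is fixed up (a driver on a NIC with checksum offload has to account for that separately).

```c
#include <stdint.h>
#include <string.h>
/* Constructed sample: 20-byte IPv4 header, proto TCP, 10.0.0.1 -> 10.0.0.2,
 * total length 40, with its correct header checksum (0x26CD) filled in. */
static const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06,
    0x26, 0xCD, 0x0A, 0x00, 0x00, 0x01, 0x0A, 0x00, 0x00, 0x02 };

/* RFC 791 one's-complement checksum over hdr_len bytes; 0 when a stored checksum verifies. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t hdr_len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)                          /* fold carries back in */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
/* 1 if the bytes look like an IPv4 header and the stored checksum matches, else 0. */
int ipv4_header_valid(const uint8_t *hdr)
{
    size_t ihl = (size_t)(hdr[0] & 0x0F) * 4;  /* IHL is in 32-bit words */
    return (hdr[0] >> 4) == 4 && ihl >= 20 && ipv4_checksum(hdr, ihl) == 0;
}

/* Recompute the checksum after any header field changed; returns the new value. */
uint16_t ipv4_fix_checksum(uint8_t *hdr)
{
    size_t ihl = (size_t)(hdr[0] & 0x0F) * 4;
    if ((hdr[0] >> 4) != 4 || ihl < 20) return 0;
    hdr[10] = hdr[11] = 0;                     /* field counts as zero while summing */
    uint16_t c = ipv4_checksum(hdr, ihl);
    hdr[10] = (uint8_t)(c >> 8); hdr[11] = (uint8_t)(c & 0xFF);
    return c;
}

/* Bitmask: 1 = sample verifies, 2 = dst rewrite with stale checksum fails, 4 = verifies after fix-up. */
int demo_rewrite(void)
{
    static const uint8_t new_dst[4] = { 192, 168, 1, 1 };
    uint8_t h[20], r = 0;
    memcpy(h, SAMPLE_HDR, sizeof h);
    if (ipv4_header_valid(h)) r |= 1;
    memcpy(h + 16, new_dst, 4);                /* destination address is bytes 16..19 */
    if (!ipv4_header_valid(h)) r |= 2;         /* stale checksum: a receiver would drop this */
    ipv4_fix_checksum(h);
    if (ipv4_header_valid(h)) r |= 4;
    return r;
}
```

`demo_rewrite()` returns 7 when all three steps behave as described.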


IMHO, if you want to modify packets you'll need something to talk to the hardware, a driver of some kind. If you do not want to use your own, you should get a 3rd-party driver to interoperate with.

For filtering there are libraries like winpcap or libpcap.

Also have a look here: http://www.ntkernel.com/w&p.php?id=7

Another link: http://bittwist.sourceforge.net/

Hope this helps!

Tony The Lion answered Jan 03 '23 20:01
