Question about DNS proxy

liangdodo Member Posts: 15

Hello everyone:
I want to redirect the traffic of curl.exe to my proxy process, proxy.exe, through a WFP driver. Along the way I encountered a problem: WFP cannot intercept the DNS packets of curl.exe. Later I found out that curl.exe's DNS packets are actually sent on its behalf by a system process called svchost.exe, so my WFP driver can only intercept the packets sent by svchost.exe.

Later, I also tried to use the WFP driver to intercept the DNS request sent by svchost.exe and proxy it out through my proxy.exe, but it didn't seem to have any effect.

Pic: https://drive.google.com/file/d/1x1Lrn27fI_8hUBZ9_487hiEUxlG-05hR/view?usp=sharing

Later, I tried to use the WFP driver to intercept the DNS requests sent by nslookup.exe and proxy them out through my proxy.exe, and this was successful.

Pic: https://drive.google.com/file/d/1x1Lrn27fI_8hUBZ9_487hiEUxlG-05hR/view?usp=sharing

So my question is: my WFP program can successfully obtain correct domain name resolution by intercepting nslookup.exe and proxying through proxy.exe, but it cannot obtain correct domain name resolution by intercepting svchost.exe and proxying through proxy.exe. Why?

Comments

  • MBond2 Member Posts: 477

    This is probably expected behaviour. IIRC nslookup creates DNS UDP packets in UM and sends them out onto the network directly. This sort of traffic is exactly what WFP is designed to handle.

    But curl.exe probably uses getaddrinfo, GetNameInfo or other Winsock functions to resolve the hostname into an IP address. This will not produce UDP traffic directly, but instead relies on the DNS resolver. The DNS resolver returns most of its answers from cached data, but for domains that are not yet known it will send out UDP DNS queries. These queries can't be directly attributed to a single UM process like curl.exe, as you have discovered. These queries are also vital for proper system function and are likely protected from tampering as much as possible. DNS is vital to find things like domain controllers, network time, etc., and DNS poisoning is a well-known attack.

  • liangdodo Member Posts: 15

    @MBond2
    Thank you very much!
    I now use WFP to redirect any packet whose target port is 53 to my proxy process, but this also seems to be a problem: svchost.exe seems to verify as well, and as soon as it finds that the DNS target IP differs from the original IP, the lookup fails. Is there any good solution for this?
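The two posts above describe the same thing from two sides: MBond2 notes that resolver traffic is protected against tampering because DNS poisoning is a well-known attack, and the last post observes that a reply arriving from an address other than the one the query went to is rejected. The following is an added example, not code from the thread or from either poster, that models the checks a stub resolver applies before accepting a reply (the source-address, transaction-ID, QR-bit and question-echo matching recommended by RFC 5452). Whether the Windows DNS Client implements exactly these checks is an assumption here; the thread only reports the observable behaviour. All packets and addresses are constructed inline (192.0.2.0/24 is the documentation range), so it runs offline.

```python
"""Model of a stub resolver's reply-acceptance checks (added example, not from the thread)."""
import struct

DNS_PORT = 53


def build_query(txid, name, qtype=1):
    """Build a minimal DNS query: header with RD=1 and one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_header(pkt):
    """Decode the 12-byte DNS header into the fields the checks need."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}


def question_section(pkt):
    """Return the raw question section (QNAME + QTYPE + QCLASS) of a one-question message."""
    i = 12
    while pkt[i] != 0:          # walk the length-prefixed labels
        i += pkt[i] + 1
    i += 1                      # terminating zero-length label
    return pkt[12:i + 4]


def validate_response(query, sent_to, response, received_from):
    """Return (accepted, reason) for a reply to `query` that was sent to `sent_to`.

    The source-address check comes first: a reply from any other address/port is
    dropped before its payload is even looked at, which is the behaviour the last
    post reports when the redirected reply does not come back from the original IP.
    """
    if received_from != sent_to:
        return False, "source address/port does not match the server the query was sent to"
    if len(response) < 12:
        return False, "truncated header"
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if r["qr"] != 1:
        return False, "QR bit not set (not a response)"
    if r["qdcount"] != 1 or question_section(response) != question_section(query):
        return False, "question section does not echo the query"
    return True, "accepted"


def build_answer(query, ipv4):
    """Constructed reply: same ID, QR=1 RD=1 RA=1, echoed question, one A record (TTL 60)."""
    txid = parse_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = (b"\xc0\x0c"                                  # name: pointer to offset 12
          + struct.pack("!HHIH", 1, 1, 60, 4)          # TYPE A, CLASS IN, TTL, RDLENGTH
          + bytes(int(o) for o in ipv4.split(".")))    # RDATA
    return header + question_section(query) + rr


def first_a_record(response):
    """Return the dotted IPv4 of the first answer RR if it is an A record, else None."""
    i = 12 + len(question_section(response))
    if response[i] & 0xC0 == 0xC0:  # compressed name: 2-byte pointer
        i += 2
    else:
        while response[i] != 0:
            i += response[i] + 1
        i += 1
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[i:i + 10])
    i += 10
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in response[i:i + 4])
    return None


def demo():
    """Run the checks against constructed traffic and return the outcomes."""
    server = ("192.0.2.53", DNS_PORT)   # the resolver's configured DNS server (constructed)
    proxy = ("127.0.0.1", 5353)         # a local proxy answering from its own address (constructed)
    query = build_query(0x1234, "example.com")
    reply = build_answer(query, "192.0.2.10")
    forged = build_answer(build_query(0x9999, "example.com"), "192.0.2.10")
    return {
        "from_server": validate_response(query, server, reply, server),
        "from_proxy": validate_response(query, server, reply, proxy),
        "wrong_id": validate_response(query, server, forged, server),
        "answer": first_a_record(reply),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point for the thread: the same byte-identical reply is accepted when it comes back from the address the query went to and rejected when it comes from the proxy's address, so a port-53 redirect that does not also make the reply appear to originate from the original server address will fail the first check regardless of how correct the answer is.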
