WFP tcp inject data

I want to inject data into a TCP stream.

In the WDK WFPSample, it demonstrates how a driver injects data into a TCP stream while the filter engine calls the callout function, but I hope to inject data at any time.

That is, my driver should inject data into the TCP stream proactively at any time, even if the filter engine does not call the callout function.

How can I do this?

Is there a use for this other than malware?

Sent from Mail for Windows 10

________________________________
From: weilin_jiang
Sent: Wednesday, October 10, 2018 4:46:53 AM
To: MBond
Subject: [NTDEV] WFP tcp inject data


Is there a use for this other than malware?

Remote host emulation by a user process running on the same machine is the very first, but definitely not the only, example that gets into my head. Implementing a network tap or a virtual switch may be another one. In fact, I don’t see anything even remotely malicious about the OP’s question. If the OP was asking about making his software unkillable/unremovable/undetectable by the Admins, I would be the first one to give him a hard time. However, what he is asking about seems (at least to me) to be a perfectly legitimate thing.

Concerning the OP’s actual question, I would rather do the whole thing at the level of NDIS library, rather than WFP one - NDIS LWF seems (at least to me) to be the right way to go here…

Anton Bassov

You don

WFP can do this better :slight_smile: It does have the facilities to do that, IIRC. NDIS is more invasive.

For the malicious use, main thing is the signature trust. If someone can steal a signature all bets are off.

People in the security industry do this quite often. An example use is to hold a connection (before a timeout occurs), verify, and later insert into the stream…

-Pro

@Prokash_Sinha-2 said:
WFP can do this better :slight_smile: It does have the facilities to do that, IIRC. NDIS is more invasive.

For the malicious use, main thing is the signature trust. If someone can steal a signature all bets are off.

People in the security industry do this quite often. An example use is to hold a connection (before a timeout occurs), verify, and later insert into the stream…

-Pro

Does it require the Filter Engine to call the callout function first?

@anton_bassov said:

Is there a use for this other than malware?

Remote host emulation by a user process running on the same machine is the very first, but definitely not the only, example that gets into my head. Implementing a network tap or a virtual switch may be another one. In fact, I don’t see anything even remotely malicious about the OP’s question. If the OP was asking about making his software unkillable/unremovable/undetectable by the Admins, I would be the first one to give him a hard time. However, what he is asking about seems (at least to me) to be a perfectly legitimate thing.

Concerning the OP’s actual question, I would rather do the whole thing at the level of NDIS library, rather than WFP one - NDIS LWF seems (at least to me) to be the right way to go here…

Anton Bassov

Thanks, anton_bassov!

@MBond said:
You don

Hi MBond, this is not malware.

@weilin_jiang said:

Does it require Filter Engine call callout function firstly ?

Yes, it does. If you have never used it, read the docs and use the monitor example from the DDK samples…

-Pro

Well, I’m glad to know that you say so. I am unconvinced that there are any legitimate uses for injecting arbitrary data into a TCP stream owned by another application.

Sent from Mail for Windows 10

________________________________
From: weilin_jiang
Sent: Friday, October 12, 2018 4:12:03 AM
To: MBond
Subject: Re: [NTDEV] WFP tcp inject data


Marion,

I am unconvinced that there are any legitimate uses for injecting arbitrary data into a TCP stream owned by another application.

You should realise that ABSOLUTELY ANY activity that somehow modifies (or even passively monitors) data that is owned by other applications may be potentially construed as a malicious one. Therefore, your argument may be applied to any PF, firewall or FS filter in existence.

On my books, the only types of activity that allow one to classify a piece of a software as an undoubtedly malicious one are:

  1. Hiding. Any piece of software that attempts to avoid the detection by hiding its files, registry entries, processes or modules is definitely a malicious one
  2. Perseverance. Any software that tries to resist termination or removal attempts by the Admin user is, again, most certainly a malicious one

However, the OP does not seem to be asking us how to avoid the detection, termination or removal, does he…

Therefore, as I have said already, given the information that we have at this moment, I cannot see ABSOLUTELY anything malicious about his “endeavours” in so far…

Anton Bassov

Anton, there is a lot of legit software that tries to hide its existence too :smile: It goes by the name of hardening. It’s more like a flu shot. It’s a flu virus (antidote). Most any platform I know about does have these for obvious reasons (perf being one, debugging a stack being another one, and finally helping ISVs add value). There are many ways a virus or malicious software could be crafted, but I doubt someone would come here to learn how to do that!!!
-Pro

Pro,

Anton, there is a lot of legit software that tries to hide its existence too

Well, assuming that it is you who owns the machine, any software that is not a part of the OS (i.e. any third-party one) just cannot have any legitimate right either to hide from you or to resist your termination/removal requests, by the very definition, don’t you think…

perf being one, debugging a stack being another one,

If you don’t mind, could you please explain to me how a debugger, let alone a performance analysis framework (a KM part of which, BTW, happens to be a part of the official kernel tree), tries to hide itself from the machine owner…

Anton Bassov

Anton,
I’m sorry, it would go into trolling mode…
So I will stop after this note…
I’m not a legal person, but I just told you the reality that those techniques have been used for ages…
Way back when TCP/IP was being implemented on platforms, there were two big questions to be answered: (1) How to debug the stack (2) How can I just debug the interface hardware. One gave tcpdump, then the incarnation of BF (Berkeley filtering); (2) gave SOCK_RAW. For external perf measurement those callout points are used to capture so-called latencies…

-Pro

Pro,

I’m sorry, it would go into trolling mode…

Well, taking into consideration the “scary” functionality of this hosting platform it would be pretty unwise for us to provoke “The Hanging Judge’s” wrath, don’t you think (although I still have my “lucky coin” that I haven’t yet used up in so far)…

I’m not a legal person, but I just told you the reality that those techniques have been used for ages…
Way back when TCP/IP was being implemented on platforms, there were two big questions to be answered: (1) How to debug the stack (2) How can I just debug the interface hardware. One gave tcpdump, then the incarnation of BF (Berkeley filtering); (2) gave SOCK_RAW. For external perf measurement those callout points are used to capture so-called latencies…

Are you sure you are arguing with me and not with Marion? Look - everything mentioned above relies upon capturing and monitoring apps’ data, i.e. the technique(s) that Marion for some reason finds dubious and I consider perfectly legitimate per se (although they may be, indeed, quite useful for malware writers). They have ABSOLUTELY nothing to do with hiding from Admins, which is generally associated only with the term “rootkit”. In fact, this very term owes its name to the theoretical possibility of certain admin tools getting out of the root user’s control and doing something that he is blissfully unaware of…

Anton Bassov

The above comment is very profound, and I am a noob in Windows drivers. :smiley: It seems that there is no way to inject TCP data into the stream when the Filter Engine does not call the callout function.

WFP has all the bells & whistles to do just that. But it’s a fairly big framework to sit back and learn.
-Pro

@Prokash_Sinha-2 said:
WFP has all the bells & whistles to do just that. But it’s a fairly big framework to sit back and learn.
-Pro

:wink: Thanks, Sinha