In the WDK WFPSample, it demonstrates how the driver injects data into the TCP stream while the filter engine calls the callout function, but I hope to inject data at any time.
That is, my driver should inject data into the TCP stream proactively at any time, even if the Filter Engine does not call the callout function.
Remote host emulation by a user process running on the same machine is the very first, but definitely not the only, example that gets into my head. Implementing a network tap or a virtual switch may be another one. In fact, I don’t see anything even remotely malicious about the OP’s question. If the OP was asking about making his software unkillable/unremovable/undetectable by the Admins, I would be the first one to give him a hard time. However, what he is asking about seems (at least to me) to be a perfectly legitimate thing.
Concerning the OP’s actual question, I would rather do the whole thing at the level of NDIS library, rather than WFP one - NDIS LWF seems (at least to me) to be the right way to go here…
WFP can do this better. It does have the facilities to do that, IIRC. NDIS is more invasive.
For malicious use, the main thing is the signature trust. If someone can steal a signature, all bets are off.
People in the security industry do this quite often. An example use is to hold a connection (before a timeout occurs), verify, and later insert into the stream…
@Prokash_Sinha-2 said:
WFP can do this better. It does have the facilities to do that, IIRC. NDIS is more invasive.
For malicious use, the main thing is the signature trust. If someone can steal a signature, all bets are off.
People in the security industry do this quite often. An example use is to hold a connection (before a timeout occurs), verify, and later insert into the stream…
-Pro
Does it require the Filter Engine to call the callout function first?
Well, I’m glad to know that you say so. I am unconvinced that there are any legitimate uses for injecting arbitrary data into a TCP stream owned by another application
I am unconvinced that there are any legitimate uses for injecting arbitrary data into a TCP stream owned by another application
You should realise that ABSOLUTELY ANY activity that somehow modifies (or even passively monitors) data owned by other applications may potentially be construed as malicious. Therefore, your argument may be applied to any PF, firewall or FS filter in existence.
In my book, the only types of activity that allow one to classify a piece of software as undoubtedly malicious are:
Hiding. Any piece of software that attempts to avoid detection by hiding its files, registry entries, processes or modules is definitely malicious
Perseverance. Any software that tries to resist termination or removal attempts by the Admin user is, again, most certainly malicious
However, the OP does not seem to be asking us how to avoid detection, termination or removal, does he…
Therefore, as I have said already, given the information that we have at this moment, I cannot see ABSOLUTELY anything malicious about his “endeavours” so far…
Anton, there is a lot of legitimate software that tries to hide its existence too. It goes by the name of hardening. It’s more like a flu shot. It’s a flu virus (antidote). Most any platform I know about has these for obvious reasons (perf being one, debugging a stack being another, and finally helping ISVs add value). There are many ways a virus or malicious software could be crafted, but I doubt someone would come here to learn how to do that!!!
-Pro
Anton, there is a lot of legitimate software that tries to hide its existence too
Well, assuming that it is you who owns the machine, any software that is not a part of the OS (i.e. any third-party one) just cannot have any legitimate right either to hide from you or to resist your termination/removal requests, by the very definition, don’t you think…
perf being one, debugging a stack being another,
If you don’t mind, could you please explain to me how a debugger, let alone a performance analysis framework (a KM part of which, BTW, happens to be a part of the official kernel tree), tries to hide itself from the machine owner…
Anton,
I’m sorry, this would go into trolling mode…
So I will stop after this note…
I’m not a legal person, but I just told you the reality that those techniques have been used for ages…
Way back when TCP/IP was being implemented on platforms, there were two big questions to be answered: (1) How to debug the stack; (2) How can I just debug the interface hardware. One gave tcpdump, then the incarnation of BF (Berkeley filtering); (2) gave SOCK_RAW. For external perf measurement, those callout points are used to capture so-called latencies…
Well, taking into consideration the “scary” functionality of this hosting platform, it would be pretty unwise for us to provoke “The Hanging Judge’s” wrath, don’t you think (although I still have my “lucky coin” that I haven’t yet used up so far)…
I’m not a legal person, but I just told you the reality that those techniques have been used for ages…
Way back when TCP/IP was being implemented on platforms, there were two big questions to be answered: (1) How to debug the stack; (2) How can I just debug the interface hardware. One gave tcpdump, then the incarnation of BF (Berkeley filtering); (2) gave SOCK_RAW. For external perf measurement, those callout points are used to capture so-called latencies…
Are you sure you are arguing with me and not with Marion? Look - everything mentioned above relies upon capturing and monitoring apps’ data, i.e. the technique(s) that Marion for some reason finds dubious and I consider perfectly legitimate per se (although they may be, indeed, quite useful for malware writers). They have ABSOLUTELY nothing to do with hiding from Admins, which is generally associated only with the term “rootkit”. In fact, this very term owes its name to the theoretical possibility of certain admin tools getting out of the root user’s control and doing something that he is blissfully unaware of…
The above comment is very profound, and I am a noob in Windows driver development. It seems that there is no way to inject TCP data into the stream when the Filter Engine does not call the callout function.