Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


[WFP] How to add data just after TCP handshake

James_Arca Member Posts: 15
Hi all,

I've written a WFP callout driver that redirects specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I've done this at the STREAM layer, but that doesn't work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there's data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.

Since STREAM doesn't give me enough options I've moved 'back' a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I'm on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually... This seems a bit too complicated for such a simple task. Maybe I've missed something? Gone the wrong way?

If not, I will modify the numbers and see how things behave, but I'd rather use another technique utilising WFP and WinSock.

Thanks for help.

Comments

  • James_Harper Member Posts: 1,615
    > Hi all,
    >
    > I've written a WFP callout driver that redirects specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I've done this at the STREAM layer, but that doesn't work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there's data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.
    >
    > Since STREAM doesn't give me enough options I've moved 'back' a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I'm on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually... This seems a bit too complicated for such a simple task. Maybe I've missed something? Gone the wrong way?
    >
    > If not, I will modify the numbers and see how things behave, but I'd rather use another technique utilising WFP and WinSock.
    >

    What is the purpose of this driver? It would be great for injecting
    malicious javascript into a html stream on a web server ;)

    James
  • flycutter Member Posts: 2

    @James_Arca said:
    Hi all,

    I've written a WFP callout driver that redirects specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I've done this at the STREAM layer, but that doesn't work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there's data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.

    Since STREAM doesn't give me enough options I've moved 'back' a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I'm on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually... This seems a bit too complicated for such a simple task. Maybe I've missed something? Gone the wrong way?

    If not, I will modify the numbers and see how things behave, but I'd rather use another technique utilising WFP and WinSock.

    Thanks for help.

    Have you found an elegant way to work around this?

  • Jason_Stephenson Member Posts: 113

    Why not use CONNECT_REDIRECT to send the entire connection to the local service and add whatever "magic data" you were previously sending to the REDIRECT_CONTEXT?
    Jason

  • flycutter Member Posts: 2

    @Jason_Stephenson said:
    Why not use CONNECT_REDIRECT to send the entire connection to the local service and add whatever "magic data" you were previously sending to the REDIRECT_CONTEXT?
    Jason

    Because REDIRECT_CONTEXT is not supported in Win7.

  • Jason_Stephenson Member Posts: 113

    It's fairly easy to implement yourself using a GenericTable, the tcp source address and a custom IOCTL. The usermode code would then be:
    ```cpp
    #include <winsock2.h>
    #include <windows.h>
    sockaddr_storage sourceAddress = {}, originalDestination = {};
    int sourceAddressLen = sizeof(sourceAddress);
    DWORD bytesReturned = 0;
    SOCKET s = accept(listenSocket /* local redirect target */, (sockaddr*)&sourceAddress, &sourceAddressLen);
    // ask the driver which original destination it recorded under this source address
    DeviceIoControl(hMyDevice, MY_CUSTOM_IOCTL, &sourceAddress, sizeof(sourceAddress),
                    &originalDestination, sizeof(originalDestination), &bytesReturned, NULL);

    //establish onward connection & do as you wish
    ```
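The lookup that Jason's suggestion relies on, as an added example that is not code from this thread or from any poster: a user-mode model of the table the driver would keep (he names a GenericTable; a fixed array stands in for it here) keyed by the redirected connection's source address, plus a model of the custom IOCTL handler the local service would call with the peer address it got from accept(). All names (Endpoint, record_redirect, take_original_dest, handle_query_ioctl, the status codes) and the sample addresses are assumptions constructed for the example. Two details matter beyond what the post says: the handler validates the caller-supplied buffer lengths before it copies anything, and a mapping is removed when it is read, so a later connection that reuses the same source port cannot be handed a stale destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_ENTRIES 64

typedef struct {
    uint32_t addr;   /* IPv4 address, host byte order */
    uint16_t port;   /* TCP port, host byte order */
} Endpoint;

typedef struct {
    int      in_use;
    Endpoint source;         /* key: the redirected connection's source address */
    Endpoint original_dest;  /* value: where that connection was really headed */
} OrigDestEntry;

static OrigDestEntry g_table[MAX_ENTRIES];

static int endpoint_equal(Endpoint a, Endpoint b) {
    return a.addr == b.addr && a.port == b.port;
}

/* In the real design this runs in the driver when a connection is redirected:
   remember the original destination before rewriting it to the local listener.
   Re-recording the same source replaces the old mapping (new connection, same port). */
int record_redirect(Endpoint source, Endpoint original_dest) {
    int free_slot = -1;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (g_table[i].in_use && endpoint_equal(g_table[i].source, source)) {
            g_table[i].original_dest = original_dest;
            return 1;
        }
        if (!g_table[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return 0;   /* table full: fail the redirect rather than guess */
    g_table[free_slot].in_use = 1;
    g_table[free_slot].source = source;
    g_table[free_slot].original_dest = original_dest;
    return 1;
}

/* Lookup that also removes the entry: each mapping is consumed exactly once. */
int take_original_dest(Endpoint source, Endpoint *out) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (g_table[i].in_use && endpoint_equal(g_table[i].source, source)) {
            *out = g_table[i].original_dest;
            g_table[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}

typedef enum {
    IOCTL_OK = 0,
    IOCTL_BAD_INPUT_SIZE,
    IOCTL_BAD_OUTPUT_SIZE,
    IOCTL_NOT_FOUND
} IoctlStatus;

/* Model of the custom IOCTL dispatch. In a driver the lengths come from the
   caller, so they are checked before any buffer is touched. */
IoctlStatus handle_query_ioctl(const void *in, size_t in_len,
                               void *out, size_t out_len, size_t *bytes_returned) {
    Endpoint key, dest;
    *bytes_returned = 0;
    if (in == NULL || in_len != sizeof(Endpoint)) return IOCTL_BAD_INPUT_SIZE;
    if (out == NULL || out_len < sizeof(Endpoint)) return IOCTL_BAD_OUTPUT_SIZE;
    memcpy(&key, in, sizeof key);
    if (!take_original_dest(key, &dest)) return IOCTL_NOT_FOUND;
    memcpy(out, &dest, sizeof dest);
    *bytes_returned = sizeof dest;
    return IOCTL_OK;
}

int main(void) {
    /* Constructed sample: 192.0.2.10:51000 was connecting to 198.51.100.7:443
       and got redirected to the local listener. */
    Endpoint src = { 0xC000020Au, 51000 };
    Endpoint dst = { 0xC6336407u, 443 };
    Endpoint answer = { 0, 0 };
    size_t n = 0;
    record_redirect(src, dst);
    IoctlStatus st = handle_query_ioctl(&src, sizeof src, &answer, sizeof answer, &n);
    printf("status=%d original destination=%u.%u.%u.%u:%u\n", (int)st,
           (answer.addr >> 24) & 0xFF, (answer.addr >> 16) & 0xFF,
           (answer.addr >> 8) & 0xFF, answer.addr & 0xFF, answer.port);
    return st == IOCTL_OK ? 0 : 1;
}
```

In a driver the table would also need locking between the classify callback that records entries and the IOCTL path that consumes them, and entries whose connection never reaches the listener should be aged out so an abandoned redirect cannot fill the table.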
