Comments
> I've written a WFP callout driver that redirects specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I've done this at the STREAM layer, but that doesn't work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there's data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.
>
> Since STREAM doesn't give me enough options I've moved 'back' a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I'm on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually... This seems a bit too complicated for such a simple task. Maybe I've missed something? Gone the wrong way?
>
> If not, I will modify the numbers and see how things behave, but I'd rather use another technique utilising WFP and WinSock.

What is the purpose of this driver? It would be great for injecting malicious JavaScript into an HTML stream on a web server.
James
Have you found an elegant way to work around this?
Why not use CONNECT_REDIRECT to send the entire connection to the local service and add whatever "magic data" you were previously sending to the REDIRECT_CONTEXT?
Jason
Because REDIRECT_CONTEXT is not supported in Win7.
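It's fairly easy to implement yourself using a GenericTable, the TCP source address and a custom IOCTL. The usermode code would then be:
```
// Pseudocode: accept the redirected connection and note the client's source address
SOCKET s = accept(..., sourceAddress);
auto x = originalDestination;
// ask the driver which destination this source address was originally connecting to
pMyDevice->ioctl(MY_CUSTOM_IOCTL, sourceAddress, &originalDestination);
// establish onward connection & do as you wish
```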
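
A model of the driver side of the approach in the last reply (a table keyed by the TCP source endpoint, queried through a custom IOCTL), as an added example in portable C that is not the poster's code. The struct layout, the function names, the fixed-size array standing in for a generic table, and the IPv4-only key are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Portable model of the driver-side table. A real driver would keep this in
   an RTL generic table under a lock. All names here are hypothetical. */
typedef struct { uint32_t addr; uint16_t port; } endpoint_t; /* IPv4 only */
typedef struct { endpoint_t src, orig_dst; int used; } entry_t;

#define TABLE_SLOTS 64
static entry_t g_table[TABLE_SLOTS];

static entry_t *find_entry(endpoint_t src) {
    for (size_t i = 0; i < TABLE_SLOTS; i++)
        if (g_table[i].used && g_table[i].src.addr == src.addr &&
            g_table[i].src.port == src.port)
            return &g_table[i];
    return NULL;
}

/* Called where the callout redirects a connection: remember where the
   client endpoint was really going. Returns 0, or -1 if the table is full. */
int redirect_record(endpoint_t src, endpoint_t orig_dst) {
    entry_t *e = find_entry(src); /* reused source port: overwrite stale entry */
    for (size_t i = 0; !e && i < TABLE_SLOTS; i++)
        if (!g_table[i].used) e = &g_table[i];
    if (!e) return -1;
    e->src = src;
    e->orig_dst = orig_dst;
    e->used = 1;
    return 0;
}

/* Model of the custom IOCTL handler: input is the accepted socket's source
   endpoint, output is the original destination. Buffer sizes are checked
   before any access, and the entry is consumed so it cannot be replayed. */
int ioctl_query_original_dst(const void *in, size_t in_len,
                             void *out, size_t out_len) {
    endpoint_t src;
    if (!in || !out || in_len != sizeof src || out_len < sizeof(endpoint_t))
        return -1; /* malformed request from user mode */
    memcpy(&src, in, sizeof src);
    entry_t *e = find_entry(src);
    if (!e) return -2; /* unknown source endpoint */
    memcpy(out, &e->orig_dst, sizeof(endpoint_t));
    e->used = 0;
    return 0;
}
```

Keying on address and port together matters because every redirected connection reaches the local server from the same host, so the source port is the only part that distinguishes them.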