Question about DNS proxy

Hello everyone:
I want to redirect the traffic of curl.exe to my proxy process proxy.exe through the WFP driver. On the way, I encountered a problem: WFP cannot intercept the DNS packets of curl.exe. Later I found out that the DNS packet for curl.exe is actually sent on its behalf by a system process called svchost.exe, so my WFP driver can only intercept the packets sent by svchost.exe.

Later, I also tried to use the WFP driver to intercept the DNS request sent by svchost.exe and proxy it out through my proxy.exe, but it didn’t seem to have any effect.

Pic: https://drive.google.com/file/d/1x1Lrn27fI_8hUBZ9_487hiEUxlG-05hR/view?usp=sharing

Later, I tried to use the WFP driver to intercept the DNS request sent by nslookup.exe and proxy it out through my proxy.exe, and that was successful.

Pic: https://drive.google.com/file/d/1x1Lrn27fI_8hUBZ9_487hiEUxlG-05hR/view?usp=sharing

So my question is: my WFP program can successfully obtain correct domain name resolution by intercepting nslookup.exe and proxying through proxy.exe, but cannot successfully obtain correct domain name resolution by intercepting svchost.exe and proxying through proxy.exe.

This is probably expected behaviour. IIRC nslookup creates DNS UDP packets in UM and sends them out onto the network directly. This sort of traffic is exactly what WFP is designed to handle.

But curl.exe probably uses getaddrinfo, GetNameInfo or other Winsock functions to resolve the hostname into an IP address. This will not produce UDP traffic directly, but instead relies on the DNS resolver. The DNS resolver returns most of its answers from cached data, but for domains that are not yet known, it will send out UDP DNS queries. These queries can't be directly attributed to a single UM process like curl.exe, as you have discovered. These queries are also vital for proper system function and are likely protected from tampering as much as possible. DNS is vital to find things like domain controllers, network time etc., and DNS poisoning is a well known attack.


@MBond2
Thank you very much!
I now use WFP to check whether the target port is 53 and, if so, redirect the packet to my proxy process, but this also seems to be a problem: svchost.exe seems to verify the reply as well, and as long as it finds that the DNS target IP is different from the original IP, it will fail. Is there any good solution for this?
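As an added illustration of the two points above (not code from this thread): the checks a stub resolver applies before accepting a UDP reply, including the transaction ID and question-echo checks and, as an assumption about the exact logic the follow-up post runs into, a comparison of the reply's source address against the server the query was sent to. The addresses and names below are constructed test data.

```python
"""Stub-resolver style acceptance checks for a DNS reply over UDP (constructed example)."""
import secrets
import struct
from typing import List, Optional, Tuple

Addr = Tuple[str, int]


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Minimal recursive DNS query (flags RD=1); qtype 1 = A record."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Well-formed A-record answer to `query` (used here only to construct test data)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = query[12:]
    # 0xC00C is a compression pointer to the QNAME at offset 12 of the message.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + answer


def validate_response(query: bytes, response: bytes, sent_to: Addr, received_from: Addr) -> List[str]:
    """Return the reasons a resolver would drop `response`; an empty list means it is accepted."""
    problems = []
    # Assumed check: a reply must come back from the address the query went to.
    if received_from != sent_to:
        problems.append("source %s:%d is not the server the query went to" % received_from)
    if len(response) < 12:
        return problems + ["header truncated"]
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rid != struct.unpack("!H", query[:2])[0]:
        problems.append("transaction id does not match the query")
    if not flags & 0x8000:
        problems.append("QR bit clear: this is a query, not a response")
    qlen = len(query) - 12
    if qdcount != 1 or response[12:12 + qlen] != query[12:]:
        problems.append("question section does not echo the query")
    return problems
```

A reply relayed by a local proxy fails the first check even when every byte of the DNS message is otherwise valid, which is the symptom described in the follow-up.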