Get the PID of the app that opens a URL?

I need some help with a design issue; I’m not sure where to begin or if this is possible.

Here’s what I want to do:

Whenever a specific URL is opened I would like to pass the PID of the application that opened that address to my FSF. Can this be done at the kernel level, or are URLs non-existent at this level?

I’m trying to stay away from LSPs and hooking, and I don’t see any usermode APIs that could implement a callback for a specific URL.

Any suggestions or ideas?

Thanks,

Matt

On 6/6/06 6:16 AM, “MM” wrote:
> Whenever a specific url is opened I would like to pass the PID of the application
> that opened that address to my FSF. Can this be done at the kernel level, or are
> urls non-existent at this level?

Well, lots of things open “urls”. There is a different protocol for each
scheme (usually) - i.e. the following are different:

http://google.com
https://etrade.com
ftp://download.microsoft.com

Assuming you meant “web” URLs, you have to get http and https and whatever
other madness is out there. FTP URLs are still common.

Further assuming you only want HTTP URLs, that reduces to “dest port
80/tcp” connections, so you could do a TDI filter looking for connections
like these. BUT, remember, the “URL” is a) embedded in the HTTP data that
flows on that connection, and b) is not (usually) presented as a URL. For
example, for google:

[http/0.9]

GET /\r\n

-or-

[http/1.0]

GET / HTTP/1.0\r\n
\r\n

-or-

[http/1.0 with a Host header]

GET / HTTP/1.0\r\n
Host: www.google.com\r\n
\r\n

-or-

[http/1.1]

GET / HTTP/1.1\r\n
Host: www.google.com\r\n
\r\n


There are many other cases you have to worry about, too. For example, if the
browser knows it’s retrieving the document through a proxy server, the
entire URL is sent in the GET line. If the box is a proxy, you will get
extra headers (platform and protocol-version variable) that might be of some
use.

Oh yeah, and you can have URLs like this:

http://www.google.com:16591/index.html

Those will result in TCP connections to non-80 ports. That makes your
filtering job dramatically harder.

The good news is that you’d have to do this at any level, so the job isn’t
particularly more difficult as a TDI filter in the kernel than as an LSP or
a usermode hook DLL. I don’t know much about browser helper objects, but you
might look in that direction. But beware: every piece of antispyware
software (and lots of spyware too, come to that) in the known world will
cause havoc by uninstalling you (occasionally in creatively broken ways).
BHOs are IE-only; I assume you care about capturing things like Firefox or
you wouldn’t have asked how to find the originating program.

One last word on LSPs - avoid them. They’re hard to do right, even with the
SDK sample, and even if you do yours right, the next guy can come along and
ruin your installation. It’s been several years since I seriously
investigated doing one, but when I did, it was basically unsupportable on a
commercially reasonable scale. If you do this, get familiar with LSPFix. :)

Oh yeah, and LSPs have the same spyware problem that BHOs have.

There are other issues in play here - IP-based URLs, schemeless URLs (i.e.
“//slashdot.org”), redirections (try manually walking the HTTP protocol to
google.com using telnet to see what I mean - it’ll redirect a couple of
times) - and, of course, spyware that breaks web surfing in creative ways.

Difficult project; sounds like fun though. What’s it for?

-Steve
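Steve’s point that the URL never appears on the wire as a URL, and has to be reassembled from the request line, the Host header and the TCP destination port, is the part a filter at any layer has to get right. The Python below is an added example, not code from this thread or from any of its posters. It assumes the filter (TDI, LSP or otherwise) hands it the first bytes the client sent on a connection together with the destination IP and port; the request samples are constructed to mirror the cases listed above (HTTP/0.9, 1.0 with and without Host, 1.1, a proxy-style absolute URL, and a non-80 port), and the addresses in them are made up.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample client data, one per request form discussed in the thread
# (made-up bytes, not captured traffic). Each entry is
# (first bytes sent on the connection, destination IP, destination port).
SAMPLES: Dict[str, Tuple[bytes, str, int]] = {
    "http09":        (b"GET /\r\n", "64.233.187.99", 80),
    "http10":        (b"GET / HTTP/1.0\r\n\r\n", "64.233.187.99", 80),
    "http10_host":   (b"GET / HTTP/1.0\r\nHost: www.google.com\r\n\r\n", "64.233.187.99", 80),
    "http11":        (b"GET /index.html HTTP/1.1\r\nHost: www.google.com\r\n\r\n", "64.233.187.99", 80),
    # Browser talking to a proxy: the absolute URL is on the request line.
    "via_proxy":     (b"GET http://www.google.com/index.html HTTP/1.1\r\nHost: www.google.com\r\n\r\n", "10.0.0.8", 3128),
    # Non-standard port, with and without the port repeated in Host.
    "port_in_host":  (b"GET /index.html HTTP/1.1\r\nHost: www.google.com:16591\r\n\r\n", "64.233.187.99", 16591),
    "port_from_tcp": (b"GET /index.html HTTP/1.1\r\nHost: www.google.com\r\n\r\n", "64.233.187.99", 16591),
    # Not HTTP at all: a TLS ClientHello on 443 carries no readable URL.
    "tls":           (b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03", "64.233.187.99", 443),
    # Header block not yet complete: a filter must wait for more data.
    "partial":       (b"GET / HTTP/1.1\r\nHost: www.goo", "64.233.187.99", 80),
}

# Request line: METHOD SP target [SP HTTP/x.y] CRLF. The version is optional
# so that HTTP/0.9 ("GET /" and nothing else) is accepted.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?\r\n")


def reconstruct_url(data: bytes, dst_ip: str, dst_port: int) -> Optional[str]:
    """Rebuild the URL implied by the first request on a TCP connection.

    Returns None when the bytes are not (yet) a parseable HTTP request, which
    covers TLS, non-HTTP protocols on port 80, and header blocks that have not
    fully arrived.
    """
    m = REQUEST_LINE.match(data)
    if not m:
        return None
    target = m.group(2).decode("latin-1")
    version = m.group(3)

    # Proxy-style request: the request line already holds the whole URL.
    if target.startswith(("http://", "https://")):
        return target

    if version is None:
        # HTTP/0.9: no headers exist, so the only host we know is the dest IP.
        host = dst_ip
    else:
        end = data.find(b"\r\n\r\n")
        if end == -1:
            return None  # headers incomplete; the Host header may still follow
        host = None
        for line in data[m.end():end].split(b"\r\n"):
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
                break
        if host is None:
            host = dst_ip  # HTTP/1.0 without Host: fall back to the TCP peer

    # If Host carries no explicit port, reflect the real TCP destination port
    # so that http://www.google.com:16591/ is not reported as port 80.
    if ":" not in host and dst_port != 80:
        host = f"{host}:{dst_port}"
    return f"http://{host}{target}"


def reconstruct_all() -> Dict[str, Optional[str]]:
    """Run every constructed sample through reconstruct_url."""
    return {name: reconstruct_url(*sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, url in reconstruct_all().items():
        print(f"{name:14s} -> {url}")
```

Two things the sample makes visible: the HTTP/0.9 and Host-less HTTP/1.0 forms can only ever yield an IP-based URL, and anything on 443 comes back as None, so this covers the http case Steve describes but not https. Mapping the connection back to the owning PID is the filter’s own job and is outside this example.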

> I’m trying to stay away from LSPs and hooking, and I don’t see any usermode APIs
> that could implement a callback for a specific URL.

Hi,

Have a look at
http://blogs.msdn.com/wndp/archive/2006/05/03/Winhec_blog_wfp.aspx

Thanks & Regards,
Faraz.

> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

Steve,

Thanks for the response and sorry for the slow reply; you gave me a lot to contemplate. As of now, I’m just tinkering around. I have a working LSP DLL, I just don’t want to go that route for the reasons you pointed out. Adaware has a plugin that does nothing but ‘go after’ LSPs.

Thanks

m
