Hi all,
I’ve written a WFP callut driver that redirect specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I’ve done this at the STREAM layer, but that doesn’t work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there’s data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.
Since STREAM doesn’t give me enough options I’ve moved ‘back’ a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I’m on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually… This seems a bit to complicated for such a simple task. Maybe I’ve missed something? Gone the wrong way?
If not, I will modify the numbers and see how things behave, but I’d rather use another technique utilising WFP and WinSock.
Thanks for help.
1 Like
> Hi all,
I’ve written a WFP callut driver that redirect specific traffic into a
locally
listening server. I however also need to add some data into the
datastream.
Initially I’ve done this at the STREAM layer, but that doesn’t work
fine for all
protocols. The problem is that the callout at the STREAM layer gets
called
only when there’s data transfer. I need to inject data before any data
transfer, but after the 3-way handshake. This is special data that the
local
server is waiting for [via recv()] and it must get it BEFORE any other
data is
transferred.
Since STREAM doesn’t give me enough options I’ve moved ‘back’ a bit
into
OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that
is the ACK the client sends to the server) and want to inject data
here. Since
I’m on the transport level I can read/modify the TCP header. However
to add
data I need to modify the SEQ/ACK numbers manually… This seems a bit
to
complicated for such a simple task. Maybe I’ve missed something? Gone
the
wrong way?
If not, I will modify the numbers and see how things behave, but I’d
rather
use another technique utilising WFP and WinSock.
What is the purpose of this driver? It would be great for injecting
malicious javascript into a html stream on a web server
James
@James_Arca said:
Hi all,
I’ve written a WFP callut driver that redirect specific traffic into a locally listening server. I however also need to add some data into the datastream. Initially I’ve done this at the STREAM layer, but that doesn’t work fine for all protocols. The problem is that the callout at the STREAM layer gets called only when there’s data transfer. I need to inject data before any data transfer, but after the 3-way handshake. This is special data that the local server is waiting for [via recv()] and it must get it BEFORE any other data is transferred.
Since STREAM doesn’t give me enough options I’ve moved ‘back’ a bit into OUTBOUND_TRANSPORT. I intercept the last packet of the handshake (that is the ACK the client sends to the server) and want to inject data here. Since I’m on the transport level I can read/modify the TCP header. However to add data I need to modify the SEQ/ACK numbers manually… This seems a bit to complicated for such a simple task. Maybe I’ve missed something? Gone the wrong way?
If not, I will modify the numbers and see how things behave, but I’d rather use another technique utilising WFP and WinSock.
Thanks for help.
Have you found an elegant way to work around this?
Why not use CONNECT_REDIRECT to to send the entire connection to the local service and add whatever “magic data” you where previously sending to the REDIRECT_CONTEXT?
Jason
@Jason_Stephenson said:
Why not use CONNECT_REDIRECT to to send the entire connection to the local service and add whatever “magic data” you where previously sending to the REDIRECT_CONTEXT?
Jason
Because REDIRECT_CONTEXT is not supported in Win7.
It’s fairly easy to implement yourself using a GenericTable, the tcp source address and a custom IOCTL. The usermode code would then be:
`
SOCKET s = accept(…, sourceAdress);
auto x = originalDestination;
pMyDevice->ioctl(MY_CUSTOM_IOCTL, sourceAddress, &originalDestination);
//establish onward connection & do as you wish
`