Is there any way in C++ on windows to monitor a program and redirect any outgoing requests it makes on a specific port? I have a simple C++ http proxy and want it to be able to automatically redirect all browser requests on port 80 through itself.
The simple way to do it is to create a Windows kernel hook to trap socket requests and reroute them to your proxy.
Some useful documentation on this is:
http://www.internals.com/articles/apispy/apispy.htm
If you're using Windows Vista or better, consider Windows Filtering Platform (WFP):
http://www.microsoft.com/whdc/device/network/wfp.mspx
Also consider looking at Detours (commercial) and EasyHook (free). They significantly simplify the process of writing hooks and redirecting API calls (both Win32 and Application).
The program would have to be run with administrative privileges in kernel mode of the host OS.
While I don't have extensive experience with windows kernel hooks, in BSD and linux its trivial to install a kernel module that over-writes the system calls for creating sockets and could easily redirect all sockets to a proxy socket of choice.
If you mean [any destination port] to [one port] then you will have to rely on special drivers. The problem with windows is the inability to natively block [drop] packets. For example a common solution is winpcap. However, while you can monitor traffic, you cannot stop the traffic or modify it in a useful way.
On windows the only solution I've seen would be to use some open TUN/TAP adapter. With that, you would be able to modify every packet that leaves your system.
If you know beforehand the destination port you will be using then it gets rather simple. Simply write a passthrough c++ socket program that will only change the destination port.
If you want to redirect browser requests then you can simply edit the settings in your browser.
Related
I have a solution that acts as client service and does some background work. This application requires some settings (that are read from an xml file) to be done at installation time and which are periodically revised. For convenience (as this service is installed on multiple machines) I wanted to control these settings remotely from a central server application. This works fine if the server and client are inside the LAN but I would like to control these settings even if the client is outside the network or the server is behind a firewall. What could be the solutions to do this?
Clearly, the solution depends on exactly what you want to achieve. But if I understand it right, the reason you have "problems" with a firewall is that you simply access the file that contains the XML over the network using standard network file access. Which is typically (for good reason) blocked by the firewall.
So, the solution then would be to use a standard protocol and a "non-standard service". For example, if the machine is allowed incomming HTTP requests, you could use HTTP-based post messages to update the XML content, either send the entire file as a file upload, or make up your own remote access protocol. If HTTP is not allowed, then you have to look at what other "holes" there are in the firewall, and do something similar with another of the "holes".
The other, less obscure solution, is of course to simply use a remote-desktop or secure shell connection to remotely access the machine. Of course, again, assuming this sort of connection is allowed.
There is no magical "bypass firewall" solution - you have to work within the rules of the firewall in some way.
I am writing a Desktop application for professional users using C++. My current design relies on a third-party C++ component whose API is based on TCP/IP. To integrate this component might involve modifying it to replace the networking code with a conventional C++ API.
It would be a lot easier if I could leave the component unmodified and communicate with it in the way it expects - over the network. To do so I would need to run the component as a server listening on some high port for loopback connections.
I have two concerns with this loopback approach. Can anyone allay or confirm my fears?
Reliability and performance
The loopback connection might fail, be blocked or intercepted by antivirus software. Something like this: Loopback connections working in user's context but not working from Local System account
Security
I am not too concerned about someone sniffing my loopback packets but I don't want my server to become a security risk itself. Is it risky to have a process listening on some high port?
Do many desktop applications operate like this?
I am initially developing on Windows but may move to Mac and Linux in future so this question applies to all the common desktop OSs.
Reliability: if component itself is reliable then there's no problem with listening to loopback interface. If component is not reliable then it's better to talk with it via loopback interface instead of calling it's functions directly. You can easily handle disconnects and restart component to continue working, but if you would link to the component and component will fail - your app will fail too.
Performance: There's some performance penalty. Not really big with current CPU power. It should be acceptable for most applications.
Security: component should bind to localhost address to avoid security issues. But local 3-d party software (virus) software with sufficient access level can intercept or even modify communication streams. Same for any other method of communication.
Loopback connections are widly used (java uses it for intercommunication, named used it for master service control, etc.)
I have an application which communicates over the local area network. However, I want to instead make it communicate over the internet. To do this I propose making an intermediate program which will read the network traffic generated from the application on one computer and send it to the application on another computer.
This involves:
Reading the outgoing network traffic of the application
Sending a copy of this traffic over the internet to another computer
Giving this copy to the application on the other computer
Instead of this:
Application on computer A <-LAN-> Application on computer B
I want to achieve this:
Application on A <--> My Program on A <-INTERNET-> My program on B <--> Application on B
I can accomplish (2), but with (1) and (3) my problem is that I have very little experience with networking and I do not know where to start. I can program in python but would be willing to use c++ to accomplish this.
(Hamachi does not work for this application, I do not know why.)
In response to comments
I do not intend to manipulate any data unless it is necessary to make the connection work. I have no control over the application itself and it does not provide me with any methods to configure the connection with the exception of a port number.
TCP and UDP are both used on the port 6112. The IP addresses used are first 255.255.255.255 for a generic broadcast used to discover other applications on the LAN (with UDP), then a TCP connection is established.
The term you are missing in your original question is proxy. You specifically need a transparent forwarding proxy.
Here is a link to some source code in Python that will get you started with writing a proxy.
That said, if you search around you should be able to find a transparent forwarding proxy that you don't have to write yourself.
If you want to do this the most robust way, you can do it in hardware and setup a managed router/switch/firewall to route things to where ever you need without having to write anything.
Why re-engineer the wheel? Why not just use OpenVPN, n2n or vtun etc etc.
Please tell me is it possile to know when a program is trying to download a file ( like in Internet Download Manager ). I want to catch that event (hook it), get the download url, and then destroy the event.
Thanks in advance..
#Jerry Coffin:Sr, I forgot to tell you that this feature of IDM is not active by default. It is only turned on when you enable the "Use advance browser integration" option at "Download/Options" of IDM menu.
Like here :
http://files.myopera.com/UenX/files/Detect.jpg
+ Check the (1) options, OK, then reboot.
+ After reboot, the (2) option will appear, check it, OK, and now run your software. You should see some thing likes (3)
( this appear when I run the msgr9us.exe ( Yahoo! Messenger setup file) )
Give it a try..
For a specific program such as Internet Explorer, doing this is quite reasonable (IE includes hooks to invoke your code under the right circumstances). For most programs it's not possible though -- they simply don't generate any "event" for you to hook and "destroy".
To make a long story short, to get anywhere with this, you'll almost certainly need to handle the situation on a case-by-base basis, writing code specific to each application you want to deal with -- and know that any other application and even newer versions of the applications you've dealt with will probably break what you're trying to do.
Not really. Consider how a browser typically downloads a file: it opens a TCP socket connection to a remote server, either on port 23 or 80, and using the FTP protocol or HTTP protocol on that connection. These things you can detect, intercept and modify with high reliability. But there are other programs that use other mthods. for instance, P2P filesharing programs such as BitTorrent do not use HTTP or FTP, nor do they download a file from a single server.
So, while you don't need to understand every program, you must be able to detect and understand every file download protocol instead.
you could hook the network stream and filter for http download requests.
you'll need some library to capture network traffic (e.g. http://en.wikipedia.org/wiki/Pcap).
Then you'll have to parse the network packets for the appropriate HTTP messages (sorry, I can't give them to you, I don't know them). I don't know if you can actually prevent packets from being sent though.
Another (easier) way would be to implement a proxy server (or modify an existing one) to do what you want. Then you just have to connect the IE to your proxy using the proxy server settings. Check for example Privoxy, which already does some kind of filtering.
What would be the simplest way for an application I'm writing to block all Internet access on a Windows machine?
More details:
Windows: XP or higher
Application: A basic Win32 app written in C/C++.
Blocking: It needs to be able to block and unblock at will, ideally in a way that the user can't easily reverse. (By, say, right clicking on a network connection icon in the system tray.) Also, ideally, I'd like the method it uses to allow access to be restored should the user restart Windows or reset the machine, though I'd also be willing to have the app auto launch with Windows and unblock access upon startup if the machine was reset while in a blocked state.
Internet access: Primarily, I'd like to block conventional browsers from hitting conventional http/https sites. Secondarily, it would be nice to block IM clients and client-side social networking apps. It would also be nice, but not required, to still allow local networking for file sharing, etc. (Note that only the first requirement is absolute.)
Final notes: This is not meant to be a security utility, nor will its relationship to the user be adversarial (as, for example, with a parental control utility) so it's not important for it to use a scheme that can't be worked around by a determined user. (Consider that I intend for a reboot or reset to clear the blocking. This means that any workaround a user might discover that would take more effort than this is okay.)
Thanks!
p.s. I suspect that the Windows Firewall API won't work for me because this needs to work for users that haven't enabled the firewall or don't have admin privileges, but I'll be thrilled if I'm corrected on this.
It sounds like you're intending to run applications that you don't want to access the internet. Perhaps you could run them inside a virtual machine such as VirtualBox with networking disabled.
You could do it with a Winsock SPI. The Windows SDK has a sample (under Samples\netds\winsock\lsp) which implements what is called a layered service provider which allows you to hook all the user mode functions provided by Winsock and reject/modify the calls to block network access or redirect traffic to different locations. All installed winsock applications will be affected, so in your code you could have policys for what applications can go out and the like and disabled/enable on the fly. Now a determined person could find ways around this but it would be a pain.
That said this isn't trivial to do but the sample should get you most of the way there.
You cannot effectively or practically write your tool with only a user mode application.
What you need to write is a network I/O stack filter driver. This done by writing a Windows Driver. This is different from a Windows Win32 application. Drivers run in kernel mode and applications run in user mode.
On Windows Vista and later, the kernel mode Network Programming Interface (NPI) is designed for this. This is the same API that Windows Firewalls use. These are sometimes called the Winsock kernel (WSK) APIs.
In effect, you are writing a network firewall (more or less)
here are some links
Introduction to Winsock Kernel (WSK)
Windows Core Networking Blog
The Network Programming Interface Docs on MSDN
Note, your will likely need at least two components
Your driver
A Graphical application that a person can use to control your tool
If you want to do any monitoring, you will likely need a user mode service that collects data from your driver. This works better than trying to do this in the driver. In general, you should do the minimal amount of work in the driver.
A few notes:
You need to be very conscious of security when writing this kind of software. This is very much non trivial. Software that is network facing has the highest security requirements.
Be cognizant of performance.
Your driver and/or service must be aware of the context of a calling application. This is also a security boundary. For example, an application not running as administrator should not be able to control your driver.
take a look at firewall sourcecodes