Windows network packet modification - c++

I'm looking to write a small program which will intercept network packets (on the local machine) and modify them before they go out on the network. I need to be able to modify the headers as well, not just the data.
I've already looked through several possibilities but am unsure which one is best to pursue. There are open source packet filters out there, but filtering only seems to be able to either allow or reject packets, not much else.
The other solution would be to write an NDIS intermediate driver, but writing drivers is a beyond me. Even the simple pass-thru example in the WinDDK is thousands of lines. I'm also not looking forward to having to constantly reinstall a driver and reboot to test my code.
I'd ideally like the program to be self contained, and not rely on the installation of 3rd party drivers/software/whatever.
So if you people could point me in the right direction, throw some helpful links my way, whatever, I'd appreciate it.

Depends what kind of packets do you want to filter/modify.
If you're after application-level filtering, and want to get your hands on HTTP or similar packets, your best bet would probably be an LSP. Note however, following this path has certain disadvantages. First MS seems to be trying to get rid of this technology, and IIRC a part of Windows 7 logo requirements is "no LSP in your product", they seem to be promoting the Windows Filtering Platform. Second, you'd be very surprised with how much trouble you're getting into in terms of 3rd party LSP compatibility. Third, a very dummy LSP is still around 2 KLOC :)
If you're after an IP level packet filtering you'd need to go for a driver.
Windows Filtering Platform provides you with functionality needed in either case. However, it's only available on Windows Vista and later products, so no XP there. Another thing to take into consideration, WFP was only capable of allow/reject packets in user-land, and if you need to modify them, you'd need to go kernel-mode. (At least that what the situation was at the time it appeared, maybe they've improved something by now).

IMHO, If you want to modify packets you'll need something to talk to the hardware, a driver of some kind. If you do not want to use your own, you should get a 3rd party driver to inter-operate with.
For filtering there's libraries like: winpcap or libpcap.
Also have a look here: http://www.ntkernel.com/w&p.php?id=7
Another link: http://bittwist.sourceforge.net/
Hope this helps!

winpcap is only able to filter packets with precompiled conditions. What you need is to write LSP-level network driver. You won't need to reboot every time you reinstall it, but it can really modify packets before they go out to the network.
More info here: http://blogs.msdn.com/wndp/archive/2006/02/09/529031.aspx or here: http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

I'm no expert but I'm looking to do something similar on my LAN. I want to intercept packets form one single fixed IP and modify them before they go to my router then out onto the internet. I also want to capture and modify the returning packets prior to allowing them through to my host. The method I had envisaged was something like this...
ARP poison the host and router so my sniffing machine was having all packets passed through it.
Analyse the packets that I will want to modify in future and look for unique characteristics to those packets so I can catch just them.
Write a macro/script that looked for said characteristic in real-time and then modified it on the fly before sending it on its' way.
I know Cain&Abel for Windows is able (haha) to ARP poison but I'm not sure if it can provide raw dump of packet contents. Wireshark is able to dump all but not sure if it can ARP poison so as just to get what I'm after, if not then I can easily connect the host I want to intercept to my sniffer machine via ethernet and then share the internet via the sniffer so that all packets will go through the sniffer machine anyway.
So step 1 can be accomplished, I don't know if said programs have the ability to filter based on specifics yet but I'm guessing they do.
That's as far as I am with it. Hope this is of help to someone and maybe someone else can take this further?

Related

Can somebody tell me why i *can* read minecraft server -> client data but not the other way around?

First of all, a big thank you to anyone willing to help!
You can skip the following wall of text if you want.
Background
I am trying to make a proxy program for my own minecraft server network. I wish to use multiple servers to allow people to play creative and survival on separate servers (to reduce serverload and increase my capacity). I am planning on using the transporter plugin for the server side of things, but I'd like to prevent having to install a clientpatch.
I discovered bungeecord, but it didn't do what I needed it to (namely, forge support for a modded server I plan on adding.) for mc 1.4.7 (which I need to use due to the server I plan on adding).
At the moment the system is running using a bungeecord proxy. However, md_5 told me that I'd need to write my own proxy (or mod his) to make it work the way I want. However, I really can't wrap my head around java (I just don't get it). So I decided to write my own.
The problem
After some research I discovered this to be doable. The hardest part would be to parse the packets. So I dug around for a library to do it for me. I came across libmcnet, which seemed to be what I wanted, but all the data it produced was garbled.
Looking over some packet dumps, and referencing it with wiki.vg, I discovered that libmcnet was giving me big-endian. However, my code and computers assume little-endian.
What I have done about it
After some thinking and looking over the code I thought it easier to write my own parser using some defines from libmcnet (namely include/mcnet/packets.h). So I copied the packets.h and read.h/read.c (both of which were heavily modified) and started recoding it. I did well enough, I think, as my system can successfully parse the server's 0xff (kick) packet during the server ping.
New problems
The next hurdle proved to be decrypting the client's data. It doesn't seem to use the same data standards as the server. For instance, the packet id the server transmits is 16 bit while the client's seems to be 8 bit.
So what I want to know:
Why does my code work fine on data from the server, but fail miserably when the client sends data? I'm pretty sure that libmcnet's code (on which I based it) is wrong as well.
Can anybody help me make this code work?
Code: http://pastebin.com/jg26yity (I figured this'd be cleaner)
Thank you all for your help!
*I'll add information if anybody requests more...
PS. First question asked here, so my post is a bit messy...
I figured it out, apparently I can't assume a library written to parse the minecraft protocol actually has proper code to read the protocol...
I was digging around and verifying what was read versus manually reading it... Appearantly a byte isn't a byte with minecraft and I thought the library had it covered.

Capture and forwarding of network traffic from a particular application on Windows

I need to capture network traffic that is going in/out of a particular application. The main issue is that I would like to do this in a blocking fashion -- i.e. capture the traffic, perform some analysis and encryption/decryption on it and then forward it along its regular route. So, it must use some sort of a blocking mechanism.
Is there some code or a library that makes this easy to do on Windows (Server 2008 or Win7 will do)? Any C++ (or Python/Java) classes or libraries that already exist?
I intend for the solution to also execute on the same machine as the target app and have administrative privileges.
Any pointers to code samples would be greatly appreciated.
Thanks for your help.
p.s.: I have been looking at WinPcap but from my (limited) understanding, it can't filter/block based on specific applications. Is that right, or did I miss something? Any other solutions out there?
For this you should look at WinDivert. Unlike regular packet sniffers (like winpcap), WinDivert also has the ability to block/filter packets, so it might be what you are looking for. Disclosure: WinDivert is my own project.

Dropping Packets By IP With C++

I'm writing a program in C++ that sniffs packets and compares them to a table by IP address. I would ike to know how to "Drop A Packet" if it does not meet the criteria that I setup. Everything is done, the sniffer, the criteria. I just need to know how to drop the packet...
Windows 7, Visual Studio 2010.
In general, packet sniffers don't modify the underlying stream, they just observe it.
It sound like what you really want is some sort of transparent proxy.
However, you should post some sample code or more details on what you are doing, since we have no idea how you actually implemented anything, and thus can't offer any suggestions.

What is the best way to sync computer time with an internet time server?

I need to get the current time from one of internet time server in my desktop application. I suppose I need something like a request string and a regular expression to get time from any site that user wants (may be with several predefined sites).
Or may be there are some free libraries exist?
Thanks.
This is what the Network Time Protocol was built for. But it's probably something best left to your operating system, lest you end up with duelling applications using different, not-quite-synchronised servers.
See the headings in the link above for UNIX and Windows implementations.
There are free libraries and specifications for how to retrieve time, and the format in which you receive it (so REs are generally unnecessary). You choice depends on the level of precision/accuracy you want.
RFC 868 gives time to the second, which is entirely adequate for a lot of people's purposes. If it's good enough, it's a lot simpler to implement than the others listed below.
RFC 5905 defines the Network Time Protocol. As long as you only want to get the time, not provide it for anybody else, NTP is probably overkill though.
RFC 4330 defines SNTP (Simple NTP), which is a simplified version of NTP for computers that act as "leaf nodes" -- i.e., they retrieve time from elsewhere, but nothing else retrieves the time from them.
The NTP project has free NTP libraries for a number of systems.
This feels like something the OS should do on its own...
There is a protocol on the internet called NTP that returns time from timeservers.
You might want to try looking for a library/class that can use NTP to retrieve time for you.
Or you could try looking at the source code for ntpclient.
Usually, most operating systems embeds such a functionality.
Both Windows and Linux can sync with NTP servers.
If really want to let the user change its timezone, you should look for OS specific API's instead of communicating directly with the time servers then changing the system time. This would be way nicer.
Maybe you can take a look at this code and get some inspiration:
http://web.abnormal.com/~thogard/ntp/ntpdate.c

Restrict functionality to a certain computer

I have a program that is using a configuration file.
I would like to tie the configuration file to the PC, so copying the file on another PC with the same configuration won't work.
I know that Windows Activation Mecanism is monitoring hardware to detect changes and that it can tolerates some minor changes to the hardware.
Is there any library that can help me doing that?
My other option is to use WMI to get Hardware configuration and to program my own tolerance mecanism.
Thanks a lot,
Nicolas
Microsoft Software Licensing and Protection Services has functionality to bind a license to hardware. It might be worth looking into. Here's a blog posting that might be of interest to you as well.
If you wish to restrict the use of data to a particular PC you'll have to implement this yourself, or find a third-party solution that can do this. There are no general Windows API's that offer this functionality.
You'll need to define what you currently call a "machine."
If I replace the CPU, memory, and hard drive, is it still the same computer? Network adaptor, video card?
What defines a machine?
There are many, many licensing libraries out there to do this for you, but almost all are for pay (because, ostensibly, you'd only ever want to protect commercial software this way). Check out what RSA, Verisign, and even microsoft have to offer. The windows API does not expose this, ostensibly to prevent hacking.
Alternately, do it yourself. It's not hard to do, the difficult part is defining what you believe a machine to be.
If you decide to track 5 things (HD, Network card, Video card, motherboard, memory sticks) and you allow 3 changes before requiring a new license, then users can duplicate the hard drive, take out two of the above, put them in a new machine, replace them with new parts in the old machine and run your program on the two separate PCs.
So it does require some thought.
-Adam
If the machine has a network card you could always check its mac address. This is supposed to be unique and checking it as part of the program's startup routine should guarantee that it only works in one machine at a time... even if you remove the network card and put it another machine it will then only work in that machine. This will prevent network card upgrades though.
Maybe you could just keep something in the registry? Like the last modification timestamp for this file - if there's no entry in the registry or the timestamps do not match then fall back to defaults - would that work? (there's more then one way to skin a cat ;) )