NDIS Hook sendPacketsHandler - c

I use NdisRegisterProtocol() to register a protocol driver, and use _NDIS_OPEN_BLOCK and _NDIS_PROTOCOL_BLOCK structures to hook the ReceivePacketHandler successful, use MyRecivePacket() to instead of NDIS receive packet functions, when I open a website, MyRecievePacket() will be run.
My question is:
When I open a website(like www.stackoverflow.com) using IE, how can I hook the SendPacketsHandler to get this packet and get the url www.stackoverflow.com string. In other words, how to capture the url in kernel mode. thanks

That's not something you should normally do, URL data belongs to the application layer of network stack and shouldn't be accessed by the lower layers which reside in Kernel space. See more here on protocol driver layering inside Windows network architecture: http://msdn.microsoft.com/en-us/library/windows/hardware/ff571073(v=vs.85).aspx
However, it might be possible by removing the headers that where added to packets on the way down to your protocol driver by the protocols sitting on top of it, such as HTTP, TCP, IP etc. You need to know the exact protocols that where applied to your data packet on the way to your protocol driver. The headers are added incrementally, for each underlying layer the input from the above layer is an opaque block of data (which consists of the upper layer data and header). E.g., your packet may start as a pure data, to which HTTP header was added at start, TCP header after that, and IP header after that. You need to remove the headers in the opposite order to restore the original data.
Note, this is not always possible as the protocols on the way down may change the data, e.g. by encrypting it. In this case you won't be able to extract the original data with doing the reverse operation (such as decryption).

There are tools and techniques that called Deep Packet Inspection(DPI) which used to unpacked the transfered packet upon rich its application layer , there are libraries like openDPI which can be used even on kernel land to track the packets content.
When you can unpack the network packets up-to application layer then you can change its content. You should be award that its not easy to capture and unpack each packets which throw your NIC.

First of all, I have not really clear what you want to do... My main doubt:
¿are you registering a Protocol Driver, or hooking the ReceivePacketHandler of a previously existing driver? It's something really different.
I'll assume that your target is just to intercept URL's, not hooking an exising protocol driver. As #icepack comments, using a procol driver it's not 'the easy way' beacause you should track all TCP connections to extract HTTP stuff.
But, if it's mandatory for you to use NDIS, you should check the PassThru example[1] of the DDK, or the NDIS Filter driver [2] example, and implement the necessary logic to parse TCP protocol and HTTP headers.
If NDIS it's not mandatory there are easier techniques like using a TDI (deprecated but still functionally[3]) or a WFP driver [4] to intercept communications in a higher level than TCP stack.
[1] http://code.msdn.microsoft.com/windowshardware/NDISLWFSYS-Sample-NDIS-60-42b76875
[2] http://msdn.microsoft.com/en-us/library/windows/hardware/ff565501(v=vs.85).aspx
[3] http://technet.microsoft.com/en-us/library/cc939977.aspx
[4] http://msdn.microsoft.com/en-us/library/windows/hardware/gg463267.aspx

Related

What's the easiest way to send 802.11 frames using C?

I'm a beginner to C, I've recently decided to make migrate this project to C from using Scapy/Python, solely because I want better performance. I wish to send layer 2 data, specifically beacon frames to advertise an access point.
So far I have found that I need to (or rather could) use libpcap and a Linux header called ieee80211.h that pre-defines packets, that's all I could gather from the other questions. I've found other information which says I should use raw sockets instead of libpcap? I'm not sure if this is all I need. Most of the information and tutorials I have found on Google refer to packet sniffing, not sending.
How do I define a custom frame and/or packet (e.g. a beacon frame or association request) and then simply send it to wlan0 etc.?
Thought I might update this. I used libpcap.
You just need to create a handle with your device, set it to monitor mode successfully (important), check the data link type (e.g. 802.11 with Radiotap for layer 2) then use pcap_sendpacket(handle, packetArrayContainingHex, size);. Hard part is forming legal packets that aren't rejected or dropped, taking a look in wireshark helps.
This link might help. It basically opens the driver at raw packet level and creates the whole packet to send over the wire, as your question suggests.

View - but not intercept - all IPv4 traffic to Linux computer

Is there a way to view all the IPv4 packets sent to a Linux computer?
I know I can capture the packets at the ethernet level using libpcap. This can work, but I don't really want to defragment the IPv4 packets. Does libpcap provide this functionality and I'm just missing it?
One thing that kinda works is using a tun device. I can capture all the IPv4 traffic by routing all traffic to the tun device via something like ip route add default via $TUN_IP dev $TUNID. This also stops outbound traffic though, which is not what I want.
I just want to see the IPv4 packets, not intercept them. (Or, even better, optionally intercept them.)
Edit: I'm specifically looking for a programmatic interface to do this. E.g. something I can use from within a C program.
Yes, you can see all the packets that arrive at your network interface. There are several options to access or view them. Here a small list of possible solutions, where the first one is the easiest and the last one the hardest to utilize:
Wireshark
I'd say this is pretty much the standard when it comes to protocol analyzers with a GUI (uses libpcap). It has tons of options, a nice GUI, great filtering capabilities and reassembles IP datagrams. It uses libpcap and can also show the raw ethernet frame data. For example it allows you to see layer 2 packets like ARP. Furthermore you can capture the complete data arriving at your network interface in a file that can later be analyzed (also in Wireshark).
tcpdump
Very powerful, similar features like Wireshark but a command line utility, which also uses libpcap. Can also capture/dump the complete interface traffic to a file. You can view the dumped data in Wireshark since the format is compatible.
ngrep
This is known as the "network grep" and is similar to tcpdump but supports regular expressions (regex) to filter the payload data. It allows to save captured data in the file format supported by Wireshark and tcpdump (also uses libpcap).
libnids
Quotation from the official git repository:
"Libnids is a library that provides a functionality of one of NIDS
(Network Intrusion Detection System) components, namely E-component. It means
that libnids code watches all local network traffic [...] and provides convenient information on them to
analyzing modules of NIDS. Libnids performs:
assembly of TCP segments into TCP streams
IP defragmentation
TCP port scan detection"
libpcap
Of course you can also write your own programs by using the library directly. Needless to say, this requires more efforts.
Raw or Packet Sockets
In case you want to do all the dirty work yourself, this is the low level option, which of course also allows you to do everything you want. The tools listed above use them as a common basis. Raw sockets operate on OSI layer 3 and packet sockets on layer 2.
Note: This is not meant to be a complete list of available tools or options. I'm sure there are much more but these are the most common ones I can think of.
Technically you have to make a copy of the received packet via libpcap. To be more specific, what you can do is to get packets with libpcap, that way the packets will be kind of blocked, so you need to re send them to the destination. Lets say that you want to make a Fire-Wall or something, what you should do is to have a layer that can work like getting the package and then send it to the destination, in between you can make a copy of what you got for further processes. In order to make the intercept option, you need to create some predefined rules, i.e. the ones that violates the rules will not be send again to their destination.
But that needs a lot of efforts and I don't think you want to waist your life on it.
Wire-shark as mentioned by #Barmar can do the job already.
If you need some kind of command line interface option I would say that "tcpdump" is one of the best monitoring tools. for example for capturing all ipv4 HTTP packets to and from port 80 the command will be:
tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
for more information and options see tcpdump
Please be specific if you need to write a program for it, then we can help about how to do it.

How to drop packet before full download

I'm creating a personal app for network filtering using C. I already know that you can log and analyze a downloaded packet's info using this code:
tcpPacket = recvfrom(raw_socket , buffer , 65536 , 0 , &serverAddress , &serverAddressSize);
but this requires that the tcp packet be downloaded first. What I need is that the filter will be acted out even before it is downloaded, let's say it examines the source IP and based on that, it either accepts or rejects it.
Note: Yes I am aware of iptables, but I do not want to use it because I want to learn how to do it using raw sockets.
In a packet-oriented network (like TCP/IP is), the each packet contains both address information and actual payload.
So it doesn't make sense to say that you want to drop the packet before it's downloaded, based on data that is in the packet.
It would perhaps be imaginable if you could stop the actual (hardware) receiver mid-packet, but I don't think any "normal" networking hardware or APIs expose such functionality.
I've got what I needed now. I need to call getpeername(2) after accepting a connection http://man7.org/linux/man-pages/man2/getpeername.2.html.

Kernel bypass for UDP and TCP on Linux- what does it involve?

Per http://www.solacesystems.com/blog/kernel-bypass-revving-up-linux-networking:
[...]a network driver called OpenOnload that use “kernel bypass” techniques to run the application and network driver together in user space and, well, bypass the kernel. This allows the application side of the connection to process many more messages per second with lower and more consistent latency.
[...]
If you’re a developer or architect who has fought with context switching for years kernel bypass may feel like cheating, but fortunately it’s completely within the rules.
What are the functions needed to do such kernel bypassing?
A TCP offload engine will "just work", no special application programming needed. It doesn't bypass the whole kernel, it just moves some of the TCP/IP stack from the kernel to the network card, so the driver is slightly higher level. The kernel API is the same.
TCP offload engine is supported by most modern gigabit interfaces.
Alternatively, if you mean "running code on a SolarFlare network adapter's embedded processor/FPGA 'Application Onload Engine'", then... that's card-specific. You're basically writing code for an embedded system, so you need to say which kind of card you're using.
Okay, so the question is not straight forward to answer without knowing how the kernel handles the network stack.
In generel the network stack is made up of a lot of layers, with the lowest one being the actual hardware, typically this hardware is supported by means of drivers (one for each network interface), the nic's typically provide very simple interfaces, think recieve and send raw data.
On top of this physical connection, with the ability to recieve and send data is a lot of protocols, which are layered as well, near the bottem is the ip protocol, which basically allows you to specify the reciever of your information, while at the top you'll find TCP which supports stable connections.
So in order to answer your question, you most first figure out which part of the network stack you'll need to replace, and what you'll need to do. From my understanding of your question it seems like you'll want to keep the original network stack, and then just sometimes use your own, and in that case you should really just implement the strategy pattern, and make it possible to state which packets should be handled by which toplevel of the network stack.
Depending on how the network stack is implemented in linux, you may or may not be able to achieve this, without kernel changes. In a microkernel architecture, where each part of the network stack is implemented in its own service, this would be trivial, as you would simply pipe your lower parts of the network stack to your strategy pattern, and have this pipe the input to the required network toplevel layers.
Do you perhaps want to send and recieve raw IP packets?
Basically you will need to fill in headers and data in a ip-packet.
There are some examples here on how to send raw ethernet packets:
:http://austinmarton.wordpress.com/2011/09/14/sending-raw-ethernet-packets-from-a-specific-interface-in-c-on-linux/
To handle TCP/IP on your own, i think that you might need to disable the TCP driver in a custom kernel, and then write your own user space server that reads raw ip.
It's probably not that efficient though...

Can I make a "TCP packet modifier" using tun/tap and raw sockets?

I have a Linux application that talks TCP, and to help with analysis and statistics, I'd like to modify the data in some of the TCP packets that it sends out. I'd prefer to do this without hacking the Linux TCP stack.
The idea I have so far is to make a bridge which acts as a "TCP packet modifier". My idea is to connect to the application via a tun/tap device on one side of the bridge, and to the network card via raw sockets on the other side of the bridge.
My concern is that when you open a raw socket it still sends packets up to Linux's TCP stack, and so I couldn't modify them and send them on even if I wanted to. Is this correct?
A pseudo-C-code sketch of the bridge looks like:
tap_fd = open_tap_device("/dev/net/tun");
raw_fd = open_raw_socket();
for (;;) {
select(fds = [tap_fd, raw_fd]);
if (FD_ISSET(tap_fd, &fds)) {
read_packet(tap_fd);
modify_packet_if_needed();
write_packet(raw_fd);
}
if (FD_ISSET(raw_fd, &fds)) {
read_packet(raw_fd);
modify_packet_if_needed();
write_packet(tap_fd);
}
}
Does this look possible, or are there other better ways of achieving the same thing? (TCP packet bridging and modification.)
There were some apps I used years ago to do some TCP/IP packet manipulation for testing a firewall: fragoute and fragtest. Looks like they haven't been touched in years, but they might give you some ideas of what to do in your code.
You might want to consider using a LD_PRELOAD library to hook the functions that it uses to send the data out (send(), write() etc).
That wouldn't involve any kernel messing-around at all.
Another option is to NAT the outbound connections to a local proxy which can read the data, make whatever modifications, and send it all out to the real destination (with some options to prevent it being NAT'd again and going round in circles)
You can use the click modular router. It is a software router implemented entirely in C++. Click allows you to capture packets as they pass through elements in the router where you can modify or collect statistics as needed. As a kernel module, you completely override the linux routing mechanism and as a userland binary you simply get a duplicate (as you mention in your post) of each packet from the interface. Packets can be directed through the Click graph by way of pcap filters and a variety of other mechanisms.
If you are headed down the bridge route, I think this provides the most direct support for what you are looking to do as you can use tun/tap, to/from host or to/from device capture methods as you require.

Resources