Modify Incoming TCP Packet Sent to the Browser

All off-topic discussion goes here.
Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Modify Incoming TCP Packet Sent to the Browser

Post by Victor43 » Sun Dec 10, 2017 12:51 am

In kernel mode, where can I intercept TCP data sent to the browser and modify the data based on a set of rules? I need to be able to see everything, that is, all TCP traffic, at the highest layer (application) possible. How can this be done? Since this is a security product I don't want to miss any traffic.

Vrtule
Posts: 459
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Vrtule » Sun Dec 10, 2017 11:51 am

It should be possible to achieve this via the Windows Filtering Platform. When the communication begins, you receive a callout at the connect/recv_accept layers that also tells you the application information (whether it is a browser or not). Then, you can use the tuple of (source_ip, source_port, dest_ip, dest_port, protocol) to identify (and possibly modify) packets at the inbound and outbound transport layers (where the information about the sending/receiving application is not directly available).
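The two-layer scheme described above (learn the application at the ALE connect/recv_accept layers, then match packets by 5-tuple at the transport layers) needs a flow table that links the two. The following is an added example, not code from the WFP inspect sample or from any poster: it models that table in plain user-mode C, IPv4 only, with a constructed "path contains browser" rule standing in for a real application check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical flow table (added example, not the WFP inspect sample), IPv4 only.
 * ALE connect/recv_accept classifies see the application; transport-layer
 * classifies see only headers, so the 5-tuple learned at ALE links the two. */
enum { DIR_OUTBOUND = 0, DIR_INBOUND = 1 };
#define MAX_FLOWS 64
typedef struct {
    uint32_t local_ip, remote_ip;       /* host byte order */
    uint16_t local_port, remote_port;
    uint8_t  protocol;                  /* 6 = TCP */
} flow_key_t;
typedef struct { flow_key_t key; int in_use; int is_browser; } flow_entry_t;
static flow_entry_t flows[MAX_FLOWS];   /* verdict per flow, decided at ALE */

static int key_equal(const flow_key_t *a, const flow_key_t *b) {
    return a->local_ip == b->local_ip && a->remote_ip == b->remote_ip &&
           a->local_port == b->local_port && a->remote_port == b->remote_port &&
           a->protocol == b->protocol;
}
/* ALE_AUTH_CONNECT / ALE_AUTH_RECV_ACCEPT: the app path is available here.
 * Constructed rule: a path containing "browser" is treated as a browser. */
int ale_record_flow(const flow_key_t *k, const char *app_path) {
    for (int i = 0; i < MAX_FLOWS; i++) {
        if (flows[i].in_use) continue;
        flows[i].in_use = 1;
        flows[i].key = *k;
        flows[i].is_browser = strstr(app_path, "browser") != NULL;
        return i;
    }
    return -1;                          /* table full: fail open/closed per policy */
}
/* INBOUND/OUTBOUND_TRANSPORT: only header fields are visible. An inbound packet
 * has the remote end as its source, so swap to rebuild the local-centric key. */
const flow_entry_t *transport_lookup(uint32_t src_ip, uint16_t src_port,
        uint32_t dst_ip, uint16_t dst_port, uint8_t proto, int direction) {
    flow_key_t k;
    k.protocol = proto;
    if (direction == DIR_OUTBOUND) {
        k.local_ip = src_ip; k.local_port = src_port;
        k.remote_ip = dst_ip; k.remote_port = dst_port;
    } else {
        k.local_ip = dst_ip; k.local_port = dst_port;
        k.remote_ip = src_ip; k.remote_port = src_port;
    }
    for (int i = 0; i < MAX_FLOWS; i++)
        if (flows[i].in_use && key_equal(&flows[i].key, &k)) return &flows[i];
    return NULL;                        /* never seen at ALE: no app attribution */
}
```

A real callout would also remove entries at flow teardown and protect the table against concurrent classifies; both are left out here to keep the linking logic visible.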

Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Victor43 » Sun Dec 10, 2017 7:53 pm

Thank you for the response. May I ask what if I wanted to develop for the Windows XP platform as well?

Vrtule
Posts: 459
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Vrtule » Sun Dec 10, 2017 10:19 pm

For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+), but it is deprecated there, so it is best not to rely on it.

Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Victor43 » Mon Dec 11, 2017 9:41 pm

Vrtule wrote:For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+) but it is deprecated there so it is best not to rely on it.
Thank you again. Would an NDIS intermediate miniport driver be a possibility for XP?

Vrtule
Posts: 459
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Vrtule » Tue Dec 12, 2017 12:36 pm

Yes (version < 6), but it is placed too low to see what application is sending/receiving the data. Also (but I am not sure of that), it may be too low to see through IPSec.

Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Victor43 » Thu Dec 14, 2017 12:22 am

Vrtule thank you again.

Victor43
Posts: 60
Joined: Thu Dec 15, 2011 7:34 am
Location: Canada

Re: Modify Incoming TCP Packet Sent to the Browser

Post by Victor43 » Sat Dec 30, 2017 4:32 am

The comments in the inspect.c file (see the TLInspectALEConnectClassify function) contain the following statements, shown below:

Can anyone tell me what re-auth is in the inspect MSDN sample? What is the meaning of this terminology?

// The classify is the re-authorization for an existing connection, it
// could have been triggered for one of the three cases --
//
// 1) The re-auth is triggered by a FwpsCompleteOperation call to
// complete a ALE_AUTH_CONNECT classify pended earlier.
// 2) The re-auth is triggered by an outbound packet sent immediately
// after a policy change at ALE_AUTH_CONNECT layer.
// 3) The re-auth is triggered by an inbound packet received
// immediately after a policy change at ALE_AUTH_CONNECT layer.
//
