
Create Your Sniffer / FireWall / Parental control / SpyWare / Client for computer Club. LSP technology


Recently a friend mentioned that he needed, for the electronic reading room of a library, a program that would control access to the computers and automatically count who used what and for how long.
Since there was no money for it in the 2012 budget, the friend dropped the idea. But the idea of access control had already taken hold of me, and I began thinking about how to do it.
One question worried me most: how do you block HTTP traffic when the user has paid only for renting the computer, and not for renting the computer with Internet access?
On the Internet I found an interesting article on LSP, and here I present its translation with some changes.
If you are interested, read on.


HTTP sniffer based on LSP (Layered Service Provider)
This article describes how to create a simple sniffer that monitors HTTP traffic on Windows. The program is built on a documented Microsoft technology called LSP (Layered Service Provider).
LSPs are used by various kinds of software, mainly antiviruses, firewalls and traffic-filtering programs.
To build this package I took the example from the Microsoft Platform SDK (Program Files\Microsoft Platform SDK\Samples\NetDS\WinSock\LSP\) and added a feature that filters HTTP traffic and collects the results in a separate store.

Concept
Basic scheme
Getting started
Conclusions and tips
Useful links

Concept

The main idea of LSP is to create a provider that is inserted into the chain of existing providers, much like a hook in Windows.

When the provider is installed you specify its place in the provider chain, and the chain is rebuilt according to the new settings. In our case the provider is installed on top of the TCP/IP provider. Be careful when installing on a real machine: a failed installation causes a lot of trouble, such as losing the network and the Internet and breaking some network applications. (If the Winsock catalog does get corrupted, running netsh winsock reset as administrator and rebooting restores the default catalog, which also removes every installed LSP.)
To avoid these debugging problems while creating an LSP, test it on a virtual machine.
In the LSP you must replace all the functions of the Winsock service-provider interface (WSPConnect, WSPSend, WSPRecv and the rest). The replacement logic is already present in the Platform SDK example; all that remains is to add the logic that intercepts requests, blocks URLs or saves HTTP traffic.
LSPs are used both by legitimate programs and by SpyWare/AdWare.
(Figures: examples of legitimate programs and of AdWare using LSPs; LSP in action.)


Basic scheme

(Figure: the basic scheme of the software package.)

After the package is installed, many programs will use our provider: the provider is just a DLL that is loaded into every application that uses the Winsock library, including system services, so a crash in the DLL is a crash in that application. But we only need to pick out HTTP traffic. Below is the line of our provider with the hard-coded port that will be monitored (HTTP uses port 80 by default):

    if ((namelen >= sizeof(sockaddr_in)) &&
        (((sockaddr_in*)name)->sin_port == htons(HTTPPort))) {
        SocketContext->intercept = TRUE;
    }

You can improve this tool with more elegant logic for storing settings instead of hard-coded constants as in the example. Note that the check never looks at the address family (sa_family) before casting; a more careful version checks it first.
In addition we must recognize HTTP requests. GET requests are recognized by simply comparing the start of the buffer with the string "GET"; POST requests can be recognized in the same way.
We also have a service that collects all the filtered information. The service exists to prevent data corruption, which can happen when we monitor several applications rather than one: every application hands its captured data to the service instead of writing to a shared file. The service is a socket server listening on port 4004, so there should be no problems synchronizing data collection. Here the storage is just a text file, but you can easily replace it with something more convenient and robust (a DBMS, for example).

Getting started

The test package contains the following projects.
1. LSP project (LSP folder)

This project contains the overrides of the basic Winsock SPI functions; this is where we add our changes. In my case the project contains the Platform SDK example, to which I added logic in the WSPConnect function that recognizes a connection to port 80 and marks the socket as intercepted:

    if ((namelen >= sizeof(sockaddr_in)) &&
        (((sockaddr_in*)name)->sin_port == htons(HTTPPort))) {
        SocketContext->intercept = TRUE;
    }

Thus in later calls to WSPSend we know that this socket carries HTTP. We also establish the connection to the traffic-collecting service in WSPConnect. In WSPSend we implemented the logic that detects HTTP requests and forwards a copy of them to our service:

    if (IsHTTPRequest(lpBuffers->buf) && SocketContext->intercept) {
        SetBlockingProvider(SocketContext->Provider);
        // send the application's buffer to the collector socket through the next provider in the chain
        ret = SocketContext->Provider->NextProcTable.lpWSPSend(
            serviceConnection.GetSocket(), lpBuffers, dwBufferCount, lpNumberOfBytesSent,
            dwFlags, lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);
        SetBlockingProvider(NULL);
    }

Note that IsHTTPRequest receives only lpBuffers->buf: WSABUF data is not NUL-terminated, so the check should also be bounded by lpBuffers->len.

I created a specialized class that holds one persistent connection per loaded DLL instance:

    class ServiceConnectionKeeper;

Its role is to keep the socket connected, so only one connection to the storage service is established per process.
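As an added example (not code from the article or its project), here is a portable C++ version of the two decisions the LSP makes: at WSPConnect time, whether a connection's destination is an HTTP port, and at WSPSend time, whether a send buffer starts an HTTP request and what to do with it. It is written against plain sockaddr structures so it builds on Windows and POSIX and can be tested outside an LSP DLL. It goes beyond the article's snippets by checking the address family, handling IPv6 and bounding the request check by the buffer length; the port list, the SocketState fields, the SendAction enum and the "Internet paid for" flag are assumptions made for this example, not part of the article's code.

```cpp
// Added example: connect-time and send-time decisions of an LSP-style HTTP sniffer,
// written against plain sockaddr structures so it builds on Windows and POSIX.
// Not the article's code; the names below are illustrative.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#ifdef _WIN32
#  include <winsock2.h>
#  include <ws2tcpip.h>
#else
#  include <sys/socket.h>
#  include <netinet/in.h>
#  include <arpa/inet.h>
#endif

// Ports treated as HTTP (assumed configurable list instead of the article's single HTTPPort).
static const uint16_t kHttpPorts[] = {80, 8080};

// True when the address handed to WSPConnect targets an HTTP port.
// Unlike the article's snippet it checks sa_family before interpreting the bytes
// and also understands IPv6; memcpy avoids unaligned access to the caller's buffer.
bool IsHttpDestination(const sockaddr* name, size_t namelen) {
    if (name == nullptr || namelen < sizeof(name->sa_family)) return false;
    uint16_t port_be = 0;  // network byte order, as stored in the sockaddr
    if (name->sa_family == AF_INET && namelen >= sizeof(sockaddr_in)) {
        sockaddr_in v4; std::memcpy(&v4, name, sizeof v4);
        port_be = v4.sin_port;
    } else if (name->sa_family == AF_INET6 && namelen >= sizeof(sockaddr_in6)) {
        sockaddr_in6 v6; std::memcpy(&v6, name, sizeof v6);
        port_be = v6.sin6_port;
    } else {
        return false;  // unknown family or truncated address: do not intercept
    }
    for (uint16_t p : kHttpPorts) if (port_be == htons(p)) return true;
    return false;
}

// True when the first bytes of a send buffer start an HTTP request line.
// Takes the length explicitly: WSABUF data is not NUL-terminated, so scanning
// lpBuffers->buf as a C string can read past the end of the buffer.
bool LooksLikeHttpRequest(const char* buf, size_t len) {
    static const char* const kMethods[] = {"GET ", "POST ", "HEAD ", "PUT ",
                                           "DELETE ", "OPTIONS ", "CONNECT "};
    if (buf == nullptr) return false;
    for (const char* m : kMethods) {
        size_t mlen = std::strlen(m);
        if (len >= mlen && std::memcmp(buf, m, mlen) == 0) return true;
    }
    return false;
}

// What the WSPSend hook does with one buffer on one socket.
enum class SendAction { PassThrough, Mirror, Block };

// Per-socket state the LSP keeps (the article has only 'intercept'; the
// 'internet_paid' flag is an assumed setting for the computer-club use case).
struct SocketState {
    bool intercept = false;
    bool internet_paid = true;
};

// Non-HTTP data and non-intercepted sockets pass untouched; HTTP requests are
// mirrored to the collector when Internet access is paid for and blocked otherwise.
SendAction DecideSend(const SocketState& s, const char* buf, size_t len) {
    if (!s.intercept || !LooksLikeHttpRequest(buf, len)) return SendAction::PassThrough;
    return s.internet_paid ? SendAction::Mirror : SendAction::Block;
}

// Convenience wrappers that build an address with only the port set.
bool V4PortIsHttp(uint16_t port) {
    sockaddr_in a; std::memset(&a, 0, sizeof a);
    a.sin_family = AF_INET; a.sin_port = htons(port);
    return IsHttpDestination(reinterpret_cast<const sockaddr*>(&a), sizeof a);
}
bool V6PortIsHttp(uint16_t port) {
    sockaddr_in6 a; std::memset(&a, 0, sizeof a);
    a.sin6_family = AF_INET6; a.sin6_port = htons(port);
    return IsHttpDestination(reinterpret_cast<const sockaddr*>(&a), sizeof a);
}

int main() {
    // Constructed sample: a browser on an intercepted socket, Internet not paid for.
    SocketState s; s.intercept = V4PortIsHttp(80); s.internet_paid = false;
    const char req[] = "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n";
    const char tls[] = "\x16\x03\x01\x00\x05";  // start of a TLS record, not HTTP
    std::printf("http request -> %d\n", static_cast<int>(DecideSend(s, req, sizeof req - 1)));
    std::printf("tls bytes    -> %d\n", static_cast<int>(DecideSend(s, tls, sizeof tls - 1)));
    return 0;
}
```

Inside a real LSP the port check runs in WSPConnect with the caller's name/namelen, and DecideSend runs in WSPSend with lpBuffers->buf and lpBuffers->len; a Block result is reported to the application by setting *lpErrno (for example to WSAECONNREFUSED) and returning SOCKET_ERROR instead of calling the next provider.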

2. Common project (Common folder). This project contains all the utilities provided with the Platform SDK examples, plus some GUID handling for our LSP.
3. Installer project (Installer folder) is the LSP installer. We changed its main function: we removed the command-line parsing and added a search for the TCP provider. During installation we now look up the ID of the TCP provider and rebuild the provider chain, putting our provider on top of TCP.


4. Service project (Service folder) is the traffic collector. It is a simple Windows service with functions for installing and uninstalling the service. The main function of our service also implements the socket server. All the service-management logic was kindly borrowed from MSDN. The server accepts all incoming connections and starts a separate thread for each application. That thread receives data delimited by the sequence "\r\n\r\n" (essentially two empty lines, which is also the end of an HTTP request head) and stores each piece in the storage:

    do {
        result = recv(clientSocket, buffer, PACKSIZE, 0);
        if (result > 0) {
            response += std::string(buffer, result);
            // the accumulated data may hold several messages, or only part of one
            do {
                position = response.find(messageTerminator);
                if (std::string::npos != position) {
                    if (!CollectorServer::Instance()->SaveData(
                            std::string(response.begin(), response.begin() + position))) {
                        return -1;
                    }
                    response = response.substr(position + messageTerminator.size());
                }
            } while (std::string::npos != position);
        } else {
            break;
        }
    } while (SOCKET_ERROR != result);
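To show the collector's reassembly logic in isolation, here is an added example (not the article's service code) that reassembles "\r\n\r\n"-delimited messages from arbitrary recv() chunks and turns each request head into one history line of the form "METHOD host path". The MessageFramer class, the SummarizeRequest function, the history-line format and the pending-size limit are assumptions made for this example; the sample chunks are constructed.

```cpp
// Added example: stream reassembly and history lines for the collector service.
// Not the article's service code; the summary format and the pending-size limit
// are assumptions made for this example.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// End of an HTTP request head, which the LSP also uses as the message delimiter.
static const std::string kMessageTerminator = "\r\n\r\n";

// Reassembles messages from the arbitrary chunks recv() returns: a chunk may hold
// several messages, or only part of one, and a message may span several chunks.
class MessageFramer {
public:
    // Feeds raw bytes; returns every complete message now available (terminator removed).
    std::vector<std::string> Feed(const char* data, size_t len) {
        buffer_.append(data, len);
        std::vector<std::string> out;
        size_t pos;
        while ((pos = buffer_.find(kMessageTerminator)) != std::string::npos) {
            out.push_back(buffer_.substr(0, pos));
            buffer_.erase(0, pos + kMessageTerminator.size());
        }
        // Assumed safety limit: a client that never sends the terminator must not
        // be able to grow the per-connection buffer without bound.
        if (buffer_.size() > kMaxPending) buffer_.clear();
        return out;
    }
    std::vector<std::string> Feed(const std::string& chunk) { return Feed(chunk.data(), chunk.size()); }
    size_t Pending() const { return buffer_.size(); }  // bytes of an incomplete message

private:
    enum { kMaxPending = 64 * 1024 };
    std::string buffer_;
};

static std::string Trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t");
    return s.substr(b, e - b + 1);
}

// Header names are case-insensitive, so "Host:" and "host:" must both match.
static bool StartsWithNoCase(const std::string& s, const char* prefix) {
    size_t n = std::strlen(prefix);
    if (s.size() < n) return false;
    for (size_t i = 0; i < n; ++i)
        if (std::tolower(static_cast<unsigned char>(s[i])) !=
            std::tolower(static_cast<unsigned char>(prefix[i]))) return false;
    return true;
}

// Turns a request head into "METHOD host request-target" ("-" when there is no
// Host header). Returns "" when the first line is not a request line.
std::string SummarizeRequest(const std::string& head) {
    std::vector<std::string> lines;
    size_t start = 0;
    while (start <= head.size()) {
        size_t end = head.find("\r\n", start);
        if (end == std::string::npos) { lines.push_back(head.substr(start)); break; }
        lines.push_back(head.substr(start, end - start));
        start = end + 2;
    }
    // request line: METHOD SP request-target SP HTTP-version
    size_t sp1 = lines[0].find(' ');
    size_t sp2 = (sp1 == std::string::npos) ? std::string::npos : lines[0].find(' ', sp1 + 1);
    if (sp2 == std::string::npos) return "";
    std::string method = lines[0].substr(0, sp1);
    std::string target = lines[0].substr(sp1 + 1, sp2 - sp1 - 1);
    std::string host = "-";
    for (size_t i = 1; i < lines.size(); ++i)
        if (StartsWithNoCase(lines[i], "host:")) { host = Trim(lines[i].substr(5)); break; }
    return method + " " + host + " " + target;
}

int main() {
    // Constructed sample: two requests arriving in three chunks, as recv() might deliver them.
    const char* chunks[] = {"GET /a HTTP/1.1\r\nHost: exa",
                            "mple.org\r\n\r\nPOST /b HTTP/1.1\r\nhost: x.org\r\n\r\nGET /c",
                            " HTTP/1.1\r\n\r\n"};
    MessageFramer framer;
    for (const char* c : chunks)
        for (const std::string& msg : framer.Feed(std::string(c)))
            std::printf("history: %s\n", SummarizeRequest(msg).c_str());
    return 0;
}
```

In the service, one MessageFramer lives in each per-client thread, and SummarizeRequest replaces the raw dump before SaveData so the history file records one line per request instead of whole headers.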

To start working with the project, build the whole Visual Studio solution, then put the NSI script into the build output folder and compile it. The result is the installer, setup.exe.
During installation setup.exe unpacks all the necessary files into their working folders: LSP.DLL goes to %SYSTEMROOT%\system32\LSP.dll, the service and the provider installer go to the Program Files folder, an uninstall shortcut is placed on the desktop, and the history file is created in the root of C:\.

Conclusions and tips

This article describes how to create your own provider and monitor all network traffic, but that is not the only use of the technology. You can just as easily implement logic to:
block HTTP requests and responses;
modify or drop traffic;
block connections (as a firewall does);
intercept SSL-encrypted connections, even as a man-in-the-middle. Keep in mind that the LSP sits below the application, so it sees TLS data only after the application has encrypted it; an actual MITM means redirecting the connection to a proxy whose certificate the client trusts.
Developing the LSP involved a lot of pitfalls, so, to avoid regretting a lost or broken Internet connection, use a virtual machine for testing. Rolling a VM image back to a previous snapshot is much more convenient than using Windows system recovery every time.
Most antivirus software also uses this technology, so you will find it in the chain of LSPs installed in your OS. Antiviruses can also get in the way when you test your LSP, because they filter traffic too.
You can add logic to ignore selected applications, so that our LSP does nothing but pass data through when the application is on the ignore list.

This tool was developed for 32-bit applications only, but it can easily be ported to 64-bit: rebuild the project as 64-bit and set the LspCatalog64Only flag when installing the provider. Note that 64-bit Windows keeps separate 32-bit and 64-bit Winsock catalogs and a process loads only LSPs from the catalog matching its own bitness, so covering every application means installing both a 32-bit and a 64-bit DLL. Note also that Microsoft deprecated LSPs starting with Windows 8 and recommends the Windows Filtering Platform for new filtering code.

To see the changes made to the Platform SDK example for this tool, compare the source against the original example; I also marked every added code block with the comment // ADDED.
Also note that you must generate a new GUID for your LSP to avoid collisions with other LSPs.

Useful links

Unfortunately there are not many references, but there are some.

0. Original article in English
1. MSDN and Platform SDK documentation.
2. There is also information on the LSP developers' website.

The project itself is available HERE.
The project is also posted on GitHub.

Source: https://habr.com/ru/post/162401/

