From: AG on 13 Jul 2010 05:10

Hello,

I am working on a taint tracing tool, and for this I would like to intercept socket opening and closing, and reads from sockets.

On Linux, this can be done by intercepting system calls (SYS_socketcall, SYS_read, SYS_close), but on Windows, how can I monitor such things? In the system call table (given by Metasploit), I don't see the equivalent calls. Though, monitoring the system calls during a simple client/server communication, I have identified the following function calls:

NtCreateFile (for socket opening?)
NtDeviceIoControlFile (for controlling the socket?)
NtRequestWaitReplyPort
NtWaitForSingleObject
NtQueryInformationProcess
NtClose
NtUnmapViewOfSection
NtAllocateVirtualMemory
NtTerminateProcess

I tried to display some of their buffers, without being able to find any of the transmitted data of the communication.

Is there a way to intercept the data buffers in use during read/write through a socket if I monitor system calls, or is it useless because things do not go the way I imagine?

Thanks in advance for your help,
AG.
From: Günter Prossliner on 13 Jul 2010 05:40

Hello AG!

> I am working on a taint tracing tool, and I for this I would like to
> intercept socket opening and closing, and reads from sockets.
>
> On linux, this can be done in intercepting system calls ...

Hooking system calls is not the way things are implemented in Windows (at least for current versions). Take a look at:

[Windows Filtering Platform] http://www.microsoft.com/whdc/device/network/wfp.mspx

GP
From: Krzysztof Uchronski on 13 Jul 2010 05:44

Hooking is a bad approach. Try Windows Filtering Platform (>= Vista) or something like an NDIS protocol driver (you will be able to monitor network traffic).

Kris

-----Original Message-----
From: AG [mailto:heyji2(a)gmail.com]
Posted At: Tuesday, July 13, 2010 10:10 AM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: monitoring "network" system calls
Subject: monitoring "network" system calls
From: AG on 13 Jul 2010 06:19

Hello Krzysztof,

On Jul 13, 11:44 am, "Krzysztof Uchronski" <krzysztof.uchron...(a)biglasagne.com> wrote:
> Hooking is bad approach. Try Windows Filtering Platform (>= Vista) or
> something like NDIS protocol driver (you will be able to monitor network
> traffic).

I will look into the NDIS protocol driver, but what I want is not hooking, it is monitoring for taint tracing purposes. Basically I want to trace data coming from a socket read() throughout an application. I do that with binary instrumentation. And this is why I need the addresses of the input buffers in memory, which is different information from the data itself.

I am fine if I can achieve this with an NDIS protocol driver, but I wonder if this is not too far (in the protocol stack) from the applications I am studying, and therefore if it won't provide wrong buffer addresses.

For the time being, I am working on an XP machine.

AG.
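The NtDeviceIoControlFile calls listed in the first post are where Winsock on XP actually moves data: ws2_32/mswsock hand recv/send requests to the AFD driver (\Device\Afd) through that one syscall, so the user buffer addresses that a taint tracer needs are not syscall arguments themselves but sit in a small request structure that the InputBuffer argument points at. The C program below is an added example, not code from the thread or from any of its participants. It models how a syscall-level tracer would decode such a captured call into the (address, length) ranges to taint. The AFD control codes and the AFD_WSABUF / AFD_RECV_INFO layouts are assumed from the public ReactOS AFD header (Microsoft does not document them); the captured call and its buffers are constructed inline.

```c
/* Added example, not code from the thread. Models the argument decoding a
 * syscall-level tracer on 32-bit XP would do on NtDeviceIoControlFile for a
 * socket (AFD) handle. Control codes and struct layouts are ASSUMED from the
 * public ReactOS AFD header; they are undocumented. Pointers are native-width
 * so this runs on any host; on 32-bit XP each pointer field is 4 bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AFD builds codes as (FILE_DEVICE_NETWORK << 12) | (op << 2) | METHOD_NEITHER,
 * which is why they look like 0x120xx rather than the usual CTL_CODE 0x1200xx. */
#define AFD_CTL(op)              ((0x12u << 12) | ((uint32_t)(op) << 2) | 3u)
#define IOCTL_AFD_BIND           AFD_CTL(0)   /* 0x12003 */
#define IOCTL_AFD_CONNECT        AFD_CTL(1)   /* 0x12007 */
#define IOCTL_AFD_RECV           AFD_CTL(5)   /* 0x12017 */
#define IOCTL_AFD_RECV_DATAGRAM  AFD_CTL(6)   /* 0x1201B, longer request struct */
#define IOCTL_AFD_SEND           AFD_CTL(7)   /* 0x1201F */

typedef struct { uint32_t len; char *buf; } AFD_WSABUF;   /* same shape as WSABUF */

typedef struct {
    AFD_WSABUF *BufferArray;   /* user-mode scatter/gather list */
    uint32_t    BufferCount;
    uint32_t    AfdFlags;
    uint32_t    TdiFlags;
} AFD_RECV_INFO;               /* AFD_SEND_INFO starts with the same fields */

/* The subset of NtDeviceIoControlFile arguments this decoding needs. */
typedef struct {
    uint32_t IoControlCode;
    void    *InputBuffer;        /* -> AFD_RECV_INFO for IOCTL_AFD_RECV */
    uint32_t InputBufferLength;
} DevIoCtlCall;

typedef struct { void *addr; uint32_t len; } TaintRange;

/* For IOCTL_AFD_RECV, fill out[] with the (address, length) pairs the kernel
 * will write network data into when the request completes. Returns the number
 * of ranges, 0 for any other ioctl, or -1 if InputBuffer cannot hold an
 * AFD_RECV_INFO (malformed or unexpected call: do not dereference it). */
int afd_recv_ranges(const DevIoCtlCall *c, TaintRange *out, int max_out)
{
    if (c->IoControlCode != IOCTL_AFD_RECV)
        return 0;
    if (c->InputBuffer == NULL || c->InputBufferLength < sizeof(AFD_RECV_INFO))
        return -1;
    const AFD_RECV_INFO *info = (const AFD_RECV_INFO *)c->InputBuffer;
    int n = 0;
    for (uint32_t i = 0; i < info->BufferCount && n < max_out; i++) {
        out[n].addr = info->BufferArray[i].buf;
        out[n].len  = info->BufferArray[i].len;
        n++;
    }
    return n;
}

const char *afd_name(uint32_t code)
{
    switch (code) {
    case IOCTL_AFD_BIND:          return "AFD_BIND";
    case IOCTL_AFD_CONNECT:       return "AFD_CONNECT";
    case IOCTL_AFD_RECV:          return "AFD_RECV";
    case IOCTL_AFD_RECV_DATAGRAM: return "AFD_RECV_DATAGRAM";
    case IOCTL_AFD_SEND:          return "AFD_SEND";
    default:                      return "other";
    }
}

/* Constructed sample: what a tracer captures for a two-buffer WSARecv().
 * Globals so the decoded result can be inspected after the call. */
char g_buf0[64], g_buf1[128];
TaintRange g_ranges[4];

int demo_recv_call(void)
{
    static AFD_WSABUF bufs[2];
    static AFD_RECV_INFO info;
    bufs[0].len = sizeof g_buf0; bufs[0].buf = g_buf0;
    bufs[1].len = sizeof g_buf1; bufs[1].buf = g_buf1;
    info.BufferArray = bufs; info.BufferCount = 2; info.AfdFlags = 0; info.TdiFlags = 0;
    DevIoCtlCall call = { IOCTL_AFD_RECV, &info, sizeof info };
    return afd_recv_ranges(&call, g_ranges, 4);
}

/* Same shape going out: a send is a taint sink, not a source, so 0 ranges. */
int demo_send_call(void)
{
    static AFD_WSABUF bufs[1] = { { 16, g_buf0 } };
    static AFD_RECV_INFO info = { bufs, 1, 0, 0 };
    DevIoCtlCall call = { IOCTL_AFD_SEND, &info, sizeof info };
    return afd_recv_ranges(&call, g_ranges, 4);
}

/* A recv whose InputBufferLength is too short to be a valid request: -1. */
int demo_short_call(void)
{
    DevIoCtlCall call = { IOCTL_AFD_RECV, g_buf0, 4 };
    return afd_recv_ranges(&call, g_ranges, 4);
}

int main(void)
{
    int n = demo_recv_call();
    printf("%s: %d range(s)\n", afd_name(IOCTL_AFD_RECV), n);
    for (int i = 0; i < n; i++)
        printf("  taint %u bytes at %p once the I/O completes\n", g_ranges[i].len, g_ranges[i].addr);
    printf("%s: %d range(s)\n", afd_name(IOCTL_AFD_SEND), demo_send_call());
    printf("short recv: %d\n", demo_short_call());
    return 0;
}
```

Two caveats follow from how AFD works. The ranges are only meaningful once the request completes: the syscall may return STATUS_PENDING and the data arrives later, which is why NtWaitForSingleObject shows up in the captured call list, and the IoStatusBlock's Information field gives the number of bytes actually received, so taint should cover only that many bytes from the start of the list, not the full buffer lengths. And since the tracer already uses binary instrumentation, hooking recv/WSARecv/ReadFile in user mode (ws2_32.dll, mswsock.dll, kernel32.dll) yields the same buffer addresses with none of this undocumented decoding; the syscall-level view is mainly useful when the instrumented program bypasses Winsock.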
From: Krzysztof Uchronski on 13 Jul 2010 11:22

I'm not sure I understand what "taint tracing purpose" is and binary instrumentation in this particular case, but never mind. I can only suggest looking at the WinPcap project and maybe TDI filter drivers (IIRC they should be higher in the network stack, above NDIS, but I think you can't use them on Win7 and higher).

Kris

-----Original Message-----
From: AG [mailto:heyji2(a)gmail.com]
Posted At: Tuesday, July 13, 2010 11:19 AM
Posted To: microsoft.public.win32.programmer.kernel
Conversation: monitoring "network" system calls
Subject: Re: monitoring "network" system calls