Click here to Skip to main content
Click here to Skip to main content

Internet Traffic Firewall and Sniffer

, 23 Oct 2007 GPL3
Rate this:
Please Sign up or sign in to vote.
The article demonstrates internet packets interception with firewall capabilities based on IpFilterDriver driver and sending TCP/UDP/ICMP packets using raw sockets with IP spoofing support.

Introduction

Some time ago, I developed a Sniffer/Firewall GUI application which allows monitoring internet traffic, sending raw TCP/UDP/ICMP packets with any source IP you'd like using raw sockets. It is based on IpFilterDriver. I used Developing Firewalls for Windows 2000/XP article when studying how to intercept internet traffic and wrote a simple driver with Windows 2000 DDK for that purpose. I developed and used it successfully under WinXP. However, I recently migrated to Vista and it is not able to intercept internet traffic under that OS but is executing all functions without error. The Vista firewall does not use IpFilterDriver as it is disabled and I do not use any additional ones. However I tried to turn off Vista's firewall but the interception still did not occur.

Background

You need to have an understanding of TCP/IP for sending raw packets and interpreting intercepted traffic contents. If you'd like to extend the developed driver and figure out why it does not capture packets under Vista, you should have experience with DDK.

Using the Code

The MFC application is developed with SDI Document/View architecture. Go to FireWall menu and click IPhookON. This will start the userdrv.sys driver and IpFilterDriver. The first one is developed by me to intercept packets using ipfltdrv.sys windows driver. If no errors are encountered you'll notice IpFilter: ON displayed at the status bar right corner. To stop interception click IPhookOFF. The same procedure applies if you want to enable raw sockets, click Packs->StartRAW. After rawsock: ON notification in the status bar you'll be able to send raw sockets. Just go to Packs->IP4 menu and choose TCP, UDP or ICMP one. The two wide edit boxes in the middle of the dialog are source and destination IPs in text format like 127.0.0.1. The same for the ports, first is the source and second edit box is the destination one. The bottom large edit box is for the text message you want to send (currently supports only text data, just meddle with the code to add binary).

Through the Settings... menu you can control FireWall parameters sent to userdrv.sys.

firewall settings

Drop TCP SYN and drop TCP RST enable it to drop incoming TCP SYN packets and outgoing TCP RST packets. The latter is useful if you initiate connection with raw sockets and prevent windows from sending reset packets to the remote host. Drop ICMP * tells the driver to drop incoming ICMP packets of the corresponding type. UDP range is the allowed interval of incoming UDP packets ports. You can also log packets to windows\pmyfire.log file by checking the bottom box.

You may also use promiscuous mode to track the packets using FireWall->PromiscON but without controlling the traffic.

The additional helper classes I developed in the project are:

  • CPacket
  • CDriver

With CPacket class you can send TCP, UDP and ICMP raw packets.

int sendudp(SOCKET s, ip4_header *, 
    udp_header *, char *data = 0, int size = 0);

int sendtcp(SOCKET s, ip4_header *, 
    tcp_header *, char *data = 0, int size = 0);

int sendicmp(SOCKET s, ip4_header *, icmp_header *);

With CDriver class you can start, stop, send IOCTL codes to system drivers and remove them from the registry.

bool drvStart(LPCTSTR, LPCTSTR servpath = 0, 
    LPCTSTR linkname = 0, LPCTSTR info = 0);

DWORD drvIOCTL(DWORD code, LPVOID in = 0, DWORD inlen = 0, 
    LPVOID out = 0, DWORD outlen = 0);

bool drvStop(LPCTSTR servname = 0, DWORD timeout = 30000);

bool drvDelete(LPCTSTR servname = 0);

Just have a look at the CSnifferDoc class on how to use them properly.

Points of Interest

The nice feature you may find in the context menu clicking on a particular packet. You may actually create a fake connection by using CSnifferDoc::Onsynack, CSnifferDoc::Onack, CSnifferDoc::OnPshack, CSnifferDoc::OnFinack. Do not forget to drop outgoing TCP reset packets. The intruder thinks you have got a lot of open ports (depends on which SYN you reply ACK) to his delight and rubs his hands! You may confuse him quite a lot by sending fake data also. Works fine in text messages after he got himself 'connected' to port 80.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)

Share

About the Author

Chesnokov Yuriy
Engineer
Russian Federation Russian Federation
No Biography provided

Comments and Discussions

 
QuestionCan you send sniffer.rc2 file? PinmemberMember 26884814-Nov-11 1:03 
GeneralRejecting outgoing ip connections Pinmemberseer_tenedos22-Jun-10 13:08 
GeneralRe: Rejecting outgoing ip connections PinmemberChesnokov Yuriy2-Jun-10 23:15 
Generalbad word filter to protect my kids. with [***********] 's PinmemberZUPERKOOL7-Feb-10 10:13 
AnswerRe: bad word filter to protect my kids. with [***********] 's PinmemberChesnokov Yuriy7-Feb-10 21:23 
General[Message Deleted] Pinmemberit.ragester2-Apr-09 22:55 
Generalres folder has been missed Pinmemberhakem13-Feb-09 8:30 
AnswerRe: res folder has been missed PinmemberChesnokov Yuriy19-Feb-09 21:17 
GeneralDRIVER_IRQL_NOT_LESS_OR_EQUAL PinmemberKerem Guemruekcue29-Jun-08 8:22 
Hi,
 
i got this from your driver. Maybe you are interested in the message.
My System is XP Pro, with SP3 up2date. Here is a bugcheck "!analyse -v" for you from kernel code:
 
....................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck D1, {e5cbf000, 2, 1, f27e5727}
 
*** ERROR: Module load completed but symbols could not be loaded for userdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for nwfs.sys
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Probably caused by : userdrv.sys ( userdrv+1727 )
 
Followup: MachineOwner
---------
 
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: e5cbf000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f27e5727, address which referenced memory
 
Debugging Details:
------------------
 
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
 
WRITE_ADDRESS: e5cbf000 Paged pool
 
CURRENT_IRQL: 2
 
FAULTING_IP:
userdrv+1727
f27e5727 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
 
DEFAULT_BUCKET_ID: DRIVER_FAULT
 
BUGCHECK_STR: 0xD1
 
PROCESS_NAME: spamihilator.ex
 
TRAP_FRAME: f27bb670 -- (.trap 0xfffffffff27bb670)
ErrCode = 00000002
eax=00000014 ebx=00000014 ecx=00000002 edx=00000014 esi=8551332c edi=e5cbf000
eip=f27e5727 esp=f27bb6e4 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
userdrv+0x1727:
f27e5727 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
 
LAST_CONTROL_TRANSFER: from f27e5727 to 804e187f
 
STACK_TEXT:
f27bb670 f27e5727 badb0d00 00000014 f27e54d6 nt!KiTrap0E+0x233
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 userdrv+0x1727
 

STACK_COMMAND: kb
 
FOLLOWUP_IP:
userdrv+1727
f27e5727 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
 
SYMBOL_STACK_INDEX: 1
 
SYMBOL_NAME: userdrv+1727
 
FOLLOWUP_NAME: MachineOwner
 
MODULE_NAME: userdrv
 
IMAGE_NAME: userdrv.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP: 41f74075
 
FAILURE_BUCKET_ID: 0xD1_W_userdrv+1727
 
BUCKET_ID: 0xD1_W_userdrv+1727
 
Followup: MachineOwner
---------
 
kd> .trap 0xfffffffff27bb670
ErrCode = 00000002
eax=00000014 ebx=00000014 ecx=00000002 edx=00000014 esi=8551332c edi=e5cbf000
eip=f27e5727 esp=f27bb6e4 ebp=00000000 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
userdrv+0x1727:
f27e5727 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> lmvm userdrv
start end module name
f27e4000 f27ec000 userdrv (no symbols)
Loaded symbol image file: userdrv.sys
Image path: \??\C:\Dokumente und Einstellungen\Administrator\Desktop\userdrv.sys
Image name: userdrv.sys
Timestamp: Wed Jan 26 08:02:13 2005 (41F74075)
CheckSum: 00002BF9
ImageSize: 00008000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
 

 
Regards
 

Kerem
 
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Latest Open-Source Projects: codeplex, sourceforge
-----------------------
"This reply is provided as is, without warranty express or implied."

Answerdata compression program to gui Pinmembergeetikasuri10-Dec-07 7:32 
GeneralI'm sorry... PinmemberSlimFast200024-Oct-07 0:06 
GeneralRe: I'm sorry... demo.zip should be uploaded PinmemberChesnokov Yuriy24-Oct-07 1:17 
GeneralRe: I'm sorry... demo.zip should be uploaded PinmemberSlimFast200024-Oct-07 1:59 
Generalsniffer_demo.zip PinmemberChesnokov Yuriy23-Oct-07 23:01 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.141220.1 | Last Updated 24 Oct 2007
Article Copyright 2007 by Chesnokov Yuriy
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid