Some time ago, I developed a Sniffer/Firewall GUI application which allows monitoring internet traffic, sending raw TCP/UDP/ICMP packets with any source IP you'd like using raw sockets. It is based on
IpFilterDriver. I used Developing Firewalls for Windows 2000/XP article when studying how to intercept internet traffic and wrote a simple driver with Windows 2000 DDK for that purpose. I developed and used it successfully under WinXP. However, I recently migrated to Vista and it is not able to intercept internet traffic under that OS but is executing all functions without error. The Vista firewall does not use
IpFilterDriver as it is disabled and I do not use any additional ones. However, I tried to turn off Vista's firewall but the interception still did not occur.
You need to have an understanding of TCP/IP for sending raw packets and interpreting intercepted traffic contents. If you'd like to extend the developed driver and figure out why it does not capture packets under Vista, you should have experience with DDK.
Using the Code
The MFC application is developed with SDI Document/View architecture. Go to FireWall menu and click IPhookON. This will start the userdrv.sys driver and
IpFilterDriver. The first one is developed by me to intercept packets using ipfltdrv.sys windows driver. If no errors are encountered, you'll notice
IpFilter: ON displayed at the status bar right corner. To stop interception, click IPhookOFF. The same procedure applies if you want to enable raw sockets, click Packs->StartRAW. After
rawsock: ON notification in the status bar, you'll be able to send raw sockets. Just go to Packs->IP4 menu and choose TCP, UDP or ICMP one. The two wide edit boxes in the middle of the dialog are source and destination IPs in text format like 127.0.0.1. The same for the ports, first is the source and second edit box is the destination one. The bottom large edit box is for the text message you want to send (currently supports only text data, just meddle with the code to add binary).
Through the Settings... menu, you can control FireWall parameters sent to userdrv.sys.
Drop TCP SYN and drop TCP RST, enable it to drop incoming TCP SYN packets and outgoing TCP RST packets. The latter is useful if you initiate connection with raw sockets and prevent windows from sending reset packets to the remote host. Drop ICMP * tells the driver to drop incoming ICMP packets of the corresponding type. UDP range is the allowed interval of incoming UDP packets ports. You can also log packets to windows\pmyfire.log file by checking the bottom box.
You may also use promiscuous mode to track the packets using FireWall->PromiscON but without controlling the traffic.
The additional helper classes I developed in the project are:
CPacket class, you can send TCP, UDP and ICMP raw packets.
int sendudp(SOCKET s, ip4_header *,
udp_header *, char *data = 0, int size = 0);
int sendtcp(SOCKET s, ip4_header *,
tcp_header *, char *data = 0, int size = 0);
int sendicmp(SOCKET s, ip4_header *, icmp_header *);
CDriver class, you can start, stop, send IOCTL codes to system drivers and remove them from the registry.
bool drvStart(LPCTSTR, LPCTSTR servpath = 0,
LPCTSTR linkname = 0, LPCTSTR info = 0);
DWORD drvIOCTL(DWORD code, LPVOID in = 0, DWORD inlen = 0,
LPVOID out = 0, DWORD outlen = 0);
bool drvStop(LPCTSTR servname = 0, DWORD timeout = 30000);
bool drvDelete(LPCTSTR servname = 0);
Just have a look at the
CSnifferDoc class on how to use them properly.
Points of Interest
The nice feature you may find in the context menu clicking on a particular packet. You may actually create a fake connection by using
CSnifferDoc::OnFinack. Do not forget to drop outgoing TCP reset packets. The intruder thinks you have got a lot of open ports (depends on which SYN you reply ACK) to his delight and rubs his hands! You may confuse him quite a lot by sending fake data also. Works fine in text messages after he got himself 'connected' to port 80.
- 24th October, 2007: Initial version