How to get original destination address from proxied packet

  • Question

  • I need to find the original destination address from a proxied packet and block that network transfer. Can this be done in a WFP driver? Which WFP layers are good places to inspect a proxied packet and find the original destination address?
    Tuesday, June 12, 2012 4:25 PM

Answers

  • There are multiple ways that packets can be proxied.  If the proxy is happening using injection, then you'd need to inspect what is being done at whatever layer the proxying occurs (if using injection for proxying, we recommend using FWPM_LAYER_{INBOUND | OUTBOUND}_TRANSPORT_V{4 | 6}).

    In Win7, we introduced FWPM_LAYER_CONNECT_REDIRECT_V{4 | 6} and FWPM_LAYER_BIND_REDIRECT_V{4 | 6}, which are the recommended method for redirecting.  The former redirects the connection, while the latter redirects the socket. Again you would need to inspect at these layers to see what is being done (and likely more inspection at FWPM_LAYER_AUTH_CONNECT_V{4 | 6} to correlate the original with the new).

    In Win8, we added REDIRECT_RECORDS which can be queried and walked to find the original tuples.  At FWPM_LAYER_ALE_AUTH_CONNECT_V{4 | 6}, if the connection was redirected via the redirect layers, you are indicated a redirectRecordHandle in the metadata, and can call FwpsQueryConnectionSioFormatRedirectRecords().  Additionally you will be indicated the original AppID.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------


    Friday, June 15, 2012 5:31 PM
    Moderator
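The security point in the answer above is that once a bind- or connect-redirect callout has rewritten a connection, the tuple a later ALE_AUTH_CONNECT classify sees is the proxy's address, not the one the application asked for, so an address-based block policy evaluated on that tuple is silently bypassed unless the redirect records are walked back to the original destination. The following C model is an added example, not code from the thread or from the Windows WFP API: the record chain, the `connect_event_t`, `redirect_record_t`, `decide_naive` and `decide_with_records` names, and the blocked 203.0.113.0/24 network are all constructed here to illustrate the correlation logic. In a real callout the handle comes from `FWPS_METADATA_FIELD_REDIRECT_RECORD_HANDLE` in the classify metadata and the records are obtained through the kernel-mode Fwps query routines, which cannot run outside a driver.

```c
// Illustrative model of "walk the redirect records to the original tuple".
// NOT the WFP API: in a driver the record handle is read from the classify
// metadata and resolved with the Fwps* query routines. Here the chain is an
// in-memory list with constructed values so the logic can run anywhere.
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t addr; uint16_t port; } endpoint_t;

// One redirect record: the remote endpoint *before* a redirect layer rewrote it.
// Chained because a connection may be redirected more than once (two proxies).
typedef struct redirect_record {
    endpoint_t original_remote;
    const struct redirect_record *previous;  // earlier redirect, NULL if first
} redirect_record_t;

// What an ALE_AUTH_CONNECT classify observes: the current (post-redirect)
// remote endpoint plus, if redirected, a handle to the record chain.
typedef struct {
    endpoint_t remote;                         // e.g. the local proxy listener
    const redirect_record_t *redirect_record;  // NULL when not redirected
} connect_event_t;

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum { VERDICT_BLOCK = 0, VERDICT_PERMIT = 1 };

// Walk to the earliest record: the destination the application actually requested.
static endpoint_t original_destination(const connect_event_t *ev) {
    const redirect_record_t *r = ev->redirect_record;
    if (r == NULL) return ev->remote;          // not proxied: the tuple is genuine
    while (r->previous != NULL) r = r->previous;
    return r->original_remote;
}

// Constructed block policy: deny everything in 203.0.113.0/24.
static int in_blocked_network(endpoint_t e) {
    return (e.addr & 0xFFFFFF00u) == IPV4(203, 0, 113, 0);
}

// Naive decision on the post-redirect tuple: blind to the original destination.
int decide_naive(const connect_event_t *ev) {
    return in_blocked_network(ev->remote) ? VERDICT_BLOCK : VERDICT_PERMIT;
}

// Correct decision: evaluate the policy on the recovered original destination.
int decide_with_records(const connect_event_t *ev) {
    return in_blocked_network(original_destination(ev)) ? VERDICT_BLOCK : VERDICT_PERMIT;
}

// Constructed scenario data (static so the chain pointers stay valid).
// Hop 1: app asked for 203.0.113.10:443, redirected to proxy 127.0.0.1:8080.
static const redirect_record_t rec_hop1 = { { IPV4(203, 0, 113, 10), 443 }, NULL };
// Hop 2: a second callout redirected 127.0.0.1:8080 again, to 127.0.0.1:9090.
static const redirect_record_t rec_hop2 = { { IPV4(127, 0, 0, 1), 8080 }, &rec_hop1 };

// Direct connection to the blocked network, no redirect at all.
int scenario_direct(void) {
    const connect_event_t ev = { { IPV4(203, 0, 113, 10), 443 }, NULL };
    return decide_with_records(&ev);           // VERDICT_BLOCK
}
// Proxied once; the naive policy only sees 127.0.0.1 and lets it through.
int scenario_proxied_naive(void) {
    const connect_event_t ev = { { IPV4(127, 0, 0, 1), 8080 }, &rec_hop1 };
    return decide_naive(&ev);                  // VERDICT_PERMIT (policy bypassed)
}
int scenario_proxied_with_records(void) {
    const connect_event_t ev = { { IPV4(127, 0, 0, 1), 8080 }, &rec_hop1 };
    return decide_with_records(&ev);           // VERDICT_BLOCK
}
// Proxied twice: the walk must reach the earliest record, not just one hop back.
uint32_t scenario_proxied_twice_original_addr(void) {
    const connect_event_t ev = { { IPV4(127, 0, 0, 1), 9090 }, &rec_hop2 };
    return original_destination(&ev).addr;     // 203.0.113.10
}

int main(void) {
    printf("direct to blocked net          : %s\n", scenario_direct() ? "permit" : "block");
    printf("proxied, naive policy          : %s\n", scenario_proxied_naive() ? "permit" : "block");
    printf("proxied, redirect records used : %s\n", scenario_proxied_with_records() ? "permit" : "block");
    printf("proxied twice, original addr   : 0x%08x\n", scenario_proxied_twice_original_addr());
    return 0;
}
```

The contrast between `scenario_proxied_naive` and `scenario_proxied_with_records` is the reason the answer recommends correlating at ALE_AUTH_CONNECT through the redirect record handle rather than trusting the tuple presented there.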

All replies

  • Thanks for your help Dusty.

    I'll try what you suggested.

    Monday, June 18, 2012 12:24 PM
  • Hi, have you solved your question? Please give me some help. I also want to get the original address of a redirected connect. My email is lxf20054658@163.com. Thanks!
    Friday, June 5, 2015 1:44 AM