Tracking CONNECT_REDIRECT sockets on Windows 7

  • Question

  • Hello

    I need to connect_redirect every socket with destination port = 80, i.e. HTTP traffic, to a local process (a local web server). This local process makes the decision whether to allow the webpage to continue or redirect it to a different webpage.

    Now I am redirecting every webpage (the sockets associated with it) to the process (for such decision making), and if the process redirects the webpage to a different destination, my filter would still catch the redirected page (which it should allow to pass through without redirection, or else it will be caught in an infinite loop). How do I detect that I have previously redirected the page when the redirected page's sockets try to Connect()?

    Thanks in advance


    ___________ Regards Umar Yaqoob ___________

    Thursday, July 17, 2014 3:15 PM

All replies

  • Proxy connection tracking. The docs are here

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Proposed as answer by Brian Catlin Thursday, July 17, 2014 6:13 PM
    • Unproposed as answer by Umar Yaqoob Thursday, July 17, 2014 10:38 PM
    Thursday, July 17, 2014 6:13 PM
  • 1. Thanks for the reply, Brian, but as I have already mentioned in the post, I want to do it for Windows 7, as this inbuilt tracking is only available for Windows 8 and later.

    2. Moreover, will it be the same socket (used before redirection) that will be used for loading the redirected webpage?


    ___________ Regards Umar Yaqoob ________


    • Edited by Umar Yaqoob Thursday, July 17, 2014 10:42 PM
    Thursday, July 17, 2014 10:38 PM
  • You might be able to do it with packet (NBL) tagging, which is supported on Win7+. The docs are here

     -Brian



    Thursday, July 17, 2014 10:57 PM
  • 1. Aaa! I have been looking at this doc, and perhaps I will have to leave the comfort of the Connect_Redirect layer and go back to proxying on a per-packet basis

    OR

    Could it be used with Connect_Redirect?

    2. How about the flowcontext parameter that I receive in the Connect classify function? Could a separate context be associated with every Connect_Redirect (i.e. for each socket) such that it could be recognised the next time it comes back in?



    ___________ Regards Umar Yaqoob ___________


    • Edited by Umar Yaqoob Thursday, July 17, 2014 11:31 PM
    Thursday, July 17, 2014 11:27 PM
  • You can use as many contexts as you like; they are just LUIDs, so practically speaking, they cannot run out (if you allocated a LUID once every nanosecond, you wouldn't run out for 584 years, and I'm pretty sure you'd have to reboot before then ;-). I haven't used it with connect_redirect, so I don't know. Please let me know if it works

     -Brian



    Friday, July 18, 2014 12:28 AM