Discussion:
monitoring "network" system calls
AG
2010-07-13 09:10:28 UTC
Hello,

I am working on a taint tracing tool, and for this I would like to
intercept socket opening and closing, and reads from sockets.

On Linux, this can be done by intercepting system calls
(SYS_socketcall, SYS_read, SYS_close), but on Windows, how can I
monitor such things? In the system call table (given by Metasploit),
I don't see the equivalent calls. However, monitoring the system calls
during a simple client/server communication, I have identified the
following function calls:

NtCreateFile (for socket opening ?)
NtDeviceIoControlFile (for controlling the socket ?)
NtRequestWaitReplyPort
NtWaitForSingleObject
NtQueryInformationProcess
NtClose
NtUnmapViewOfSection
NtAllocateVirtualMemory
NtTerminateProcess

I tried to display some of their buffers, without being able to find
any of the transmitted data of the communication.

Is there a way to intercept the data buffers in use during read/write
through a socket if I monitor system calls, or is it useless because
things do not go the way I imagine?

Thanks in advance for your help,

AG.
Günter Prossliner
2010-07-13 09:40:05 UTC
Hello AG!
Post by AG
I am working on a taint tracing tool, and for this I would like to
intercept socket opening and closing, and reads from sockets.
On Linux, this can be done by intercepting system calls ...
Hooking system calls is not the way things are implemented in Windows (at
least for current versions).

Take a look at:

[Windows Filtering Platform]
http://www.microsoft.com/whdc/device/network/wfp.mspx



GP
Krzysztof Uchronski
2010-07-13 09:44:53 UTC
Hooking is a bad approach. Try the Windows Filtering Platform (>= Vista) or
something like an NDIS protocol driver (you will be able to monitor network
traffic).

Kris

AG
2010-07-13 10:19:06 UTC
Hello Krzysztof,

On Jul 13, 11:44 am, "Krzysztof Uchronski"
Post by Krzysztof Uchronski
Hooking is a bad approach. Try the Windows Filtering Platform (>= Vista) or
something like an NDIS protocol driver (you will be able to monitor network
traffic).
I will look into an NDIS protocol driver, but what I want is not hooking,
it is monitoring for taint tracing purposes. Basically I want to trace
data coming from a socket read() throughout an application. I do that
with binary instrumentation. And this is why I need the addresses of the
input buffers in memory, which is different information from the data
themselves.

I am fine if I can achieve this with an NDIS protocol driver, but I
wonder if this is not too far (in the protocol stack) from the
applications I am studying, and therefore whether it won't provide wrong
buffer addresses.

For the time being, I am working on an XP machine.

AG.
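Editor's note with an added example (not code from the thread or from any of the posters). On Windows, Winsock's recv()/WSARecv() does not reach the kernel as a "read": ws2_32/mswsock hand the socket handle (a file object on the AFD driver) to NtDeviceIoControlFile, and the application's buffers are not in that call's output buffer at all. They are referenced by pointer from its input buffer, an AFD_RECV_INFO whose BufferArray points at AFD_WSABUF {len, buf} entries, which is why dumping the syscall's own buffers showed none of the payload. The byte count actually delivered arrives afterwards in IoStatusBlock.Information. The code below walks those structures the way a syscall-entry/exit instrumentation point would, producing exactly the address ranges a taint tracker has to mark on return. Assumptions: the structure layouts and the IOCTL_AFD_RECV/IOCTL_AFD_SEND values are taken from ReactOS's definition of the AFD interface (verify them on your own target); the target is 32-bit XP, so pointer fields are 4 bytes (they are 8 on x64 and WoW64 buffers are still 32-bit); the host is little-endian; target_image, read_target, demo_recv_taint and the constructed memory image are stand-ins so the example runs offline, whereas inside a Pin tool the addresses are readable directly. The send path is the mirror image (AFD_SEND_INFO on IOCTL_AFD_SEND) and is only rejected here.

```c
/* Added example (not from the thread): recover the application buffers behind a
 * Winsock recv() from the NtDeviceIoControlFile arguments, so a taint tracker can
 * mark exactly the received bytes as tainted. Assumes a 32-bit XP target (4-byte
 * pointers), a little-endian host, and the AFD structures/IOCTL values as
 * published in ReactOS's afd/shared.h; verify them on the real target. */
#include <inttypes.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* FILE_DEVICE_NETWORK (0x12) << 12 | operation << 2 | METHOD_NEITHER (3) */
#define IOCTL_AFD_RECV 0x12017u   /* AFD_RECV = 5 */
#define IOCTL_AFD_SEND 0x1201fu   /* AFD_SEND = 7 */
#define MAX_BUFFERS 16

/* 32-bit layouts of AFD_WSABUF and AFD_RECV_INFO (the IOCTL input buffer). */
typedef struct { uint32_t len; uint32_t buf; } afd_wsabuf32;
typedef struct {
    uint32_t buffer_array;   /* PAFD_WSABUF: array of buffer_count entries */
    uint32_t buffer_count;
    uint32_t afd_flags;
    uint32_t tdi_flags;
} afd_recv_info32;

typedef struct { uint32_t addr; uint32_t len; } mem_range;

/* Hypothetical snapshot of the traced process's memory. Inside a Pin tool the
 * addresses are readable directly; this image stands in so the code runs offline. */
typedef struct { uint32_t base; const uint8_t *bytes; size_t size; } target_image;

/* Bounds-checked read of n bytes at target address addr; 0 if not in the image.
 * Every pointer here came from user mode, so never dereference it unchecked. */
static int read_target(const target_image *img, uint32_t addr, void *out, size_t n)
{
    if (addr < img->base) return 0;
    uint64_t off = (uint64_t)addr - img->base;
    if (off + n > img->size) return 0;
    memcpy(out, img->bytes + off, n);
    return 1;
}

/* Syscall entry: if this NtDeviceIoControlFile is an AFD receive, decode the
 * AFD_RECV_INFO in its input buffer into the user buffers recv()/WSARecv()
 * supplied. Returns the buffer count, or -1 if it is not a receive or the
 * descriptor is malformed or points outside the image. */
int afd_recv_buffers(const target_image *img, uint32_t ioctl,
                     uint32_t in_buf, uint32_t in_len,
                     mem_range *out, size_t max_out)
{
    afd_recv_info32 info;
    if (ioctl != IOCTL_AFD_RECV) return -1;
    if (in_len < sizeof info || !read_target(img, in_buf, &info, sizeof info)) return -1;
    if (info.buffer_count == 0 || info.buffer_count > max_out) return -1;  /* cap untrusted count */
    for (uint32_t i = 0; i < info.buffer_count; i++) {
        afd_wsabuf32 wb;
        uint32_t entry = info.buffer_array + i * (uint32_t)sizeof wb;
        if (!read_target(img, entry, &wb, sizeof wb)) return -1;
        out[i].addr = wb.buf;
        out[i].len  = wb.len;
    }
    return (int)info.buffer_count;
}

/* Syscall exit: IoStatusBlock.Information is the byte count AFD delivered.
 * Scatter it across the buffers in order so only bytes that really arrived
 * become tainted (a short read leaves the tail of the last buffer clean). */
int received_ranges(const mem_range *bufs, int nbufs, uint32_t received, mem_range *out)
{
    int n = 0;
    for (int i = 0; i < nbufs && received > 0; i++) {
        uint32_t take = bufs[i].len < received ? bufs[i].len : received;
        if (take == 0) continue;
        out[n].addr = bufs[i].addr;
        out[n].len  = take;
        n++;
        received -= take;
    }
    return n;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample image: the descriptors an x86 XP client passes for a recv
 * into two scatter buffers (16 and 32 bytes); AFD then delivers 20 bytes. */
int demo_recv_taint(mem_range *out, size_t max_out)
{
    uint8_t mem[0x40] = {0};
    const uint32_t base = 0x0012ff00u;
    put32(mem + 0x00, base + 0x20);                           /* AFD_RECV_INFO.BufferArray */
    put32(mem + 0x04, 2);                                     /* .BufferCount */
    put32(mem + 0x20, 16); put32(mem + 0x24, 0x00400000u);    /* AFD_WSABUF[0] */
    put32(mem + 0x28, 32); put32(mem + 0x2c, 0x00401000u);    /* AFD_WSABUF[1] */

    target_image img = { base, mem, sizeof mem };
    mem_range bufs[MAX_BUFFERS];
    int nbufs = afd_recv_buffers(&img, IOCTL_AFD_RECV, base, sizeof(afd_recv_info32),
                                 bufs, MAX_BUFFERS);
    if (nbufs < 0 || (size_t)nbufs > max_out) return -1;
    return received_ranges(bufs, nbufs, 20, out);             /* Information == 20 */
}

/* Scalar accessors over the demo result. */
int demo_taint_count(void) { mem_range r[MAX_BUFFERS]; return demo_recv_taint(r, MAX_BUFFERS); }
uint32_t demo_taint_addr(int i) { mem_range r[MAX_BUFFERS]; int n = demo_recv_taint(r, MAX_BUFFERS); return (i >= 0 && i < n) ? r[i].addr : 0; }
uint32_t demo_taint_len(int i)  { mem_range r[MAX_BUFFERS]; int n = demo_recv_taint(r, MAX_BUFFERS); return (i >= 0 && i < n) ? r[i].len : 0; }

int main(void)
{
    mem_range r[MAX_BUFFERS];
    int n = demo_recv_taint(r, MAX_BUFFERS);
    for (int i = 0; i < n; i++)
        printf("taint %" PRIu32 " bytes at 0x%08" PRIx32 "\n", r[i].len, r[i].addr);
    return n < 0;
}
```

Run stand-alone it reports 16 bytes at 0x00400000 and 4 bytes at 0x00401000: the second buffer is only partly filled, so a tracker that tainted whole buffers by their declared length would over-taint 28 clean bytes. The same decode applies to the IOCTL input of NtDeviceIoControlFile whichever way you reach it (a Pin syscall hook, a user-mode Detours hook on the Nt* stub, or a Winsock-level hook on WSARecv, which sees the same WSABUF array before it is wrapped).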
Krzysztof Uchronski
2010-07-13 15:22:24 UTC
I'm not sure I understand what "taint tracing purpose" is and binary
instrumentation in this particular case, but never mind.
I can only suggest looking at the WinPcap project and maybe TDI filter
drivers (IIRC they should be higher in the network stack, above NDIS,
but I think you can't use them on Win7 and higher).

Kris

m
2010-07-13 22:32:53 UTC
look at Detours in MSDN
AG
2010-07-15 18:09:01 UTC
Post by m
look at Detours in MSDN
Hello m,

I have difficulty accessing the web page on the Microsoft web site. But
I have seen that it is dated from 1999, and I assume it does the same
thing as PIN (from Intel), which I am using for this.

But I will definitely try to have a look, as well as at the TDI filters,
and come back if it is not what I need.

Thank you all.

AG.
