AG
2010-07-13 09:10:28 UTC
Hello,
I am working on a taint tracing tool, and for this I would like to
intercept socket opening and closing, and reads from sockets.
On Linux, this can be done by intercepting system calls
(SYS_socketcall, SYS_read, SYS_close), but on Windows, how can I
monitor such things? In the system call table (given by Metasploit),
I don't see the equivalent calls. However, monitoring the system calls
during a simple client/server communication, I have identified the
following function calls:
NtCreateFile (for socket opening?)
NtDeviceIoControlFile (for controlling the socket?)
NtRequestWaitReplyPort
NtWaitForSingleObject
NtQueryInformationProcess
NtClose
NtUnmapViewOfSection
NtAllocateVirtualMemory
NtTerminateProcess
I tried to display some of their buffers, without being able to find
any of the transmitted data of the communication.
Is there a way to intercept the data buffers in use during read/write
through a socket if I monitor system calls, or is it useless because
things do not go the way I imagine?
Thanks in advance for your help,
AG.