12

I am using GetHostByName to get the IP address from a host/DNS name. I also have Kaspersky Internet Security 2013 and noticed that GetHostByName gets picked up by it. It seems that my process tries to create a subkey in hklm\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS. This actually means that I CAN NOT use this function if the user does NOT have any Administrator rights. Is there any other way to resolve a host/DNS name?

EDIT: Here is a screenshot:

[screenshot of the Kaspersky detection; image not included]

EDIT2: I actually used getaddrinfo and KIS did not "detect anything". I would like to use it, but I would still like to have support for Win2K.

EDIT3: Added debug screenshot:

[OllyDbg debug screenshot; image not included]

EDIT4: That's my "Test" code:

program Project2;

{$APPTYPE CONSOLE}

uses
  Winsock;

var
    DummyWSA : WSADATA;

begin
  // Initialise WinSock 2.2; gethostbyname needs a successful WSAStartup first
  if WSAStartup($0202, DummyWSA) = 0 then begin
    GetHostByName ('localhost');   // returned PHostEnt deliberately ignored
    WSACleanup;                    // release WinSock when done
  end;
  readln;
end.

EDIT5: GetAddrInfo Version...

program Project2;

{$APPTYPE CONSOLE}

uses
  Winsock;

type
  PAddrInfo = ^TAddrInfo;
  // Mirrors the Win32 ADDRINFOA structure (ws2tcpip.h). All fields are
  // 4-byte aligned on 32-bit Windows, so 'packed' is not needed.
  TAddrInfo = record
    ai_flags: Integer;
    ai_family: Integer;
    ai_socktype: Integer;
    ai_protocol: Integer;
    ai_addrlen: LongWord;
    ai_canonname: PAnsiChar;   // C string pointer, not a Delphi dynamic array
    ai_addr: PSockAddr;
    ai_next: PAddrInfo;
  end;

// ANSI getaddrinfo/freeaddrinfo as exported by ws2_32.dll (WinXP and later)
function getaddrinfo(const nodename: PAnsiChar; const servname: PAnsiChar;
  const hints: PAddrInfo; var res: PAddrInfo): Integer; stdcall;
  external 'ws2_32.dll' name 'getaddrinfo';
procedure freeaddrinfo(ai: PAddrInfo); stdcall;
  external 'ws2_32.dll' name 'freeaddrinfo';

var
  DummyWSA      : WSADATA;
  SocketHint    : TAddrInfo;    // hints record, zero-filled before use
  SocketResult  : PAddrInfo;

begin
  if WSAStartup($0202, DummyWSA) = 0 then begin
    //GetHostByName ('localhost');
    FillChar(SocketHint, SizeOf(SocketHint), 0);
    SocketHint.ai_family := AF_UNSPEC;      // accept IPv4 and IPv6 answers
    SocketHint.ai_socktype := SOCK_STREAM;
    SocketResult := nil;
    // servname may be nil when no port is wanted; '80' is equally valid
    if getaddrinfo('localhost', nil, @SocketHint, SocketResult) = 0 then
      freeaddrinfo(SocketResult);           // free the returned linked list
    WSACleanup;
  end;
  readln;
end.

This version seems to not write anything at all to the registry...

Ben
  • 1
    If there is, that will probably have the same conflict with Kaspersky. You _should_ be able to call GetHostByName as a non-admin. What does the call stack look like? – 500 - Internal Server Error Mar 06 '13 at 19:01
  • 1
    Have you *tried* using the function and seen that it actually *fails*, or are you just *assuming* that it will fail based on what you read in this call stack you have? Because I can tell you, `GetHostByName` isn't restricted to admin-only accounts. – Nik Bougalis Mar 06 '13 at 19:06
  • I added a screenshot of the "detection". The assumption is because you can only write into HKLM if you have admin rights. – Ben Mar 06 '13 at 19:11
  • 2
    Wow, I will never install Kaspersky. – Warren P Mar 07 '13 at 00:10
  • 1
    This is one reason why I hate Kaspersky. Our software was literally erased (not quarantined) entirely from a client's hard drive because it didn't like its connecting to an FTP site. – Jerry Dodge Mar 07 '13 at 19:09
  • 1
    Just a suggestion - if you have a digital signature that you're able to add to your application, try that and maybe Kaspersky will respect this call from your app. – Jerry Dodge Mar 07 '13 at 19:17
  • Good idea. But I don't know much about this stuff. – Ben Mar 07 '13 at 19:58

1 Answer

15

gethostbyname() is the correct way to query a hostname via DNS (getaddrinfo() is a better choice, especially if you need to support IPv6), and it is definitely NOT restricted to admins only. Lots of applications use gethostbyname() (and/or getaddrinfo()) so it is very unlikely that Kaspersky is going to block it.

Why do you think that gethostbyname() is creating a Registry key? What is actually being created? It shouldn't be creating anything. That might suggest that some external code has hooked into gethostbyname().

Remy Lebeau
  • I used getaddrinfo too, but I need support for Win2K. – Ben Mar 06 '13 at 19:13
  • 1
    +1 for "That might suggest that some external code has hooked into gethostbyname()" – kobik Mar 06 '13 at 19:17
  • I added a screenshot of OllyDbg. – Ben Mar 06 '13 at 19:18
  • Since GetHostByName is the correct way, I assume that Kaspersky is hooking GetHostByName. However, it works without a detection with getaddrinfo... – Ben Mar 06 '13 at 19:28
  • 1
    If you want to check if the registry key is being created by external code (hook) you can use Process Monitor: double click the event where the registry key is created and look at the Stack tab. – Remko Mar 06 '13 at 19:41
  • 3
    I can confirm that using RegMonitor with a simple `gethostbyname` project DOES in fact trigger a `CreateKey` request on `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` (WinXP/D5) – kobik Mar 06 '13 at 19:42
  • Thank you for your research. Is this documented on MSDN too? – Ben Mar 06 '13 at 19:48
  • @kobik What do you mean by reproduced? Remko I added the ProcMon LOG in the first post. – Ben Mar 06 '13 at 20:01
  • 2
    1) I created a sample Delphi project with your code (`gethostbyname`). 2) Ran [`RegMon`](http://www.softpedia.com/get/Programming/Other-Programming-Files/Regmon.shtml). 3) Ran the sample project, and `RegMon` told me that the process did trigger a `CreateKey` request. – kobik Mar 06 '13 at 20:08
  • 3
    @kobik: I found [one article](http://support.microsoft.com/kb/196500) on MSDN that suggests `gethostbyname()` accesses `Tcpip\Parameters` to determine the order in which the IPs are to be returned. Under "normal" conditions, `gethostbyname()` would simply move on if it could not access the Registry key. KIS is hooked into the Registry and is getting in the way. So this is really a KIS issue, not a WinSock issue. – Remy Lebeau Mar 06 '13 at 20:08
  • 3
    @kobik: I would file a bug report with KIS. `gethostbyname()` requests read-only access to that Registry key when creating it. I don't see a reason why KIS should be flagging that as suspicious. On the other hand, this is probably also a Microsoft bug, for having `gethostbyname()` (or whatever lower level it invokes) use `RegCreateKeyEx()` instead of `RegOpenKeyEx()`. – Remy Lebeau Mar 06 '13 at 20:17
  • I actually think it's more of a Microsoft issue. If GetHostByName uses the CreateKey API then it's Kaspersky's responsibility to detect the CreateKey API. Like everybody thought/said, GetHostByName is NOT supposed to create any (sub)keys at all. I will however report it to KIS and mention it in association with GetHostByName. Thank you all for your help. EDIT: Just saw your edit. Thank you very much. – Ben Mar 06 '13 at 20:24
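The comments above suggest confirming with Process Monitor what the `CreateKey` event actually does, and point out that the resolver opens `Tcpip\Parameters` read-only rather than writing to it. The following is an added triage script, not code from the question or answer: it reads a Process Monitor CSV export (the column names are an assumption about that export format, and the sample rows are constructed) and separates the read-only `RegCreateKey` pattern from genuine registry writes, so an alert on that key can be judged on what the event requested rather than on the API name.

```python
import csv
import io
import re

# Constructed sample rows in Process Monitor's CSV export layout (the column
# names are an assumption about that export; the events are made up here).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:01:02.1","Project2.exe","1234","RegCreateKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"7:01:02.2","Project2.exe","1234","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DataBasePath","SUCCESS","Type: REG_EXPAND_SZ"
"7:01:03.0","other.exe","4321","RegCreateKey","HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\X","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"7:01:03.1","other.exe","4321","RegSetValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer","SUCCESS","Type: REG_SZ, Data: 10.0.0.53"
"""

# The key under either the CurrentControlSet alias or a numbered control
# set (the question's alert names ControlSet001).
TCPIP_PARAMS = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\Tcpip\\Parameters(\\|$)",
    re.IGNORECASE)
WRITE_ACCESS = ("Write", "All Access", "Set Value", "Create")
WRITE_OPS = ("RegSetValue", "RegDeleteValue", "RegDeleteKey")


def classify(operation, detail):
    """Verdict for one registry event under Tcpip\\Parameters.
    A RegCreateKey asking only for read access on a key that already exists
    is what KB196500 describes for gethostbyname(): an open, not a write."""
    if operation == "RegCreateKey":
        if "REG_CREATED_NEW_KEY" in detail:
            return "created-key"            # a key really was added
        m = re.search(r"Desired Access: ([^,]+)", detail)
        access = m.group(1) if m else ""
        if any(w in access for w in WRITE_ACCESS):
            return "write-access-open"      # opened with write rights
        return "benign-readonly-open"       # the resolver's own pattern
    if operation in WRITE_OPS:
        return "write"
    return "read"


def triage(csv_text):
    """Return (process, operation, verdict) for each event on the key."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if TCPIP_PARAMS.match(row["Path"]):
            out.append((row["Process Name"], row["Operation"],
                        classify(row["Operation"], row["Detail"])))
    return out
```

Only the event whose Detail column requests write access or reports `REG_CREATED_NEW_KEY` is treated as a write; the read-only open that `gethostbyname()` performs is classified as benign.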