4

In the past I have written C++ plugins that detoured the recvfrom() function in Winsock and dropped/manipulated incoming traffic from the primary application.

I now wish to write a stand-alone application that listens on all interfaces, reads incoming UDP packets, and drops them if the packet structure matches that of a known exploit being used to target us.

What would be the best way to do this? This will be used on Windows Server 2008 machines, which have large quantities of static IPv4 addresses assigned to the NIC. I was considering possibly detouring Winsock, but as this isn't a feature rich application, whatever is the easiest way to implement this would be great.

Note I started implementing this using Pcap.Net but realized I can't drop packets that way, so I am not really sure how to approach this.

  • Try Windows Filtering Platform http://www.codeproject.com/Articles/29026/Firewall-using-Vista-s-Windows-Filtering-Platform – user629926 Mar 05 '12 at 11:07

2 Answers

3

It may not be the easiest task in C#, as network filtering will probably bind you to low-level code operating within the OS kernel.

There are also some APIs in Windows Server 2008 for setting up your custom packet filters.

While it is probably wrappable via P/Invoke, I suggest going for C++ and native code instead.

Additional reading which may be interesting to you is here on CodeProject.

Krizz
  • I actually just downloaded that application a few minutes ago, but it didn't seem to function at all when running it on Windows 7, so I was assuming whatever methods were used are outdated now. I was trying to find more info (preferably an example) on doing this with WFP, but so far not a lot of luck. –  Mar 04 '12 at 14:36
  • Actually, never mind, it was a different one on CodeProject that looked similar. I will read this and give it a shot. Are there really no methods that are possible with the installation of an extra driver? –  Mar 04 '12 at 14:39
1

You want to use EasyHook. If you say that it's really only one primary application you need to worry about, you can create a simple user-mode hook that hooks send() and receive(). You can look at how oSpy does this (though oSpy's project is quite large). EasyHook makes hooking pretty easy.

Jason
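Whichever hook point is chosen (a WFP callout as in the first answer, or a hooked recvfrom() as in the second), the payload check that decides "drop or pass" is the same piece of code. The following is an added example of that check in C, not code from either answerer; the signatures and sample datagrams are constructed placeholders, not a real exploit pattern.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One payload signature: a byte pattern at a fixed offset plus a minimum
 * payload length. All values here are constructed placeholders, not a
 * real exploit pattern. Note: a user-mode WFP filter can only match on
 * header fields (address, port, protocol); payload inspection like this
 * has to run in a WFP callout driver or in the hooked recvfrom(). */
typedef struct {
    const char *name;
    size_t min_len;          /* payload shorter than this cannot be this exploit */
    size_t offset;           /* where the pattern starts in the UDP payload */
    const uint8_t *pattern;
    size_t pattern_len;
} udp_signature;

static const uint8_t SIG_A[] = { 0xDE, 0xAD, 0x00, 0x01 };  /* constructed */
static const uint8_t SIG_B[] = { 'E', 'V', 'I', 'L' };      /* constructed */

static const udp_signature SIGNATURES[] = {
    { "placeholder-sig-a", 16, 0, SIG_A, sizeof SIG_A },
    { "placeholder-sig-b",  8, 4, SIG_B, sizeof SIG_B },
};

/* Returns the matching signature name (drop) or NULL (pass). Every read is
 * bounds-checked against len, so a short or truncated datagram can never
 * make the filter itself read past the buffer. */
const char *match_udp_payload(const uint8_t *payload, size_t len)
{
    size_t i;
    if (payload == NULL) return NULL;
    for (i = 0; i < sizeof SIGNATURES / sizeof SIGNATURES[0]; i++) {
        const udp_signature *s = &SIGNATURES[i];
        if (len < s->min_len) continue;
        if (s->offset > len || s->pattern_len > len - s->offset) continue;
        if (memcmp(payload + s->offset, s->pattern, s->pattern_len) == 0)
            return s->name;
    }
    return NULL;
}

/* Verdict as a hooked recvfrom() (after the real call fills the buffer) or a
 * WFP callout's classify routine would consume it: true means drop it. */
bool should_drop_udp(const uint8_t *payload, size_t len)
{
    return match_udp_payload(payload, len) != NULL;
}

/* Constructed sample datagrams: one hits SIG_A, one is benign traffic. */
static const uint8_t SAMPLE_MATCH[16] = { 0xDE, 0xAD, 0x00, 0x01, 'p', 'a', 'd' };
static const uint8_t SAMPLE_CLEAN[16] = { 'h', 'e', 'l', 'l', 'o' };
```

The signature table is where the structure of the known exploit packet would go; keep min_len honest so that a shortened datagram can neither match by accident nor push the comparison past the end of the buffer.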