I would like to hook into certain Windows network events, such as new incoming and outgoing connections.
What are the options? WMIC, the Windows API?
You could take a look at WinPcap:
http://www.winpcap.org/
"WinPcap is an open source library for packet capture and network analysis for the Win32 platforms."
http://www.winpcap.org/docs/docs_412/html/main.html
This is the library that programs like Wireshark use to do all their capturing with. http://www.winpcap.org/misc/features.htm
You could inject a DLL that hooks send() and recv() into every process. The DLL would then also hook CreateProcess to inject itself into processes created in the future.
Here are some tools to filter, modify and read packets in Windows:
WinDivert: free, open source project; works on Windows 7, 2008 or higher; network layer.
WinpkFilter 3.0: commercial; Windows XP and higher; data link layer.
PCAUSA: commercial; data link layer.
Windows Filtering Platform Packet Modification Sample: a sample showing how to create the callout driver that WinDivert uses; you need to know how to implement a kernel driver; network layer.
I am developing a TCP protocol fuzzing software under Windows 7. I want to send self-constructed TCP packets using raw sockets. But it seems that Microsoft forbids this for some security reasons. (http://msdn.microsoft.com/en-us/library/windows/desktop/ms740548(v=vs.85).aspx)
I know WinPcap can also send custom packets. But I don't want to build a packet from the Ethernet level. The parameters for Ethernet and IPv4 are so complex and drive me crazy. I only care about the TCP parts and above. Are there any solutions to work around this? All I can think of is to change my Win7 to Windows 2008 R2, but it's a big project to do. I hope there are better ways?
After Windows XP Service Pack 1, the ability to send raw sockets has been disabled, however you can still read them.
You can modify the source code example provided by Microsoft in the WDK to enable raw sends again. For more information, check the link.
PCAUSA - How To Access To NIC Drivers From A Win32 Application
Alternatively, you may use WinPcap to inject packets into the network.
WinPcap
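When you inject through WinPcap (pcap_sendpacket) instead of a raw socket, as the WinPcap suggestions in both threads above recommend, the Ethernet and IPv4 headers have to be built by hand. The following is an added example, not code from the question or any answer, that wraps a hand-built TCP segment in correct IPv4 and Ethernet II headers, including the IPv4 header checksum and the TCP pseudo-header checksum, and re-verifies both. Addresses, MACs, ports and the payload are constructed test values; the pcap_sendpacket call itself is omitted because it needs the Windows library.

```python
import socket
import struct

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src_ip, dst_ip, payload_len, proto=6, ttl=64, ident=0):
    """20-byte IPv4 header without options (IHL=5), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(hdr)    # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=8192):
    """TCP header without options; the checksum also covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, 6, len(hdr) + len(payload))
    csum = ones_complement_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, flags, payload=b""):
    """Ethernet II (EtherType 0x0800) + IPv4 + TCP, ready to hand to pcap_sendpacket()."""
    tcp = build_tcp_segment(src_ip, dst_ip, sport, dport, seq, 0, flags, payload)
    ip = build_ipv4_header(src_ip, dst_ip, len(tcp))
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip + tcp

def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums over the finished frame; a valid frame yields 0 for each."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, 6, len(tcp))
    return (ones_complement_checksum(ip) == 0
            and ones_complement_checksum(pseudo + tcp) == 0)

# Constructed test values: RFC 5737 documentation addresses and locally administered MACs.
SYN = 0x02
FRAME = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02",
                    "192.0.2.10", "198.51.100.20", 40000, 8080, 1000, SYN, b"HELLO")

if __name__ == "__main__":
    print(len(FRAME), "bytes, checksums valid:", verify_frame(FRAME))
```

Only build_tcp_segment needs to change for each fuzz case; the two outer layers are fixed per target and the checksums are recomputed automatically.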
I am using the Windows Filtering Platform. I want to create a traffic filter, a security manager, which monitors packets and network events or blocks URLs... I know most of the WFP functions can be called from either user mode or kernel mode. I am wondering whether to write my filter using kernel-mode functions or user-mode ones? Is there any kind of network action that can only be captured by using a kernel-mode driver? Please help me in this regard.
Thanks in advance for any help on the matter
WFP Callouts can only be deployed using kernel mode drivers. As far as I know modifying packets (NAT, port forwarding, etc) can only be done using callouts on kernel mode drivers.
UPDATE:
User-mode application may be used to do shallow packet inspecting and some simple stream operations as well as control kernel mode drivers.
Kernel mode drivers may do deep and shallow packet inspection and all kinds of stream manipulation, but cannot interact with common applications without the use of user mode applications implementing the WFP API.
Alexandre is correct, some things can only be done with kernel mode WFP callout drivers.
However, you might also want to look at my project WinDivert (LGPL) which lifts some WFP kernel-mode functionality (i.e. intercepting and modifying packets) into a user-mode API. WinDivert provides the callout driver for you.
I have an Arduino application talking over USB to an application on Windows 8 using the MAVLINK protocol. The connection appears as COM3.
Is there a Windows application that can spy on this connection and display the traffic going in both directions? Raw bytes are fine, I don't need the protocol decoded.
You could log serial port activity using Portmon. (Edit: You need to first connect to the local computer via the Computer menu, and you must start capture on the port before a program opens it.)
You may not want to log USB traffic. Such a log would include a lot of extra information relating to the USB to serial adapter which is providing COM3. Portmon would only give you the bytes transferred over COM3, and the Mavlink protocol is entirely contained within that data stream. If you're sure you want to log all USB traffic to and from that device, then I recommend SnoopyPro. In Windows 7, you need to run it as administrator.
If you can use Windows XP in your environment, USB sniff should work for you. If you need something more powerful (and are willing to pay a fee for it) then USBLyzer might be a viable option.
The answer is SnoopyPro, and you can download it at:
SnoopyPro Sourceforge
This tool allows you to get USB information and also USB communication data. I used it in the past to learn how a USB device worked in order to write its driver for Linux. I used this tool as a sniffer.
Basically, SnoopyPro allows you to intercept, display, record and analyze the USB protocol and all transferred data between any USB device connected to your PC and applications. It can be successfully used in application development, USB device driver or hardware development and offers a powerful platform for effective coding, testing and optimization.
I have developed a USB device that communicates with Linux over a simple but proprietary interface and some custom Linux drivers. My goal is to port this to Windows without writing Windows drivers. What I would like to do is find an open source or inbuilt class driver for Windows that would look like a COM port in Windows. Then I would tailor the embedded software to match whatever protocol and descriptors the virtual COM port expects to see.
The idea would be that I could plug my device into a Windows machine and a relatively high speed COM port would appear without me having to develop Windows drivers for it.
I have been looking at the USB CDC (Communications Device Class) documentation and it looks promising, but I don't know which sub interface would be best to use so that it would show up as a COM port.
Has anyone here done any work like this before or could provide some insight?
Specifically:
Are there virtual COM drivers "built in" to Windows or would I need a 3rd party driver?
Which CDC subclass should I use for simple RS232 emulation (no need for modem AT commands, etc.)?
Is there a better option to do what I am trying to do?
Thanks
There is a USB-to-serial driver built in to Windows that will do what you want. It is called usbser.sys:
http://support.microsoft.com/kb/837637
You will have to write an INF file and distribute that to your users, but that will not be too hard because it is only a few kilobytes of text and you can find examples online.
I'm not aware of any great documentation for this driver by Microsoft, so my advice would be to find some other device that uses it, such as Pololu Wixel, and copy what they did.
Here are the device descriptors we used and the special control transfers we had to implement:
https://github.com/pololu/wixel-sdk/blob/master/libraries/src/usb_cdc_acm/usb_cdc_acm.c
You can see our INF file, wixel_serial.inf, by downloading the software and looking in the drivers folder:
http://www.pololu.com/docs/0J46/3.a
(There are other files in there that are not necessary for you.)
You can also look at the Arduino Uno because they use the same driver.
Whatever you do, please don't use our USB Vendor ID in your product! You need to get your own.
Update: In Windows 10, you don't need an INF file anymore because of the new usbser.inf driver that comes with Windows.
If you are using a UART you can easily interface it to an FTDI USB chip like http://www.ftdichip.com/Products/ICs/FT232R.htm or a Prolific one like http://www.prolific.com.tw/eng/products.asp?id=59
For development, prototyping and testing I have half a dozen of these lying around: http://www.pololu.com/catalog/product/391
I connect it directly to the UART pins on AVR and 8051 micros.
A question to maybe some who have worked extensively with WinUSB APIs or user mode USB drivers - can the WinUSB API or a user mode driver be used as a passive observer of USB connections, capturing notification of interrupts, control requests, data transfers, etc. without interfering with other applications (such as iTunes) which would obviously require concurrent access to the device at the same time my application is monitoring the connection and displaying data on it?
Or do you pretty much have to write a kernel-mode filter driver and inject yourself in the USB stack in order to make that happen?
In the past, there have been a few credible options (libusb-win32 and usbsnoop to be specific) though both are built around the old DDK, not the Windows Driver Foundation, and are not really supported on a regular basis any more. I'm hesitant to build something significant around them, as a result.
You must write a filter driver. There is no other way to intercept traffic generated by other devices. And you can use newer versions of the DDK, that is, KMDF for this task. It will make your life easier. But I think it will be cheaper and more effective just to get a hardware bus analyzer.
There is a good overview by OSR. You must be signed in to read it, but I strongly advise signing up anyway if you are going to do any kernel mode development.
The core USB drivers in Windows 7 have ETW trace points, so you can sniff traffic that way (blog post ETW in the Windows 7 USB core stack), but it is a bit kludgy and has some limitations like only tracing the first 32 bytes of each packet.
I have made a USB filter driver (KMDF) that is pretty easy to use (IMHO): http://code.google.com/p/busdog/
USB Sniffer allows you to display, record and analyze all the data transferred between any USB device connected to your PC and applications. Also you can recover transferred data (for some file types).
The resulting project includes these components: driver, common library, GUI.
http://tellmeword.com/5zu2z5