Is it possible to detect if some serial port is being sniffed by another process running on Windows?
We have an application that receives some sensitive data that cannot be read by other people. So, before opening the serial port, we need to check if the port is being monitored.
We can use the CreateFile Windows API function to open the serial port with exclusive access rights, but if the monitor runs before our call, it can read all the communication (it opens the serial port with shared access rights, so we can open the port at the same time). To avoid this, the attempt is to check if the port is being monitored and raise an exception, warning the user. Is it possible to do this?
Port sniffing requires a filter driver, like SysInternals' PortMon utility. You are taking the wrong kind of approach to secure your application. When somebody can install a filter driver, the attacker has more than enough privileges to completely disable your app and replace it with something else of his own making. Trying to detect and prevent information loss through your app is pointless, the system itself has to be secured. A serial port is probably the first thing you'll have to lose, it is trivial to tap its wires.
Rather than lose the serial port why not encrypt your data. This assumes that both the DTE and DCE are programmable.
Related
How do I close tcp v4 and tcp v6 connections on Windows? I don't want to kill the entire process that has the open connection as this obviously will kick everyone else off that process. I need to do this from a separate process, and so will not have access to socket handles, etc. I am using Windows API to get tcp table, etc. so I know which connections are active.
One way might be to enumerate all open handles on the system, or at least the open handles of a given target process, until you find the SOCKET handle you are interested in (see HOWTO: Enumerate handles, Socket Handles, and C++ Get Handle of Open Sockets of a Program - though I'm not sure how you would be able to retrieve the IP/Port pairs of a SOCKET to compare to the active connection you are interested in, without injecting remote getsockname()/getpeername() calls into the owning process of the SOCKET).
Once you have found the SOCKET handle you want, you can then close it by using DuplicateHandle() with the DUPLICATE_CLOSE_SOURCE flag 1.
1: This is how the "Close Handle" feature in Process Explorer works.
Since I'm using C#, I cannot PInvoke SetTcpEntry, even as administrator with an app.manifest file, it always sends a 317 error. So I created a C++ .exe to close a comma separated list of ipv4 addresses on the command line using SetTcpEntry, works fine even without an app.manifest file. That solves kicking ipv4 connections.
I tried using the get handles approach with NtQuerySystemInformation but never could get it working quite right, and it is a private mostly undocumented API and seems unsafe to use.
So, for ipv6, I am using windivert and injecting RST flag to ipv6 packets with certain ip addresses. It is as simple as setting the RST flag of an incoming packet before sending it on through with windivert. The downside is, if the client never sends another packet, the ipv6 socket still stays open indefinitely.
Perhaps someday Microsoft will add a SetTcpEntry6 function, but until then this appears to be the only realistic way.
UPDATE 2022-05-01, found this gem at https://www.x86matthew.com/view_post?id=settcpentry6
I discovered almost accidentally that my machine was sending and receiving UDP packets to a machine in Poland. Not that I have any problem with Poland, I just don't know why my laptop has the need to communicate with a server there. Reverse DNS shows just the ISP providing the address to some end user. Using Wireshark, I can monitor the messages, which were indecipherable as they were probably encrypted. All packets sent from my machine had the same source port, so clearly the application that sent them opened this UDP socket to use it. I am searching for ways to:
1) enumerate all current sockets open in the system, including the process that created it and, for both TCP and UDP, what ports and addresses they are current bound to.
2) because applications can open these sockets, use them, and close them right away, I would love to find (or perhaps even write) a program that once started would somehow get notification each time a socket gets created, or really more importantly when bound to a source and/or destination address and port. For UDP, I would love to also be able to monitor/keep track of the destination IP addresses and ports that socket has sent messages to.
I don't want to monitor the traffic itself, I have Wireshark if I want to view the traffic. I want to be able to then cross reference to discover what application is generating the packets. I want to know if it is from a process I trust, or if it is something I need to investigate further.
Does anybody know of any applications (for the Windows platform) that can do this? If not, any ideas about a .NET or Windows API that provides this capability, should I want to write it myself?
Edit:
After further research - looks like the APIs to use are GetExtendedUdpTable and GetExtendedTcpTable, CodeProject.com has some samples wrapping these in .NET (see http://www.codeproject.com/Articles/14423/Getting-the-active-TCP-UDP-connections-using-the-G). So a combination of this API and some sniffer code would be needed to monitor and keep track of what hosts at what ports using what protocol any particular application on your machine is talking to. If I ever get some free time, I'll consider creating this, if you know of an app that does all this, please let me know.
Try SysInternals TCPView. Despite its name, it handles UDP as well.
netstat -b to enumerate all ports along with the process names.
You can try using SysInternals' Process MOnitor (ProcMon.exe or ProcMon64.exe).
It allows for filtering of Processes by "UDP Send" Operation - and provides detailed UDP Connection data, including source and destination addresses(IP) and ports etc.
Is it possible open serial port which already in use?
and send data to it
Or create new one and share it for few applications?
I'm trying to avoid use of port pairs (created by windows driver)
I guess you could use an intemediate program like Hyperterminal and sendkeys to it from other apps, ao that Hyperterminal sends them from multiple sources.
Other than a workaround like that I've never heard of a port beng open in more than one program simultaneously.
So I have a bluetooth device, this device uses SPP to transfer data between the PC and itself. It connects fine through Windows as a bluetooth device. I can find it, enter the paring code and assign it to a COM port. Now I want to be able to send data through the com port using Windows API but it is refusing to do so.
I suspect that I need to setup the COMMCONFIG Structure correctly (see below)
http://msdn.microsoft.com/en-us/library/aa363188(VS.85).aspx
Unfortunately I have no idea what is the proper setting. I know SPP is supposed to emulate the RS-232 communication... so maybe I have to study up on that to figure out the right setting? Or is there some automatic way to set the COMMCONFIG structure.
I seriously doubt it. If it would be used then you'll have no chance at guessing at the custom provider data without docs from the driver author. Pay attention to the handshake signals, serial port devices routinely ignore anything sent to them when the DTR signal is turned off. And not send anything back with DTR off. A driver would emulate that. Use EscapeCommFunction() to turn them on. Also try a serial comm program like HyperTerminal or Putty to test this so you can isolate the source of the problem.
Why not use the Bluetooth sockets API? No need for troublesome (virtual) COM ports then.
If you're using managed code then see my library 32feet.NET
If using native code, use SOCKADDR_BTH with Winsock connect etc, see e.g. Bluetooth and connect (Windows) Then you can use the standard Winsock send/recv API
Ok, I found that you can use the
GetCommConfig and GetCommState functions to figure out the settings.
I'm working on an App that talks to a serial port, and on my development machine, I'm running Vista, and that serial port is a Bluetooth connection. Occasionally, the serial port gets caught in a state where my App can no longer connect to it. In .net I get an IOException with a message reading "Element not found."
I've tried restarting the App, connecting with other Apps (a communications client like HyperTerm) but nothing helps. I can't find any more specific error message, and nothing is logged to the machine's event logs. The device manager tells me the port is "working properly."
Is there any way to find out which process and or .dll has possession of a serial port, and/or force a port closed?
If it makes any difference, my App is in C#, but structurally, it's not convenient to open and close the port with a "using" statement.
Thanks,
Andy
To the best of my knowledge you can't close a serial port that you do not have the handle to. My experience of Bluetooth serial ports is that they can end up getting mapped to different COM port numbers at connection time, and can sometimes leave bogus COM ports when disconnected. For example, I currently have no bluetooth devices connected, but if I go into device manager, I see a total of eleven COM ports listed as Bluetooth serial port The properties on each of these ports show the device as working and available, and I can usually open these ports though I get occasional failures. My work around for this is to force COM port numbers for connected deviced, through properties / advanced / COM port number. I'm not sure if the problem is driver related (IVT corp in this case) or a problem with the way Windows manages blutooth serial ports.
Sorry I couldn't be of any more help.