Question

I wrote my own LSP, which is working fine. However, I cannot catch DNS queries. For example, there is no function like WSPGetHostByName or WSPGetAddrInfo.

My LSP also supports the UDP protocol, but it is not working. If I run nslookup from the console (cmd.exe) it seems to work, but I cannot catch gethostbyname. Does anyone know how to do that? I don't think writing an NSP (Name Service Provider) is a solution. But I might be wrong.

Thanks

Solution

We have developed an LSP that can "intercept" DNS queries. The only way to do it is by hooking into all of the DNS functions. Keep in mind there are a few challenges you need to solve:

  1. You need to use a good hooking library that will support both 32-bit and 64-bit code.
  2. The library license must be right for your application; there are some free libraries, but they can be used freely only with free projects.
  3. When you hook the functions, you need to make sure not to modify certain values that are not IP based and defer the query to the real function.

Intercepting UDP will not work since the queries are going out from the MS DNS client, so unless you write a low-level driver like TDI, NDIS or WFP, you must hook the functions (or write an NSP). NSLookup works for you because it creates the DNS queries itself.
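One reading of point 3 above, as an added example that is not the answerer's code: a replacement for getaddrinfo that leaves requests which never cause a DNS query (no host name, AI_NUMERICHOST, IPv4/IPv6 literals) alone, records the name otherwise, and always defers to the real function. It is written against the POSIX headers so it runs anywhere (Winsock's getaddrinfo takes the same four parameters); `fake_real`, `classify`, `hooked_getaddrinfo` and `observed_is` are hypothetical names, and installing the hook is left to whatever hooking library is used.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

typedef int (*gai_fn)(const char *, const char *,
                      const struct addrinfo *, struct addrinfo **);
enum verdict { PASS_UNTOUCHED, OBSERVED };

char last_name[256];   /* most recent host name that would cause a DNS query */
int  real_calls;       /* how many times the stand-in resolver below was reached */

/* Constructed stand-in for the real resolver so the example runs offline. */
int fake_real(const char *n, const char *s,
              const struct addrinfo *h, struct addrinfo **r) {
    (void)n; (void)s; (void)h; (void)r;
    real_calls++;
    return 0;
}

/* A hooking library would store the original entry point here (assumption). */
gai_fn real_getaddrinfo = fake_real;

/* Requests that never produce a DNS query must reach the real function as-is. */
enum verdict classify(const char *node, const struct addrinfo *hints) {
    unsigned char buf[sizeof(struct in6_addr)];
    if (node == NULL) return PASS_UNTOUCHED;               /* service-only lookup */
    if (hints && (hints->ai_flags & AI_NUMERICHOST)) return PASS_UNTOUCHED;
    if (inet_pton(AF_INET, node, buf) == 1) return PASS_UNTOUCHED;   /* IPv4 literal */
    if (inet_pton(AF_INET6, node, buf) == 1) return PASS_UNTOUCHED;  /* IPv6 literal */
    return OBSERVED;
}

int hooked_getaddrinfo(const char *node, const char *service,
                       const struct addrinfo *hints, struct addrinfo **res) {
    if (classify(node, hints) == OBSERVED)
        snprintf(last_name, sizeof last_name, "%s", node); /* record, do not alter */
    return real_getaddrinfo(node, service, hints, res);    /* always defer */
}

int observed_is(const char *name) { return strcmp(last_name, name) == 0; }

int main(void) {
    hooked_getaddrinfo("example.test", "80", NULL, NULL);  /* constructed inputs */
    hooked_getaddrinfo("192.0.2.10", "80", NULL, NULL);
    printf("observed=%s real_calls=%d\n", last_name, real_calls);
    return 0;
}
```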

Other tips

My solution would be as follows:

  1. Take the well-known web browser: firefox.exe

  2. Copy it to a new name: icefoxy.exe

  3. Modify the EXE so it will load a custom DLL.

I have already done this a few months ago, but since Firefox is constantly getting updates, that means:

EITHER: keep one version and do not update (at your own risk, may cause security problems since that means vulnerabilities will not be fixed)

OR: Update your modification every time firefox.exe changes.

The DLL can easily be written using Delphi.

The Firefox modification needs assembly language, unless you know how to download all the files necessary to compile Firefox yourself, have access to a C/C++ compiler (likely mingw-gcc), and are prepared for the fact that there are 2 mutually exclusive standards of C++, and if your g++ (part of the gcc suite) is incompatible with your Firefox source, then your attempt will fail.

I am not a C++ expert myself, so I took the (for me, at least) easier route using machine language, that way I do not need to be a C/C++ expert to get the job done.

Some relative points:

  1. What functions must be hooked to intercept all of Firefox's access to DNS server(s)?

  2. I noticed that if you load a Delphi DLL into Icefoxy.exe (a renamed copy of Firefox.exe), then a Delphi form's colors are missing, e.g. if you set (either in the Object Inspector or in code):

Label1.Color := clLime;

you still see a label withOUT a lime background color. I do not know the exact reason, but it seems that the Delphi VCL relies on being used in an EXE, and when you use Delphi VCL components inside a DLL instead of an EXE, some things (such as color) do not work as intended.

I'd be happy to post my code (both the assembly language modifications to Firefox and the Delphi DLL source code), but how/where can I post it so it is publicly viewable?

I used Delphi 7 to make the DLL.

If you use Delphi 2009 or later, you need to take extra care that any string data passed between the Delphi code and any non-Delphi code has the correct encoding, due to the fact that in Delphi 2009 and all newer versions, the type String is an alias for UnicodeString, whereas in older Delphi versions, the type String is an alias for AnsiString.

At the time I did this, it was just a small experiment to find out if I could force Firefox to load my own DLL into its process address space.

Another interesting idea would be to get access to the DOM (Document Object Model) of Firefox from a Delphi DLL, that would give a working alternative to using TWebBrowser (based on ActiveX version of Microsoft's Internet Explorer).

I know there have been components like TWebBrowser based on Firefox, but their problem is that nobody cared to update them for a very long time, so they are compatible only with some very outdated version of Firefox.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow