Question

In the past I have written C++ plugins that detoured the recvfrom() function in Winsock and dropped/manipulated incoming traffic from the primary application.

I now wish to write a stand-alone application that listens on all interfaces, reads incoming UDP packets, and drops them if the packet structure matches that of a known exploit being used to target us.

What would be the best way to do this? This will be used on Windows Server 2008 machines, which have large quantities of static IPv4 addresses assigned to the NIC. I was considering possibly detouring Winsock, but as this isn't a feature rich application, whatever is the easiest way to implement this would be great.

Note I started implementing this using Pcap.Net but realized I can't drop packets that way, so I am not really sure how to approach this.


Solution

It may not be the easiest task in C#, as network filtering will probably bind you to low-level code operating within the OS kernel.

There are also some APIs in Windows Server 2008 for setting up your custom packet filters.

While probably wrappable in p/invoke, I suggest going for C++ and native code instead.

Additional reading which may be interesting to you is here on codeproject.

Other tips

You want to use EasyHook. If you say that it's really only one primary application you need to worry about, you can create a simple user-mode hook that hooks send() and receive(). You can look at how oSpy does this (though oSpy's project is quite large). EasyHook makes hooking pretty easy.
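Both the question (detouring recvfrom() and dropping packets) and this answer (a user-mode hook on recv/send) leave open the one detail that usually trips people up: a recvfrom() detour cannot simply "return nothing" when it decides to drop a datagram. The example below is added here and is not code from the question, the answers, EasyHook or oSpy. It keeps the drop logic portable so it runs without Winsock: the trampoline to the real ws2_32!recvfrom that a hooking library gives you is modelled as a callback over a constructed queue of datagrams, `kWouldBlock` stands in for SOCKET_ERROR plus WSAEWOULDBLOCK, and the exploit signature is a constructed placeholder rather than any real packet structure.

```cpp
// Added example, not from the question or either answer: the drop logic a
// recvfrom() detour needs, kept portable so it runs without Winsock. The
// trampoline to the real ws2_32!recvfrom is modelled as a callback over a
// constructed queue. The exploit signature is a constructed placeholder.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <deque>
#include <functional>
#include <initializer_list>
#include <string>
#include <vector>

// One byte sequence that must appear at a fixed payload offset.
struct PatternAt { size_t offset; std::vector<uint8_t> bytes; };

// A signature: minimum payload length plus every pattern that must match.
struct Signature { size_t min_len; std::vector<PatternAt> patterns; };

// True when the datagram satisfies every constraint of the signature.
// Bounds are checked before each memcmp so a short packet can never overread.
bool matches(const Signature& sig, const uint8_t* data, size_t len) {
    if (len < sig.min_len) return false;
    for (const auto& p : sig.patterns) {
        if (p.offset + p.bytes.size() > len) return false;
        if (std::memcmp(data + p.offset, p.bytes.data(), p.bytes.size()) != 0) return false;
    }
    return true;
}

// Model of the real recvfrom: copies the next datagram into buf and returns its
// length, or 0 when nothing is queued (stand-in for "no data available").
using OriginalRecv = std::function<int(uint8_t* buf, size_t buflen, std::string* from)>;

// What the detour returns after swallowing a matching packet on a non-blocking
// socket; a real hook would return SOCKET_ERROR and set WSAEWOULDBLOCK.
constexpr int kWouldBlock = -1;

struct FilterStats { size_t dropped = 0; size_t passed = 0; };

// The detour body. A blocking recvfrom cannot "return nothing", so after a drop
// the hook calls the original again until a clean datagram arrives. On a
// non-blocking socket it reports would-block, which callers already handle.
int filtered_recvfrom(const OriginalRecv& original, bool blocking,
                      const std::vector<Signature>& sigs,
                      uint8_t* buf, size_t buflen, std::string* from,
                      FilterStats* stats) {
    for (;;) {
        int n = original(buf, buflen, from);
        if (n <= 0) return n;  // no data or error: pass through unchanged
        bool drop = false;
        for (const auto& s : sigs) {
            if (matches(s, buf, static_cast<size_t>(n))) { drop = true; break; }
        }
        if (!drop) { ++stats->passed; return n; }
        ++stats->dropped;
        if (!blocking) return kWouldBlock;
        // blocking socket: fall through and fetch the next datagram
    }
}

struct Datagram { std::vector<uint8_t> payload; std::string from; };

// Builds an "original recvfrom" over a constructed queue of datagrams.
OriginalRecv queue_source(std::deque<Datagram>* q) {
    return [q](uint8_t* buf, size_t buflen, std::string* from) -> int {
        if (q->empty()) return 0;
        Datagram d = std::move(q->front());
        q->pop_front();
        size_t n = d.payload.size() < buflen ? d.payload.size() : buflen;
        std::memcpy(buf, d.payload.data(), n);
        if (from) *from = d.from;
        return static_cast<int>(n);
    };
}

// Constructed placeholder: 4-byte tag at offset 0 and a version byte at offset 4.
const Signature kPlaceholderExploit{8, {{0, {0xDE, 0xAD, 0xBE, 0xEF}}, {4, {0x01}}}};

// Three reads against a constructed queue (clean, matching, clean); reports each
// return value plus the counters, for blocking or non-blocking mode.
struct DemoResult { int r1, r2, r3; FilterStats stats; };

DemoResult demo(bool blocking) {
    std::deque<Datagram> q{
        {{'p', 'i', 'n', 'g'}, "198.51.100.7:5000"},                                   // clean
        {{0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x00, 0x00, 0x00, 0x41}, "203.0.113.9:4444"},  // matches
        {{'p', 'o', 'n', 'g'}, "198.51.100.7:5000"},                                   // clean
    };
    OriginalRecv orig = queue_source(&q);
    std::vector<Signature> sigs{kPlaceholderExploit};
    DemoResult r{};
    uint8_t buf[64]; std::string from;
    r.r1 = filtered_recvfrom(orig, blocking, sigs, buf, sizeof buf, &from, &r.stats);
    r.r2 = filtered_recvfrom(orig, blocking, sigs, buf, sizeof buf, &from, &r.stats);
    r.r3 = filtered_recvfrom(orig, blocking, sigs, buf, sizeof buf, &from, &r.stats);
    return r;
}

int main() {
    for (bool blocking : {true, false}) {
        DemoResult r = demo(blocking);
        std::printf("%s: reads=%d,%d,%d dropped=%zu passed=%zu\n",
                    blocking ? "blocking" : "non-blocking",
                    r.r1, r.r2, r.r3, r.stats.dropped, r.stats.passed);
    }
    return 0;
}
```

In blocking mode the second read silently skips the matching datagram and hands back the following clean one; in non-blocking mode the same read returns the would-block result and the clean datagram arrives on the next call. Inside a real EasyHook or Detours hook, `original` is the trampoline the library returns, and the non-blocking branch would call WSASetLastError(WSAEWOULDBLOCK) before returning SOCKET_ERROR. Note that this only protects the one process whose recvfrom() is hooked, which is why the accepted answer points at kernel-side filtering for a machine with many listening services.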

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow