Question

I want to develop a host-based firewall for Windows, mainly to filter URLs starting with HTTPS! I know that Microsoft is presenting WFP as a substitute for the deprecated old techniques such as firewall/filter hooks, NDIS, TDI, WSA and Winsock 2 (LSP). But WFP does not currently support filters on hostname or URL. Also, WFP is only available in C/C++ and there are no C# wrappers available in .NET.

I tried @basil's WinDivert demo app webfilter, which parses outbound IPv4 packets on TCP port 80 (default HTTP), resets the server connection (TCP RST) and sends an HTML response to the client (browser) followed by a TCP FIN in case the URL matches any of the blacklisted entries given in a text file as a command line argument, and re-injects the packets otherwise...

    #include "windivert.h"

    // Filter from the webfilter demo; 'priority' is the demo's own variable
    HANDLE handle = WinDivertOpen(
        "outbound && "              // Outbound traffic only
        "ip && "                    // Only IPv4 supported
        "tcp.DstPort == 80 && "     // HTTP (port 80) only
        "tcp.PayloadLength > 0",    // TCP data packets only
        WINDIVERT_LAYER_NETWORK, priority, 0
    );
    if (handle == INVALID_HANDLE_VALUE)
        return 1;   // WinDivertOpen failed; GetLastError() has the reason

My question is: can I change this code to support HTTPS (change the port to the default 443) and also IPv6? If so, I'm willing to write a P/Invoke wrapper class to call it from managed C# code.

Extra: this solution can be bypassed using SSH tunneling; is there another way to bypass it?


Solution

HTTPS uses encryption to stop third parties from intercepting and modifying the HTTP stream. So the short answer is "no".

In principle you could use WinDivert to launch a man-in-the-middle attack to gain access to the unencrypted HTTP stream. However, this will be detected, and the web browser will sternly warn the user that they are under attack and not to continue.
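One caveat a practitioner would add to the answer above (this is an added example, not part of the original thread, of WinDivert, or of @basil's webfilter): the URL is encrypted, but the server hostname usually is not. The first outbound data packet on port 443 carries the TLS ClientHello, and its server_name (SNI) extension lists the hostname in the clear in both TLS 1.2 and TLS 1.3, unless the client uses Encrypted Client Hello. A hostname filter (not a URL filter) is therefore possible without a man-in-the-middle. The code below parses a ClientHello, pulls out the SNI host and matches it against a blocklist the way webfilter matches URLs on port 80. The ClientHello bytes and the blocklist are constructed for the example, and the WinDivert filter string in the leading comment is my assumed replacement for the port-80 filter in the question, not something from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed WinDivert filter for the capture loop, replacing the port-80 one in
 * the question ("ip || ipv6" keeps both address families, 443 selects TLS):
 *   "outbound && (ip || ipv6) && tcp.DstPort == 443 && tcp.PayloadLength > 0"
 * The code below runs on the TCP payload of each packet that filter returns. */

/* Constructed TLS ClientHello (80 bytes) whose server_name is "example.com". */
static const uint8_t sample_client_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x4b,                 /* record: handshake, len 75 */
    0x01, 0x00, 0x00, 0x47,                       /* handshake: ClientHello, len 71 */
    0x03, 0x03,                                   /* client_version TLS 1.2 */
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
    0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,           /* 32-byte random */
    0x00,                                         /* session_id length 0 */
    0x00, 0x04, 0x13, 0x01, 0xc0, 0x2f,           /* two cipher suites */
    0x01, 0x00,                                   /* compression: null only */
    0x00, 0x1a,                                   /* extensions length 26 */
    0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,           /* ec_point_formats, skipped */
    0x00, 0x00, 0x00, 0x10,                       /* server_name, length 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,                 /* list len 14, host_name, len 11 */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm',
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns 1 and writes the NUL-terminated SNI host_name to out when the payload
 * is a complete TLS ClientHello carrying a server_name extension, else 0. Every
 * length is checked against the bytes actually present: this runs on untrusted
 * packets, and a bad length field must never read past the buffer. */
static int extract_sni(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    if (n < 5 || p[0] != 0x16) return 0;                 /* not a handshake record */
    size_t rec_len = be16(p + 3);
    if (rec_len > n - 5) return 0;                       /* truncated or split record */
    n = 5 + rec_len;
    size_t i = 5;
    if (n - i < 4 || p[i] != 0x01) return 0;             /* not a ClientHello */
    size_t hs_len = ((size_t)p[i + 1] << 16) | be16(p + i + 2);
    i += 4;
    if (hs_len > n - i) return 0;
    n = i + hs_len;
    if (n - i < 34) return 0;                            /* client_version + random */
    i += 34;
    if (n - i < 1) return 0;
    size_t sid_len = p[i++];                             /* session_id */
    if (sid_len > n - i) return 0;
    i += sid_len;
    if (n - i < 2) return 0;
    size_t cs_len = be16(p + i);                         /* cipher_suites */
    i += 2;
    if (cs_len > n - i) return 0;
    i += cs_len;
    if (n - i < 1) return 0;
    size_t cm_len = p[i++];                              /* compression_methods */
    if (cm_len > n - i) return 0;
    i += cm_len;
    if (n - i < 2) return 0;                             /* extensions block */
    size_t ext_len = be16(p + i);
    i += 2;
    if (ext_len > n - i) return 0;
    size_t ext_end = i + ext_len;
    while (ext_end - i >= 4) {
        size_t type = be16(p + i), len = be16(p + i + 2);
        i += 4;
        if (len > ext_end - i) return 0;
        if (type != 0x0000) { i += len; continue; }      /* not server_name */
        if (len < 2) return 0;
        size_t j = i + 2, list_end = i + 2 + be16(p + i);
        if (list_end > i + len) return 0;
        while (list_end - j >= 3) {                      /* ServerName entries */
            uint8_t name_type = p[j];
            size_t name_len = be16(p + j + 1);
            j += 3;
            if (name_len > list_end - j) return 0;
            if (name_type == 0) {                        /* host_name */
                if (name_len + 1 > outlen) return 0;
                memcpy(out, p + j, name_len);
                out[name_len] = '\0';
                return 1;
            }
            j += name_len;
        }
        return 0;                                        /* SNI without host_name */
    }
    return 0;
}

/* Constructed blocklist. Exact match or subdomain match (host ends in ".<entry>");
 * SNI names are lowercase ASCII in practice, a production filter should still
 * normalise case before comparing. */
static const char *const demo_blocklist[] = { "example.com", "ads.example.net" };
#define DEMO_BLOCKLIST_LEN (sizeof demo_blocklist / sizeof demo_blocklist[0])

static int host_is_blocked(const char *host, const char *const *list, size_t count)
{
    size_t hl = strlen(host);
    for (size_t k = 0; k < count; k++) {
        size_t bl = strlen(list[k]);
        if (hl == bl && memcmp(host, list[k], bl) == 0) return 1;
        if (hl > bl && host[hl - bl - 1] == '.' && memcmp(host + hl - bl, list[k], bl) == 0)
            return 1;
    }
    return 0;
}

/* Per-packet decision: 1 = block (send RST as webfilter does), 0 = reinject.
 * Unreadable or absent SNI passes through: a hostname filter can only act on
 * what the handshake reveals. */
static int decide(const uint8_t *payload, size_t len)
{
    char host[256];
    if (!extract_sni(payload, len, host, sizeof host)) return 0;
    return host_is_blocked(host, demo_blocklist, DEMO_BLOCKLIST_LEN);
}

/* Hostname parsed from the constructed hello, or "" if parsing fails. */
static const char *sample_host(void)
{
    static char host[256];
    if (!extract_sni(sample_client_hello, sizeof sample_client_hello, host, sizeof host))
        host[0] = '\0';
    return host;
}
```

Three limits worth knowing before wiring this into the WinDivert loop: the parser rejects a record that does not fit in the buffer instead of reassembling it, so a ClientHello larger than one TCP segment (common now that clients send post-quantum key shares) needs stream reassembly first; QUIC/HTTP3 on UDP 443 is not covered; and a client using Encrypted Client Hello shows only a public outer name here. None of this changes the answer above: the path and query string stay encrypted.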

Other tips

You would need to produce:

  1. a proxy service, like the ones you find on GitHub, that acts as a "man-in-the-middle", captures the HTTPS handshakes and replays them with its own in order to decrypt all HTTPS traffic; this is usually done using a certificate that

  2. you need to install on the server/PC so that the browser can be tricked into trusting it.

Then you can sit between the two parties and record, block or allow communication between any two endpoints on the device.

Have a look at: https://github.com/matt-dot-net/HttpProxy

And the implementation: https://www.codeproject.com/Messages/3952869/Which-Options-do-I-need-to-use-to-make-the-certifi

License: CC-BY-SA with attribution
Not affiliated with StackOverflow