Re: Intercepting DNS Queries Using LSP
Group: comp.os.mswindows.programmer.networks · Group Profile
Author: sarshah20
Date: Mar 13, 2008 09:12

Hi again,

I have done a few additional things since yesterday to track down the
issue.

I have restarted the system after installing the LSP. I did it because
an LSP, when installed, is only effective for those processes that are
executed after the LSP installation. So if I want to intercept network
calls by processes that are already running (like different services
or some other user process), then I would have to restart the system.
Still, DNS queries are undetectable.

In order to verify whether an LSP can intercept any UDP traffic, I tried
to connect from the machine where the LSP is installed to a TFTP server
on a remote machine (on the LAN). The connection was successful and the
LSP intercepts the data sent over UDP (UDP data dumped in the log file
and compared with the network traffic to verify). From this, I am
suspecting that DNS queries are not sent by a process operating at
user level. I am not sure if this statement is entirely correct.

So far no one has responded to the post. If all the details in the
first post have created ambiguity and I have failed to convey my
question, then let's just forget about all the details about what I did
or did not do and help me find the answer to the following question:

Can an LSP be used to intercept DNS queries? Or can DNS queries not be
intercepted (by an LSP) at user level? (An LSP operates at user level.)

Responses by some of the guys really helped me in one of my posts
related to LSP. If you guys are listening out there... please help
me.

sarshah.

On Mar 12, 10:04 pm, sarsha...@yahoo.com wrote:
> Hi All,
>
> I was looking (again :)) at the LSP code that comes with the Platform
> SDK which I downloaded a couple of months ago. I just wanted to see if
> an LSP traps DNS requests, so I modified the WSPSend function by only
> adding the code to dump to a file any data that is passed in the
> LPWSABUF lpBuffers param. Before doing something that would send a DNS
> query, I started Ethereal to see any traffic being sent on the wire.
> After that, I started a web browser window and accessed a URL (it's not
> in the cache). I found out that WSPSend did not print any data sent on
> UDP even though a DNS request could be seen on the wire (WSPSend does
> get called, though, multiple times). The same code prints data sent on
> TCP (like the HTTP traffic of the page I opened). I have debugged the
> LSP DLL to see if I am doing something wrong while dumping data to a
> file, but the contents of the buffers (being sent as parameters) match
> the dumped data. The observation that I made is that every time
> WSPSend is called for UDP data, it shows the length of the buffer
> (LPWSABUF.len) as just one byte and the contents (LPWSABUF.buf) as
> 21 hex (!).
>
> I have also logged whenever calls to other send functions such as
> WSPSendTo and WSPSendDisconnect are made, but for accessing a URL (and
> the DNS query sent as a result), only WSPSend is called (and I am
> perfectly OK with that). Since these functions were never being
> called, I did not bother logging the data being passed as their
> parameters.
>
> So my question is: can an LSP be used to trap DNS requests? If yes,
> then how can it be done, and any idea on why I am seeing the
> aforementioned behavior?
>
> The OS is Windows XP SP2 and I have installed the LSP in two different
> ways using the following commands:
>
> - instlsp -i -a -n "MyLSP"
> - instlsp -i -o 1001 -o 1002 -n "MyLSP"
>
> Thank you for your help,
>
> sarshah.
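As an added example (not part of the original post or of the Platform SDK LSP sample), the check below is what I would run over buffers dumped from a WSPSend/WSPSendTo hook to decide whether a given buffer is actually a DNS query, rather than comparing dumps against the wire by eye. The two sample buffers are constructed here: a standard A query for example.com, and a one-byte 0x21 buffer mirroring the UDP observation in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 and writes the first question name (dotted form) into name if
   buf holds a well-formed DNS query (QR=0, opcode QUERY, QDCOUNT>=1,
   complete QNAME + QTYPE + QCLASS); returns 0 otherwise. */
int looks_like_dns_query(const uint8_t *buf, size_t len, char *name, size_t name_len)
{
    if (name_len == 0) return 0;
    name[0] = '\0';
    if (len < 12) return 0;                        /* DNS header is 12 bytes */
    uint16_t flags   = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t qdcount = (uint16_t)((buf[4] << 8) | buf[5]);
    if (flags & 0x8000) return 0;                  /* QR bit set: this is a response */
    if (((flags >> 11) & 0xF) != 0) return 0;      /* only the standard QUERY opcode */
    if (qdcount < 1) return 0;

    size_t pos = 12, out = 0;
    for (;;) {
        if (pos >= len) return 0;                  /* QNAME runs past the buffer */
        uint8_t lab = buf[pos++];
        if (lab == 0) break;                       /* root label ends the QNAME */
        if (lab & 0xC0) return 0;                  /* no compression pointers in a query name */
        if (pos + lab > len) return 0;
        if (out + lab + 1 >= name_len) return 0;   /* would not fit in name */
        if (out) name[out++] = '.';
        memcpy(name + out, buf + pos, lab);
        out += lab; pos += lab;
    }
    name[out] = '\0';
    return (pos + 4 <= len) ? 1 : 0;               /* QTYPE and QCLASS must follow */
}

/* Constructed samples (not captured data). */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00, /* header, RD set */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,                  /* QNAME example.com */
    0x00,0x01, 0x00,0x01 };                                           /* QTYPE A, QCLASS IN */
static const uint8_t sample_one_byte[] = { 0x21 };                    /* the 1-byte UDP send seen in the post */

int main(void)
{
    char name[256];
    int q = looks_like_dns_query(sample_query, sizeof sample_query, name, sizeof name);
    printf("query buffer: %d (%s)\n", q, name);   /* prints: query buffer: 1 (example.com) */
    int b = looks_like_dns_query(sample_one_byte, sizeof sample_one_byte, name, sizeof name);
    printf("one-byte buffer: %d\n", b);            /* prints: one-byte buffer: 0 */
    return 0;
}
```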