Open ErcinDedeoglu opened 1 year ago
Windows or Linux?
@kayoub5 For the first stage, Windows.
@ErcinDedeoglu You can usually force the whole OS by using a tuntap device and making a VPN from it.
Or use the WinDivert or WinPktFilter driver to alter packets.
Npcap can also be used to alter packets, but it requires some registry changes.
The most difficult part is figuring out which process each packet belongs to.
Thank you, @kayoub5.
I was trying to reverse engineer what the ProxyCap application is doing. After you pointed to the registry change, I realized that ProxyCap made a couple of changes to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001]
"ProtocolName"="PROXYCAP MSAFD Tcpip [TCP/IP]"
As I can see, it's easy for a device-level proxy, and there are a lot of examples, most of them open source.
What I understand from your reply: to accomplish this at the process level, I need to interrupt communication and check the packet content to understand which process the packet belongs to, and redirect them over the proxy? In this case, can I use WinDivert or WinPktFilter, as you suggested? But one more thing I read is that WinDivert is recognized as malware by the Windows driver signing service. Expanding it to other clients who don't know me will create a trust problem.
Could you advise me for direction, please?
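The registry key quoted above is a Winsock 2 protocol catalog entry; its PackedCatalogItem value is a 260-byte ANSI provider DLL path followed by a WSAPROTOCOL_INFOW structure. The decoder below is an added example (not code from the thread, ProxyCap, or the project): it parses that layout, flags entries whose ChainLen is not 1 (layered providers and protocol chains, which is how a Winsock LSP reroutes sockets) or whose DLL is not mswsock.dll, and builds constructed sample items for testing (GUIDs, catalog ids and chain ids are made up, shaped like the entry in the dump).

```python
import struct
import uuid

MAX_PATH = 260  # ANSI provider DLL path that leads every PackedCatalogItem
# WSAPROTOCOL_INFOW fixed part: dwServiceFlags1-4, dwProviderFlags, ProviderId, dwCatalogEntryId,
# ChainLen, ChainEntries[7], nine int fields, dwMessageSize, dwProviderReserved; szProtocol follows.
FIXED_FMT = "<5I16sII7I9i2I"
FIXED_LEN = struct.calcsize(FIXED_FMT)      # 116 bytes
NAME_LEN = 512                              # szProtocol: 256 WCHARs
ITEM_LEN = MAX_PATH + FIXED_LEN + NAME_LEN  # 888 bytes

def parse_packed_catalog_item(blob):
    """Decode one PackedCatalogItem into the fields that matter for review."""
    dll = blob[:MAX_PATH].split(b"\0", 1)[0].decode("ascii", "replace")
    f = struct.unpack_from(FIXED_FMT, blob, MAX_PATH)
    chain_len = f[7]
    name = blob[MAX_PATH + FIXED_LEN:ITEM_LEN].decode("utf-16-le").split("\0", 1)[0]
    return {"dll": dll, "provider_id": str(uuid.UUID(bytes_le=f[5])),
            "catalog_id": f[6], "chain_len": chain_len,
            "chain": list(f[8:8 + min(chain_len, 7)]) if chain_len > 1 else [],
            "family": f[16], "socket_type": f[19], "protocol": f[20], "name": name}

def is_layered(info):
    """ChainLen 1 is a base provider. 0 marks a layered provider (an LSP DLL) and
    >1 a protocol chain that routes sockets through one; both deserve a look."""
    return info["chain_len"] != 1

def review(blobs):
    """Return entries a defender would inspect: layered ones, or ones not served by
    mswsock.dll, which backs the stock Windows catalog (a heuristic, not an allowlist)."""
    return [i for i in map(parse_packed_catalog_item, blobs)
            if is_layered(i) or not i["dll"].lower().endswith("mswsock.dll")]

def build_item(dll, name, provider_id, catalog_id, chain_len, chain=()):
    """Construct a PackedCatalogItem for testing (sample data, not a live registry read)."""
    entries = list(chain) + [0] * (7 - len(chain))
    fixed = struct.pack(FIXED_FMT, 0x20066, 0, 0, 0, 0x8, provider_id.bytes_le,
                        catalog_id, chain_len, *entries, 2, 2, 16, 16, 1, 6, 0, 0, 0, 0, 0)
    return (dll.encode("ascii").ljust(MAX_PATH, b"\0") + fixed
            + name.encode("utf-16-le").ljust(NAME_LEN, b"\0"))

# Constructed samples: a stock base provider and a layered chain shaped like the
# ProxyCap entry in the thread (GUIDs and ids are invented for the example).
SAMPLE_BASE = build_item(r"%SystemRoot%\system32\mswsock.dll", "MSAFD Tcpip [TCP/IP]",
                         uuid.UUID(int=1), 1001, chain_len=1)
SAMPLE_LSP_CHAIN = build_item("pcapwsp.dll", "PROXYCAP MSAFD Tcpip [TCP/IP]",
                              uuid.UUID(int=2), 1018, chain_len=2, chain=(1017, 1009))

if __name__ == "__main__":
    for entry in review([SAMPLE_BASE, SAMPLE_LSP_CHAIN]):
        print(f"review: {entry['name']} -> {entry['dll']} chain={entry['chain']}")
```

On a real host the same parser can be fed the PackedCatalogItem values read from Catalog_Entries64 (and the 32-bit Catalog_Entries) with winreg; an unexpected layered entry there is a common persistence and interception indicator worth correlating with the provider DLL's signer.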
@ErcinDedeoglu
> To accomplish this at the process level, I need to interrupt communication and check the packet content to understand which process the packet belongs to, and redirect them over the proxy?
Yes
> In this case, can I use WinDivert or WinPktFilter, as you suggested? But one more thing I read is that WinDivert is recognized as malware by the Windows driver signing service. Expanding it to other clients who don't know me will create a trust problem.
Another solution you can try is to perform socket hooking, using for example https://github.com/thenameless314159/SocketHook
@ErcinDedeoglu Just out of curiosity, where did the quest lead you?
Did you ever get it to work?
Hello, I'm researching this topic. I checked StackOverflow, and almost all issues redirected me to this project.
Please give me a hand if this is the correct place to ask.
I want to make a simple application that will take PID and force that PID's owner process to communicate via a proxy/socks.
Like ProxyCap or Proxifier... Can I use this library to make it happen? If not, could you teach me the terminology and what I should look for, so I can Google it more comfortably?
I appreciate any help you can provide.