Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Forcing a process to communicate through the proxy #434

Open
ErcinDedeoglu opened this issue Nov 14, 2022 · 6 comments
Open

Forcing a process to communicate through the proxy #434

ErcinDedeoglu opened this issue Nov 14, 2022 · 6 comments

Comments

@ErcinDedeoglu
Copy link

Hello,
I'm researching this topic. I checked StackOverflow, and almost all issues redirected me to this project.

Please give me a hand if this is the correct place to ask.

I want to make a simple application that will take PID and force that PID's owner process to communicate via a proxy/socks.

Like ProxyCap or Proxifier... Can I use this library to make it happen? If not, could you teach me the terminology and what should I look for? So I can Google it more comfortably.

I appreciate any help you can provide.

@kayoub5
Copy link
Collaborator

kayoub5 commented Nov 14, 2022

Windows or Linux?

@ErcinDedeoglu
Copy link
Author

@kayoub5 For first stage, Windows

@kayoub5
Copy link
Collaborator

kayoub5 commented Nov 14, 2022

@ErcinDedeoglu you usually can force the whole OS, by using a tuntap device and making a VPN from it.

Or use the WinDivert or WinPktFilter driver to alter packets.

Npcap can also be used to alter packets, but it requires some registry changes.

The most difficult part is figuring out what process each packet belong to.

@ErcinDedeoglu
Copy link
Author

Thank you, @kayoub5.
I was trying to reverse engineer what the ProxyCap application is doing. After you pointed to the registry change, I realized that ProxyCap made a couple of changes to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001] "PackedCatalogItem"=hex:70,63,61,70,77,73,70,2e,64,6c,6c,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,66,00,02,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,08,00,00,00,53,c1,b5,20,ee,1a,be,4c,bd,f1,0b,0e,e4,\ 4d,71,16,fa,03,00,00,02,00,00,00,f9,03,00,00,f1,03,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,02,00,00,00,10,00,00,\ 00,10,00,00,00,01,00,00,00,06,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,50,00,52,00,4f,00,58,00,59,00,43,00,41,00,50,00,20,\ 00,4d,00,53,00,41,00,46,00,44,00,20,00,54,00,63,00,70,00,69,00,70,00,20,00,\ 5b,00,54,00,43,00,50,00,2f,00,49,00,50,00,5d,00,00,00,2e,00,64,00,6c,00,6c,\ 00,2c,00,2d,00,36,00,30,00,31,00,30,00,30,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\ 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 "ProtocolName"="PROXYCAP MSAFD Tcpip [TCP/IP]"

As I can see, it's easy for device-level proxy, and there are a lot of examples, most of them open-source.

What I understand from your reply;
To accomplish this on a process level, I need to interrupt communication and check packet content to understand the packet belongs to which process and redirect them to over proxy?
For this case, can I use WinDivert or WinPktFilter as your suggestion? But one more thing I read is that WinDivert is recognized as malware by the Windows Driver signing service. For expand it to other clients who don't know me will create a trust problem.

Could you advise me for direction, please?

@kayoub5
Copy link
Collaborator

kayoub5 commented Nov 15, 2022

@ErcinDedeoglu

To accomplish this on a process level, I need to interrupt communication and check packet content to understand the packet belongs to which process and redirect them to over proxy?

Yes

For this case, can I use WinDivert or WinPktFilter as your suggestion? But one more thing I read is that WinDivert is recognized as malware by the Windows Driver signing service. For expand it to other clients who don't know me will create a trust problem.

  • It can be done with Npcap, WinDivert or WinPktFilter, but out of those three, WinDivert is the only fully open source one.
  • Those libraries will provide the packet itself, and the means to alter it, but not the means to know to what process it belongs to.

Another solution you can try, is to perform Socket hooking, using for example https://github.com/thenameless314159/SocketHook

@kayoub5
Copy link
Collaborator

kayoub5 commented Oct 9, 2023

@ErcinDedeoglu just out of curiosity, where did quest lead you?

did you ever get it to work?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants