PureBasic Interface to WinDivert

JHPJHP
Addict
Posts: 2129
Joined: Sat Oct 09, 2010 3:47 am

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- updated folder: services
-- WindowsServices.pbi
-- BlockService_x86.pb
-- RedirectService_x86.pb
- added folder: services/executables
-- WinDivertService_EXE.pb
-- WinDivertBlock_EXE.pb
-- WinDivertRedirect_EXE.pb

I've extended the service improvements made in the post Services, Stuff, and Shellhook to the service examples in this post.

Added an additional service example.
- RedirectService_x86.pb: redirects all http traffic to: http://duckduckgo.com (https traffic not affected)
- run the file a second time to delete the service

NB*: If the URL being redirected includes a sub-domain, a byproduct of redirecting to a search page is that the sub-domain may become the search parameter.

------------------------------------------------------------------------------

The following only applies to the previous update:

Fixed a path issue in the file WinDivertRedirect_EXE.pb : WinDivertRedirect.exe.
- may need to reboot your system to delete the incorrect WinDivert service (file not found message)
Last edited by JHPJHP on Sat Dec 20, 2014 6:36 pm, edited 1 time in total.

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

I've optimized the scripts with an improvement pointed out by Thunder93.
- I was allocating / freeing memory within a Repeat / Loop, but it wasn't necessary because the Function: WinDivertRecv handled the memory once it was allocated

Thank you Thunder93.

-------------------------------------------

Updated:
- updated the WinDivert binaries
-- from v1.1.6 to v1.1.7
Last edited by JHPJHP on Sat Dec 13, 2014 10:32 pm, edited 1 time in total.
Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada

Re: PureBasic Interface to WinDivert

Post by Thunder93 »

Updates ... music to my ears!

You're certainly welcome. You're doing great, interesting work! :P

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

The 3 "replace" examples have been rewritten to improve stability and packet integrity.

There are still a couple of issues that need to be addressed:
- combining multiple packets to form a webpage; there's a gap of 1460 spaces
-- HTML for the most part handles this visually
- at times packet corruption occurs and the page is in a perpetual state of loading
-- close the page and re-run the example

NB*: All other examples / services have been updated with minor improvements.

--------------------------------------------------

Updated:
- added: Constants
- added Procedure: UnsignedLong
- at times packet corruption occurs and the page is in a perpetual state of loading
-- close the page and re-run the example
Packets need to be sorted before assembling them.
- I'll update the 3 "replace" examples in the next few days
- still need to figure out the gap of 1460 spaces

--------------------------------------------------

Some minor changes have been made to the examples, most notably extending the timeout parameter.
Last edited by JHPJHP on Sat Dec 06, 2014 3:48 pm, edited 2 times in total.

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated
- deleted: wd_replace3.pb
-- example was referencing: http://reqrypt.org/windivert.html, but the site is now using CloudFlare and the current method won't work

---------------------------------------------------------

Updated the 2 "replace" examples to sort the packets first.
- includes numerous changes to the other examples, but nothing worth documenting

NB*: Still need to figure out the gap of 1460 spaces where packets are merged.

---------------------------------------------------------

Updated the 2 "replace" examples.
- fixed the issue of 1460 spaces where packets are merged

Thanks to a suggestion by Thunder93, I was pointed in a direction that led to the solution.
Last edited by JHPJHP on Tue Dec 02, 2014 10:09 pm, edited 1 time in total.
Thunder93

Re: PureBasic Interface to WinDivert

Post by Thunder93 »

Good stuff JHPJHP! Keep it coming! :D

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- Address-Direction, Control-Bits
- BuildPayload Procedure

I'm in the process of figuring out when the last fragmented packet was sent without having to reassemble first. This should speed up the injection process by removing the need for the current timeout method, which will remain as a fail-safe.

NB*: Waiting for packets with the "Fin" bit set is not feasible for injection.

-----------------------------------------------------------------------

Solved (last fragmented packet):
- wd_inflate.pb
- wd_replace1.pb
- wd_replace2.pb

Requirements:
- webpage was compressed using gzip
- the header packet includes "Content-Length"
-- transfer encoding is not Chunked
Last edited by JHPJHP on Thu Dec 04, 2014 11:47 am, edited 3 times in total.
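The two problems worked through in the posts above (packets arriving out of order and having to be sorted before assembly, and knowing when the last fragment has arrived without waiting for a FIN, using Content-Length from the header when the transfer is not chunked) are shown here in one small reassembler. This is example code added to the thread, not code from the WinDivert package or from JHPJHP's examples; it works on (sequence number, payload) pairs that are constructed inline, with the 1460-byte segment size mentioned in the thread, and does not touch WinDivert itself.

```python
"""Reassemble an HTTP response from out-of-order TCP segments and decide
when the last segment has arrived from Content-Length, without waiting
for FIN. Example code added to this thread; not part of the WinDivert
package. Sequence numbers and payloads below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MSS = 1460  # typical TCP maximum segment size on Ethernet


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


def body_length_from_header(header: bytes) -> Optional[int]:
    """Return Content-Length, or None when the body length cannot be known up
    front (chunked transfer encoding, missing or malformed Content-Length)."""
    length = None
    for line in header.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"transfer-encoding" and b"chunked" in value.lower():
            return None
        if name == b"content-length":
            try:
                length = int(value.strip())
            except ValueError:
                return None
    return length


def reassemble(segments: List[Segment]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Order segments by sequence number and concatenate them.
    Returns (stream, gaps); each gap is (first missing seq, byte count).
    Missing ranges are zero-filled so later offsets stay correct; duplicate or
    overlapping retransmissions are trimmed."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream = bytearray()
    gaps: List[Tuple[int, int]] = []
    expected = ordered[0].seq if ordered else 0
    for seg in ordered:
        if seg.seq > expected:
            gaps.append((expected, seg.seq - expected))
            stream.extend(b"\x00" * (seg.seq - expected))
            expected = seg.seq
        elif seg.seq < expected:
            overlap = expected - seg.seq
            if overlap >= len(seg.payload):
                continue  # pure retransmission, nothing new
            seg = Segment(expected, seg.payload[overlap:])
        stream.extend(seg.payload)
        expected += len(seg.payload)
    return bytes(stream), gaps


def assemble_response(segments: List[Segment]) -> Dict[str, object]:
    """Combine the segments and report whether the response is complete,
    judged by header plus Content-Length body bytes being present with no gaps
    (no FIN needed)."""
    stream, gaps = reassemble(segments)
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        return {"complete": False, "gaps": gaps, "header": b"", "body": b""}
    header = stream[:head_end]
    body = stream[head_end + 4:]
    expected = body_length_from_header(header)
    have_all = expected is not None and len(body) >= expected
    return {
        "complete": have_all and not gaps,
        "gaps": gaps,
        "header": header,
        "body": body[:expected] if expected is not None else body,
    }


# Constructed sample: a gzip-encoded response split at MSS boundaries.
SAMPLE_HEADER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"Content-Encoding: gzip\r\nContent-Length: 3000\r\n\r\n")
SAMPLE_BODY = b"A" * 3000
SAMPLE_STREAM = SAMPLE_HEADER + SAMPLE_BODY
SAMPLE_SEGMENTS = [Segment(1000 + off, SAMPLE_STREAM[off:off + MSS])
                   for off in range(0, len(SAMPLE_STREAM), MSS)]

if __name__ == "__main__":
    result = assemble_response(list(reversed(SAMPLE_SEGMENTS)))
    print("out-of-order delivery complete:", result["complete"])
    result = assemble_response([SAMPLE_SEGMENTS[0], SAMPLE_SEGMENTS[2]])
    print("middle segment lost, gaps:", result["gaps"])
```

The gap list is the part worth keeping an eye on: a missing segment shows up as a zero-filled hole at a 1460-byte boundary, which is exactly the "gap of 1460 spaces" symptom described earlier in the thread, and the response is only reported complete when there are no holes and the Content-Length bytes are all present.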

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- added 2 examples
-- wd_htmfile1.pb
-- wd_htmfile2.pb
- added folder: htmfiles
-- iTunes.htm
-- PureBasic.htm

To create additional *.htm files: Load the desired site to your browser (Internet Explorer), from the Page menu-option choose Save as... Webpage, HTML only.

The following restrictions may apply:
- packet size (use additional injections)
- https not supported (possible work around)

NB*: Update also includes numerous improvements to various examples.

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- moved Procedure: EndPacketLoop (from examples)
- added Structure: BROWSER_INFO
- added Procedure: LoadBrowser
- added 6 examples
-- wd_htmdata1.pb
-- wd_htmdata2.pb
-- wd_htmfile3.pb
-- wd_htmfile4.pb
-- wd_replace3.pb
-- wd_replace4.pb

All examples have been updated improving stability and functionality.

I've tested and applied 3 separate methods for loading a webpage to memory:
- DataSection (embedded): Used PureDataConverter by Thomas Schulz (ts-soft)
-- wd_htmdata1.pb, wd_htmdata2.pb
- DataSection (include): HTML file will be auto-created if missing
-- wd_htmfile1.pb, wd_htmfile2.pb
- ReadFile: HTML file will be auto-created if missing
-- wd_htmfile3.pb, wd_htmfile4.pb

The new examples demonstrate a better understanding of how to use WinDivert to handle packet-injection, as well as proofs of concept of vulnerabilities in "Browser Security". The examples take into consideration the relatively new HSTS protocol used by some browsers to enhance security.
- HSTS isn't currently supported by Internet Explorer, but is scheduled to be included in its next release

HTTP Strict Transport Security
- answer to SSLStrip (Moxie Marlinspike), and MITM attacks

Additional Documentation:
- https://www.chromium.org/hsts
- https://tools.ietf.org/pdf/rfc6797
- https://hstspreload.appspot.com/

See HSTS in action by running one of the following new examples:
- wd_htmdata1.pb, wd_htmdata2.pb, wd_htmfile3.pb, wd_htmfile4.pb

Run the example a second time, first changing the following parameter from "iexplore" to "chrome":
- Google Chrome must be installed (includes the HSTS protocol)

Code:

    dwUser1\Browser = "iexplore"

You should have noticed that on the first run, using the parameter "iexplore", a fake webpage was injected in place of the real page. But on the second run, using the parameter "chrome", the real webpage was loaded and the injection denied: HSTS forced HTTPS using the browser's built-in predefined list.

With the advent of HTTPS, and now HSTS, the user is conditioned to trust secured (HTTPS) webpages as legitimate. Run the example wd_htmdata1.pb, changing the following 2 parameters:
- did you notice the spelling of "Twitter" in the URL? Neither would the average user

Code:

    dwUser1\Browser = "chrome"
    dwUser1\URL = "-private http://twittter.com/"

Here the intended address was redirected to a URL that closely matched the original, but because the site was HTTP and not HTTPS the injection was successful.

NB*: For educational purposes only, please use responsibly.
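The behaviour described in this post (Chrome refusing the injected plain-HTTP page for a preloaded host while a lookalike domain such as twittter.com gets no protection) comes down to the HSTS rules in RFC 6797. The following is an added example written for this thread, not code from the WinDivert package or from any browser: a minimal HSTS policy store that parses Strict-Transport-Security headers, honours includeSubDomains and max-age expiry, ignores the header when it arrives over plain HTTP, and upgrades http:// URLs for known hosts. The preload entry it starts with is constructed and is not the real Chromium list.

```python
"""Minimal HSTS policy store (RFC 6797) showing why a browser refuses a
plain-HTTP page for a host it knows must use HTTPS, while a lookalike host
gets no such protection. Example code added to this thread; not from the
WinDivert package or any browser. The preload list below is constructed."""
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when max-age is absent or malformed, which RFC 6797 treats
    as an invalid header."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=(), now: Callable[[], float] = time.time):
        self._now = now
        self._preload = {h.lower() for h in preload}
        # host -> (expiry, or None for static preload entries; include_subdomains)
        self._entries: Dict[str, Tuple[Optional[float], bool]] = {
            h: (None, True) for h in self._preload}

    def observe_header(self, host: str, header: str, secure: bool) -> bool:
        """Record an STS header received for host. Returns True if it was applied."""
        if not secure:
            return False  # RFC 6797 section 8.1: ignore the header over plain HTTP
        parsed = parse_sts(header)
        if parsed is None:
            return False
        host = host.lower().rstrip(".")
        if host in self._preload:
            return True  # static entry; a dynamic header does not change it
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 means forget the host
        else:
            self._entries[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent domain flagged includeSubDomains, has an unexpired entry."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= self._now():
                del self._entries[candidate]  # expired dynamic entry
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when policy demands it (port 80 -> 443)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(preload=["twitter.com"])  # constructed preload entry
    print(store.upgrade("http://twitter.com/"))    # upgraded to https
    print(store.upgrade("http://twittter.com/"))   # lookalike host: left as http
```

Two details matter for the point made in the post: the lookup walks up the parent domains, so a preloaded entry with includeSubDomains covers api.twitter.com as well, and a host that differs by a single letter never matches any entry, which is why an HTTP page for it is still loaded.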

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Tested the examples on Windows 8:
- added the Compiler option: Request Administrator mode for Windows Vista and above
- examples in the "services" folder not currently working (Windows Vista, Windows 7 not affected)

Read the previous post for a review of changes and some general information.

Additional Information (to previous post):
- the example: wd_redirect.pb works for sites that are not redirected internally
- some sites are hosted by a third party that share an IP address across multiple domains, and redirect based on the URL
- the example / service rely on a single-site IP address for the injection to work
Last edited by JHPJHP on Tue Dec 23, 2014 1:21 pm, edited 1 time in total.

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated the service section of the package to work in Windows 8.
- added executable: WinDivertElevated_EXE.pb | WinDivertElevated.exe
- may not run correctly with UAC enabled

Information: http://mfctips.com/2013/01/04/createpro ... -manifest/

-----------------------------------------------------------

Updated:
- added file: services/SetManifest_x86.pb
- added folder: services/manifests
-- WinDivertBlock.manifest
-- WinDivertRedirect.manifest

SetManifest_x86.pb: was an exercise to see if it made a difference from what PureBasic handles internally when the following Compiler-option was set:
- Request Administrator mode for Windows Vista and above

*** not currently being used, but would become useful when creating a signed binary: [ uiAccess="true" ] ***

Information: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
-- tool to view manifest in binary: http://www.angusj.com/resourcehacker/

-----------------------------------------------------------

Updated:
- fixed an issue with the Include files, should now run in PureBasic 5.24 LTS (x86 / x64)

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- updated the WinDivert binaries
-- from v1.1.7 to v1.2.0 RC

I skipped over v1.1.8 (stable release), see changelog and documentation for more information:
- https://www.reqrypt.org/windivert-changelog.txt
- https://www.reqrypt.org/windivert-doc-v1.2.html

NB*: Update also includes various bug fixes and modifications to accommodate the new binaries and Windows 10.

------------------------------------------------------------

Updated the DataSections, HTM files, and URLs.

Update allows the examples to work with the latest browser changes, mainly the inclusion of the HSTS protocol in Internet Explorer.
- see this earlier post for additional information: http://www.purebasic.fr/english/viewtop ... 76#p457376

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- renamed 1 example
-- wd_redirect.pb to wd_redirect2.pb
- added 1 example
-- wd_redirect1.pb: redirects a webpage to an alternate address by modifying the (header) packet

*** removed the service examples ***

A couple of limitations of the original redirect example (wd_redirect2.pb) were working with subdomains and only supporting redirection to an IP address...

I noticed if I wanted to redirect from:
- www.reqrypt.org to www.purebasic.com
It worked as expected.

But if I wanted to redirect from:
- www.reqrypt.org/windivert.html to www.purebasic.com
It failed.

But testing redirection from:
- www.reqrypt.org/windivert.html to duckduckgo.com
It worked, but was adding the subdomain to the redirected URL: duckduckgo.com/windivert.html
( the search-engine allowed for the added subdomain otherwise loading the page would have failed )

References:
- https://en.wikipedia.org/wiki/List_of_H ... der_fields
- https://en.wikipedia.org/wiki/HTTP_301

NB*: Update also includes numerous improvements to various examples.

Re: PureBasic Interface to WinDivert

Post by JHPJHP »

Updated:
- added 1 example
- added 1 htm file
- added 1 icon file

wd_session.pb:
- creates an HTTP block or redirect session
- threads are used to manage the sessions through a GUI

Block Session:
- only HTTP sites can be blocked
- blocked packet information saved to the binaries folder: BlockedSites.txt

Redirect Session:
- only HTTP sites can be redirected
- redirected packet information saved to the binaries folder: RedirectedSites.txt

NB*: Stopping the redirect session or closing the window while the redirect session is running takes a few seconds.
Last edited by JHPJHP on Fri Sep 25, 2015 11:39 pm, edited 3 times in total.
Keya
Addict
Posts: 1891
Joined: Thu Jun 04, 2015 7:10 am

Re: PureBasic Interface to WinDivert

Post by Keya »

looks a lot more fun than winpcap, thanks for sharing! :)