PureBasic Interface to WinDivert

Posted: Mon Nov 03, 2014 7:18 pm
by JHPJHP

Re: PureBasic Interface to WinDivert

Posted: Tue Nov 04, 2014 6:01 am
by Thunder93
Great stuff! Indeed a fun project.

After extraction I went to test an example and it threw link errors because I'm using PB x64. I had to replace \binaries\WinDivert.dll and \binaries\WinDivert.lib with their x64 counterparts. There might be a better way to support the two different platforms straight out of the box. With WinDivert's latest release, it now searches for the driver files in the application's directory (as opposed to the current directory, like previously).

Re: PureBasic Interface to WinDivert

Posted: Tue Nov 04, 2014 9:46 am
by JHPJHP
Hi Thunder93,
After extraction I went to test an example and it threw link errors because I'm using PB x64. I had to replace \binaries\WinDivert.dll and \binaries\WinDivert.lib with their x64 counterparts.
Thanks, I knew I forgot to mention something. :)
There might be a better way to support the two different platforms straight out of the box. With WinDivert's latest release, it now searches for the driver files in the application's directory
Are you referring to the program's application directory or Windows' Application directory? If the former, did you get a working configuration between 32bit and 64bit systems OOTB that can be applied to the package?

---------------------------------------------------

Updated:
- added: pb_procedures.pbi (includes\)
-- moved Procedure: TestForError (from examples)
-- added Procedure: URL2IP

I added the Procedure: URL2IP because WinDivert requires the use of IP addresses, and some of the examples stopped working due to a website changing their IP address.

Re: PureBasic Interface to WinDivert

Posted: Tue Nov 04, 2014 11:44 pm
by Thunder93
With your second update, when I now go to create the required 64bit start_service executable, there's an error saying that the TestForError() procedure has already been declared. :p

The start_service steps I would like to avoid. When I run wd_sniffing.pb and the WinDivert driver hasn't been loaded, the first WinDivertOpen() call always fails because it's looking for the driver where the compiled executable is created, which is the %Temp% location unless the 'Create temporary executable in the source directory' compiler option is enabled. As a last resort the start_service executable found in the \binaries\ location is used, where it is able to load the WinDivert driver. Then I have to re-run the example for it to be successful.


.. I haven't done much work with WinDivert; I've been busy with another project. Then I was mostly AFK, outside enjoying the summer weather that has now passed. :evil:

Re: PureBasic Interface to WinDivert

Posted: Wed Nov 05, 2014 12:34 am
by JHPJHP
Hi Thunder93,

All good suggestions. I moved some things around in the code that should make a difference.

Thank you.

--------------------------------------------------------------

Some minor changes have been made to the package, based on suggestions by Thunder93.

If you haven't already done so, check out the WinDivert site to see its full potential: http://reqrypt.org/windivert.html.

Re: PureBasic Interface to WinDivert

Posted: Wed Nov 05, 2014 12:53 am
by Thunder93
That makes a difference. Good job. :)

Re: PureBasic Interface to WinDivert

Posted: Thu Nov 06, 2014 3:43 am
by Thunder93
Hi JHPJHP.

The timeSetEvent API is using too small a delay. 9/10 times I can't get the sniffing information.

PureBasic Interface to WinDivert

Posted: Thu Nov 06, 2014 4:11 am
by JHPJHP
Hi Thunder93,

I'm glad you pointed that out, I originally set the timeout parameter to the lowest value that worked on my system. I've updated all the examples to 3 times the previous value, from 500 milliseconds to 1500, including lowering the resolution from 10 to 0 (most accurate, but highest CPU usage).

Thank you.

--------------------------------------------------------------

For anyone interested in WinDivert

With a slight modification to the examples:
- removing the timeout parameter, adjusting the filter, etc.
- incorporating a service (framework for creating one: http://www.purebasic.fr/english/viewtop ... 12&t=60881)

You'll have the beginnings of a powerful tool.

Re: PureBasic Interface to WinDivert

Posted: Thu Nov 06, 2014 4:25 am
by Thunder93
I had to up it to 5000 to ensure it'll always capture when running via PB compiler.

Re: PureBasic Interface to WinDivert

Posted: Thu Nov 06, 2014 11:28 pm
by JHPJHP
Hi Thunder93,
I had to up it to 5000 to ensure it'll always capture when running via PB compiler.
The additional information is good. I'm going to leave the timeout at 1500 milliseconds, but I added the following extra lines of information to the readme.txt file.
- adjust an example's timeout parameter if the desired result is not received
-- currently set to 1500 milliseconds: timeSetEvent_(1500, ...)

Thank you.

Re: PureBasic Interface to WinDivert

Posted: Fri Nov 07, 2014 10:46 am
by Kwai chang caine
Hello JHPJHP

Thanks for all your precious sharing 8)
I'm on W7 and I have the error message "MSVCR110.dll missing", surely because I'm not an administrator? :oops:

Re: PureBasic Interface to WinDivert

Posted: Fri Nov 07, 2014 11:26 pm
by JHPJHP
Hi Kwai chang caine,

You're correct about the required privileges, see the following quote from the WinDivert site:
1. To use WinDivert please ensure that you use the correct version (i.e. 32-bit WinDivert for 32-bit system, etc.) and that you are running with Administrator privileges. Otherwise WinDivert will fail to load.
2. As of version 1.0.4, the binary WinDivert drivers are signed by Nemea Mjukvaruutveckling (Nemea Software Development). We thank Nemea for their support. Commercial users of WinDivert should sign the driver with their own certificate if possible.
3. The WinDivert.dll and sample executables depend on an appropriate version of the Microsoft Visual C++ Redistributable library. For example, the MSVC WinDivert build depends on MSVCR110.dll. This file is not distributed as part of the WinDivert binary package and must be installed separately.
NB*: I've already included the Microsoft Visual C++ Redistributable: binaries/msvcr120.dll.

Thank you.

Re: PureBasic Interface to WinDivert

Posted: Tue Nov 11, 2014 2:41 am
by JHPJHP
For anyone interested in WinDivert

With a slight modification to the examples:
- removing the timeout parameter, adjusting the filter, etc.
- incorporating a service (framework for creating one: http://www.purebasic.fr/english/viewtop ... 12&t=60881)

You'll have the beginnings of a powerful tool.
Updated:
- added folder: services
-- CreateDeleteService.pb
-- WinDivertBlockHTTP_EXE.pb
-- WinDivertService_EXE.pb
- added: WinDivertBlockHTTP.exe (located in: binaries\)
- added: WinDivertService.exe (located in: binaries\)

*** The new scripts are an amalgamation of WinDivert and some of the other "Tricks 'n' Tips" I've uploaded. ***

Information:
- WinDivertBlockHTTP_EXE.pb : WinDivertBlockHTTP.exe
-- file used by Windows services to block all http sites (encrypted: https sites not affected)
- WinDivertService_EXE.pb : WinDivertService.exe
-- file used by Windows services to execute: WinDivertBlockHTTP.exe

Run the file: services/CreateDeleteService.pb to create / delete the service: WinDivertBlockHTTP. Once the service has been created, all non-encrypted sites should be blocked.
- when creating the service choose the file: binaries/WinDivertService.exe
- run the file a second time to delete the service


NB*: I've only tested the Windows services part of the package using PureBasic 32bit / Windows 7 64bit.

Re: PureBasic Interface to WinDivert

Posted: Wed Nov 12, 2014 10:52 am
by Kwai chang caine
Thanks for your answer and obviously for all your great work on the different subjects 8)

PureBasic Interface to WinDivert

Posted: Thu Nov 13, 2014 3:00 am
by JHPJHP
Hi Kwai chang caine,

Thank you for your kind words.

---------------------------------------------------------------

Applied some updates to the code, including renaming some files.
- fixed a couple small things not worth mentioning

Updated the file: WinDivertBlockHTTP_EXE.pb (WinDivertBlockHTTP.exe).
- added a logging algorithm (includes a sound)
-- packet-data taken directly from the example: wd_sniffing.pb
-- saves packet information if 5 or more seconds have passed since the last connection attempt
-- log file saved to the folder/file: services/BlockedSites.txt

I added the logging algorithm because in the past I've used a program that monitored hidden outgoing connections that occurred without user interaction, and wondered if this simple example could catch such connections.
- the filter can be widened to include additional ports, etc., but for what I was trying to accomplish it worked

filter.s = "outbound && ip && tcp.DstPort == 80 && tcp.PayloadLength > 0"
---------------------------------------------------------------

Updated the file: WinDivertBlockHTTP_EXE.pb (WinDivertBlockHTTP.exe).
- added a timeout function to test the service status; otherwise, when the service was deleted, the file WinDivertBlockHTTP.exe wouldn't know to quit until a website was loaded
-- function: WinDivertRecv holds execution until a packet is received
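As an added illustration (not code from this thread or from the WinDivert project, and in Python rather than PureBasic so it runs without the driver), here is what the post's filter string and its "5 or more seconds since the last connection attempt" logging rule do when applied to a few constructed packets. Packet, matches, BlockedSitesLog and run_demo are names assumed for the example; only the filter string itself comes from the post.

```python
import operator
import re
from dataclasses import dataclass

FILTER = "outbound && ip && tcp.DstPort == 80 && tcp.PayloadLength > 0"
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        "<": operator.lt, ">=": operator.ge, "<=": operator.le}

@dataclass
class Packet:  # constructed stand-in for a WinDivert packet plus its address info
    ts: float           # capture time in seconds
    outbound: bool
    ip: bool            # IPv4 (WinDivert's "ip" flag; "ipv6" is a separate flag)
    dst_port: int
    payload_len: int

def matches(pkt, flt=FILTER):
    """Evaluate the filter subset used on the page: bare flags and
    tcp.<Field> <op> <number> terms joined by '&&' (no '||' or parentheses)."""
    fields = {"outbound": pkt.outbound, "ip": pkt.ip,
              "tcp.DstPort": pkt.dst_port, "tcp.PayloadLength": pkt.payload_len}
    def term_ok(term):
        m = re.fullmatch(r"(\S+)\s*(==|!=|>=|<=|>|<)\s*(\d+)", term)
        return _OPS[m[2]](fields[m[1]], int(m[3])) if m else fields[term]
    return all(term_ok(t.strip()) for t in flt.split("&&"))

class BlockedSitesLog:
    """The post's rule: log only if 5+ s passed since the last matching attempt."""
    def __init__(self, min_gap=5.0):
        self.min_gap, self.last_ts, self.entries = min_gap, None, []

    def handle(self, pkt):
        # Returns True when the packet matched, i.e. the service would drop it.
        if not matches(pkt):
            return False
        if self.last_ts is None or pkt.ts - self.last_ts >= self.min_gap:
            self.entries.append(f"{pkt.ts:.0f}s blocked tcp/{pkt.dst_port}")
        self.last_ts = pkt.ts  # every attempt resets the gap, logged or not
        return True

def run_demo():
    """Constructed traffic; returns (packets dropped, log entries written)."""
    pkts = [Packet(0, True, True, 80, 200),    # HTTP request: dropped and logged
            Packet(1, True, True, 443, 100),   # HTTPS: not matched, passes
            Packet(3, True, True, 80, 0),      # bare SYN, no payload: passes
            Packet(4, True, True, 80, 50),     # dropped, only 4 s since last: no log
            Packet(12, True, True, 80, 10)]    # dropped, 8 s since last: logged
    log = BlockedSitesLog()
    dropped = sum(log.handle(p) for p in pkts)
    return dropped, len(log.entries)
```

Note that because the gap is measured from the last attempt rather than the last log entry, a steady stream of attempts closer than 5 s apart produces no entries after the first; that is the trade-off the post's rule makes against log spam.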