intercepting winsock

I need to do something as Socket Spy 32.
I want my program to start an application and
then intercept all winsock calls.
How can I do that?

LVL 1
jct052097Asked:
Who is Participating?
 
AlFaConnect With a Mentor Commented:
Get the code of TCPDUMP command of freeBSD (it's unix but sockets have the same philosophy) and do something with it.
You can also get a win tcpdump in a hacker site (do not repeat it!)
0
 
anichiniCommented:
Matt Pietrek did something similar in Microsoft System's Journal Volume 12 Number 9 (September 1997), where he wrote something that could spy the wininet.dll. Check out the Under the Hood article. Perhaps the techniques he uses there are applicable to winsock.

0
 
tflaiCommented:
You can write a Winsock Helper kernel-mode driver that will act as an intermediate driver between Winsock and MSTCP protocol driver.  There is an example in the NT's DDK.  Why do you want to go through all that trouble and actually intercept all Winsock calls.  If you just want to monitor Winsock calls, probably anichini's proposed approach would do.
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
jct052097Author Commented:
MSCTCP protocol?
where I can find NT's DDK? it's free?
what's anichini proposed approach? where I can find it?

do you know wether Socket Spy 32 uses a Winsock Helper kernel-mode driver?

0
 
jct052097Author Commented:
MSCTCP protocol?
where I can find NT's DDK? it's free?

where I can find the Microsoft System's Journal?

do you know wether Socket Spy 32 uses a Winsock Helper kernel-mode driver?

0
 
tflaiCommented:
MSTCP protocol driver - Microsoft TCP/IP Protocol driver.
NTDDK - Device Driver Kit, get it by subscripting to MSDN.
Microsoft System's Journal - MSJ, on-shelf magazine.
I've looked at Socket Spy 32, it looks like that it uses API spy technique rather than using kernel-mode driver.  It can only monitor IP traffic of applications that were launched from within the program.  A kernel-mode intermediate driver would be able to monitor/intercept any IP traffic.
0
 
jct052097Author Commented:
Not really.
Socket Spy 32 receives the winsock data, look for
a pattern, change for another and then send
the modifed data to the application.

I am just like in the beginning.
I don't know how to monitor and if possible intercept winsock
data for a single application.
Where I can find the microsoft system journal?


0
 
AlFaCommented:
Sorry I 've just sent a comment. what did my mouse has done!..
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.