HTTPS DNS interception with module: ClassifyFunctions_ProxyCallouts.cpp

Good day forum

My programming environment is Visual Studio 2015.

My environment is Windows 10.

I am writing a DNS redirection application with a module:
ClassifyFunctions_ProxyCallouts.cpp from
https://github.com/Microsoft/Windows-driver-samples/blob/master/network/trans/WFPSampler/sys/ClassifyFunctions_ProxyCallouts.cpp.

What I want to achieve is to intercept certain DNS queries, e.g.
those starting with HTTPS, not HTTP, i.e. https://www.yahoo.com, then
redirect them to www.mydomain.com.

My application main aim (WHAT I WANT TO ACHIEVE) is to monitor
traffic flow in my area network.

My question is this: where in the module
ClassifyFunctions_ProxyCallouts.cpp do I specify the specific
HTTPS/HTTP to intercept and redirect?

DNS look-up doesn’t really work like that. A browser doesn’t look up http://www.yahoo.com or https://www.yahoo.com in DNS. It looks up the domain name www.yahoo.com, and then opens an appropriate port (80 and 443 are the defaults) to the returned IP.

In general, I don’t believe you can, as you seem to wish, distinguish between HTTPS and HTTP content at the transport layer level. There are clues (such as the destination port, IFF the default port is being used), but you would have to inspect the data payload within the packets, not just the transport routing information.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of tope awolowo
Sent: 16 August 2017 11:04
To: Windows System Software Devs Interest List
Subject: [ntdev] HTTPS DNS interception with module: ClassifyFunctions_ProxyCallouts.cpp


Good day sir.

Thank you for the insight.

In my research work I am applying a Callout Driver:
https://docs.microsoft.com/en-us/windows-hardware/drivers/network/windows-filtering-platform-callout-drivers2

The implementation is actually Microsoft Filtration Platform:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363967

I am actually writing a Callout Driver.

My question is this: how do I implement this Callout Driver for redirection?

Your response is highly anticipated.

Thank you

tope awolowo wrote:

I am writing a DNS redirection application with a module:
ClassifyFunctions_ProxyCallouts.cpp from
https://github.com/Microsoft/Windows-driver-samples/blob/master/network/trans/WFPSampler/sys/ClassifyFunctions_ProxyCallouts.cpp.

What I want to achieve is to intercept certain DNS queries, e.g.
those starting with HTTPS, not HTTP, i.e. https://www.yahoo.com, then
redirect them to www.mydomain.com.

Honestly, you are wasting so much of our time, because you won’t tell us
what you are actually trying to do. You keep dropping little bits and
pieces, each of which changes the job dramatically. Your second
paragraph defines a VERY different problem from the proposed solution in
your first paragraph.

You need to do a lot more reading about how networking actually works.
What you’re describing is not DNS redirection. With DNS redirection,
every reference to www.yahoo.com (whether web or email or FTP or even
ping) is redirected to a new web site. It isn’t until after the domain
has been converted to an IP address that you start to worry about what
port is being referenced (80 for HTTP or 443 for HTTPS, in this case).

And that makes what you want to do almost impossible. Consider the
processing of a request for http://www.yahoo.com. Each of these are
separate steps:

  1. Make DNS request to convert www.yahoo.com to an IP address (say
    98.138.252.30).
  2. Convert the service “http” to a port number (80).
  3. Open a TCP connection to IP 98.138.252.30, port 80.
  4. Send HTTP request.

OK, now consider the processing of a request for https://www.yahoo.com:

  1. Make DNS request to convert www.yahoo.com to an IP address (say
    98.138.252.30).
  2. Convert the service “https” to a port number (443).
  3. Open a TCP connection to IP 98.138.252.30, port 443.
  4. Send HTTP request.

Notice that, by the time the network stack sees whether this is port 80
or port 443, all you have is an IP address. There is no longer any
record of the fact that the IP address belongs to yahoo.com. Even if
you were monitoring packets, you couldn’t do the redirect.

But wait, there’s more! The HTTP request includes the web site that is
being queried, so you might think you could read that request to tell
the difference. But you can’t do that, because all HTTPS traffic is
encrypted. You cannot proxy HTTPS traffic. That’s the point of HTTPS
– it’s secure, so no one can interfere with the request.

My application's main aim (WHAT I WANT TO ACHIEVE) is to monitor
traffic flow in my area network.

You can do that today with an application like Wireshark, without
writing applications or drivers of any kind. Wireshark uses a library
called libpcap, which you could also use to write a monitoring app.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

tope awolowo wrote:

What I want to achieve is to intercept certain DNS queries, e.g.
those starting with HTTPS, not HTTP, i.e. https://www.yahoo.com, then
redirect them to www.mydomain.com.

Based on your questions, I’m wondering if you have ever actually written
a socket application. If you haven’t, then you cannot possibly have the
slightest clue about the layering and traffic flow. You should go write
a simple C or C++ application to make an HTTP request. Start with a
URL, do the name lookup, create a socket, connect it, and exchange
traffic. That will give you a much better feel for how separate all the
steps are. Once you’ve done that, then maybe you’ll be able to restate
the problem you want to solve.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
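An added example, not code from the thread or from the WFPSampler project, that walks through the separate steps Tim lists above and stands in for the socket exercise he suggests: it splits the URL into scheme and host, maps the scheme to a default port, and builds the RFC 1035 A-record query that step 1 would send. The query is only constructed in memory, not sent, so it runs without a network; the fixed transaction ID 0x1234 and the sample URLs are constructed values. Decoding the query back shows that the only thing visible at the DNS layer is the name www.yahoo.com; the http and https URLs produce byte-identical queries, and the port is chosen only afterwards, in a step the DNS message knows nothing about.

```c
/* Added example (not from the thread): the DNS query for http://www.yahoo.com
 * and https://www.yahoo.com is byte-for-byte the same; the scheme only
 * matters later, when a port is chosen. Constructed values throughout. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255

/* Split "scheme://host[/path]" into scheme and host. Returns 0 on success. */
static int parse_url(const char *url, char *scheme, size_t scheme_sz,
                     char *host, size_t host_sz)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL) return -1;
    size_t slen = (size_t)(sep - url);
    if (slen == 0 || slen >= scheme_sz) return -1;
    memcpy(scheme, url, slen);
    scheme[slen] = '\0';

    const char *h = sep + 3;
    size_t hlen = strcspn(h, "/:?#");   /* host ends at path, port, query, fragment */
    if (hlen == 0 || hlen >= host_sz) return -1;
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    return 0;
}

/* Step 2 of Tim's list: service name -> default TCP port (-1 if unknown). */
static int service_port(const char *scheme)
{
    if (strcmp(scheme, "http") == 0)  return 80;
    if (strcmp(scheme, "https") == 0) return 443;
    return -1;
}

/* Step 1: build an RFC 1035 query for an A record. Only the host name goes
 * on the wire; neither scheme nor port is part of the message.
 * Returns the message length, or -1 on error. */
static int build_dns_query(const char *host, uint16_t id, uint8_t *out, size_t out_sz)
{
    size_t n = 0, hostlen = strlen(host);
    if (hostlen == 0 || hostlen > MAX_NAME - 2) return -1;
    if (out_sz < 12 + hostlen + 2 + 4) return -1;

    out[n++] = (uint8_t)(id >> 8); out[n++] = (uint8_t)id;   /* ID */
    out[n++] = 0x01; out[n++] = 0x00;        /* flags: RD (recursion desired) */
    out[n++] = 0x00; out[n++] = 0x01;        /* QDCOUNT = 1 */
    memset(out + n, 0, 6); n += 6;           /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */

    /* QNAME: <length><label> per DNS label, terminated by a zero byte */
    const char *p = host;
    while (*p) {
        size_t lab = strcspn(p, ".");
        if (lab == 0 || lab > 63) return -1;
        out[n++] = (uint8_t)lab;
        memcpy(out + n, p, lab); n += lab;
        p += lab;
        if (*p == '.') p++;
    }
    out[n++] = 0;
    out[n++] = 0x00; out[n++] = 0x01;        /* QTYPE = A */
    out[n++] = 0x00; out[n++] = 0x01;        /* QCLASS = IN */
    return (int)n;
}

/* Decode the QNAME back out of a query: this is all a DNS-layer filter
 * can see. Returns 0 on success. */
static int dns_query_name(const uint8_t *msg, size_t len, char *name, size_t name_sz)
{
    size_t i = 12, o = 0;
    if (len < 13) return -1;
    while (i < len && msg[i] != 0) {
        size_t lab = msg[i++];
        if (i + lab > len || o + lab + 1 >= name_sz) return -1;
        if (o) name[o++] = '.';
        memcpy(name + o, msg + i, lab); o += lab; i += lab;
    }
    name[o] = '\0';
    return (i < len) ? 0 : -1;
}

/* The query a resolver would send for the URL's host. Fixed ID 0x1234 (a
 * constructed value) so two URLs can be compared byte for byte. */
static int dns_query_for_url(const char *url, uint8_t *out, size_t out_sz)
{
    char scheme[16], host[MAX_NAME + 1];
    if (parse_url(url, scheme, sizeof scheme, host, sizeof host) != 0) return -1;
    return build_dns_query(host, 0x1234, out, out_sz);
}

int main(void)
{
    uint8_t q1[512], q2[512];
    char name[MAX_NAME + 1];
    int n1 = dns_query_for_url("http://www.yahoo.com/",  q1, sizeof q1);
    int n2 = dns_query_for_url("https://www.yahoo.com/", q2, sizeof q2);
    if (n1 < 0 || n2 < 0 || dns_query_name(q1, (size_t)n1, name, sizeof name) != 0)
        return 1;
    printf("DNS query carries only the name: %s (%d bytes)\n", name, n1);
    printf("http and https queries identical: %s\n",
           (n1 == n2 && memcmp(q1, q2, (size_t)n1) == 0) ? "yes" : "no");
    printf("port chosen afterwards: http=%d https=%d\n",
           service_port("http"), service_port("https"));
    return 0;
}
```

The same layering holds for the later steps: once the query is answered, step 3 connects to (address, port) and nothing at that layer remembers the name, and for https the request of step 4 (including its Host header) is inside TLS, so a filter at the transport layer is left with exactly what this program shows.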