Application unable to retrieve redirect data after WFP Connect Redirect with nmap or wireshark. #1529

Open
keithdg opened this Issue Mar 26, 2019 · 4 comments

keithdg commented Mar 26, 2019

Application unable to retrieve redirect data after WFP Connect Redirect with nmap or wireshark.
The issue occurs when npcap is configured by nmap or wireshark data.

WFP Connect Redirect "SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT" fails to retrieve redirect data when using nmap or wireshark with the npcap loopback adapter.

Steps to Reproduce using MS WFP Sampler

  1. Get a copy of Windows Driver Kit (WDK) 8.1 Samples
    https://code.msdn.microsoft.com/windowsapps/Windows-Driver-Kit-WDK-81-cf35e953/view/SourceCode

  2. Make sure the 8.1 DDK is installed on the machine

  3. Compile the Windows Filtering Platform Sample

  4. Create a program "testprogram.exe"
    a. Listens on 127.0.0.1:4443
    b. Upon accepting a connection, queries the redirect context:

    status = WSAIoctl(originalSocket,
                      SIO_QUERY_WFP_CONNECTION_REDIRECT_CONTEXT,
                      NULL, 0,                        /* no input buffer */
                      (BYTE*)ppRedirectContext,       /* output buffer */
                      REDIRECT_CONTEXT_SIZE,
                      (LPDWORD)&redirectContextSize,  /* bytes returned */
                      NULL, NULL);                    /* no overlapped I/O */
    if (status != NO_ERROR)
    {
        status = WSAGetLastError();
        printf("WSAIoctl failed: %d\n", status);      /* print the error code */
    }
    else
    {
        /* print the redirectContext data: you will see the IP address the browser attempts to go to */
        for (DWORD i = 0; i < redirectContextSize; i++)
            printf("%02x ", ((BYTE*)ppRedirectContext)[i]);
        printf("\n");
    }

  5. Download nmap and make sure it is using npcap loopback driver

  6. On your test system install the WFP Sample driver following the steps in
    the "description.html" in the Windows Filtering Platform Sample directory.

  7. Start your testprogram.exe, get pid of the "testprogram.exe" from task manager.

  8. Configure the WFP Sampler to redirect to your Proxy Program.

    WFPSampler.Exe -s PROXY -l FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 -p TCP -pra 127.0.0.1 -prp 4443 -v -plspid

  9. Run nmap -sV 3128 localhost

  10. Open a Chrome browser and go to an address such as 10.10.10.1:520

Expectation:
The testprogram should not receive an error and should be able to retrieve the redirectContext data.

Actual:
The testprogram receives an invalid argument error.

Note:
If you do net stop npcap, the testprogram will retrieve the redirectContext without error and the IP address used in the browser will be in the redirectContext data.

dmiller-nmap commented Mar 28, 2019

Thanks for this detailed bug report! I admit I don't yet know much about the WFP loopback capture mechanism of Npcap, so it will take a lot of research to bring me up to speed. In the meantime, could you try turning on Windows Driver Verifier with standard settings for npcap.sys as well as the WFP sample driver and re-running your test? This will introduce some further checks and may produce a BSoD crash dump that we can analyze.

keithdg commented Apr 1, 2019

Thanks Daniel, here are the Verifier results:

wfp8.1>verifier /query

Time Stamp: 04/01/2019 11:36:30.359

Verifier Flags: 0x000209bb

Standard Flags:

[X] 0x00000001 Special pool.
[X] 0x00000002 Force IRQL checking.
[X] 0x00000008 Pool tracking.
[X] 0x00000010 I/O verification.
[X] 0x00000020 Deadlock detection.
[X] 0x00000080 DMA checking.
[X] 0x00000100 Security checks.
[X] 0x00000800 Miscellaneous checks.
[X] 0x00020000 DDI compliance checking.

Additional Flags:

[ ] 0x00000004 Randomized low resources simulation.
[ ] 0x00000200 Force pending I/O requests.
[ ] 0x00000400 IRP logging.
[ ] 0x00002000 Invariant MDL checking for stack.
[ ] 0x00004000 Invariant MDL checking for driver.
[ ] 0x00008000 Power framework delay fuzzing.
[ ] 0x00010000 Port/miniport interface checking.
[ ] 0x00040000 Systematic low resources simulation.
[ ] 0x00080000 DDI compliance checking (additional).
[ ] 0x00200000 NDIS/WIFI verification.
[ ] 0x00800000 Kernel synchronization delay fuzzing.
[ ] 0x01000000 VM switch verification.
[ ] 0x02000000 Code integrity checks.

[X] Indicates flag is enabled.

Verifier Statistics Summary

Raise IRQLs:                                     0
Acquire Spin Locks:                              0
Synchronize Executions:                          0
Trims:                                         929

Pool Allocations Attempted:                 747430
Pool Allocations Succeeded:                 747430
Pool Allocations Succeeded SpecialPool:     747430
Pool Allocations With No Tag:                    0
Pool Allocations Not Tracked:               742739
Pool Allocations Failed:                         0
Pool Allocations Failed Deliberately:            0

Driver Verification List

MODULE: wfpsamplercalloutdriver.sys (load: 1 / unload: 0)

  Pool Allocation Statistics: ( NonPaged / Paged )

    Current Pool Allocations:  (     2396 /        0 )
    Current Pool Bytes:        (   606368 /        0 )
    Peak Pool Allocations:     (     2399 /        0 )
    Peak Pool Bytes:           (   606760 /        0 )
    Contiguous Memory Bytes:              0
    Peak Contiguous Memory Bytes:         0

MODULE: npcap.sys (load: 1 / unload: 0)

  Pool Allocation Statistics: ( NonPaged / Paged )

    Current Pool Allocations:  (       26 /        0 )
    Current Pool Bytes:        (   241926 /        0 )
    Peak Pool Allocations:     (       35 /        2 )
    Peak Pool Bytes:           (  1879994 /      236 )
    Contiguous Memory Bytes:              0
    Peak Contiguous Memory Bytes:         0

dmiller-nmap commented Apr 1, 2019

Thanks for the update. It looks like none of the default checks produced a crash. You could add additional check flags, but we will also be doing more research and manual review to see if we can identify the problem.

keithdg commented Apr 1, 2019

Please let me know what additional checks will help you solve this.

Thanks
Keith
