Title: Authored and Presented by
1 Microsoft Layered Service Provider
Authored and Presented by Arkady Frenkel, MS MVP (Windows SDK)
2 http://www.microsoft.com/communities/mvp/mvp.mspx
(Windows SDK)
3 Agenda
- LSP (Layered Service Provider) in Microsoft Network Architecture
- History of LSP from NT4 till Vista
- CastleCops site
- Non-IFS and IFS LSP
- PSDK Examples: Compiling/Running/Debugging
- Installation/Removing
- Tools: Sporder, LSPFix
- LSP for Vista: LSP Types, LSP Categorization, UAC, LSP Development test suite
- LSP for Windows CE
- Resources
4 LSP (Layered Service Provider) in Microsoft Network Architecture
An LSP can be used to implement:
- Monitoring and filtering of data
- Modifying data (including cryptography)
- Redirection of data
- Redirection of URLs (proxy)
- Firewall (possible because the LSP runs inside the calling process and so knows the application context)
An implementation of WOSA (Windows Open System Architecture).
There are two kinds of service providers: LSP (layered) and BSP (base service provider).
5 Socket Architecture
6 (No Transcript)
7 From www.ndis.com (www.pcausa.com)
8 Networking API
- Windows Sockets (Winsock)
- Remote procedure call (RPC)
- Web access APIs (HTTP)
- Named pipes and mailslots
- Common Internet File System (CIFS)
- NetBIOS
- Other networking APIs
9 Winsock implementation
From Windows Internals by David Solomon and Mark Russinovich (this slide and the next 4)
10 RPC implementation
11 QoS schema
12 NetBIOS API implementation (an LSP can't be used here)
13 Named pipe and mailslot implementation (an LSP can't be used here)
14 History of LSP from NT4 till Vista
- LSP has been an integral part of Winsock 2 since it appeared in NT 4, and was added to Win9x.
- There have always been two types, IFS and non-IFS, but until last year only the non-IFS example was published in the Platform SDK. It first appeared in Microsoft Systems Journal (May 1999) in the article "Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider" by Wei Hua, Jim Ohlund and Barry Butterklee.
- Since then that code has been maintained at Microsoft by Anthony Jones, author of "Network Programming for Microsoft Windows" with Jim Ohlund, and of "Network Programming for the Microsoft .NET Framework" with Jim Ohlund and Lance Olson.
- Be aware that up to NT 4 SP4 an LSP had to run in an administrator context, because WPUCreateSocketHandle() could only be called from an admin context.
15 XP SP2 LSP additions
- From http://technet.microsoft.com/en-us/library/bb457156.aspx
- Winsock self-healing
- Detailed description:
- Winsock, the Windows network socket facility for applications, is extensible by a mechanism known as a Layered Service Provider (LSP). Winsock LSPs are available for a wide range of useful purposes, including internet parental controls and web content filtering. In previous versions of Windows XP, removing a malformed (also known as buggy) LSP could result in corruption of the Winsock catalog in the registry, potentially resulting in a loss of all network connectivity. Winsock now has the ability to self-heal after a user uninstalls such an LSP.
- Two new Netsh commands are available in Windows XP Service Pack 2:
- netsh winsock reset catalog
- This command resets the Winsock catalog to the default configuration. This can be useful if a malformed LSP is installed that results in loss of network connectivity. While use of this command can restore network connectivity, it should be used with care because any previously installed LSPs will need to be re-installed.
- netsh winsock show catalog
- This command displays the list of Winsock LSPs that are installed on the computer.
16 www.castlecops.com/lsps.html
17 Microsoft uses LSPs in ISA Server 2004 Firewall Client, ISA Server FW, MSN Parental Controls, LDAP RnR, Windows RSVP Service Provider.
Big guys using it: Intel, IBM, Google, Yahoo, McAfee, Citrix, Novell, CheckPoint (ZoneLabs), WinGate, SyGate
18 Layered Service Providers
19 (No Transcript)
20 IFS and Non-IFS LSP
An Installable File System (IFS) handle is a file handle returned by the IFS and can be used in file I/O operations. Socket handles can be either IFS handles or not. When a socket has an IFS handle, it can be used in file I/O functions (ReadFile/WriteFile) to perform Winsock recv and send calls. On Windows NT and above, IFS handles can be added to I/O completion ports (IOCP) to achieve scalability.
Providers (BSPs) with IFS handles indicate this via the XP1_IFS_HANDLES attribute bit in the dwServiceFlags1 field of the WSAPROTOCOL_INFOW structure.
Samples:
C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Samples\NetDS\WinSock\LSP\ifslsp
C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Samples\NetDS\WinSock\LSP\nonifslsp
21 Pros and Cons of IFS based LSP
- Pros
- An IFS LSP works on the handles built for it by the BSP.
- IFS LSP code is much less complicated than non-IFS LSP code. It does not need to handle the various complicated I/O models associated with WSPAsyncSelect and overlapped I/O, since an IFS LSP cannot be on the completion path of I/O operations. Secondly, an IFS LSP only needs to implement those Winsock SPI functions that it is interested in capturing.
- E.g. a proxy LSP only needs to intercept WSPConnect, WSPSocket, WSPSendTo, WSPGetPeerName and ConnectEx.
- Cons
- An IFS based LSP cannot post-process overlapped I/O issued through WSPSend (WriteFile), WSPSendTo, WSPRecv (ReadFile), WSPRecvFrom or WSPIoctl (or any of the Microsoft specific extension functions which may be called using overlapped I/O). To allow additional processing in the LSP after an overlapped I/O completes in any of the above calls, the LSP must be a non-IFS LSP.
- An IFS LSP lets the BSP create the socket and calls WPUModifyIFSHandle() on it before returning the handle to Winsock (ws2_32.dll).
22 What has to be implemented
- A non-IFS LSP has to implement:
- blocking, non-blocking (WSPAsyncSelect() creates a hidden window on the thread to handle the messages and returns the message to the user with WPUPostMessage())
- and overlapped modes, if the WSA_FLAG_OVERLAPPED flag is set (use WPUQueueApc() (for a thread in an alertable state) or WPUCompleteOverlappedRequest() (from NT 4 SP4, Winsock 2 rev. 2.2.2))
- Sources: spi.cpp, lspguid.cpp, extention.cpp, sockinfo.cpp, overlapped.cpp, asyncselect.cpp
- An IFS LSP relies on the base provider for its implementation
- Sources: spi.cpp, lspguid.cpp, extention.cpp, sockinfo.cpp
- Common source for both: provider.cpp
23 How the IFS implementation is done
- WPUModifyIFSHandle() is used to register the IFS handle created by the base provider with Winsock; in ifslsp's spi.cpp it is called from WSPSocket() and WSPAccept()
- SPI.CPP uses the following helper functions (which do not exist in nonifslsp):
- FindDestinationAddress(), used in WSPConnect()
- FindURL(), used in WSPSend() to parse an HTTP GET
- FreeLspProviders(), used in WSPCleanup()
- By contrast, the non-IFS spi.cpp uses WPUCreateSocketHandle() to ask for a handle, which creates the handle without the XP1_IFS_HANDLES flag in the dwServiceFlags1 member of the WSAPROTOCOL_INFOW provider information structure
24 Winsock 2 SPI Prefixes
25 WSAPROTOCOL_INFOW Structure
26 Ws2spi.h (Windows XP)
27 (No Transcript)
28 (No Transcript)
29 Exceptions in the direct mapping between Winsock API and SPI functions
- In most cases, when an application calls a Winsock 2 function, Ws2_32.dll calls a corresponding Winsock 2 SPI function to carry out the requested functionality using a specific service provider. For example, select maps to WSPSelect, WSAConnect maps to WSPConnect, and WSAAccept maps to WSPAccept. However, not all Winsock functions have a corresponding SPI function. The following list details these exceptions.
- Support functions such as htonl, htons, ntohl, and ntohs are implemented within Ws2_32.dll and aren't passed down to a service provider. The same holds true for the WSA versions of these functions.
- IP conversion functions such as inet_addr and inet_ntoa are implemented only within Ws2_32.dll.
- All of the IP-specific name conversion and resolution functions in Winsock 1.1 such as getXbyY, WSAAsyncGetXByY, and WSACancelAsyncRequest, as well as gethostname, are implemented within Ws2_32.dll.
- Winsock service provider enumeration and the blocking hook-related functions are implemented within Ws2_32.dll. Thus WSAEnumProtocols, WSAIsBlocking, WSASetBlockingHook, and WSAUnhookBlockingHook do not appear as SPI functions.
- Winsock error codes are managed within Ws2_32.dll. WSAGetLastError and WSASetLastError aren't needed in the SPI.
- The event object manipulation and wait functions, including WSACreateEvent, WSACloseEvent, WSASetEvent, WSAResetEvent, and WSAWaitForMultipleEvents, are mapped directly to native Win32 operating system calls and aren't present in the SPI.
30 Non-IFS complications
- It has to implement all modes of Winsock:
- Blocking
- Non-blocking (WSPSelect, WSPAsyncSelect)
- Overlapped (the WSA_FLAG_OVERLAPPED flag is used; WSPGetOverlappedResult)
- Create handles and track them
- Intercept all WSP calls
31 Code from spi.cpp, Non-IFS LSP
32 Continued from previous page
33 (No Transcript)
34 Code from WSPStartup() in spi.cpp, IFS LSP
35 Functions that need to be intercepted in a proxy TCP client
36 PSDK Examples: Compiling/Running/Debugging Labs
37 Installation / Removing
- WSCEnumProtocols()
- WSCInstallProvider() / WSCInstallProvider64_32()
- WSCInstallProviderAndChains() / WSCInstallProviderAndChains64_32() replaces the previous one on Vista
- WSCWriteProviderOrder() / WSCWriteProviderOrder32()
- WSCDeinstallProvider() / WSCDeinstallProvider32()
- WSCGetProviderPath() (newly added)
- WSCUpdateProvider() / WSCUpdateProvider32() (newly added)
- The 32 suffix is used for the 32-bit catalog on a 64-bit OS; without the suffix the function works on the 32-bit catalog of a 32-bit OS or the 64-bit catalog of a 64-bit OS; the 64_32 variants install into both catalogs of a 64-bit OS.
38 Installer uses WINNT.H
- The installer uses the doubly linked list and singly linked list from WINNT.h: the doubly linked list entry (LIST_ENTRY) is used for protocol catalog items and outstanding I/O, and the singly linked list (SINGLE_LIST_ENTRY) for preallocated INTERNALOVERLAPPEDSTRUCT structs.
To get from a list entry back to the address of the containing structure, the following macro from WINNT.H is used:
39 Using instlsp.exe
40 Adding an IFS LSP imposes the following installation rules:
- Non-IFS LSPs have to be higher in the stack than IFS LSPs
- A non-IFS LSP that modifies data has to be placed at the end of the protocol chain, but before the first IFS LSP
- A monitoring LSP has to be at the top of the protocol chain
- Another requirement for installing an IFS LSP is that each layered protocol chain belonging to the IFS LSP must be installed under its own GUID
- instlsp.exe has the h parameter for that (IFS LSP)
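After installing with instlsp.exe you want to see what the catalog really contains, and on an unfamiliar machine the same dump (netsh winsock show catalog, slide 15) is the quickest way to spot a third-party LSP. What follows is an added example, not code from the deck or from the Platform SDK sample, written in Python so it runs over a saved text dump instead of needing the Windows SPI. It splits the dump into entries, decodes the XP1_IFS_HANDLES bit (0x20000 in winsock2.h) of the Service Flags, resolves each chain entry back to provider names, applies the rule above that a non-IFS LSP must not sit below an IFS LSP, and points at provider DLLs living outside the system directory. The sample dump is constructed: the "Example Non-IFS LSP" and its path are made up, and only the Microsoft TCP base entry mirrors a real one. Field names follow netsh's "Key: value" layout; the exact form of the Protocol Chain line varies between Windows versions, so the parser only picks the numbers out of it, and the system-directory prefix is an assumption (unexpanded %SystemRoot%, compared case-insensitively).

```python
"""Audit a `netsh winsock show catalog` dump.  Added example, not SDK code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

XP1_IFS_HANDLES = 0x00020000            # winsock2.h: provider hands out IFS handles
SYSTEM_DIR = r"%systemroot%\system32"   # assumed unexpanded prefix, compared case-insensitively

# Constructed sample dump (not a capture): Microsoft TCP base provider, a made-up non-IFS LSP,
# and the chain entry that layers it over TCP.  Separator lines are ignored by the parser.
SAMPLE = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Service Flags:                      0x20066
Protocol Chain Length:              1
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Non-IFS LSP
Provider Path:                      C:\\Program Files\\Example\\lsp.dll
Catalog Entry ID:                   1034
Service Flags:                      0x66
Protocol Chain Length:              0
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Non-IFS LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\\Program Files\\Example\\lsp.dll
Catalog Entry ID:                   1035
Service Flags:                      0x66
Protocol Chain Length:              2
Protocol Chain:                     1034 : 1001
"""

@dataclass
class CatalogEntry:
    entry_type: str
    description: str
    provider_path: str
    catalog_id: int
    service_flags: int                              # dwServiceFlags1 of WSAPROTOCOL_INFOW
    chain: List[int] = field(default_factory=list)  # catalog IDs, top LSP first, base last
    @property
    def is_ifs(self) -> bool:
        return bool(self.service_flags & XP1_IFS_HANDLES)

def parse_catalog(text: str) -> List[CatalogEntry]:
    """Turn the 'Key: value' blocks of the dump into CatalogEntry objects."""
    entries: List[CatalogEntry] = []
    fields: Dict[str, str] = {}
    def flush() -> None:
        if fields:
            entries.append(CatalogEntry(
                entry_type=fields.get("Entry Type", "?"),
                description=fields.get("Description", "?"),
                provider_path=fields.get("Provider Path", "?"),
                catalog_id=int(fields.get("Catalog Entry ID", "0")),
                service_flags=int(fields.get("Service Flags", "0"), 16),
                chain=[int(n) for n in re.findall(r"\d+", fields.get("Protocol Chain", ""))]))
            fields.clear()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Winsock Catalog Provider Entry"):
            flush()                                  # header opens a new block
        elif ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")      # first colon separates key and value
            fields[key.strip()] = value.strip()
    flush()
    return entries

def resolve_chain(entry: CatalogEntry, by_id: Dict[int, CatalogEntry]) -> List[str]:
    """Names along a chain entry, from the top LSP down to the base provider."""
    return [by_id[i].description if i in by_id else f"<missing {i}>" for i in entry.chain]

def chain_order_ok(entry: CatalogEntry, by_id: Dict[int, CatalogEntry]) -> bool:
    """All referenced IDs must exist (a dangling one means a corrupt catalog) and no non-IFS LSP may sit below an IFS LSP."""
    if any(cid not in by_id for cid in entry.chain):
        return False
    seen_ifs = False
    for cid in entry.chain[:-1]:                     # last element is the base provider
        if by_id[cid].is_ifs:
            seen_ifs = True
        elif seen_ifs:
            return False
    return True

def audit(entries: List[CatalogEntry]) -> List[str]:
    """One line per LSP and per chain: the first thing to read on a box with odd network behaviour."""
    by_id = {e.catalog_id: e for e in entries}
    out: List[str] = []
    for e in entries:
        if e.entry_type == "Layered Service Provider":
            where = "in" if e.provider_path.lower().startswith(SYSTEM_DIR) else "OUTSIDE"
            out.append(f"LSP {e.catalog_id} '{e.description}': {'IFS' if e.is_ifs else 'non-IFS'}, "
                       f"{e.provider_path} ({where} system dir)")
        elif e.entry_type == "Layered Chain Entry":
            order = "ok" if chain_order_ok(e, by_id) else "BAD ORDER OR DANGLING ID"
            out.append(f"chain {e.catalog_id}: {' -> '.join(resolve_chain(e, by_id))} [{order}]")
    return out
```

Save the output of netsh winsock show catalog to a file on the target and feed its text to parse_catalog(), then print audit(). The "Layered Service Provider" entries (chain length 0) are the LSP DLLs themselves, so a signature check on those paths, and LSPFix, is where a clean-up starts; a chain flagged with a dangling ID is the situation the XP SP2 netsh winsock reset catalog command exists for.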
41 Tools: Sporder (Platform SDK), LSPFix (www.cexx.org/lspfix.htm)
Sporder.exe, sporder.dll in C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin\winnt
42 (No Transcript)
43 Supported Name spaces
44 www.cexx.org/lspfix.htm
45 LSP in Vista
- LSP Categorization
- LSP Types
- UAC
- LSP Development test suite
- NDF (Network Diagnostic Framework)
- Check of installed LSPs
46 Why we need categorization
- This functionality was added for the following reasons:
- System critical processes such as WinLogon and LSASS create sockets but do not send any traffic on the network, so most LSPs should not be loaded into them. A significant percentage of the system failures experienced by Windows users is due to an LSP malfunctioning when operating in the context of a system critical service. A side effect of these system processes loading LSPs is that such processes never exit, so when an LSP is installed or removed, a reboot is required.
- There are cases where applications may not want to load certain LSPs. For example, some applications may not want to load cryptography LSPs so they can communicate with other machines that do not have the cryptography LSP installed.
- The LSP categories can be used by other LSPs to determine where in the Winsock protocol chain they should install themselves. For years, various LSP developers have wanted a way of knowing how an LSP will behave. For example, an LSP that inspects the data stream would want to be above an LSP that encrypts the data. This method does rely on 3rd party LSPs to categorize themselves appropriately, but the security enhancements in Vista will help prevent users from unintentionally installing malicious LSPs.
47 WS2SPI.H (Vista)
48 LSP Categorization
- WSCGetProviderInfo
- WSCSetProviderInfo
- WSCGetApplicationCategory
- WSCSetApplicationCategory
49 LSP Types
- Nine different LSP types are defined in ws2spi.h (Vista):
- LSP_SYSTEM: LSP for system critical processes
- LSP_INSPECTOR: an LSP that simply monitors the inbound and outbound traffic but does not modify the data. An HTTP content filter is an example of an inspector (as it will deny the request).
- LSP_REDIRECTOR: this type of LSP simply modifies the addresses used in Winsock calls.
- LSP_PROXY: this LSP redirects Winsock calls to a proxy server as well as instructing the proxy via a control channel to establish outbound connections.
- LSP_FIREWALL: an LSP that monitors incoming and outbound connection requests. A firewall LSP should only inspect data and deny requests, but not actually modify the data.
- LSP_INBOUND_MODIFY: filters inbound data
- LSP_OUTBOUND_MODIFY: filters outbound data
- LSP_CRYPTO_COMPRESS: a crypto or compression LSP can modify both inbound and outbound traffic but also includes an out-of-band signing/negotiation phase.
- LSP_LOCAL_CACHE: an LSP that inspects the contents of a Winsock request and satisfies the request by generating the expected response without the request actually hitting the intended destination.
50 How the stack decides which LSPs are loaded
- If the application is not categorized (has not defined a permitted LSP category set), allow all LSPs. This is the default behavior on operating systems prior to Windows Vista, where categorization is not available.
- If both the application and the LSP have assigned categories, all of the following must be true:
- a) AT LEAST ONE of the LSP's categories is present in the application's specified permitted categories
- b) ONLY categories specified in the application's permitted categories are specified in the LSP's categories (i.e. in general, the LSP's categories must be a subset of the application's permitted category set)
- c) If LSP_SYSTEM is present in the application's permitted category set, it MUST be present in the LSP's categories
51 Categorization Example
- Application Foo.exe has a permitted LSP category set equal to LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS
- Application Bar.exe has a permitted LSP category set equal to LSP_FIREWALL | LSP_CRYPTO_COMPRESS
- There are four LSPs installed on the system with the following categorizations:
- LSP1: LSP_SYSTEM
- LSP2: 0 (no category set)
- LSP3: LSP_FIREWALL
- LSP4: LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS | LSP_INSPECTOR
- Foo.exe would only load LSP1, while Bar.exe would load LSP3 (LSP2 has no category, LSP3 lacks the LSP_SYSTEM that Foo.exe permits, LSP4 carries LSP_INSPECTOR which neither application permits, and LSP1 carries LSP_SYSTEM which Bar.exe does not permit)
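Here is the decision procedure above written out, as an added example (mine, not code from the deck, from ws2spi.h or from Winsock itself). The LSP_* values are the bit definitions from ws2spi.h; on a real system the LSP side of the comparison is what the installer writes with WSCSetProviderInfo and the application side is what WSCSetApplicationCategory stores, and this code only models the comparison Winsock makes when a process loads the catalog. It goes one step beyond the slide by naming which rule rejected an LSP, which is what you need when your LSP silently fails to load into a categorized process; the Foo.exe/Bar.exe data at the bottom is the slide's own example.

```python
"""Vista LSP category rules.  Added example, not code from the deck or from Winsock."""
from typing import Dict, List

# Category bits as defined in ws2spi.h (Windows Vista and later).
LSP_SYSTEM          = 0x80000000
LSP_INSPECTOR       = 0x00000001
LSP_REDIRECTOR      = 0x00000002
LSP_PROXY           = 0x00000004
LSP_FIREWALL        = 0x00000008
LSP_INBOUND_MODIFY  = 0x00000010
LSP_OUTBOUND_MODIFY = 0x00000020
LSP_CRYPTO_COMPRESS = 0x00000040
LSP_LOCAL_CACHE     = 0x00000080

CATEGORY_NAMES = {
    LSP_SYSTEM: "LSP_SYSTEM", LSP_INSPECTOR: "LSP_INSPECTOR",
    LSP_REDIRECTOR: "LSP_REDIRECTOR", LSP_PROXY: "LSP_PROXY",
    LSP_FIREWALL: "LSP_FIREWALL", LSP_INBOUND_MODIFY: "LSP_INBOUND_MODIFY",
    LSP_OUTBOUND_MODIFY: "LSP_OUTBOUND_MODIFY", LSP_CRYPTO_COMPRESS: "LSP_CRYPTO_COMPRESS",
    LSP_LOCAL_CACHE: "LSP_LOCAL_CACHE",
}

def describe(mask: int) -> List[str]:
    """Names of the bits set in a category mask; bits ws2spi.h does not define are reported too."""
    names = [name for bit, name in CATEGORY_NAMES.items() if mask & bit]
    unknown = mask & ~sum(CATEGORY_NAMES)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names or ["(none)"]

def rejection_reason(app_permitted: int, lsp_categories: int) -> str:
    """Empty string if Winsock loads the LSP into the application, else the rule that failed."""
    if app_permitted == 0:
        return ""                       # uncategorized application: every LSP loads, as before Vista
    if app_permitted & lsp_categories == 0:
        return "a: none of the LSP's categories is in the permitted set"   # also an uncategorized LSP
    extra = lsp_categories & ~app_permitted
    if extra:
        return "b: LSP carries " + ", ".join(describe(extra)) + ", not in the permitted set"
    if (app_permitted & LSP_SYSTEM) and not (lsp_categories & LSP_SYSTEM):
        return "c: application permits LSP_SYSTEM but the LSP is not a system LSP"
    return ""

def lsp_permitted(app_permitted: int, lsp_categories: int) -> bool:
    return rejection_reason(app_permitted, lsp_categories) == ""

def loaded_lsps(app_permitted: int, installed: Dict[str, int]) -> List[str]:
    """The LSPs, in catalog order, that load into an application with this permitted set."""
    return [name for name, cats in installed.items() if lsp_permitted(app_permitted, cats)]

# The worked example from the slide above (Foo.exe, Bar.exe and LSP1..LSP4).
FOO_PERMITTED = LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS
BAR_PERMITTED = LSP_FIREWALL | LSP_CRYPTO_COMPRESS
INSTALLED = {
    "LSP1": LSP_SYSTEM,
    "LSP2": 0,
    "LSP3": LSP_FIREWALL,
    "LSP4": LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS | LSP_INSPECTOR,
}
```

Note that rule (a) is what keeps an uncategorized LSP (LSP2) out of every categorized process, and rule (c) is why a firewall-only LSP never enters a process that permits LSP_SYSTEM: the system set is meant for the few LSPs that are safe inside WinLogon and LSASS, not as a superset of the others.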
52 UAC
- Vista requires the user running the LSP installation program to hold full built-in administrator rights; merely being a member of the Administrators group is not enough, because UAC runs such members with a filtered token until the process is elevated.
- Elevation can be requested with a manifest
- (foo.exe.manifest)
-
-
- or
53 LSP Development test suite
- Does the LSP properly layer itself in the Winsock catalog?
- Does the LSP leave the catalog in a consistent state after its install/uninstall?
- Does the LSP handle all extension functions and new WSAIoctls correctly?
NDF (Network Diagnostics Framework)
Checks the installed LSPs
Different dialog boxes are shown in the case of incorrect LSP behavior or an old LSP version
54 LSP in Windows CE
- Introduced in Windows CE 5.0 (2004)
- Sources can be found in the directory
- C:\WINCE\PUBLIC\COMMON\SDK\SAMPLES\TSP\LSP
- The Windows CE LSP is non-IFS, so it allows completion operations in overlapped mode.
- Be aware that the Winsock DLL in Windows CE is not WS2_32.dll but WS2.dll.
55 (No Transcript)
56 Resources
MSDN
Platform SDK
DDK
http://www.ndis.com/papers/winpktfilter.htm
http://www.sysinternals.com
Windows Internals by David Solomon and Mark Russinovich
Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider by Wei Hua, Jim Ohlund, Barry Butterklee
www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx
Network Programming for Microsoft Windows by Anthony Jones and Jim Ohlund
57 www.ndis.com (www.pcausa.com by Thomas F. Divine)
www.castlecops.com/LSPs.html
www.cexx.org/lspfix.htm
http://technet.microsoft.com/en-us/library/bb457156.aspx
Some time ago: www.socket2online.com (winsock2_at_2can.com)
https://connect.microsoft.com/WNDP
58 Thank you for coming!
59 Notes
- The PSDK Feb 2003 example works with OutputDebugString() together with its instlsp (lsp.dll), both in the same directory, as the readme file shows
- Winsock LSP sample (from WNDP):
- ifslsp (100 KB) does work
- The LSP ifslsp (18 KB + 1 KB manifest) can't be installed in retail mode; in debug mode, programs connected to Winsock show a dialog box about the absence of msvcr80d.dll