Slides: 60
Provided by: Ark5
1
Microsoft Layered Service Provider
Authored and Presented by Arkady Frenkel, MS MVP Windows SDK
2
http://www.microsoft.com/communities/mvp/mvp.mspx (Windows SDK)
3
Agenda
  • LSP: Layered Service Provider in Microsoft Network Architecture
  • History of LSP from NT4 till Vista
  • CastleCops site
  • Non-IFS and IFS LSP
  • PSDK Examples: Compiling/Running/Debugging
  • Installation/Removing
  • Tools: Sporder, LSPFix
  • LSP for Vista: LSP Types, LSP Categorization, UAC, LSP Development test suite
  • LSP for Windows CE
  • Resources
4
LSP: Layered Service Provider in Microsoft Network Architecture
  • LSP can be used to implement:
  • Monitoring and filtering data
  • Modifying data (including cryptography)
  • Redirection of data
  • Redirection of URL (proxy)
  • Firewall (due to the context)
  • Implementation of WOSA (Windows Open System Architecture)
  • There are two kinds of service providers: LSP and BSP
5
Socket Architecture
6
(No Transcript)
7
From www.ndis.com ( www.pcausa.com )
8
Networking API
  • Windows Sockets (Winsock)
  • Remote procedure call (RPC)
  • Web access APIs (HTTP)
  • Named pipes and mailslots
  • Common Internet File System (CIFS)
  • NetBIOS
  • Other networking APIs

9
Winsock implementation
From Windows Internals by David Solomon and Mark Russinovich (this and the 4 next)
10
RPC implementation
11
QoS schema
12
NetBIOS API implementation (LSP can't be used here)
13
Named pipe and mailslot implementation (LSP can't be used here)

14
History of LSP from NT4 till Vista
LSP was an integrated part of Winsock 2 (appeared in NT 4) and was added to Win9x. It has always come in two types, IFS and non-IFS, but up to last year only a non-IFS example was published in the Platform SDK. It appeared at the beginning in Microsoft Journal (May 1999) in the article "Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider" by Wei Hua, Jim Ohlund and Barry Butterklee. From those days that code has been supported in MSFT by Anthony Jones, author of Network Programming for Microsoft Windows with Jim Ohlund. He is also the author of Network Programming for the Microsoft .NET Framework with Jim Ohlund and Lance Olson.
Be aware that up to NT SP4 an LSP had to run in admin context, because WPUCreateSocketHandle() could only be called in admin context.
15
XP SP2 LSP additions
  • From http://technet.microsoft.com/en-us/library/bb457156.aspx
  • Winsock self-healing
  • Detailed description
  • Winsock, Windows network socket facility for
    applications, is extensible by a mechanism known
    as a Layered Service Provider (LSP). Winsock LSPs
    are available for a wide range of useful
    purposes, including internet parental controls,
    and web content filtering. In previous versions
    of Windows XP, removing a malformed (also known
    as buggy) LSP could result in corruption of the
    Winsock catalog in the registry, potentially
    resulting in a loss of all network connectivity.
    Winsock now has the ability to self-heal after a
    user uninstalls such an LSP.
  • Two new Netsh commands are available in Windows
    XP Service Pack 2:
  • netsh winsock reset catalog
  • This command resets the Winsock catalog to the
    default configuration. This can be useful if a
    malformed LSP is installed that results in loss of
    network connectivity. While use of this command
    can restore network connectivity, it should be
    used with care because any previously-installed
    LSPs will need to be re-installed.
  • netsh winsock show catalog
  • This command displays the list of Winsock LSPs
    that are installed on the computer.

16
www.castlecops.com/lsps.html
17
Microsoft uses LSP in ISA Server 2004 Firewall Client, ISA Server FW, MSN Parental Controls, LDAP RnR, Windows Rsvp Service Provider.
Big guys using it: Intel, IBM, Google, Yahoo, McAfee, Citrix, Novell, CheckPoint (ZoneLabs), WinGate, SyGate
18
Layered Service Providers
19
(No Transcript)
20
IFS and Non-IFS LSP
An Installable File System (IFS) handle is a file handle returned by the IFS and can be used in file I/O operations. Socket handles can be either IFS handles or not. When a socket has an IFS handle, it can be used in file I/O functions to perform Winsock recv and send calls. On Windows NT and above, IFS handles can be added to I/O completion ports (IOCP) to achieve scalability.
Providers (BSPs) with IFS handles indicate this via the XP1_IFS_HANDLES attribute bit in the dwServiceFlags1 field of the WSAPROTOCOL_INFOW structure.
Samples:
C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Samples\NetDS\WinSock\LSP\ifslsp
C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Samples\NetDS\WinSock\LSP\nonifslsp
21

  • Pros and Cons of IFS based LSP
  • Pros
  • An IFS LSP is based on the handles built for it
    by the BSP.
  • IFS LSP code is much less complicated
    than non-IFS LSP code.
  • It does not need to handle the various
    complicated I/O models associated with
    WSPAsyncSelect and overlapped I/O, since an IFS
    LSP cannot be on the completion path of I/O
    operations. Secondly, an IFS LSP only needs to
    implement those Winsock SPI functions that it is
    interested in capturing.
  • E.g. a proxy LSP only needs to intercept
    WSPConnect, WSPSocket, WSPSendTo, WSPGetPeerName
    and ConnectEx.
  • Cons
  • An IFS based LSP cannot post-process
    overlapped I/O using WSPSend (WriteFile),
    WSPSendTo, WSPRecv (ReadFile), WSPRecvFrom, or
    WSPIoctl (or any of the Microsoft specific
    extension functions which may be called using
    overlapped I/O). To allow additional processing in
    the LSP after an overlapped I/O completes in any
    of the above calls, an LSP must be a non-IFS LSP.
  • An IFS LSP uses the BSP to create sockets, with
    WPUModifyIFSHandle() before returning the handle to
    Winsock (ws2_32.dll).

22
What has to be implemented
  • A non-IFS LSP has to implement:
  • blocking and non-blocking modes (WSPAsyncSelect() creates a
    hidden window on the thread to handle messages and
    return messages to the user with WPUPostMessage())
  • and overlapped mode, if the WSA_FLAG_OVERLAPPED flag
    is set (use WPUQueueApc() (for a thread in alertable
    state) or WPUCompleteOverlappedRequest(), available from
    NT SP4, Winsock 2 rev. 2.2.2)
  • Sources:
  • spi.cpp, lspguid.cpp, extention.cpp, sockinfo.cpp,
  • overlapped.cpp, asyncselect.cpp.
  • An IFS LSP relies in its implementation on the base provider
  • Sources:
  • spi.cpp, lspguid.cpp, extention.cpp, sockinfo.cpp
  • Common source for both: provider.cpp

23
How the IFS implementation is done
  • WPUModifyIFSHandle() is used to ask the provider
    to make it an IFS handle, in ifslsp spi.cpp
    WSPSocket(), WSPAccept()
  • SPI.CPP uses the following helper functions (not present in
    nonifslsp):
  • FindDestinationAddress() used in WSPConnect(),
  • FindURL() used in WSPSend() to parse HTTP GET,
  • FreeLspProviders() used in WSPCleanup()
  • By contrast
  • the non-IFS spi.cpp uses WPUCreateSocketHandle() to
    ask for a handle, which creates the handle without the
    XP1_IFS_HANDLES flag in the dwServiceFlags1 member of
    the provider information structure WSAPROTOCOL_INFOW

24
Winsock 2 SPI Prefixes
25
WSAPROTOCOL_INFOW Structure
26
Ws2spi.h (Windows XP)
27
(No Transcript)
28
(No Transcript)
29
Exceptions in direct mapping Between Winsock API
and SPI Functions
  • In most cases, when an application calls a
    Winsock 2 function, Ws2_32.dll calls a
    corresponding Winsock 2 SPI function to carry out
    the requested functionality using a specific
    service provider. For example, select maps to
    WSPSelect, WSAConnect maps to WSPConnect, and
    WSAAccept maps to WSPAccept. However, not all
    Winsock functions have a corresponding SPI
    function. The following list details these
    exceptions.
  • Support functions such as htonl, htons, ntohl,
    and ntohs are implemented within Ws2_32.dll and
    aren't passed down to a service provider. The
    same holds true for the WSA versions of these
    functions.
  • IP conversion functions such as inet_addr and
    inet_ntoa are implemented only within Ws2_32.dll.

  • All of the IP-specific name conversion and
    resolution functions in Winsock 1.1 such as
    getXbyY, WSAAsyncGetXByY, and WSACancelAsyncRequest,
    as well as gethostname, are implemented within
    Ws2_32.dll.
  • Winsock service provider enumeration and the
    blocking hook-related functions are implemented
    within Ws2_32.dll. Thus WSAEnumProtocols,
    WSAIsBlocking, WSASetBlockingHook, and
    WSAUnhookBlockingHook do not appear as SPI
    functions.
  • Winsock error codes are managed within
    Ws2_32.dll. WSAGetLastError and WSASetLastError
    aren't needed in the SPI.
  • The event object manipulation and wait
    functions, including WSACreateEvent,
    WSACloseEvent, WSASetEvent, WSAResetEvent, and
    WSAWaitForMultipleEvents, are mapped directly to
    native Win32 operating system calls and aren't
    present in the SPI.

30
Non-IFS complications
  • It has to implement all modes of Winsock:
  • Blocking
  • Non-blocking (WSPSelect, WSPAsyncSelect)
  • Overlapped (uses the flag WSA_FLAG_OVERLAPPED and
    WSPGetOverlappedResult)
  • Create handles and manage them
  • Intercept all WSP calls

31
Code from spi.cpp Non-IFS LSP
32
Continued from previous page
33
(No Transcript)
34
Code from WSPStartup() in spi.cpp IFS LSP
35
Functions that need to be intercepted in a proxy TCP client
36
PSDK Examples: Compiling/Running/Debugging Labs

37
Installation/Removing
  • WSCEnumProtocols()
  • WSCInstallProvider(64_32)()
  • WSCInstallProviderAndChains(64_32)() instead of
    the previous one for Vista
  • WSCWriteProviderOrder(32)()
  • WSCDeInstallProvider(32)()
  • WSCGetProviderPath() (newly added)
  • WSCUpdateProvider(32)() (newly added)
  • The 32 postfix is used for the 32 bit catalog on a 64 bit OS;
    without it, for 32 bit on a 32 bit OS;
    and 64 for the 64 bit catalog on a 64 bit OS

38
Installer uses WINNT.H
  • The installer uses the doubly linked list and singly
    linked list from WINNT.h, where the doubly
    linked list entry (LIST_ENTRY) is used for
    protocol catalog items and outstanding I/O, and the
    singly linked list (SINGLE_LIST_ENTRY) for
    preallocated INTERBALOVERLAPPEDSTRUCT structs

To find the address, the following macro from WINNT.H is used
39
Using of instlsp.exe
40
  • Adding an IFS LSP sets the following installation rules:
  • Non-IFS LSPs have to be higher in the stack than
    IFS LSPs
  • Non-IFS LSPs which modify data have to be set at
    the end of the protocol chain, but before the first
    IFS
  • Monitoring LSPs have to be at the top of the
    protocol chain
  • Another requirement for installing an IFS LSP is that
    each layered protocol chain belonging to the IFS
    LSP must be installed under its own GUID.
  • The IFS LSP has the h param for that in
    instlsp.exe
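The three ordering rules above, turned into a checker that walks a protocol chain from the top down and reports the first entry out of place. This is an added example, not code from the presentation or from the PSDK instlsp sample; it is portable C with no Winsock headers, the LspEntry fields and the sample chains are constructed for the example, and the reading of rule 2 (once a data-modifying non-IFS LSP appears, only further modifiers may follow until the first IFS LSP) is the example's own interpretation of the slide.

```c
/* Added example: validate the IFS/non-IFS ordering rules for a Winsock
 * protocol chain. Entries are listed with the top of the chain first.
 * Constructed for illustration; not the PSDK installer's code. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;    /* label only, constructed for the example */
    int is_ifs;          /* 1 = IFS LSP, 0 = non-IFS LSP */
    int modifies_data;   /* non-IFS LSP that changes the data stream */
    int monitors;        /* monitoring-only LSP (inspects, never modifies) */
} LspEntry;

/* Returns -1 if the chain satisfies the slide's rules, otherwise the index
 * of the first entry that breaks one of them. */
int check_chain_order(const LspEntry *chain, size_t n)
{
    int seen_ifs = 0;          /* rule 1: non-IFS above IFS */
    int seen_modifier = 0;     /* rule 2: modifiers are the last non-IFS */
    int seen_non_monitor = 0;  /* rule 3: monitors at the top */

    for (size_t i = 0; i < n; i++) {
        const LspEntry *e = &chain[i];
        if (e->is_ifs) {
            seen_ifs = 1;
            seen_non_monitor = 1;
            continue;
        }
        /* Rule 1: a non-IFS LSP below an IFS LSP is out of order. */
        if (seen_ifs) return (int)i;
        /* Rule 3: a monitoring LSP below any non-monitoring entry is out
         * of order; monitors must form the prefix of the chain. */
        if (e->monitors && seen_non_monitor) return (int)i;
        if (!e->monitors) seen_non_monitor = 1;
        /* Rule 2: after the first data-modifying non-IFS LSP, only other
         * modifiers may appear until the first IFS LSP. */
        if (e->modifies_data) seen_modifier = 1;
        else if (seen_modifier) return (int)i;
    }
    return -1;
}

/* Constructed sample chains (top of chain first). */
static const LspEntry GOOD_CHAIN[] = {
    { "inspector",   0, 0, 1 },
    { "redirector",  0, 0, 0 },
    { "crypto",      0, 1, 0 },
    { "ifs-proxy",   1, 0, 0 },
};
/* IFS LSP above a non-IFS LSP: breaks rule 1 at index 1. */
static const LspEntry BAD_IFS_ON_TOP[] = {
    { "ifs-proxy",   1, 0, 0 },
    { "crypto",      0, 1, 0 },
};
/* Monitor below a modifier: breaks rule 3 at index 1. */
static const LspEntry BAD_MONITOR_LOW[] = {
    { "crypto",      0, 1, 0 },
    { "inspector",   0, 0, 1 },
};
/* Non-modifying non-IFS LSP after a modifier: breaks rule 2 at index 2. */
static const LspEntry BAD_MODIFIER_EARLY[] = {
    { "inspector",   0, 0, 1 },
    { "crypto",      0, 1, 0 },
    { "redirector",  0, 0, 0 },
    { "ifs-proxy",   1, 0, 0 },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("good chain: %d\n", check_chain_order(GOOD_CHAIN, COUNT(GOOD_CHAIN)));
    printf("ifs on top: %d\n", check_chain_order(BAD_IFS_ON_TOP, COUNT(BAD_IFS_ON_TOP)));
    printf("monitor low: %d\n", check_chain_order(BAD_MONITOR_LOW, COUNT(BAD_MONITOR_LOW)));
    printf("modifier early: %d\n", check_chain_order(BAD_MODIFIER_EARLY, COUNT(BAD_MODIFIER_EARLY)));
    return 0;
}
```

Running such a check against the catalog before calling WSCWriteProviderOrder() gives an installer a cheap way to refuse an order that would put a non-IFS LSP under an IFS LSP.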

41
Tools: Sporder (Platform SDK), LSPFix ( )
Sporder.exe and sporder.dll are in C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2\Bin\winnt
42
(No Transcript)
43
Supported Name spaces
44

www.cexx.org/lspfix.htm
45
LSP in Vista
  • LSP Categorization
  • LSP Types
  • UAC
  • LSP Development test suite
  • NDF ( Network Diagnostic Framework )
  • Check LSPs installed

46
Why we need categorization
  • This functionality was added for the following
    reasons
  • System critical processes such as WinLogon and
    LSASS create sockets but do not send any traffic
    on the network so most LSPs should not be loaded.
    A significant percentage of the system failures
    experienced by Windows users is due to an LSP
    malfunctioning when operating in the context of a
    system critical service. A side effect of these
    system processes loading LSPs is that such
    processes never exit, so when an LSP is installed
    or removed, a reboot is required.
  • There are cases where applications may not want
    to load certain LSPs. For example, some
    applications may not want to load cryptography
    LSPs so they can communicate with other machines
    that do not have the cryptography LSP installed.
  • The LSP categories can be used by other LSPs to
    determine where in the Winsock protocol chain
    they should install themselves. For years,
    various LSP developers have wanted a way of
    knowing how an LSP will behave. For example, an
    LSP that inspects the data stream would want to
    be above an LSP that encrypts the data. This
    method does rely on 3rd party LSPs to categorize
    themselves appropriately, but, the security
    enhancements in Vista will help prevent users
    from unintentionally installing malicious LSPs.

47
WS2SPI.H ( Vista )
48
LSP Categorization
  • WSCGetProviderInfo
  • WSCSetProviderInfo
  • WSCGetApplicationCategory
  • WSCSetApplicationCategory

49
LSP Types
  • Nine different LSP types are defined in ws2spi.h
    (Vista):
  • LSP_SYSTEM: LSP for system critical processes
  • LSP_INSPECTOR: an LSP that simply monitors the
    inbound and outbound traffic but does not modify the
    data. An HTTP content filterer is an example of
    an inspector (as it will deny the request).
  • LSP_REDIRECTOR: this type of LSP simply modifies
    the addresses used in Winsock calls.
  • LSP_PROXY: this LSP redirects Winsock calls to a
    proxy server as well as instructing the proxy via a
    control channel to establish outbound
    connections.
  • LSP_FIREWALL: an LSP that monitors incoming and
    outbound connection requests. A firewall LSP
    should only inspect data and deny requests but not
    actually modify the data.
  • LSP_INBOUND_MODIFY: filters inbound data
  • LSP_OUTBOUND_MODIFY: filters outbound data
  • LSP_CRYPTO_COMPRESS: a crypto or compression LSP
    can modify both inbound and outbound traffic but
    also includes an out-of-band signing/negotiation
    phase.
  • LSP_LOCAL_CACHE: an LSP that inspects the
    contents of a Winsock request and satisfies the
    request by generating the expected response
    without the request actually hitting the intended
    destination.

50
How the stack defines which LSPs are loaded
  • If the application is not categorized (has
    not defined a permitted LSP category set), allow
    all LSPs. This is the default behavior on
    operating systems prior to Windows Vista, where
    categorization is not available.
  • If both the application and the LSP have
    assigned categories, all of the following must be
    true:
  • a) AT LEAST ONE OF the LSP categories is
    present in the application's specified permitted
    categories
  • b) ONLY categories specified in the
    application's specified permitted categories
    are specified in the LSP's categories (i.e. in
    general, the LSP's categories must be a subset of
    the application's permitted category set)
  • c) If LSP_SYSTEM is present in the
    application's permitted category set, it MUST be
    present in the LSP's categories
51
Categorization Example
  • Application Foo.exe has a permitted LSP category
    set equal to
  • LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS
  • Application Bar.exe has a permitted LSP category
    set equal to
  • LSP_FIREWALL | LSP_CRYPTO_COMPRESS
  • There are four LSPs installed on the system with
    the following categorizations:
  • LSP1: LSP_SYSTEM
  • LSP2: 0 (no category set)
  • LSP3: LSP_FIREWALL
  • LSP4: LSP_SYSTEM | LSP_FIREWALL |
    LSP_CRYPTO_COMPRESS | LSP_INSPECTOR
  • Foo.exe would only load LSP1 while Bar.exe would
    load LSP3
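The loading rules from the previous slide, applied in code to the Foo.exe / Bar.exe example above. This is an added example, not code from the presentation or from the Windows SDK: it is portable C with no Winsock headers, the LSP_* bit values are copied from ws2spi.h (the check itself only needs them to be distinct bits), the functions lsp_is_loaded and loaded_mask are the example's own names, and an LSP with no category is treated as not loading into a categorized application, which is how the slide's example treats LSP2.

```c
/* Added example: the Vista LSP categorization decision (rules a, b, c)
 * evaluated against the slide's Foo.exe / Bar.exe sample. Portable C;
 * the LSP_* values mirror ws2spi.h but no Windows headers are needed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Category bits as defined in ws2spi.h (Vista). */
#define LSP_SYSTEM           0x80000000u
#define LSP_INSPECTOR        0x00000001u
#define LSP_REDIRECTOR       0x00000002u
#define LSP_PROXY            0x00000004u
#define LSP_FIREWALL         0x00000008u
#define LSP_INBOUND_MODIFY   0x00000010u
#define LSP_OUTBOUND_MODIFY  0x00000020u
#define LSP_CRYPTO_COMPRESS  0x00000040u
#define LSP_LOCAL_CACHE      0x00000080u

/* Returns 1 if an LSP with categories lsp_cats is loaded into an
 * application whose permitted set is app_cats, else 0.
 * app_cats == 0 means the application is not categorized. */
int lsp_is_loaded(uint32_t app_cats, uint32_t lsp_cats)
{
    if (app_cats == 0)
        return 1;                 /* uncategorized application: load all */

    /* Rule a: at least one LSP category is in the permitted set. An LSP
     * with no categories (0) cannot satisfy this, so it is not loaded,
     * matching the slide's treatment of LSP2. */
    if ((lsp_cats & app_cats) == 0)
        return 0;

    /* Rule b: the LSP's categories must be a subset of the permitted set. */
    if ((lsp_cats & ~app_cats) != 0)
        return 0;

    /* Rule c: if LSP_SYSTEM is permitted, the LSP must carry LSP_SYSTEM. */
    if ((app_cats & LSP_SYSTEM) && !(lsp_cats & LSP_SYSTEM))
        return 0;

    return 1;
}

/* Evaluate up to 32 installed LSPs against one application. Bit i of the
 * result is set when lsps[i] would be loaded. */
uint32_t loaded_mask(uint32_t app_cats, const uint32_t *lsps, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n && i < 32; i++)
        if (lsp_is_loaded(app_cats, lsps[i]))
            mask |= (1u << i);
    return mask;
}

/* Constructed sample, taken from the slide: Foo.exe, Bar.exe, LSP1..LSP4. */
static const uint32_t FOO_PERMITTED = LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS;
static const uint32_t BAR_PERMITTED = LSP_FIREWALL | LSP_CRYPTO_COMPRESS;
static const uint32_t INSTALLED_LSPS[4] = {
    LSP_SYSTEM,                                                      /* LSP1 */
    0,                                                               /* LSP2 */
    LSP_FIREWALL,                                                    /* LSP3 */
    LSP_SYSTEM | LSP_FIREWALL | LSP_CRYPTO_COMPRESS | LSP_INSPECTOR  /* LSP4 */
};

static void print_loaded(const char *app, uint32_t mask)
{
    printf("%s loads:", app);
    for (unsigned i = 0; i < 4; i++)
        if (mask & (1u << i))
            printf(" LSP%u", i + 1);
    printf("\n");
}

int main(void)
{
    print_loaded("Foo.exe", loaded_mask(FOO_PERMITTED, INSTALLED_LSPS, 4));
    print_loaded("Bar.exe", loaded_mask(BAR_PERMITTED, INSTALLED_LSPS, 4));
    print_loaded("uncategorized.exe", loaded_mask(0, INSTALLED_LSPS, 4));
    return 0;
}
```

LSP3 fails for Foo.exe on rule c (Foo permits LSP_SYSTEM, LSP3 lacks it) and LSP4 fails on rule b (LSP_INSPECTOR is not in either permitted set), which is why each application ends up with exactly one LSP.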

52
UAC
  • Vista demands that the executor of the LSP installation
    program have built-in administrator rights and not
    just be a member of an administrator group.
  • That can be elevated by a manifest
  • (foo.exe.manifest)
  • or

53
LSP Development test suite
  • Does the LSP properly layer itself in the Winsock
    catalog?
  • Does the LSP leave the catalog in a consistent
    state after its install/uninstall?
  • Does the LSP handle all extension functions and
    new WSAIoctls correctly?

NDF (Network Diagnostics Framework)
Checks LSPs installed.
Different dialog boxes are shown in the case of incorrect LSP behavior or an old version of it.
54
LSP in Windows CE
  • Introduced in Windows CE 5.0 (2004)
  • Sources can be found in the directory
  • C:\WINCE\PUBLIC\COMMON\SDK\SAMPLES\TSP\LSP

  • The Windows CE LSP is non-IFS, so it allows completion
    operations in overlapped mode.
  • Be aware that the Winsock DLL in Windows CE is not
    WS2_32.dll but WS2.dll.

55
(No Transcript)
56
Resources
MSDN
Platform SDK
DDK
http://www.ndis.com/papers/winpktfilter.htm
http://www.sysinternals.com
Windows Internals by David Solomon and Mark Russinovich
Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider by Wei Hua, Jim Ohlund, Barry Butterklee
www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx
Network Programming for Microsoft Windows by Anthony Jones and Jim Ohlund
57
www.ndis.com (www.pcausa.com by Thomas F. Divine)
www.castlecops.com/LSPs.html
www.cexx.org/lspfix.htm
http://technet.microsoft.com/en-us/library/bb457156.aspx
Some time ago: www.socket2online.com (winsock2_at_2can.com)
https://connect.microsoft.com/WNDP
58
Thank you for coming!
59
Notes
  • The PSDK Feb 2003 example works with
    OutputDebugString() with its instlsp (lsp.dll),
    both in the same directory, as the readme file shows
  • Winsock LSP sample (from wndp):
  • ifslsp (100KB) does work
  • LSP ifslsp (18K, 1K manifest) can't be
    installed in retail mode, but in debug mode
    Winsock programs connected to it show a dialog box
    about the absence of msvcr80d.dll