How to capture all HTTP requests from certain processes?

I've searched for this and came to know WinPCap, but I still didn't get the answer I needed. WinPCap can monitor packets, and seems not to give a track to processes (I don't know much about it).

I want my application to listen to every HTTP request made from certain processes (usually the ones from browsers, which I will define later), and modify them if necessary.

My application is originally written in Delphi, but any help in C++ would also be cool. Can anyone help me with this?

Edit 1: Of course I don't expect you to give me an answer according to winPcap necessarily!

WinPCap allows you to access the source and destination IP/Port pairs for each captured packet. You can iterate the OS's TCP tables (on Windows, you can use GetTcpTable2() and GetTcp6Table2()) looking for those pairs, and when you find a match then you will know the process ID that owns that connection. From that ID, you can then extract further information about that process from the OS (filename, etc).
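The lookup this answer describes (captured 4-tuple → TCP table → owning PID → process details), as an added example that is not part of the original answer. It uses PowerShell's Get-NetTCPConnection, which reads the same OS TCP table that GetTcpTable2()/GetTcp6Table2() expose to C++ and Delphi callers; the sample addresses and ports are constructed, and the browser process names are an assumption.

```powershell
# Added example: resolve a TCP 4-tuple taken from a packet capture to the
# process that owns the socket. The caller must orient the tuple so that the
# "local" side is this host (for an outbound HTTP request that is the source).
function Resolve-ConnectionOwner {
    param(
        [Parameter(Mandatory)][string]$LocalAddress,
        [Parameter(Mandatory)][int]$LocalPort,
        [Parameter(Mandatory)][string]$RemoteAddress,
        [Parameter(Mandatory)][int]$RemotePort
    )
    # Match on all four tuple members; the address filters accept IPv4 and IPv6.
    $conn = Get-NetTCPConnection -LocalAddress $LocalAddress -LocalPort $LocalPort `
                                 -RemoteAddress $RemoteAddress -RemotePort $RemotePort `
                                 -ErrorAction SilentlyContinue | Select-Object -First 1
    # Short-lived HTTP connections can leave the table before the lookup runs,
    # so a miss is a normal outcome and must be handled, not treated as an error.
    if (-not $conn) { return $null }
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Pid   = $conn.OwningProcess
        Name  = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path  = if ($proc) { $proc.Path } else { $null }  # other users' processes need admin rights
        State = $conn.State
    }
}

# The per-process view the question asks for: every TCP connection currently
# owned by a set of browser processes (names are an assumption, adjust as needed).
function Get-ProcessConnections {
    param([string[]]$ProcessName = @('chrome', 'firefox', 'msedge', 'iexplore'))
    $pids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if (-not $pids) { return @() }
    Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

# Constructed sample tuple, e.g. copied from a WinPcap/Npcap capture of a request to port 80.
Resolve-ConnectionOwner -LocalAddress '192.0.2.10' -LocalPort 52344 `
                        -RemoteAddress '198.51.100.20' -RemotePort 80
Get-ProcessConnections | Where-Object { $_.RemotePort -in 80, 443 } | Format-Table -AutoSize
```

Note that this identifies which process owns a connection; it does not by itself let you modify the request in flight, which is what the proxy or API-hooking approaches in the other answers address.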

There are a number of ideas I can think of, depending on how low-level you need to get and other parameters of your requirements.

  • Set up an HTTP proxy of some kind. This could be something you write yourself and configure the browser to use. Or it could be something like Fiddler - I'm not sure if Fiddler allows you to plug in your own functionality... if not and if it's open source, then you can do whatever you like.

  • Look into existing browser plug-in mechanisms. For example for IE there are BHOs (Browser Helper Objects). TBH I'm not sure what exactly the various plug-in mechanisms allow. If you get native code executing in the browser, maybe you can hook arbitrary APIs (see Detours below).

  • Use the MS user-level hooking mechanism to inject code (a .dll) into the target processes. You can configure the hook to only load into processes with a certain name (e.g. iexplore.exe) and maybe other attributes as well. Worst-case, you can hook all processes and then in your DllLoad bail out if the process is not one you want to hook. In your hook's DllLoad, use an entry-point hooking mechanism like Detours to hook a set of network APIs with your own functions. Then whenever the process calls those network APIs it will be the function in your DLL that is called. It can do whatever it wants (e.g. modify the data being sent) and then call through to the real method. For example, IE uses WinHTTP (I think) which uses wininet which uses winsock. I have done this (not for networking but other APIs) many times and the mechanism itself is straightforward.

  • Write a network driver of some kind to filter all traffic. Without thinking through the details right now, you should be able to figure out what process the traffic is for even from kernel mode. I can't remember exactly but I think Windows' (which is to say, NT's) network stack has user-mode drivers as well.

Lots of software like VPNs have to do what you are talking about. It's definitely possible, including per-process filtering. One thing to always keep in mind: if you have control of the OS you want to do this on (Administrator rights), you can do anything you want. Unlike certain mobile OSes, in desktop OSes you own the OS and the hardware and don't have to beg permission to do what you want with your own property. It's only a matter of how hard it is and how long it will take...

Try the SnoopSpy3 application. http://www.snoopspy.com/778 I hope it will help you.

In Windows I've used Sysinternals ProcMon to achieve this: filter by the PID and then Tools -> Network Summary.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
