I’ve seen many developers asking “How to intercept in/out HTTP packets” and “How to modify them on the fly”. The most “clean” answer I’ve seen is to make a kernel-mode driver filter from scratch (TDI for XP and earlier Win9x, or NDIS for NT systems).
Another way is to use a user-mode driver like WinDivert; Komodia also has a great solution (without writing a single line of code).
The idea behind this introduction is that I just want to know whether API hooking can be considered an alternative to writing a whole driver filter. Writing a driver from scratch is not an easy task, so why not just hook HttpSendRequest or any other API used by the browser? There are many free/commercial libraries to do this in a safe manner (e.g. EasyHook, Mhook, Nektra...).
I’m not the first to ask; there is already SocksCap, which uses hooking (DLL injection) to change the behavior of other applications and force them to use a SOCKS proxy, and there is the form-grabbing attack used by keyloggers.
Depending on your needs (specifically wanting to filter packets and block sites), the cleanest option is definitely not to attempt to roll your own security tools. Instead, use a tool specifically made for the job that lets you put a network-level job entirely out of reach of the client. Installation, configuration and maintenance are much simpler than coding your own filters and having to deploy and manage them.
Squid has a range of ways to do what you want to do (including rewriting HTTP headers and even HTML content). If necessary it can be installed ‘transparently’ on a network to ensure that nobody can get around it even if they are aware it is present. It can even work with SSL if needed.
It also has some other positives, which include lists of known proxy servers that are regularly updated to stop people using those to get around your filters.
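To make the Squid answer above concrete, here is a constructed squid.conf fragment. It is an added example, not from the answer or from the Squid project: the listening ports, the 192.168.0.0/16 range, the blocklist path, the CA file and the rewrite helper path are placeholders, and the SSL-Bump directives assume Squid 3.5 or later.

```conf
# Explicit proxy port for configured clients, plus a second port for traffic a
# firewall rule redirects to Squid (transparent mode, so clients cannot opt out).
http_port 3128
http_port 3129 intercept

# Site blocking: one domain per line in the file, e.g. ".ads.example.com".
# Placeholder path and address range.
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"
acl localnet src 192.168.0.0/16
http_access deny blocked_sites
http_access allow localnet
http_access deny all

# Header rewriting: the replace directive only applies to headers that were
# denied first, so both lines are needed.
request_header_access User-Agent deny all
request_header_replace User-Agent Mozilla/5.0 (compatible; FilteredProxy)

# HTTPS needs SSL-Bump: Squid issues a certificate per site from ca.pem, so every
# client must trust that CA or it will see certificate warnings. Squid 3.5+ syntax.
https_port 3130 intercept ssl-bump cert=/etc/squid/ca.pem generate-host-certificates=on
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Content rewriting is not done in squid.conf itself; it is delegated to a
# helper (url_rewrite_program, or an ICAP/eCAP adapter for response bodies).
# Placeholder helper path.
url_rewrite_program /usr/local/bin/rewrite-helper
url_rewrite_children 5
```

The `intercept` ports only receive traffic if the network actually redirects it there (an iptables REDIRECT or a router policy route), and the SSL-Bump section is the part that needs the most care: the proxy is deliberately acting as a man-in-the-middle, so the CA key in ca.pem must be protected as tightly as any other signing key.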
In most cases, using an API hook is good enough. But for the socket calls, the WinInet API hook is not enough to make a workable network filter.
I believe that the API hook technique could be used to make a pass-thru wrapper. But it is difficult to give you a sample due to the complexity involved. For example, you need to consider DLL injection, code injection, etc.
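Neither answer shows what the hook body actually has to do with the bytes it intercepts, which is where most of the work in a "pass-thru wrapper" sits. The following is an added example in portable C, not code from the question, from either answer, or from EasyHook, Mhook or Nektra: the filtering step a detour on a socket send routine would run on the buffer it is handed. It waits until the header block is complete (a send() hook routinely sees a request split across several calls, which is one reason the second answer calls a socket-level filter hard), applies a host blocklist, and rewrites the User-Agent header before letting the request through. The blocklist and all requests are constructed for the example; the Windows-specific part (injecting the DLL and installing the detour) is not shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { FILTER_PASS, FILTER_BLOCK, FILTER_NEED_MORE, FILTER_INVALID } filter_result;

/* Constructed blocklist for this example; a real hook would load it from config. */
static const char *const blocked_hosts[] = { "ads.example.com", "tracker.example.net", NULL };

/* Case-insensitive compare of n bytes (header names and host names are case-insensitive). */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Return a pointer to the first CRLF in [p, end), or NULL. */
static const char *find_crlf(const char *p, const char *end) {
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}

/* Find header `name` in the header block [hdr, end). On success sets *line to the start of
 * its line and *val/*vlen to the value with surrounding blanks trimmed; returns 1 if found. */
static int find_header(const char *hdr, const char *end, const char *name,
                       const char **line, const char **val, size_t *vlen) {
    size_t nlen = strlen(name);
    for (const char *p = hdr, *eol; p < end && (eol = find_crlf(p, end)) != NULL; p = eol + 2) {
        if ((size_t)(eol - p) <= nlen || p[nlen] != ':' || !ieq(p, name, nlen)) continue;
        const char *v = p + nlen + 1, *e = eol;
        while (v < e && (*v == ' ' || *v == '\t')) v++;
        while (e > v && (e[-1] == ' ' || e[-1] == '\t')) e--;
        *line = p; *val = v; *vlen = (size_t)(e - v);
        return 1;
    }
    return 0;
}

/* A host is blocked if it equals a listed name or is a subdomain of one. */
static int host_blocked(const char *host, size_t hlen) {
    const char *cut = (hlen && host[0] == '[') ? memchr(host, ']', hlen)   /* IPv6 literal */
                                               : memchr(host, ':', hlen);  /* host:port    */
    if (cut) hlen = (size_t)(cut - host) + (host[0] == '[' ? 1 : 0);
    for (const char *const *b = blocked_hosts; *b; b++) {
        size_t blen = strlen(*b);
        if (hlen == blen && ieq(host, *b, blen)) return 1;
        if (hlen > blen && host[hlen - blen - 1] == '.' && ieq(host + hlen - blen, *b, blen)) return 1;
    }
    return 0;
}

/* Inspect one intercepted request buffer. Returns FILTER_NEED_MORE until the header block
 * is complete, so the caller must buffer and retry. On FILTER_PASS, *out receives a malloc'd
 * copy of the request with User-Agent replaced by new_ua (added if missing); caller frees it. */
filter_result filter_request(const char *buf, size_t len, const char *new_ua,
                             char **out, size_t *outlen) {
    const char *end = buf + len, *hdr_end = NULL;
    for (const char *p = buf; p + 3 < end; p++)
        if (memcmp(p, "\r\n\r\n", 4) == 0) { hdr_end = p; break; }
    if (!hdr_end) return FILTER_NEED_MORE;
    const char *blk_end = hdr_end + 2;                          /* header block incl. last CRLF */

    /* Request line must look like: METHOD SP target SP HTTP/1.x */
    const char *rl_end = find_crlf(buf, blk_end);
    const char *sp1 = memchr(buf, ' ', (size_t)(rl_end - buf));
    const char *sp2 = sp1 ? memchr(sp1 + 1, ' ', (size_t)(rl_end - sp1 - 1)) : NULL;
    if (!sp1 || !sp2 || rl_end - sp2 - 1 != 8 || memcmp(sp2 + 1, "HTTP/1.", 7) != 0)
        return FILTER_INVALID;

    const char *hdrs = rl_end + 2, *line, *val; size_t vlen;
    /* Policy needs a Host header; a request we cannot attribute is refused. */
    if (!find_header(hdrs, blk_end, "Host", &line, &val, &vlen)) return FILTER_BLOCK;
    if (host_blocked(val, vlen)) return FILTER_BLOCK;

    /* Rebuild the request with User-Agent replaced (or inserted before the blank line). */
    int have_ua = find_header(hdrs, blk_end, "User-Agent", &line, &val, &vlen);
    const char *cut = have_ua ? line : blk_end;                       /* where the new line goes */
    const char *rest = have_ua ? find_crlf(line, blk_end) + 2 : blk_end; /* what follows it */
    char *o = malloc(len + strlen(new_ua) + 16);                      /* room for "User-Agent: ", CRLF, NUL */
    if (!o) return FILTER_INVALID;
    size_t n = (size_t)(cut - buf);
    memcpy(o, buf, n);
    n += (size_t)sprintf(o + n, "User-Agent: %s\r\n", new_ua);
    memcpy(o + n, rest, (size_t)(end - rest));
    n += (size_t)(end - rest);
    o[n] = '\0';
    *out = o; *outlen = n;
    return FILTER_PASS;
}

/* Thin wrappers so the behaviour can be checked on constructed requests. */
filter_result classify(const char *req) {
    char *o = NULL; size_t n;
    filter_result r = filter_request(req, strlen(req), "x", &o, &n);
    free(o);
    return r;
}
int rewritten_equals(const char *req, const char *ua, const char *expected) {
    char *o = NULL; size_t n;
    if (filter_request(req, strlen(req), ua, &o, &n) != FILTER_PASS) return 0;
    int ok = n == strlen(expected) && strcmp(o, expected) == 0;
    free(o);
    return ok;
}

int main(void) {   /* constructed request, as a send() hook might see it */
    const char *req = "GET /i HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n";
    char *o = NULL; size_t n;
    if (filter_request(req, strlen(req), "Filtered/1.0", &o, &n) == FILTER_PASS) fputs(o, stdout);
    free(o);
    return 0;
}
```

The FILTER_NEED_MORE path is the one a WinInet-level hook never has to think about: HttpSendRequest hands the detour the verb, object and headers already separated, whereas a send()/WSASend() detour gets whatever fragment the browser happened to write, so the hook must keep per-socket state until "\r\n\r\n" arrives. The blocklist compares the Host header rather than the destination IP because several sites share one address behind a CDN; a driver-level filter that only sees packets cannot make that distinction without reassembling the stream itself.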