Attached is a patch to take kernel32/ntdll ReadFile and WriteFile requests on sockets and pass them to WSARecv and WSASend. This patch is part of a series I'm working on for the infamous C&C networking bug (Bug #7929). The functionality added by this patch was requested by a previous RFC response so that ReadFile and WriteFile requests will have all the same filtering as WSARecv and WSASend. Any and all feedback is greatly appreciated.
Erich Hoover ehoover@mines.edu
Erich Hoover ehoover@mines.edu writes:
> Attached is a patch to take kernel32/ntdll ReadFile and WriteFile requests on sockets and pass them to WSARecv and WSASend. This patch is part of a series I'm working on for the infamous C&C networking bug (Bug #7929). The functionality added by this patch was requested by a previous RFC response so that ReadFile and WriteFile requests will have all the same filtering as WSARecv and WSASend. Any and all feedback is greatly appreciated.
You don't want to be calling up to ws2_32 from ntdll. And I still think bug 7929 will have to be fixed in the kernel, you really can't do that properly in user space.