
In my app (not malware) I inspect browsers' network traffic by hooking Windows API calls.

Works fine in all browsers in all Windows versions... except Internet Explorer 11 under Windows 10.

The problem is that WSARecv returns WSA_IO_PENDING, but none of the methods known to me for getting notified about the operation's completion are used.

  • WSAOVERLAPPED::hEvent is set to 0.
  • lpCompletionRoutine is also 0.
  • WSAGetOverlappedResult is never called.
  • GetQueuedCompletionStatus and GetQueuedCompletionStatusEx are not called either.
  • CreateThreadpoolIo is not called.

So, what does IE11 use under Windows 10?

theB
Alexander Dyagilev
    Why not use [winpcap](http://www.winpcap.org) instead of hooking APIs? – Remy Lebeau Sep 08 '15 at 06:31
  • "*So, what does IE11 use under Windows 10?*" - you would have to ask Microsoft. Or maybe Raymond Chen will chime in with one of his famous insights about the internal details. – Remy Lebeau Sep 08 '15 at 06:44
  • As far as I know winpcap requires admin rights. – Alexander Dyagilev Sep 09 '15 at 05:35
  • Only to install the driver. After that, any user can use winpcap for capturing packets without needing admin rights. This was covered on the Winpcap-users mailing list: [Running as non-admin](http://www.winpcap.org/pipermail/winpcap-users/2009-January/002997.html) – Remy Lebeau Sep 09 '15 at 06:05
  • I'll consider switching to winpcap (or something else) in case I fail to fix the problem in the current solution. It's an unwanted thing, btw. It will require more time, etc. – Alexander Dyagilev Sep 10 '15 at 15:18
  • Hmm... Winpcap is not suitable at all, because it seems it does not allow knowing which packets belong to which process. I want to inspect only a target browser's process. Not all processes. Not all browsers. – Alexander Dyagilev Sep 10 '15 at 15:23
  • The header of each packet will tell you the transport protocols (IPv4, IPv6, TCP, UDP) and source/destination IP/Port pairs. For TCP packets, you can find the associated process ID by looking for the IP/Port pairs in Windows' TCP tables via [`GetTcpTable2()`](https://msdn.microsoft.com/en-us/library/windows/desktop/bb408406.aspx) (IPv4) and [`GetTcp6Table2()`](https://msdn.microsoft.com/en-us/library/windows/desktop/bb408405.aspx) (IPv6). There are UDP tables available via `GetUdpTable()` (IPv4) and `GetUdp6Table()` (IPv6) but they do not provide process IDs. Browsers do not use UDP anyway. – Remy Lebeau Sep 10 '15 at 18:19
  • @AlexanderDyagilev, Did you get the solution? – Ajay Dec 02 '16 at 10:00
  • @Ajay, No, I did not. – Alexander Dyagilev Dec 02 '16 at 10:12
  • @AlexanderDyagilev, Did you get the solution now? – 郑福真 Apr 15 '18 at 08:17
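The approach Remy Lebeau describes in the comments, attributing a captured TCP flow to its owning process through the system TCP table instead of hooking WSARecv, can be done without native code. The script below is an added example, not code from the question or its comments; it uses the built-in `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 and later), which exposes the same table as `GetTcpTable2()`/`GetTcp6Table2()` including the `OwningProcess` column. The 4-tuple and the process name `iexplore` in the usage lines are constructed placeholders.

```powershell
# Added example: map a TCP 4-tuple (as seen in a packet capture) to the
# process that owns the socket, and list a target browser's own connections.
# Not part of the original question; assumes Windows 8+ with the NetTCPIP module.

function Resolve-TcpOwner {
    param(
        [Parameter(Mandatory)] [string] $LocalAddress,
        [Parameter(Mandatory)] [int]    $LocalPort,
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [Parameter(Mandatory)] [int]    $RemotePort
    )
    # A capture sees both directions of a flow, so match the tuple as given
    # and with local/remote swapped. Only one endpoint is on this host.
    $conn = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
        ($_.LocalAddress -eq $LocalAddress -and $_.LocalPort -eq $LocalPort -and
         $_.RemoteAddress -eq $RemoteAddress -and $_.RemotePort -eq $RemotePort) -or
        ($_.LocalAddress -eq $RemoteAddress -and $_.LocalPort -eq $RemotePort -and
         $_.RemoteAddress -eq $LocalAddress -and $_.RemotePort -eq $LocalPort)
    } | Select-Object -First 1

    if (-not $conn) { return $null }   # flow not in the table (already closed, or not local)

    # The PID can outlive the socket's entry or vice versa; tolerate a missing process.
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress  = $conn.LocalAddress
        LocalPort     = $conn.LocalPort
        RemoteAddress = $conn.RemoteAddress
        RemotePort    = $conn.RemotePort
        State         = $conn.State
        ProcessId     = $conn.OwningProcess
        ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
    }
}

# The filter the asker wants: only the sockets belonging to one browser,
# ignoring every other process on the machine.
function Get-BrowserConnections {
    param([string] $ProcessName = 'iexplore')   # assumed target process name
    $ids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if (-not $ids) { return @() }
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

# Usage with a constructed tuple (placeholder values, not from a real capture):
Resolve-TcpOwner -LocalAddress '192.0.2.10' -LocalPort 51234 `
                 -RemoteAddress '198.51.100.20' -RemotePort 443
Get-BrowserConnections -ProcessName 'iexplore'
```

Because the table is polled rather than hooked, a short-lived connection can open and close between two polls and never be attributed; correlate on the capture side by timestamp and re-query promptly, or run the lookup when the first SYN of a flow is seen. Note that IE11 may run several `iexplore.exe` processes (frame and content), which is why `Get-BrowserConnections` matches on all PIDs with that name.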

0 Answers