Authored and Presented by

1
Microsoft Layered Service Provider
Authored and Presented by Arkady Frenkel, MS MV
P Windows SDK
2
http//www.microsoft.com/communities/mvp/mvp.mspx
(Windows SDK)
3
Agenda
LSP Layered Service Provider in Microsoft
Network Architecture History of LSP from NT4 till
Vista CastleCops site Non-IFS and IFS LSP PSDK
Examples Compiling/Running/Debugging
Installation/ Removing Tools Sporder, LSPFix L
SP for Vista LSP Types LSP Cat
egorization UAC LSP Dev
elopment test suite LSP for Windows CE Reso
urces
4
LSP Layered Service Provider in Microsoft
Network Architecture
LSP can be used to implement
Monitoring and filtering data Modifying data (
including cryptography) Redirection of data Re
direction of URL ( proxy ) Firewall ( due to the
context )
Implementation of WOSA ( Windows Open System
Architecture )
There are two kinds of service providers LSP
and BSP
5
Socket Architecture
6
(No Transcript)
7
From www.ndis.com ( www.pcausa.com )
8
Networking API

• )Windows Sockets (Winsock
• Remote procedure call (RPC)
• Web access APIs (HTTP)
• Named pipes and mailslots
• Common Internet File System (CIFS)
• NetBIOS
• Other networking APIs

9
Winsock implementation
From Windows Internals by David Solomon and Mark
Russinovich (this and 4 next)
10
RPC implementation
11
QoS schema
12
Netbios API implementation ( LSP cant be used
here )
13
Named pipe and mailslot implementation( LSP
cant be used here )

14
History of LSP from NT4 till Vista
LSP was integrated part of winsock 2 ( appears in
NT 4 ) and added to Win9x Always was of two tim
es IFS and non-IFS but up to last year only
non-IFS example was published in Platform SDK and
appeared at the beginning in Microsoft Journal
(May 1999 ) in the article
Unraveling the Mysteries of Writing a Winsock 2
Layered Service Provider By ByWei Hua, Jim Ohlun
d, Barry Butterklee From those days that code
supported in MSFT by Anthony Jones
Author of Network Programming for Microsoft
Windows with JimOhlund His is the author of Ne
twork Programming for the Microsoft .NET
Framework with Jim Ohlund and Lance Olson
Be aware that up to NT SP4 LSP have to run in ad
min context because WPUCreateSocketHandle() could
be done only in admin context.
15
XP SP2 LSP additions

• From http//technet.microsoft.com/en-us/library/bb
  457156.aspx
  
• Winsock self-healing
• Detailed description
• Winsock, Windows network socket facility for
  applications, is extensible by a mechanism known
  as a Layered Service Provider (LSP). Winsock LSPs
  are available for a wide range of useful
  purposes, including internet parental controls,
  and web content filtering. In previous versions
  of Windows XP, removing a malformed (also known
  as buggy) LSP could result in corruption of the
  Winsock catalog in the registry, potentially
  resulting in a loss of all network connectivity.
  Winsock now has the ability to self-heal after a
  user uninstalls such an LSP.
• Two new Netsh commands are available in Windows
  XP Service Pack
  
• netsh winsock reset catalog
• This command resets the Winsock catalog to the
  default configuration. This can be
  
• useful if a malformed LSP is installed that
  results in loss of network connectivity. While
  use of this
  
• command can restore network connectivity, it
  should be used with care because any previously-
  
• installed LSPs will need to be re-installed.
• Netsh winsock show catalog
• This command displays the list of Winsock LSPs
  that are installed on the computer.
  

16
www.castlecops.com/lsps.html
17
Microsoft use LSP in ISA Server 2004 Firewall
Client, ISA Server FW, MSN Parental Controls, L
DAP RnR, Windows Rsvp Service Provider
Big guys using it Intel, IBM, Google, Yahoo,
McAfee, Citrix, Novell, CheckPoint ( ZoneLabs ),
WinGate, SyGate
18
Layered Service Providers
19
(No Transcript)
20
IFS and Non-IFS LSP
Installable File System (IFS) handle is a file
handle returned by IFS and can be used in file
I/O operations. Socket handles can be either IFS
handles or not. When a socket has an IFS handle,
it can be used in file I/O functions to perform
Winsock recv and send calls. On Windows NT and
above, IFS handles can be added to I/O completion
ports (IOCP) to achieve scalability.
Providers (BSPs) with IFS handles indicate this
via the XP1_IFS_HANDLES attribute bit in the
dwServiceFlags1 field of the WSAPROTOCOL_INFOW
structure). C\Program Files\Microsoft Platfor
m SDK for Windows Server 2003 R2\Samples\NetDS\Win
Sock\LSP\ifslsp C\Program Files\Microsoft Plat
form SDK for Windows Server 2003
R2\Samples\NetDS\WinSock\LSP\nonifslsp
21

• 
  Pros and Cons of IFS based LSP
  
• Pros
• IFS LSP base on the handles built for it
  by BSP.
  
• IFS LSP code is much less complicated
  than non-IFS LSP.
  
• It does not need to handle the various
  complicated I/O models associated with
  WSPAsyncSelect and overlapped I/O since an IFS
  LSP cannot be on the completion path of I/O
  operations. Secondly, an IFS LSP only needs to
  implement those Winsock SPI functions that it is
  interested in capturing.
• E.g. Proxy LSP only need to intercept
  WSPConnect, WSPSocket, WSPSendTo, WSPGetpeerName
  and ConnectEx.
  
• Cons
• An IFS based LSP cannot post-process
  overlapped I/O using WSPSend (WriteFile),
  WSPSendTo, WSPRecv (ReadFile), WSPRecvFrom, or
  WSPIoctl (or any of the Microsoft specific
  extension functions which may be called using
  ovelappedI/O). To allow additional processing in
  the LSP after an overlapped I/O completes in any
  of the above calls, an LSP must be non-IFS LSP.
• IFS LSP use BSP to create sockets with
  WPUModifyIFSHandle() before returning handle to
  
• winsock ( ws2_32.dll )

22
What have to be implemented

• Non-IFS LSP have to implement
• blocking, non-blocking ( WSPAsyncSelect() create
  hidden window on the thread to treat message and
  return message to user with WPUPostMessage() )
  
• and overlapped modes , if WSA_FLAG_
  OVERLAPPED flag set (use WPUQueueApc() ( for
  thread in alertable state ) or WPUCompleteOverlapp
  edRequest() from NT SP4 Winsock 2 rev.2.2.2 )
• Sources
• spi.cpp, lspguid.cpp, extention.cpp,sockinfo.cpp,
  
• overlapped.cpp, asyncselect.cpp.
• IFS LSP rely in implement on base provider
• Sources
• spi.cpp, lspguid.cpp, extention.cpp,sockinfo.cpp
• Common source for both provider.cpp

23
How IFS implementation done

• WPUModifyIFSHandle() used to ask provider
• to make it ifs handle in ifslsp spi.cpp
  WSPsocket(), WSPAccept()
  
• SPI.CPP use next Helper functions ( not exist in
  nonifslsp)
  
• FindDestinationAddress() used in WSPConnect(),
• FindURL() used in WSPSend() to parse HTTP GET,
• FreeLspProviders() used in WSPCleanup()
• As opposite
• Non IFS spi.cpp use WPUCreateSocketHandle() to
  ask for handle but that
  
• with create handle without flag XP1_IFS_HANDLES
  in
  
• dwServiceFlags1 member of provider information
• structure WSAPROTOCOL_INFOW

24
Winsock 2 SPI Prefixes
25
WSAPROTOCOL_INFOW Structure
26
Ws2spi.h (Windows XP)
27
(No Transcript)
28
(No Transcript)
29
Exceptions in direct mapping Between Winsock API
and SPI Functions

• In most cases, when an application calls a
  Winsock 2 function, Ws2_32.dll calls a
  corresponding Winsock 2 SPI function to carry out
  the requested functionality using a specific
  service provider. For example, select maps to
  WSPSelect, WSAConnect maps to WSPConnect, and
  WSAAccept maps to WSPAccept. However, not all
  Winsock functions have a corresponding SPI
  function. The following list details these
  exceptions.
• Support functions such as htonl, htons, ntohl,
  and ntohs are implemented within Ws2_32.dll and
  aren't passed down to a service provider. The
  same holds true for the WSA versions of these
  functions.
• IP conversion functions such as inet_addr and
  inet_ntoa are implemented only within Ws2_32.dll.
  
  
• All of the IP-specific name conversion and
  resolution functions in Winsock 1.1 such as
  getXbyY, WSAAsyncGetXByY, and WSACancelAsyncReques
  t, as well as gethostname, are implemented within
  Ws2_32.dll.
• Winsock service provider enumeration and the
  blocking hook_related functions are implemented
  within Ws2_32.dll. Thus WSAEnumProtocols,
  WSAIsBlocking, WSASetBlockingHook, and
  WSAUnhookBlockingHook do not appear as SPI
  functions.
• Winsock error codes are managed within
  Ws2_32.dll. WSAGetLastError and WSASetLastError
  aren't needed in the SPI.
  
• The event object manipulation and wait
  functionsincluding WSACreateEvent,
  WSACloseEvent, WSASetEvent, WSAResetEvent, and
  WSAWaitForMultipleEventsare mapped directly to
  native Win32 operating system calls and aren't
  present in the SPI.

30
Non-IFS complications

• It have to implement all modes of winsock
• Blocked
• Non-blocked (WSPSelect, WSPAsyncSelect)
• Overlapped ( used flag WSA_FLAG_ OVERLAPPED ,
  WSPGetOverlappedResult
  )
  
• Create handles and treat them
• Intercept all WSP calls

31
Code from spi.cpp Non-IFS LSP
32
Continued from previous page
33
(No Transcript)
34
Code from WSPStartup() in spi.cpp IFS LSP
35
Functions need be intercept in proxy TCP client
36
PSDK Examples Compiling/Running/DebuggingLabs

37
Installation/ Removing

• WSCEnumProtocols()
• WSCInstallProvider(64_32)()
• WSCInstallProviderAndChains(64_32)() instead
  previous for Vista
  
• WSCWriteProviderOrder(32)()
• WSCDeInstallProvider(32)()
• WSCGetProviderPath() ( new added )
• WSCUpdateProvider(32)() ( new added )
• 32 postfix used for 32 bit catalog on 64 bit OS,
  without it for 32 on 32 bit OS
  
• And 64 for 64 bit OS

38
Installer use WINNT.H

• Installer use doubly linked list and singly
  linked list linked from WINNT.h, where doubly
  linked list entry ( LIST_ENTRY ) used for
  protocol catalog items and outstanding I/O and
  singly linked list (SINGLE_LIST_ENTRY ) for
  preallocated INTERBALOVERLAPPEDSTRUCT structs

To find the address, next macro from WINNT.H used
39
Using of instlsp.exe
40

• Adding IFS LSP set next installation rules
• Non-IFS LSPs have to be higher in the stack that
  IFS LSPs
  
• Non-IFS LSP, which modify data have to be set on
  the end of the protocol chain, but before first
  IFS
  
• Monitoring LSP have to be at the top of the
  protocol chain
  
• Another requirement for installing an IFS LSP is
  each layered protocol chain belonging to the IFS
  LSP must be installed under its own GUID.
  
• IFS LSP have h param for that in
  instlsp.exe

41
Tools Sporder ( Platform SDK) , LSPFix ( )
Sporder.exe sporder.dll on C\Program Files\M
icrosoft Platform SDK for Windows Server 2003
R2\Bin\winnt
42
(No Transcript)
43
Supported Name spaces
44

www.cexx.org/lspfix.htm
45
LSP in Vista

• LSP Categorization
• LSP Types
• UAC
• LSP Development test suite
• NDF ( Network Diagnostic Framework )
• Check LSPs installed

46
Why we need categorization

• This functionality was added for the following
  reasons
  
• System critical processes such as WinLogon and
  LSASS create sockets but do not send any traffic
  on the network so most LSPs should not be loaded.
  A significant percentage of the system failures
  experienced by Windows users is due to an LSP
  malfunctioning when operating in the context of a
  system critical service. A side affect of these
  system processes loading LSPs is that such
  processes never exit, so when an LSP is installed
  or removed, a reboot is required.
• There are cases where applications may not want
  to load certain LSPs. For example, some
  applications may not want to load cryptography
  LSPs so they can communicate with other machines
  that do not have the cryptography LSP installed.
• The LSP categories can be used by other LSPs to
  determine where in the Winsock protocol chain
  they should install themselves. For years,
  various LSP developers have wanted a way of
  knowing how an LSP will behave. For example, an
  LSP that inspects the data stream would want to
  be above an LSP that encrypts the data. This
  method does rely on 3rd party LSPs to categorize
  themselves appropriately, but, the security
  enhancements in Vista will help prevent users
  from unintentionally installing malicious LSPs.

47
WS2SPI.H ( Vista )
48
LSP Categorization

• WSCGetProviderInfo
• WSCSetProviderInfo
• WSCGetApplicationCategory
• WSCSetAplicationCategory

49
LSP Types

• nine different LSP types defined in ws2spi.h (
  Vista )
  
• LSP_SYSTEM LSP for system critical processes
• LSP_INSPECTOR an LSP that simply monitors the
  inbound and outbound traffic but does not the
  data. An HTTP content filterer is an example of
  an inspector (as it will deny the request).
• LSP_REDIRECTOR this type of LSP simply modifies
  the addresses used in Winsock calls.
  
• LSP_PROXY this LSP redirects Winsock calls to a
  proxy server as well as instruct the proxy via a
  control channel to establish outbound
  connections.
• LSP_FIREWALL an LSP that monitors incoming and
  outbound connection requests. A firewall LSP
  should only inspect data and deny request but not
  actually modify the data.
• LSP_INBOUND_MODIFY filters inbound data
• LSP_OUTBOUT_MODIFY filter outbound data
• LSP_CRYPTO_COMPRESS a crypto or compression LSP
  can modify both inbound and outbound traffic but
  also includes and out of band signing/negotiation
  phase.
• LSP_LOCAL_CACHE an LSP that inspects the
  contents of a Winsock request and satisfying the
  request by generating the expected response
  without the request actually hitting the intended
  destination.

50
How stack define which LSPs are loaded

• If the application is not categorized (has
  not defined a permitted LSP category set), allow
  all LSPs. This is the default behavior on
  operating systems prior to Windows Vista where
  categorization is not available.
• If both the application and the LSP have
  assigned categories, all of the following must be
  true
  
• a) AT LEAST ONE OF the LSP categories is
  present in the a
  
• applications specified permitted
  categories
  
• b) ONLY categories specified in the
  applications specified permitted categories
  are specified in the LSPs categories (i.e. In
  general, the LSPs categories must be a subset of
  the applications permitted category set)
• c) If LSP_SYSTEM is present in the
  applications permitted category set, it MUST be
  present in the LSPs categories
  

51
Categorization Example

• Application Foo.exe has a permitted LSP category
  set equal to
  
• LSP_SYSTEM LSP_FIREWALL LSP_CRYPTO_COMPRESS
• Application Bar.exe has a permitted LSP category
  set equal to
  
• LSP_FIREWALL LSP_CRYPTO_COMPRESS
• There are four LSPs installed on the system with
  the following categorizations
  
• LSP1 LSP_SYSTEM
• LSP2 0 (no category set)
• LSP3 LSP_FIREWALL
• LSP4 LSP_SYSTEM LSP_FIREWALL
• LSP_CRYPTO_COMPRESS
  LSP_INSPECTOR
  
• Foo.exe would only load LSP1 while Bar.exe would
  load LSP3

52
UAC

• Vista demand for executor of LSP installation
  program to have build-in administrator rights and
  not be just member of a administrator group.
  
• That can be elevated by manifest
• ( foo.exe.manifest )
• or

53
LSP Development test suite

• Does the LSP properly layer itself in the Winsock
  catalog?
  
• Does the LSP leave the Catalog in a consistent
  state after its install/un-install
  
• Does the LSP handle all extension functions and
  new WSAIoctls correctly

NDF ( Network Diagnostics Framework )
Check LSPs installed
Different dialog boxes shown in the case of
incorrect LSP behavior
or its old version
54
LSP in Windows CE

• Introduced in Windows CE 5.0 ( 2004 )
• Sources can be found in directory
• C\WINCE\PUBLIC\COMMON\SDK\SAMPLES\TSP\LSP
  
  
• Windows CE LSP is non-IFS, so allowed completion
  operations with overlapped mode.
  
• Be aware that winsock dll in windows CE is not
  WS2_32.dll but WS2.dll.

55
(No Transcript)
56
Resources
MSDN
Platform SDK
DDK
http//www.ndis.com/papers/winpktfilter.htm
http//www.sysinternals.com
Windows Internals by David Solomon and Mark
Russinovich
Unraveling the Mysteries of Writing a Winsock 2
Layered Service Wei Hua, Jim Ohlund, Barry Butte
rklee by
www.microsoft.com/msj/0599/LayeredService/LayeredS
ervice.aspx
Network Programming for Microsoft Windows by
Anthony Jones and Jim Ohlund
57
www.ndis.com ( www.pcausa.com by Thomas F. Divine
)
www.castlecops.com/LSPs.html
www.cexx.org/lspfix.htm
http//technet.microsoft.com/en-us/library/bb45715
6.aspx
Before some time ? www.socket2online.com
(winsock2_at_2can. com)
https//connect.microsoft.com/WNDP
58
- Thank you for coming !???? ??? !
59
Notes

• PSDK Feb 2003 example work with
  OutputDebugString() with its instlsp ( lsp.dll )
  
• both the same directory as readme file show
• Winsock LSP sample ( from wndp )
• ifslsp ( 100KB ) do work
• LSP ifslsp ( 18K 1K Manifest ) cant be
• Installed in retail mode, but in debug mode
  connected to winsock programs show dialog box
  about absence of msvcr80d.dll