Winsock LSP

http://www.komodia.com/lsp-sub

What is Winsock LSP?

LSP stands for Layered Service Provider. In order to understand how it works, we must understand how the Windows network operates: the highest entry point of Windows network is Winsock, which is a user-level network API. 99% of network applications use Winsock to communicate over the network (an example of an application that does not use Winsock is NetBIOS, which is more of a protocol, but uses TDI-based communication). All Winsock API calls are redirected to ws2_32.dll, the Winsock API handling DLL. From there, all calls go to the kernel, which routes the network calls to the relevant communication interfaces via a technology called NDIS. Winsock LSP is a technology that allows us to inject our code between the user network calls and the Winsock API, thus allowing us to inspect, modify, or block those network calls. Another aspect of LSP is its ability to allow for additional namespace resolves. However, this is rarely used and will not be covered here.

Using LSP, real life examples of Winsock LSP usage

Among its many uses, LSP can be used for the following common tasks:

• Connection redirection – Redirecting a connection request to another address (Winsock HTTP redirection). For example: Internet Explorer asks to connect to our site, www.komodia.com. With the help of LSP the request can be altered to connect to another address, such as localhost or any arbitrarily chosen Internet address. This is mostly used to create email scanners, web anonymizers (redirecting the traffic to a 3rd party proxy server).
• Content inspection and modification. The LSP can process, inspect, and modify all data sent to the client before it reaches the client. Ideal for content inspection and filtering.
• HTTP Redirection – Used to block users from accessing certain web sites, mostly used inside A network filter.
• Winsock tracing. LSP can be used to trace Winsock calls and debug Winsock applications.
• Firewall. LSP can act as firewall (application and network level). This, however, is not recommended.
• Stream sniffer – Unlike normal sniffers that needs to perform statefull inspection to build the TCP stream, Winsock LSP sniffs at the stream level without any need to perform such rebuild. You can check out our free stream HTTP/HTTPS sniffer.