Radsoft

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part Three - How It Doesn't Work II

Gregor Freund was granted US patent 5,987,611, 'System and methodology for managing internet access on a per application basis for client computers connected to the internet', on November 16, 1999. It's a very long-winded document (as all good patents must be) but in a nutshell it outlines a methodology later marketed as True Vector Technology for controlling, per application, the traffic between a computer and an outside network such as the Internet, limiting it or stopping it altogether.

Crucial to this technology is its implementation, and Gregor developed it on Windows 95, where the Winsock stack is a user-mode DLL (Wsock32.dll) calling down into a virtual device driver (Wsock.vxd) through DeviceIoControl. The patent claims the method is similar on Windows NT, which it of course was not: NT does not load VxDs at all, so there is no Wsock.vxd entry point to redirect. These are the pertinent paragraphs.

9. Intercepting communication messages (e.g., WinSock messages)

FIGS. 15A-B illustrate a method 1500 for intercepting communication driver (e.g., WinSock) messages. The following method description focuses on a Windows 95 implementation with the following standard Microsoft WinSock component: Wsock32.dll and Wsock.vxd. The implementation is similar under Windows NT and other operating systems.

The method operates as follows. At step 1501, the Client Monitor loads the Client VxD (Windows virtual driver file). At step 1502, the Client VxD loads the WinSock virtual driver file, Wsock.vxd, and redirects the WinSock DeviceIOControl code pointer of Wsock.vxd to its own interception routine. At step 1503, the application calls the WinSock function in the WinSock dynamic link library, Wsock32.dll, that requires Internet access. At step 1504, Wsock32.dll processes the parameters and calls Wsock.vxd via the Windows Win32 DeviceIoControl() function call. At step 1505, the Client VxD looks up the call via an 'intercept before' dispatch table. At step 1506, if the dispatch table requires an intercept, the Client VxD creates an interception message and calls the Client Monitor. At step 1507, if the Client Monitor allows the call to go forward, the Client VxD calls the original Wsock.vxd routine, otherwise it returns to Wsock32.dll and the Application. At step 1508, the Client VxD looks up the call via the 'intercept after' dispatch table. If the dispatch table requires an intercept, the Client VxD creates an interception message and calls the Client Monitor at step 1509. At step 1510, the Client VxD returns to Wsock32.dll with either the original return results or results modified by the Client Monitor.

And what's crucial here is how the method decides whether traffic exists at all: Gregor hooks the Microsoft Winsock stack. The Client VxD overwrites the DeviceIoControl code pointer of Wsock.vxd, so every call an application makes through Wsock32.dll lands in the interception routine first, and the Client Monitor gets to say yes or no. By the same token, anything that reaches the network without passing through that Wsock32.dll to Wsock.vxd call path never reaches the interception routine, and True Vector never hears about it.
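To make the dispatch scheme in those paragraphs concrete, here is a small model of it in plain C. This is an added illustration written for this page; it is not code from the patent, from Zone Labs or from Windows. The DeviceIoControl code numbers, the per-application allow table, the 'before' and 'after' dispatch tables and the function names are all assumptions, and the redirected 'entry point' is an ordinary function pointer rather than a VxD service. What it shows is the mechanism itself: whoever owns the pointer that Wsock32.dll calls through mediates every call, and calls that do not go through that pointer are never seen.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed DeviceIoControl codes; the real Wsock.vxd numbering is not on the page. */
enum { IOCTL_CONNECT = 0, IOCTL_SEND = 1, IOCTL_RECV = 2, IOCTL_COUNT = 3 };

#define ACCESS_DENIED (-1)

typedef struct {
    const char *app;    /* calling application, which the Client Monitor decides on */
    int         code;   /* DeviceIoControl code (assumed numbering above) */
    uint16_t    port;   /* remote port for CONNECT/SEND, 0 otherwise */
    int         status; /* what the stand-in driver reports back */
} ioctl_req;

typedef int (*ioctl_fn)(ioctl_req *req);

/* Stand-in for the original Wsock.vxd routine: always succeeds. */
static int original_wsock_ioctl(ioctl_req *req) {
    req->status = 0;
    return 0;
}

/* The code pointer that step 1502 redirects. Wsock32.dll only ever calls
 * through this pointer, so its owner sees (or blocks) every call. */
static ioctl_fn wsock_ioctl_entry = original_wsock_ioctl;

/* Steps 1505 and 1508: which codes are inspected before and after the call (assumed). */
static const int intercept_before[IOCTL_COUNT] = { 1, 1, 0 };
static const int intercept_after [IOCTL_COUNT] = { 0, 0, 1 };

/* Client Monitor policy (constructed): application plus remote port pairs that are allowed. */
typedef struct { const char *app; uint16_t port; } rule;
static const rule allow_rules[] = {
    { "browser.exe", 80 },
    { "browser.exe", 443 },
    { "mail.exe",    25 },
};

static int monitor_allows(const ioctl_req *req) {
    for (size_t i = 0; i < sizeof allow_rules / sizeof allow_rules[0]; i++)
        if (strcmp(allow_rules[i].app, req->app) == 0 && allow_rules[i].port == req->port)
            return 1;
    return 0;
}

/* Number of interception messages delivered to the Client Monitor. */
static int intercept_messages;

/* Step 1509: the 'intercept after' message; here the monitor only observes. */
static void monitor_after(ioctl_req *req) {
    (void)req;
    intercept_messages++;
}

/* The Client VxD's interception routine, steps 1505 to 1510. */
static int intercept_ioctl(ioctl_req *req) {
    if (req->code < 0 || req->code >= IOCTL_COUNT)
        return original_wsock_ioctl(req);        /* unknown code: pass straight through */

    if (intercept_before[req->code]) {           /* 1505: 'intercept before' table */
        intercept_messages++;                    /* 1506: message to the Client Monitor */
        if (!monitor_allows(req)) {              /* 1507: denied, back to Wsock32.dll */
            req->status = ACCESS_DENIED;
            return ACCESS_DENIED;
        }
    }
    int rc = original_wsock_ioctl(req);          /* 1507: allowed, call the original routine */
    if (intercept_after[req->code])              /* 1508: 'intercept after' table */
        monitor_after(req);                      /* 1509 */
    return rc;                                   /* 1510: original (here unmodified) result */
}

/* Step 1502: redirect the entry point; remove_hook restores it. */
void install_hook(void) { wsock_ioctl_entry = intercept_ioctl; }
void remove_hook(void)  { wsock_ioctl_entry = original_wsock_ioctl; }

/* Steps 1503 and 1504: what Wsock32.dll does on an application's behalf. */
int winsock_call(const char *app, int code, uint16_t port) {
    ioctl_req req = { app, code, port, 0 };
    return wsock_ioctl_entry(&req);
}

int monitor_message_count(void) { return intercept_messages; }

int main(void) {
    install_hook();
    printf("browser.exe connect :443  -> %d\n", winsock_call("browser.exe", IOCTL_CONNECT, 443));
    printf("browser.exe connect :6667 -> %d\n", winsock_call("browser.exe", IOCTL_CONNECT, 6667));
    printf("mail.exe send :25         -> %d\n", winsock_call("mail.exe", IOCTL_SEND, 25));
    printf("browser.exe recv          -> %d\n", winsock_call("browser.exe", IOCTL_RECV, 0));
    printf("monitor messages: %d\n", monitor_message_count());
    remove_hook();
    printf("unhooked connect :6667    -> %d\n", winsock_call("browser.exe", IOCTL_CONNECT, 6667));
    return 0;
}
```

The last call in main is the point of the whole exercise: once the pointer is back to the original routine, the same connect that was refused a moment earlier sails through and the monitor's message count does not move. Any code path that never went through the redirected pointer in the first place behaves exactly the same way.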


Copyright © Radsoft. All rights reserved.