Home » Resources » Software » Reviews » ZoneAlarm Pro 3.0

16 Nov 1999

Gregor Freund receives US patent 5,987,611, 'System and methodology for managing internet access on a per application basis for client computers connected to the internet [sic]'.

9. Intercepting communication messages (e.g., WinSock messages)

FIGS. 15A-B illustrate a method 1500 for intercepting communication driver (e.g., WinSock) messages. The following method description focuses on a Windows 95 implementation with the following standard Microsoft WinSock component: Wsock32.dll and Wsock.vxd. The implementation is similar under Windows NT and other operating systems.

The method operates as follows.
At step 1501, the Client Monitor loads the Client VxD (Windows virtual driver file).
At step 1502, the Client VxD loads the WinSock virtual driver file, Wsock.vxd, and redirects the WinSock DeviceIOControl code pointer of Wsock.vxd to its own interception routine.
At step 1503, the application calls the WinSock function in the WinSock dynamic link library, Wsock32.dll, that requires Internet access.
At step 1504, Wsock32.dll processes the parameters and calls Wsock.vxd via the the Windows Win32 DeviceIoControl function call [sic].
At step 1505, the Client VxD looks up the call via an 'intercept before' dispatch table.
At step 1506, if the dispatch table requires an intercept, the Client VxD creates an interception message and calls the Client Monitor.
At step 1507, if the Client Monitor allows the call to go forward, the Client VxD calls the original Wsock.vxd routine, otherwise it returns Wsock32.dll and the Application.
At step 1508, the Client VxD looks up the call via the 'intercept after' dispatch table. If the dispatch table requires an intercept, the Client VxD creates an interception message and calls the Client Monitor at step 1509.
At step 1510, the Client VxD returns to Wsock32.dll with either the original return results or results modified by the Client Monitor.

As verified by other parts of the application, Freund dismisses low-level packet filtering as 'impractical', preferring to concentrate only on intercepting Winsock. But as shall also be seen, Winsock is only one of any number of 'known and unknown' methods for crafting packets - and Freund (and ZoneAlarm) have chosen by definition to ignore them.
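To make the quoted steps 1501-1510 and the point above concrete, here is an added example that is not part of the patent, of ZoneAlarm, or of this review: a portable C model of the interception scheme. The Client VxD redirects the driver's call pointer to its own routine, consults 'intercept before' and 'intercept after' dispatch tables, sends interception messages to a Client Monitor that applies a per-application policy, and hands either the original or a denied result back to the Wsock32.dll side. The control codes, application names, policy rules and the -1 denial value are all constructed for illustration and are not real Wsock.vxd codes. The last function models traffic that never passes through Winsock, which is exactly what the hook cannot see.

```c
/* Added example: a portable C model of the Winsock interception scheme quoted
 * above (steps 1501-1510). Not the patent's or ZoneAlarm's code; all names,
 * control codes and policy rules are constructed for illustration. */
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed control codes standing in for the Wsock.vxd DeviceIoControl codes. */
enum ws_code { WS_SOCKET = 0, WS_CONNECT, WS_SEND, WS_RECV, WS_CODE_COUNT };

typedef struct {
    enum ws_code code;
    const char *app;   /* calling application, as identified by the Client VxD */
    const char *host;  /* destination host for connect/send (NULL otherwise) */
    int result;        /* return value handed back to Wsock32.dll */
} ws_call;

/* 'intercept before' / 'intercept after' dispatch tables (steps 1505 and 1508). */
static const bool intercept_before[WS_CODE_COUNT] = { false, true,  true,  false };
static const bool intercept_after[WS_CODE_COUNT]  = { true,  false, false, true  };

/* Constructed per-application policy held by the Client Monitor. */
typedef struct { const char *app; const char *allowed_host; } policy_rule;
static const policy_rule rules[] = {
    { "browser.exe", "*" },               /* any host */
    { "updater.exe", "update.example" },  /* one host only */
};

static int monitor_messages;   /* interception messages seen by the Client Monitor */
static int bypass_packets;     /* traffic that never passed through the hook */

/* Simulated original Wsock.vxd routine: every request succeeds (0). */
static int original_wsock_ioctl(ws_call *c) { c->result = 0; return c->result; }

/* The pointer the Client VxD redirects in step 1502; initially the original routine. */
typedef int (*ioctl_fn)(ws_call *);
static ioctl_fn wsock_ioctl_ptr = original_wsock_ioctl;

/* Client Monitor: decides whether a 'before' intercept may proceed. An 'after'
 * intercept is observed only; the result is left untouched. Unknown
 * applications are denied. */
static bool client_monitor(const char *phase, ws_call *c) {
    monitor_messages++;
    if (strcmp(phase, "after") == 0)
        return true;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].app, c->app) != 0) continue;
        if (strcmp(rules[i].allowed_host, "*") == 0) return true;
        return c->host != NULL && strcmp(rules[i].allowed_host, c->host) == 0;
    }
    return false;
}

/* Interception routine installed in place of the Wsock.vxd entry point. */
static int hooked_wsock_ioctl(ws_call *c) {
    if (intercept_before[c->code] && !client_monitor("before", c)) {
        c->result = -1;          /* denied: back to Wsock32.dll, Wsock.vxd never called */
        return c->result;
    }
    original_wsock_ioctl(c);     /* step 1507: forward to the original routine */
    if (intercept_after[c->code])
        client_monitor("after", c);
    return c->result;            /* step 1510 */
}

/* Step 1502: redirect the driver's call pointer to the interception routine. */
void install_hook(void) { wsock_ioctl_ptr = hooked_wsock_ioctl; }

/* Steps 1503-1504: Wsock32.dll marshals the parameters and calls the driver
 * through whichever pointer is currently installed. */
int wsock32_call(const char *app, enum ws_code code, const char *host) {
    ws_call c = { code, app, host, 0 };
    return wsock_ioctl_ptr(&c);
}

/* A sender that does not go through Winsock at all, so the hook never sees it.
 * This only models the coverage gap the review describes. */
int non_winsock_send(void) { return ++bypass_packets; }

int monitor_message_count(void) { return monitor_messages; }

int main(void) {
    install_hook();
    printf("browser -> any.example: %d\n", wsock32_call("browser.exe", WS_CONNECT, "any.example"));
    printf("updater -> update.example: %d\n", wsock32_call("updater.exe", WS_CONNECT, "update.example"));
    printf("updater -> other.example: %d\n", wsock32_call("updater.exe", WS_CONNECT, "other.example"));
    non_winsock_send();
    printf("monitor saw %d message(s); %d packet(s) bypassed it\n",
           monitor_message_count(), bypass_packets);
    return 0;
}
```

The design point worth noticing is where the policy decision lives: the hook only ever sees requests that arrive through the redirected pointer, so an application that reaches the network by any other route produces no interception message at all, and the monitor's count does not change.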


Copyright © Radsoft. All rights reserved.