How to force a specific process to use a proxy for network communication
There are a few programs like Proxifier that can force an exe to use a proxy. There are a few others, too. But the sites all look a bit shady. I don't even trust Proxifier, to be honest... So I'd like to know how these programs work. How do they do it? Is there a WinAPI function that can be used to do that? Or do you have to actually inject code into the processes?

I was only able to find functions to change the global proxy of Windows. But some programs don't care what the global proxy says; they always try to connect directly, even if it's not possible...

Disenable answered 6/1, 2016 at 16:0 Comment(10)
I think you would use an NDIS filter driver for this sort of thing. But I'm not familiar with the technology. – Impassive
I know that Wireshark uses some technology that works on the driver level. It is able to capture all network traffic on my PC, but it's too low-level to know which process has sent which packet. So I think that what you suggested won't work. – Disenable
Why would you need to know which process had sent a packet? (But I suspect that you can, if you need to; wouldn't the packet's source port uniquely identify the process it came from?) – Impassive
It's important because how else would I force a single process's traffic through a proxy? I mean, I didn't ask for a way to make the whole system use a proxy. I really like the process identification by port idea; I haven't thought about that before. – Disenable
Oh, my mistake. In my environment I would usually want to force everything to use the proxy. Perhaps there's some open source you could look at? Anything that implements a firewall or redirects or manipulates traffic could give you a clue. (I'm afraid you're not likely to get a definitive answer here any time soon; I don't think any of the regulars are experts in this field.) – Impassive
This is a tough one. Here's an idea: host a transparent proxy that consumes the original proxy. Then point the machines at the new transparent proxy machine as the default gateway. See link here. – Kaiulani
What do you mean by "original proxy"? What if the application doesn't use a proxy? – Disenable
Sorry, I'm not explaining all that well. So here it goes. You have applications running on machine A. You want them to use the proxy on machine B. There's something called a transparent proxy. Basically, applications will use it without knowing. You can just set the default gateway on the machines and all applications will be using the transparent proxy. My suggestion is to set up a transparent proxy on machine C or a VM that itself uses the proxy on machine B. You then set the default gateway on machine A to be the IP address of machine C. – Kaiulani
If you are uncomfortable with two proxies (could have all sorts of problems), check out link BadVPN. It seems to have the same functionality as Proxifier, but this is open source and on GitHub. – Kaiulani
@Just1689, that BadVPN link is interesting. I see the tun2socks part of it is supposed to work on Windows too, so that's cool. – Icebreaker
Proxifier is based on LSP (layered service provider), but personally I never liked this technology because of its frequent stability issues. However, besides LSP there are other possible approaches suitable for achieving the same functionality. You can find a short coverage of network filtering methods (including LSP) here: https://www.ntkernel.com/ndis-hooking-drivers-and-legacy-windows-systems/. The document is a little bit out of date, though: I wrote it in the early days of Windows XP, and it does not cover WFP (Windows Filtering Platform), which replaced TDI, or NDIS Lightweight Filter, which replaced NDIS Intermediate and NDIS-hooking drivers. Both technologies were introduced with Windows Vista along with NDIS 6.0.

Petras answered 5/5, 2016 at 21:41 Comment(1)
Proxifier worked great. Thanks! It was just the thing I needed.Bula
I think Wininet.dll is the canonical method for accessing HTTP from user mode programs on Windows. (The documentation for Windows Networking and Internet support is here. I didn't want to go through all of the doc, but I'm pretty sure Wininet.dll is the right one)

One method for doing a per-process proxy is to write a DLL that acts like Wininet.dll (and sits on top of Windows' Wininet.dll). Your Wininet would have some sort of mechanism (registry, config file, etc.) to determine whether a particular process is to be proxied or not. If the process isn't proxied, then all calls go through to the original Wininet, but if the process is proxied, then your Wininet does the redirection.

Another, somewhat similar, injection point is at the Winsock layer (ws2_32.dll). (Back in the Windows 3.1 / Win95 era, it was fairly common for vendors of TCP/IP stacks to replace winsock.dll, the predecessor of ws2_32.) Here's a case where the same concept is used to capture traffic at the Winsock layer. The article at the link has a nice diagram that illustrates the concept as well as implementation details of replacing ws2_32.dll.

Stumpage answered 17/1, 2016 at 23:34 Comment(0)
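The socket-layer shim described in this answer boils down to two things: intercept the process's own `connect` call, and, instead of letting it reach the original destination, connect to a proxy and hand the original destination to the proxy inside a SOCKS5 CONNECT request (RFC 1928). The following is an added illustration of that mechanism, not code from the answer or from Proxifier: it models the ws2_32.dll replacement by rebinding `socket.socket.connect` inside one Python process, and it talks to a constructed in-process SOCKS5 stub (`FakeSocks5Server`) that records which target it was asked for and then echoes bytes, so everything runs offline. The hostname `target.invalid` is deliberately unresolvable, which shows that under the hook the name is never resolved locally but is carried to the proxy.

```python
"""Per-process proxy enforcement modelled at the socket API layer (added example)."""
import socket
import struct
import threading

SOCKS_VER, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host, port):
    """Encode a SOCKS5 CONNECT for host:port; literal IPv4 goes as ATYP 1, names as ATYP 3."""
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                       # not a dotted quad: send the name, let the proxy resolve it
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def recv_exact(sock, n):
    """Read exactly n bytes or fail; SOCKS5 framing has no length prefix to recover from."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf


def socks5_handshake(sock, host, port):
    """Client side of SOCKS5 on a socket that is already connected to the proxy."""
    sock.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))          # greeting: one method offered
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VER or method != NO_AUTH:
        raise ConnectionError("proxy refused the no-auth method")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VER or rep != 0x00:
        raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep}")
    if atyp == ATYP_IPV4:                                  # drain BND.ADDR + BND.PORT
        recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        recv_exact(sock, recv_exact(sock, 1)[0] + 2)
    else:
        recv_exact(sock, 16 + 2)


_original_connect = socket.socket.connect   # kept so the hook can reach the real connect


def install_process_proxy(proxy_host, proxy_port):
    """Hook this process's connect: every TCP connect goes to the proxy, target rides in SOCKS5."""
    def proxied_connect(self, address):
        if self.family != socket.AF_INET or self.type != socket.SOCK_STREAM:
            return _original_connect(self, address)       # UDP and others: untouched here
        host, port = address[0], address[1]
        _original_connect(self, (proxy_host, proxy_port))  # the only real outbound connect
        socks5_handshake(self, host, port)                 # proxy connects onward to host:port
    socket.socket.connect = proxied_connect


def uninstall_process_proxy():
    socket.socket.connect = _original_connect


class FakeSocks5Server:
    """Constructed stand-in for a SOCKS5 proxy: records the CONNECT target, then echoes data."""
    def __init__(self):
        self.sock = socket.create_server(("127.0.0.1", 0))
        self.port = self.sock.getsockname()[1]
        self.requested = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                # listening socket closed: stop serving
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            _ver, nmethods = recv_exact(conn, 2)
            recv_exact(conn, nmethods)
            conn.sendall(bytes([SOCKS_VER, NO_AUTH]))
            _ver, _cmd, _rsv, atyp = recv_exact(conn, 4)
            if atyp == ATYP_IPV4:
                host = socket.inet_ntoa(recv_exact(conn, 4))
            elif atyp == ATYP_DOMAIN:
                host = recv_exact(conn, recv_exact(conn, 1)[0]).decode("idna")
            else:                          # IPv6 unsupported by this stub: reply 0x08
                conn.sendall(bytes([SOCKS_VER, 0x08, 0x00, ATYP_IPV4]) + b"\0" * 6)
                return
            port = struct.unpack("!H", recv_exact(conn, 2))[0]
            self.requested.append((host, port))
            conn.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4]) + b"\0" * 6)  # success, zero BND
            while (data := conn.recv(4096)):
                conn.sendall(data)         # a real proxy would relay to host:port instead


def demo():
    """Connect to an unresolvable name; under the hook it reaches the proxy, not the resolver."""
    proxy = FakeSocks5Server()
    install_process_proxy("127.0.0.1", proxy.port)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.connect(("target.invalid", 443))        # would fail with gaierror unhooked
            client.sendall(b"GET / HTTP/1.0\r\n\r\n")
            echoed = recv_exact(client, 18)
    finally:
        uninstall_process_proxy()
        proxy.close()
    return proxy.requested, echoed

    def close(self):
        self.sock.close()


FakeSocks5Server.close = lambda self: self.sock.close()

if __name__ == "__main__":
    print(demo())
```

Two properties of the real thing show up here. First, the redirect is scoped to one process only because the hook lives inside that process, which is exactly why a replaced ws2_32.dll or an LSP gets loaded per process rather than system-wide; native code in the same process that calls the real Winsock export directly bypasses a Python-level hook like this, and that is the gap the driver-level approaches close. Second, the target name is passed to the proxy unresolved, so the process's DNS lookups also stay off the direct path; a shim that resolved the name first and only proxied the resulting IP would leak every lookup.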
The modern way to do this is to use Windows Filtering Platform.

https://en.wikipedia.org/wiki/Windows_Filtering_Platform

https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page

Windows Filtering Platform (WFP) is a set of API and system services that provide a platform for creating network filtering applications. The WFP API allows developers to write code that interacts with the packet processing that takes place at several layers in the networking stack of the operating system. Network data can be filtered and also modified before it reaches its destination.

Mayne answered 17/10, 2019 at 3:8 Comment(0)
