Description for InjectSOCKS
---------------------------

InjectSOCKS is an open source utility for Microsoft Windows. It forces
foreign software to create any TCP connection through a SOCKS V5 tunnel
like Tor. It also covers DNS requests of the foreign software in a way
that they aren't leaked. The implemented technology is independent from
the used protocols on TCP, so it works for HTTP, HTTPS, passive FTP, SMTP,
etc.

InjectSOCKS combines several well known techniques. For covering the DNS
requests I'm not sure if the idea is new or not, but that idea gave me the
impulse to develop the software as I liked that idea. It's described
below.
As some of the used techniques are really "bad" (see below), some virus
scanners might show false alarms on InjectSOCKS. Sorry for that. I can
only tell you that InjectSOCKS is no malware. Anybody can check the source
code and re-compile it to see that it contains no virus or anything
harmful. To use the tool you might have to put it on the exclude list of
the virus scanner. However, please read this text carefully, especially
the warnings below.

Usage of the tool:
Download InjectSOCKS_Vx.x.zip which contains the source code as well as
the compiled binaries in the contained folder "Release". There are two
executables in that folder: InjectSOCKS32.exe and InjectSOCKS64.exe.
InjectSOCKS64.exe is for 64 bit Windows only and InjectSOCKS32.exe is for
32 and 64 bit Windows. However, on 64 bit Windows you can always use
InjectSOCKS64.exe as it automatically switches to InjectSOCKS32.exe if
necessary. In the end, the 32 bit variant gets used for 32 bit foreign
software and the 64 bit variant for 64 bit software.
You need to call it the following way (replace ?? by 32 or 64):

   InjectSOCKS?? [/a] SocksServerIP[:Port] ForeignExecutablePath [Parameters]

The best way is to create a Windows link with that call where you can even
specify the icon of the original software. InjectSOCKS opens a dialog for
creating a link like that when calling it with no arguments.

The optional /a argument allows the usage of other protocols than TCP and
local traffic for the foreign process. It reduces the security a little
bit but some software doesn't work without it.

"SocksServerIP" is the IP address of the SOCKS server you use. If the
SOCKS server is running locally, you can use 127.0.0.1 here. Currently
InjectSOCKS only supports IPv4 for connecting to the SOCKS server, but it
might handle IPv6 traffic if the SOCKS exit server supports this (not
tested). After that you can specify the TCP port of the SOCKS server
separated by colon. If you don't specify it, InjectSOCKS uses 9050 (Tor's
current default port). After this parameter please specify the path to the
executable of the software you want to manipulate. Don't forget the
quotation marks in case of space characters in the path. After that you
can specify additional parameters you want to pass to that foreign
executable. When running this, the foreign software should start like
always, but all TCP connections it opens should be tunneled through the
SOCKS server.

Warnings: Currently InjectSOCKS only supports TCP and not UDP. Additionally
I can't test it for every existing Windows software and Windows version.
InjectSOCKS influences the behavior of the foreign software. So it might
show unexpected behavior or not work at all with InjectSOCKS. Additionally
it could happen, that the foreign software doesn't use the standard way
on Windows for DNS+TCP, so this all might not work. You should test it
extensively before doing serious work. Also a personal firewall (like the
Windows firewall) can help you while checking if there are really no
leaking connections which aren't using the SOCKS server.
If you have no luck with the 64 bit variant of a software (e.g.
InjectSOCKS reports an error at start-up), you can try the 32 bit variant.
Also please make sure that the "Internet Options" of Windows have no Proxy
settings in case your foreign software uses these settings. Or if your
software has own Proxy settings, disable them. InjectSOCKS makes the
foreign software believe that it can connect to any server directly. Having
any Proxy settings disturbs this.

Please be aware that all this only works for outgoing TCP connections and
not for incoming ones.

Additional warning: In case your foreign software starts other processes,
InjectSOCKS makes sure to inject itself into these other processes as well.
Otherwise it
wouldn't work with the modern browsers. However while doing this
InjectSOCKS currently needs to start these other processes using the same
credentials as the initially started process. So this might lower the
overall security of the foreign software.
InjectSOCKS only affects the process and child processes started via it.
It doesn't ensure SOCKS tunneling for any other running process.

I've tested InjectSOCKS successfully with several browsers: Opera,
Chromium, and Firefox - also with passive FTP. Only Internet Explorer
causes some trouble - I don't know why yet.
I could also force my mail client to use SOCKS and some other software.
It didn't work for a Java software. Additionally InjectSOCKS doesn't work
on Windows XP. I didn't test it on Windows Vista. It's working fine on
Windows 7 SP1 32/64 bit, Windows 8.1 64 bit and Windows 10 64 bit.

If you think that InjectSOCKS is not the right tool for you, but you want
to route DNS requests through a SOCKS tunnel, you might want to try my
tool DNS2SOCKS. However, the advantage of InjectSOCKS is, that it forces
the foreign software to do the DNS part like the Tor developers suggest
it. The domain name gets passed textually to the SOCKS server and the
exit server resolves it via its own settings. Instead of that DNS2SOCKS
connects a DNS server through a SOCKS tunnel for resolving a name and
the used foreign software passes the already resolved IP address to the
SOCKS server. The Tor developers say that this might be bad concerning
anonymity. I'm no expert for that.
Additionally InjectSOCKS helps using software that doesn't support SOCKS
at all together with Tor and you can use it per process whereas DNS2SOCKS
influences DNS of the whole operating system. You can also use both tools
at the same time.



Now about some technical details:
InjectSOCKS uses a well known DLL injection method to inject its own DLL
into the foreign process when starting it (CreateRemoteThread+
LoadLibrary). When InjectSOCKS's DLL starts in the foreign process, it
overwrites a lot of functions of Microsoft DLLs. There are two function
types to distinguish:

a) The 1st type are functions for starting new processes: CreateProcess
and CreateProcessAsUser. This way InjectSOCKS makes sure to inject itself
into newly started child processes. Here are some weaknesses:
InjectSOCKS replaces CreateProcessAsUser by CreateProcess in the end, so
any security stuff you have with CreateProcessAsUser gets overwritten.
Currently I didn't manage to do the DLL injection while using
CreateProcessAsUser. Maybe somebody has a hint on how to fix this.
And there are other Windows functions to start new processes like
ShellExecute(Ex) - if the foreign software uses them: bad luck.

b) The 2nd type are functions of ws2_32.dll that do the TCP communication
and the DNS look-up. Now about the DNS trick: InjectSOCKS overwrites
several ws2_32.dll functions for DNS look-up like "gethostbyname" and
"getaddrinfo". When the foreign software requests the IP address for
a domain name, InjectSOCKS stores the name and returns a unique fake IPv4
address of the private range 10.x.x.x. When the foreign software calls
"connect" with such a fake address, InjectSOCKS connects to the SOCKS server
instead and passes the original domain name to it. After that there
is an indirect connection to the original requested server via the SOCKS
tunnel and the work is done for InjectSOCKS. This is the idea that gave
me the impulse to develop InjectSOCKS.
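
The fake-address bookkeeping described in b), together with the SOCKS5
CONNECT request (RFC 1928) that carries the stored name, as an added example
that is not taken from the InjectSOCKS sources. It also shows the DNS2SOCKS
case mentioned earlier, where an already resolved IPv4 address is sent.
Assumptions: fake addresses are handed out sequentially from 10.0.0.1, and
the names fake_resolve, fake_lookup and socks5_connect_request are
hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 256                      /* table size: assumption */
static char     g_names[MAX_NAMES][256];   /* slot i <-> fake address 10.0.0.(i+1) */
static uint32_t g_count;

/* Stand-in for a hooked resolver: store the name, return a fake 10.x.x.x
 * address (host byte order). Returns 0 on bad length or full table. */
uint32_t fake_resolve(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 255) return 0;   /* SOCKS5 length field is one byte */
    for (uint32_t i = 0; i < g_count; i++)
        if (strcmp(g_names[i], name) == 0) return 0x0A000001u + i;
    if (g_count == MAX_NAMES) return 0;
    memcpy(g_names[g_count], name, len + 1);
    return 0x0A000001u + g_count++;
}

/* Map a fake address back to its name; NULL for every other address. */
const char *fake_lookup(uint32_t ip) {
    uint32_t slot = ip - 0x0A000001u;      /* wraps to a huge value below 10.0.0.1 */
    return slot < g_count ? g_names[slot] : NULL;
}

/* Build a SOCKS5 CONNECT request. A fake address goes out as a domain name
 * (ATYP 0x03) so the name is resolved behind the tunnel; any other address
 * goes out as IPv4 (ATYP 0x01). Returns the length, 0 if cap is too small. */
size_t socks5_connect_request(uint32_t ip, uint16_t port, uint8_t *out, size_t cap) {
    const char *name = fake_lookup(ip);
    size_t alen = name ? strlen(name) : 4, n = 0;
    if (cap < 3 + (name ? 2u : 1u) + alen + 2) return 0;
    out[n++] = 0x05; out[n++] = 0x01; out[n++] = 0x00;   /* VER, CONNECT, RSV */
    if (name) {
        out[n++] = 0x03; out[n++] = (uint8_t)alen;       /* ATYP, name length */
        memcpy(out + n, name, alen); n += alen;
    } else {
        out[n++] = 0x01;
        for (int s = 24; s >= 0; s -= 8) out[n++] = (uint8_t)(ip >> s);
    }
    out[n++] = (uint8_t)(port >> 8); out[n++] = (uint8_t)port;  /* network order */
    return n;
}

int main(void) {
    uint8_t buf[262];                      /* largest possible request */
    size_t n = socks5_connect_request(fake_resolve("example.org"), 443, buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
    putchar('\n');
}
```

When checking for leaks, the fake 10.x.x.x value should never appear on the
wire: the SOCKS server sees only the textual name.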

While developing InjectSOCKS I faced several challenges. First of all
ws2_32.dll has many more functions for DNS requests and connecting than I
thought at the beginning. InjectSOCKS has to simulate the original
behavior for all of them. Currently InjectSOCKS doesn't do this for all
of them, e.g. "WSAConnectByList" is missing. However, I didn't find any
software using anything else than the standard "connect" command.
Additionally I had to develop simulations for the connect behavior in
case the software calls "WSAEventSelect", "WSAAsyncSelect" or "select".
In case of non-blocking "connect" calls, InjectSOCKS creates a new thread
in a thread pool for handling the SOCKS connection in the background.
Another challenge was 64 bit Windows. Overwriting functions is much harder
there than on 32 bit Windows as the x64 instructions at the beginning of the
functions vary a lot, in contrast to x86; and the injection code for x64 is
much longer. So I had to count the bytes used by some of the x64
instructions, as InjectSOCKS needs to store them when it wants to call the
original function while simulating the behavior.
All in all InjectSOCKS is not perfect yet, but typically works for
"normal" software. Some used techniques might inspire other developers
:-)

By the way, you can open the "InjectSOCKS.sln" file in "Microsoft Visual
Studio Community 2015" to compile the sources.
The file "Doxyfile" helps you generate source code documentation from
the source code comments via the tool Doxygen.
And if you're a designer, maybe you can paint a better icon for
InjectSOCKS and send it to me as the current one is lousy :-)

Have fun using this software!

ghostmaker



License (3-clause BSD License)
------------------------------

Copyright (c) 2013, ghostmaker
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
   * Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
   * Neither the name of ghostmaker nor the names of its contributors may
     be used to endorse or promote products derived from this software
     without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ghostmaker BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.



Changes of version 1.6 (released on 2016-08-13)
-----------------------------------------------

- Support for Windows 10 Version 1607 (Anniversary Update)
- Increased maximum number of threads in thread pool
- Compiled with Visual Studio Community 2015 Update 3
- SHA256 for InjectSOCKS_V1.6.zip:
  868866f3ceaec2f15d173ac68340116acc6aa404414c671b8c584b869b659ce0


Changes of version 1.5 (released on 2015-08-01)
-----------------------------------------------

- Support for Windows 10 (RTM)
- Changed project files to Visual Studio Community 2015
- SHA256 for InjectSOCKS_V1.5.zip:
  1b09a83d4bd6cd335b91c90d0175de9c4d351cb88c9928ef1e2f9f5752ffc55a


Changes of version 1.4 (released on 2014-10-04)
-----------------------------------------------

- Support for Windows 10 (Technical Preview)
- Enhanced security for code injection: separate memory page for original
  code parts without write privilege
- SHA256 for InjectSOCKS_V1.4.zip:
  18ae96c3561711b25590a056092c683c9c4b091858cfa45d16252c2cd1ef2203


Changes of version 1.3 (released on 2014-01-03)
-----------------------------------------------

- Closing a socket doesn't wait anymore if currently a different thread
  creates a SOCKS connection using that socket; this results in a better
  performance
- SHA256 for InjectSOCKS_V1.3.zip:
  019500c81e1850376797465fff0ca5a422d7c47d0b0bfd267784e78bbdb5cdbc


Changes of version 1.2 (released on 2013-12-17)
-----------------------------------------------

- Prevents the creation of any other socket type than TCP for security
- Optional parameter /a to disable this prevention and additionally
  allow local traffic
- Switched to the new Windows thread pool API which has a better
  performance
- Fixed small memory leak while creating shortcut file when the shortcut
  file path wasn't specified or too long in the dialog
- Little tweaks in "select", "gethostbyname", "WSAAsyncGetHostByName"
  and "closesocket" simulation
- Shortcut dialog displays the version number
- Added Doxygen style comments for optional document generation
- SHA256 for InjectSOCKS_V1.2.zip:
  c82fc9f6bae5b352e60a938f34426aefbc3b2c21302692106111599ee86a408e


Changes of version 1.1 (released on 2013-12-08)
-----------------------------------------------

- Starting InjectSOCKS with less than 2 command line arguments opens a
  dialog for creating a shortcut file that helps calling InjectSOCKS
  correctly
- Added BSD license text to ReadMe.txt
- SHA256 for InjectSOCKS.zip:
  85c7faf672fb50bf22a0b984ec73fa7427c4b1aa287358a3b6501bfae2118ad8


Version 1.0 (released on 2013-12-02)
------------------------------------

- SHA256 for InjectSOCKS.zip:
  abdec623beac04c753f5aa863f4b0a7d740f80e5aca6306856a40c90cb839603
Source: ReadMe.txt, updated 2016-08-13