Socket Spy question

Discussion in 'Port Explorer' started by Phil, Nov 28, 2002.

Thread Status:
Not open for further replies.
  1. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Hey Jason

    I've been thinking again -- yeah, that's a dangerous thing but I couldn't help myself.

    Would it be possible to add a feature in Socket Spy to sniff an exe *before* it is loaded and assigned a PID? "Say, WHAT", you said. OK, say you just installed a new program but have not loaded the process. Some programs transmit data (registration, etc) *only* on the first run when connected to the 'net. In those instances, by the time you find the PID and add it to Socket Spy, it's too late. Being on dial-up, I can control the order by running the app prior to connecting and getting the PID. But those on cable or DSL (as I soon will be) have problems doing that. So, would it be possible to have Socket Spy be watching for an exe to load and sniff the entire process?

    Just a little something else to think about while you're working on the logging. :D :D

    Phil
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Phil.....what kind of .exe file (program) were you thinking about? The reason i as is, where you said this:

    i was wondering about the Operating System's exe programs.....example, when i do a "search" for a file, the minute i click on the Start-->Search, Port Explorer shows a connection to sa.windows....it's gone within seconds though, but i am unable to catch it in time to see what it has sent during that brief connection.

    Would something like that be similar to what you mean?
    Or am i way off base (yep...i have a sorta blank look on my face)
    :D

    snap
     
  3. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Snap,

    Not off base at all. That's precisely the kind of stuff I am talking about -- or anything else for that matter. A lot of apps send reg info on first run. Are they sending only the reg info or are they sneaking around getting email addys, other installed software, or anything else not pertinent to *their* install. Apps already installed -- I have seen modem activity when first starting an app if connected and *only* then. What is it sending? If it is encrypted there's not a lot you can read but you can sure ask some very pointed questions. It's all about who controls what is sent from my machine, me or the installed software. As "they" say -- knowledge is power! ;)

    That said, my firewall will not allow a new app to make a call without permission so I can control it somewhat. Being able to sniff an app not yet running is just another level of control -- a valuable level, IMO.

    Phil
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i agree Phil! i wasn't even aware of the connection to sa.windows when i did a search for a file on my system; not until i saw all the blocked incoming and outgoing in my firewall's packet log and wouldn't have made the connection to it being explorer.exe that was doing the connection....(see screencapture below)....i am sure that is related somehow to the "Help" thingie but i thought i had that disabled with XP-antispy.

    now i am wondering what if i wasn't able to block it with a software firewall...say i only had a hardware firewall (like some use XP's internal firewall that only blocks incoming)....or a firewall that didn't log packets sent and received?? It would be a nice feature with Port Explorer to be able to see what was sent and received by an executable file before it disappeared within seconds. Or, is there a way now and i am just not seeing it yet? :doubt:

    Good example of a program causing modem activity before the application is actually "started" by the user would be ICQ. ;)

    snap
     

    Attached Files:

  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    This is Sygate firewall blocking explorer.exe

    at least this one showed up where i could have Sygate block it....but i have seen ICQ's files pop up in Port Explorer if i am quick enough to open PE just after boot-up, even if i have not opened ICQ....that program i do have the socket spy on....just don't understand it yet. :rolleyes:
     

    Attached Files:

  6. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Just FYI (and a bit OT -- but related :D), XP Help checks Windows.sa for any updated XML files on every execution and will dl any needed new to your system. You can block it to no ill effect. Still, this is *exactly* the type unauthorized call I am wanting to monitor but can't unless Socket Spy can be set to watch an exe.

    Phil
     
  7. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Phil you came up with one of my initial limitations of Socket Spy capturing before a process starts. It would be a little difficult to do it accurately as well unless I made a full blown "process catcher" which hooks into some windows function when a process is loaded, otherwise it would have to be "snapshots" of when processes are loaded which gives possibly inaccurate results. Thats why it isn't done at the moment and might not be until Port Explorer v2.0 (whenever that is) when I will be adding probably a process explorer style plugin to Port Explorer.
    -Jason-
     
  8. Phil

    Phil Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    248
    Thanks for the great info, Jason. I did have a feeling this is not something easily done. At least I know it is on your "wishlist" as well as mine.

    Phil
     
Thread Status:
Not open for further replies.