The Dark Side of Winsock

The Winsock SPI, or Service Provider Interface, has been a part of Winsock since the advent of version 2.0. It enables providers to extend the Winsock API transparently, by installing their own hooks and chains to application API calls. However, its formidable capabilities are not put to widespread use... aside from spyware.

This lecture begins with a brief overview of the Windows TCP/IP Stack - reviewing the terminology, From NDIS to Winsock 2. We then delve further to explore Winsock, recapping the standard (Berkeley-Derived) API calls and their semantics.

Going "Under the Hood" of Winsock, we next explore the Service Provider Interface, and its potent use to extend (or spy on) the Winsock calls. We next show the unbearable lightness of intercepting DNS lookups and UDP/TCP based communication by a hidden DLL.

Finally, we conclude by trying to discuss countermeasures to this insidious channel.


Interested in Information Security since the mid '90's, Jonathan Levin has over 8 years of consulting experience, and has trained numerous IT and security related courses, in academic as well as technical fora. Jonathan first encountered the Winsock SPI back in '98 (and wrote a device driver over it...), and is surprised to see that even after almost 7 years it has gotten little attention, despite its formidable capabilities.