The Dark Side of Winsock

Presented at DEF CON 13 (2005), July 30, 2005, 6 p.m. (50 minutes)

The Winsock SPI, or Service Provider Interface, has been a part of Winsock since the advent of version 2.0. It enables providers to extend the Winsock API transparently by installing their own hooks and chains on application API calls. However, its formidable capabilities are not put to widespread use... aside from spyware (remember Kazaa's "sporder.dll"?). The talk will discuss (and demonstrate) some of the more insidious uses of the SPI: from collecting connection statistics, through eavesdropping on data, to rerouting connections, all with the application remaining totally oblivious!

Presenters:

  • Jonathan Levin
    Jonathan Levin has been involved with Information Security since the mid-'90s. He has consulted for over 8 years (mostly in Israel), and taught numerous IT and security-related courses, in academic as well as technical fora. Johnny is an independent security consultant and trainer, and has worked closely with many companies, e.g. Checkpoint, NDS and M-Systems. He first encountered the Winsock SPI back in '98 (and got to know it all too intimately by writing device driver hooks over it...), but is surprised to see that, even after almost 7 years, it has gotten little attention, despite its potent features.
