-
Notifications
You must be signed in to change notification settings - Fork 37
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add local-redirect/windows blog post
- Loading branch information
Showing
2 changed files
with
71 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| --- | ||
| title: "Intercepting Windows Applications" | ||
| date: 2024-12-24 | ||
| weight: 10 | ||
| tags: [ tech ] | ||
| author: | ||
| name: Maximilian Hils | ||
| twitter: maximilianhils | ||
| --- | ||
|
|
||
| We're excited to share that local redirect mode is now available on Windows! This allows users | ||
| to seamlessly intercept local applications without configuring proxy settings. | ||
|
|
||
| <!--more--> | ||
|
|
||
| ## Local Redirect Mode, One Platform at a Time | ||
|
|
||
| While mitmproxy's traditional proxying modes are all relatively platform-independent, | ||
| our new effort to transparently redirect traffic from the local machine is not. | ||
| After debuting [local redirect mode for macOS]({{< relref "./macos" >}}) earlier this month, | ||
| we're happy to report that our Windows functionality is now ready for testing, too! | ||
|
|
||
| While limited to CLI invocations for now, this paves the path for significant usability improvements | ||
| going forward. As on macOS, you can try out local redirect mode as follows: | ||
|
|
||
| ```shell | ||
| # Capture all local traffic | ||
| mitmproxy --mode local | ||
| # Capture cURL only | ||
| mitmproxy --mode local:curl | ||
| ``` | ||
|
|
||
| ## How it works | ||
|
|
||
| {{< | ||
| figure src="architecture.png" | ||
| caption="Packet Redirection on Windows" | ||
| width="90%" | ||
| >}} | ||
|
|
||
| While macOS provided us with relatively nice system APIs | ||
| for traffic redirection (let's not get into the associated code-signing nightmares here), | ||
| Windows does not have an equivalent to this. Instead of handling TCP streams as on macOS, | ||
| we capture individual packets and need to handle TCP reassembly ourselves. | ||
|
|
||
| To capture packets, mitmproxy spawns a privileged redirector process that makes use of [WinDivert], | ||
| a user-mode packet capture library, via the excellent [windivert-rust] crate. | ||
| This allows us to target specific PIDs while avoiding memory-unsafe code on our end. | ||
|
|
||
| When the redirector has determined that a particular packet needs to be intercepted, | ||
| it is passed through a named pipe to mitmproxy_rs. Here we re-use our existing user-space | ||
| TCP/IP stack to transform packets into streams, and then pass them on to mitmproxy. | ||
|
|
||
| [WinDivert]: https://reqrypt.org/windivert.html | ||
| [windivert-rust]: https://github.com/Rubensei/windivert-rust | ||
|
|
||
| ## Next Steps | ||
|
|
||
| As with the macOS version, local redirect mode for Windows is already available for users in mitmproxy 10.1.5+. | ||
| We still intend to extend it with automated certificate installation, and more importantly a UI | ||
| integration into mitmweb. If you are curious about contributing, please join us on [GitHub]! | ||
|
|
||
| [GitHub]: https://github.com/mitmproxy/mitmproxy/issues/6531 | ||
|
|
||
| ## Acknowledgements | ||
|
|
||
| This work supported by the [NGI0 Entrust fund] established by [NLnet]. | ||
|
|
||
| [NGI0 Entrust fund]: https://nlnet.nl/entrust/ | ||
| [NLnet]: https://nlnet.nl/ |