Intercepting custom communication protocols in Windows 7

Actually, the title should have been: “Don’t feel lucky and go beyond the first result in a Google search”.

I’ve been using EchoMirage for some time but apparently I’ve been using the wrong one. Because when you search for it in Google you normally click the first link. Right? Wrong!

EchoMirage

The first link is for the older version from BindShell, which works decently under Windows XP and very poorly under Windows 7. Under Windows 7 you’ll get a lot of crashes, failed injections and a generally poor experience, even when run with XP compatibility mode enabled.

Now, if you’re smart enough, you may want to check the second link, which directs you to the newer version that supports Windows 7. To quote its page, “the primary goal of Echo Mirage 3 was to ensure full Windows 7 support”.

http://www.wildcroftsecurity.com/echo-mirage

Great, now it works. But what’s the usage?

When intercepting communication from a web application, the process is really easy. Since it only uses HTTP, you just fire up an intercepting proxy and point your browser at it. You can intercept, modify on the fly, replay requests, etc.

Now, in the case of a thick client the situation is more complicated. Sometimes the thick client uses a standard protocol like HTTP to communicate, but that’s not always the case, so you need a tool that can intercept and modify the raw traffic.

We can identify five different communication situations and a way to tackle each:

  1. Standard protocol, standard (or no) encryption – intercepting proxy like Burp, Fiddler, OWASP ZAP, Charles, etc.
  2. Standard protocol, custom encryption – rather uncommon
  3. Custom protocol, no encryption – here we use EchoMirage or TCP proxying with Mallory
  4. Custom protocol, standard encryption – TCP proxying with Mallory
  5. Custom protocol, custom encryption

When I say standard I usually refer to HTTP, and by standard encryption I mean SSL.

So, install EchoMirage, fire it up, inject into a running process or execute a new one, and have fun. You can customize rules for automatic replacement of data, highlight the data you’re interested in and other cool stuff.
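As an added example (not from this post, and not code from EchoMirage or Mallory), here is a minimal intercepting TCP proxy in Python for situation 3 above: it relays a thick client's raw TCP session to its server and applies replacement rules to the client-to-server bytes, the way EchoMirage's automatic replacement does. The rule, the echo server standing in for the real server, and the `roundtrip` client are constructed stand-ins; the proxy itself works against any plaintext TCP service.

```python
import contextlib
import socket
import threading
RULES = [(b"VERSION 1.0", b"VERSION 9.9")]  # constructed rule, made-up values

def apply_rules(chunk, rules):
    """Apply each (pattern, replacement) pair, in order, to one traffic chunk."""
    for pattern, replacement in rules:
        chunk = chunk.replace(pattern, replacement)
    return chunk

def pump(src, dst, rules, log, direction):
    """Relay src -> dst until EOF, logging (direction, original, rewritten)."""
    try:
        while chunk := src.recv(4096):
            rewritten = apply_rules(chunk, rules)
            log.append((direction, chunk, rewritten))
            dst.sendall(rewritten)
    finally:  # pass the EOF on so the other direction also winds down
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def serve_once(handler):  # ephemeral localhost port, one connection, own thread
    lst = socket.create_server(("127.0.0.1", 0))
    def run():
        with lst, lst.accept()[0] as conn:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return lst.getsockname()[1]

def start_proxy(target, c2s_rules, log):  # the intercepting TCP proxy itself
    def handle(client):
        with socket.create_connection(target) as server:
            back = threading.Thread(target=pump, args=(server, client, [], log, "s2c"))
            back.start()
            pump(client, server, c2s_rules, log, "c2s")  # rewrite only this way
            back.join()
    return serve_once(handle)

def start_echo_server():  # stand-in for the thick client's real server
    def handle(conn):
        while data := conn.recv(4096):
            conn.sendall(data)
    return serve_once(handle)

def roundtrip(proxy_port, payload):  # play the thick client: send, collect reply
    with socket.create_connection(("127.0.0.1", proxy_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))
```

A pattern that straddles two `recv()` chunks is not rewritten; buffer the stream or parse the protocol's framing before applying rules if that matters for the protocol you are looking at.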

There is a general tendency to move everything towards thin clients with standard protocols and standard encryption, but thick clients are going to be around for a while, and we’re still going to need tools to have fun with them.