Modify Packet

  • #4822
    sanjeev
    Participant

      Hello,

      I want to modify a packet based on the contents of the packet. Like, if I want to remove a word, what should I do? There is no example of reading the data; only an example of reading the header data is available. I want to read the exact data which is in printable format, and modify this. Can anyone please tell me the syntax to modify this data.

      Thanks in advance
      Regards
      Sanjeev

      #5437
      Vadim Smirnov
      Keymaster

        You should do something like the code below does, but don’t forget to recalculate the TCP checksum after doing this:

        #include <string>     // std::string used for the payload search
        using std::string;

        // MHdrSize is the 14-byte Ethernet (802.3) header: 2 * 6-byte addresses + 2-byte type
        PINTERMEDIATE_BUFFER ParsePacketHeaders ( PINTERMEDIATE_BUFFER pBuffer )
        {
            ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;

            if (ntohs(pEthernet->h_proto) == ETH_P_IP) {

                iphdr_ptr pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
                tcphdr_ptr pTcp = NULL;
                UCHAR IpProto = pIp->ip_p;

                if (IpProto == IPPROTO_TCP) {
                    pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
                    PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;
                    // payload length taken from the IP total length, so the search
                    // never runs past the end of the segment
                    size_t dataLen = ntohs(pIp->ip_len) - pIp->ip_hl*4 - pTcp->th_off*4;

                    if (ntohs(pTcp->th_sport) == 80) {

                        // word to replace and its replacement; same length, so the
                        // packet size and the IP/TCP length fields stay unchanged
                        string sought = "sex";
                        string replacement = "foo";

                        // the payload is binary and not NUL-terminated: copy exactly dataLen bytes
                        string foo((char *)pTcpData, dataLen);

                        size_t pos = 0;
                        while ((pos = foo.find(sought, pos)) != string::npos) {
                            foo.replace(pos, sought.size(), replacement);
                            pos += replacement.size();   // continue after the replaced word
                        }

                        memcpy(pTcpData, foo.data(), foo.length());
                        printf("Dest Data: %.*s\nAddress of pTcpData: %p\n",
                               (int)foo.length(), pTcpData, pTcpData);
                    } // port 80?

                } // TCP?

            } // IP packet?

            return pBuffer;
        }
        #5438
        sanjeev
        Participant

          Many thanks for your help. It would be great help if you can tell how to do TCP checksum. Once again thanks a lot for your help.

          #5439
          Vadim Smirnov
          Keymaster

            You should use something like the code below. Also, if you modify the IP header you should recalculate the IP checksum, and if you modify a UDP packet you should recalculate the UDP checksum…

            VOID
            RecalculateTCPChecksum (
                PINTERMEDIATE_BUFFER pPacket
                )
            {
                tcphdr_ptr pTcpHeader = NULL;
                unsigned short word16, padd = 0;
                unsigned int i, sum = 0;
                PUCHAR buff;
                DWORD dwTcpLen;

                iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

                // Sanity check
                if (pIpHeader->ip_p == IPPROTO_TCP)
                {
                    pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
                }
                else
                    return;

                // TCP header + payload length, from the IP total length
                dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4; //pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

                // odd length: pad with one zero byte so the last 16-bit word is complete
                if ( (dwTcpLen/2)*2 != dwTcpLen )
                {
                    padd = 1;
                    pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
                }

                buff = (PUCHAR)pTcpHeader;
                pTcpHeader->th_sum = 0;   // the checksum field counts as zero while summing

                // make 16 bit words out of every two adjacent 8 bit words and
                // calculate the sum of all 16 bit words
                for (i = 0; i < dwTcpLen + padd; i = i + 2) {
                    word16 = ((buff[i]<<8)&0xFF00) + (buff[i+1]&0xFF);
                    sum = sum + (unsigned long)word16;
                }

                // add the TCP pseudo header which contains:
                // the IP source and destination addresses,
                sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
                sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

                // the protocol number and the length of the TCP packet
                sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

                // keep only the last 16 bits of the 32 bit calculated sum and add the carries
                while (sum >> 16)
                    sum = (sum & 0xFFFF) + (sum >> 16);

                // Take the one's complement of sum
                sum = ~sum;

                // store in network byte order
                pTcpHeader->th_sum = htons((unsigned short)sum);
            }
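As an added example that is not part of this thread or of the WinpkFilter samples, here is a portable C version of both steps discussed above: same-length substitution confined to the TCP payload (post #5437) and the RFC 793 checksum with the pseudo header and odd-length padding (post #5439). It works on a plain byte buffer instead of INTERMEDIATE_BUFFER, the frame, addresses and payload are constructed for the demonstration, and it adds the length checks the forum sample leaves out; the same checksum function also verifies a segment, returning 0 when the stored value is correct.

```c
#include <stdint.h>
#include <string.h>
#define MHDR_SIZE 14  /* Ethernet header length, the thread's MHdrSize */
#define PROTO_TCP 6
/* Constructed frame: Ethernet + IPv4 (10.0.0.1 -> 10.0.0.2) + TCP (80 -> 1234) carrying
 * the payload "a sex"; the TCP checksum field (frame offset 50) is left zero. */
uint8_t frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x2d, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0x00,0x50,0x04,0xd2, 0,0,0,1, 0,0,0,2, 0x50,0x18,0x10,0x00, 0x00,0x00, 0x00,0x00,
    'a',' ','s','e','x' };
const size_t frame_len = sizeof frame;

static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{   /* big-endian 16-bit words; an odd trailing byte is padded with a zero byte */
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += ((uint32_t)p[i] << 8) | p[i + 1];
    return (len & 1) ? sum + ((uint32_t)p[len - 1] << 8) : sum;
}

uint8_t *tcp_segment(uint8_t *f, size_t flen, size_t *tcp_len)
{   /* NULL unless IPv4/TCP and the length fields fit the buffer (checks the sample omits) */
    uint8_t *ip = f + MHDR_SIZE; size_t ihl, total;
    if (flen < MHDR_SIZE + 20 || f[12] != 0x08 || f[13] != 0x00) return NULL;
    ihl = (ip[0] & 0x0f) * 4; total = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl + 20 || total > flen - MHDR_SIZE || ip[9] != PROTO_TCP) return NULL;
    *tcp_len = total - ihl; return ip + ihl;
}

uint16_t tcp_checksum(uint8_t *f, size_t flen)
{   /* RFC 793 sum over pseudo header + segment, checksum field summed as-is:
     * zero field -> value to store; correct field -> returns 0 (verification) */
    size_t tcp_len = 0; uint8_t *tcp = tcp_segment(f, flen, &tcp_len); uint32_t sum;
    if (!tcp) return 0;
    sum = ones_sum(f + MHDR_SIZE + 12, 8, 0) + PROTO_TCP + (uint32_t)tcp_len; /* pseudo header */
    sum = ones_sum(tcp, tcp_len, sum);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);  /* fold the carries */
    return (uint16_t)~sum;
}

int replace_in_payload(uint8_t *f, size_t flen, const char *from, const char *to)
{   /* same-length substitution in the TCP payload only, then a fresh checksum; -1 on bad input */
    size_t tcp_len = 0, n = strlen(from), i, count = 0;
    uint8_t *tcp = tcp_segment(f, flen, &tcp_len), *data, *end;
    uint16_t csum;
    if (!tcp || n == 0 || strlen(to) != n) return -1;
    data = tcp + (tcp[12] >> 4) * 4; end = tcp + tcp_len;  /* payload starts at th_off * 4 */
    if (data > end) return -1;
    for (i = 0; i + n <= (size_t)(end - data); i++)
        if (memcmp(data + i, from, n) == 0) { memcpy(data + i, to, n); count++; i += n - 1; }
    tcp[16] = tcp[17] = 0; csum = tcp_checksum(f, flen);
    tcp[16] = (uint8_t)(csum >> 8); tcp[17] = (uint8_t)csum;
    return (int)count;
}
```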
            #5440
            sanjeev
            Participant

              Thanks for your great help. But sorry, I’m still not able to modify the contents, as all the packet data is not in proper format. When I try to modify the word “SEX” it didn’t generate any error, but still I got the page with the word SEX. Then I saved all the data in a log file. Then I found there is no word SEX, but in my page it was showing. I think the problem is due to raw data. The packet data is not in string format, so it’s not replacing that. Also I don’t want to modify other data. I just want to replace the data part of the packet. By the above approach it can modify the header part as well. Please help….

              #5441
              Vadim Smirnov
              Keymaster

                Sorry, but I can’t advise because I have not enough information. You are right, the packet is not a PRINTABLE string but a BINARY string, and if there is a SEX word on the web page then its ASCII codes should be in that string.

                As for the header, you should pass the header prior to seeking the word (the code I have posted seeks the word starting from the TCP payload, so it can’t modify the header).

                #5442
                raj_123k
                Participant

                  Hi SerpentFly,
                  and thanks for giving help about ParsePacketHeaders, but I have a doubt in this question. Can you clarify what MHdrSize means in the function, because the compiler gives the error that it is undefined.

                  Please clarify my doubt.

                  Raj

                  #5443
                  Vadim Smirnov
                  Keymaster

                    This is MAC 802.3 Header Size:

                    #define ETHER_TYPE_LENGTH 2
                    #define ETHER_ADDR_LENGTH 6
                    #define MHdrSize (2*ETHER_ADDR_LENGTH + ETHER_TYPE_LENGTH )

                    #5444
                    raj_123k
                    Participant

                      Thanks for solving my problem,
                      but I have again a problem related to the same function and hope you also solve that.
                      while(foo.find("sex") != string::npos){
                      foo.replace(foo.find(sought), sought.size(), replacement);
                      }

                      Can you please clarify what sought and replacement stand for there.
                      Please also clear my doubt: can I store the return value into another PINTERMEDIATE_BUFFER buffer and then RecalculateTCPChecksum by passing the new buffer? Please solve my problem.

                      Raj

                      #5445
                      Vadim Smirnov
                      Keymaster

                        This is just a sample, but you can define them as below:

                        string sought = "sex";
                        string replacement = "foo";

                        @raj_123k wrote:

                        Please also clear my doubt: can I store the return value into another PINTERMEDIATE_BUFFER buffer and then RecalculateTCPChecksum by passing the new buffer? Please solve my problem.

                        I’m not sure I understand your problem here. The function I have provided recalculates the checksum for the modified packet. If you want to copy the packet then just copy the INTERMEDIATE_BUFFER structure, but I can’t find any good reason why you may need this…

                        #5446
                        david
                        Participant

                          Hello everyone …

                          I’m trying to do something similar, but when I analyse the code, I can’t see what MHdrSize means.

                          Any help?
                          Thanks
                          David

                          @SerpentFly wrote: [the ParsePacketHeaders sample from post #5437, quoted in full]
                          #5447
                          Vadim Smirnov
                          Keymaster

                            MHdrSize is equal to the size of the Ethernet header, which is 14 bytes long.

                            #5448
                            krishnabn
                            Participant

                              Thanks a lot for the code snippet. I am using this with the passthru example. It works with HTTP requests, but it’s not working with IMs like Yahoo/GTalk. Can anyone please help me out.
                              Thanks in advance

                              #5449
                              Vadim Smirnov
                              Keymaster

                                @krishnabn wrote: It works with HTTP requests, but it’s not working with IMs like Yahoo/GTalk. Can anyone please help me out.

                                The code above (ParsePacketHeaders) is specific to HTTP packets (TCP port 80), and it is not applicable to IM interception (IM clients use different port numbers, or even UDP instead of TCP) unless the IM uses HTTP as a transport.
