Modify Packet

Home Forums Discussions Support Portal Modify Packet

This topic contains 13 replies, has 5 voices, and was last updated by  Vadim Smirnov 9 years, 11 months ago.

Viewing 14 posts - 1 through 14 (of 14 total)
  • Author
    Posts
  • #4822

    sanjeev
    Participant

    Hello,

    I want to modify a packet based on the contents of a packet. Like If I want to remove the word what should I do. There is no example of reading the data. Only example on reading headers data is available. I want to read the exact data which is in printable format. and modify this. Can anyone please tell me the syntex to modify this data.

    Thanks in advance
    Regards
    Sanjeev

    #5437

    Vadim Smirnov
    Moderator

    You should do something like the code below does, but don’t forget to recalculate TCP checksum after doing this:

    PINTERMEDIATE_BUFFER ParsePacketHeaders   ( PINTERMEDIATE_BUFFER pBuffer )
    {
    ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;

    if(ntohs(pEthernet->h_proto) == ETH_P_IP){

    iphdr_ptr pIp = NULL;
    tcphdr_ptr pTcp = NULL;
    pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
    //printf("%i", MHdrSize);
    UCHAR IpProto = pIp->ip_p;

    if(IpProto == IPPROTO_TCP){
    pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
    in_addr IP = pIp->ip_src;
    PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;

    if(ntohs(pTcp->th_sport) == 80){

    string foo = (char *)pTcpData;

    while(foo.find("sex") != string::npos){
    foo.replace(foo.find(sought), sought.size(), replacement);
    }

    const char* final = foo.c_str();
    memcpy(pTcpData, final, foo.length());
    printf("Dest Data: %snAddress of pTcpData: %x", pTcpData, &pTcpData);
    }//port 80?

    }//tcp??

    } //IP Packet?


    return pBuffer;

    }
    #5438

    sanjeev
    Participant

    Many thanks for your help. It would be great help if you can tell how to do TCP checksum. Once again thanks a lot for your help.

    #5439

    Vadim Smirnov
    Moderator

    You should use something like the code below. Also if modify IP header you should recalculate IP checksum, if modify UDP packet you should recalculate UDP checksum…

    VOID
    RecalculateTCPChecksum (
    PINTERMEDIATE_BUFFER pPacket
    )
    {
    tcphdr_ptr pTcpHeader = NULL;
    unsigned short word16, padd = 0;
    unsigned int i, sum = 0;
    PUCHAR buff;
    DWORD dwTcpLen;

    iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

    // Sanity check
    if (pIpHeader->ip_p == IPPROTO_TCP)
    {
    pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
    }
    else
    return;

    dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

    if ( (dwTcpLen/2)*2 != dwTcpLen )
    {
    padd=1;
    pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
    }

    buff = (PUCHAR)pTcpHeader;
    pTcpHeader->th_sum = 0;

    // make 16 bit words out of every two adjacent 8 bit words and
    // calculate the sum of all 16 vit words
    for (i=0; i< dwTcpLen+padd; i=i+2){
    word16 =((buff< <8)&0xFF00)+(buff[i+1]&0xFF);
    sum = sum + (unsigned long)word16;
    }

    // add the TCP pseudo header which contains:
    // the IP source and destination addresses,

    sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
    sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

    // the protocol number and the length of the TCP packet
    sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

    // keep only the last 16 bits of the 32 bit calculated sum and add the carries
    while (sum>>16)
    sum = (sum & 0xFFFF)+(sum >> 16);

    // Take the one's complement of sum
    sum = ~sum;

    pTcpHeader->th_sum = ntohs((unsigned short)sum);
    }
    #5440

    sanjeev
    Participant

    Thanks for your gr8 help. But sorry I’m still not able to modify the contents. As all the packet data is not in proper format. when I try to modify the word “SEX” it didnt generate any error but still I got the page with word SEX. Then I saved all the data in a log file. Then I found there is no word SEX. but in my page it was showing. I think problem is due to raw data. The packet data is not in string fromat. So its not replacing that. Also I dont want to modify other data. I just want to replace the data part of packet. By the above aproach it can modify the header part as well. Please help….

    #5441

    Vadim Smirnov
    Moderator

    Sorry but I can’t advise because I have not enough informaton. You are right, packet is not a PRINTABLE string but this is a BINARY string and if there is a SEX word on the web-page then it’s ASCII codes should be in that string.

    As for the header, you should pass the header prior seeking the word (the code I have posted seeks the word starting from the TCP payload so it can’t modify the header).

    #5442

    raj_123k
    Participant

    hi SerpentFly
    and thankx for giving help about ParsePacketHeaders but i have doubt in this question. can u clearify MHdrSize mean in the function coz comiler give the error i.e it is undefined.

    plz clearify my doubt

    Raj

    #5443

    Vadim Smirnov
    Moderator

    This is MAC 802.3 Header Size:

    #define ETHER_TYPE_LENGTH 2
    #define ETHER_ADDR_LENGTH 6
    #define MHdrSize (2*ETHER_ADDR_LENGTH + ETHER_TYPE_LENGTH )

    #5444

    raj_123k
    Participant

    thankx for to solve my problem
    but i have again a problem related same function and hope u also solve that.
    while(foo.find(“sex”) != string::npos){
    foo.replace(foo.find(sought), sought.size(), replacement);
    }

    can u plz clearify what sought and replacement stands there
    plz also clear my doubt that can i store the return value into another PINTERMEDIATE_BUFFER buffer and then RecalculateTCPChecksum by passing the new buffer. plz solve my problem

    Raj

    #5445

    Vadim Smirnov
    Moderator

    This is just a sample, but you can define them as below:

    string sought = “sex”;
    string replacement = “foo”;

    plz also clear my doubt that can i store the return value into another PINTERMEDIATE_BUFFER buffer and then RecalculateTCPChecksum by passing the new buffer. plz solve my problem

    I’m not sure I understand your problem here. The function I have provided recalculates checksum for the modified packet. If you want to copy the packet then just copy INTERMEDIATE_BUFFER structure but I can’t find any good reason whay you may need this…

    #5446

    david
    Participant

    Hello everyone …

    I’m trying to do something similar, but when I analise the code, I can’t see what MHdrSize means.

    Any help?.
    Thanks
    David

    @SerpentFly wrote:

    You should do something like the code below does, but don’t forget to recalculate TCP checksum after doing this:

    PINTERMEDIATE_BUFFER ParsePacketHeaders   ( PINTERMEDIATE_BUFFER pBuffer )
    {
    ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;

    if(ntohs(pEthernet->h_proto) == ETH_P_IP){

    iphdr_ptr pIp = NULL;
    tcphdr_ptr pTcp = NULL;
    pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
    //printf("%i", MHdrSize);
    UCHAR IpProto = pIp->ip_p;

    if(IpProto == IPPROTO_TCP){
    pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
    in_addr IP = pIp->ip_src;
    PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;

    if(ntohs(pTcp->th_sport) == 80){

    string foo = (char *)pTcpData;

    while(foo.find("sex") != string::npos){
    foo.replace(foo.find(sought), sought.size(), replacement);
    }

    const char* final = foo.c_str();
    memcpy(pTcpData, final, foo.length());
    printf("Dest Data: %snAddress of pTcpData: %x", pTcpData, &pTcpData);
    }//port 80?

    }//tcp??

    } //IP Packet?


    return pBuffer;

    }
    #5447

    Vadim Smirnov
    Moderator

    MHdrSize is equal to the size of ethernet header, which is 14 bytes length.

    #5448

    krishnabn
    Participant

    Thanks a lot for the code snippet. Am using this with the example of passthru. It works with http requests. But its not working with the IM’s like yahoo/gtalk. Can any one please helpe me out.
    Thanks in advance

    #5449

    Vadim Smirnov
    Moderator

    It works with http requests. But its not working with the IM’s like yahoo/gtalk. Can any one please helpe me out.

    The code above (ParsePacketHeaders) is specific to HTTP packets (TCP port 80) and it is not applicable to IM (which use different port numbers or even UDP instead of TCP) interception unless it uses HTTP as a transport.

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic.