Forum Replies Created
-
Posts
-
There is no way to determine PID at the NDIS level, and actually some packets have not associated PID (packets destined to other systems which to be routed and packets generated by TCP/IP stack ARP, IGMP and others).
The only way to match packet against process is having LSP or TDI filter driver and keeping active connections table with associated PIDs. However, I should also note that LSP can be bypassed by direct acess to the TDI and itself TDI not always called in the correct process context (but it is in the most cases).
Tha depends of what do you mean under readable form. Packet itself is an array of bytes and not all of them have a printable representation. If you take any network sniffer it will parse packet headers and will show you binary dump of the packet and string representation of each byte (if it is printable, otherwise it will be substituted with “.”). Is this is the readable form you’d like to get?
Sorry but I can’t advise because I have not enough informaton. You are right, packet is not a PRINTABLE string but this is a BINARY string and if there is a SEX word on the web-page then it’s ASCII codes should be in that string.
As for the header, you should pass the header prior seeking the word (the code I have posted seeks the word starting from the TCP payload so it can’t modify the header).
You should use something like the code below. Also if modify IP header you should recalculate IP checksum, if modify UDP packet you should recalculate UDP checksum…
VOID
RecalculateTCPChecksum (
PINTERMEDIATE_BUFFER pPacket
)
{
tcphdr_ptr pTcpHeader = NULL;
unsigned short word16, padd = 0;
unsigned int i, sum = 0;
PUCHAR buff;
DWORD dwTcpLen;
iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];
// Sanity check
if (pIpHeader->ip_p == IPPROTO_TCP)
{
pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
}
else
return;
dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);
if ( (dwTcpLen/2)*2 != dwTcpLen )
{
padd=1;
pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
}
buff = (PUCHAR)pTcpHeader;
pTcpHeader->th_sum = 0;
// make 16 bit words out of every two adjacent 8 bit words and
// calculate the sum of all 16 vit words
for (i=0; i< dwTcpLen+padd; i=i+2){
word16 =((buff<<8)&0xFF00)+(buff[i+1]&0xFF);
sum = sum + (unsigned long)word16;
}
// add the TCP pseudo header which contains:
// the IP source and destination addresses,
sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);
// the protocol number and the length of the TCP packet
sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;
// keep only the last 16 bits of the 32 bit calculated sum and add the carries
while (sum>>16)
sum = (sum & 0xFFFF)+(sum >> 16);
// Take the one's complement of sum
sum = ~sum;
pTcpHeader->th_sum = ntohs((unsigned short)sum);
}You should do something like the code below does, but don’t forget to recalculate TCP checksum after doing this:
PINTERMEDIATE_BUFFER ParsePacketHeaders ( PINTERMEDIATE_BUFFER pBuffer )
{
ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;
if(ntohs(pEthernet->h_proto) == ETH_P_IP){
iphdr_ptr pIp = NULL;
tcphdr_ptr pTcp = NULL;
pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
//printf("%i", MHdrSize);
UCHAR IpProto = pIp->ip_p;
if(IpProto == IPPROTO_TCP){
pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
in_addr IP = pIp->ip_src;
PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;
if(ntohs(pTcp->th_sport) == 80){
string foo = (char *)pTcpData;
while(foo.find("sex") != string::npos){
foo.replace(foo.find(sought), sought.size(), replacement);
}
const char* final = foo.c_str();
memcpy(pTcpData, final, foo.length());
printf("Dest Data: %snAddress of pTcpData: %x", pTcpData, &pTcpData);
}//port 80?
}//tcp??
} //IP Packet?
return pBuffer;
}The command line should be “PacketSniffer 1 -promisc” but not “PacketSniffer index 1 -promisc”. Also are you sure that there are packets available from interface with index 1? Usually (for Windows 2000/XP/2003) this is dial-up interface (NDISWANIP) for which there is no sense to use promiscuous mode (it is point-to-point connection), and it can evemn affect interface normal functionality.
