Vadim Smirnov

Forum Replies Created

Viewing 11 posts - 1,411 through 1,421 (of 1,421 total)
  • Author
    Posts
  • in reply to: WinpkFilter #5454
    Vadim Smirnov
    Keymaster

      But I will buy the source anyway, because I need a customized device-object-name.

      Just FYI: If you order Developer license you can request free custom build with costomized device-object-name.

      By the way: ICMP is also diffcult to catch by a TDI-filter.

      Yes this is correct, however PING request an example can be intercepted by filter over the DeviceIp.

      in reply to: WinpkFilter #5452
      Vadim Smirnov
      Keymaster

        There is no way to determine PID at the NDIS level, and actually some packets have not associated PID (packets destined to other systems which to be routed and packets generated by TCP/IP stack ARP, IGMP and others).

        The only way to match packet against process is having LSP or TDI filter driver and keeping active connections table with associated PIDs. However, I should also note that LSP can be bypassed by direct acess to the TDI and itself TDI not always called in the correct process context (but it is in the most cases).

        in reply to: how to make data readable #5450
        Vadim Smirnov
        Keymaster

          Tha depends of what do you mean under readable form. Packet itself is an array of bytes and not all of them have a printable representation. If you take any network sniffer it will parse packet headers and will show you binary dump of the packet and string representation of each byte (if it is printable, otherwise it will be substituted with “.”). Is this is the readable form you’d like to get?

          in reply to: Modify Packet #5441
          Vadim Smirnov
          Keymaster

            Sorry but I can’t advise because I have not enough informaton. You are right, packet is not a PRINTABLE string but this is a BINARY string and if there is a SEX word on the web-page then it’s ASCII codes should be in that string.

            As for the header, you should pass the header prior seeking the word (the code I have posted seeks the word starting from the TCP payload so it can’t modify the header).

            in reply to: Modify Packet #5439
            Vadim Smirnov
            Keymaster

              You should use something like the code below. Also if modify IP header you should recalculate IP checksum, if modify UDP packet you should recalculate UDP checksum…

              VOID
              RecalculateTCPChecksum (
              PINTERMEDIATE_BUFFER pPacket
              )
              {
              tcphdr_ptr pTcpHeader = NULL;
              unsigned short word16, padd = 0;
              unsigned int i, sum = 0;
              PUCHAR buff;
              DWORD dwTcpLen;

              iphdr_ptr pIpHeader = (iphdr_ptr)&pPacket->m_IBuffer[sizeof(ether_header)];

              // Sanity check
              if (pIpHeader->ip_p == IPPROTO_TCP)
              {
              pTcpHeader = (tcphdr_ptr)(((PUCHAR)pIpHeader) + sizeof(DWORD)*pIpHeader->ip_hl);
              }
              else
              return;

              dwTcpLen = ntohs(pIpHeader->ip_len) - pIpHeader->ip_hl*4;//pPacket->m_Length - ((PUCHAR)(pTcpHeader) - pPacket->m_IBuffer);

              if ( (dwTcpLen/2)*2 != dwTcpLen )
              {
              padd=1;
              pPacket->m_IBuffer[dwTcpLen + pIpHeader->ip_hl*4 + sizeof(ether_header)] = 0;
              }

              buff = (PUCHAR)pTcpHeader;
              pTcpHeader->th_sum = 0;

              // make 16 bit words out of every two adjacent 8 bit words and
              // calculate the sum of all 16 vit words
              for (i=0; i< dwTcpLen+padd; i=i+2){
              word16 =((buff<<8)&0xFF00)+(buff[i+1]&0xFF);
              sum = sum + (unsigned long)word16;
              }

              // add the TCP pseudo header which contains:
              // the IP source and destination addresses,

              sum = sum + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_src.S_un.S_un_w.s_w2);
              sum = sum + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w1) + ntohs(pIpHeader->ip_dst.S_un.S_un_w.s_w2);

              // the protocol number and the length of the TCP packet
              sum = sum + IPPROTO_TCP + (unsigned short)dwTcpLen;

              // keep only the last 16 bits of the 32 bit calculated sum and add the carries
              while (sum>>16)
              sum = (sum & 0xFFFF)+(sum >> 16);

              // Take the one's complement of sum
              sum = ~sum;

              pTcpHeader->th_sum = ntohs((unsigned short)sum);
              }
              in reply to: Modify Packet #5437
              Vadim Smirnov
              Keymaster

                You should do something like the code below does, but don’t forget to recalculate TCP checksum after doing this:

                PINTERMEDIATE_BUFFER ParsePacketHeaders   ( PINTERMEDIATE_BUFFER pBuffer )
                {
                ether_header_ptr pEthernet = (ether_header_ptr)&pBuffer->m_IBuffer;

                if(ntohs(pEthernet->h_proto) == ETH_P_IP){

                iphdr_ptr pIp = NULL;
                tcphdr_ptr pTcp = NULL;
                pIp = (iphdr_ptr)&pBuffer->m_IBuffer[MHdrSize];
                //printf("%i", MHdrSize);
                UCHAR IpProto = pIp->ip_p;

                if(IpProto == IPPROTO_TCP){
                pTcp = (tcphdr_ptr)(((PUCHAR)pIp) + sizeof(DWORD)*pIp->ip_hl);
                in_addr IP = pIp->ip_src;
                PUCHAR pTcpData = (PUCHAR)pTcp + pTcp->th_off*4;

                if(ntohs(pTcp->th_sport) == 80){

                string foo = (char *)pTcpData;

                while(foo.find("sex") != string::npos){
                foo.replace(foo.find(sought), sought.size(), replacement);
                }

                const char* final = foo.c_str();
                memcpy(pTcpData, final, foo.length());
                printf("Dest Data: %snAddress of pTcpData: %x", pTcpData, &pTcpData);
                }//port 80?

                }//tcp??

                } //IP Packet?


                return pBuffer;

                }
                in reply to: how to use WinpkFilter source code #5434
                Vadim Smirnov
                Keymaster

                  The command line should be “PacketSniffer 1 -promisc” but not “PacketSniffer index 1 -promisc”. Also are you sure that there are packets available from interface with index 1? Usually (for Windows 2000/XP/2003) this is dial-up interface (NDISWANIP) for which there is no sense to use promiscuous mode (it is point-to-point connection), and it can evemn affect interface normal functionality.

                  in reply to: how to use WinpkFilter source code #5432
                  Vadim Smirnov
                  Keymaster

                    If you give more details of what you are trying to do I can try to help.

                    in reply to: to drop packet #5435
                    Vadim Smirnov
                    Keymaster

                      Use PassThru sample as a base and just don’t return to the stack the packet you would like to drop.

                      in reply to: Can NTKernal Server Firwall 1.2 be run on a server? #5429
                      Vadim Smirnov
                      Keymaster

                        Yes, it can be running on server…

                        in reply to: NT Personal Firewall #5425
                        Vadim Smirnov
                        Keymaster

                          This feature (running firewall as a service) will be avalable in the next release (expected in January 2004).

                          Thank you for your interest.

                        Viewing 11 posts - 1,411 through 1,421 (of 1,421 total)