Pasted as C++ by Bitnik ( 12 years ago )
#include "stdafx.h"

// Reinterprets the two bytes of `netshort`, in the order they sit in memory,
// as a big-endian 16-bit value (network byte order) and returns that value
// in host representation. The swap is its own inverse, which is why the
// same routine can stand in for htons().
USHORT ntohs( USHORT netshort )
{
	UCHAR octets[2];

	memcpy( octets, &netshort, sizeof(octets) );

	return (USHORT)( (octets[0] << 8) | octets[1] );
}

// htons() and ntohs() are the same 16-bit byte swap, so the local ntohs() above
// doubles as htons(); used below to build the port-80 constant in network order.
#define htons ntohs

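// Normalizes `len` bytes of `buf` in place for a case-insensitive strstr():
// embedded NUL bytes become spaces (so the whole payload is visible to the
// search) and ASCII letters are upper-cased. Other bytes are left untouched.
static void NormalizeForMatch(char* buf, size_t len)
{
    for (size_t i = 0; i < len; ++i)
    {
        if (buf[i] == 0)
            buf[i] = 0x20;

        if (isalpha((UCHAR)buf[i]))
            buf[i] = (char)toupper((UCHAR)buf[i]);
    }
}

// Closes the first `count` handles in `hEvents`; callers only pass handles
// that CreateEvent() returned successfully.
static void CloseEvents(HANDLE* hEvents, DWORD count)
{
    for (DWORD i = 0; i < count; ++i)
        CloseHandle(hEvents[i]);
}

// Locates the TCP payload inside the frame held in `buf`.
//
// Every length field this function trusts (frame length, ip_hl, th_off) comes
// off the wire, so each is checked against buf.m_Length before the pointer it
// governs is dereferenced; an IP or TCP header length below the fixed-size
// minimum is rejected as well. On success returns TRUE and sets pIp, pTcp,
// pData and dataLen (dataLen may be 0). Returns FALSE for non-IP, non-TCP or
// malformed/truncated frames, which the caller then passes through unchanged.
static BOOL LocateTcpPayload(INTERMEDIATE_BUFFER& buf, iphdr_ptr& pIp, tcphdr_ptr& pTcp, PCHAR& pData, DWORD& dataLen)
{
    const DWORD frameLen = buf.m_Length;
    ether_header_ptr pEth = (ether_header_ptr)buf.m_IBuffer;

    // Ethernet header plus a minimal IP header must be present before ip_p/ip_hl are read
    if (frameLen < sizeof(ether_header) + sizeof(*pIp))
        return FALSE;

    if (ntohs(pEth->h_proto) != ETH_P_IP)
        return FALSE;

    pIp = (iphdr_ptr)(pEth + 1);

    // ip_hl is in 32-bit words; below 5 it is invalid, and the header plus a
    // minimal TCP header must fit inside the frame before th_off is read
    const DWORD ipHdrLen = (DWORD)pIp->ip_hl * 4;
    if (ipHdrLen < sizeof(*pIp) || frameLen < sizeof(ether_header) + ipHdrLen + sizeof(*pTcp))
        return FALSE;

    if (pIp->ip_p != IPPROTO_TCP)
        return FALSE;

    pTcp = (tcphdr_ptr)((PUCHAR)pIp + ipHdrLen);

    const DWORD tcpHdrLen = (DWORD)pTcp->th_off * 4;
    const DWORD headersLen = sizeof(ether_header) + ipHdrLen + tcpHdrLen;
    if (tcpHdrLen < sizeof(*pTcp) || frameLen < headersLen)
        return FALSE;

    pData = (PCHAR)pEth + headersLen;
    dataLen = frameLen - headersLen;   // cannot wrap: frameLen >= headersLen was checked above

    return TRUE;
}

// Sample packet filter on top of the CNdisApi driver interface.
//
// Usage: <program> <pattern>
//   pattern  ASCII string of 1..255 bytes, matched case-insensitively against
//            the payload of HTTP segments (TCP port 80, outbound to that port or
//            inbound from it). A matching segment is logged and dropped; every
//            other frame is forwarded unchanged in its original direction.
//
// Every TCP/IP-bound interface is switched into send+receive tunnel mode, so
// all traffic passes through this process until waiting on the notification
// events fails. Returns 0 in every case, including argument and setup errors.
int main(int argc, char* argv[])
{
    TCP_AdapterList     AdList;
    CNdisApi            api;
    ETH_REQUEST         Request;
    INTERMEDIATE_BUFFER PacketBuffer;
    iphdr_ptr           pIpHeader = NULL;
    tcphdr_ptr          pTcpHeader = NULL;
    HANDLE              hEvent[256];
    DWORD               dwAdIndex = 0;
    DWORD               dwEventsCreated = 0;
    char                szTempString[1500];
    char                szPattern[256];
    BOOL                bDrop = FALSE;

    // The wait set and the per-adapter event slots are both bounded by hEvent
    const DWORD dwMaxAdapters = sizeof(hEvent) / sizeof(hEvent[0]);

    // Main code

    if (argc < 2)
    {
        return 0;
    }

    if (!api.IsDriverLoaded())
    {
        return 0;
    }

    // An empty pattern would match every payload and drop all HTTP traffic;
    // a pattern longer than the buffer would overrun it
    const size_t patternLen = strlen(argv[1]);
    if (patternLen == 0 || patternLen > sizeof(szPattern) - 1)
    {
        return 0;
    }

    printf("Testing...\n\n");

    // Get pattern in upper case (the NUL terminator is copied along with it)

    memcpy(szPattern, argv[1], patternLen + 1);
    NormalizeForMatch(szPattern, patternLen);

    // Port 80 in network order, computed once instead of per packet
    const USHORT usHttpPort = htons(80);

    // Get system installed network interfaces

    api.GetTcpipBoundAdaptersInfo(&AdList);

    if (AdList.m_nAdapterCount > dwMaxAdapters)
    {
        printf("Too many network interfaces for this sample\n");
        return 0;
    }

    // Initialize common ADAPTER_MODE structure (all network interfaces will operate in the same mode)

    ADAPTER_MODE Mode;
    Mode.dwFlags = MSTCP_FLAG_SENT_TUNNEL | MSTCP_FLAG_RECV_TUNNEL;

    // Create notification events and initialize the driver to pass packets thru us

    for (dwAdIndex = 0; dwAdIndex < AdList.m_nAdapterCount; ++dwAdIndex)
    {
        hEvent[dwAdIndex] = CreateEvent(NULL, TRUE, FALSE, NULL);
        if (!hEvent[dwAdIndex])
        {
            printf("Failed to create notification event for network interface \n");
            CloseEvents(hEvent, dwEventsCreated);
            return 0;
        }
        ++dwEventsCreated;

        Mode.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        // Set MSTCP_FLAG_SENT_TUNNEL|MSTCP_FLAG_RECV_TUNNEL for the network interface

        api.SetAdapterMode(&Mode);

        // Set packet notification event for the network interface

        api.SetPacketEvent((HANDLE)AdList.m_nAdapterHandle[dwAdIndex], hEvent[dwAdIndex]);
    }

    // Initialize common part of ETH_REQUEST

    ZeroMemory(&Request, sizeof(ETH_REQUEST));
    ZeroMemory(&PacketBuffer, sizeof(INTERMEDIATE_BUFFER));
    Request.EthPacket.Buffer = &PacketBuffer;

    // Go into the endless loop (this is just a sample application)

    while (TRUE)
    {
        // Wait before any of the interfaces is ready to indicate the packet

        dwAdIndex = WaitForMultipleObjects(AdList.m_nAdapterCount, hEvent, FALSE, INFINITE) - WAIT_OBJECT_0;

        // A failed wait (WAIT_FAILED) wraps to a value outside the event range;
        // indexing hEvent / m_nAdapterHandle with it would read out of bounds
        if (dwAdIndex >= AdList.m_nAdapterCount)
        {
            printf("WaitForMultipleObjects failed\n");
            break;
        }

        // Complete initialization of ETH_REQUEST

        Request.hAdapterHandle = (HANDLE)AdList.m_nAdapterHandle[dwAdIndex];

        // Read packet from the interface until there are any

        while (api.ReadPacket(&Request))
        {
            PCHAR pData = NULL;
            DWORD dwDataLength = 0;

            bDrop = FALSE;

            // Only well-formed TCP segments with a non-empty payload are inspected;
            // everything else is forwarded as-is below
            if (LocateTcpPayload(PacketBuffer, pIpHeader, pTcpHeader, pData, dwDataLength) && dwDataLength != 0)
            {
                // Check if this HTTP packet (destined to remote system port 80, or received from it)

                const BOOL bHttp =
                    ((pTcpHeader->th_dport == usHttpPort) && (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)) ||
                    ((pTcpHeader->th_sport == usHttpPort) && (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_RECEIVE));

                if (bHttp)
                {
                    // Only the first sizeof(szTempString)-1 payload bytes are searched; a
                    // larger payload is truncated rather than overrunning the scratch buffer
                    if (dwDataLength > sizeof(szTempString) - 1)
                        dwDataLength = sizeof(szTempString) - 1;

                    // Copy packet payload into the temporary string, replace all 0 bytes with 0x20,
                    // convert string to upper case and place \0 at the end

                    memcpy(szTempString, pData, dwDataLength);
                    NormalizeForMatch(szTempString, dwDataLength);
                    szTempString[dwDataLength] = 0;

                    // Check if this packet payload contains user supplied pattern in ASCII code

                    if (strstr(szTempString, szPattern))
                        bDrop = TRUE;
                }
            }

            if (bDrop)
            {
                // pIpHeader/pTcpHeader are valid here: bDrop is only set after LocateTcpPayload succeeded
                printf("TCP %d.%d.%d.%d:%d  ->  %d.%d.%d.%d:%d pattern found & packet dropped \n",
                    pIpHeader->ip_src.S_un.S_un_b.s_b1, pIpHeader->ip_src.S_un.S_un_b.s_b2, pIpHeader->ip_src.S_un.S_un_b.s_b3, pIpHeader->ip_src.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_sport),
                    pIpHeader->ip_dst.S_un.S_un_b.s_b1, pIpHeader->ip_dst.S_un.S_un_b.s_b2, pIpHeader->ip_dst.S_un.S_un_b.s_b3, pIpHeader->ip_dst.S_un.S_un_b.s_b4, ntohs(pTcpHeader->th_dport));
                bDrop = FALSE;
            }
            else if (PacketBuffer.m_dwDeviceFlags == PACKET_FLAG_ON_SEND)
            {
                // Place packet on the network interface
                api.SendPacketToAdapter(&Request);
            }
            else
            {
                // Indicate packet to MSTCP
                api.SendPacketToMstcp(&Request);
            }
        }

        // Reset signalled event
        ResetEvent(hEvent[dwAdIndex]);
    }

    CloseEvents(hEvent, dwEventsCreated);
    return 0;
}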

 
