C++/CLI Packet sniffer

[donn]

I've started working on this:



As I said, it's made in C++/CLI, it will first be just a packet sniffer, it can turn into anything else later on. It's undetected, since it involves no hooking to Conquer process at all.

For the beginning, I need a few ideas on how to organize the packets output, so it would be easier to read and analyze.

Any further questions or suggestions are welcomed. The only thing that I'm keeping secret for now is the method used for intercepting the packets.

[Best Coder 2014]

Am I getting warmer or colder?

[donn]

Cooler. You know you can't decrypt CO2 packets without injecting your own DH key exchange. So just a sniffer is not enough, you also need to re-write those packets.

[Best Coder 2014]

Quote:

Originally Posted by donn

Cooler. You know you can't decrypt CO2 packets without injecting your own DH key exchange. So just a sniffer is not enough, you also need to re-write those packets.

If the client can decrypt the packets, so can a third party program. But okay, is colder or warmer then?

[donn]

Warmer. It's WFP indeed.

Quote:

Originally Posted by Best Coder 2014

If the client can decrypt the packets, so can a third party program.

Still, I need to own the private key if I want to send my own packets.

[Best Coder 2014]

Quote:

Originally Posted by donn

Warmer. It's WFP indeed.



Still, I need to own the private key if I want to send my own packets.

[donn]

And since it's a packet sniffer, does anyone knows what packet is that:

 Spoiler

Code:

Type : 2711 | Length : 815 |

	27 03 97 0A 1C 03 00 00 B7 F1 93 4F 2E 90 8B 42 E1 19 FB E1 	|	'..........O...B....
	BF 84 64 8D 1F 5A E3 31 DE 53 0A B1 DB 40 5F 19 E3 90 EE 6C 	|	..d..Z.1.S...@_....l
	20 20 C4 7B 67 9E A0 FF 57 B5 79 7F 26 2E 25 A1 04 A9 41 C1 	|	  .{g...W.y.&.%...A.
	49 18 D0 28 03 07 3D 7B 4D B1 B8 61 4A FE 93 CF 7E 80 F6 CD 	|	I..(..={M..aJ...~...
	A1 F9 22 01 96 68 17 4E D9 08 46 1C 48 8C D7 B3 62 76 BF 4E 	|	.."..h.N..F.H...bv.N
	A3 FA 06 87 7E 25 CC 68 4C 23 50 AB B8 CC 23 11 46 DD 92 45 	|	....~%.hL#P...#.F..E
	54 31 EC 2C EF 5E 79 2B 5A 13 77 76 22 E2 30 C0 D1 E4 29 EE 	|	T1.,.^y+Z.wv".0...).
	8B 7F 36 58 9D 87 5F EA B1 E9 A5 56 3E 0B CB 0D 60 7C A6 B0 	|	..6X.._....V>...`|..
	79 58 7A 82 6F BF 00 E4 EA 0B 8C DE B9 10 FA 0A D8 C7 BE 66 	|	yXz.o..............f
	62 51 FF 5E 81 83 6F 33 03 95 AA 0E 42 EE 8A 08 00 0E 06 31 	|	bQ.^..o3....B......1
	2A C1 4F C3 94 7F EF 84 1B 40 4A FF F0 71 CA 40 D6 04 EF 98 	|	*[email protected].@....
	54 41 CC 81 ED 82 6C 93 17 2B DD 53 DD 5F 18 8E 7E DB 4C F1 	|	TA....l..+.S._..~.L.
	E5 96 6E 30 4E 24 CE 20 6E 5E D5 E9 D5 08 56 33 63 DA 14 F7 	|	..n0N$. n^....V3c...
	ED DB 6F 4C FE 70 4E 75 8C 33 AC CC 64 94 65 75 95 D1 E2 D9 	|	..oL.pNu.3..d.eu....
	D5 EC CA 75 E3 F0 B9 F7 22 74 2F 5A 41 2A 31 F9 46 F2 83 AD 	|	...u...."t/ZA*1.F...
	DA 82 0F A4 FB 2C F1 E8 DE 01 6F E3 CF 0B 14 FA 9B C1 35 46 	|	.....,....o.......5F
	32 AC 40 E0 55 69 51 B5 20 65 B3 16 5C E4 7D 7C 3C 85 5B 17 	|	[email protected]. e..\.}|<.[.
	CD CD 52 55 48 AB F1 3B 7A CD D4 83 79 AF 4E 6D 3B 24 A5 5C 	|	..RUH..;z...y.Nm;$.\
	C3 8D 0C 27 34 14 C8 58 D6 D6 92 C0 4E 83 76 B5 1E 8A 2F A4 	|	...'4..X....N.v.../.
	96 17 95 22 7F EB 0A 44 74 E3 87 CA 91 83 72 C6 F3 B6 C6 6C 	|	..."...Dt.....r....l
	C3 93 25 09 CF 49 6B 2A EA 08 48 2E C2 E1 2C 5E 20 11 51 09 	|	..%..Ik*..H...,^ .Q.
	69 02 26 0D 02 05 ED B8 A8 E7 77 CE F1 FD 5F 0B 09 23 C1 56 	|	i.&.......w..._..#.V
	43 0B D4 8B D1 5B 5B 88 40 FE 84 35 06 42 64 36 E4 2E 4A 32 	|	C....[[[email protected]
	95 F7 61 2F 9F 14 E0 09 33 BD E4 CA 73 C2 60 F4 43 85 E3 E7 	|	..a/....3...s.`.C...
	47 19 7C 1A D0 EF AC 8E 7E B4 78 27 1D BD 31 68 4C EC 64 26 	|	G.|.....~.x'..1hL.d&
	A1 AC 6A 68 8E 0C 4D F1 01 5E 4F BC F0 57 9B 1B EC DE F7 1E 	|	..jh..M..^O..W......
	AA 6F AC 8A 22 4C 42 FA 9B F4 C0 9A 8B 73 0F 70 1D B9 06 32 	|	.o.."LB......s.p...2
	DE F4 AF D9 19 3A 47 67 30 DC 2C 92 33 C4 5D 92 18 2D 03 68 	|	.....:Gg0.,.3.]..-.h
	BA DB 13 2A 35 9F 03 59 B0 B5 CE F7 57 DE B1 80 FF DA 83 80 	|	...*5..Y....W.......
	CC 64 45 A2 B7 29 F6 7A 5A 2C C8 A6 F3 1B 49 41 18 5E 5D C7 	|	.dE..).zZ,....IA.^].
	22 63 99 1A 34 AB 5B DF 17 10 DC FA 8F CD 6B 8F 81 02 EB 0C 	|	"c..4.[.......k.....
	AE 2F E0 13 51 EE F6 00 A1 E6 17 4A E6 B8 57 20 87 C3 EB AD 	|	./..Q......J..W ....
	6F 52 A6 9A EF 78 21 9F EB 10 06 92 9B 7C 5D 7B 60 D8 8B A7 	|	oR...x!......|]{`...
	5D 96 C2 7C B8 FA DE C8 6E BE 76 4D 92 38 03 5C 26 8C 5C 38 	|	]..|....n.vM.8.\&.\8
	12 7B F3 3F 22 0B 68 D0 9E 21 AD BB DE 24 EC 43 01 9C C3 E7 	|	.{.?".h..!...$.C....
	07 B6 84 31 FB 2E 54 EE A6 5E F3 0F 34 EF B5 9E 47 0B 88 9E 	|	...1..T..^..4...G...
	A5 26 69 9E 24 2B 70 13 5B 5C 47 FD 7C CD 7D E8 BF 31 93 2D 	|	.&i.$+p.[\G.|.}..1.-
	80 36 66 0F A9 FF C9 FF 1F 69 F6 28 54 78 35 1F 31 26 36 1E 	|	.6f......i.(Tx5.1&6.
	2B C2 74 2C 6E 2B F6 BF 3D DC 35 A0 7C 3E EA 03 0E BA C3 56 	|	+.t,n+..=.5.|>.....V
	35 3E F4 8F 03 A5 0A 0C 12 EC D9 E2 E8 DF 67 38 F2 36 4B 74 	|	5>............g8.6Kt
	C0 D4 C5 A3 00 00 00 54 51 43 6C 69 65 6E 74                	|	.......TQClient

[schacka2]

did u decrypth the packets?

[KraHen]

This seems really similar to what Fang was working on. Good job nonetheless!

[donn]

Well, I had no idea about what Fang was working on.
Thanks for appreciating it.

[donn]

Question: is there some public private server source available, working on the last patch, so I can extract some packets info from it? I'm loosing a lot of time trying to find the new offsets for them, maybe there are already out there.

I searched, but failed to find one.

Nevermind, I'm slowly structuring them all.

[donn]

If anyone is curios, I reached this point in development:



and I decided to dump C++/CLI and go fully native C++ (thanks to CptSky support) so I'm re-coding it entirely.

GUI will be made in Qt (also using signals/slots for events processing).

[KraHen]

Great success. TBH in your place I`d go with a service-based app for the routing, which would communicate through WebSockets with a web-based GUI application.

[donn]

There's a slight problem going this way. Since I'm intercepting (in the real sense of the word), the packets sent from client to server or from server to client are actually stopped at the filter level.

At that point I'm decrypting/reading/interpreting/encrypting them and pass them forward.

If those steps are not done in a timely fashion, the packet TTL is exceeded, which in turn would cause the sender (either client or the server) to re-send those packets (it's how TCP works). If I go to a service app based implementation and web-based GUI, I'm afraid doing all those steps in a timely fashion will be close to impossible (or I might not be seeing the things correctly and I might be wrong).

[KraHen]

Quote:

Originally Posted by donn

There's a slight problem going this way. Since I'm intercepting (in the real sense of the word), the packets sent from client to server or from server to client are actually stopped at the filter level.

At that point I'm decrypting/reading/interpreting/encrypting them and pass them forward.

If those steps are not done in a timely fashion, the packet TTL is exceeded, which in turn would cause the sender (either client or the server) to re-send those packets (it's how TCP works). If I go to a service app based implementation and web-based GUI, I'm afraid doing all those steps in a timely fashion will be close to impossible (or I might not be seeing the things correctly and I might be wrong).

Maybe remotely, locally with a ping of ~0 there should me minimal to no overhead, maybe 70ms max, although that could be a problem in these circumstances, I haven `t looked into it.