/// <summary>
/// Recognises and parses an MSN P2P direct-connection session.
/// Sessions whose remote port equals MSN_SB_PORT are handed to
/// HandleSwitchboardSession instead.
/// </summary>
/// <param name="session">Captured session to inspect.</param>
/// <returns>
/// False when the first direction does not open with the expected
/// length-prefixed magic; otherwise true (or the switchboard handler's result).
/// </returns>
/// <remarks>
/// Every value read here comes from captured traffic. Exceptions thrown by
/// ReadNextP2PDirectMessage during the handshake are not caught in this method.
/// </remarks>
public override bool HandleSession(IPSession session)
{
    logger.AddMessage(String.Format("session.LocalEndpoint.Port={0}, session.RemoteEndpoint.Port={1}", session.LocalEndpoint.Port, session.RemoteEndpoint.Port));

    // Switchboard traffic has its own text-based parser.
    if (session.RemoteEndpoint.Port == MSN_SB_PORT)
    {
        return HandleSwitchboardSession(session);
    }

    PacketStream direction = session.GetNextStreamDirection();

    // The magic is a 4-byte length followed by 4 bytes of content,
    // so anything shorter than 8 bytes cannot be this protocol.
    if (direction.GetBytesAvailable() < 8)
    {
        return false;
    }

    List<PacketSlice> lengthSlices = new List<PacketSlice>(1);
    List<PacketSlice> magicSlices = new List<PacketSlice>(1);

    UInt32 magicLength = direction.ReadU32LE(lengthSlices);
    if (magicLength != 4)
    {
        return false;
    }

    string magic = direction.ReadCStringASCII((int)magicLength, magicSlices);
    if (magic != "foo")
    {
        return false;
    }

    TransactionNode magicNode = new TransactionNode("MSNP2PDirectMagic");
    magicNode.Description = magicNode.Name;
    magicNode.AddField("Length", magicLength, "Magic length.", lengthSlices);
    magicNode.AddField("Magic", magic, "Magic string.", magicSlices);

    // Handshake: one message in this direction, then one in the next.
    TransactionNode request = ReadNextP2PDirectMessage(direction, "Request");
    direction = session.GetNextStreamDirection();
    TransactionNode response = ReadNextP2PDirectMessage(direction, "Response");

    TransactionNode handshake = new TransactionNode("MSNP2PDirectHandshake");
    handshake.Description = handshake.Name;
    handshake.AddChild(request);
    handshake.AddChild(response);

    session.AddNode(magicNode);
    session.AddNode(handshake);

    // Drain whatever is left in the next two stream directions.
    for (int pass = 0; pass < 2; pass++)
    {
        ReadAllP2PDirectMessages(session, session.GetNextStreamDirection());
    }

    return true;
}
/// <summary>
/// Parses a session as Oracle TNS traffic when the remote port is 1521
/// or the configured redirect port (redirPort).
/// </summary>
/// <param name="session">Captured session to inspect.</param>
/// <returns>False when the remote port matches neither value; otherwise true.</returns>
/// <remarks>
/// Recognition is by port number only; the payload itself is not checked
/// before ExtractTNSData is called on it.
/// </remarks>
public override bool HandleSession(IPSession session)
{
    // The first direction is fetched before the port test, as in the original flow.
    PacketStream stream = session.GetNextStreamDirection();

    bool isOraclePort = (session.RemoteEndpoint.Port == 1521) ||
                        (session.RemoteEndpoint.Port == redirPort);
    if (!isOraclePort)
    {
        return false;
    }

    try
    {
        do
        {
            TransactionNode transaction = new TransactionNode("OracleTransaction");
            transaction.Description = transaction.Name;

            // Request side of the exchange.
            TransactionNode requestTns = ExtractTNSData(stream, StreamDirection.OUT);
            if (requestTns != null)
            {
                transaction.AddChild(requestTns);
            }

            // Response side, when the opposite direction has data.
            stream = session.GetNextStreamDirection();
            if (stream.GetBytesAvailable() != 0)
            {
                TransactionNode responseTns = ExtractTNSData(stream, StreamDirection.IN);
                if (responseTns != null)
                {
                    transaction.AddChild(responseTns);
                }
            }

            // Only record transactions that actually contain something.
            if (transaction.Children.Count > 0)
            {
                session.AddNode(transaction);
            }

            // Move on to the next request, if there is one.
            stream = session.GetNextStreamDirection();
        }
        while (stream.GetBytesAvailable() != 0);
    }
    catch (EndOfStreamException)
    {
        // Running out of captured data simply ends parsing.
    }

    return true;
}
/// <summary>
/// Reads P2P direct messages from <paramref name="stream"/> until it is
/// empty, adding each one to <paramref name="session"/>.
/// </summary>
/// <param name="session">Session that receives the parsed nodes.</param>
/// <param name="stream">Stream direction to drain.</param>
/// <remarks>
/// An EndOfStreamException from a truncated message is logged and ends the loop;
/// other exception types are not handled here.
/// </remarks>
private void ReadAllP2PDirectMessages(IPSession session, PacketStream stream)
{
    for (;;)
    {
        if (stream.GetBytesAvailable() <= 0)
        {
            return;
        }

        try
        {
            session.AddNode(ReadNextP2PDirectMessage(stream, "MSNP2PDirectMessage"));
        }
        catch (EndOfStreamException e)
        {
            logger.AddMessage(String.Format("MSNP2PDirect: EOS at {0} ({1})", stream.Position, e));
            return;
        }
    }
}
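/// <summary>
/// Parses an MSN switchboard session: a sequence of text command lines,
/// some of which are followed by a payload whose length is given by the
/// last argument of the command.
/// </summary>
/// <param name="session">Captured session to parse.</param>
/// <returns>Always true.</returns>
/// <remarks>
/// All input is captured network data. The declared payload length is parsed
/// without throwing: a value that is not a number, is negative, or does not fit
/// in an Int32 is logged and the command is recorded without a payload node.
/// Parsing stops at the first EndOfStreamException.
/// </remarks>
private bool HandleSwitchboardSession(IPSession session)
{
    List<PacketSlice> slices = new List<PacketSlice>(1);

    logger.AddMessage(String.Format("\r\n\r\nparsing session with remote endpoint: {0}\r\n", session.RemoteEndpoint));

    while (true)
    {
        // Take the next direction; if it is empty try the other one, and
        // stop once both are exhausted.
        PacketStream stream = session.GetNextStreamDirection();
        if (stream.GetBytesAvailable() == 0)
        {
            stream = session.GetNextStreamDirection();
            if (stream.GetBytesAvailable() == 0)
            {
                break;
            }
        }

        IPPacket pkt = stream.CurPacket;
        PacketDirection direction = pkt.Direction;

        try
        {
            string line = stream.PeekLineUTF8();

            // Split the line up into CMD and the rest (being arguments, if any)
            string[] tokens = line.Split(new char[] { ' ' }, 2);

            // NOTE(review): the line comes straight from captured traffic and is
            // logged as-is; confirm the log sink copes with arbitrary characters.
            logger.AddMessage(String.Format("{0} parsing command '{1}' (line: {2})",
                                            (direction == PacketDirection.PACKET_DIRECTION_INCOMING) ? "<<" : ">>",
                                            tokens[0], line));

            // Set cmd and create an array of arguments if present
            string cmd = tokens[0];
            string[] arguments = new string[0];
            if (tokens.Length > 1)
            {
                arguments = tokens[1].Split(new char[] { ' ' });
            }

            // Create command node
            TransactionNode node = new TransactionNode("MSNSBCommand");
            node.Description = cmd;

            // Command field
            stream.ReadBytes(StaticUtils.GetUTF8ByteCount(tokens[0]), slices);
            node.AddField("Command", tokens[0], "Switchboard command.", slices);

            if (arguments.Length > 0)
            {
                // Skip space between command and arguments
                stream.ReadByte();

                stream.ReadBytes(StaticUtils.GetUTF8ByteCount(tokens[1]), slices);

                // Arguments fields
                node.AddField("Arguments", tokens[1], "Arguments to command.", slices);
            }

            // Skip CRLF
            stream.ReadBytes(2);

            // Is there a payload?
            bool hasPayload = false;
            if (arguments.Length > 0)
            {
                List<string> payloadCommands =
                    (direction == PacketDirection.PACKET_DIRECTION_OUTGOING) ? payloadCommandsFromClient : payloadCommandsFromServer;
                hasPayload = payloadCommands.Contains(cmd);
            }

            if (hasPayload)
            {
                int payloadLength = -1;

                // The length is attacker-controlled text. TryParse rejects
                // non-numeric, negative and out-of-range values without throwing
                // (Convert.ToUInt32 raises OverflowException for the latter two,
                // which the previous FormatException-only handler did not cover).
                string lengthText = arguments[arguments.Length - 1];
                UInt32 declaredLength;
                if (UInt32.TryParse(lengthText, out declaredLength) && declaredLength <= Int32.MaxValue)
                {
                    payloadLength = (int)declaredLength;
                }
                else
                {
                    logger.AddMessage(String.Format("MSNSwitchboard: ignoring unusable payload length '{0}'", lengthText));
                }

                if (payloadLength > 0)
                {
                    TransactionNode payloadNode = new TransactionNode(node, "Payload");

                    logger.AddMessage(String.Format("Parsing {0} bytes of payload", payloadLength));

                    PayloadFormat format = PayloadFormat.TEXT;

                    // Protocol keywords are not linguistic text, so upper-case them
                    // independently of the machine's current culture.
                    string cmdUpper = cmd.ToUpperInvariant();
                    if (payloadCommandFormats.ContainsKey(cmdUpper))
                    {
                        format = payloadCommandFormats[cmdUpper];
                    }

                    if (format == PayloadFormat.MESSAGE)
                    {
                        SBParseMSG(stream, payloadNode, payloadLength);
                    }
                    else
                    {
                        string body = stream.ReadStringUTF8(payloadLength, slices);

                        switch (format)
                        {
                            case PayloadFormat.SLP:
                                payloadNode.AddTextField("MSNSLP", body, "MSNSLP data.", slices);
                                break;
                            case PayloadFormat.XML:
                                payloadNode.AddXMLField("XML", body, "XML data.", slices);
                                break;
                            default:
                                payloadNode.AddTextField("Text", body, "Text.", slices);
                                break;
                        }
                    }
                }
            }

            session.AddNode(node);
        }
        catch (EndOfStreamException e)
        {
            logger.AddMessage(String.Format("MSNSwitchboard: EOS at {0} ({1})", stream.Position, e));
            break;
        }
    }

    logger.AddMessage("done with session\r\n\r\n");

    return true;
}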
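/// <summary>
/// Parses the opening of a RAPI connection: the initial request, the
/// ping/pong exchange, the device-info block and any authentication attempts.
/// Parsed nodes are added to the session field.
/// </summary>
/// <remarks>
/// Every length in the device-info block comes from captured traffic. The block
/// length is tracked as a signed 64-bit value and both variable-length reads
/// (device name, trailing unknown data) are checked against it first, so a short
/// or inconsistent length is reported as a protocol error instead of wrapping
/// around into a huge read size. On a protocol error the method logs and returns;
/// the handshake node has already been added by then, the device-info node has not.
/// Exceptions thrown by the stream reads are not caught here.
/// </remarks>
private void HandleRapiHandshake()
{
    RAPIConnectionState state = RAPIConnectionState.HANDSHAKE;
    List<PacketSlice> slices = new List<PacketSlice>();
    TransactionNode parentNode, node;
    string str;
    UInt32 val;

    // Read and verify the initial request
    UInt32 initialRequest = stream.ReadU32LE(slices);
    if (initialRequest != NOTIFY_INITIAL_HANDSHAKE && initialRequest != NOTIFY_CONNECTION_READY)
    {
        logger.AddMessage("RAPI protocol error, unknown initial request {0}", initialRequest);
        return;
    }

    // NOTE(review): this compares against the literal 0 while the field below uses
    // NOTIFY_INITIAL_HANDSHAKE; presumably the constant is 0 - confirm.
    node = new TransactionNode((initialRequest == 0) ? "RAPIInitialHandshake" : "RAPIConnectionStart");
    node.Description = node.Name;

    node.AddField("InitialRequest", (initialRequest == NOTIFY_INITIAL_HANDSHAKE) ? "NOTIFY_INITIAL_HANDSHAKE" : "NOTIFY_CONNECTION_READY", "Initial request.", slices);

    // Now it's our turn
    stream = session.GetNextStreamDirection();

    if (initialRequest == NOTIFY_INITIAL_HANDSHAKE)
    {
        UInt32 firstPing = stream.ReadU32LE(slices);
        node.AddField("FirstPing", firstPing, "First ping, should be 3.", slices);

        // And the first pong
        stream = session.GetNextStreamDirection();

        UInt32 firstPong = stream.ReadU32LE(slices);
        node.AddField("FirstPong", firstPong, "First pong, should be 4 for older WM5, 6 for newer versions.", slices);

        if (firstPong == 6)
        {
            // Now we're supposed to send 4 DWORDs
            stream = session.GetNextStreamDirection();

            UInt32 secondPing = stream.ReadU32LE(slices);
            node.AddField("SecondPingValue1", secondPing, "Second ping value #1, should be 7.", slices);
            secondPing = stream.ReadU32LE(slices);
            node.AddField("SecondPingValue2", secondPing, "Second ping value #2, should be 8.", slices);
            secondPing = stream.ReadU32LE(slices);
            node.AddField("SecondPingValue3", secondPing, "Second ping value #3, should be 4.", slices);
            secondPing = stream.ReadU32LE(slices);
            node.AddField("SecondPingValue4", secondPing, "Second ping value #4, should be 1.", slices);

            // And the device should reply
            stream = session.GetNextStreamDirection();

            UInt32 secondPong = stream.ReadU32LE(slices);
            node.AddField("SecondPong", secondPong, "Second pong, should be 4.", slices);
        }

        // Got it
        session.AddNode(node);

        parentNode = new TransactionNode("RAPIDeviceInfo");
        parentNode.Description = parentNode.Name;

        UInt32 deviceInfoLen = stream.ReadU32LE(slices);

        // Signed and wider than the wire field, so subtracting more than the
        // declared length goes negative instead of wrapping to a large value.
        Int64 remainingDevInfoLen = deviceInfoLen;
        parentNode.AddField("Length", deviceInfoLen, "Device info length.", slices);

        if (deviceInfoLen > MAX_DEVICE_INFO_LENGTH)
        {
            logger.AddMessage("RAPI protocol error, length of the device info package should be below {0}, was {1}", MAX_DEVICE_INFO_LENGTH, deviceInfoLen);
            return;
        }

        node = new TransactionNode(parentNode, "DeviceInfo");

        Guid guid = new Guid(stream.ReadBytes(16, slices));

        // "B" yields the braced form. The previous format string "{{0}}" was an
        // escaped-brace literal, so the field always contained the text "{0}".
        str = guid.ToString("B");
        node.AddField("DeviceGUID", str, "Device GUID.", slices);
        remainingDevInfoLen -= 16;

        val = stream.ReadU32LE(slices);
        node.AddField("OsVersionMajor", val, "OS version, major.", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("OsVersionMinor", val, "OS version, minor.", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("DeviceNameLength", val, "Device name length (in characters, not bytes).", slices);
        remainingDevInfoLen -= 4;

        // calculate the string size in unicode, with terminating NUL word
        // (done in 64 bits so a large character count cannot overflow)
        Int64 deviceNameBytes = ((Int64)val + 1) * 2;
        if (deviceNameBytes > remainingDevInfoLen || deviceNameBytes > Int32.MaxValue)
        {
            logger.AddMessage("RAPI protocol error, device name of {0} bytes does not fit in the remaining {1} bytes of device info", deviceNameBytes, remainingDevInfoLen);
            return;
        }

        str = stream.ReadCStringUnicode((int)deviceNameBytes, slices);
        node.AddField("DeviceName", str, "Device name.", slices);
        remainingDevInfoLen -= deviceNameBytes;

        val = stream.ReadU32LE(slices);
        node.AddField("DeviceVersion", StaticUtils.FormatFlags(val), "Device version.", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("DeviceProcessorType", StaticUtils.FormatFlags(val), "Device processor type.", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("Unknown1", StaticUtils.FormatFlags(val), "Counter or a flag? ANDed with 0xFFFFFFFE in the code (should take a closer look at this).", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("CurrentPartnerId", StaticUtils.FormatFlags(val), "Current partner id.", slices);
        remainingDevInfoLen -= 4;

        val = stream.ReadU32LE(slices);
        node.AddField("DeviceId", StaticUtils.FormatFlags(val), "Current device id. Lives in HKCU\\Software\\Microsoft\\Windows CE Services\\Partners\\<DeviceIdentifier>.", slices);
        remainingDevInfoLen -= 4;

        // Don't swallow the 4 last: they hold the password mask read below.
        remainingDevInfoLen -= 4;

        if (remainingDevInfoLen < 0 || remainingDevInfoLen > Int32.MaxValue)
        {
            logger.AddMessage("RAPI protocol error, device info length {0} is inconsistent with its contents", deviceInfoLen);
            return;
        }

        byte[] bytes = stream.ReadBytes((int)remainingDevInfoLen, slices);
        node.AddField("UnknownData1", StaticUtils.FormatByteArray(bytes), "Unknown device info data.", slices);

        val = stream.ReadU32LE(slices);
        node.AddField("PasswordMask", StaticUtils.FormatFlags(val), "Password mask. Non-zero if a password is set.", slices);

        state = (val != 0) ? RAPIConnectionState.AUTH : RAPIConnectionState.SESSION;

        // Now it's our turn
        stream = session.GetNextStreamDirection();

        node = parentNode;
    }
    else
    {
        state = RAPIConnectionState.SESSION;
    }

    // Add the last node for each case
    session.AddNode(node);

    // One request/response pair per authentication attempt, repeated until the
    // response reports success.
    while (state == RAPIConnectionState.AUTH)
    {
        parentNode = new TransactionNode("RAPIAuthAttempt");
        parentNode.Description = parentNode.Name;

        node = new TransactionNode(parentNode, "Request");

        // 16-bit length prefix, so the read below is at most 65535 bytes.
        val = stream.ReadU16LE(slices);
        node.AddField("Length", val, "Authentication data length.", slices);

        byte[] bytes = stream.ReadBytes((int)val, slices);
        node.AddField("Data", StaticUtils.FormatByteArray(bytes), "Authentication data.", slices);

        stream = session.GetNextStreamDirection();

        node = new TransactionNode(parentNode, "Response");

        val = stream.ReadU16LE(slices);
        node.AddField("Success", (val != 0) ? "TRUE" : "FALSE", "Whether the authentication attempt was successful.", slices);

        session.AddNode(parentNode);

        stream = session.GetNextStreamDirection();

        if (val != 0)
        {
            state = RAPIConnectionState.SESSION;
        }
    }
}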
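/// <summary>
/// Recognises and parses an HTTP/1.x session as a series of
/// request/response transactions.
/// </summary>
/// <param name="session">Captured session to inspect.</param>
/// <returns>
/// False when the first line cannot be read or its last space-separated token
/// does not start with "HTTP/1."; otherwise true.
/// </returns>
/// <remarks>
/// The protocol markers are matched with ordinal comparison: they are wire
/// bytes from captured traffic, not linguistic text, so the result must not
/// depend on the current culture's collation rules.
/// </remarks>
public override bool HandleSession(IPSession session)
{
    PacketStream stream = session.GetNextStreamDirection();
    string line;

    try
    {
        line = stream.PeekLineUTF8();
    }
    catch (EndOfStreamException)
    {
        return false;
    }

    // A request line ends with the protocol version.
    string[] tokens = line.Split(new char[] { ' ' });
    if (!tokens[tokens.Length - 1].StartsWith("HTTP/1.", System.StringComparison.Ordinal))
    {
        return false;
    }

    // At this point it should be safe enough to assume we're
    // dealing with an HTTP session.

    while (true)
    {
        try
        {
            TransactionNode transaction = new TransactionNode("HTTPTransaction");

            TransactionNode request = ExtractHttpData(stream, HTTPTransactionType.REQUEST);
            transaction.AddChild(request);

            string desc = request.Description;

            stream = session.GetNextStreamDirection();
            if (stream.GetBytesAvailable() != 0)
            {
                TransactionNode response = ExtractHttpData(stream, HTTPTransactionType.RESPONSE);
                transaction.AddChild(response);

                // A result starting with "100 " is followed by a second
                // response, which is parsed as "Response2".
                if (response.Fields.ContainsKey("Result") &&
                    ((string)response.Fields["Result"]).StartsWith("100 ", System.StringComparison.Ordinal))
                {
                    response = ExtractHttpData(stream, HTTPTransactionType.RESPONSE, "Response2");
                    transaction.AddChild(response);
                }

                desc += " => " + response.Description;
            }

            transaction.Description = desc;

            session.AddNode(transaction);

            // Next request, if any.
            stream = session.GetNextStreamDirection();
            if (stream.GetBytesAvailable() == 0)
            {
                break;
            }
        }
        catch (EndOfStreamException)
        {
            logger.AddMessage("HTTP premature EOF");
            break;
        }
        catch (ProtocolError)
        {
            logger.AddMessage("HTTP protocol error");
            break;
        }
    }

    return true;
}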