private void SetFunctionsAndActionsWithBitMask(FilterActions actions, FilterCaptureFuncs functions) { chkBlock.Checked = actions.HasFlag(FilterActions.Block); chkWatch.Checked = actions.HasFlag(FilterActions.Watch); chkIgnore.Checked = actions.HasFlag(FilterActions.Ignore); chkBreak.Checked = actions.HasFlag(FilterActions.Break); chkWSSend.Checked = functions.HasFlag(FilterCaptureFuncs.WSSend); chkWSSendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WSSendTo); chkWSRecv.Checked = functions.HasFlag(FilterCaptureFuncs.WSRecv); chkWSRecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WSRecvFrom); chkWS2Send.Checked = functions.HasFlag(FilterCaptureFuncs.WS2Send); chkWS2SendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WS2SendTo); chkWS2Recv.Checked = functions.HasFlag(FilterCaptureFuncs.WS2Recv); chkWS2RecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WS2RecvFrom); chkWSASend.Checked = functions.HasFlag(FilterCaptureFuncs.WSASend); chkWSASendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WSASendTo); chkWSARecv.Checked = functions.HasFlag(FilterCaptureFuncs.WSARecv); chkWSARecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WSARecvFrom); chkPRSend.Checked = functions.HasFlag(FilterCaptureFuncs.PRSend); chkPRRecv.Checked = functions.HasFlag(FilterCaptureFuncs.PRRecv); chkPRRead.Checked = functions.HasFlag(FilterCaptureFuncs.PRRead); chkPRWrite.Checked = functions.HasFlag(FilterCaptureFuncs.PRWrite); chkSSLEncryptPacket.Checked = functions.HasFlag(FilterCaptureFuncs.SSLEncryptPacket); chkSSLDecryptPacket.Checked = functions.HasFlag(FilterCaptureFuncs.SSLDecryptPacket); chkEncryptMessage.Checked = functions.HasFlag(FilterCaptureFuncs.EncryptMessage); chkDecryptMessage.Checked = functions.HasFlag(FilterCaptureFuncs.DecryptMessage); chkSSLRead.Checked = functions.HasFlag(FilterCaptureFuncs.SSLRead); chkSSLWrite.Checked = functions.HasFlag(FilterCaptureFuncs.SSLWrite); }
private static bool CheckBlockIgnoreWatchBreak(byte[] data, UInt16 size, FilterCaptureFuncs functionFlag, FilterActions checkType) { foreach (var filter in _filterList) { switch (checkType) { case FilterActions.Block: if (!filter.Actions.HasFlag(FilterActions.Block)) { continue; } break; case FilterActions.Ignore: if (!filter.Actions.HasFlag(FilterActions.Ignore)) { continue; } break; case FilterActions.Watch: if (!filter.Actions.HasFlag(FilterActions.Watch)) { continue; } break; case FilterActions.Break: if (!filter.Actions.HasFlag(FilterActions.Break)) { continue; } break; default: throw new IndexOutOfRangeException(); } if (filter.Searches.Count == 0) // Filtro sin search? No vamos a blockear, watchear o ignorar todoo... { continue; } if (!FilterMeetConditions(filter, size, functionFlag)) { continue; } int pos = 0; bool allOffsetMatch = AllSearchOffsetMatch(data, size, filter, ref pos); if (allOffsetMatch) { return(true); // Todos los offset de search machean con el valor en data, la accion del filtro se aplica } } return(false); }
private static bool FilterMeetConditions(Filter filter, UInt16 packetSize, FilterCaptureFuncs functionFlag) { if ((filter.Active) && (CheckIfBetweenLength(filter, packetSize)) && // If the filter has length, it must be between lengthMin and lengthMax (filter.Functions.HasFlag(functionFlag)) && // The packet's function flag must be actived in the filter (filter.Searches.Count == 0 || filter.Searches.Last().Key < packetSize)) // Latest search offset position must be less than packet Size { return(true); } return(false); }
public Filter(bool ac, FilterModes m, FilterCaptureFuncs f, FilterActions a, string n, uint plMin, uint plMax, uint nta, Dictionary <int, byte> s, Dictionary <int, byte> r) { Active = ac; Mode = m; Functions = f; Actions = a; Name = n; PacketLengthMin = plMin; PacketLengthMax = plMax; NumTimesApply = nta; Searches = s; Replaces = r; }
private void frmSettings_Load(object sender, EventArgs e) { txtStartCaptureHotKey.Text = GetTextForKeyData(Settings.HotKeyStartCapture); txtStopCaptureHotKey.Text = GetTextForKeyData(Settings.HotKeyStopCapture); txtNormalFilterHotKey.Text = GetTextForKeyData(Settings.HotKeyNormalFilter); txtCustomFilterHotKey.Text = GetTextForKeyData(Settings.HotKeyCustomFilter); txtSelectProcessHotKey.Text = GetTextForKeyData(Settings.HotKeySelectProcess); txtInjectLastHotKey.Text = GetTextForKeyData(Settings.HotKeyInjectLast); FilterCaptureFuncs logFunctions = (FilterCaptureFuncs)Settings.LogFunctions; chkWSSend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSSend); chkWSSendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSSendTo); chkWSRecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSRecv); chkWSRecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSRecvFrom); chkWS2Send.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2Send); chkWS2SendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2SendTo); chkWS2Recv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2Recv); chkWS2RecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2RecvFrom); chkWSASend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSASend); chkWSASendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSASendTo); chkWSARecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSARecv); chkWSARecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSARecvFrom); chkPRRead.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRRead); chkPRWrite.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRWrite); chkPRSend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRSend); chkPRRecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRRecv); chkSSLEncryptPacket.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLEncryptPacket); chkSSLDecryptPacket.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLDecryptPacket); chkEncryptMessage.Checked = logFunctions.HasFlag(FilterCaptureFuncs.EncryptMessage); chkDecryptMessage.Checked = logFunctions.HasFlag(FilterCaptureFuncs.DecryptMessage); chkSSLWrite.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLWrite); chkSSLRead.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLRead); txtDLL.Text = Settings.DLL; txtScript.Text = Settings.DLLEx; chkLogEnabled.Checked = Settings.LogEnabled; chkLocalIp.Checked = Settings.LocalIpChecked; chkLocalPort.Checked = Settings.LocalPortChecked; chkRemoteIp.Checked = Settings.RemoteIpChecked; chkRemotePort.Checked = Settings.RemotePortChecked; byte[] bytes = BitConverter.GetBytes(Settings.LocalIp); Array.Reverse(bytes); // flip little-endian to big-endian(network order) txtLocalIp.Text = new IPAddress(bytes).ToString(); numLocalPort.Value = Settings.LocalPort; bytes = BitConverter.GetBytes(Settings.RemoteIp); Array.Reverse(bytes); // flip little-endian to big-endian(network order) txtRemoteIp.Text = new IPAddress(bytes).ToString(); numRemotePort.Value = Settings.RemotePort; }
public static void EditFilter(int index, bool active, FilterModes mode, FilterCaptureFuncs functions, FilterActions actions, string name, uint packetLenghtMin, uint packetLengthMax, uint numTimesApply, Dictionary <int, byte> searches, Dictionary <int, byte> replaces) { var filter = _filterList.ElementAt(index); filter.Active = active; filter.Mode = mode; filter.Functions = functions; filter.Actions = actions; filter.Name = name; filter.PacketLengthMin = packetLenghtMin; filter.PacketLengthMax = packetLengthMax; filter.NumTimesApply = numTimesApply; filter.Searches = searches; filter.Replaces = replaces; }
// Not used for now (implemented in the DLL) public static bool DoFilteringForPacket(ref byte[] data, UInt16 size, FilterCaptureFuncs functionFlag) { bool dataModified = false; foreach (var filter in _filterList) { if (filter.Replaces.Count == 0) // Nothing to filer { continue; } if (!FilterMeetConditions(filter, size, functionFlag)) { continue; } int pos = 0; bool allOffsetMatch = AllSearchOffsetMatch(data, size, filter, ref pos); if (allOffsetMatch) // All search offsets match, let's do the edits { if (filter.Mode == FilterModes.SearchAndReplaceFromBegin || filter.Mode == FilterModes.SearchOcurrenceReplaceFromBegin) { foreach (KeyValuePair <int, byte> pair in filter.Replaces.TakeWhile(pair => pair.Key <= size - 1)) { data[pair.Key] = pair.Value; } } else { foreach (KeyValuePair <int, byte> pair in filter.Replaces) { if (pair.Key - 250 + pos > size - 1 || pair.Key - 250 + pos < 0) { continue; } data[pair.Key - 250 + pos] = pair.Value; } } dataModified = true; } } return(dataModified); }
private void SaveLogWinsockFunctions() { FilterCaptureFuncs logFuncs = 0; if (chkWSSend.Checked) { logFuncs |= FilterCaptureFuncs.WSSend; } if (chkWSSendTo.Checked) { logFuncs |= FilterCaptureFuncs.WSSendTo; } if (chkWSRecv.Checked) { logFuncs |= FilterCaptureFuncs.WSRecv; } if (chkWSRecvFrom.Checked) { logFuncs |= FilterCaptureFuncs.WSRecvFrom; } if (chkWS2Send.Checked) { logFuncs |= FilterCaptureFuncs.WS2Send; } if (chkWS2SendTo.Checked) { logFuncs |= FilterCaptureFuncs.WS2SendTo; } if (chkWS2Recv.Checked) { logFuncs |= FilterCaptureFuncs.WS2Recv; } if (chkWS2RecvFrom.Checked) { logFuncs |= FilterCaptureFuncs.WS2RecvFrom; } if (chkWSASend.Checked) { logFuncs |= FilterCaptureFuncs.WSASend; } if (chkWSASendTo.Checked) { logFuncs |= FilterCaptureFuncs.WSASendTo; } if (chkWSARecv.Checked) { logFuncs |= FilterCaptureFuncs.WSARecv; } if (chkWSARecvFrom.Checked) { logFuncs |= FilterCaptureFuncs.WSARecvFrom; } if (chkPRRead.Checked) { logFuncs |= FilterCaptureFuncs.PRRead; } if (chkPRWrite.Checked) { logFuncs |= FilterCaptureFuncs.PRWrite; } if (chkPRSend.Checked) { logFuncs |= FilterCaptureFuncs.PRSend; } if (chkPRRecv.Checked) { logFuncs |= FilterCaptureFuncs.PRRecv; } if (chkSSLEncryptPacket.Checked) { logFuncs |= FilterCaptureFuncs.SSLEncryptPacket; } if (chkSSLDecryptPacket.Checked) { logFuncs |= FilterCaptureFuncs.SSLDecryptPacket; } if (chkEncryptMessage.Checked) { logFuncs |= FilterCaptureFuncs.EncryptMessage; } if (chkDecryptMessage.Checked) { logFuncs |= FilterCaptureFuncs.DecryptMessage; } if (chkSSLWrite.Checked) { logFuncs |= FilterCaptureFuncs.SSLWrite; } if (chkSSLRead.Checked) { logFuncs |= FilterCaptureFuncs.SSLRead; } Settings.LogFunctions = (int)logFuncs; PacketManager.LogFunctions = (FilterCaptureFuncs)logFuncs; // para no tener que reiniciar el programa... }
private FilterCaptureFuncs BuildFunctionsBitMask() { FilterCaptureFuncs functions = FilterCaptureFuncs.None; if (chkWSSend.Checked) { functions |= FilterCaptureFuncs.WSSend; } if (chkWSSendTo.Checked) { functions |= FilterCaptureFuncs.WSSendTo; } if (chkWSRecv.Checked) { functions |= FilterCaptureFuncs.WSRecv; } if (chkWSRecvFrom.Checked) { functions |= FilterCaptureFuncs.WSRecvFrom; } if (chkWS2Send.Checked) { functions |= FilterCaptureFuncs.WS2Send; } if (chkWS2SendTo.Checked) { functions |= FilterCaptureFuncs.WS2SendTo; } if (chkWS2Recv.Checked) { functions |= FilterCaptureFuncs.WS2Recv; } if (chkWS2RecvFrom.Checked) { functions |= FilterCaptureFuncs.WS2RecvFrom; } if (chkWSASend.Checked) { functions |= FilterCaptureFuncs.WSASend; } if (chkWSASendTo.Checked) { functions |= FilterCaptureFuncs.WSASendTo; } if (chkWSARecv.Checked) { functions |= FilterCaptureFuncs.WSARecv; } if (chkWSARecvFrom.Checked) { functions |= FilterCaptureFuncs.WSARecvFrom; } if (chkPRRead.Checked) { functions |= FilterCaptureFuncs.PRRead; } if (chkPRWrite.Checked) { functions |= FilterCaptureFuncs.PRWrite; } if (chkPRSend.Checked) { functions |= FilterCaptureFuncs.PRSend; } if (chkPRRecv.Checked) { functions |= FilterCaptureFuncs.PRRecv; } if (chkSSLEncryptPacket.Checked) { functions |= FilterCaptureFuncs.SSLEncryptPacket; } if (chkSSLDecryptPacket.Checked) { functions |= FilterCaptureFuncs.SSLDecryptPacket; } if (chkEncryptMessage.Checked) { functions |= FilterCaptureFuncs.EncryptMessage; } if (chkDecryptMessage.Checked) { functions |= FilterCaptureFuncs.DecryptMessage; } if (chkSSLWrite.Checked) { functions |= FilterCaptureFuncs.SSLWrite; } if (chkSSLRead.Checked) { functions |= FilterCaptureFuncs.SSLRead; } return(functions); }
private void btnApply_Click(object sender, EventArgs e) { var searches = new Dictionary <int, byte>(); var replaces = new Dictionary <int, byte>(); FilterModes filterMode = FilterModes.SearchAndReplaceFromBegin; Byte result; for (var i = 0; i < 501; i++) { if (dataGridViewSearch[i, 0].Value != null && Byte.TryParse(dataGridViewSearch[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result)) { searches.Add(i, result); } } if ((radioButton2.Checked || radioButton3.Checked) && (searches.Count == 0 || !searches.ContainsKey(0))) { MessageBox.Show(@"The chain to search must start at the offset 0"); return; } if (radioButton1.Checked) { filterMode = FilterModes.SearchAndReplaceFromBegin; for (var i = 0; i < 501; i++) { if (dataGridViewSearch[i, 1].Value != null && Byte.TryParse(dataGridViewSearch[i, 1].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result)) { replaces.Add(i, result); } } } else if (radioButton2.Checked) { filterMode = FilterModes.SearchOcurrenceReplaceFromBegin; for (var i = 0; i < 501; i++) { if (dataGridViewReplace[i, 0].Value != null && Byte.TryParse(dataGridViewReplace[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result)) { replaces.Add(i, result); } } } else if (radioButton3.Checked) { filterMode = FilterModes.SearchOcurrenceReplaceFromPosition; for (var i = 0; i < 501; i++) { if (dataGridViewReplace2[i, 0].Value != null && Byte.TryParse(dataGridViewReplace2[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result)) { replaces.Add(i, result); } } } FilterCaptureFuncs functions = BuildFunctionsBitMask(); FilterActions actions = BuildActionsBitMask(); uint packetLengthMin = 0; uint packetLengthMax = 0; if (chkPackeLength.Checked) { packetLengthMin = (uint)nudPacketLengthMin.Value; packetLengthMax = (uint)nudPacketLengthMax.Value; } string name = txtFilterName.Text; if (name == "" && _filterIndex == -1) { name = "Filter " + (FilterManager.GetNumberOfFiltersInList() + 1).ToString("D2"); } if (_filterIndex == -1) { FilterManager.NewFilter(chkActive.Checked, filterMode, functions, actions, name, packetLengthMin, packetLengthMax, (uint)nudNumTimesApply.Value, searches, replaces); } else { FilterManager.EditFilter(_filterIndex, chkActive.Checked, filterMode, functions, actions, name, packetLengthMin, packetLengthMax, (uint)nudNumTimesApply.Value, searches, replaces); } Program.mainForm.LoadFilterItems(); Program.mainForm.ActionStartStopFiltering(false); Close(); }
public static bool CheckPacketBreak(byte[] data, UInt16 size, FilterCaptureFuncs functionFlag) { return(CheckBlockIgnoreWatchBreak(data, size, functionFlag, FilterActions.Break)); }
public static void NewFilter(bool active, FilterModes mode, FilterCaptureFuncs functions, FilterActions actions, string name, uint maxPacketLeghtMin, uint maxPacketLeghtMax, uint numTimesApply, Dictionary <int, byte> searches, Dictionary <int, byte> replaces) { var filter = new Filter(active, mode, functions, actions, name, maxPacketLeghtMin, maxPacketLeghtMax, numTimesApply, searches, replaces); _filterList.Add(filter); }