private void SetFunctionsAndActionsWithBitMask(FilterActions actions, FilterCaptureFuncs functions)
{
chkBlock.Checked = actions.HasFlag(FilterActions.Block);
chkWatch.Checked = actions.HasFlag(FilterActions.Watch);
chkIgnore.Checked = actions.HasFlag(FilterActions.Ignore);
chkBreak.Checked = actions.HasFlag(FilterActions.Break);
chkWSSend.Checked = functions.HasFlag(FilterCaptureFuncs.WSSend);
chkWSSendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WSSendTo);
chkWSRecv.Checked = functions.HasFlag(FilterCaptureFuncs.WSRecv);
chkWSRecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WSRecvFrom);
chkWS2Send.Checked = functions.HasFlag(FilterCaptureFuncs.WS2Send);
chkWS2SendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WS2SendTo);
chkWS2Recv.Checked = functions.HasFlag(FilterCaptureFuncs.WS2Recv);
chkWS2RecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WS2RecvFrom);
chkWSASend.Checked = functions.HasFlag(FilterCaptureFuncs.WSASend);
chkWSASendTo.Checked = functions.HasFlag(FilterCaptureFuncs.WSASendTo);
chkWSARecv.Checked = functions.HasFlag(FilterCaptureFuncs.WSARecv);
chkWSARecvFrom.Checked = functions.HasFlag(FilterCaptureFuncs.WSARecvFrom);
chkPRSend.Checked = functions.HasFlag(FilterCaptureFuncs.PRSend);
chkPRRecv.Checked = functions.HasFlag(FilterCaptureFuncs.PRRecv);
chkPRRead.Checked = functions.HasFlag(FilterCaptureFuncs.PRRead);
chkPRWrite.Checked = functions.HasFlag(FilterCaptureFuncs.PRWrite);
chkSSLEncryptPacket.Checked = functions.HasFlag(FilterCaptureFuncs.SSLEncryptPacket);
chkSSLDecryptPacket.Checked = functions.HasFlag(FilterCaptureFuncs.SSLDecryptPacket);
chkEncryptMessage.Checked = functions.HasFlag(FilterCaptureFuncs.EncryptMessage);
chkDecryptMessage.Checked = functions.HasFlag(FilterCaptureFuncs.DecryptMessage);
chkSSLRead.Checked = functions.HasFlag(FilterCaptureFuncs.SSLRead);
chkSSLWrite.Checked = functions.HasFlag(FilterCaptureFuncs.SSLWrite);
}
private static bool CheckBlockIgnoreWatchBreak(byte[] data, UInt16 size, FilterCaptureFuncs functionFlag, FilterActions checkType)
{
foreach (var filter in _filterList)
{
switch (checkType)
{
case FilterActions.Block:
if (!filter.Actions.HasFlag(FilterActions.Block))
{
continue;
}
break;
case FilterActions.Ignore:
if (!filter.Actions.HasFlag(FilterActions.Ignore))
{
continue;
}
break;
case FilterActions.Watch:
if (!filter.Actions.HasFlag(FilterActions.Watch))
{
continue;
}
break;
case FilterActions.Break:
if (!filter.Actions.HasFlag(FilterActions.Break))
{
continue;
}
break;
default:
throw new IndexOutOfRangeException();
}
if (filter.Searches.Count == 0) // Filtro sin search? No vamos a blockear, watchear o ignorar todoo...
{
continue;
}
if (!FilterMeetConditions(filter, size, functionFlag))
{
continue;
}
int pos = 0;
bool allOffsetMatch = AllSearchOffsetMatch(data, size, filter, ref pos);
if (allOffsetMatch)
{
return(true); // Todos los offset de search machean con el valor en data, la accion del filtro se aplica
}
}
return(false);
}
private static bool FilterMeetConditions(Filter filter, UInt16 packetSize, FilterCaptureFuncs functionFlag)
{
if ((filter.Active) &&
(CheckIfBetweenLength(filter, packetSize)) && // If the filter has length, it must be between lengthMin and lengthMax
(filter.Functions.HasFlag(functionFlag)) && // The packet's function flag must be actived in the filter
(filter.Searches.Count == 0 || filter.Searches.Last().Key < packetSize)) // Latest search offset position must be less than packet Size
{
return(true);
}
return(false);
}
public Filter(bool ac, FilterModes m, FilterCaptureFuncs f, FilterActions a, string n, uint plMin, uint plMax, uint nta, Dictionary <int, byte> s, Dictionary <int, byte> r)
{
Active = ac;
Mode = m;
Functions = f;
Actions = a;
Name = n;
PacketLengthMin = plMin;
PacketLengthMax = plMax;
NumTimesApply = nta;
Searches = s;
Replaces = r;
}
private void frmSettings_Load(object sender, EventArgs e)
{
txtStartCaptureHotKey.Text = GetTextForKeyData(Settings.HotKeyStartCapture);
txtStopCaptureHotKey.Text = GetTextForKeyData(Settings.HotKeyStopCapture);
txtNormalFilterHotKey.Text = GetTextForKeyData(Settings.HotKeyNormalFilter);
txtCustomFilterHotKey.Text = GetTextForKeyData(Settings.HotKeyCustomFilter);
txtSelectProcessHotKey.Text = GetTextForKeyData(Settings.HotKeySelectProcess);
txtInjectLastHotKey.Text = GetTextForKeyData(Settings.HotKeyInjectLast);
FilterCaptureFuncs logFunctions = (FilterCaptureFuncs)Settings.LogFunctions;
chkWSSend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSSend);
chkWSSendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSSendTo);
chkWSRecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSRecv);
chkWSRecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSRecvFrom);
chkWS2Send.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2Send);
chkWS2SendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2SendTo);
chkWS2Recv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2Recv);
chkWS2RecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WS2RecvFrom);
chkWSASend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSASend);
chkWSASendTo.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSASendTo);
chkWSARecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSARecv);
chkWSARecvFrom.Checked = logFunctions.HasFlag(FilterCaptureFuncs.WSARecvFrom);
chkPRRead.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRRead);
chkPRWrite.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRWrite);
chkPRSend.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRSend);
chkPRRecv.Checked = logFunctions.HasFlag(FilterCaptureFuncs.PRRecv);
chkSSLEncryptPacket.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLEncryptPacket);
chkSSLDecryptPacket.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLDecryptPacket);
chkEncryptMessage.Checked = logFunctions.HasFlag(FilterCaptureFuncs.EncryptMessage);
chkDecryptMessage.Checked = logFunctions.HasFlag(FilterCaptureFuncs.DecryptMessage);
chkSSLWrite.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLWrite);
chkSSLRead.Checked = logFunctions.HasFlag(FilterCaptureFuncs.SSLRead);
txtDLL.Text = Settings.DLL;
txtScript.Text = Settings.DLLEx;
chkLogEnabled.Checked = Settings.LogEnabled;
chkLocalIp.Checked = Settings.LocalIpChecked;
chkLocalPort.Checked = Settings.LocalPortChecked;
chkRemoteIp.Checked = Settings.RemoteIpChecked;
chkRemotePort.Checked = Settings.RemotePortChecked;
byte[] bytes = BitConverter.GetBytes(Settings.LocalIp);
Array.Reverse(bytes); // flip little-endian to big-endian(network order)
txtLocalIp.Text = new IPAddress(bytes).ToString();
numLocalPort.Value = Settings.LocalPort;
bytes = BitConverter.GetBytes(Settings.RemoteIp);
Array.Reverse(bytes); // flip little-endian to big-endian(network order)
txtRemoteIp.Text = new IPAddress(bytes).ToString();
numRemotePort.Value = Settings.RemotePort;
}
public static void EditFilter(int index, bool active, FilterModes mode, FilterCaptureFuncs functions, FilterActions actions, string name, uint packetLenghtMin, uint packetLengthMax, uint numTimesApply, Dictionary <int, byte> searches, Dictionary <int, byte> replaces)
{
var filter = _filterList.ElementAt(index);
filter.Active = active;
filter.Mode = mode;
filter.Functions = functions;
filter.Actions = actions;
filter.Name = name;
filter.PacketLengthMin = packetLenghtMin;
filter.PacketLengthMax = packetLengthMax;
filter.NumTimesApply = numTimesApply;
filter.Searches = searches;
filter.Replaces = replaces;
}
// Not used for now (implemented in the DLL)
public static bool DoFilteringForPacket(ref byte[] data, UInt16 size, FilterCaptureFuncs functionFlag)
{
bool dataModified = false;
foreach (var filter in _filterList)
{
if (filter.Replaces.Count == 0) // Nothing to filer
{
continue;
}
if (!FilterMeetConditions(filter, size, functionFlag))
{
continue;
}
int pos = 0;
bool allOffsetMatch = AllSearchOffsetMatch(data, size, filter, ref pos);
if (allOffsetMatch) // All search offsets match, let's do the edits
{
if (filter.Mode == FilterModes.SearchAndReplaceFromBegin || filter.Mode == FilterModes.SearchOcurrenceReplaceFromBegin)
{
foreach (KeyValuePair <int, byte> pair in filter.Replaces.TakeWhile(pair => pair.Key <= size - 1))
{
data[pair.Key] = pair.Value;
}
}
else
{
foreach (KeyValuePair <int, byte> pair in filter.Replaces)
{
if (pair.Key - 250 + pos > size - 1 || pair.Key - 250 + pos < 0)
{
continue;
}
data[pair.Key - 250 + pos] = pair.Value;
}
}
dataModified = true;
}
}
return(dataModified);
}
private void SaveLogWinsockFunctions()
{
FilterCaptureFuncs logFuncs = 0;
if (chkWSSend.Checked)
{
logFuncs |= FilterCaptureFuncs.WSSend;
}
if (chkWSSendTo.Checked)
{
logFuncs |= FilterCaptureFuncs.WSSendTo;
}
if (chkWSRecv.Checked)
{
logFuncs |= FilterCaptureFuncs.WSRecv;
}
if (chkWSRecvFrom.Checked)
{
logFuncs |= FilterCaptureFuncs.WSRecvFrom;
}
if (chkWS2Send.Checked)
{
logFuncs |= FilterCaptureFuncs.WS2Send;
}
if (chkWS2SendTo.Checked)
{
logFuncs |= FilterCaptureFuncs.WS2SendTo;
}
if (chkWS2Recv.Checked)
{
logFuncs |= FilterCaptureFuncs.WS2Recv;
}
if (chkWS2RecvFrom.Checked)
{
logFuncs |= FilterCaptureFuncs.WS2RecvFrom;
}
if (chkWSASend.Checked)
{
logFuncs |= FilterCaptureFuncs.WSASend;
}
if (chkWSASendTo.Checked)
{
logFuncs |= FilterCaptureFuncs.WSASendTo;
}
if (chkWSARecv.Checked)
{
logFuncs |= FilterCaptureFuncs.WSARecv;
}
if (chkWSARecvFrom.Checked)
{
logFuncs |= FilterCaptureFuncs.WSARecvFrom;
}
if (chkPRRead.Checked)
{
logFuncs |= FilterCaptureFuncs.PRRead;
}
if (chkPRWrite.Checked)
{
logFuncs |= FilterCaptureFuncs.PRWrite;
}
if (chkPRSend.Checked)
{
logFuncs |= FilterCaptureFuncs.PRSend;
}
if (chkPRRecv.Checked)
{
logFuncs |= FilterCaptureFuncs.PRRecv;
}
if (chkSSLEncryptPacket.Checked)
{
logFuncs |= FilterCaptureFuncs.SSLEncryptPacket;
}
if (chkSSLDecryptPacket.Checked)
{
logFuncs |= FilterCaptureFuncs.SSLDecryptPacket;
}
if (chkEncryptMessage.Checked)
{
logFuncs |= FilterCaptureFuncs.EncryptMessage;
}
if (chkDecryptMessage.Checked)
{
logFuncs |= FilterCaptureFuncs.DecryptMessage;
}
if (chkSSLWrite.Checked)
{
logFuncs |= FilterCaptureFuncs.SSLWrite;
}
if (chkSSLRead.Checked)
{
logFuncs |= FilterCaptureFuncs.SSLRead;
}
Settings.LogFunctions = (int)logFuncs;
PacketManager.LogFunctions = (FilterCaptureFuncs)logFuncs; // para no tener que reiniciar el programa...
}
private FilterCaptureFuncs BuildFunctionsBitMask()
{
FilterCaptureFuncs functions = FilterCaptureFuncs.None;
if (chkWSSend.Checked)
{
functions |= FilterCaptureFuncs.WSSend;
}
if (chkWSSendTo.Checked)
{
functions |= FilterCaptureFuncs.WSSendTo;
}
if (chkWSRecv.Checked)
{
functions |= FilterCaptureFuncs.WSRecv;
}
if (chkWSRecvFrom.Checked)
{
functions |= FilterCaptureFuncs.WSRecvFrom;
}
if (chkWS2Send.Checked)
{
functions |= FilterCaptureFuncs.WS2Send;
}
if (chkWS2SendTo.Checked)
{
functions |= FilterCaptureFuncs.WS2SendTo;
}
if (chkWS2Recv.Checked)
{
functions |= FilterCaptureFuncs.WS2Recv;
}
if (chkWS2RecvFrom.Checked)
{
functions |= FilterCaptureFuncs.WS2RecvFrom;
}
if (chkWSASend.Checked)
{
functions |= FilterCaptureFuncs.WSASend;
}
if (chkWSASendTo.Checked)
{
functions |= FilterCaptureFuncs.WSASendTo;
}
if (chkWSARecv.Checked)
{
functions |= FilterCaptureFuncs.WSARecv;
}
if (chkWSARecvFrom.Checked)
{
functions |= FilterCaptureFuncs.WSARecvFrom;
}
if (chkPRRead.Checked)
{
functions |= FilterCaptureFuncs.PRRead;
}
if (chkPRWrite.Checked)
{
functions |= FilterCaptureFuncs.PRWrite;
}
if (chkPRSend.Checked)
{
functions |= FilterCaptureFuncs.PRSend;
}
if (chkPRRecv.Checked)
{
functions |= FilterCaptureFuncs.PRRecv;
}
if (chkSSLEncryptPacket.Checked)
{
functions |= FilterCaptureFuncs.SSLEncryptPacket;
}
if (chkSSLDecryptPacket.Checked)
{
functions |= FilterCaptureFuncs.SSLDecryptPacket;
}
if (chkEncryptMessage.Checked)
{
functions |= FilterCaptureFuncs.EncryptMessage;
}
if (chkDecryptMessage.Checked)
{
functions |= FilterCaptureFuncs.DecryptMessage;
}
if (chkSSLWrite.Checked)
{
functions |= FilterCaptureFuncs.SSLWrite;
}
if (chkSSLRead.Checked)
{
functions |= FilterCaptureFuncs.SSLRead;
}
return(functions);
}
private void btnApply_Click(object sender, EventArgs e)
{
var searches = new Dictionary <int, byte>();
var replaces = new Dictionary <int, byte>();
FilterModes filterMode = FilterModes.SearchAndReplaceFromBegin;
Byte result;
for (var i = 0; i < 501; i++)
{
if (dataGridViewSearch[i, 0].Value != null && Byte.TryParse(dataGridViewSearch[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result))
{
searches.Add(i, result);
}
}
if ((radioButton2.Checked || radioButton3.Checked) && (searches.Count == 0 || !searches.ContainsKey(0)))
{
MessageBox.Show(@"The chain to search must start at the offset 0");
return;
}
if (radioButton1.Checked)
{
filterMode = FilterModes.SearchAndReplaceFromBegin;
for (var i = 0; i < 501; i++)
{
if (dataGridViewSearch[i, 1].Value != null && Byte.TryParse(dataGridViewSearch[i, 1].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result))
{
replaces.Add(i, result);
}
}
}
else if (radioButton2.Checked)
{
filterMode = FilterModes.SearchOcurrenceReplaceFromBegin;
for (var i = 0; i < 501; i++)
{
if (dataGridViewReplace[i, 0].Value != null && Byte.TryParse(dataGridViewReplace[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result))
{
replaces.Add(i, result);
}
}
}
else if (radioButton3.Checked)
{
filterMode = FilterModes.SearchOcurrenceReplaceFromPosition;
for (var i = 0; i < 501; i++)
{
if (dataGridViewReplace2[i, 0].Value != null && Byte.TryParse(dataGridViewReplace2[i, 0].Value.ToString(), NumberStyles.HexNumber, CultureInfo.InvariantCulture, out result))
{
replaces.Add(i, result);
}
}
}
FilterCaptureFuncs functions = BuildFunctionsBitMask();
FilterActions actions = BuildActionsBitMask();
uint packetLengthMin = 0;
uint packetLengthMax = 0;
if (chkPackeLength.Checked)
{
packetLengthMin = (uint)nudPacketLengthMin.Value;
packetLengthMax = (uint)nudPacketLengthMax.Value;
}
string name = txtFilterName.Text;
if (name == "" && _filterIndex == -1)
{
name = "Filter " + (FilterManager.GetNumberOfFiltersInList() + 1).ToString("D2");
}
if (_filterIndex == -1)
{
FilterManager.NewFilter(chkActive.Checked, filterMode, functions, actions, name, packetLengthMin, packetLengthMax, (uint)nudNumTimesApply.Value, searches, replaces);
}
else
{
FilterManager.EditFilter(_filterIndex, chkActive.Checked, filterMode, functions, actions, name, packetLengthMin, packetLengthMax, (uint)nudNumTimesApply.Value, searches, replaces);
}
Program.mainForm.LoadFilterItems();
Program.mainForm.ActionStartStopFiltering(false);
Close();
}
public static bool CheckPacketBreak(byte[] data, UInt16 size, FilterCaptureFuncs functionFlag)
{
return(CheckBlockIgnoreWatchBreak(data, size, functionFlag, FilterActions.Break));
}
public static void NewFilter(bool active, FilterModes mode, FilterCaptureFuncs functions, FilterActions actions, string name, uint maxPacketLeghtMin, uint maxPacketLeghtMax, uint numTimesApply, Dictionary <int, byte> searches, Dictionary <int, byte> replaces)
{
var filter = new Filter(active, mode, functions, actions, name, maxPacketLeghtMin, maxPacketLeghtMax, numTimesApply, searches, replaces);
_filterList.Add(filter);
}
