        /// <summary>
        /// Adds a top-level tree node for a newly observed TCP stream. The node is keyed by
        /// the reassembler's HashCode and labelled with the bare file name of its dump file;
        /// the TcpRecon itself is stored in Tag so the click handler can find it again.
        /// </summary>
        /// <param name="recon">Reassembler for the new stream; dereferenced, so must not be null.</param>
        public void NewStream(TcpRecon recon)
        {
            string   label      = Path.GetFileName(recon.dumpFile);
            TreeNode streamNode = tv.Nodes.Add(recon.HashCode, label);

            streamNode.Tag = recon;
            tv.Refresh();
        }
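        /// <summary>
        /// Tree selection handler: shows the dump file behind the clicked node in the hex
        /// editor. A stream node (Tag is a TcpRecon) just loads its dump file read-only; a
        /// block node (Tag is a DataBlock) loads the parent stream's file, scrolls to and
        /// selects the block's byte range, then refreshes the active tab.
        /// </summary>
        /// <param name="n">Clicked node. A null node, or one whose Tag is neither a TcpRecon
        /// nor a DataBlock, is ignored (the previously loaded block is still released);
        /// the original code cast unconditionally and threw on such nodes.</param>
        private void TvNodeClick(TreeNode n)
        {
            bool viewOnly = true;

            // Release the block loaded for the previous selection first, so its buffer is
            // not kept alive if we bail out below.
            if (curdb != null)
            {
                curdb.FreeData();
                curdb = null;
            }

            if (n == null || n.Tag == null)
            {
                return;
            }

            TcpRecon tr = n.Tag as TcpRecon;
            if (tr != null)
            {
                if (he.LoadedFile != tr.dumpFile)
                {
                    he.LoadFile(ref tr.dumpFile, ref viewOnly);
                }
                return;
            }

            DataBlock db = n.Tag as DataBlock;
            if (db == null)
            {
                return;
            }
            curdb = db;

            if (he.LoadedFile != db.recon.dumpFile)
            {
                he.LoadFile(ref db.recon.dumpFile, ref viewOnly);
            }
            he.scrollTo(db.startOffset);
            he.set_SelStart(ref db.startOffset);
            he.set_SelLength(ref db.length);

            tabs_SelectedIndexChanged(null, null);
        }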
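        /// <summary>
        /// Emits a DataBlock (one tree child) for the bytes the reassembler has written since
        /// the previous block: [LastSavedOffset, PreviousPacketEndOffset), or up to
        /// CurrentOffset once the stream is complete. The block is handed to the UI thread
        /// via owner.Invoke(NewNode, ...) and LastSavedOffset is then advanced.
        /// </summary>
        /// <param name="recon">Reassembler whose dump file just grew; must not be null.</param>
        /// <remarks>
        /// Called from the capture callback; only NewNode is marshalled to the UI thread.
        /// </remarks>
        private void AddNewNode(TcpRecon recon)
        {
            // NOTE(review): the recon offsets are narrowed to int because DataBlock takes
            // ints. If those offsets are 64-bit, a single stream dump past 2 GiB would wrap
            // here and produce a bogus block — confirm whether that is reachable.
            int startAt = (int)recon.LastSavedOffset;
            int endAt   = (int)recon.PreviousPacketEndOffset;

            if (recon.isComplete)
            {
                endAt = (int)recon.CurrentOffset;
            }

            DataBlock db = new DataBlock(recon.dumpFile, startAt, endAt - startAt, recon);

            // Epoch time as "seconds.microseconds". The microsecond part is zero-padded to
            // six digits: the previous Seconds + "." + MicroSeconds concatenation rendered
            // 12 µs as ".12", which reads as 120 ms. Invariant culture keeps the integer
            // formatting independent of the machine's locale.
            db.EpochTimeStamp = string.Format(System.Globalization.CultureInfo.InvariantCulture,
                                              "{0}.{1}",
                                              curPacketTime.Seconds,
                                              curPacketTime.MicroSeconds.ToString().PadLeft(6, '0'));

            owner.Invoke(NewNode, db);

            recon.LastSavedOffset = recon.PreviousPacketEndOffset;
        }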
 /// <summary>
 /// Describes one contiguous byte range [start, start + len) inside a stream dump file.
 /// </summary>
 /// <param name="pFile">Path of the dump file the bytes live in.</param>
 /// <param name="start">Offset of the block's first byte within <paramref name="pFile"/>.</param>
 /// <param name="len">Byte count of the block. Not validated: a negative value from the
 /// caller simply yields an endOffset below startOffset.</param>
 /// <param name="pRecon">Reassembler that produced the dump file; stored as-is, not dereferenced here.</param>
 public DataBlock(string pFile, int start, int len, TcpRecon pRecon)
 {
     recon       = pRecon;
     parentFile  = pFile;
     length      = len;
     startOffset = start;
     endOffset   = startOffset + length;
 }
        /// <summary>
        /// Adds a top-level tree node for a newly observed TCP stream, keyed by the
        /// reassembler's HashCode and labelled by getParentNodeName(recon). The TcpRecon is
        /// kept in the node's Tag for later lookup by the click handler.
        /// </summary>
        /// <param name="recon">Reassembler for the new stream; dereferenced, so must not be null.</param>
        public void NewStream(TcpRecon recon)
        {
            string label = getParentNodeName(recon);

            TreeNode streamNode = tv.Nodes.Add(recon.HashCode, label);
            streamNode.Tag = recon;

            tv.Refresh();
        }
        // The callback function for the SharpPcap library
        // Older SharpPcap API: the already-parsed Packet is delivered directly. Runs on the
        // capture thread; UI work (NewStream) is marshalled through owner.Invoke.
        //
        // UDP goes to the DNS handler, anything that is not TCP is dropped. Each TCP segment
        // is routed to the TcpRecon for its Connection (created on first sight together with
        // a tree node and the two endpoint IPs in `ips`), reassembled, and — once the
        // reassembler has flushed data and the sending side has changed — turned into a tree
        // child via AddNewNode.
        private void device_PcapOnPacketArrival(object sender, Packet packet)
        {
            if (packet is UDPPacket)
            {
                HandleDNS(packet);
                return;
            }

            TCPPacket tcpPacket = packet as TCPPacket;
            if (tcpPacket == null)
            {
                return;
            }

            Connection conn = new Connection(tcpPacket);
            TcpRecon   recon;

            if (!sharpPcapDict.TryGetValue(conn, out recon))
            {
                // NOTE(review): the dump file name is built by generateFileName from packet
                // fields (presumably addresses/ports) — confirm it cannot escape outDir.
                conn.generateFileName(outDir);
                recon = new TcpRecon(conn.fileName);
                recon.LastSourcePort = tcpPacket.SourcePort;
                sharpPcapDict.Add(conn, recon);

                string dstLabel = "tcp: " + tcpPacket.DestinationAddress;
                string srcLabel = "tcp: " + tcpPacket.SourceAddress;
                if (!IPExists(dstLabel))
                {
                    ips.Add(dstLabel);
                }
                if (!IPExists(srcLabel))
                {
                    ips.Add(srcLabel);
                }

                owner.Invoke(NewStream, recon);
            }

            // May contain fragments and out-of-order segments; the recon sorts that out.
            recon.ReassemblePacket(tcpPacket);

            // PacketWritten: reassembly/reordering completed and data was saved this round.
            // A change of source port means the previous direction's run is finished.
            if (recon.PacketWritten && recon.LastSourcePort != tcpPacket.SourcePort)
            {
                AddNewNode(recon);
                recon.LastSourcePort = tcpPacket.SourcePort;
            }
        }
        /// <summary>
        /// Emits a DataBlock (one tree child) for the bytes written since the previous block:
        /// [LastSavedOffset, PreviousPacketEndOffset), or through CurrentOffset once the
        /// stream is complete. The block goes to the UI thread via owner.Invoke(NewNode, ...),
        /// after which LastSavedOffset is advanced.
        /// </summary>
        /// <param name="recon">Reassembler whose dump file just grew; must not be null.</param>
        private void AddNewNode(TcpRecon recon)
        {
            // NOTE(review): offsets are narrowed to int because DataBlock takes ints; if the
            // recon offsets are 64-bit, a stream dump past 2 GiB would wrap here — confirm.
            int blockStart = (int)recon.LastSavedOffset;
            int blockEnd   = recon.isComplete
                ? (int)recon.CurrentOffset
                : (int)recon.PreviousPacketEndOffset;

            DataBlock block = new DataBlock(recon.dumpFile, blockStart, blockEnd - blockStart, recon);
            owner.Invoke(NewNode, block);

            recon.LastSavedOffset = recon.PreviousPacketEndOffset;
        }
        //#region reconManager callbacks
        /// <summary>
        /// Label for a stream's top-level tree node: the bare file name of the reassembler's
        /// dump file, passed through the string overload of getParentNodeName.
        /// </summary>
        /// <param name="recon">Reassembler for the stream; must not be null.</param>
        /// <returns>Whatever getParentNodeName(string) yields for the dump file name.</returns>
        private string getParentNodeName(TcpRecon recon)
        {
            return getParentNodeName(Path.GetFileName(recon.dumpFile));
        }
        // The callback function for the SharpPcap library
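        // CaptureEventArgs API. Runs on the capture thread; only NewStream/NewNode are
        // marshalled to the UI through owner.Invoke.
        //
        // Flow: parse the raw frame (undecodable frames are skipped), record the capture's
        // first timestamp, hand UDP to HandleDNS, then route each TCP segment to the TcpRecon
        // for its Connection — creating the reassembler, its tree node and the endpoint IP
        // list entries on first sight — and, once the reassembler has flushed data and the
        // sending side changed, emit a DataBlock via AddNewNode.
        private void device_PcapOnPacketArrival(object sender, CaptureEventArgs e)
        {
            Packet packet;

            try
            {
                packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
            }
            catch (Exception)
            {
                // Best-effort: a frame PacketDotNet cannot decode (the original author saw
                // "raw packet not implemented") is dropped rather than killing the capture
                // thread. Counters are not touched for dropped frames.
                return;
            }

            // Timestamps as decimal seconds computed from the integer fields. The previous
            // code concatenated Seconds + "." + MicroSeconds and decimal.Parse'd it, which
            // (a) mis-read every microsecond value below 100000 (12 µs became 0.12 s) and
            // (b) threw FormatException on locales whose decimal separator is not '.'.
            decimal packetTime = e.Packet.Timeval.Seconds + e.Packet.Timeval.MicroSeconds / 1000000m;

            if (firstTimeStamp == 0)
            {
                firstTimeStamp = packetTime;
            }

            totalPackets++;
            UdpPacket udpPacket = (UdpPacket)packet.Extract(typeof(UdpPacket));

            if (udpPacket != null)
            {
                HandleDNS(udpPacket);
                return;
            }

            IpPacket  ipPacket  = (IpPacket)packet.Extract(typeof(IpPacket));
            TcpPacket tcpPacket = (TcpPacket)packet.Extract(typeof(TcpPacket));

            if (tcpPacket == null || ipPacket == null)
            {
                // ReassemblePacket and the IP bookkeeping below dereference ipPacket, so a
                // TCP layer without an IP layer (unexpected, but possible from a decoder
                // quirk) must be dropped here instead of faulting the capture thread.
                return;
            }
            totalTCPPackets++;

            Connection c     = new Connection(tcpPacket);
            TcpRecon   recon = null;

            curPacket     = tcpPacket;
            curPacketTime = e.Packet.Timeval;

            if (!sharpPcapDict.TryGetValue(c, out recon))
            {
                // NOTE(review): the dump file name is built by generateFileName from packet
                // fields (presumably addresses/ports) — confirm it cannot escape outDir.
                c.generateFileName(outDir);
                recon = new TcpRecon(c.fileName);
                recon.LastSourcePort = tcpPacket.SourcePort;

                // "seconds.microseconds" with the microsecond part zero-padded to six digits
                // so the string round-trips as a decimal; invariant culture for the integers.
                recon.StreamStartTimeStamp = string.Format(System.Globalization.CultureInfo.InvariantCulture,
                                                           "{0}.{1}",
                                                           e.Packet.Timeval.Seconds,
                                                           e.Packet.Timeval.MicroSeconds.ToString().PadLeft(6, '0'));
                recon.relativeTimeStamp = (packetTime - firstTimeStamp).ToString(System.Globalization.CultureInfo.InvariantCulture);

                sharpPcapDict.Add(c, recon);

                if (!IPExists("tcp: " + ipPacket.DestinationAddress))
                {
                    ips.Add("tcp: " + ipPacket.DestinationAddress);
                }
                if (!IPExists("tcp: " + ipPacket.SourceAddress))
                {
                    ips.Add("tcp: " + ipPacket.SourceAddress);
                }
                owner.Invoke(NewStream, recon);
            }

            // May contain fragments and out-of-order segments; the recon sorts that out.
            recon.ReassemblePacket(ipPacket.SourceAddress.Address,
                                   ipPacket.DestinationAddress.Address,
                                   tcpPacket, e.Packet.Timeval);

            // PacketWritten: reassembly/reordering completed and data was saved this round.
            // A change of source port means the previous direction's run is finished.
            if (recon.PacketWritten && recon.LastSourcePort != tcpPacket.SourcePort)
            {
                AddNewNode(recon);
                recon.LastSourcePort = tcpPacket.SourcePort;
            }
        }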
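        /// <summary>
        /// Script entry point: asks for a C2 address substring, walks every stream node whose
        /// dump file name contains it, runs decode() over each binary DataBlock and writes a
        /// hex dump of the resulting buffer to decoder_x_output.txt in the pcap's directory.
        /// Progress is reported through the host form's two progress bars.
        /// </summary>
        /// <param name="component">Scripting host; its Parent is the main form.</param>
        public void Run(IScriptableComponent component)
        {
            int i = 0, j = 0, hits = 0;

            Form1 f = component.Parent;

            string C2 = f.InputBox("Enter the C2 IP to decode data for (can be partial string but be unique)", "Set C2", "");

            if (C2.Length == 0)
            {
                return;
            }

            // Path.GetDirectoryName throws on an empty path (.NET Framework) and returns null
            // for a root; the old code then built "\decoder_x_output.txt" and wrote to the
            // root of the current drive. Refuse instead of writing somewhere unexpected.
            string pcapPath = f.txtPcap.Text;
            string pDir     = string.IsNullOrEmpty(pcapPath) ? null : Path.GetDirectoryName(pcapPath);

            if (string.IsNullOrEmpty(pDir))
            {
                MessageBox.Show("Cannot determine the pcap directory; load a pcap first.");
                return;
            }

            string rep = Path.Combine(pDir, "decoder_x_output.txt");

            // Create/truncate in one step (no Delete + AppendText window) and dispose via
            // using so the report is closed even if LoadData()/decode() throws mid-loop.
            using (StreamWriter w = new StreamWriter(rep, false))
            {
                foreach (TreeNode n in f.tv.Nodes)
                {
                    i++; j = 0;
                    f.setpb(i, f.tv.Nodes.Count, 1);

                    // Top-level nodes are expected to carry a TcpRecon; skip anything else
                    // instead of throwing InvalidCastException.
                    TcpRecon recon = n.Tag as TcpRecon;
                    if (recon == null)
                    {
                        continue;
                    }

                    //both ips are embedded in dump file name
                    //you can also use recon.Client[Address|Port] recon.Server[Address|Port]
                    // Ordinal: this is an address substring, not linguistic text; the default
                    // IndexOf(string) is culture-sensitive.
                    if (recon.dumpFile.IndexOf(C2, StringComparison.Ordinal) == -1)
                    {
                        continue;
                    }

                    foreach (TreeNode nn in n.Nodes)
                    {
                        j++;
                        f.setpb(j, n.Nodes.Count, 2);

                        DataBlock db = nn.Tag as DataBlock;
                        if (db == null)
                        {
                            continue;
                        }
                        w.WriteLine(n.Text + " : " + nn.Text + "\r\n------------------------------------------------");

                        if (!db.LoadData())
                        {
                            w.WriteLine("Failed to load data...\r\n");
                            continue;
                        }

                        byte[] buf = null;

                        //in this example we will only process raw binary transfers (no http)
                        if (db.DataType == DataBlock.DataTypes.dtBinary)
                        {
                            buf = db.data;
                        }

                        //DataBlock Source and Dest addresses are set per packet,
                        //you can also filter based on db.SourcePort && db.DestPort
                        //
                        //example to handle client requests to server port 9000:
                        //   if(db.SourceAddress == recon.ClientAddress && db.DestPort == 9000)
                        //
                        //Note: this for loop only runs if we matched target server because of continue above...

                        if (buf != null && buf.Length > 0)
                        {
                            hits++;
                            decode(buf);
                            w.WriteLine(HexDumper.HexDump(buf));
                            w.WriteLine("\r\n");
                        }

                        db.FreeData();
                    }
                }
            }

            f.pb.Value  = 0;
            f.pb2.Value = 0;

            if (hits > 0)
            {
                MessageBox.Show(hits.ToString() + " packets decoded.\nSaved as: " + rep);
            }
            else
            {
                MessageBox.Show("No binary data packets found from the C2 you entered: " + C2);
            }
        }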