begood

[A++] Proxocket - dll proxy project - saves a .cap dump for any exe (Luigi Auriemma)


I was reading http://rstcenter.com/forum/26064-encrypted-obfuscated-your-p2p-protocol-can-still-ided.rst and came across the document (PDF) in which the whole procedure was explained.

On page 10 I see a familiar name: Luigi Auriemma.

In short, what the "program" (it is a single dll) does:

It stores all the traffic made by a program in a .pcap file (Wireshark).

And this with nothing more than a dll that must be placed in the same folder as the executable we want to analyze.

*You must have winpcap installed.

Luigi Auriemma

Proxocket is a dll proxy project for the main Winsock functions which allows capturing any type of packet and data sent/received by a specific software of your choice and optionally modifying its content or the connect, bind and accept functions through a custom dll that is very easy to create.

Proxocket handles the following functions for both ws2_32.dll and wsock32.dll: WSAStartup, socket, WSASocketA, WSASocketW, closesocket, connect, WSAConnect, bind, accept, WSAAccept, recv, recvfrom, WSARecv, WSARecvFrom, WSARecvEx, send, sendto, WSASend, WSASendTo.

It also has specific support for TCP, UDP, ICMP, IGMP and RAW packets with handling of SOCK_STREAM, SOCK_DGRAM and SOCK_RAW on both incoming and outgoing data.

The project is divided into two parts:

  • monitoring/sniffing: a CAP file in tcpdump format will be generated for any captured packet, this is the default operation
  • user's custom manipulation of the captured data: through a custom myproxocket.dll edited and created by the user it is possible to have control over the captured data, like creating a rudimentary firewall for a specific software, editing the data which will be passed to the main program on the fly, creating a decompressor/decrypter/protocol_analyzer and so on

Read the text file inside for more information and if you want to write a plugin take a look at the source code of my myproxocket.c example.

The following are some "example plugins" I wrote for proxifying the main program and/or doing some things:

- web proxy forcer 0.1: works like a classical web proxyfier

- web proxy forcer mode2 0.1: works like a classical web proxyfier

- connect proxy forcer 0.1: works like a CONNECT proxyfier

Note: if you have Vista and the local ws2_32/wsock32 dlls are not loaded, try to set the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\DevOverrideEnable" to 1.

Note: the exported functions of myproxocket.dll MUST be declared as CDECL; this is the default on Mingw but not on other compilers.

Note: do NOT use Cygwin for compiling the myproxocket plugins.

Personal note: I assume it makes use of dll hijacking :)

LE: yes, I was right

============================================

4) How it works and advantages/disadvantages

============================================

The idea of Proxocket is the one of the dll proxies, so it's constituted by a ws2_32.dll and wsock32.dll which are used between the main program and the real ws2_32.dll and wsock32.dll files:

program <-> Proxocket ws2_32.dll <-> real ws2_32.dll

This is possible because the dlls used by the programs are first searched in their current folder and if these dlls are not found they will be searched in c:\windows\system32 and so on.

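The search-order behaviour described above (a ws2_32.dll or wsock32.dll next to the executable is loaded before the copy in System32) is also what a defender would look for when checking whether a program is being proxied. The following is an added example, not part of the original post or of Proxocket: it flags Winsock DLLs sitting in a program's folder and compares them byte for byte with the system copies, using a constructed temporary directory tree in place of a real System32.

```python
"""Check a program's folder for copies of the Winsock DLLs that would shadow
the real ones under the DLL search order Proxocket relies on.
Added example; not part of the original post or of Proxocket itself."""
import hashlib
import os
import shutil
import tempfile

WINSOCK_DLLS = ("ws2_32.dll", "wsock32.dll")  # the two DLLs Proxocket proxies

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_shadowed_dlls(exe_dir, system_dir, names=WINSOCK_DLLS):
    """Return {dll_name: verdict} for every name in `names` also present in
    exe_dir (matched case-insensitively, as NTFS does). Verdicts: 'identical'
    (a byte-for-byte copy of the system DLL), 'differs' (a different file,
    e.g. a proxy DLL), 'no-system-copy' (nothing in system_dir to compare)."""
    local = {f.lower(): os.path.join(exe_dir, f) for f in os.listdir(exe_dir)}
    system = {f.lower(): os.path.join(system_dir, f) for f in os.listdir(system_dir)}
    findings = {}
    for name in names:
        key = name.lower()
        if key not in local:
            continue  # nothing next to the exe shadows this DLL
        if key not in system:
            findings[name] = "no-system-copy"
        elif _sha256(local[key]) == _sha256(system[key]):
            findings[name] = "identical"
        else:
            findings[name] = "differs"
    return findings

def demo():
    """Constructed fixture: a fake System32 plus a program folder where
    ws2_32.dll is a different file (proxy-like) and wsock32.dll is a plain copy."""
    root = tempfile.mkdtemp()
    try:
        sys32, app = os.path.join(root, "System32"), os.path.join(root, "app")
        os.makedirs(sys32)
        os.makedirs(app)
        for name in WINSOCK_DLLS:  # stand-ins for the real system DLLs
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(b"REAL-" + name.encode())
        shutil.copy(os.path.join(sys32, "wsock32.dll"), app)    # untouched copy
        with open(os.path.join(app, "WS2_32.dll"), "wb") as f:  # different content
            f.write(b"PROXY-ws2_32")
        return find_shadowed_dlls(app, sys32)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())  # {'ws2_32.dll': 'differs', 'wsock32.dll': 'identical'}
```

On a real host, call `find_shadowed_dlls` with the program's folder and `%SystemRoot%\System32`; a 'differs' verdict is a reason to look at the file, not proof by itself, since legitimate software sometimes ships its own copies.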
