[A++] Proxocket - dll proxy project - saves a .cap dump for any exe (Luigi Auriemma)

[begood]

Citeam http://rstcenter.com/forum/26064-encrypted-obfuscated-your-p2p-protocol-can-still-ided.rst si am dat peste documentul (PDF) in care era explicata toata procedura.

La pagina 10 vad un nume cunoscut : Luigi Auriemma.

Pe scurt ce face "programul" (e un singur dll) :

Stocheaza tot traficul facut de un program intr-un fisier .pcap (Wireshark).

Iar asta doar cu un dll ce trebuie introdus in acelasi folder cu executabilul pe care dorim sa-l analizam.

*Trebuie sa aveti winpcap instalat.

Luigi Auriemma

Proxocket is a dll proxy project for the main Winsock functions which allows to capture any type of packet and data sent/received by a specific software of your choice and optionally modifying its content or the connect, bind and accept functions through a custom dll very easy to create.

Proxocket handles the following functions for both ws2_32.dll and wsock32.dll: WSAStartup, socket, WSASocketA, WSASocketW, closesocket, connect, WSAConnect, bind, accept, WSAAccept, recv, recvfrom, WSARecv, WSARecvFrom, WSARecvEx, send, sendto, WSASend, WSASendTo.

it has also specific support for TCP, UDP, ICMP, IGMP and RAW packets with handling of SOCK_STREAM, SOCK_DGRAM and SOCK_RAW on both incoming and outgoing data.

the project is divided in two parts:

• monitoring/sniffing: a CAP file in tcpdump format will be generated for any captured packet, this is the default operation
  
• user's custom manipulation of the captured data: through a custom myproxocket.dll edited and created by the same user is possible to have control over the captured data like creating a rudimental firewall for a specific software or editing the data which will be passed to the main program on the fly or creating a decompressor/decrypter/protocol_analyzer and so on
  

read the text file inside for more informations and if you want to write a plugin take a look at the source code of my myproxocket.c example.

the following are some "example plugins" I wrote for proxyfying the main program and or doing some things:

- web proxy forcer 0.1: works like a classical web proxyfier

- web proxy forcer mode2 0.1: works like a classical web proxyfier

- connect proxy forcer 0.1: works like a CONNECT proxyfier

note: if you have Vista and the local ws2_32/wsock32 dlls are not loaded try to set the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\DevOverrideEnable" to 1.

note: the exported functions of myproxocket.dll MUST be declared as CDECL, this is default on Mingw but not on other compilers.

note: do NOT use Cygwin for compiling the myproxocket plugins.

nota personala : presupun ca se foloseste de dll hijacking

LE: da, am avut dreptate

============================================

4) How it works and advantages/disadvantages

============================================

The idea of Proxocket is the one of the dll proxies, so it's

constituited by a ws2_32.dll and wsock32.dll which are used between the

main program and the real ws2_32.dll and wsock32.dll files:

program <-> Proxocket ws2_32.dll <-> real ws2_32.dll

This is possible because the dlls used by the programs are first

searched in their current folder and if these dlls are not found will be

searched in c:\windows\system32 and so on.

Edited September 22, 2010 by begood

[wpanda]

Ceva extrem de ultil, foarte tare chiar.

Merci Begood

[Guest Nemessis]

Mare om, mare caracter, Luigi A.. Un italian de nota 10.