
Capturing outgoing packet, changing it a bit and sending forward



I wanted to start working on a small script which will scan the chosen process and capture every outgoing packet in that process (or on specified port) which contains "74 65 73 74" (hex 'test').

Then it will automatically change the "74 65 73 74" in that packet to "54 45 53 54" (hex 'TEST').

It's just an example. Do I need to inject the Windows Socket 2.0 DLL (ws2_32.dll) and call its functions somehow with DllCall()?

Process -> Script [modifying packet] -> Server

I found that somewhere on the forums, and that's all I've got for now. I don't know where to start :P

Func SendData()
    $v_Data = "54455354" ; hex for "TEST"
    $v_Buffer = DllStructCreate("byte[4]")

    ; Copy each pair of hex digits into one byte of the struct
    For $n = 1 To 4
        $val = StringMid($v_Data, 1 + ($n - 1) * 2, 2)
        DllStructSetData($v_Buffer, 1, Dec($val), $n) ; struct, element, data, index
    Next
EndFunc ; EndFunc was missing in the original fragment

And this for injecting the DLL:

#include '_DLLInjection.au3'

Local $sProcess, $iProcessID, $sDLLToInject, $hInjectedDLL, $bLoadedProc = False
$sProcess = 'Test.exe'
$sDLLToInject = 'ws2_32.dll'
$iProcessID = ProcessExists($sProcess)
If $iProcessID Then
    $bLoadedProc = True
Else
    $iProcessID = Run($sProcess)
    If $iProcessID = 0 Then Exit
    Local $hProcess = _ProcessOpen($iProcessID, $PROCESS_QUERY_LIMITED_INFO)
    ; Wait for the process to 'settle'
    _ProcessWaitForInputIdle($hProcess, 3000)
    _ProcessCloseHandle($hProcess)
EndIf
MsgBox(0, "Ready!", "Ready to inject! ('" & $sDLLToInject & "')")
$hInjectedDLL = _DLLInject($iProcessID, $sDLLToInject)
If @error Then Exit MsgBox(0, "DLL Injection Failed", "Injection failed, Return: " & $hInjectedDLL & "@error=" & @error & ", @extended=" & @extended)

Any help will be greatly appreciated! :)

Edit: I can use something like that:

If StringInStr($packet, Hex('test')) Then
    Local $mod_packet = StringReplace($packet, Hex('test'), Hex('TEST'))
    ; and here the function to send that packet forward
EndIf

WSASend function? (http://msdn.microsoft.com/en-us/library/windows/desktop/ms742203(v=vs.85).aspx)

PacketX? ARP Packet? ()

Edited by VixinG


I got this so far:

#include <Winpcap.au3>
#include <Array.au3>

Global $pcap, $AdapterName = 0
Global $aData, $mData
Global $sProcess, $iProcessID

$winpcap = _PcapSetup()
If ($winpcap = -1) Then Exit

$pcap_devices = _PcapGetDeviceList()
If ($pcap_devices = -1) Then Exit

; Pick the adapter by its IP address. _PcapStartCapture needs the device
; name, which (assuming the UDF's device-list layout) is in column 0; the
; original assigned the IP from column 7, so no capture could start.
$sIPReso = '192.168.1.109'
For $i = 0 To UBound($pcap_devices) - 1
    If $pcap_devices[$i][7] = $sIPReso Then
        $AdapterName = $pcap_devices[$i][0]
        ExitLoop
    EndIf
Next
If $AdapterName = 0 Then Exit

;--------
$sProcess = 'xchat.exe'
$iProcessID = ProcessExists($sProcess)
If Not $iProcessID Then Exit

$pcap = _PcapStartCapture($AdapterName, "tcp")
While 1
    $packet = _PcapGetPacket($pcap)
    If IsArray($packet) Then
        ; $packet[3] is the raw frame as binary; drop the "0x" prefix to get a hex string
        $aData = StringTrimLeft($packet[3], 2)
        If StringInStr($aData, Hex('test')) Then
            $mData = StringReplace($aData, Hex('test'), Hex('TEST'))
        EndIf
    EndIf ; this EndIf was missing, so the script would not run at all
    Sleep(10) ; don't spin at 100% CPU between packets
WEnd

Can you help me a little? I'm missing functions to block the outgoing packet with "test" and sending stuff...

And by the way, this script doesn't work. I don't know why. It should monitor packets and it isn't.

I'm doing this for educational purposes only and I don't know where to look for help :|

Edited by VixinG

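An added example in Python, not code from this thread and independent of the Winpcap UDF: a parser for the Ethernet/IPv4/TCP framing that the posted script searches as one flat hex string. Searching the whole frame is why a naive match misfires: TCP port numbers 0x7465 and 0x7374 put the very bytes 74 65 73 74 into the header, so a frame with no "test" in its payload still matches. The frames below are constructed inline; the MAC addresses, IPs, ports and IRC-style payloads are made-up sample values. The example covers only the monitoring half of what the thread asks for, locating a signature in the payload of a captured frame.

```python
"""Locate a byte signature in the TCP payload of raw Ethernet frames.

Constructed example: every frame here is built by build_frame(); nothing
is captured from a live adapter. Checksums are left at zero and are not
verified.
"""
import struct

SIGNATURE = b"test"  # the thread's example pattern, 74 65 73 74 in hex


def build_frame(payload: bytes, sport: int = 40000, dport: int = 6667) -> bytes:
    """Build a sample Ethernet II + IPv4 (no options) + TCP (no options) frame."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 109]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def tcp_payload(frame: bytes):
    """Return (src, sport, dst, dport, payload) or None if not IPv4/TCP."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                    # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                           # total_len drops Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                         # TCP data offset in bytes
    if doff < 20 or len(tcp) < doff:
        return None
    return src, sport, dst, dport, tcp[doff:]


def find_signature(frame: bytes, signature: bytes = SIGNATURE) -> int:
    """Offset of the signature inside the TCP payload, or -1 if absent/not TCP."""
    parsed = tcp_payload(frame)
    return -1 if parsed is None else parsed[4].find(signature)


def naive_hex_match(frame: bytes, signature: bytes = SIGNATURE) -> bool:
    """What the posted script does: search the whole frame's hex string."""
    return signature.hex() in frame.hex()


def scan(frames, signature: bytes = SIGNATURE):
    """Return (src, sport, dst, dport, offset) for each frame whose payload matches."""
    hits = []
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        off = payload.find(signature)
        if off != -1:
            hits.append((src, sport, dst, dport, off))
    return hits


if __name__ == "__main__":
    hit = build_frame(b"PRIVMSG #chan :this is a test\r\n")
    miss = build_frame(b"PING :server\r\n")
    trap = build_frame(b"PING :server\r\n", sport=0x7465, dport=0x7374)
    for name, frame in (("hit", hit), ("miss", miss), ("trap", trap)):
        print(f"{name}: payload offset {find_signature(frame)}, "
              f"naive hex match {naive_hex_match(frame)}")
    print(scan([hit, miss, trap]))
```

The `trap` frame is the point: the naive hex search reports a match because the signature bytes sit in the TCP port fields, while the payload-aware parser correctly reports none. Any monitor that keys on payload content has to walk the headers first.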

Sorry for bumping again, but if anyone knows how to help me with it...

I'm not really good at all this packet stuff, so I don't have a clue how to do that / how it should function step by step.

C'mon :(


And wait 24 hours before bumping.


And wait 24 hours before bumping.

That's why I said I'm sorry for bumping :D

I will wait next time I swear.

VixinG,

You may find a more responsive audience by explaining exactly what you are doing and why you are doing it.

kylomas

Of course, kylomas. I'm explaining.

What: I want to capture an outgoing packet which contains e.g. 70 0C 2B A1, modify it to e.g. 22 4A 1C 08 and send it forward.

Why: I want to learn how to write something like that. It can be helpful, like everything else that I found here on the forums. I very much appreciate everyone's work and I study every interesting source code. It's all for education. I'm not ready yet to learn any 'serious' language like C++/C#, and I like AutoIt and I would like to learn as much as I can. I'm not lying now. I want to achieve something. I want to know at least one programming language and I chose this.


VixinG,

I understand your desire to learn and appreciate that English is not your native language so your "WHY" explanation may be losing something in translation. However, your "WHAT" is very specific and I cannot think of a non-malicious reason to do something like this.

If this is my misunderstanding then I apologize and Good Luck...

kylomas


VixinG,

I understand your desire to learn and appreciate that English is not your native language so your "WHY" explanation may be losing something in translation. However, your "WHAT" is very specific and I cannot think of a non-malicious reason to do something like this.

If this is my misunderstanding then I apologize and Good Luck...

kylomas

Thanks for the reply. I can see I won't get any help here about that, so I will just leave it and start doing something else :P
