Find and drop a packet with myproxocket.dll

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

Hello everyone. I've been reading the forums for weeks now (on and off) and I'm really impressed with what myproxocket can do. 1st off, thanks aluigi for making it, and especially for the amount of support I've seen you give on your forums.

With that said, I have found a couple things mentioning close to what I"m looking for but haven't found it quite yet, so I'm looking to see if anyone can help me with a short code sippet.

Essentially, I would like to have myproxocket drop a packet if it contains a specific hex string. This is the string...

04:00:00:00:00:00:00:00:00:00:00:00:00:00:00:20

What would be the string I need to use to have it find this, and drop the whole packet. I found a couple posts about it but one said you can't use find_replace_string with \x00, but then went on to modify the find_replace_string function.

Sorry, I'll also add that I'm really new to C programming. I know some programming like vb.net (yet I'm not expert) so programming concepts I do understand for the most part, or can learn.

Again, thanks for any help you can be, you are an amazing guy Aluigi for helping people the way you do.

Trevor

aluigi · **Posted:** 15 Mar 2010 11:39

the following code sets to zero the length of any udp packet containing (beginning, middle or end) the sequence of 16 bytes you posted:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>



u_char *find_replace_string(u_char *buf, int *len, u_char *old, int oldlen, u_char *new, int newlen) {
    int     i,
            tlen,
            //oldlen,
            //newlen,
            found;
    u_char  *nbuf,
            *p;

    found  = 0;
    //oldlen = strlen(old);
    tlen   = *len - oldlen;

    for(i = 0; i <= tlen; i++) {
        if(!memcmp(buf + i, old, oldlen)) found++;
    }
    if(!found) return(buf); // nothing to change: return buf or a positive value

    if(!new) return(NULL);  // if we want to know only if the searched string has been found, we will get NULL if YES and buf if NOT!!!
    //newlen = strlen(new);

    if(newlen <= oldlen) {  // if the length of new string is equal/minor than the old one don't waste space for another buffer
        nbuf = buf;
    } else {                // allocate the new size
        nbuf = malloc(*len + ((newlen - oldlen) * found));
    }

    p = nbuf;
    for(i = 0; i <= tlen;) {
        if(!memcmp(buf + i, old, oldlen)) {
            memcpy(p, new, newlen);
            p += newlen;
            i += oldlen;
        } else {
            *p++ = buf[i];
            i++;
        }
    }
    while(i < *len) {
        *p++ = buf[i];
        i++;
    }
    *len = p - nbuf;
    return(nbuf);
}



int __cdecl myrecvfrom(SOCKET s, u_char *buf, int len, int flags, struct sockaddr *from, int *fromlen) {
    if(!find_replace_string(buf, &len, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20", 16, NULL, 0)) {
        return(0);
    }
    return(len);
}



BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch(fdwReason) {
        case DLL_PROCESS_ATTACH: {
            DisableThreadLibraryCalls(hinstDLL);
            break;
        }
        default: break;
    }
    return(TRUE);
}

I have also attached the pre-compiled dll in case of problems

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

Thanks very much. I'll play with that a bit. The reason I'm doing this is because I'm helping run a Counterstrike Source server and one way to crash it is to use a program that's been called "crash3". It uses your proxocket application and, I can only guess, modify the packets. The server crashes instantly, before the client even finishes the connection.

I'm using this as a way to learn how to use your program. I'm trying to stop whatever packets it's sending to the server to stop it from crashing it.

So, just thought I would let you know. I know you aren't interested in Halflife/Counterstrike so I'm not asking you to start that again.

Thanks for the help.

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

Update...

I got it working. Thanks for the help Aluigi. I had the wrong packet from the capture, but I found the correct one and your code is blocking it 100%. Love it. You are saving us a LOT of pain. Thanks again.

Trevor

aluigi · **Posted:** 16 Mar 2010 11:13

oh I guess you refer to that recent vulnerability which involves (if I understood correctly) the certificate, right?
(I'm not in the community so I have been aware about these new bugs only because some admins reported them to me).

good that proxocket has been useful in the patching/work-around and I hope it's also not so complex to be programmed :)

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

While it wasn't hard at all with proxocket, I'm hoping steam will be able to fix it also. Hopefully they can have some validation of those packets before thwy get processed and cause errors.

But, we know how much they are really trying to patch their program.

I do have another question in relation to this though. I'm building in a log portion to this so when it picks up the bad packets, it will record the users ip address and time. We ban these users ip addresses from our actual server so they can't touch it at all. Can I pull the ip address from within myrecvfrom or do I need to call/import another function to do it?

Thanks again.

Trevor

aluigi · **Posted:** 16 Mar 2010 15:39

for the log I would use a global FILE descriptor opened in DllMain in append mode with a fflush after each write, like:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>



FILE *fdlog = NULL;
u_char *ip2str(u_int ip) {
    static u_char  data[16];

    sprintf(data, "%u.%u.%u.%u",
        (ip & 0xff), ((ip >> 8) & 0xff), ((ip >> 16) & 0xff), ((ip >> 24) & 0xff));
    return(data);
}



u_char *find_replace_string(u_char *buf, int *len, u_char *old, int oldlen, u_char *new, int newlen) {
    //...cut...
}



int __cdecl myrecvfrom(SOCKET s, u_char *buf, int len, int flags, struct sockaddr *from, int *fromlen) {
    if(!find_replace_string(buf, &len, "\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20", 16, NULL, 0)) {
        fprintf(fdlog, "attacker IP: %s\n", ip2str(((struct sockaddr_in *)from)->sin_addr.s_addr));
        fflush(fdlog);
        return(0);
    }
    return(len);
}



BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch(fdwReason) {
        case DLL_PROCESS_ATTACH: {
            DisableThreadLibraryCalls(hinstDLL);
            fdlog = fopen("attacker.log", "ab");
            break;
        }
        default: break;
    }
    return(TRUE);
}

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

That's awesome. I've implimented it and added a date and time snippet to log that info with it. Thanks again.

One question about it though. Why did you impliment the fopen in the dllmain section? From what I can tell, it holds the file open. Is there a specific reason you don't open and close the file within the myrecvfrom function?

aluigi · **Posted:** 17 Mar 2010 10:24

no particular reason, I was probably thinking to a "frequent" logging and forgot that instead in this case the logging of the attacker should be enough "sporadic".
so yes a fopen+fprintf+fclose directly in myrecvfrom is probably better for this particular case.

regacct2 · **Joined:** 06 Mar 2010 09:00 **Posts:** 10

Awesome. Thanks a bunch. We are extremely happy with the way its working. Great program. Now I'm going to mess around with sending packets, but I think that's a bit off topic and I haven't had a chance to search your forums for it yet.

Thanks for all your help aluigi.

Luigi Auriemma

Find and drop a packet with myproxocket.dll