Proxocket

From Knowledge Database

Jump to: navigation, search

Contents

Overview

Proxocket is a dll proxy project for the main Winsock functions which allows to capture any type of packet and data sent/received by a specific software of your choice and optionally modifying its content or the connect, bind and accept functions through a custom dll very easy to create. Proxocket handles the following functions for both ws2_32.dll and wsock32.dll: WSAStartup, socket, WSASocketA, WSASocketW, closesocket, connect, WSAConnect, bind, accept, WSAAccept, recv, recvfrom, WSARecv, WSARecvFrom, WSARecvEx, send, sendto, WSASend, WSASendTo. it has also specific support for TCP, UDP, ICMP, IGMP and RAW packets with handling of SOCK_STREAM, SOCK_DGRAM and SOCK_RAW on both incoming and outgoing data. the project is divided in two parts:

  • monitoring/sniffing: a CAP file in tcpdump format will be generated for any captured packet, this is the default operation
  • user's custom manipulation of the captured data: through a custom myproxocket.dll edited and created by the same user is possible to have control over the captured data like creating a rudimental firewall for a specific software or editing the data which will be passed to the main program on the fly or creating a decompressor/decrypter/protocol_analyzer and so on

read the text file inside for more informations and if you want to write a plugin take a look at the source code of my myproxocket.c example. the following are some "example plugins" I wrote for proxyfying the main program and or doing some things:

  1. web proxy forcer 0.1: works like a classical web proxyfier
  2. web proxy forcer mode2 0.1: works like a classical web proxyfier
  3. connect proxy forcer 0.1: works like a CONNECT proxyfier
  • note: if you have Vista and the local ws2_32/wsock32 dlls are not loaded try to set the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\DevOverrideEnable" to 1
  • note: the exported functions of myproxocket.dll MUST be declared as CDECL, this is default on Mingw but not on other compilers.


Introduction

Proxocket is a dll proxy project for the main Winsock functions which allows to capture any type of packet and data sent/received by a specific software of your choice and optionally modifying its content through a custom dll easy to develop.

Proxocket handles the following functions for both ws2_32.dll and wsock32.dll: WSAStartup, socket, WSASocketA, WSASocketW, closesocket, connect, WSAConnect, bind, accept, WSAAccept, recv, recvfrom, WSARecv, WSARecvFrom, WSARecvEx, send, sendto, WSASend, WSASendTo.

Note that the handling of the WSARecv* and WSASend* functions is still experimental and overlapping is not supported.


Capturing the packets

  • Get the WS2_32.DLL and "optionally" WSOCK32.DLL files located in the

Proxocket package and copy it or them in the folder of the software you want to monitor. anyway remember that is better if you use only one of the two dlls to avoid problems.

  • When you will start that program will be generated a proxocket_DATE.cap

file which will contain all the packets sent and received by the main program. This CAP file is in tcpdump format so you can use any sniffer to open and read it, like Wireshark: http://www.wireshark.org

  • Proxocket is able to handle and dump any TCP, UDP, ICMP, IGMP and RAW

packet with automatic handling of the SOCK_STREAM, SOCK_DGRAM and SOCK_RAW type in both sending and receiving.


Notes, problems and solutions It has been reported that on Vista the dll proxying could not work properly, in that case "seems" possible to override the problem by setting the following registry key to 1 with regedit:

 HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\DevOverrideEnable
  • If the program you want to monitor crashes when started, remove the

Proxocket WSOCK32.DLL file from its folder leaving only WS2_32.DLL and it should work. An example of programs that don't accept both these files are Firefox, Filezilla and Pidgin.

  • If you have doubts if the program you want to monitor uses ws2_32 or

wsock32 simply open it with a hex editor or search one of these two strings in the executable... or more simply if the CAP file is not generated with the Proxocket WS2_32.DLL remove it and place WSOCK32.DLL.

  • If the CAP file is not generated in any case means that the program uses

a direct link to the original file located in the Windows directory or other advanced solutions... very rare cases.


Custom handling / modification of the packets

  • Proxocket has also an additional feature, it can be used for modifying

and/or handling the sending and receiving of the data and even the incoming and outgoing connections.

  • This feature is customly made by the user who must get the

src/myproxocket.c code (and src/proxocket_defines.h too which contains some needed variables and defines in it), modifying it where he wants and he needs or rewriting it from scratch using my one only as quick reference and example, recompiling it as MYPROXOCKET.DLL and placing it in the folder of the program to hook with the other WS2_32.DLL or WSOCK32.DLL files.

  • So, for example, if we want that all the incoming UDP packets to be

composed only by 'A' chars, it's enough to place a memset(buf,'A',len); in the myrecvfrom function. Or if we want we can create a custom MYPROXOCKET.DLL which is able to decrypt or decompress in real time a specific protocol (for example for Ventrilo or the compression of some Doom ports and so on for anything else).

required to modify and use it correctly, the comments and examples contained there are everything is needed to start with the programming of this useful component of Proxocket.

  • When the Proxocket dlls (ws2_32/wsock32) find MYPROXOCKET.DLL in the

same folder all the functions in this dll will be automatically loaded and used when required, so if you need to hook only the recvfrom function you can delete all the mysocket, myconnect, mybind, myaccept and other functions that you don't use.

  • When the myproxocket feature is enabled the capturing function will be

automatically disabled, so will be created no CAP files.

How it works and advantages / disadvantages

  • The idea of Proxocket is the one of the dll proxies, so it's

constituited by a ws2_32.dll and wsock32.dll which are used between the main program and the real ws2_32.dll and wsock32.dll files:

 program <-> Proxocket ws2_32.dll <-> real ws2_32.dll
  • This is possible because the dlls used by the programs are first

searched in their current folder and if these dlls are not found will be searched in c:\windows\system32 and so on.

  • So if Firefox is in c:\programs\Firefox and you start firefox.exe or one

of its links it will get the ws2_32.dll located in c:\programs\Firefox and then will switch to the other system paths if the file is not found.

  • The advantages of this method are that it's not needed to hook the

functions with a dll hooker/injector at loading/runtime, everything is transparent for the main program allowing to proxify also programs that use anti-debugging techniques or particular executables, works also on localhost, differently to a sniffer the generated CAP file is exactly in the order and with the packets as they have been generated/received, and the myproxocket.dll feature allows anyone to have full control over the data in real-time (so is possible to create other derived projects like minimalistic firewalls or socket patches for specific bugged programs/games and so on, without losing performances).

  • The only disadvantage I can see happens if the program to monitor/modify

prevents the usage of dlls from its same folder but this is very rare.

  • Note: when using the main monitoring feature of Proxocket (the dumping

of the packets in the tcpdump file) sometimes with multi-threaded programs could happen an incorrect generation of the CAP file, anyway it's a rare event.

  • The tool initializes itself (capturing and myproxocket) when WSAStartup

is called by the main program.


Functions of myproxocket

  • or so called commented header of myproxocket.c
  • Example of myproxocket.dll by Luigi Auriemma

if you don't know it, myproxocket.dll is a dll read by proxocket (ws2_32.dll/wsock32.dll) and used to control some functions like send, recv, connect and so on. all you need to do is just creating a myproxocket.dll file exporting the CDECL functions explained below

The following are all the available functions under your control:

myfunction <- original functions execution BEFORE or AFTER the original functions and return value


  • mysocket <- socket, WSASocket BEFORE >= 0: returns your value: INVALID_SOCKET: returns INVALID_SOCKET, any_other_value: calls the original function
  • myconnect <- connect, WSAConnect BEFORE 0: calls real connect, SOCKET_ERROR: returns SOCKET_ERROR, any_other_value: bypasses the real connect and returns 0
  • myaccept <- accept, WSAAccept AFTER the main program will receive the same return value returned by you
  • mybind <- bind BEFORE 0: calls real bind, SOCKET_ERROR: returns SOCKET_ERROR, any_other_value: bypasses the real bind and returns 0
  • myclose <- closesocket AFTER the main program will receive the same return value returned by you
  • myrecv <- recv, WSARecv AFTER the main program will receive the same return value returned by you
  • myrecvfrom <- recvfrom, WSARecvFrom AFTER the main program will receive the same return value returned by you
  • mysend <- send, WSASend BEFORE >= 0: calls real send, SOCKET_ERROR: returns SOCKET_ERROR, any_other_value: bypasses the real send/WSASend and returns the original len
  • mysendto <- sendto, WSASendTo BEFORE >= 0: calls real sendto, SOCKET_ERROR: returns SOCKET_ERROR, any_other_value: bypasses the real sendto/WSASendTo and returns the original len

in the AFTER functions remember that, obviously, they are called only if the original function succeded so if the real recv() returned SOCKET_ERROR myrecv() will be NOT called.

  • note: in case you are asking what is the value of SOCKET_ERROR/INVALID_SOCKET it's -1

as visible in this code, all the my* functions have the same prototype of the original homonym functions (except mysend and mysendto due to technical reasons) so there are no possibilities of errors or misunderstandings. for example, in myrecv and myrecvfrom the len value is the one returned by recv/recvfrom and buf contains the data received, while in myaccept the s value is the socket returned by accept().so, if the original recv failed (connection lost) myrecv will be not called. in mysend, instead, you can control the content and length of the data before the real sending, and the return value will be used as length for the original function, if you return a value which is not SOCKET_ERROR and is minor than 0 (for example -0x77777777) the original send() will be NOT called allowing you to drop a packet or to generate a socket error visible by the main program.

  • use the following instructions for retrieving IP and port from a sockaddr structure:
   u32     ip   = 0;
   u16     port = 0;
   if(name) {
       ip   = ((struct sockaddr_in *)name)->sin_addr.s_addr;
       port = ntohs(((struct sockaddr_in *)name)->sin_port);
   }

remember that you SHOULD delete ALL the my* functions that you don't use, so if you need only to modify the incoming UDP packets you can remove mysocket, myconnect, mybind, myaccept and all the other functions except myrecvfrom (even DllMain can be removed).

as visible, in this example there are already various real socket functions which can be used in any moment without losing time to implement them: socket connect, accept, bind, close, recv, recvfrom, send and sendto.

at the moment this plugin must be considered experimental so any feedback about improving it is highly welcome and needed.

gcc -o myproxocket.dll myproxocket.c -shared

Download


Usage

  • Proxocket must be compiled from the source code into an .dll file in order to use it. source code is modified in order to get the desired effect.
  • MingW can be used to compile proxocket as .dll


Tutorials and code

  • Here are some example codes of what is possible to do with proxocket


Binding specific Network Interface Controller

  • Can be done by compiling the following .c code into myproxocket.dll
  • Also known as NIC or Network Adapter
  • Here is code
  • it has to be put into a .c file, which can be made using notepad or any other text editor, however it is recommended to use notepad++, because of its C language support.
  • here is used "proxocket_bind.c" as filename
/* 

Force binding of local IP address 0.1
by Luigi Auriemma
e-mail: [email protected]
web:    aluigi.org

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <winsock.h>
#include <windows.h>



static char     bindipstr[] = "192.168.1.115"; 
static u_int    bindip  = 0;
static HMODULE wsock = NULL;
static WINAPI SOCKET (*real_socket)(int af, int type, int protocol) = NULL;
static WINAPI int (*real_bind)(SOCKET s, const struct sockaddr *name, int namelen) = NULL;



u_int str2ip(u_char *data) {
   unsigned    a, b, c, d;

   if(!data[0]) return(0);
   sscanf(data, "%u.%u.%u.%u", &a, &b, &c, &d);
   return((a & 0xff) | ((b & 0xff) << 8) | ((c & 0xff) << 16) | ((d & 0xff) << 24));
}



void init_myproxocket(void) {
   char    winpath[MAX_PATH];

   if(wsock) return;   // already set

   GetSystemDirectory(winpath, sizeof(winpath));
   strcat(winpath, "\\ws2_32.dll");

   wsock = LoadLibrary(winpath);
   if(!wsock) return;

   real_socket    = (void *)GetProcAddress(wsock, "socket");
   real_bind      = (void *)GetProcAddress(wsock, "bind");

   bindip = str2ip(bindipstr);
}



void free_myproxocket(void) {
   if(wsock) {
       FreeLibrary(wsock);
       wsock = NULL;
   }
}



SOCKET mysocket(int af, int type, int protocol) {
   struct sockaddr_in  peer;
   int     s,
           on  = 1;

   s = real_socket(af, type, protocol);
   if(s < 0) return(s);

   peer.sin_addr.s_addr = bindip;
   peer.sin_port        = 0;
   peer.sin_family      = af;
//    setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on));
//    bind(s, (struct sockaddr *)&peer, sizeof(struct sockaddr_in));

   return(s);
}



int mybind(SOCKET s, const struct sockaddr *name, int namelen) {
   ((struct sockaddr_in *)name)->sin_addr.s_addr = bindip;
   return(0);
}



BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
   switch(fdwReason) {
       case DLL_PROCESS_ATTACH: {
           DisableThreadLibraryCalls(hinstDLL);
           init_myproxocket();
           break;
       }
       case DLL_PROCESS_DETACH: {
           free_myproxocket();
           break;
       }
       default: break;
   }
   return(TRUE);
}
  • It is needed to replace example IP address with the one that you want to bind.
  • Example
  • if your IP address of NIC is 192.168.1.66, then you must replace
static char     bindipstr[] = "192.168.1.115"; 
  • with this
static char     bindipstr[] = "192.168.1.66"; 
  • and compile
  • Here is same code already as an .c file Media:Myproxocket_bind.rar (need to be extracted into mingw/bin or has to be used full path) which can be compiled using mingw and the following command
gcc -o myproxocket.dll myproxocket_bind.c -shared


Replacing string in an outgoing packet(s)

  • Can be done by compiling the following .c code into myproxocket.dll
  • First must be specified the parts to find and replace
  • Here is example of what to change
buf = find_replace_string(buf, &len, "replace this", "with this");
  • This must be replaced with the string you want to replace
  • here is example of Flashchat exploit, which will give you partial administrator rights if proxocket is used with your web browser
buf = find_replace_string(buf, &len, "5D&t=", "5D&s=7&t=");
  • Media:Myproxocket_replace_send.rar
  • Extract it into mingw/bin folder and then following command can be used to compile "Myproxocket_replace_send.c" (alternatively can be extracted anywhere and used full path instead of myproxocket_replace_send.c. like "C:/myname/proxocket/myproxocket_replace_send.c", quates are needed)
gcc -o myproxocket.dll myproxocket_replace_send.c -shared


  • Article by Sethioz 15:45, 15 May 2010 (UTC)
  • Example code, tool and description by Luigi
Personal tools