
help with existing code


ADoozer

Programmer
Dec 15, 2002
3,487
AU
This is a Windows app (through VC++).

I have an application written in C which is a basic packet sniffer. (It wasn't written by me.)

For my purposes I have modified it to look for IPs that are banned and send via a pipe (CreateNamedPipe) to my particular program.

This is all well and good... however I have learned that the program I am sending data to can be crashed by a malformed packet.

Unfortunately I have no access to the network code (as this is game engine code) and can only "see" the malformed packet.

Question time: I'm using <winsock2.h> and I'm clearly intercepting the packets (because if I set a breakpoint in my sniffer my server doesn't crash). Is it possible to DROP a packet?

I can provide a copy of the logger and a copy of the program that is crashing it, if necessary. But basically this is my code (there's obviously a bit more to it but I don't want to clutter the thread):

Code:
WSABUF wsb;
char rcvbuf[MAX_IP_SIZE];	

wsb.buf = rcvbuf;	

while (bThreadActive) {
   wsb.len = MAX_IP_SIZE;
   memset(wsb.buf, 0x0, MAX_IP_SIZE);
   GetPacket(&wsb);
   CheckFilter(rcvbuf);
}


/* sock is the raw socket opened elsewhere in the sniffer */
extern SOCKET sock;

int GetPacket(WSABUF *wbuf)
{
    DWORD dwBytesRet = 0, dwFlags = 0;

    if (SOCKET_ERROR == WSARecv(sock, wbuf, 1, &dwBytesRet, &dwFlags, NULL, NULL))
        fprintf(stderr, "WSARecv failed. Code %u\n", WSAGetLastError());
    /* report how many bytes actually arrived */
    wbuf->len = dwBytesRet;

    return 0;
}

Now in CheckFilter I can look at the protocol, packet type etc. etc....

But I need to see if the packet is too big:

Code:
/* IPv4 total length lives at offset 2 of the header, so index the buffer, not the WSABUF struct */
dwPktLen = (DWORD)ntohs(*(WORD *)(wsb.buf + 2));

and drop/delete it if it is.

Hope someone can help.

If something's hard to do, it's not worth doing - Homer Simpson
 
So write a validate function.

Code:
while (bThreadActive) {
   wsb.len = MAX_IP_SIZE;
   memset(wsb.buf, 0x0, MAX_IP_SIZE);
   GetPacket(&wsb);
   if ( ValidatePacket(&wsb) ) {
      CheckFilter(rcvbuf);
   } else {
      // log bad packet perhaps
   }
}

Say for example
Code:
BOOL ValidatePacket(WSABUF *wsb) {
  /* received byte count must match the length the IPv4 header claims */
  return wsb->len == (DWORD)ntohs(*(WORD *)(wsb->buf + 2));
}

--
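A fuller version of Salem's validate function, as an added example that is not code from the thread: it parses the IPv4 header byte-wise (no unaligned WORD cast, no dependence on ntohs) and checks version, IHL and total length against the byte count WSARecv actually returned, which is the figure the sniffer's dwBytesRet holds. The verdict names and the constructed sample packets (documentation addresses 192.0.2.x) are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdict codes for the validator (names are this example's own). */
enum pkt_verdict { PKT_OK = 0, PKT_TOO_SHORT, PKT_BAD_VERSION, PKT_BAD_IHL, PKT_LEN_MISMATCH };

/* Read a 16-bit big-endian field byte-wise: no ntohs(), no unaligned WORD cast. */
static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Check the IPv4 header of a raw packet `buf` of `received` bytes (the value
 * WSARecv stored in dwBytesRet).  Only PKT_OK means every length field agrees
 * with what actually arrived; anything else is a candidate to log and skip. */
enum pkt_verdict validate_ipv4(const unsigned char *buf, size_t received)
{
    if (received < 20)
        return PKT_TOO_SHORT;                       /* smaller than a minimal IPv4 header */
    if ((buf[0] >> 4) != 4)
        return PKT_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;       /* header length in bytes */
    if (ihl < 20 || ihl > received)
        return PKT_BAD_IHL;
    size_t total = be16(buf + 2);                   /* the field the thread reads at offset 2 */
    if (total < ihl || total != received)
        return PKT_LEN_MISMATCH;                    /* claims more (truncated) or less than arrived */
    return PKT_OK;
}

/* Constructed sample packets for demonstration (not captured traffic).
 * kind 0: well-formed; 1: header claims 1500 bytes but only 32 arrived;
 * 2: IHL of 3 (12-byte header, illegal); 3: only 10 bytes received. */
static size_t build_sample(unsigned char *out, int kind)
{
    static const unsigned char hdr[20] = {
        0x45, 0x00, 0x00, 0x20,  /* v4, IHL=5, TOS 0, total length 32 */
        0x12, 0x34, 0x40, 0x00,  /* id, flags (DF) / fragment offset */
        0x40, 0x11, 0x00, 0x00,  /* TTL 64, protocol UDP, checksum (not verified here) */
        192, 0, 2, 1,            /* src 192.0.2.1 (documentation range) */
        192, 0, 2, 2             /* dst 192.0.2.2 */
    };
    memcpy(out, hdr, 20);
    memset(out + 20, 0xAB, 12);                     /* 12 bytes of dummy payload */
    switch (kind) {
    case 1:  out[2] = 0x05; out[3] = 0xDC; return 32;   /* total length field = 1500 */
    case 2:  out[0] = 0x43; return 32;                  /* version 4, IHL 3 */
    case 3:  return 10;                                 /* truncated below minimum header */
    default: return 32;
    }
}

/* Build sample `kind`, validate it and return the verdict as an int. */
int sample_verdict(int kind)
{
    unsigned char buf[64];
    size_t n = build_sample(buf, kind);
    return (int)validate_ipv4(buf, n);
}

int main(void)
{
    static const char *names[] = { "OK", "TOO_SHORT", "BAD_VERSION", "BAD_IHL", "LEN_MISMATCH" };
    for (int kind = 0; kind < 4; kind++)
        printf("sample %d -> %s\n", kind, names[sample_verdict(kind)]);
    return 0;
}
```

In the sniffer loop this replaces the single length comparison: a packet that fails any check is logged and skipped, which is all a sniffer can do; it still reaches the game unless something inline stops it.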
 
Hi Salem,

I already look for the packet being too long in CheckFilter.

I need a way of deleting/dropping the packet completely, as it is deliberately malformed and causes my other program to crash. (Buffer overrun, and I don't have access to make the buffer bigger.)

If something's hard to do, it's not worth doing - Homer Simpson
 
So simply not passing on the malformed packet doesn't count as dropping it?

Or do you mean "drop" at some protocol level?

--
 
I think we have our wires crossed.

I don't know how to not pass it on.

The sniffer thread is launched by CreateThread(...
where the "pointer to thread function" is the following function:

Code:
DWORD WINAPI SniffThread(LPVOID param)
{
    WSABUF wsb;
    char rcvbuf[MAX_IP_SIZE];

    wsb.buf = rcvbuf;

    while (bThreadActive) {
        wsb.len = MAX_IP_SIZE;
        memset(wsb.buf, 0x0, MAX_IP_SIZE);
        GetPacket(&wsb);
        CheckFilter(rcvbuf);
        //if we detected an oversize package nuke it or modify it
        //????
    }

    return 0;
}

Now, if I detect a malformed packet, I need to know how to
a) modify the packet (possibly change the size)
or
b) delete/drop it

Hope that clarifies my situation a bit better.

If something's hard to do, it's not worth doing - Homer Simpson
 
Doesn't really sound like this is the job of a sniffer.
It sounds like something that should be done with a
firewall and in kernel space.
For instance, if there is a specific length packet that
causes this behavior and the packets are ICMP based, a
(Linux) iptables rule like:
Code:
iptables -A INPUT -s 0/0 -p icmp -m length --length 1133 -j DROP

For windows, I'm not quite sure what your options are.
The windows firewall and packet filter are not quite so granular afaik.
 
OK, my server admin guy says he can add a script to the firewall (I assume along the lines of what marsd has suggested).

However I'm still looking for a way to do this in Windows.

Can anybody point me in the direction of a tutorial using WSA calls (WSASocket, WSAIoctl etc.) as I'm clearly not understanding the MSDN documentation.

All I can assume is that the data I'm receiving in my app is no more than a copy of the packet (as resetting the buffer does nothing), which makes me wonder: is it actually possible to intercept packets in Windows with WSARecv?

Thanks for the input so far.

If something's hard to do, it's not worth doing - Homer Simpson
 
> All I can assume is that the data I'm receiving in my app is no more than a copy of the packet
Yeah, that's the impression I'm getting now (finally).

If you're using a sniffer, there is nothing you can do.

Your arrangement looks like this (I imagine)
Code:
IP Stack -------+-------> Game
                |
                |
                |
                +-------> Sniffer
Nothing you do in the sniffer will affect what the game sees. You may determine in the sniffer that a bad packet was received, but there's nothing you can do about it.

In order to actually change the outcome, you need to be a firewall (of sorts).
Code:
IP Stack -------->Filter->-------> Game
In this arrangement, you see all the packets before they get to the game, and can determine whether (or not) to forward the packet on to its final destination.

--
 
Hmmm... what I was expecting, but not the news I wanted :(

Oh well, it looks like my only option is to log the IP of the sender, wait for an admin to reset the server and add the IP to the firewall.

thnx.

If something's hard to do, it's not worth doing - Homer Simpson
 
So why not create a filter.

If the game is set up to read from xxx.xxx.xxx.xxx:port, then all you need to do is create an application which does this:

Listens on 127.0.0.1:port for a connection
On connection, connects itself to xxx.xxx.xxx.xxx:port
After that, just forwards messages in both directions.
Or filters them based on your rules.

The game itself now connects to 127.0.0.1:port

--
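Salem's filter idea worked through, as an added example that is not code from the thread: a small inline relay in C that the game talks to on 127.0.0.1, which forwards to the real peer and applies a rule to every message in both directions. It relays UDP datagrams rather than the TCP connection in Salem's sketch, because a per-message length rule needs message boundaries and UDP gives them for free; the peer address, ports and MAX_GAME_PAYLOAD are placeholders, and should_forward() is the hypothetical rule hook that a real deployment would extend. The #ifdef keeps it buildable with Winsock as well as POSIX sockets.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
typedef int SOCKET;
#define closesocket close
#endif

#define MAX_GAME_PAYLOAD 512   /* hypothetical: largest datagram the game parser is known to handle */
#define RELAY_BUF 65536        /* largest UDP payload that can arrive */

/* Filter rule applied to every message.  Returns 1 to forward, 0 to drop.
 * This is the one place a sniffer cannot have: a decision made before delivery. */
int should_forward(const unsigned char *msg, size_t len, size_t max_len)
{
    (void)msg;                         /* content checks would go here */
    if (len == 0) return 0;            /* empty datagrams carry nothing the game needs */
    if (len > max_len) return 0;       /* the oversize case from the thread */
    return 1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <listen_port> <peer_ip> <peer_port>\n", argv[0]);
        return 1;
    }
#ifdef _WIN32
    WSADATA wsd;
    if (WSAStartup(MAKEWORD(2, 2), &wsd) != 0) return 1;
#endif
    SOCKET game = socket(AF_INET, SOCK_DGRAM, 0);   /* game sends to us here (127.0.0.1:port) */
    SOCKET peer = socket(AF_INET, SOCK_DGRAM, 0);   /* we talk to the real xxx.xxx.xxx.xxx:port */
    struct sockaddr_in local, remote, client;
    memset(&local, 0, sizeof local); memset(&remote, 0, sizeof remote); memset(&client, 0, sizeof client);
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    local.sin_port = htons((unsigned short)atoi(argv[1]));
    remote.sin_family = AF_INET;
    remote.sin_port = htons((unsigned short)atoi(argv[3]));
    if (inet_pton(AF_INET, argv[2], &remote.sin_addr) != 1) { fprintf(stderr, "bad peer ip\n"); return 1; }
    if (bind(game, (struct sockaddr *)&local, sizeof local) != 0) { perror("bind"); return 1; }
    if (connect(peer, (struct sockaddr *)&remote, sizeof remote) != 0) { perror("connect"); return 1; }

    static unsigned char buf[RELAY_BUF];
    int have_client = 0;                            /* set once the game has sent something */
    for (;;) {
        fd_set rd;
        FD_ZERO(&rd); FD_SET(game, &rd); FD_SET(peer, &rd);
        SOCKET maxfd = game > peer ? game : peer;
        if (select((int)maxfd + 1, &rd, NULL, NULL, NULL) < 0) break;

        if (FD_ISSET(game, &rd)) {                  /* outbound: game -> rule -> peer */
            socklen_t alen = sizeof client;
            int n = (int)recvfrom(game, (char *)buf, sizeof buf, 0, (struct sockaddr *)&client, &alen);
            if (n > 0) {
                have_client = 1;
                if (should_forward(buf, (size_t)n, MAX_GAME_PAYLOAD))
                    send(peer, (const char *)buf, (size_t)n, 0);
                else
                    fprintf(stderr, "dropped %d-byte datagram from game side\n", n);
            }
        }
        if (FD_ISSET(peer, &rd)) {                  /* inbound: peer -> rule -> game */
            int n = (int)recv(peer, (char *)buf, sizeof buf, 0);
            if (n > 0 && have_client) {
                if (should_forward(buf, (size_t)n, MAX_GAME_PAYLOAD))
                    sendto(game, (const char *)buf, (size_t)n, 0, (struct sockaddr *)&client, sizeof client);
                else
                    fprintf(stderr, "dropped %d-byte datagram from peer side\n", n);
            }
        }
    }
    closesocket(game);
    closesocket(peer);
    return 0;
}
```

Run it as `relay 27016 192.0.2.10 27015` (constructed values) and point the game at 127.0.0.1:27016; anything the rule rejects is logged on stderr and never reaches the game, which is the drop the thread was asking for.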
 
Gah.

I'm going to try your suggestion on a filter (if just to say I've done it).

However, crisis is over. The guy who wrote and released the crash app has also released a bug fix for the game engine.

Turns out he's well known for digging up exploits, releasing them, then fixing them (wish I'd have known that 2 months ago!!!!!)

thnx ever so much for the patience.

If something's hard to do, it's not worth doing - Homer Simpson
 