Hi, I'm trying to create a graphical shell for an online IRC game, and I was wondering how I could see what exactly was being sent and received by mIRC, and I want to know how to do a simple program that would do that, but could you explain to me how to do this?

Correction: Oh, this kind of program is called a "sniffer". Also, I noticed that hitchhikr had created a program that did this job (look here.) and I was wondering if it came with source code (the program was removed. :mad:) and if it did, could someone point me to it?

P.S. Please don't point me to some site explaining the IRC protocol, I want to have a learning tool. ;)

Posted on 2005-07-08 14:00:45 by SecretSwampert67
For your task, the IRC protocol would be the best reference.

But you might want to have a look at http://www.winpcap.org/misc/links.htm
Posted on 2005-07-08 14:09:01 by f0dder
Err... If I didn't specify it well enough, I'm just trying to create my own sniffer. I _don't_ want to have to install any drivers/files/etc to do that job. I just want to create my own.

If that's not possible in Win32Asm without installing some kind of extra file, you can just tell me it's impossible.
Posted on 2005-07-09 15:41:17 by SecretSwampert67
Yes it is possible with Assembler.
Posted on 2005-07-09 17:47:57 by James_Ladd
"everything" is possible in win32 assembly. What you want to do is possible in C or C++ as well. What you need to do is tell us WHAT exactly you want to do, and WHY you want to do it. There are too many script kiddies around, and we don't want to help those. What protocol level do you want to sniff? All ethernet, or just IP traffic?
Posted on 2005-07-09 21:05:15 by f0dder
Here's a small example of a raw socket for 2000/XP systems. It shows only download/upload speed.
I've used something like this in a bigger project to prevent browser connections with ad-servers; it looks like a real sniffer but has a "ban/unban" option :D

language syntax: nasm :)
standard include file not attached
Posted on 2005-07-09 22:52:55 by sapero
Hello Sapero,

That's a really cool program  ;) Thanks for sharing
Posted on 2005-07-09 23:48:26 by roticv
That is interesting and nice-looking coding style, sapero. Could you post the ams.inc (et cetera) includes you are using, or if it's part of some bigger package, the link to the package?
Posted on 2005-07-10 01:09:18 by f0dder
sorry for the delay, I had a problem with DNS
Uploaded all necessary files for compiling this example, including nasm and linker :)
Posted on 2005-07-10 06:18:59 by sapero
Man, am I slow. :O

Awesome work sapero, I'm looking through your source code, maybe I could use that to make my sniffer.

I was pretty sure that saying that it wouldn't be possible in Assembler might get a few posts. ;)

Alright, to explain:
Ok, I want to see inbound and outbound traffic being sent to and from mIRC. I personally guess that it would have something to do with pipes, although that might not be it. Anyway, I want the data to be saved to two separate files, input and output (probably in TXT format). Also, I only want data from the IP traffic.

I want to do this because I want to create a graphical IRC application, and therefore need to understand at least the following...

Signing in, Personal Messages, and the Server's User list.

Whenever I saw an IRC application, it would only be able to sign in, but I need the other two functions as well. (Automated bots take commands by personal messages and speaking on the server was disabled, and I need to know which bots are on.)

I'd give you the server and channel, but you guys wouldn't be interested. :P
Posted on 2005-07-10 09:29:56 by SecretSwampert67
so, what's wrong with internet today? I cannot update this example on freenet server, too many lags.
http://rapidshare.de/files/2954902/RawSocket_demo_all.zip.html
Received/sent data is split into two text files 8)
I leave the rest for you. Let me know about all bugs ;)

case (src_ip<>LOCAL_IP) and (dst_ip<>LOCAL_IP) is not handled (message not from/for you)
Posted on 2005-07-10 16:27:17 by sapero
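The splitting that sapero describes (received data into one text file, sent data into another, with packets that are neither from nor for LOCAL_IP left unhandled) can be shown in plain C on a constructed packet. The following is an added example, not sapero's code from the zip: it parses the IPv4 and TCP/UDP headers the way a raw-socket receiver sees them (IP header first, no Ethernet header), classifies the packet relative to a local address, and maps the direction to an output file name. The packet bytes, the 10.0.0.x addresses, the file names and the `DIR_*` names are all made up for the example; it does not verify checksums.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Direction of a captured IP packet relative to the local address.
 * DIR_NEITHER is the "not from/for you" case the post leaves unhandled. */
enum direction { DIR_INVALID = -1, DIR_INBOUND = 0, DIR_OUTBOUND = 1, DIR_NEITHER = 2 };

struct ip_summary {
    uint8_t  protocol;            /* IPv4 protocol field: 6 = TCP, 17 = UDP */
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* 0 unless TCP or UDP */
    size_t   payload_off;         /* offset of the transport payload in the buffer */
    size_t   payload_len;         /* length of that payload */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one IPv4 packet as delivered by a raw socket. Returns 0 on success,
 * -1 if the buffer is too short, not IPv4, or has inconsistent lengths. */
int parse_ipv4(const uint8_t *buf, size_t len, struct ip_summary *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;      /* IP header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    size_t total = rd16(buf + 2);                  /* total length field */
    if (total < ihl || total > len) return -1;     /* truncated or bogus length */

    memset(out, 0, sizeof *out);
    out->protocol    = buf[9];
    out->src_ip      = rd32(buf + 12);
    out->dst_ip      = rd32(buf + 16);
    out->payload_off = ihl;
    out->payload_len = total - ihl;

    if (out->protocol == 6) {                      /* TCP: data offset in upper nibble of byte 12 */
        if (out->payload_len < 20) return -1;
        size_t thl = (size_t)(buf[ihl + 12] >> 4) * 4;
        if (thl < 20 || thl > out->payload_len) return -1;
        out->src_port = rd16(buf + ihl);
        out->dst_port = rd16(buf + ihl + 2);
        out->payload_off += thl;
        out->payload_len -= thl;
    } else if (out->protocol == 17) {              /* UDP: fixed 8-byte header */
        if (out->payload_len < 8) return -1;
        out->src_port = rd16(buf + ihl);
        out->dst_port = rd16(buf + ihl + 2);
        out->payload_off += 8;
        out->payload_len -= 8;
    }
    return 0;
}

/* Classify a parsed packet against the local address (host byte order). */
enum direction classify(const struct ip_summary *s, uint32_t local_ip)
{
    if (s->dst_ip == local_ip) return DIR_INBOUND;
    if (s->src_ip == local_ip) return DIR_OUTBOUND;
    return DIR_NEITHER;   /* seen on the wire but not addressed to or from this host */
}

/* File that a packet's payload belongs in; NULL for packets to ignore. (Names are made up.) */
const char *log_name(enum direction d)
{
    switch (d) {
    case DIR_INBOUND:  return "received.txt";
    case DIR_OUTBOUND: return "sent.txt";
    default:           return NULL;
    }
}

/* Constructed sample: IPv4/TCP, 10.0.0.2:6667 -> 10.0.0.5:1025, 14-byte payload. */
static const uint8_t SAMPLE_PKT[] = {
    /* IPv4 header: version 4, IHL 5, total length 54, TTL 64, protocol 6, checksum left 0 */
    0x45,0x00,0x00,0x36, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0A,0x00,0x00,0x02,   /* src 10.0.0.2 (the "server") */
    0x0A,0x00,0x00,0x05,   /* dst 10.0.0.5 (LOCAL_IP in this example) */
    /* TCP header: ports 6667 -> 1025, data offset 5, flags PSH|ACK, checksum left 0 */
    0x1A,0x0B,0x04,0x01, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x18,0xFF,0xFF, 0x00,0x00,0x00,0x00,
    /* payload */
    'P','I','N','G',' ',':','s','e','r','v','e','r','\r','\n'
};

int main(void)
{
    struct ip_summary s;
    const uint32_t local_ip = 0x0A000005u;   /* 10.0.0.5 */
    if (parse_ipv4(SAMPLE_PKT, sizeof SAMPLE_PKT, &s) != 0) return 1;
    enum direction d = classify(&s, local_ip);
    const char *name = log_name(d);
    printf("proto %u %u -> %u, %zu payload bytes -> %s\n", s.protocol,
           s.src_port, s.dst_port, s.payload_len, name ? name : "(ignored)");
    fwrite(SAMPLE_PKT + s.payload_off, 1, s.payload_len, stdout);
    return 0;
}
```

In a real capture loop the `fwrite` would target the file `log_name` returns, and the `DIR_NEITHER` branch is where a choice has to be made (drop, or log to a third file) rather than falling through.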

Hi sapero,

The program works as supposed on my Win2k SP4 regarding traffic monitoring, but when I click on the combo to choose the interface or on the "Stop" button it crashes every time (it may be because of my Kerio firewall ..? )

Eugen
Posted on 2005-07-12 18:01:56 by Eugen
Eugen,

try to debug this proggy, here on xp home/pro I have it clean, no exceptions
Maybe memory access from the thread to global variables should be changed to Interlocked*()
The firewall has nothing to do with this proggy (99%), the name of raw socket handle is \Device\RawIp\0

And try to compile with new import libraries (use libtool, alib from nagoa...)
or break the while loop in ThreadProc() - remove jmp .receive
do not run timer TIMER_UPDATESPEED in RawCreate()
change image base in make.bat
Posted on 2005-07-12 19:49:49 by sapero
Sapero,

I have the same problem with your program as Eugen does, on Win2K SP4. If my analysis is correct, then one of your macros has a built-in error. Look at a disassembly of the dialog procedure:


00401278                    off_00401278:              ; Xref 00401254
00401278 55                    push    ebp
00401279 89E5                  mov     ebp,esp
0040127B 53                    push    ebx
0040127C 57                    push    edi
0040127D 56                    push    esi
0040127E 81EC08000000          sub     esp,8
00401284 817D0C10010000        cmp     dword ptr [ebp+0Ch],110h


That part of the code sets up a stack frame, pushes EBX, EDI, and ESI, and then reserves 8 bytes for local variables. Note that the local variables are thus located at , i.e., at .

Later in the code, the local variables are accessed. However, they are addressed with the wrong offset from EBP:


004012FF                    loc_004012FF:              ; Xref 004012DA
004012FF 817D0C11010000        cmp     dword ptr [ebp+0Ch],111h
00401306 0F853B000000          jne     loc_00401347
0040130C 8B4510                mov     eax,[ebp+10h]
0040130F 89C2                  mov     edx,eax
00401311 C1EA10                shr     edx,10h
00401314 8955F8                mov     [ebp-8],edx        ; <== this overwrites the saved value of EDI
00401317 25FFFF0000            and     eax,0FFFFh
0040131C 8945FC                mov     [ebp-4],eax        ; <== this overwrites the saved value of EBX
0040131F 817DFCF3030000        cmp     dword ptr [ebp-4],3F3h
00401326 0F8516000000          jne     loc_00401342
0040132C 817DF800000000        cmp     dword ptr [ebp-8],0
00401333 7508                  jnz     loc_0040133D


[EBP-8] and [EBP-4] would be the correct addresses if EBX / ESI / EDI had not been pushed. However, they have been pushed, and the pushed values on the stack get overwritten now. Which leads to problems on Win2K when later restoring EBX / ESI / EDI from the stack. WinXP is much more forgiving in that respect.

Regards

    Frank
Posted on 2005-07-13 10:51:16 by Frank
Not for me. *has XP SP2*

Crashes whenever I click that bugger. X_X
Posted on 2005-07-13 11:04:38 by SecretSwampert67
sub esp,8 - this must be the macro SUB followed by UINT (local variable)
Here is another macro PROC fn_name, stack_size {, parameters}; it uses only enter x,y; the "sub esp" is not applied

I've replaced all SUB's (with local variables) with the PROC macro, and fixed the if*equal macro :)
The SUB macro is good if you do not use local variables; in the PROC macro you must specify the stack frame size

http://www.qfile.de/dl/83301/rawsocket_demo_all.zip.html
Posted on 2005-07-13 12:48:48 by sapero