Hi, I'm trying to create a graphical shell for an online IRC game, and I was wondering how I could see what exactly was being sent and received by mIRC, and I want to know how to do a simple program that would do that, but could you explain to me how to do this?
Correction: Oh, this kind of program is called a "sniffer". Also, I noticed that hitchhikr had created a program that did this job (look here.) and I was wondering if it came with source code (the program was removed. :mad:) and if it did, could someone point me to it?
P.S. Please don't point me to some site explaining the IRC protocol, I want to have a learning tool. ;)
For your task, the IRC protocol would be the best reference.
But you might want to have a look at http://www.winpcap.org/misc/links.htm
Err... If I didn't specify it well enough, I'm just trying to create my own sniffer. I _don't_ want to have to install any drivers/files/etc to do that job. I just want to create my own.
If that's not possible in Win32Asm without installing some kind of extra file, you can just tell me it's impossible.
Yes it is possible with Assembler.
"everything" is possible in win32 assembly. What you want to do is possible in C or C++ as well. What you need to do is tell us WHAT exactly you want to do, and WHY you want to do it. There are too many script kiddies around, and we don't want to help those. What protocol level do you want to sniff? All ethernet, or just IP traffic?
Here's a small example for raw socket for 2000/XP systems. It shows only download/upload speed.
Something like this I've used in a bigger project to prevent browser connections with ad-servers, this looks like a real sniffer but has a "ban/unban" option :D
language syntax: nasm :)
standard include file not attached
Hello Sapero,
That's a really cool program ;) Thanks for sharing
That is interesting and nice-looking coding style, sapero. Could you post the ams.inc (et cetera) includes you are using, or if it's part of some bigger package, the link to the package?
sorry for the time, I had a problem with DNS
Uploaded all necessary files for compiling this example; including nasm and linker :)
Man, am I slow. :O
Awesome work sapero, I'm looking through your source code, maybe I could use that to make my sniffer.
I was pretty sure that saying that it wouldn't be possible in Assembler might get a few posts. ;)
Alright, to explain:
Ok, I want to see inbound and outbound traffic being sent to and from mIRC. I personally guess that it would have something to do with pipes, although that might not be it. Anyway, I want the data to be saved to two separate files, input and output (probably in TXT format). Also, I only want data from the IP Traffic.
I want to do this because I want to create a graphical IRC application, and therefore need to understand at least the following...
Signing in, Personal Messages, and the Server's User list.
Whenever I saw an IRC application, it would only be able to sign in, but I need the other two functions as well. (Automated Bots take commands by personal messages and speaking on the server was disabled, and I need to know which bots are on.)
I'd give you the server and channel, but you guys wouldn't be interested. :P
so, what's wrong with internet today? I cannot update this example on freenet server, too many lags.
http://rapidshare.de/files/2954902/RawSocket_demo_all.zip.html
Received/sent data is split into two text files 8)
I leave the rest for you. Let me know all bugs ;)
case (src_ip<>LOCAL_IP) and (dst_ip<>LOCAL_IP) is not handled (message not from/for you)
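As an added example (not sapero's code and not from the zip), the direction test the demo needs, written in Python: parse a raw IPv4/TCP datagram as a raw socket on 2000/XP would deliver it, pull out the IRC lines, and file the packet under the received or sent log, with the third case (neither address is ours) dropped instead of misfiled. LOCAL_IP and the test packets are constructed values.

```python
import socket
import struct

LOCAL_IP = "192.168.1.10"   # constructed; the demo would take the chosen interface's address

def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP datagram, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len or proto != 6:
        return None
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4          # TCP data offset, in 32-bit words
    if doff < 20 or doff > len(tcp):
        return None
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, tcp[doff:]

def direction(src, dst, local=LOCAL_IP):
    """'recv' if addressed to us, 'sent' if from us, 'other' for the case the demo skips."""
    if dst == local:
        return "recv"
    if src == local:
        return "sent"
    return "other"

def log_target(pkt, local=LOCAL_IP):
    """(log file name, IRC lines) for a packet, or None if nothing should be written."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return None
    src, _, dst, _, payload = parsed
    name = {"recv": "recv.txt", "sent": "sent.txt"}.get(direction(src, dst, local))
    if name is None or not payload:       # 'other' and empty segments: drop, never misfile
        return None
    return name, [ln.decode("latin-1") for ln in payload.split(b"\r\n") if ln]

def build_packet(src, sport, dst, dport, payload):
    """Constructed IPv4+TCP datagram for testing; checksums stay zero, the parser ignores them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, 0x5018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp
```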
Hi sapero,
The program works as supposed on my Win2k SP4 regarding traffic monitoring, but when I click on the combo to choose the interface or on "Stop" button it crashes every time (it may be because of my Kerio firewall ..? )
Eugen
Eugen,
try to debug this proggy, here on xp home/pro i have clean, no exceptions
Maybe memory access from thread to global variables should be changed to Interlocked*()
The firewall has nothing to do with this proggy (99%), the name of raw socket handle is \Device\RawIp\0
And try to compile with new import libraries (use libtool, alib from nagoa...)
or break the while loop in ThreadProc() - remove jmp .receive
do not run timer TIMER_UPDATESPEED in RawCreate()
change image base in make.bat
Sapero,
I have the same problem with your program as Eugen does, on Win2K SP4. If my analysis is correct, then one of your macros has a built-in error. Look at a disassembly of the dialog procedure:
00401278 off_00401278: ; Xref 00401254
00401278 55 push ebp
00401279 89E5 mov ebp,esp
0040127B 53 push ebx
0040127C 57 push edi
0040127D 56 push esi
0040127E 81EC08000000 sub esp,8
00401284 817D0C10010000 cmp dword ptr [ebp+0Ch],110h
That part of the code sets up a stack frame, pushes EBX, EDI, and ESI, and then reserves 8 bytes for local variables. Note that the local variables are thus located at , i.e., at .
Later in the code, the local variables are accessed. However, they are addressed with the wrong offset from EBP:
004012FF loc_004012FF: ; Xref 004012DA
004012FF 817D0C11010000 cmp dword ptr [ebp+0Ch],111h
00401306 0F853B000000 jne loc_00401347
0040130C 8B4510 mov eax,[ebp+10h]
0040130F 89C2 mov edx,eax
00401311 C1EA10 shr edx,10h
00401314 8955F8 mov [ebp-8],edx ; <== this overwrites the saved value of EDI
00401317 25FFFF0000 and eax,0FFFFh
0040131C 8945FC mov [ebp-4],eax ; <== this overwrites the saved value of EBX
0040131F 817DFCF3030000 cmp dword ptr [ebp-4],3F3h
00401326 0F8516000000 jne loc_00401342
0040132C 817DF800000000 cmp dword ptr [ebp-8],0
00401333 7508 jnz loc_0040133D
[EBP-8] and [EBP-4] would be the correct addresses if EBX / ESI / EDI had not been pushed. However, they have been pushed, and the pushed values on the stack get overwritten now. Which leads to problems on Win2K when later restoring EBX / ESI / EDI from the stack. WinXP is much more forgiving in that respect.
Regards
Frank
Not for me. *has XP SP2*
Crashes whenever I click that bugger. X_X
sub esp,8 - this must be macro SUB followed by UINT (local variable)
Here is other macro PROC fn_name, stack_size {, parameters}, it uses only enter x,y; the "sub esp" is not applied
I've replaced all SUB's (with local variables) with PROC macro, and fixed the if*equal macro :)
The SUB macro is good if you do not use local variables, in PROC macro you must specify the stack frame size
http://www.qfile.de/dl/83301/rawsocket_demo_all.zip.html
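To make Frank's stack-frame analysis and sapero's PROC fix reproducible, here is an added Python example (not code from the thread or the zip): it lays out the EBP-relative frame for both prologue orders (push regs then sub esp, versus enter then push regs), decodes the [ebp+disp8] operands straight from the opcode bytes in Frank's listing, and reports which stores land on a saved-register slot. Register names and the 8-byte local size are taken from the listing; everything else is assumed.

```python
import struct

def frame_layout(pushes, local_bytes, locals_first=False):
    """Map EBP-relative offsets to what the prologue put there.
    locals_first=False: push ebp / mov ebp,esp / push regs / sub esp,N  (the SUB macro)
    locals_first=True:  enter N,0 / push regs                         (the PROC macro)"""
    locals_ = [f"local{i}" for i in range(local_bytes // 4)]
    saved = [f"saved {r}" for r in pushes]
    layout, off = {}, 0
    for name in (locals_ + saved) if locals_first else (saved + locals_):
        off -= 4
        layout[off] = name
    return layout

def ebp_disp8(code):
    """Decode the [ebp+disp8] operand of the encodings in the listing:
    81 /7 (cmp r/m32,imm32), 8B (mov r32,r/m32), 89 (mov r/m32,r32).
    Returns (mnemonic, disp8, writes_memory), or None for other forms."""
    op, modrm = code[0], code[1]
    if op == 0x81 and (modrm >> 3) & 7 == 7:
        mn, writes = "cmp", False
    elif op == 0x8B:
        mn, writes = "mov", False
    elif op == 0x89:
        mn, writes = "mov", True
    else:
        return None
    if modrm >> 6 != 1 or modrm & 7 != 5:   # mod=01, rm=101 is [ebp+disp8]
        return None
    return mn, struct.unpack("b", code[2:3])[0], writes

# Addresses and opcode bytes copied from Frank's disassembly of the dialog procedure.
LISTING = [
    ("00401284", "817D0C10010000"), ("004012FF", "817D0C11010000"),
    ("0040130C", "8B4510"), ("00401314", "8955F8"), ("0040131C", "8945FC"),
    ("0040131F", "817DFCF3030000"), ("0040132C", "817DF800000000"),
]

def clobbered_saves(listing, layout):
    """Stores in the listing whose target is a saved-register slot: (addr, disp, slot)."""
    hits = []
    for addr, hexbytes in listing:
        dec = ebp_disp8(bytes.fromhex(hexbytes))
        if dec and dec[2] and layout.get(dec[1], "").startswith("saved"):
            hits.append((addr, dec[1], layout[dec[1]]))
    return hits

if __name__ == "__main__":
    regs = ["ebx", "edi", "esi"]
    for addr, disp, slot in clobbered_saves(LISTING, frame_layout(regs, 8)):
        print(f"{addr}: store to [ebp{disp}] overwrites {slot}")   # -8 edi, -4 ebx
    print("PROC-style frame:", clobbered_saves(LISTING, frame_layout(regs, 8, True)))
```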