Hello
I found the Netmon source on Iczelion's homepage (thanks) and would like to add a function to terminate a selected connection. But I have no exact idea how to insert such a function.
Can someone help me please?
Posted on 2001-12-06 10:16:40 by Max
Hello

It seems nobody wants to help me with this; I don't think it's because people don't know how to do it.
Could someone help me make a port block function, or take the time to explain to me how terminating a connection works, so I don't need to learn TCP/IP?
Or if it doesn't work, or can't be made by a newbie, then please tell me that too :-)
Is this page not for people like me too, people who like to spend their time asking the profs?

I'm sure I don't have to learn all of ASM or Win networking to make a simple port block or terminate connection function, so please help me.

I found enough postings about sending ICMP pings or how to code keyloggers; on Iczelion's homepage I found a trojan source code.
When I browse the archive I find a lot of postings closed because of virus or trojan questions, but no help to code security stuff.

People, please help me to code a simple security tool; share what you know and don't just talk about security.

Thanks

Or is there really no one who has ever coded a security tool for himself in ASM?
Only Gibson?

Can't be!
Posted on 2001-12-08 21:59:01 by Max
Nobody owes you anything; sometimes people know the answer, sometimes they don't. Sometimes the question needs to be clearer, sometimes.... It's a messageboard, not a holy grail of answers.


Study == the art of finding answers yourself.
Posted on 2001-12-09 06:25:48 by Hiroshimator
Here's something I found out:
There's a function called SetTcpEntry in the IP Helper API (see my other post in the networking forum). SetTcpEntry can set the state of one TCP connection. Currently the only state that a connection can actually be set to is MIB_TCP_STATE_DELETE_TCB. I don't know exactly what this one means, but when I tried it, it killed the connection.

Here are some constants you may need:


; only the DELETE_TCB is supported by SetTcpEntry
MIB_TCP_STATE_CLOSED equ 1
MIB_TCP_STATE_LISTEN equ 2
MIB_TCP_STATE_SYN_SENT equ 3
MIB_TCP_STATE_SYN_RCVD equ 4
MIB_TCP_STATE_ESTAB equ 5
MIB_TCP_STATE_FIN_WAIT1 equ 6
MIB_TCP_STATE_FIN_WAIT2 equ 7
MIB_TCP_STATE_CLOSE_WAIT equ 8
MIB_TCP_STATE_CLOSING equ 9
MIB_TCP_STATE_LAST_ACK equ 10
MIB_TCP_STATE_TIME_WAIT equ 11
MIB_TCP_STATE_DELETE_TCB equ 12


MIB_TCPROW STRUCT
dwState DWORD ?
dwLocalAddr DWORD ?
dwLocalPort DWORD ?
dwRemoteAddr DWORD ?
dwRemotePort DWORD ?
MIB_TCPROW ENDS


SetTcpEntry has one parameter: a pointer to a MIB_TCPROW struct. This struct contains the local port & IP and the remote port & IP, as well as the new state (MIB_TCP_STATE_*) to set the connection to. When I tried this by looking at some connection with netstat, using the right values in the struct I was able to kill the connection.

I hope this helps; I don't know much about this, I just tried it for the first time...
Another interesting function is GetTcpTable; it can return a full table of TCP connections like netstat does. Look it up at MSDN. Also download the files in my other post about the IP Helper API (networking forum).

Thomas

edit/P.S.
Don't forget that IPs and ports are in network byte order, i.e. big endian, most significant byte first. An IP like 192.168.0.1 is stored in memory as: db 192,168,0,1. A port number is 16 bits (although the dwLocalPort structure member is a dword, I think only the lower word is used). A port number like 6789 (=1A85 in hex) is stored in memory as: db 1Ah, 85h (which as an Intel word would mean 851Ah).
Posted on 2001-12-09 09:12:50 by Thomas
Hossa

hehe, I know it's a messageboard.
But to say it loud and clear:

I personally think the elite of all ASM coders, or the best of the best Win32 coders, are here *bg*

Before I post here I read all the pages I can get my hands on; the search function is for members only and I'm not sure if I should register myself here as a beginner.
Often there are more than 2 people who can help when someone asks a question, so I think my posting looked like a question about a malicious program.

But now to my question :-)

Thanks a lot, Thomas, for taking the time to write some helpful text!

After reading your text I started searching with some keywords and I found this:

InetChkS.dll documentation

This document is a simple reference on using the InetChkS.dll dynamic link library. It contains some explanations with examples on passing arguments properly to the functions of this DLL.

1 - ip_checksum function
2 - tcp_checksum function
3 - udp_checksum function
4 - icmp_checksum function
5 - ppp_checksum function
6 - ppp_encapsulate_data function (bonus)

1 - ip_checksum function

Prototype:
ip_checksum PROTO addr_ip_hdr:DWORD

This is one of the simplest functions in InetChkS. It receives just one argument: a pointer to a structure like the following:

;IP Header Structure
ip_hdr STRUCT
ip_hlv BYTE ?
ip_tos BYTE ?
ip_len WORD ?
ip_id WORD ?
ip_off WORD ?
ip_ttl BYTE ?
ip_p BYTE ?
ip_cksum WORD ? ;Must be zero before being computed.
ip_src DWORD ?
ip_dest DWORD ?
ip_hdr ENDS

You can find the definition of the ip_hdr structure in the Windows.inc file (for those who use Masm32, the path to Windows.inc is C:\masm32\include). ip_checksum will return the computed checksum value in AX.

NOTE: Remember that the Checksum field for most of the protocols (IP, TCP, UDP, ICMP, etc) MUST BE ZERO before being computed.


Example

Given the following escaped PPP packet:

7E FF 03 00 21 45 00 00 2C 00 07 00 00 FF 06 67
FE C8 31 83 8F C8 2F 3F D6 04 8F 00 50 5D 72 00
00 00 00 00 01 60 02 40 00 A2 0D 00 00 02 04 05
B4 AD F4 7E

(Escaped PPP packet taken from Trumpet Winsock 5.0)

- IP Header


ip_header ip_hdr <> ;ip_header variable declaration

;ip_hdr fields are assigned their respective values:
MOV ip_header.ip_hlv, 45h
MOV ip_header.ip_tos, 0
MOV ip_header.ip_len, 2Ch
MOV ip_header.ip_id, 07
MOV ip_header.ip_off, 0
MOV ip_header.ip_ttl, 0FFh
MOV ip_header.ip_p, 6
MOV ip_header.ip_cksum, 0 ;The Checksum field must be zero before being computed.
MOV ip_header.ip_src, 0C831838Fh
MOV ip_header.ip_dest, 0C82F3FD6h

;Then, the ip_checksum function is called
INVOKE ip_checksum, ADDR ip_header

After the call, the register AX will store 67FEh (the computed Checksum value). Finally:

MOV ip_header.ip_cksum, AX ;The IP datagram is complete now.


2 - tcp_checksum function

Prototype:
tcp_checksum PROTO addr_tcp_hdr:DWORD, addr_tcp_options_data:DWORD, len_options_data:DWORD, addr_ip_hdr:DWORD

The TCP checksum calculation is a bit more complex, since other structures apart from the TCP header are used. They can be enumerated as follows:

1 - TCP Header
2 - TCP Options-Data (Optional)
3 - Pseudo Header *

* the tcp_checksum function extracts and calculates the Pseudo Header by receiving a pointer to an ip_hdr structure.
Therefore, the tcp_checksum function receives the following arguments:

1 - Pointer to a tcp_hdr structure. The tcp_hdr structure has the following fields:

tcp_hdr STRUCT
tcp_sourc_port WORD ?
tcp_dest_port WORD ?
tcp_seq DWORD ?
tcp_ack DWORD ?
tcp_len BYTE ?
tcp_flag BYTE ?
tcp_win WORD ?
tcp_cksum WORD ?
tcp_urgent WORD ?
tcp_hdr ENDS

2 - Pointer to the TCP Options-Data. The TCP Options-Data must be stored in an array of bytes.

3 - Length of Options-Data. Here, the length of the TCP Options-Data in the array of bytes is specified.

4 - Pointer to an ip_hdr structure. The Pseudo Header will be extracted from here.

Example

Given the following escaped PPP packet:

7E FF 03 00 21 45 00 00 2C E8 CC 00 00 3F 06 3F 39 C8 2F
3F D6 C8 31 83 8F 00 50 04 8F 15 B9 17 BD 5D 72 00 01 60
12 20 00 94 A3 00 00 02 04 05 98 7C EA 7E

(Escaped PPP packet taken from Trumpet Winsock 5.0)

- IP Header
- TCP Header
- TCP Options-Data

;Variables declarations:
tcp_header tcp_hdr <>
options_data BYTE 100 DUP (0)
ip_header ip_hdr <>

;tcp_hdr fields are assigned their respective values:
MOV tcp_header.tcp_sourc_port, 50h
MOV tcp_header.tcp_dest_port, 48Fh
MOV tcp_header.tcp_seq, 15B917BDh
MOV tcp_header.tcp_ack, 5D720001h
MOV tcp_header.tcp_len, 60h
MOV tcp_header.tcp_flag, 12h
MOV tcp_header.tcp_win, 2000h
MOV tcp_header.tcp_cksum, 0 ;The Checksum field must be zero before being computed.
MOV tcp_header.tcp_urgent, 0

;Options-Data fields are assigned their respective values:
MOV options_data, 2
MOV options_data[1], 4
MOV options_data[2], 5
MOV options_data[3], 98h

;ip_hdr fields are assigned their respective values:
MOV ip_header.ip_hlv, 45h
MOV ip_header.ip_tos, 0
MOV ip_header.ip_len, 2Ch
MOV ip_header.ip_id, 0E8CCh
MOV ip_header.ip_off, 0
MOV ip_header.ip_ttl, 03Fh
MOV ip_header.ip_p, 6
MOV ip_header.ip_cksum, 0
MOV ip_header.ip_src, 0C82F3FD6h
MOV ip_header.ip_dest, 0C831838Fh

;Then, the tcp_checksum function is called
INVOKE tcp_checksum, ADDR tcp_header, ADDR options_data, 4, ADDR ip_header

After the call, the register AX will store 94A3h (the computed Checksum value). Finally:

MOV tcp_header.tcp_cksum, AX ;The TCP segment is complete now.

In case the TCP segment does not include Options-Data, a null value must be specified in place of the Pointer to the TCP Options-Data argument. Example:

Given the following escaped PPP packet:

7E FF 03 00 21 45 00 00 28 EC 5E 00 00 3F 06 3B AB C8 2F
3F D6 C8 31 83 8F 00 50 04 8F 15 B9 18 4A 5D 72 00 08 50
11 20 00 AB B0 00 00 C3 F6 7E

(Escaped PPP packet taken from Trumpet Winsock 5.0)

- IP Header
- TCP Header

;Variable declarations
tcp_header tcp_hdr <>
ip_header ip_hdr <>

;tcp_hdr fields are assigned their respective values:
MOV tcp_header.tcp_sourc_port, 50h
MOV tcp_header.tcp_dest_port, 48Fh
MOV tcp_header.tcp_seq, 15B9184Ah
MOV tcp_header.tcp_ack, 5D720008h
MOV tcp_header.tcp_len, 50h
MOV tcp_header.tcp_flag, 11h
MOV tcp_header.tcp_win, 2000h
MOV tcp_header.tcp_cksum, 0 ;The Checksum field must be zero before being computed.
MOV tcp_header.tcp_urgent, 0

;ip_hdr fields are assigned their respective values:
MOV ip_header.ip_hlv, 45h
MOV ip_header.ip_tos, 0
MOV ip_header.ip_len, 28h
MOV ip_header.ip_id, 0EC5Eh
MOV ip_header.ip_off, 0
MOV ip_header.ip_ttl, 03Fh
MOV ip_header.ip_p, 6
MOV ip_header.ip_cksum, 0
MOV ip_header.ip_src, 0C82F3FD6h
MOV ip_header.ip_dest, 0C831838Fh

;Then, the tcp_checksum function is called
INVOKE tcp_checksum, ADDR tcp_header, NULL, NULL, ADDR ip_header

After the call, the register AX will store ABB0h (the computed Checksum value). Finally:

MOV tcp_header.tcp_cksum, AX

3 - udp_checksum function

Prototype:
udp_checksum PROTO addr_udp_hdr:DWORD, addr_udp_data:DWORD, len_udp_data:DWORD, addr_ip_hdr:DWORD

The way the udp_checksum function calculates the checksum for UDP segments is almost the same as the tcp_checksum function does. The only difference lies in the UDP header structure:

udp_hdr STRUCT
udp_sourc_port WORD ?
udp_dest_port WORD ?
udp_len WORD ?
udp_cksum WORD ?
udp_hdr ENDS

Like TCP, UDP segments may include data; if so, the data must be stored in an array of bytes. Also, the UDP checksum calculation requires the Pseudo Header. Therefore, the udp_checksum function receives the same arguments in the same order as the tcp_checksum function does. In case the UDP segment does not include data, a null value must be specified in place of the pointer to the UDP data argument.

Example

Given the following escaped PPP packet:

7E FF 03 00 21 45 00 00 1C ED 5A 00 00 0A 11 D0 13 C8
48 29 A1 C8 31 39 48 04 00 1A 04 00 08 EE 76 96 F5 7E

(Escaped PPP packet taken from the Net)

- IP Header
- UDP Header


;Variables declarations
udp_header udp_hdr <>
ip_header ip_hdr <>

;udp_hdr fields are assigned their respective values:
MOV udp_header.udp_sourc_port, 400h
MOV udp_header.udp_dest_port, 1A04h
MOV udp_header.udp_len, 8
MOV udp_header.udp_cksum, 0 ;The Checksum field must be zero before being computed.

;ip_hdr fields are assigned their respective values:
MOV ip_header.ip_hlv, 45h
MOV ip_header.ip_tos, 0
MOV ip_header.ip_len, 1Ch
MOV ip_header.ip_id, 0ED5Ah
MOV ip_header.ip_off, 0
MOV ip_header.ip_ttl, 0Ah
MOV ip_header.ip_p, 11h
MOV ip_header.ip_cksum, 0
MOV ip_header.ip_src, 0C84829A1h
MOV ip_header.ip_dest, 0C8313948h
...
INVOKE udp_checksum, ADDR udp_header, NULL, NULL, ADDR ip_header

After the call, the register AX will store EE76h (the computed Checksum value). Finally:
MOV udp_header.udp_cksum, AX


4 - icmp_checksum function

Prototype:
icmp_checksum PROTO addr_icmp_hdr:DWORD, addr_icmp_data:DWORD, len_icmp_data:DWORD

This function calculates the checksum for ICMP datagrams. It receives three arguments:

1 - Pointer to the ICMP header structure. The ICMP header structure can be found in the Windows.inc file.

icmp_hdr STRUCT
icmp_type BYTE ?
icmp_code BYTE ?
icmp_cksum WORD ?
icmp_id WORD ?
icmp_seq WORD ?
icmp_data BYTE ?
icmp_hdr ENDS

2 - Pointer to the ICMP datagram data. This argument is a pointer to the optional data the ICMP datagram may include. Like the tcp_checksum and udp_checksum functions, if the ICMP datagram includes data, it must be stored in an array of bytes.
In case the ICMP datagram does not include data, a null value must be specified in place of this argument.

3 - Length of the ICMP datagram data. Here the size in bytes of the ICMP datagram data is specified.

Example

Given the following PPP escaped packet:

7E FF 03 00 21 45 00 00 38 6F DF 00 00 80 01 B4 12
0A 00 01 0B 0A 00 01 C9 03 03 C2 D2 00 00 00 00 45
00 00 47 07 F0 00 00 80 11 1B E3 0A 00 01 C9 0A 00
01 0B 08 A7 79 19 00 33 B8 36 17 78 7E

(PPP escaped packet taken from the Net)

- ICMP Header
- ICMP Data

;Variable declarations
icmp_header icmp_hdr <>
icmp_data BYTE 100 DUP (0)

;icmp_header fields are assigned their respective values:
MOV icmp_header.icmp_type, 3
MOV icmp_header.icmp_code, 3
MOV icmp_header.icmp_cksum, 0 ;The checksum field must be zero before being computed.
MOV icmp_header.icmp_id, 0
MOV icmp_header.icmp_seq, 0
MOV icmp_header.icmp_data, 45h

MOV icmp_data, 0
MOV icmp_data[1], 0
MOV icmp_data[2], 47h
...
MOV icmp_data[26], 36h

;Then
INVOKE icmp_checksum, ADDR icmp_header, ADDR icmp_data, 27

After the call, the register AX will store C2D2h (the computed Checksum value). Finally:
MOV icmp_header.icmp_cksum, AX


5 - ppp_checksum function

Prototype:
ppp_checksum PROTO addr_ppp_data:DWORD, len_ppp_data:DWORD

This is another of the simplest functions in this DLL. It receives just two arguments:

1 - Pointer to PPP data. This is a pointer to an array of bytes with the PPP data.
2 - Length of PPP data. Here, the length of the PPP data in the array of bytes is specified.

The PPP data in the array of bytes must not include the checksum bytes when calling the ppp_checksum function.

Example

Given the following PPP escaped packet:

7E FF 03 00 21 45 00 00 28 00 0A 00 00 FF 06 67
FF C8 31 83 8F C8 2F 3F D6 04 8F 00 50 5D 72 00
08 15 B9 18 4A 50 10 3F 74 8C 3D 00 00 40 8E 7E

(PPP escaped packet taken from Trumpet Winsock 5.0)

- PPP Data
- PPP Checksum value (must not be included when calling the ppp_checksum function)

;Declarations
ppp_data BYTE 1000 DUP (0)

;The elements of the array of bytes are assigned their respective values.
MOV ppp_data, 0FFh
MOV ppp_data[1], 3
MOV ppp_data[2], 0
...
MOV ppp_data[40], 8Ch
MOV ppp_data[41], 3Dh
MOV ppp_data[42], 0
MOV ppp_data[43], 0

;Then
INVOKE ppp_checksum, ADDR ppp_data, 44

After the call, the register AX will store 408Eh (the computed Checksum value). Finally:
MOV ppp_data[44], AH ;AH = 40h
MOV ppp_data[45], AL ;AL = 8Eh


6- Bonus function!!!!: ppp_encapsulate_data

Prototype:
ppp_encapsulate_data PROTO p_ppp_data:DWORD, len_ppp_data:DWORD

This function encapsulates PPP data. It receives two arguments:

1 - Pointer to an array of bytes with the PPP data.
2 - Length of the PPP data in the array.

Important: the array of bytes which stores the PPP data must be large enough to hold the growth in size when the data is encapsulated. Normally, the array for the escaped PPP data must be twice as large as the non-escaped PPP data. Otherwise, a run-time error will make Windows terminate your program.

The new size of the array with the encapsulated PPP data will be returned in EAX.

For example, given the following array:

ppp_data BYTE 20 DUP (0)
len_ppp_data DWORD ?
...
MOV ppp_data, 0FFh
MOV ppp_data[1], 0C0h
MOV ppp_data[2], 21h
MOV ppp_data[3], 1
MOV ppp_data[4], 0
MOV ppp_data[5], 0
MOV ppp_data[6], 4
MOV ppp_data[7], 0Dh
MOV ppp_data[8], 0EFh

...
INVOKE ppp_encapsulate_data, ADDR ppp_data, 9
MOV len_ppp_data, EAX ;EAX = 15

After the call, the ppp_data array will look like:

ppp_data[0] = 7Eh
ppp_data[1] = 0FFh
ppp_data[2] = 0C0h
ppp_data[3] = 21H
ppp_data[4] = 7Dh
ppp_data[5] = 21h
ppp_data[6] = 7Dh
ppp_data[7] = 20h
ppp_data[8] = 7Dh
ppp_data[9] = 20h
ppp_data[10] = 7Dh
ppp_data[11] = 24h
ppp_data[12] = 7Dh
ppp_data[13] = 2Dh
ppp_data[14] = EFh
ppp_data[15] = 7Eh

and EAX will store 0FH (15 in decimal) which is the new size of the ppp_data array

End of Internet Checksums Document

-- -------------------

I'll upload the zip file with the ASM sample source and all the needed stuff and post the link here so you and others can use this too.

Thanks for the help!
Posted on 2001-12-14 09:26:07 by Max
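Added example, not code from the thread or from the DLL: the RFC 1071 Internet checksum in Python, with the pseudo header the document mentions for TCP and UDP, run over three of the captures quoted above to recompute the values the document lists (IP 3F39/TCP 94A3, IP D013/UDP EE76, IP B412/ICMP C2D2). The helper names (verify_ipv4, ip_from_ppp, the *_FRAME constants) are mine; the hex is copied from the captures.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones'-complement sum of big-endian 16-bit
    words (an odd trailing byte is zero-padded), carries folded, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """The 12-byte pseudo header that TCP and UDP checksums also cover."""
    return src + dst + struct.pack("!BBH", 0, proto, length)

def verify_ipv4(pkt: bytes) -> dict:
    """Recompute the IP header checksum and the transport checksum of a raw
    IPv4 packet (checksum fields zeroed first, as the DLL examples require)
    and compare each with the value carried in the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    hdr, payload = pkt[:ihl], pkt[ihl:total_len]
    src, dst = pkt[12:16], pkt[16:20]
    ip_calc = inet_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    ip_wire = struct.unpack("!H", hdr[10:12])[0]
    if proto in (6, 17):                  # TCP / UDP: prepend the pseudo header
        off = 16 if proto == 6 else 6     # offset of the checksum field
        prefix = pseudo_header(src, dst, proto, len(payload))
    elif proto == 1:                      # ICMP: header + data only
        off, prefix = 2, b""
    else:
        raise ValueError("unsupported protocol %d" % proto)
    zeroed = payload[:off] + b"\x00\x00" + payload[off + 2:]
    l4_calc = inet_checksum(prefix + zeroed)
    l4_wire = struct.unpack("!H", payload[off:off + 2])[0]
    return {"ip_calc": ip_calc, "ip_ok": ip_calc == ip_wire,
            "l4_calc": l4_calc, "l4_ok": l4_calc == l4_wire}

def ip_from_ppp(frame: bytes) -> bytes:
    """Strip the PPP framing of the document's captures: flag, FF 03 address/
    control, 00 21 protocol, then the trailing FCS and flag. Assumes no 7D
    escapes inside the frame, which holds for the three frames below."""
    if frame[:5] != b"\x7e\xff\x03\x00\x21" or frame[-1] != 0x7E:
        raise ValueError("not an unescaped PPP/IP frame")
    return frame[5:-3]

# The three captures quoted in the document (hex copied from it).
TCP_FRAME = bytes.fromhex(
    "7EFF030021 4500002CE8CC00003F063F39 C82F3FD6 C831838F"
    "0050048F15B917BD5D7200016012200094A30000 02040598 7CEA7E")
UDP_FRAME = bytes.fromhex(
    "7EFF030021 4500001CED5A00000A11D013 C84829A1 C8313948"
    "04001A040008EE76 96F57E")
ICMP_FRAME = bytes.fromhex(
    "7EFF030021 450000386FDF00008001B412 0A00010B 0A0001C9"
    "0303C2D200000000 4500004707F00000 80111BE3 0A0001C9 0A00010B"
    "08A7791900 33B836 17787E")

if __name__ == "__main__":
    for name, frame in (("TCP", TCP_FRAME), ("UDP", UDP_FRAME), ("ICMP", ICMP_FRAME)):
        print(name, verify_ipv4(ip_from_ppp(frame)))
```

A packet whose recomputed values disagree with the wire values was corrupted or altered in transit; flipping any byte of the UDP capture makes l4_ok come back False.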
I'm not sure if I should register myself here as a beginner.

Well, this isn't the Apache httpd project. It's not like you have to submit a very important part of some project to become relevant.

You should read TCP/IP Illustrated, printed by Prentice Hall.
Posted on 2001-12-15 04:58:06 by eet_1024
Seems to me that one simple way of killing a connection is closing the socket that it's using... and as far as I know you can get that socket... haven't tested this theory, but it should work...
Posted on 2001-12-20 16:53:39 by NervGaz
NervGaz :
-----
Seems to me that one simple way of killing a connection is closing the socket that it's using... and as far as I know you can get that socket... haven't tested this theory, but it should work...
------

Let's say I have the IP and the port; how do I get the socket this connection uses?


Thomas:
-----
When I tried this by looking at some connection with netstat, using the right values in the struct I was able to kill the connection.
-----

Can you please post or send me by email a simple example of how you close the connection with MIB_TCP_STATE_DELETE_TCB?

I'm too stupid to follow what you two are trying to tell me :-(
I'm reading here http://msdn.microsoft.com/library/en-us/tcpip/ipover_0nqk.asp?frame=true but I don't get it.

Thanks
Posted on 2002-01-06 02:40:24 by Max
Here you go.
It is really easy. This is the actual code:



TestRow MIB_TCPROW <MIB_TCP_STATE_DELETE_TCB,\
IPADDR(127,0,0,1),PORTNR(1572),\ ;local
IPADDR(127,0,0,1),PORTNR(9944)> ;remote

.code
start:
invoke SetTcpEntry, addr TestRow
invoke ExitProcess, NULL


Just telnet to some server (or a local open port), open "netstat -an", locate the connection:


TCP 127.0.0.1:1572 127.0.0.1:9944 ESTABLISHED


Fill in those IPs and ports in the TestRow structure and build+run the program. The connection will be lost then.

Thomas
Posted on 2002-01-06 04:23:05 by Thomas
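The same row, built in Python with ctypes as an added example (not code from the thread): the IPADDR/PORTNR macros are reproduced as helper functions that put the address and port into the byte order Thomas's P.S. describes, and the "netstat -an" line is parsed straight into the MIB_TCPROW. Only close_connection needs Windows (iphlpapi.dll); the helpers run anywhere. parse_netstat_line, make_row and close_connection are my names.

```python
import ctypes
import socket
import struct
import sys

MIB_TCP_STATE_DELETE_TCB = 12   # the only state SetTcpEntry accepts

class MIB_TCPROW(ctypes.Structure):
    """Same layout as the MASM struct in Thomas's earlier post: five DWORDs."""
    _fields_ = [("dwState", ctypes.c_uint32), ("dwLocalAddr", ctypes.c_uint32),
                ("dwLocalPort", ctypes.c_uint32), ("dwRemoteAddr", ctypes.c_uint32),
                ("dwRemotePort", ctypes.c_uint32)]

def ipaddr(dotted: str) -> int:
    """Stand-in for the IPADDR macro: the four octets in network order as they
    sit in memory, read back as a little-endian DWORD (127.0.0.1 -> 0x0100007F)."""
    return struct.unpack("<I", socket.inet_aton(dotted))[0]

def portnr(port: int) -> int:
    """Stand-in for PORTNR: the 16-bit port in network byte order in the low
    word of the DWORD, high word zero (1572 -> 0x2406)."""
    return struct.unpack("<H", struct.pack("!H", port))[0]

def parse_netstat_line(line: str):
    """Turn 'TCP 127.0.0.1:1572 127.0.0.1:9944 ESTABLISHED' into
    (("127.0.0.1", 1572), ("127.0.0.1", 9944))."""
    proto, local, remote = line.split()[:3]
    if proto.upper() != "TCP":
        raise ValueError("only TCP rows can be handed to SetTcpEntry")
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    return (lip, int(lport)), (rip, int(rport))

def make_row(local, remote) -> MIB_TCPROW:
    """Build the row Thomas fills in by hand, state already set to delete."""
    (lip, lport), (rip, rport) = local, remote
    return MIB_TCPROW(MIB_TCP_STATE_DELETE_TCB, ipaddr(lip), portnr(lport),
                      ipaddr(rip), portnr(rport))

def close_connection(netstat_line: str) -> int:
    """Windows only: hand the row to iphlpapi!SetTcpEntry. Returns the Win32
    error code (0 = NO_ERROR); a non-zero code usually means the row matched
    no existing connection or the caller lacks the privilege the call needs."""
    if sys.platform != "win32":
        raise OSError("SetTcpEntry lives in iphlpapi.dll; run this on Windows")
    row = make_row(*parse_netstat_line(netstat_line))
    return ctypes.windll.iphlpapi.SetTcpEntry(ctypes.byref(row))

if __name__ == "__main__":
    row = make_row(*parse_netstat_line("TCP 127.0.0.1:1572 127.0.0.1:9944 ESTABLISHED"))
    print(bytes(row).hex())   # the 20 bytes exactly as the MASM TestRow lays them out
```

Always check the return code: the call only succeeds for a row whose four endpoint values match an existing connection byte for byte, so a port left in host order silently matches nothing.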
thomas:

unorthodox but cool :)
Posted on 2002-01-06 05:12:55 by clip
Wow !

Such an easy thing???
I fell off my chair when I read your post, Thomas.

OK, all the others are more than right when they vote you for Network section admin :-)

And I have much to learn, as I see.....
Bah, too stupid to understand MSDN :-(
Hobby coder needs a new brain!

Happy coding and many thanks, Thomas.
Posted on 2002-01-06 05:24:15 by Max