Code: Select all
(ipHdr_FragsOff & $0020)
(ipHdr_FragsOff & $0040)
(ipHdr_FragsOff & $0080)Windows Filtering Platform
Re: Windows Filtering Platform
I think I have it?
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Code: Select all
ipHdr_Length = PeekA(@*ppIpHdr\HdrLength) & %1111
ipHdr_Version = (PeekA(@*ppIpHdr\Version) >> 4)
ipHdr_TOS = htons_(PeekA(@*ppIpHdr\TOS))
ipHdr_TotalLength = htons_(PeekU(@*ppIpHdr\Length))
ipHdr_Id = htons_(PeekU(@*ppIpHdr\Id))
ipHdr_FragsOff = PeekU(@*ppIpHdr\FragOff0)
FlagMF = ipHdr_FragsOff & $0020
FlagDF = ipHdr_FragsOff & $0040
FlagReseverd = ipHdr_FragsOff & $0080
ipHdr_TTL = PeekA(@*ppIpHdr\TTL)
ipHdr_Protocol = PeekA(@*ppIpHdr\Protocol)
ipHdr_Checksum = PeekU(@*ppIpHdr\Checksum)
ipHdr_SrcAddr.s = IPString(PeekL(@*ppIpHdr\SrcAddr)) ;Dropped htonl_(), Native PB command sufficient.
ipHdr_DstAddr.s = IPString(PeekL(@*ppIpHdr\DstAddr))
Debug "ppIpHdr\HdrLength: " + ipHdr_Length
Debug "ppIpHdr\Version: " + ipHdr_Version
Debug "ppIpHdr\TOS: " + ipHdr_TOS
Debug "ppIpHdr\Length: " + ipHdr_TotalLength
Debug "ppIpHdr\Id: " + ipHdr_Id
Debug "ppIpHdr\FragOff0: " + ipHdr_FragsOff
If FlagReseverd : Debug "Reserved" : EndIf
If FlagDF : Debug " Don't Fragment (DF) set" : EndIf
If FlagMF : Debug " More Fragments (MF) set" : EndIf
Debug "-"ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Nice - looks like you have a good understanding of packets.
- good for a Macro / Procedure:
NB*: Updated my previous post (including link) - finished IPv6 stuff.
- what is the first one for: 0xFF1F?
- good for a Macro / Procedure:
NB*: Updated my previous post (including link) - finished IPv6 stuff.
- what is the first one for: 0xFF1F?
#define DIVERT_IPHDR_GET_FRAGOFF(hdr)
(((hdr)->FragOff0) & 0xFF1F)
Last edited by JHPJHP on Mon Sep 23, 2013 1:26 pm, edited 5 times in total.
If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Re: Windows Filtering Platform
I noticed that on the both accounts. That you updated your previous post to include all IPv6 stuff, and that get / set Frags are done using Macro.
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Fragment Offset field... almost forgot about that.JHPJHP wrote:Nice - looks like you have a good understanding of packets.
NB*: Updated my previous post (including link) - finished IPv6 stuff.
Found this in the documentation (divert.h) get / set FragOff0 - good for a Macro:
- what is the first one for: 0xFF1F?
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Sorry about this posting thing... not sure if you noticed - it takes me 3 or 4 times to get it right, and some times I don't even realize that you've already responded. 
If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Re: Windows Filtering Platform
Added:
FragOffset = ipHdr_FragsOff & $FF1F
&
Debug "Frag Offset: " + FragOffset
FragOffset = ipHdr_FragsOff & $FF1F
&
Debug "Frag Offset: " + FragOffset
Code: Select all
ipHdr_Length = PeekA(@*ppIpHdr\HdrLength) & %1111
ipHdr_Version = (PeekA(@*ppIpHdr\Version) >> 4)
ipHdr_TOS = htons_(PeekA(@*ppIpHdr\TOS))
ipHdr_TotalLength = htons_(PeekU(@*ppIpHdr\Length))
ipHdr_Id = htons_(PeekU(@*ppIpHdr\Id))
ipHdr_FragsOff = PeekU(@*ppIpHdr\FragOff0)
FlagMF = ipHdr_FragsOff & $0020
FlagDF = ipHdr_FragsOff & $0040
FlagReseverd = ipHdr_FragsOff & $0080
FragOffset = ipHdr_FragsOff & $FF1F
ipHdr_TTL = PeekA(@*ppIpHdr\TTL)
ipHdr_Protocol = PeekA(@*ppIpHdr\Protocol)
ipHdr_Checksum = PeekU(@*ppIpHdr\Checksum)
ipHdr_SrcAddr.s = IPString(PeekL(@*ppIpHdr\SrcAddr)) ;Dropped htonl_(), Native PB command sufficient.
ipHdr_DstAddr.s = IPString(PeekL(@*ppIpHdr\DstAddr))
Debug "ppIpHdr\HdrLength: " + ipHdr_Length
Debug "ppIpHdr\Version: " + ipHdr_Version
Debug "ppIpHdr\TOS: " + ipHdr_TOS
Debug "ppIpHdr\Length: " + ipHdr_TotalLength
Debug "ppIpHdr\Id: " + ipHdr_Id
Debug "ppIpHdr\FragOff0: " + ipHdr_FragsOff
If FlagReseverd : Debug "Reserved" : EndIf
If FlagDF : Debug " Don't Fragment (DF) set" : EndIf
If FlagMF : Debug " More Fragments (MF) set" : EndIf
Debug "Frag Offset: " + FragOffset
Debug "-"ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
It is cool JHPJHP. I we know you'll eventually get to see my postings. 
JHPJHP wrote:Sorry about this posting thing... not sure if you noticed - it takes me 3 or 4 times to get it right, and some times I don't even realize that you've already responded.
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
-Prototyped the rest of the functions.
-Made some minor changes to Structures (based on netdump.c).
-Added ntoh to the FragOff script (based on return values, and information from netdump.c).
The following provided additional information:
http://en.wikipedia.org/wiki/IP_fragmentation_attacks
-Made some minor changes to Structures (based on netdump.c).
-Added ntoh to the FragOff script (based on return values, and information from netdump.c).
The following provided additional information:
http://en.wikipedia.org/wiki/IP_fragmentation_attacks
Last edited by JHPJHP on Thu Oct 03, 2013 10:28 pm, edited 1 time in total.
If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Re: Windows Filtering Platform
I've been AFK all day, getting ready for winter in Canada.
...Well I could be wrong, It has been a few years since I have been really involved in packets.
From what I can remember the Frag Offset is 0 until there is fragmentation. Also when the DF flag is set the frag offset is 0, anything else would be unwanted, invalid or malformed packet.
Your ntoh addition to FragOff script causes problems. I know for a fact that my tested packets are with DF flag set, your change does not show this flag set but mine does.
Your frag offset field is non-zero for me, but my tested packets are .... for sure .... with DF frag flag set. Not only that but your change has Frag Offset is simply repeating the main return value on the FragOff0.u w/ ntosh_ usage.
...Well I could be wrong, It has been a few years since I have been really involved in packets.
From what I can remember the Frag Offset is 0 until there is fragmentation. Also when the DF flag is set the frag offset is 0, anything else would be unwanted, invalid or malformed packet.
Your ntoh addition to FragOff script causes problems. I know for a fact that my tested packets are with DF flag set, your change does not show this flag set but mine does.
Your frag offset field is non-zero for me, but my tested packets are .... for sure .... with DF frag flag set. Not only that but your change has Frag Offset is simply repeating the main return value on the FragOff0.u w/ ntosh_ usage.
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Yes, your right... confirmed with Wireshark - but I am getting a weird number for Bit 1 (is it not supposed to be: 0 | 1?):
From documentation: ntohs(WINDIVERT_IPHDR_GET_FRAGOFF(ip_header))ppIpHdr\FragOff0 (64)
--Bit 0 (Reseverd): 0
--Bit 1 (May Fragment = 0 / Don't Fragment = 1): 64
--Bit 2 (Last Fragment = 0 / More Fragments = 1): 0
--Fragment Offset: 0
If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Re: Windows Filtering Platform
Yea. There is a slight hiccup. It is related to storing & reading w/ .u type.
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
Just because it returns the correct number - doesn't make it right. 
Do you have a way to test this?
Code: Select all
FragOff0.u = PeekU(@*ppIpHdr\FragOff0)
Debug "ppIpHdr\FragOff0 (" + Str(FragOff0) + ")"
Debug "--Bit 0 (Reseverd): " + Str((FragOff0 & $0080) >> 7)
Debug "--Bit 1 (May Fragment = 0 / Don't Fragment = 1): " + Str((FragOff0 & $0040) >> 6)
Debug "--Bit 2 (Last Fragment = 0 / More Fragments = 1): " + Str((FragOff0 & $0020) >> 5)
Debug "--Fragment Offset: " + Str(FragOff0 & $FF1F)If you're not investing in yourself, you're falling behind.
My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Re: Windows Filtering Platform
Yea. give me a moment
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
Re: Windows Filtering Platform
The DF is 1, set for me... That works. 
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley