Windows Filtering Platform

[Thunder93]

Made another update - http://www.purebasic.fr/english/viewtop ... 73#p426273

[Thunder93]

The TCP header offset field (*ppTcpHdr\HdrLength) is four bits.

Then we have just the one true Reserved field in the TCP header which is another four bits. Following is an 8bit field which includes also the CWR and the ECE TCP flags with the other 6 common flags.

.... However with the divert driver, this person created and using another structure field for just the CWR and ECE from the rest and stores it into the structure 'Reserved2' field.

UINT16 Reserved1:4; <--- four bits, so in PureBasic we link (union-ified) it to the offset field which is also another four bits. This makes it 8bits, 1 byte PB read and we split it up to read only each four bits separately.

UINT16 Reserved2:2; <--- two bits, so in PureBasic we union-ified it in the same memory space with other 6 common tcp flags. Now makes it an 8bit, 1 byte PB read

[Thunder93]

Are you still having fun?

[Thunder93]

I've made some more small changes... mostly to visual. Like this one...

ppIpHdr\FragOff0
_Flags: 0x02 (Don't Fragment)
--Bit 0 (Reseverd): 0
--Bit 1 (May Fragment = 0 / Don't Fragment = 1): 1
--Bit 2 (Last Fragment = 0 / More Fragments = 1): 0
--Fragment Offset: 0


Hopefully you'll like all the changes I've made today?

[JHPJHP]

Frustrated Fun... but still fun!

I think the changes you've made are great - really allows someone to make sense of all this.

This doesn't look right though:

Code: Select all

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    HdrLength.b
    Reserved1.b

    ;;;;HdrLength.u
    ;;;;Reserved1.u
  EndStructureUnion
  StructureUnion
    Reserved2.b
    Fin.b
    Syn.b
    Rst.b
    Psh.b
    Ack.b
    Urg.b

    ;;;;Fin.u
    ;;;;Syn.u
    ;;;;Rst.u
    ;;;;Psh.u
    ;;;;Ack.u
    ;;;;Urg.u
  EndStructureUnion

  ;;;;StructureUnion
  ;;;;  Reserved2.u
  ;;;;EndStructureUnion
  
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

I think either Reserved2 needs to be last or the others need to be reversed, but I usually wouldn't reverse order in the Structure.
Because data type is Unsigned (.a) makes more sense.

Code: Select all

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

(just trying to get my head around this)

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 3 bits: Reserved1
---- 1 bit: NS (Reserved1)
-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

[Thunder93]

Hi. Thanks.

Your right, the ordering 'should' be exact ... unless reversing the order for all or those in the group. I in-fact had that in the right order but I was thinking about changing the fields order in that structure but didn't follow through but left Reserved2 in-place there.

Using data type .a does make more since instead of the alternative option.

What you laid out there is right. What part don't you understand about it?


Regarding the tcp header structure, here is what I'm using now and will update the other post to include the changes.

Code: Select all

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion  
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

[Thunder93]

Wait a minute.... I see what you've done.

(just trying to get my head around this)

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 3 bits: Reserved1
---- 1 bit: NS (Reserved1)
-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

[Thunder93]

Reserved1 is four bits.... As I explained in an earlier post.

RS & NS are new flags occupying two bits in the Reserved or w/divert Reserved1 location.

[Thunder93]

Therefore to update what you have...

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 4 bits: Reserved1
_Reserved1: 2 bits - Not-Used.
_Reserved1: 1 bit: RS
_Reserved1: 1 bit: NS

-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

[JHPJHP]

Nice - thank you, Wikipedia needs an update: http://en.wikipedia.org/wiki/Transmissi ... _structure

You used a Procedure, but for my own learning pleasure I'd like to see the 8 individual formula that returns each bit... Using Arithmetic shift and Modulo; my results just don't match what I see from Wireshark.

Also, shouldn't this return the 8 bits?

Code: Select all

Bin(PeekA(@*ppTcpHdr\Reserved2))

[Thunder93]

Aren't you suppose to be using PB Rset in this case?

[JHPJHP]

Better then my approach (old school):

Code: Select all

Right("0000000" + Bin(PeekA(@*ppTcpHdr\Reserved2)), 8)

But still not getting the results I expected - I'm running our script in a Repeat Forever loop, and all the bit information is the same - I should at least be getting a FIN at the end?

[Thunder93]

Code: Select all

        Debug "-- last 8 bits (Big Endian)"        
        tcpHdrResv.a = PeekA(@*ppTcpHdr\Reserved2)        
        Debug "---- 1 bit: CWR (Reserved2): " + str(tcpHdrResv >> 7 & %1)
        Debug "---- 1 bit: ECE (Reserved2): " + str(tcpHdrResv >> 6 & %1)
        Debug "---- 1 bit: URG: " + str(tcpHdrResv >> 5 & %1)
        Debug "---- 1 bit: ACK: " + str(tcpHdrResv >> 4 & %1)
        Debug "---- 1 bit: PSH: " + str(tcpHdrResv >> 3 & %1)
        Debug "---- 1 bit: RST: " + str(tcpHdrResv >> 2 & %1)
        Debug "---- 1 bit: SYN: " + str(tcpHdrResv >> 1 & %1)
        Debug "---- 1 bit: FIN: " + str(tcpHdrResv >> 0 & %1)

Updated: Rev1

Rev 1: When I was slapping this together for you, I forgot to replace the bin() w/ str().

[Thunder93]

I really like PureBasic... It's pretty powerful. I never imagined I'd be handling bits and nibbles with PB. ... on another note, did you find that evil bit in the IPv4 header yet? heh


Like you now, I was the other day trying to wrap my head around this all! But at least it's still going for us.

[JHPJHP]

Isn't that the truth...

At least I know I'm not doing it wrong, but same results.

- 8 bits are always the same?

Note: the script is in an infinite loop - you will need to kill it after viewing the debug output, it will also automatically load the webpage (explorer).

Thanks,