Windows Filtering Platform

Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada

Re: Windows Filtering Platform

Post by Thunder93 »

Yes, I had that experience repeatedly when testing yours .. the original. The update I'm giving addresses this problem. I can be on the forum and site and still have it work without problems. Remember, depending on your default browser settings, you might need to clear the cache before the code triggers.
JHPJHP wrote: Just a quick note: Don't have the PureBasic site (forum included) loaded prior to testing the Replace script - it can cause a browser crash - otherwise it works pretty good, providing the "replacelength" value is set correctly.
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
JHPJHP
Addict
Posts: 2257
Joined: Sat Oct 09, 2010 3:47 am

Re: Windows Filtering Platform

Post by JHPJHP »

The magic fix is your filter (not crashing with browser pre-opened to PureBasic):
"(ip.SrcAddr == 88.191.144.148 or ip.DstAddr == 88.191.144.148) && tcp.Ack && tcp.PayloadLength > 0"
And a more accurate setting for the example I supplied (trial and error @ the moment):

Code:

Select #True
  Case Bool(FindString(replacedata, "/images/logopb.gif") > 0)
    ; swap the path in the payload string, then recompute the length field
    ; (the -6 / -7 corrections were found by trial and error, see above)
    replacedata = ReplaceString(replacedata, "/images/logopb.gif", "/images/logoextra.gif")
    replacelength = SizeOf(DATAPACKET) + StringByteLength(replacedata) - 6
  Case Bool(FindString(replacedata, "/images/box.png") > 0)
    replacedata = ReplaceString(replacedata, "/images/box.png", "/images/logopb2.gif")
    replacelength = SizeOf(DATAPACKET) + StringByteLength(replacedata) - 7
  Default
    ; no match: re-inject the packet unchanged and fetch the next one
    DivertSend(hWndDivert, *pPacket, recvLen, @pAddr, #Null)
    Continue
EndSelect
I never said... Really like the Windivert.h :!:

If you're not investing in yourself, you're falling behind.

My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.

Re: Windows Filtering Platform

Post by Thunder93 »

You figured out my secret! heh

Re: Windows Filtering Platform

Post by JHPJHP »

... and I think I figured out the other secret as well - at least the 10 or so tests I performed indicate so, but I'm sure if I'm wrong - I will know shortly. :P

Code:

Select #True
  Case Bool(FindString(replacedata, "/images/logopb.gif") > 0)
    replacedata = ReplaceString(replacedata, "/images/logopb.gif", "/images/de.png")
  Case Bool(FindString(replacedata, "/images/box.png") > 0)
    replacedata = ReplaceString(replacedata, "/images/box.png", "/images/de.png")
  Default
    ; no match: re-inject the packet unchanged and fetch the next one
    DivertSend(hWndDivert, *pPacket, recvLen, @pAddr, #Null)
    Continue
EndSelect
; pOffset is negative when the replaced string is longer than the original payload
pOffset = (pDataLen - StringByteLength(replacedata)) * 2

If pOffset < 0
  ; same expression as pOffset, so the (negative) difference is applied to the length
  replacelength = SizeOf(DATAPACKET) + StringByteLength(replacedata) + pOffset
Else
  replacelength = SizeOf(DATAPACKET) + StringByteLength(replacedata)
EndIf
Last edited by JHPJHP on Fri Oct 04, 2013 1:53 am, edited 1 time in total.


Re: Windows Filtering Platform

Post by Thunder93 »

Very good. Nice job on that.

Re: Windows Filtering Platform

Post by Thunder93 »

I know you hadn't. What I meant by your original... your first version. :wink:
JHPJHP wrote: I never said... Really like the Windivert.h :!:

Re: Windows Filtering Platform

Post by Thunder93 »

The updated filter string wasn't the magic fix.

The filter string changes only narrow it down to the type of packets we're looking for. Regardless.. the crash doesn't happen until after there is the right packet that contains data and has a matching string, followed by the packet manipulations. The other undesirable packets are simply re-injected; nothing has been altered and no crash results from that. :wink:

JHPJHP wrote: The magic fix is your filter (not crashing with browser pre-opened to PureBasic):
"(ip.SrcAddr == 88.191.144.148 or ip.DstAddr == 88.191.144.148) && tcp.Ack && tcp.PayloadLength > 0"

Re: Windows Filtering Platform

Post by JHPJHP »

Call me thick (ok don't) :) , but I'm not sure if you're telling me that there is still a bug, or it's working as best it can?

NB*: The Replace script was only to get you interested in the Assembly script I started. As you can see, the Payload has been reordered and saved to a structure - it "only" needs to be reassembled. I'll be busy this weekend, but I hope to have a gzip (inflate / deflate) script early next week... unless you beat me to the punch. :mrgreen:

Stuff:
http://tools.ietf.org/html/rfc815
http://en.wikipedia.org/wiki/Network_packet
http://en.wikipedia.org/wiki/IP_fragmentation


Re: Windows Filtering Platform

Post by Thunder93 »

I was referring to the magic fix and the misconception that the WinDivert filter string update was the magic fix for the code I posted earlier today, fixing the stability problems that we were experiencing from running that original / first version of the code that you posted http://www.purebasic.fr/english/viewtop ... 29#p426929.

To prevent the browser from crashing, we had to address the lengths. Once this had been addressed the crashing was gone and then I also slapped on the new filter string before posting.


Regarding your latest hosted downloadable code and the latest patches, yours is rock solid and good looking code too. Good job on that!

The Assembly script looks awesome too. :o

Re: Windows Filtering Platform

Post by JHPJHP »

I think this needs a fresh pair of eyes / fresh perspective (bear in mind that the code is in "Mid-Test-State"):

This line is to exit the Forever loop when the last packet is received - we will have to come up with a clean Break later - modify it to fit your needs.

Code:

If pCount = 13 : Break : EndIf
- BuildPayload() Procedure added
-- orders the packets
-- combines the packet memory (all or whatever count you set @ the Break)
-- creates a file: PureBasic.deflate (this could be the problem - needs to be decoded in memory?)

Website I'm using to test with (GZIP-compatible encoding needs to be checked - I guess?): http://i-tools.org/gzip
(this could be the problem - compression is not compatible?)

- testing data @ the website to confirm that I'm on the right track, but only receiving a garbled mess; I wasn't expecting a fully intact webpage, but I was hoping for some partially readable text.

Code:

#DIVERT_LAYER_NETWORK = 0
#DIVERT_PRIORITY_DEFAULT = 0
#DIVERT_FLAG_SNIFF = 1
#MAXBUF = $FFFF

Structure DIVERT_ADDRESS
  IfIdx.l
  SubIfIdx.l
  Direction.a
EndStructure

; Mirrors WinDivert's DIVERT_IPHDR (20 bytes); multi-byte fields are in network byte order
Structure DIVERT_IPHDR
  StructureUnion
    HdrLength.a
    Version.a
  EndStructureUnion
  TOS.a
  Length.u
  Id.u
  FragOff0.u   ; 3 flag bits (reserved, DF, MF) + 13-bit fragment offset
  TTL.a
  Protocol.a
  Checksum.u
  SrcAddr.l
  DstAddr.l
EndStructure

; Mirrors WinDivert's DIVERT_TCPHDR (20 bytes); the flag bits share a single byte
Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

; One captured payload: the IP Id used as sort key and a private copy of the bytes
Structure PAYLOAD
  Id.u
  *ppData      ; allocated copy, freed in BuildPayload()
  pDataLen.l
EndStructure

Prototype protoDivertOpen(filter.s, layer, priority.u, flags.q)
Global DivertOpen.protoDivertOpen

Prototype.b protoDivertRecv(handle, *pPacket, packetLen, pAddr, recvLen)
Global DivertRecv.protoDivertRecv

Prototype.b protoDivertHelperParsePacket(*pPacket, packetLen, *ppIpHdr, *ppIpv6Hdr, *ppIcmpHdr, *ppIcmpv6Hdr, *ppTcpHdr, *ppUdpHdr, *ppData, pDataLen)
Global DivertHelperParsePacket.protoDivertHelperParsePacket

Prototype.b protoDivertClose(handle)
Global DivertClose.protoDivertClose

Global Dim pPL.PAYLOAD(0)

Procedure BuildPayload()
  ; order the captured payloads by IP Id, then concatenate them into one buffer
  SortStructuredArray(pPL(), #PB_Sort_Ascending, OffsetOf(PAYLOAD\Id), TypeOf(PAYLOAD\Id))

  ; ArraySize() returns the highest index, so loop up to it (not minus one) to include the last packet
  For pCount = 0 To ArraySize(pPL())
    Debug Str(pPL(pCount)\Id) + " (" + Str(pPL(pCount)\pDataLen) + ")"
    Debug "---------------"

    If *Payload = #Null
      plSize = 0
      *Payload = AllocateMemory(pPL(pCount)\pDataLen)
    Else
      plSize = MemorySize(*Payload)
      *Payload = ReAllocateMemory(*Payload, plSize + pPL(pCount)\pDataLen)
    EndIf
    CopyMemory(pPL(pCount)\ppData, *Payload + plSize, pPL(pCount)\pDataLen)
    FreeMemory(pPL(pCount)\ppData)   ; the per-packet copy is no longer needed
  Next

  If CreateFile(0, "PureBasic.deflate")
    WriteData(0, *Payload, MemorySize(*Payload))
    CloseFile(0)
  EndIf
  FreeMemory(*Payload)
EndProcedure

WinDivert = OpenLibrary(#PB_Any, "WinDivert.dll")

If IsLibrary(WinDivert)
  DivertOpen = GetFunction(WinDivert, "DivertOpen")
  DivertSetParam = GetFunction(WinDivert, "DivertSetParam")
  DivertRecv = GetFunction(WinDivert, "DivertRecv")
  DivertHelperParsePacket = GetFunction(WinDivert, "DivertHelperParsePacket")
  DivertClose = GetFunction(WinDivert, "DivertClose")
  filter.s = "(ip.SrcAddr == 88.191.144.148 || ip.DstAddr == 88.191.144.148) && tcp.PayloadLength > 0"
  ; SNIFF mode only copies matching packets; nothing is diverted or modified
  hWndDivert = DivertOpen(filter, #DIVERT_LAYER_NETWORK, #DIVERT_PRIORITY_DEFAULT, #DIVERT_FLAG_SNIFF)

  If hWndDivert <> #INVALID_HANDLE_VALUE
    pAddr.DIVERT_ADDRESS
    *ppIpHdr.DIVERT_IPHDR
    *ppTcpHdr.DIVERT_TCPHDR
    RunProgram("iexplore", "http://www.purebasic.com/", "")

    Repeat
      *pPacket = AllocateMemory(#MAXBUF)

      If DivertRecv(hWndDivert, *pPacket, #MAXBUF, @pAddr, @recvLen)
        ; the header and data pointers returned here all point inside *pPacket
        DivertHelperParsePacket(*pPacket, recvLen, @*ppIpHdr, #Null, #Null, #Null, @*ppTcpHdr, #Null, @*ppData, @pDataLen)

        If *ppData
          PacketData.s = PeekS(*ppData, pDataLen, #PB_UTF8)

          If FindString(PacketData, "HTTP") = 0
            Redim pPL(pCount)
            pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
            ; copy the payload out of *pPacket: that buffer is freed at the end of
            ; the loop, so keeping the raw *ppData pointer would leave it dangling
            pPL(pCount)\ppData = AllocateMemory(pDataLen)
            CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
            pPL(pCount)\pDataLen = pDataLen
            pCount + 1

            If pCount = 13 : Break : EndIf

          EndIf
        EndIf
      EndIf
      FreeMemory(*pPacket)
    ForEver
    DivertClose(hWndDivert)
  EndIf
  CloseLibrary(WinDivert)
  RunProgram("sc", "stop WinDivert1.0", "", #PB_Program_Hide)
  RunProgram("sc", "delete WinDivert1.0", "", #PB_Program_Hide)
  BuildPayload()
EndIf

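An added example in C (written for this edit; not JHPJHP's code and not part of WinDivert) showing what a payload collector has to do that BuildPayload() above does not: the IPv4 Id field exists for fragment reassembly, so the order of TCP data is given by sequence numbers, not by Id. The block orders captured segments by sequence number relative to the ISN (so the 32-bit wrap is handled), drops retransmitted duplicates, and stops at a hole instead of gluing bytes that cannot be placed yet. The segments, their IP Ids and the ISN are constructed; concat_by_ip_id() mirrors the sort-by-Id-then-concatenate approach on the same input for contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One captured segment: ip_id is what PAYLOAD\Id holds in the thread, seq is
   the TCP sequence number of the first payload byte (host byte order). */
typedef struct { uint16_t ip_id; uint32_t seq; const uint8_t *data; size_t len; } tcp_segment;

/* Sequence numbers wrap at 2^32, so compare them relative to the stream's
   initial sequence number (ISN); unsigned subtraction handles the wrap. */
static uint32_t g_isn;
static int cmp_rel_seq(const void *pa, const void *pb)
{
    uint32_t a = ((const tcp_segment *)pa)->seq - g_isn, b = ((const tcp_segment *)pb)->seq - g_isn;
    return (a > b) - (a < b);
}
static int cmp_ip_id(const void *pa, const void *pb)
{
    uint16_t a = ((const tcp_segment *)pa)->ip_id, b = ((const tcp_segment *)pb)->ip_id;
    return (a > b) - (a < b);
}

/* Reassemble one direction of a TCP stream. isn is the sequence number of the
   first payload byte (SYN seq + 1). Bytes already delivered (retransmissions,
   overlaps) are skipped; at a hole (a segment not yet seen) assembly stops and
   *hole is set, because later bytes cannot be placed yet. Returns bytes written. */
size_t tcp_reassemble(tcp_segment *segs, size_t n, uint32_t isn, uint8_t *out, size_t out_cap, int *hole)
{
    size_t written = 0;
    uint32_t need = 0;                        /* relative offset of the next byte */
    *hole = 0;
    g_isn = isn;
    qsort(segs, n, sizeof *segs, cmp_rel_seq);
    for (size_t i = 0; i < n; i++) {
        uint32_t start = segs[i].seq - isn, end = start + (uint32_t)segs[i].len;
        if (end <= need) continue;            /* entirely duplicated */
        if (start > need) { *hole = 1; break; }
        size_t skip = need - start;           /* partial overlap */
        size_t take = segs[i].len - skip;
        if (take > out_cap - written) take = out_cap - written;
        memcpy(out + written, segs[i].data + skip, take);
        written += take;
        need += (uint32_t)take;
    }
    return written;
}

/* The thread's approach, for contrast: sort by IPv4 Id and concatenate. */
size_t concat_by_ip_id(tcp_segment *segs, size_t n, uint8_t *out, size_t out_cap)
{
    size_t written = 0;
    qsort(segs, n, sizeof *segs, cmp_ip_id);
    for (size_t i = 0; i < n && segs[i].len <= out_cap - written; i++) {
        memcpy(out + written, segs[i].data, segs[i].len);
        written += segs[i].len;
    }
    return written;
}

/* Constructed capture: one response split into three segments seen out of
   order, plus a retransmitted copy of the middle one. The IP Ids on purpose do
   not follow byte order, and the ISN sits just below the 32-bit wrap. */
#define DEMO_ISN 0xFFFFFFF0u
static const uint8_t seg_a[] = "Hello, ", seg_b[] = "WinDivert! ", seg_c[] = "Reassembly works.";
static char g_text[64];
static int g_last_hole;

static size_t demo_segments(tcp_segment *segs, int drop_b)
{
    size_t n = 0;
    segs[n++] = (tcp_segment){ 1, DEMO_ISN + 18, seg_c, 17 };
    if (!drop_b) segs[n++] = (tcp_segment){ 3, DEMO_ISN + 7, seg_b, 11 };
    segs[n++] = (tcp_segment){ 2, DEMO_ISN, seg_a, 7 };
    if (!drop_b) segs[n++] = (tcp_segment){ 4, DEMO_ISN + 7, seg_b, 11 };
    return n;
}

/* Text reassembled by sequence number; drop_b simulates a lost segment. */
const char *demo_by_seq(int drop_b)
{
    tcp_segment segs[4];
    size_t n = demo_segments(segs, drop_b);
    size_t len = tcp_reassemble(segs, n, DEMO_ISN, (uint8_t *)g_text, sizeof g_text - 1, &g_last_hole);
    g_text[len] = '\0';
    return g_text;
}
int demo_last_hole(void) { return g_last_hole; }

/* Same segments glued in IP Id order: readable pieces, wrong sequence. */
const char *demo_by_ip_id(void)
{
    tcp_segment segs[4];
    size_t n = demo_segments(segs, 0);
    size_t len = concat_by_ip_id(segs, n, (uint8_t *)g_text, sizeof g_text - 1);
    g_text[len] = '\0';
    return g_text;
}

int main(void)
{
    const char *t = demo_by_seq(0);
    printf("by seq   : \"%s\" hole=%d\n", t, demo_last_hole());
    t = demo_by_seq(1);
    printf("missing b: \"%s\" hole=%d\n", t, demo_last_hole());
    printf("by IP Id : \"%s\"\n", demo_by_ip_id());
    return 0;
}
```

A collector that stops at a hole and waits for the retransmission is also what a passive monitor such as an IDS does; gluing whatever arrived, in whatever order, is where the "garbled mess" comes from even before any gzip decoding is attempted.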

Re: Windows Filtering Platform

Post by Thunder93 »

I was AFK all day. Returned home an hour ago, about to get a little something to eat.

Edit: Will have time to experiment, will get back to you on this. :D

Re: Windows Filtering Platform

Post by Thunder93 »

JHPJHP.. I'm puzzled. All I'm seeing returned from the IP Flags is 'More Fragments' set and Fragment Offset is always 0. :?

Re: Windows Filtering Platform

Post by JHPJHP »

I'm the puzzled one, and there's only enough room in here for one of us. :)

... It's my incomplete understanding of packets, but if I get a push in the right direction :wink: I'll be able to write something useful.
- I figured the packets without HTTP in the header (URI), would contain the rest of the payload (text and such) gzip compressed; the size returned from the "filtered" packets seemed to indicate as much - or so I thought?


Re: Windows Filtering Platform

Post by Thunder93 »

Something's wrong..... All that's being returned from the IP flag & offset field is 64 which is MF flag set. Absolutely NOTHING else throughout the entire run will show.

--- What we should be seeing
* The last fragment has a non-zero Fragment Offset field, differentiating it from an unfragmented packet.
* The more fragments (MF) flag is set for all segments except the last one, which is set to 0.
---

Is there something wrong with WinDivert? Or PB storing and reading?

JHPJHP wrote: I'm the puzzled one, and there's only enough room in here for one of us. :)

... It's my incomplete understanding of packets, but if I get a push in the right direction :wink: I'll be able to write something useful.
- I figured the packets without HTTP in the header (URI), would contain the rest of the payload (text and such) gzip compressed; the size returned from the "filtered" packets seemed to indicate as much - or so I thought?
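An added example in C (written for this edit; not the thread's or WinDivert's code) that decodes the IPv4 flags / fragment-offset field the DIVERT_IPHDR structure above stores as FragOff0. Per RFC 791 the field is 16 bits in network byte order: the reserved bit is 0x8000, DF (Don't Fragment) is 0x4000, MF (More Fragments) is 0x2000, and the low 13 bits are the offset in 8-byte units. Read as a little-endian 16-bit value on x86, the wire bytes 0x40 0x00 come out as the integer 64, and decoding them gives DF set, MF clear, offset 0, which is the normal state of a TCP segment that was never fragmented. The sample header bytes and fragment offsets are constructed (checksum left zero, private addresses).

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 flags / fragment offset field (header bytes 6-7), RFC 791:
   bit 0 reserved, bit 1 DF (Don't Fragment), bit 2 MF (More Fragments),
   remaining 13 bits = fragment offset in 8-byte units. */
#define IP_FLAG_RESERVED 0x8000u
#define IP_FLAG_DF       0x4000u
#define IP_FLAG_MF       0x2000u
#define IP_OFFSET_MASK   0x1FFFu

typedef struct {
    int reserved, df, mf;
    unsigned offset_units;   /* as carried on the wire */
    unsigned offset_bytes;   /* offset_units * 8 */
} ip_frag_info;

/* Decode from the two raw header bytes, independent of host endianness. */
ip_frag_info decode_frag_bytes(uint8_t hi, uint8_t lo)
{
    uint16_t field = (uint16_t)((hi << 8) | lo);
    ip_frag_info f;
    f.reserved = (field & IP_FLAG_RESERVED) != 0;
    f.df = (field & IP_FLAG_DF) != 0;
    f.mf = (field & IP_FLAG_MF) != 0;
    f.offset_units = field & IP_OFFSET_MASK;
    f.offset_bytes = f.offset_units * 8;
    return f;
}

/* Decode a value obtained by reading the 16-bit field as little-endian host
   order (what a plain 16-bit read of FragOff0 gives on x86): swap the bytes
   first. A raw 64 read this way is the wire bytes 0x40 0x00. */
ip_frag_info decode_frag_le_read(uint16_t le_value)
{
    return decode_frag_bytes((uint8_t)(le_value & 0xFF), (uint8_t)(le_value >> 8));
}

/* Decode directly from a pointer to a 20-byte IPv4 header. */
ip_frag_info decode_frag_header(const uint8_t *ip_hdr)
{
    return decode_frag_bytes(ip_hdr[6], ip_hdr[7]);
}

/* 0 = not fragmented, 1 = first fragment, 2 = middle fragment, 3 = last fragment */
int fragment_kind(ip_frag_info f)
{
    if (!f.mf && f.offset_units == 0) return 0;
    if (f.mf && f.offset_units == 0) return 1;
    if (f.mf) return 2;
    return 3;
}

static void show(const char *label, ip_frag_info f)
{
    printf("%-14s DF=%d MF=%d offset=%u bytes kind=%d\n",
           label, f.df, f.mf, f.offset_bytes, fragment_kind(f));
}

int main(void)
{
    /* Constructed IPv4 header of an unfragmented TCP segment (checksum left zero). */
    const uint8_t tcp_hdr[20] = { 0x45, 0x00, 0x00, 0x3C, 0x1C, 0x46, 0x40, 0x00,
                                  0x40, 0x06, 0x00, 0x00, 0xC0, 0xA8, 0x00, 0x01,
                                  0xC0, 0xA8, 0x00, 0xC7 };
    show("tcp, DF", decode_frag_header(tcp_hdr));
    show("LE read of 64", decode_frag_le_read(64));
    show("first frag", decode_frag_bytes(0x20, 0x00));
    show("middle frag", decode_frag_bytes(0x20, 0xB9));   /* offset 185*8 = 1480 */
    show("last frag", decode_frag_bytes(0x01, 0x72));     /* offset 370*8 = 2960 */
    return 0;
}
```

Seeing only DF with offset 0 for an entire run is consistent with a capture of TCP traffic: a sender that sets DF relies on path MTU discovery and TCP segmentation instead of IP fragmentation, so a large HTTP response arrives as many full IP packets, each with its own TCP sequence number, rather than as fragments of one datagram.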

Re: Windows Filtering Platform

Post by JHPJHP »

Sorry for the delay, I'm trying to think of something useful to contribute, as you have a deeper understanding than I do concerning the correct Packet response.

- have you tried removing all restrictions / filters
- changing the URL to something other than PureBasic

... things along these lines?
