Windows Filtering Platform

[Thunder93]

No problem.

I actually even changed the filter string to simply 'true' for everything, ... even that didn't help. Other suggestion is irrelevant as I'm doing...

Code: Select all

         FragOff0.l = *ppIpHdr\FragOff0         
         Debug FragOff0

before the string matching.

[JHPJHP]

Not that it will make a difference, but it should be:

Code: Select all

FragOff0.u = PeekU(@*ppIpHdr\FragOff0)
Debug "ppIpHdr\FragOff0 (" + RSet(Bin((FragOff0)), 8, "0") + ")"

[Thunder93]

Yea. I had a .u but I was trying something else.

[JHPJHP]

I Should have figured so, we worked on this together - I'm just grasping at straws.

[Thunder93]

Alright... Nothing wrong with the values. I knew I had a heat stroke... I'm remembering things now.

Going to get well rested and I'll be back on this project.

[JHPJHP]

When your back at it, can you test the following code:
( have a great weekend )

- I think this should be returning 16 bits

Code: Select all

FragOff0.u = PeekU(@*ppIpHdr\FragOff0)

- if so then this makes more sense

Code: Select all

FragOff0.u = ntohs_(PeekU(@*ppIpHdr\FragOff0))

- which would take this

Code: Select all

FragOff0.u = PeekU(@*ppIpHdr\FragOff0)
Debug "ppIpHdr\FragOff0 (" + RSet(Bin(FragOff0), 8, "0") + ")"
Debug "--Bit 0 (Reseverd): " + Str((FragOff0 & $0080) >> 7)
Debug "--Bit 1 (May Fragment = 0 / Don't Fragment = 1): " + Str((FragOff0 & $0040) >> 6)
Debug "--Bit 2 (Last Fragment = 0 / More Fragments = 1): " + Str((FragOff0 & $0020) >> 5)
Debug "--Fragment Offset: " + Str(ntohs_(FragOff0 & $FF1F) * 8)

- to something like this

Code: Select all

FragOff0.u = ntohs_(PeekU(@*ppIpHdr\FragOff0))
Debug "ppIpHdr\FragOff0 (" + RSet(Bin(FragOff0), 16, "0") + ")"
Debug "--Bit 0 (Reseverd): " + Str(FragOff0 >> 15 & %1)
Debug "--Bit 1 (May Fragment = 0 / Don't Fragment = 1): " + Str(FragOff0 >> 14 & %1)
Debug "--Bit 2 (Last Fragment = 0 / More Fragments = 1): " + Str(FragOff0 >> 13 & %1)
Debug "--Fragment Offset: " + Str(FragOff0 >> 12 * 8)

[Thunder93]

It does return 16bits. .u is 2bytes or 16bits, 8bits equals 1 byte.

You are just reading it different but still works except that the offset needs to be 0 until there is an offset value other-than 0.

JHPJHP Update:
ppIpHdr\FragOff0 (0100000000000000)
--Bit 0 (Reseverd): 0
--Bit 1 (May Fragment = 0 / Don't Fragment = 1): 1
--Bit 2 (Last Fragment = 0 / More Fragments = 1): 0
--Fragment Offset: 32
-------------------------------------------------------------------------

Original
ppIpHdr\FragOff0
_Flags: 0
--Bit 0 (Reseverd): 0
--Bit 1 (May Fragment = 0 / Don't Fragment = 1): 1
--Bit 2 (Last Fragment = 0 / More Fragments = 1): 0
--Fragment Offset: 0
=====================================

[JHPJHP]

I agree, but I think it's backwards (works with an RSet of 8, not 16):

Code: Select all

FragOff0.u = PeekU(@*ppIpHdr\FragOff0)
Debug "ppIpHdr\FragOff0 (" + RSet(Bin(FragOff0), 16, "0") + ")"

We worked around the script, instead of with it - but tomato...

[Thunder93]

Windivert - divert.h uses....

Code: Select all

#define DIVERT_IPHDR_GET_FRAGOFF(hdr)                       \
    (((hdr)->FragOff0) & 0xFF1F)
#define DIVERT_IPHDR_GET_MF(hdr)                            \
    ((((hdr)->FragOff0) & 0x0020) != 0)
#define DIVERT_IPHDR_GET_DF(hdr)                            \
    ((((hdr)->FragOff0) & 0x0040) != 0)
#define DIVERT_IPHDR_GET_RESERVED(hdr)                      \
    ((((hdr)->FragOff0) & 0x0080) != 0)

And ported to PureBasic...

Code: Select all

Macro  DIVERT_IPHDR_GET_FRAGOFF
 (*pIpHdr \FragOff0 & $FF1F)
EndMacro

Macro DIVERT_IPHDR_GET_MF
  ((*pIpHdr\FragOff0 & $0020) >> 5)
EndMacro

Macro DIVERT_IPHDR_GET_DF
   ((*pIpHdr\FragOff0 & $0040) >> 6)
 EndMacro
 
 Macro  DIVERT_IPHDR_GET_RESERVED
  ((*pIpHdr\FragOff0 & $0080) >> 7)
EndMacro

It's all good.. I tested it out thoroughly.

[JHPJHP]

Sorry to belabor the point, but it doesn't make sense that we are "reversing" the last 13 bits, but not the first 3 bits:

Code: Select all

Debug "--Fragment Offset: " + Str(ntohs_(FragOff0 & $FF1F) * 8)

Like I have said in the past - I fully trust your tests - I just think it makes more sense the other way (results would be the same).

[Thunder93]

No, with the macro I do read it like that.... ntohs_(DIVERT_IPHDR_GET_FRAGOFF)

[Thunder93]

The same goes while I using the original code...

FragOff0.u = PeekU(@*ppIpHdr\FragOff0)
FragCalc1.l = (FragOff0 & $0080) >> 7 : FragCalc2.l = (FragOff0 & $0040) >> 6
FragCalc3.l = (FragOff0 & $0020) >> 5 : FragCalc4.l = ntohs_(FragOff0 & $FF1F) * 8

[JHPJHP]

I have to be missing something, because your 2nd example is what I'm talking about:
- also why .l (long)

*** I'm not saying your wrong, it just doesn't look right to me ***

FragOff0.u = PeekU(@*ppIpHdr\FragOff0) - Big Endian
- FragCalc1.l = (FragOff0 & $0080) >> 7
- FragCalc2.l = (FragOff0 & $0040) >> 6
- FragCalc3.l = (FragOff0 & $0020) >> 5

(First 3 bits - no ntohs)

FragCalc4.l = ntohs_(FragOff0 & $FF1F) * 8

(last 13 bits - using ntohs)

[Thunder93]

the byte order is big-endian (leftmost byte is sent first), but bit order little-endian (rigthmost, or LSB (Least Significant Bit) of the byte is sent first).

[JHPJHP]

Of course your right - thank you for your patience - and explanations.

-------------------------------------------------------------

It will probably help your testing to have the correct data - replace with the following code:

Code: Select all

If FindString(PacketData, "HTTP") = 0
  ReDim pPL(pCount)
  pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
  pPL(pCount)\ppData = AllocateMemory(pDataLen)
  CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
  pPL(pCount)\pDataLen = pDataLen
  pCount + 1

  If pCount = 13 : Break : EndIf

EndIf