Windows Filtering Platform

Thunder93
Addict
Posts: 1788
Joined: Tue Mar 21, 2006 12:31 am
Location: Canada

Re: Windows Filtering Platform

Post by Thunder93 »

No problem and anytime..

damn... I'm still running on low battery! :P
ʽʽSuccess is almost totally dependent upon drive and persistence. The extra energy required to make another effort or try another approach is the secret of winning.ʾʾ --Dennis Waitley
JHPJHP
Addict
Posts: 2257
Joined: Sat Oct 09, 2010 3:47 am

Re: Windows Filtering Platform

Post by JHPJHP »

I did some quick searches, not much time this weekend for anything else, but maybe this will help? I should be back at it on Monday.
ts-soft: http://www.forums.purebasic.com/english ... 13&t=39728 (one of your older posts)
idle: http://www.purebasic.fr/english/viewtop ... hilit=gzip
Last edited by JHPJHP on Sun Oct 06, 2013 3:31 am, edited 1 time in total.

If you're not investing in yourself, you're falling behind.

My PureBasic Stuff ➤ FREE STUFF, Scripts & Programs.
My PureBasic Forum ➤ Questions, Requests & Comments.
Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

Thanks. I will post if I run into any problems. :wink:
Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

Decompression is low priority; more important things need to be done first. What I'm making available here is demonstration code, and it is not implied that this is the proper way to handle HTTP data, but hopefully it is something to get you started in the right direction. I sort of cheated a little by not following proper protocol. If you run this, let the browser open and load the page, then wait a moment or two for the FIN; that's the trigger to build the PureBasic.deflate file. Now view the file contents and you should see parts that are understandable. :)

Code:

#DIVERT_LAYER_NETWORK = 0
#DIVERT_PRIORITY_DEFAULT = -1000
#DIVERT_FLAG_SNIFF = 1
#MAXBUF = $FFFF

Structure DIVERT_ADDRESS
  IfIdx.l
  SubIfIdx.l
  Direction.a
EndStructure

Structure DIVERT_IPHDR
  StructureUnion
    HdrLength.a
    Version.a
  EndStructureUnion
  TOS.a
  Length.u
  Id.u
  FragOff0.u
  TTL.a
  Protocol.a
  Checksum.u
  SrcAddr.l
  DstAddr.l
EndStructure

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

Structure PAYLOAD
  Id.u
  *ppData
  pDataLen.l
EndStructure

Prototype protoDivertOpen(filter.s, layer, priority.u, flags.q)
Global DivertOpen.protoDivertOpen

Prototype.b protoDivertRecv(handle, *pPacket, packetLen, pAddr, recvLen)
Global DivertRecv.protoDivertRecv

Prototype.b protoDivertHelperParsePacket(*pPacket, packetLen, *ppIpHdr, *ppIpv6Hdr, *ppIcmpHdr, *ppIcmpv6Hdr, *ppTcpHdr, *ppUdpHdr, *ppData, pDataLen)
Global DivertHelperParsePacket.protoDivertHelperParsePacket

Prototype.b protoDivertClose(handle)
Global DivertClose.protoDivertClose

Prototype.b protoDivertSetParam(handle, param, value.q)
Global DivertSetParam.protoDivertSetParam

Global Dim pPL.PAYLOAD(0)

Procedure BuildPayload()
  SortStructuredArray(pPL(), #PB_Sort_Ascending, OffsetOf(PAYLOAD\Id), TypeOf(PAYLOAD\Id))

  ; ReDim pPL(pCount) leaves ArraySize() equal to the last used index, so the
  ; loop runs to ArraySize() inclusive; entries without data are skipped
  For pCount = 0 To ArraySize(pPL())
    If pPL(pCount)\pDataLen = 0 : Continue : EndIf
    Debug Str(pPL(pCount)\Id) + " (" + Str(pPL(pCount)\pDataLen) + ")"
    Debug "---------------"

    If *Payload = #Null
      plSize = 0
      *Payload = AllocateMemory(pPL(pCount)\pDataLen)
    Else
      plSize = MemorySize(*Payload)
      *Payload = ReAllocateMemory(*Payload, plSize + pPL(pCount)\pDataLen)
    EndIf
    CopyMemory(pPL(pCount)\ppData, *Payload + plSize, pPL(pCount)\pDataLen)
  Next

  If *Payload ; nothing captured: no file, and no FreeMemory(0)
    If CreateFile(0, "PureBasic.deflate")
      WriteData(0, *Payload, MemorySize(*Payload))
      CloseFile(0)
    EndIf
    FreeMemory(*Payload)
  EndIf
EndProcedure

#DIVERT_PARAM_QUEUE_LEN = 0
#DIVERT_PARAM_QUEUE_TIME = 1


WinDivert = OpenLibrary(#PB_Any, "WinDivert.dll")

If IsLibrary(WinDivert)
  DivertOpen = GetFunction(WinDivert, "DivertOpen")
  DivertSetParam = GetFunction(WinDivert, "DivertSetParam")
  DivertRecv = GetFunction(WinDivert, "DivertRecv")
  DivertHelperParsePacket = GetFunction(WinDivert, "DivertHelperParsePacket")
  DivertClose = GetFunction(WinDivert, "DivertClose")

  filter.s = "inbound && (ip.SrcAddr == 88.191.144.148) && tcp.Ack";  && tcp.PayloadLength > 0"

  hWndDivert = DivertOpen(filter, #DIVERT_LAYER_NETWORK, #DIVERT_PRIORITY_DEFAULT, #DIVERT_FLAG_SNIFF)

  If hWndDivert <> #INVALID_HANDLE_VALUE
    pAddr.DIVERT_ADDRESS
    *ppIpHdr.DIVERT_IPHDR
    *ppTcpHdr.DIVERT_TCPHDR

    ; DivertSetParam takes the WinDivert handle, not the library handle
    DivertSetParam(hWndDivert, #DIVERT_PARAM_QUEUE_LEN, 8192)
    DivertSetParam(hWndDivert, #DIVERT_PARAM_QUEUE_TIME, 1024)

    RunProgram("iexplore", "http://www.purebasic.com/", "")

    Repeat
      *pPacket = AllocateMemory(#MAXBUF)

      If DivertRecv(hWndDivert, *pPacket, #MAXBUF, @pAddr, @recvLen)
        DivertHelperParsePacket(*pPacket, recvLen, @*ppIpHdr, #Null, #Null, #Null, @*ppTcpHdr, #Null, @*ppData, @pDataLen)
        ; free the buffer before skipping, otherwise every junk packet leaks #MAXBUF bytes
        If *ppIpHdr = #Null : Debug "warning: junk packet" : FreeMemory(*pPacket) : Continue : EndIf

        IPHdrLength.a = PeekA(@*ppIpHdr\HdrLength) & %1111
        IPLength.u = ntohs_(PeekU(@*ppIpHdr\Length))

        If *ppTcpHdr
          TCPHdrResv2.a = PeekA(@*ppTcpHdr\Reserved2)
        Else
          TCPHdrResv2 = 0
        EndIf

        ; only keep segments that actually carry data (pure ACKs have pDataLen = 0)
        If *ppData And *ppTcpHdr And pDataLen > 0
          ReDim pPL(pCount)
          pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
          pPL(pCount)\ppData = AllocateMemory(pDataLen)
          CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
          pPL(pCount)\pDataLen = pDataLen
          pCount + 1
        EndIf

        ; bit 0 of the flags byte is FIN: the server has finished sending
        If (TCPHdrResv2 & %1) : Debug "We know this Ended" : Break : EndIf

      EndIf

      FreeMemory(*pPacket)
    ForEver : Debug "Finished"
    DivertClose(hWndDivert)
  EndIf
  CloseLibrary(WinDivert)
  RunProgram("sc", "stop WinDivert1.0", "", #PB_Program_Hide)
  RunProgram("sc", "delete WinDivert1.0", "", #PB_Program_Hide)
  BuildPayload()
EndIf
JHPJHP wrote: I think this needs a fresh pair of eyes / fresh perspective (bear in mind that the code is in "Mid-Test-State"):

This line is to exit the Forever loop when the last packet is received - we will have to come up with a clean Break later - modify it to fit your needs.

Code:

If pCount = 13 : Break : EndIf

- BuildPayload() Procedure added
-- orders the packets
-- combines the packet memory (all or whatever count you set @ the Break)
-- creates a file: PureBasic.deflate (this could be the problem - needs to be decoded in memory?)

Website I'm using to test with (GZIP-compatible encoding needs to be checked - I guess?): http://i-tools.org/gzip
(this could be the problem - compression is not compatible?)

- testing data @ the website to confirm that I'm on the right track, but only receiving a garbled mess; I wasn't expecting a fully intact webpage, but I was hoping for some partially readable text.

Code:

#DIVERT_LAYER_NETWORK = 0
#DIVERT_PRIORITY_DEFAULT = 0
#DIVERT_FLAG_SNIFF = 1
#MAXBUF = $FFFF

Structure DIVERT_ADDRESS
  IfIdx.l
  SubIfIdx.l
  Direction.a
EndStructure

Structure DIVERT_IPHDR
  StructureUnion
    HdrLength.a
    Version.a
  EndStructureUnion
  TOS.a
  Length.u
  Id.u
  FragOff0.u
  TTL.a
  Protocol.a
  Checksum.u
  SrcAddr.l
  DstAddr.l
EndStructure

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

Structure PAYLOAD
  Id.u
  *ppData
  pDataLen.l
EndStructure

Prototype protoDivertOpen(filter.s, layer, priority.u, flags.q)
Global DivertOpen.protoDivertOpen

Prototype.b protoDivertRecv(handle, *pPacket, packetLen, pAddr, recvLen)
Global DivertRecv.protoDivertRecv

Prototype.b protoDivertHelperParsePacket(*pPacket, packetLen, *ppIpHdr, *ppIpv6Hdr, *ppIcmpHdr, *ppIcmpv6Hdr, *ppTcpHdr, *ppUdpHdr, *ppData, pDataLen)
Global DivertHelperParsePacket.protoDivertHelperParsePacket

Prototype.b protoDivertClose(handle)
Global DivertClose.protoDivertClose

Global Dim pPL.PAYLOAD(0)

Procedure BuildPayload()
  SortStructuredArray(pPL(), #PB_Sort_Ascending, OffsetOf(PAYLOAD\Id), TypeOf(PAYLOAD\Id))

  ; ReDim pPL(pCount) leaves ArraySize() equal to the last used index, so the
  ; loop runs to ArraySize() inclusive; entries without data are skipped
  For pCount = 0 To ArraySize(pPL())
    If pPL(pCount)\pDataLen = 0 : Continue : EndIf
    Debug Str(pPL(pCount)\Id) + " (" + Str(pPL(pCount)\pDataLen) + ")"
    Debug "---------------"

    If *Payload = #Null
      plSize = 0
      *Payload = AllocateMemory(pPL(pCount)\pDataLen)
    Else
      plSize = MemorySize(*Payload)
      *Payload = ReAllocateMemory(*Payload, plSize + pPL(pCount)\pDataLen)
    EndIf
    CopyMemory(pPL(pCount)\ppData, *Payload + plSize, pPL(pCount)\pDataLen)
  Next

  If *Payload ; nothing captured: no file, and no FreeMemory(0)
    If CreateFile(0, "PureBasic.deflate")
      WriteData(0, *Payload, MemorySize(*Payload))
      CloseFile(0)
    EndIf
    FreeMemory(*Payload)
  EndIf
EndProcedure

WinDivert = OpenLibrary(#PB_Any, "WinDivert.dll")

If IsLibrary(WinDivert)
  DivertOpen = GetFunction(WinDivert, "DivertOpen")
  DivertSetParam = GetFunction(WinDivert, "DivertSetParam")
  DivertRecv = GetFunction(WinDivert, "DivertRecv")
  DivertHelperParsePacket = GetFunction(WinDivert, "DivertHelperParsePacket")
  DivertClose = GetFunction(WinDivert, "DivertClose")
  filter.s = "(ip.SrcAddr == 88.191.144.148 || ip.DstAddr == 88.191.144.148) && tcp.PayloadLength > 0"
  hWndDivert = DivertOpen(filter, #DIVERT_LAYER_NETWORK, #DIVERT_PRIORITY_DEFAULT, #DIVERT_FLAG_SNIFF)

  If hWndDivert <> #INVALID_HANDLE_VALUE
    pAddr.DIVERT_ADDRESS
    *ppIpHdr.DIVERT_IPHDR
    *ppTcpHdr.DIVERT_TCPHDR
    RunProgram("iexplore", "http://www.purebasic.com/", "")

    Repeat
      *pPacket = AllocateMemory(#MAXBUF)

      If DivertRecv(hWndDivert, *pPacket, #MAXBUF, @pAddr, @recvLen)
        DivertHelperParsePacket(*pPacket, recvLen, @*ppIpHdr, #Null, #Null, #Null, @*ppTcpHdr, #Null, @*ppData, @pDataLen)

        ; *ppIpHdr is #Null for junk packets; skip those and any segment without data
        If *ppIpHdr And *ppData And pDataLen > 0
          PacketData.s = PeekS(*ppData, pDataLen, #PB_UTF8)

          If FindString(PacketData, "HTTP") = 0
            ReDim pPL(pCount)
            pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
            ; copy the payload: *ppData points into *pPacket, which is freed below
            pPL(pCount)\ppData = AllocateMemory(pDataLen)
            CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
            pPL(pCount)\pDataLen = pDataLen
            pCount + 1

            If pCount = 13 : Break : EndIf

          EndIf
        EndIf
      EndIf
      FreeMemory(*pPacket)
    ForEver
    DivertClose(hWndDivert)
  EndIf
  CloseLibrary(WinDivert)
  RunProgram("sc", "stop WinDivert1.0", "", #PB_Program_Hide)
  RunProgram("sc", "delete WinDivert1.0", "", #PB_Program_Hide)
  BuildPayload()
EndIf
Last edited by Thunder93 on Mon Oct 07, 2013 4:13 am, edited 2 times in total.
JHPJHP

Re: Windows Filtering Platform

Post by JHPJHP »

I hate to be the bearer of bad news, but it's returning the same results as my previous script. :cry:

For test purposes I filtered the results to only return the compressed data:

Code:

If FindString(PacketData, "HTTP") = 0

To see the same results as the code you posted - modify my original script to this (or leave it out altogether):

Code:

If FindString(PacketData, "HTTP") > 0

I guess I could have filtered for [ Content-Type: text/html ], including consecutive packets within a range of 2. But I wasn't worried about image data getting thrown into the mix, as long as I saw "some" results after being decompressed.

- if a Packet range started at 1222, then I would only grab the packets numbered 1223, 1225, 1231, etc., exiting if not within 2 of each other, or exiting after reading a packet size less-than 1460.

My intention was to return only the compressed data, creating a file to test with. Even if that meant taking the .deflate file and running it manually through a third party tool or website, trying to determine what would be needed to make it readable; decompression was my priority.

I do think your exit code has potential, but I have yet to be "started" in the right direction. :P

-------------------------------------------- UPDATE --------------------------------------------

Here is what I was talking about - returns the range of a segmented text packet assembled:
- filename changed to: tPacket.txt
- best viewed in Wordpad
- assumes your MTU is set to 1500 (1460 max packet size)

Code:

#DIVERT_LAYER_NETWORK = 0
#DIVERT_PRIORITY_DEFAULT = 0
#DIVERT_FLAG_SNIFF = 1
#MAXBUF = $FFFF

Structure DIVERT_ADDRESS
  IfIdx.l
  SubIfIdx.l
  Direction.a
EndStructure

Structure DIVERT_IPHDR
  StructureUnion
    HdrLength.a
    Version.a
  EndStructureUnion
  TOS.a
  Length.u
  Id.u
  FragOff0.u
  TTL.a
  Protocol.a
  Checksum.u
  SrcAddr.l
  DstAddr.l
EndStructure

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

Structure PAYLOAD
  Id.u
  AckNum.l
  *ppData
  pDataLen.l
EndStructure

Prototype protoDivertOpen(filter.s, layer, priority.u, flags.q)
Global DivertOpen.protoDivertOpen

Prototype.b protoDivertRecv(handle, *pPacket, packetLen, pAddr, recvLen)
Global DivertRecv.protoDivertRecv

Prototype.b protoDivertHelperParsePacket(*pPacket, packetLen, *ppIpHdr, *ppIpv6Hdr, *ppIcmpHdr, *ppIcmpv6Hdr, *ppTcpHdr, *ppUdpHdr, *ppData, pDataLen)
Global DivertHelperParsePacket.protoDivertHelperParsePacket

Prototype.b protoDivertClose(handle)
Global DivertClose.protoDivertClose

Global Dim pPL.PAYLOAD(0), AckNum

Procedure BuildPayload()
  pRange.b = #False
  SortStructuredArray(pPL(), #PB_Sort_Ascending, OffsetOf(PAYLOAD\Id), TypeOf(PAYLOAD\Id))

  ; ReDim pPL(pCount) leaves ArraySize() equal to the last used index, so run
  ; to ArraySize() inclusive and skip entries without data
  For pCount = 0 To ArraySize(pPL())
    If pPL(pCount)\pDataLen = 0 : Continue : EndIf
    PacketData.s = PeekS(pPL(pCount)\ppData, pPL(pCount)\pDataLen, #PB_UTF8)

    If FindString(PacketData, "Content-Type: text/html") > 0 Or pRange
      If pRange
        If pPL(pCount)\Id > pId + 2 : Break : Else : pId = pPL(pCount)\Id : EndIf
      Else
        pRange = #True
        pId = pPL(pCount)\Id
;        Continue
      EndIf
      Debug Str(pPL(pCount)\Id) + " (" + Str(pPL(pCount)\pDataLen) + ")"

      If AckNum = 0
        Debug "Acknowledgment Number FIRST"
      Else
        If pPL(pCount)\AckNum = AckNum : Debug "Acknowledgment Number MATCH" : Else : Debug "Acknowledgment Number ERROR" : EndIf
      EndIf
      AckNum = pPL(pCount)\AckNum
      Debug "---------------"

      If *Payload
        plSize = MemorySize(*Payload)
        *Payload = ReAllocateMemory(*Payload, plSize + pPL(pCount)\pDataLen)
      Else
        plSize = 0
        *Payload = AllocateMemory(pPL(pCount)\pDataLen)
      EndIf
      CopyMemory(pPL(pCount)\ppData, *Payload + plSize, pPL(pCount)\pDataLen)

      If pPL(pCount)\pDataLen < 1460 : Break : EndIf

    EndIf
  Next

  If *Payload ; nothing captured: no file, and no FreeMemory(0)
    If CreateFile(0, "tPacket.txt")
      WriteData(0, *Payload, MemorySize(*Payload))
      CloseFile(0)
    EndIf
    FreeMemory(*Payload)
  EndIf
EndProcedure

WinDivert = OpenLibrary(#PB_Any, "WinDivert.dll")

If IsLibrary(WinDivert)
  DivertOpen = GetFunction(WinDivert, "DivertOpen")
  DivertSetParam = GetFunction(WinDivert, "DivertSetParam")
  DivertRecv = GetFunction(WinDivert, "DivertRecv")
  DivertHelperParsePacket = GetFunction(WinDivert, "DivertHelperParsePacket")
  DivertClose = GetFunction(WinDivert, "DivertClose")
  filter.s = "inbound && ip.SrcAddr == 88.191.144.148 && tcp.Ack"
  hWndDivert = DivertOpen(filter, #DIVERT_LAYER_NETWORK, #DIVERT_PRIORITY_DEFAULT, #DIVERT_FLAG_SNIFF)

  If hWndDivert <> #INVALID_HANDLE_VALUE
    pAddr.DIVERT_ADDRESS
    *ppIpHdr.DIVERT_IPHDR
    *ppTcpHdr.DIVERT_TCPHDR
    RunProgram("iexplore", "http://www.purebasic.com/", "")

    Repeat
      *pPacket = AllocateMemory(#MAXBUF)

      If DivertRecv(hWndDivert, *pPacket, #MAXBUF, @pAddr, @recvLen)
        DivertHelperParsePacket(*pPacket, recvLen, @*ppIpHdr, #Null, #Null, #Null, @*ppTcpHdr, #Null, @*ppData, @pDataLen)

        If *ppIpHdr And *ppTcpHdr
          If *ppData And pDataLen > 0 ; pure ACKs carry no payload
            ReDim pPL(pCount)
            pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
            pPL(pCount)\AckNum = ntohl_(PeekL(@*ppTcpHdr\AckNum))
            pPL(pCount)\ppData = AllocateMemory(pDataLen)
            CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
            pPL(pCount)\pDataLen = pDataLen
            pCount + 1
          EndIf

          If PeekA(@*ppTcpHdr\Reserved2) & %1 : Break : EndIf

        EndIf
      EndIf
      FreeMemory(*pPacket)
    ForEver
    DivertClose(hWndDivert)
  EndIf
  CloseLibrary(WinDivert)
  RunProgram("sc", "stop WinDivert1.0", "", #PB_Program_Hide)
  RunProgram("sc", "delete WinDivert1.0", "", #PB_Program_Hide)
  BuildPayload()
EndIf
Last edited by JHPJHP on Mon Oct 07, 2013 2:40 am, edited 5 times in total.

Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

Apologies, I wasn't clear. I'm not worried about the decompression stage yet. It is important to get all the 'related' data streams, aka TCP segments. My posted version, while not nearly perfect for everything we want it to do, does do this for me, and if compression weren't used for all the content you'd see it.


Not everything is black and white. It is important to see and use the data response header messages to be handling the response body information appropriately.

Take note: the message "TCP segment" has nothing to do with IP fragmentation (however, this TCP segment may in its turn be IP fragmented). While it is important to cover IP fragmentation, and fairly simple to cover, I want to focus on the other aspects for now. Anyway, my packets are set with the DF flag and nothing IP-fragment related needs to be dealt with. Like mine, I bet, for instance, when doing the PB page test, your TCP packets aren't being 'IP fragmented'?


Alright. Back to data response header messages, please visit http://en.wikipedia.org/wiki/HTTP_response#Responses .... Especially look at the following responses... 'Accept-Ranges', * 'Content-Encoding', * 'Content-Type', * 'Content-Length', and especially 'Transfer-Encoding'.


I might not be explaining things in a way for another to understand; I'm not good at explaining things at times. The thing to remember is that you simply can't store every packet's data into a single structure field and think that you'll be able to handle it all with one specific one-step decompression method.
JHPJHP

Re: Windows Filtering Platform

Post by JHPJHP »

I appreciate the link - but I have a lot more reading to do before I'm at your level of understanding packets.

You're not the only one who has trouble being clear... I wrote fragmented but meant segmented :? ; my previous example took a text/html segmented packet and reassembled it.

That part was easy:
- the header told me what kind of packet I was dealing with
- the Id number told me the order of the packets
- the packet size (with the Id number) told me when the segment ended
- ...

A similar method could be used for every packet - ordering, reassembling, and subcategorizing the data of interest.
(note the REM'd out line: by including this line - it will remove the packet header - saving only the compressed payload to file)

Did you get a chance to run my previous example?
- I updated it to include your [ Break ] line, and your [ filter ] line changes
- I also included (Over-Kill) Acknowledgment Number verification

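The reassembly the two of you describe (order the segments, strip the response headers, then decompress), as an added Python example that is not part of this thread or of the PureBasic code above. It goes a little beyond the posted scripts: it orders by TCP sequence number rather than IP Id, keeps only segments sharing one ACK number, drops retransmitted bytes, and applies Transfer-Encoding (chunked) before Content-Encoding, accepting both the zlib-wrapped and raw forms of deflate; the segments, ACK/sequence values and page body are constructed here.

```python
import gzip
import zlib

HTML = b"<html><body><h1>PureBasic</h1></body></html>"  # constructed page body


def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, ack, payload) tuples.

    Orders by TCP sequence number (the stream's own byte order), keeps only
    segments sharing the ACK of the first data segment, drops retransmits.
    """
    data = [s for s in segments if s[2]]                  # drop pure ACK / FIN-only
    if not data:
        return b""
    ack = data[0][1]
    data = sorted((s for s in data if s[1] == ack), key=lambda s: s[0])
    stream, expected = bytearray(), data[0][0]
    for seq, _, payload in data:
        if seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seq}")
        if seq < expected:                                # retransmission / overlap
            payload = payload[expected - seq:]
            if not payload:
                continue
        stream += payload
        expected += len(payload)
    return bytes(stream)


def split_response(stream):
    """Separate status line and headers (lower-cased names) from the body."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response headers incomplete")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def dechunk(body):
    """Undo Transfer-Encoding: chunked (hex size CRLF data CRLF ... 0 CRLF CRLF)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)      # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2


def decode_body(headers, body):
    """Apply Transfer-Encoding first, then Content-Encoding."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if len(body) < length:
            raise ValueError(f"body truncated: {len(body)} of {length} bytes")
        body = body[:length]
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:                                              # zlib-wrapped deflate ...
            body = zlib.decompress(body)
        except zlib.error:                                # ... or raw deflate
            body = zlib.decompress(body, -zlib.MAX_WBITS)
    return body


def recover_page(segments):
    """Capture -> byte stream -> (status line, headers, decoded body)."""
    status, headers, body = split_response(reassemble(segments))
    return status, headers, decode_body(headers, body)


def build_sample_segments():
    """Constructed capture: a gzip + chunked response cut into three segments,
    delivered out of order with a retransmitted duplicate and a data-less FIN."""
    gz = gzip.compress(HTML, mtime=0)
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)
    raw = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + chunked)
    ack, seq, segs = 4242, 1000, []                       # constructed ACK / ISN
    for part in (raw[:60], raw[60:100], raw[100:]):
        segs.append((seq, ack, part))
        seq += len(part)
    fin = (seq, ack, b"")
    return [segs[2], segs[1], fin, segs[0], segs[1]]
```

`recover_page(build_sample_segments())` returns the status line, the parsed headers and the decompressed page; a missing segment raises rather than silently producing a truncated gzip stream.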
Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

You've been busy. :)

You're not realizing this yet, but you stop dealing with the other segments when you're doing the reassembling in...
If FindString(PacketData, "Content-Type: text/html") > 0

You can have multiple segments, apart from the initial one, that have no response header information to work with but do include more parts of the content relating to the text/html that are yet to be joined on.
JHPJHP

Re: Windows Filtering Platform

Post by JHPJHP »

Made some changes (better checks and balances):
- calculates length, not relying on a static size of 1460
- removed break based on size, replaced it with Acknowledgment number

Code:

#DIVERT_LAYER_NETWORK = 0
#DIVERT_PRIORITY_DEFAULT = 0
#DIVERT_FLAG_SNIFF = 1
#MAXBUF = $FFFF

Structure DIVERT_ADDRESS
  IfIdx.l
  SubIfIdx.l
  Direction.a
EndStructure

Structure DIVERT_IPHDR
  StructureUnion
    HdrLength.a
    Version.a
  EndStructureUnion
  TOS.a
  Length.u
  Id.u
  FragOff0.u
  TTL.a
  Protocol.a
  Checksum.u
  SrcAddr.l
  DstAddr.l
EndStructure

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

Structure PAYLOAD
  HdrLength.a
  Length.u
  Id.u
  AckNum.l
  *ppData
  pDataLen.l
EndStructure

Prototype protoDivertOpen(filter.s, layer, priority.u, flags.q)
Global DivertOpen.protoDivertOpen

Prototype.b protoDivertRecv(handle, *pPacket, packetLen, pAddr, recvLen)
Global DivertRecv.protoDivertRecv

Prototype.b protoDivertHelperParsePacket(*pPacket, packetLen, *ppIpHdr, *ppIpv6Hdr, *ppIcmpHdr, *ppIcmpv6Hdr, *ppTcpHdr, *ppUdpHdr, *ppData, pDataLen)
Global DivertHelperParsePacket.protoDivertHelperParsePacket

Prototype.b protoDivertClose(handle)
Global DivertClose.protoDivertClose

Global Dim pPL.PAYLOAD(0)

Procedure BuildPayload()
  pRange.b = #False
  SortStructuredArray(pPL(), #PB_Sort_Ascending, OffsetOf(PAYLOAD\Id), TypeOf(PAYLOAD\Id))

  ; ReDim pPL(pCount) leaves ArraySize() equal to the last used index, so run
  ; to ArraySize() inclusive and skip entries without data
  For pCount = 0 To ArraySize(pPL())
    If pPL(pCount)\pDataLen = 0 : Continue : EndIf
    PacketData.s = PeekS(pPL(pCount)\ppData, pPL(pCount)\pDataLen, #PB_UTF8)

    If FindString(PacketData, "Content-Type: text/html") > 0 Or pRange
      If pPL(pCount)\pDataLen <> (pPL(pCount)\Length - pPL(pCount)\HdrLength) : Debug "ERROR: Length" : Break : EndIf

      If pRange
        If pPL(pCount)\Id > pId + 2 : Break : Else : pId = pPL(pCount)\Id : EndIf
        If pPL(pCount)\AckNum <> pPL(pCount - 1)\AckNum : Break : EndIf
      Else
        pRange = #True
        pId = pPL(pCount)\Id
;        Continue
      EndIf
      Debug Str(pPL(pCount)\Id) + " (" + Str(pPL(pCount)\pDataLen) + ")"
      Debug "---------------"

      If *Payload
        plSize = MemorySize(*Payload)
        *Payload = ReAllocateMemory(*Payload, plSize + pPL(pCount)\pDataLen)
      Else
        plSize = 0
        *Payload = AllocateMemory(pPL(pCount)\pDataLen)
      EndIf
      CopyMemory(pPL(pCount)\ppData, *Payload + plSize, pPL(pCount)\pDataLen)
    EndIf
  Next

  If *Payload ; nothing captured: no file, and no FreeMemory(0)
    If CreateFile(0, "tPacket.txt")
      WriteData(0, *Payload, MemorySize(*Payload))
      CloseFile(0)
    EndIf
    FreeMemory(*Payload)
  EndIf
EndProcedure

WinDivert = OpenLibrary(#PB_Any, "WinDivert.dll")

If IsLibrary(WinDivert)
  DivertOpen = GetFunction(WinDivert, "DivertOpen")
  DivertSetParam = GetFunction(WinDivert, "DivertSetParam")
  DivertRecv = GetFunction(WinDivert, "DivertRecv")
  DivertHelperParsePacket = GetFunction(WinDivert, "DivertHelperParsePacket")
  DivertClose = GetFunction(WinDivert, "DivertClose")
  filter.s = "inbound && ip.SrcAddr == 88.191.144.148 && tcp.Ack"
  hWndDivert = DivertOpen(filter, #DIVERT_LAYER_NETWORK, #DIVERT_PRIORITY_DEFAULT, #DIVERT_FLAG_SNIFF)

  If hWndDivert <> #INVALID_HANDLE_VALUE
    pAddr.DIVERT_ADDRESS
    *ppIpHdr.DIVERT_IPHDR
    *ppTcpHdr.DIVERT_TCPHDR
    RunProgram("iexplore", "http://www.purebasic.com/", "")

    Repeat
      *pPacket = AllocateMemory(#MAXBUF)

      If DivertRecv(hWndDivert, *pPacket, #MAXBUF, @pAddr, @recvLen)
        DivertHelperParsePacket(*pPacket, recvLen, @*ppIpHdr, #Null, #Null, #Null, @*ppTcpHdr, #Null, @*ppData, @pDataLen)

        If *ppIpHdr And *ppTcpHdr
          If *ppData And pDataLen > 0 ; pure ACKs carry no payload
            ReDim pPL(pCount)
            pPL(pCount)\HdrLength = (PeekA(@*ppIpHdr\Version) & %1111 * 32 / 8) + (PeekA(@*ppTcpHdr\HdrLength) >> 4 & %1111 * 4)
            pPL(pCount)\Length = ntohs_(PeekU(@*ppIpHdr\Length))
            pPL(pCount)\Id = ntohs_(PeekU(@*ppIpHdr\Id))
            pPL(pCount)\AckNum = ntohl_(PeekL(@*ppTcpHdr\AckNum))
            pPL(pCount)\ppData = AllocateMemory(pDataLen)
            CopyMemory(*ppData, pPL(pCount)\ppData, pDataLen)
            pPL(pCount)\pDataLen = pDataLen
            pCount + 1
          EndIf

          If PeekA(@*ppTcpHdr\Reserved2) & %1 : Break : EndIf

        EndIf
      EndIf
      FreeMemory(*pPacket)
    ForEver
    DivertClose(hWndDivert)
  EndIf
  CloseLibrary(WinDivert)
  RunProgram("sc", "stop WinDivert1.0", "", #PB_Program_Hide)
  RunProgram("sc", "delete WinDivert1.0", "", #PB_Program_Hide)
  BuildPayload()
EndIf

Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

Assuming that you reassembled it all correctly, leaving out the response header messages, you should be able to rename the created file's extension to .gz and be able to use WinRAR compressor/decompressor software or something similar that supports gzip decompression, and it should be fruitful. In case you don't have something, there is an online resource that does this... http://2zip.org/

The 'GZIP compressor/decompressor' site that you suggested, doesn't like this gzip compression. I've read something about two versions of it, don't remember exactly how it went...
JHPJHP

Re: Windows Filtering Platform

Post by JHPJHP »

You're not realizing this yet, but you stop dealing with the other segments when you're doing the reassembling in...
If FindString(PacketData, "Content-Type: text/html") > 0
I can't say for certain, but I think you may be wrong on this one; the exact line is:

Code:

If FindString(PacketData, "Content-Type: text/html") > 0 Or pRange

If FindString(PacketData, "Content-Type: text/html") > 0 is only to determine where the first segment (header) starts, then it ignores that and loops for the other segments based on Or pRange.
Last edited by JHPJHP on Mon Oct 07, 2013 5:36 am, edited 3 times in total.

Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

You are absolutely right.. I wasn't paying attention to the 'Or pRange'. Apologies.
JHPJHP wrote:
You're not realizing this yet, but you stop dealing with the other segments when you're doing the reassembling in...
If FindString(PacketData, "Content-Type: text/html") > 0
I can't say for certain, but I think you may be wrong on this one; the exact line is:

Code:

If FindString(PacketData, "Content-Type: text/html") > 0 Or pRange

If FindString(PacketData, "Content-Type: text/html") > 0 is only to determine where the first segment (header) starts, then it ignores that and loops for the other segments based on Or pRange.
JHPJHP

Re: Windows Filtering Platform

Post by JHPJHP »

It's not often (or to date) that you've been wrong... :P

-----------------------------------------------------------------------------

I haven't taken Padding into account yet, will it have an effect on decompressing the packet?
Last edited by JHPJHP on Mon Oct 07, 2013 5:38 am, edited 1 time in total.

Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

This latest is working great, JHPJHP. Once you remove the response header messages, rename the file extension to .gz and do what I told you previously, it'll decompress and the entire page is intact. Superb job! :)
Thunder93

Re: Windows Filtering Platform

Post by Thunder93 »

Not necessarily wrong, simply all over the place. I'm working with multiple versions and the ones I was in didn't have Or pRange, otherwise you would have seen it on that if line I was referencing. :wink:

JHPJHP wrote:It's not often (or to date) that you've been wrong... :P

-----------------------------------------------------------------------------

I haven't taken Padding into account yet, will it have an effect on decompressing the packet?