Re: Windows Filtering Platform

Posted: Sat Sep 28, 2013 4:12 pm
by Thunder93

Re: Windows Filtering Platform

Posted: Sat Sep 28, 2013 9:46 pm
by Thunder93
The TCP header offset field (*ppTcpHdr\HdrLength) is four bits.

Then we have just the one true Reserved field in the TCP header, which is another four bits. Following that is an 8-bit field which also includes the CWR and ECE TCP flags along with the other 6 common flags.

However, with the divert driver, this person created and is using another structure field for just the CWR and ECE, separate from the rest, and stores it in the structure's 'Reserved2' field.

UINT16 Reserved1:4; <--- four bits, so in PureBasic we link (union-ify) it to the offset field, which is also another four bits. This makes it 8 bits, a 1-byte PB read, and we split it up to read each four bits separately.

UINT16 Reserved2:2; <--- two bits, so in PureBasic we union-ify it in the same memory space with the other 6 common TCP flags. Now it makes an 8-bit, 1-byte PB read.

Re: Windows Filtering Platform

Posted: Sat Sep 28, 2013 10:52 pm
by Thunder93
Are you still having fun? :lol:

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 12:11 am
by Thunder93
I've made some more small changes... mostly to visual. Like this one...

ppIpHdr\FragOff0
_Flags: 0x02 (Don't Fragment)
--Bit 0 (Reserved): 0
--Bit 1 (May Fragment = 0 / Don't Fragment = 1): 1
--Bit 2 (Last Fragment = 0 / More Fragments = 1): 0
--Fragment Offset: 0


Hopefully you'll like all the changes I've made today? :wink:

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 1:01 am
by JHPJHP
Frustrated Fun... but still fun!

I think the changes you've made are great - really allows someone to make sense of all this.

This doesn't look right though:

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    HdrLength.b
    Reserved1.b

    ;;;;HdrLength.u
    ;;;;Reserved1.u
  EndStructureUnion
  StructureUnion
    Reserved2.b
    Fin.b
    Syn.b
    Rst.b
    Psh.b
    Ack.b
    Urg.b

    ;;;;Fin.u
    ;;;;Syn.u
    ;;;;Rst.u
    ;;;;Psh.u
    ;;;;Ack.u
    ;;;;Urg.u
  EndStructureUnion

  ;;;;StructureUnion
  ;;;;  Reserved2.u
  ;;;;EndStructureUnion
  
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure
I think either Reserved2 needs to be last or the others need to be reversed, but I usually wouldn't reverse the order in the Structure.
Because the data type is unsigned, .a makes more sense.

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure
(just trying to get my head around this)

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 3 bits: Reserved1
---- 1 bit: NS (Reserved1)
-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 1:56 am
by Thunder93
Hi. Thanks.

You're right, the ordering 'should' be exact ... unless reversing the order for all, or for those in the group. I in fact had that in the right order, but I was thinking about changing the order of the fields in that structure and didn't follow through, but left Reserved2 in place there.

Using data type .a does make more sense than the alternative option.

What you laid out there is right. What part don't you understand about it?


Regarding the tcp header structure, here is what I'm using now and will update the other post to include the changes.

Structure DIVERT_TCPHDR
  SrcPort.u
  DstPort.u
  SeqNum.l
  AckNum.l
  StructureUnion
    Reserved1.a
    HdrLength.a
  EndStructureUnion
  StructureUnion  
    Fin.a
    Syn.a
    Rst.a
    Psh.a
    Ack.a
    Urg.a
    Reserved2.a
  EndStructureUnion
  
  Window.u
  Checksum.u
  UrgPtr.u
EndStructure

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 2:21 am
by Thunder93
Wait a minute.... I see what you've done.
JHPJHP wrote: (just trying to get my head around this)

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 3 bits: Reserved1
---- 1 bit: NS (Reserved1)
-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 2:22 am
by Thunder93
Reserved1 is four bits.... As I explained in an earlier post.

RS & NS are new flags occupying two bits in the Reserved or, with divert, Reserved1 location.

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 2:29 am
by Thunder93
Therefore to update what you have...

- total: 16 bits
-- first 8 bits (Big Endian)
---- 4 bits: HdrLength
---- 4 bits: Reserved1
_Reserved1: 2 bits - Not-Used.
_Reserved1: 1 bit: RS
_Reserved1: 1 bit: NS

-- last 8 bits (Big Endian)
---- 1 bit: CWR (Reserved2)
---- 1 bit: ECE (Reserved2)
---- 1 bit: URG
---- 1 bit: ACK
---- 1 bit: PSH
---- 1 bit: RST
---- 1 bit: SYN
---- 1 bit: FIN

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 2:51 am
by JHPJHP
Nice - thank you, Wikipedia needs an update: http://en.wikipedia.org/wiki/Transmissi ... _structure :lol:

You used a Procedure, but for my own learning pleasure I'd like to see the 8 individual formulas that return each bit, using arithmetic shift and modulo; my results just don't match what I see from Wireshark.

Also, shouldn't this return the 8 bits?

Bin(PeekA(@*ppTcpHdr\Reserved2))

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 2:56 am
by Thunder93
Aren't you supposed to be using PB RSet in this case? :wink:

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 3:10 am
by JHPJHP
Better than my approach (old school):

Right("0000000" + Bin(PeekA(@*ppTcpHdr\Reserved2)), 8)
But still not getting the results I expected - I'm running our script in a Repeat Forever loop, and all the bit information is the same - I should at least be getting a FIN at the end?

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 3:26 am
by Thunder93

Debug "-- last 8 bits (Big Endian)"
tcpHdrResv.a = PeekA(@*ppTcpHdr\Reserved2)
Debug "---- 1 bit: CWR (Reserved2): " + Str(tcpHdrResv >> 7 & %1)
Debug "---- 1 bit: ECE (Reserved2): " + Str(tcpHdrResv >> 6 & %1)
Debug "---- 1 bit: URG: " + Str(tcpHdrResv >> 5 & %1)
Debug "---- 1 bit: ACK: " + Str(tcpHdrResv >> 4 & %1)
Debug "---- 1 bit: PSH: " + Str(tcpHdrResv >> 3 & %1)
Debug "---- 1 bit: RST: " + Str(tcpHdrResv >> 2 & %1)
Debug "---- 1 bit: SYN: " + Str(tcpHdrResv >> 1 & %1)
Debug "---- 1 bit: FIN: " + Str(tcpHdrResv >> 0 & %1)

Updated: Rev1

Rev 1: When I was slapping this together for you, I forgot to replace the Bin() with Str().
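As an added example (not code from this thread, and not the divert driver's own code), here is the 16-bit word at TCP header bytes 12 and 13 parsed in C, covering both the bit layout laid out a few posts up and the per-bit shift-and-mask extraction in the Debug listing above. The layout used is the standard one: byte 12 holds the data offset in its high nibble and the reserved bits in its low nibble (the least significant of those is the RFC 3540 NS bit), and byte 13 holds CWR, ECE, URG, ACK, PSH, RST, SYN, FIN from bit 7 down to bit 0. The header bytes are constructed for the example, not captured. It also shows the division-and-modulo form JHPJHP asked about agreeing with the shift form on every bit, the zero-padded binary string that Right("0000000" + Bin(x), 8) produces, and a length/offset check worth doing before a packet-inspection tool trusts the HdrLength nibble.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit positions inside byte 13 of the TCP header (bit 7 = most significant). */
enum tcp_flag { TCP_FIN = 0, TCP_SYN = 1, TCP_RST = 2, TCP_PSH = 3,
                TCP_ACK = 4, TCP_URG = 5, TCP_ECE = 6, TCP_CWR = 7 };

/* Constructed sample (not a real capture): a 20-byte TCP header for a
 * SYN/ACK with ECE and the NS bit set, no options. */
static const uint8_t sample_tcp_hdr[20] = {
    0x01, 0xbb,               /* source port 443                          */
    0xc0, 0x00,               /* destination port 49152                   */
    0x00, 0x00, 0x00, 0x01,   /* sequence number                          */
    0x00, 0x00, 0x00, 0x02,   /* acknowledgement number                   */
    0x51,                     /* 0101 = data offset 5, 0001 = reserved/NS */
    0x52,                     /* 0101 0010 = ECE | ACK | SYN              */
    0xff, 0xff,               /* window                                   */
    0x00, 0x00,               /* checksum (not computed for the sample)   */
    0x00, 0x00                /* urgent pointer                           */
};

/* Same constructed header, but with a bogus data offset of 4 words. */
static const uint8_t sample_bad_offset[20] = {
    0x01, 0xbb, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x41, 0x52, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

/* Bit n (0 = least significant) of b, by shift and mask. */
static unsigned bit_shift(uint8_t b, unsigned n) { return (b >> n) & 1u; }

/* The same bit by integer division and modulo. */
static unsigned bit_mod(uint8_t b, unsigned n) { return (b / (1u << n)) % 2u; }

/* 1 if both methods agree on every bit of b, else 0. */
int bits_agree(uint8_t b) {
    for (unsigned n = 0; n < 8; n++)
        if (bit_shift(b, n) != bit_mod(b, n)) return 0;
    return 1;
}

/* High nibble of byte 12: header length in 32-bit words. */
unsigned tcp_data_offset(const uint8_t *hdr) { return hdr[12] >> 4; }

/* Low nibble of byte 12: the reserved bits; NS is its least significant bit. */
unsigned tcp_reserved(const uint8_t *hdr) { return hdr[12] & 0x0f; }
unsigned tcp_ns(const uint8_t *hdr) { return bit_shift(hdr[12], 0); }

/* One flag from byte 13. */
unsigned tcp_flag(const uint8_t *hdr, enum tcp_flag f) { return bit_shift(hdr[13], f); }

/* Validate before trusting the offset: 0 = ok, -1 = buffer too short for the
 * fixed header, -2 = data offset below 5 or pointing past the buffer end. */
int tcp_check_header(const uint8_t *hdr, size_t len) {
    if (len < 20) return -1;
    unsigned words = tcp_data_offset(hdr);
    if (words < 5 || (size_t)words * 4u > len) return -2;
    return 0;
}

/* Zero-padded 8-character binary string, the C equivalent of
 * Right("0000000" + Bin(x), 8); returns a static buffer. */
const char *bin8(uint8_t b) {
    static char buf[9];
    for (unsigned n = 0; n < 8; n++) buf[n] = bit_shift(b, 7 - n) ? '1' : '0';
    buf[8] = '\0';
    return buf;
}

int main(void) {
    const uint8_t *h = sample_tcp_hdr;
    if (tcp_check_header(h, sizeof sample_tcp_hdr) != 0) { puts("bad header"); return 1; }
    printf("data offset: %u words\n", tcp_data_offset(h));
    printf("reserved   : %s (NS=%u)\n", bin8((uint8_t)tcp_reserved(h)) + 4, tcp_ns(h));
    printf("flags byte : %s\n", bin8(h[13]));
    printf("CWR=%u ECE=%u URG=%u ACK=%u PSH=%u RST=%u SYN=%u FIN=%u\n",
           tcp_flag(h, TCP_CWR), tcp_flag(h, TCP_ECE), tcp_flag(h, TCP_URG),
           tcp_flag(h, TCP_ACK), tcp_flag(h, TCP_PSH), tcp_flag(h, TCP_RST),
           tcp_flag(h, TCP_SYN), tcp_flag(h, TCP_FIN));
    printf("bad-offset sample check: %d\n", tcp_check_header(sample_bad_offset, 20));
    return 0;
}
```

The flags byte 0x52 prints as 01010010, i.e. ECE, ACK and SYN set and everything else clear, which is what the shift-by-7-down-to-0 Debug lines above would report for the same byte. The offset check matters because a malformed header whose HdrLength nibble points past the captured buffer would otherwise send the option parser reading beyond the packet.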

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 3:41 am
by Thunder93
I really like PureBasic... It's pretty powerful. I never imagined I'd be handling bits and nibbles with PB. ... on another note, did you find that evil bit in the IPv4 header yet? heh


Like you now, I was the other day trying to wrap my head around this all! But at least it's still going for us. :)

Re: Windows Filtering Platform

Posted: Sun Sep 29, 2013 3:50 am
by JHPJHP
Isn't that the truth...

At least I know I'm not doing it wrong, but same results.

- 8 bits are always the same?

Note: the script is in an infinite loop - you will need to kill it after viewing the debug output, it will also automatically load the webpage (explorer).

Thanks,