Initial commit

Makefile

@@ -9,6 +9,9 @@ LDFLAGS =
 DETOURS_PATH ?= /usr/local/detours
 DETOURS_LIB = $(DETOURS_PATH)/lib64/detours.lib
 
+# Alternative: build without Detours (limited functionality)
+NO_DETOURS ?= 0
+
 # Targets
 all: network_monitor.exe ssl_hook.dll packet_capture.dll bgvnc.exe
 
@@ -16,7 +19,12 @@ network_monitor.exe: network_monitor.c
 	$(CC) $(CFLAGS) -o $@ $< -lws2_32 -liphlpapi $(LDFLAGS)
 
 ssl_hook.dll: ssl_hook.c ssl_hook.h
+ifeq ($(NO_DETOURS),1)
+	@echo "Building ssl_hook.dll without Detours (limited functionality)"
+	$(CC) $(CFLAGS) -shared -o $@ $< -DNO_DETOURS $(LDFLAGS)
+else
 	$(CC) $(CFLAGS) -shared -o $@ $< -L$(DETOURS_PATH)/lib64 -ldetours -lsspi $(LDFLAGS)
+endif
 
 packet_capture.dll: packet_capture.c
 	$(CC) $(CFLAGS) -shared -o $@ $< -lws2_32 $(LDFLAGS)

README.md

@@ -20,47 +20,105 @@ A comprehensive Windows network monitoring and SSL interception toolkit that can
 
 ## Output Files
 
-The suite generates 8 different log files:
+The suite generates multiple log files organized by connection:
 
+### Global Logs
 1. `internal_traffic.log` - Internal network connection details
 2. `external_traffic.log` - External network connection details
 3. `ssl_log.txt` - SSL traffic hex dumps
-4. `syscall_log.txt` - DLL loading and function calls
-5. `internal_tcp_dump.bin` - Raw internal TCP payload dump
-6. `external_tcp_dump.bin` - Raw external TCP payload dump
-7. `internal_tcp_wireshark.pcap` - Wireshark PCAP for internal traffic
-8. `external_tcp_wireshark.pcap` - Wireshark PCAP for external traffic
+4. `syscall_log.txt` - DLL loading and function calls with timestamps
+
+### Per-Connection Files
+For each unique TCP connection, the following files are created:
+
+**Binary dumps:**
+- `tcp_dump_{internal|external}_{src_ip}:{src_port}-{dest_ip}:{dest_port}.bin`
+
+**Hex dumps:**
+- `tcp_hexdump_{internal|external}_{src_ip}:{src_port}-{dest_ip}:{dest_port}.log`
+
+**Wireshark PCAP files:**
+- `tcp_wireshark_{internal|external}_{src_ip}:{src_port}-{dest_ip}:{dest_port}.pcap`
+
+### Example File Names
+- `tcp_dump_internal_192.168.1.100:12345-10.0.0.1:443.bin`
+- `tcp_hexdump_external_192.168.1.100:54321-8.8.8.8:53.log`
+- `tcp_wireshark_internal_192.168.1.100:12345-10.0.0.1:443.pcap`
 
 ## Building
 
 ### Prerequisites
 
 - Linux system with MinGW-w64 cross-compiler
-- Microsoft Detours library (for hooking functionality)
+- Microsoft Detours library (for full hooking functionality - optional)
 
-### Quick Start
+### Quick Start (Limited Functionality)
 
 ```bash
 ./configure.sh
-make
+make NO_DETOURS=1
+```
+
+### Full Build with Detours Support
+
+#### 1. Install Base Dependencies
+
+```bash
+sudo apt-get update
+sudo apt-get install gcc-mingw-w64 git
+```
+
+#### 2. Build Microsoft Detours (Requires Windows)
+
+On a Windows machine with Visual Studio Build Tools:
+
+```cmd
+git clone https://github.com/microsoft/Detours.git
+cd Detours
+nmake
+```
+
+Copy the built Detours to your Linux machine:
+
+```bash
+# Create Detours directory on Linux
+sudo mkdir -p /usr/local/detours
+
+# Copy from Windows (adjust paths as needed)
+# scp user@windows:/path/to/Detours/include/* /usr/local/detours/include/
+# scp user@windows:/path/to/Detours/lib.X64/* /usr/local/detours/lib64/
 ```
 
-### Manual Build
+#### 3. Configure and Build
 
 ```bash
-# Install dependencies
-sudo apt-get install gcc-mingw-w64
+./configure.sh
+make
+```
+
+### Manual Build Commands
 
-# Download and install Microsoft Detours
-# (Extract to /usr/local/detours)
+#### Without Detours (Limited functionality):
+```bash
+x86_64-w64-mingw32-gcc network_monitor.c -o network_monitor.exe -lws2_32 -liphlpapi -static
+x86_64-w64-mingw32-gcc -shared ssl_hook.c -o ssl_hook.dll -DNO_DETOURS -static
+x86_64-w64-mingw32-gcc -shared packet_capture.c -o packet_capture.dll -lws2_32 -static
+x86_64-w64-mingw32-gcc bgvnc.c -o bgvnc.exe -lws2_32 -lgdi32 -luser32 -static
+```
 
-# Build components
+#### With Detours (Full functionality):
+```bash
 x86_64-w64-mingw32-gcc network_monitor.c -o network_monitor.exe -lws2_32 -liphlpapi -static
-x86_64-w64-mingw32-gcc -shared ssl_hook.c -o ssl_hook.dll -L/path/to/detours/lib64 -ldetours -lsspi -static
+x86_64-w64-mingw32-gcc -shared ssl_hook.c -o ssl_hook.dll -L/usr/local/detours/lib64 -ldetours -lsspi -static
 x86_64-w64-mingw32-gcc -shared packet_capture.c -o packet_capture.dll -lws2_32 -static
 x86_64-w64-mingw32-gcc bgvnc.c -o bgvnc.exe -lws2_32 -lgdi32 -luser32 -static
 ```
 
+### Build Options
+
+- `NO_DETOURS=1`: Build without Detours (limited SSL hooking)
+- `DETOURS_PATH=/custom/path`: Specify custom Detours installation path
+
 ## Usage
 
 ### Network Monitor with SSL Interception

config.mk

+# Auto-generated configuration file
+DETOURS_PATH = /usr/local/detours
+CC = x86_64-w64-mingw32-gcc

network_monitor.c

@@ -16,21 +16,21 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-#include <windows.h>
 #include <winsock2.h>
+#include <windows.h>
 #include <iphlpapi.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <tlhelp32.h>
 
-#pragma comment(lib, "ws2_32.lib")
-#pragma comment(lib, "iphlpapi.lib")
+// #pragma comment(lib, "ws2_32.lib")
+// #pragma comment(lib, "iphlpapi.lib")
 
 int is_internal_ip(DWORD ip) {
     BYTE b1 = (ip >> 24) & 0xFF;
     BYTE b2 = (ip >> 16) & 0xFF;
-    BYTE b3 = (ip >> 8) & 0xFF;
-    BYTE b4 = ip & 0xFF;
+    // BYTE b3 = (ip >> 8) & 0xFF;
+    // BYTE b4 = ip & 0xFF;
     if (b1 == 10) return 1;
     if (b1 == 172 && b2 >= 16 && b2 <= 31) return 1;
     if (b1 == 192 && b2 == 168) return 1;
@@ -68,7 +68,8 @@ int main() {
     fgets(program, sizeof(program), stdin);
     program[strcspn(program, "\n")] = 0;
 
-    STARTUPINFO si = { sizeof(si) };
+    STARTUPINFO si = {0};
+    si.cb = sizeof(si);
     PROCESS_INFORMATION pi;
     if (!CreateProcess(NULL, program, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
         printf("Failed to start process\n");
@@ -103,7 +104,7 @@ int main() {
                 DWORD localIP = row.dwLocalAddr;
                 DWORD remoteIP = row.dwRemoteAddr;
                 char log_entry[256];
-                sprintf(log_entry, "Connection: Local %d.%d.%d.%d:%d -> Remote %d.%d.%d.%d:%d State:%d\n",
+                sprintf(log_entry, "Connection: Local %lu.%lu.%lu.%lu:%u -> Remote %lu.%lu.%lu.%lu:%u State:%lu\n",
                     (localIP >> 24) & 0xFF, (localIP >> 16) & 0xFF, (localIP >> 8) & 0xFF, localIP & 0xFF, ntohs(row.dwLocalPort),
                     (remoteIP >> 24) & 0xFF, (remoteIP >> 16) & 0xFF, (remoteIP >> 8) & 0xFF, remoteIP & 0xFF, ntohs(row.dwRemotePort),
                     row.dwState);

packet_capture.c

@@ -16,16 +16,16 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
 
-#include <windows.h>
 #include <winsock2.h>
+#include <windows.h>
 #include <iphlpapi.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
 
-#pragma comment(lib, "ws2_32.lib")
-#pragma comment(lib, "iphlpapi.lib")
+// #pragma comment(lib, "ws2_32.lib")
+// #pragma comment(lib, "iphlpapi.lib")
 
 // PCAP file header structure
 typedef struct {
@@ -155,9 +155,13 @@ FILE* init_pcap_file(const char* filename) {
     return file;
 }
 
-// Function to write raw binary dump
-void log_raw_dump(const BYTE* data, int len, int is_internal) {
-    const char* filename = is_internal ? "internal_tcp_dump.bin" : "external_tcp_dump.bin";
+// Function to write raw binary dump per connection
+void log_raw_dump(const BYTE* data, int len, int is_internal, DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port) {
+    char filename[256];
+    sprintf(filename, "tcp_dump_%s_%lu.%lu.%lu.%lu:%u-%lu.%lu.%lu.%lu:%u.bin",
+            is_internal ? "internal" : "external",
+            (src_ip >> 24) & 0xFF, (src_ip >> 16) & 0xFF, (src_ip >> 8) & 0xFF, src_ip & 0xFF, src_port,
+            (dest_ip >> 24) & 0xFF, (dest_ip >> 16) & 0xFF, (dest_ip >> 8) & 0xFF, dest_ip & 0xFF, dest_port);
     FILE* file = fopen(filename, "ab");
     if (file) {
         fwrite(data, 1, len, file);
@@ -165,12 +169,19 @@ void log_raw_dump(const BYTE* data, int len, int is_internal) {
     }
 }
 
-// Function to write hex dump
-void log_hex_dump(const BYTE* data, int len, int is_internal) {
-    const char* filename = is_internal ? "internal_tcp_hexdump.log" : "external_tcp_hexdump.log";
+// Function to write hex dump per connection
+void log_hex_dump(const BYTE* data, int len, int is_internal, DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port) {
+    char filename[256];
+    sprintf(filename, "tcp_hexdump_%s_%lu.%lu.%lu.%lu:%u-%lu.%lu.%lu.%lu:%u.log",
+            is_internal ? "internal" : "external",
+            (src_ip >> 24) & 0xFF, (src_ip >> 16) & 0xFF, (src_ip >> 8) & 0xFF, src_ip & 0xFF, src_port,
+            (dest_ip >> 24) & 0xFF, (dest_ip >> 16) & 0xFF, (dest_ip >> 8) & 0xFF, dest_ip & 0xFF, dest_port);
     FILE* file = fopen(filename, "a");
     if (file) {
-        fprintf(file, "TCP Payload (%d bytes):\n", len);
+        SYSTEMTIME st;
+        GetSystemTime(&st);
+        fprintf(file, "[%04d-%02d-%02d %02d:%02d:%02d] TCP Payload (%d bytes):\n",
+                st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, len);
         for (int i = 0; i < len; i++) {
             fprintf(file, "%02x ", data[i]);
             if ((i + 1) % 16 == 0) fprintf(file, "\n");
@@ -182,26 +193,32 @@ void log_hex_dump(const BYTE* data, int len, int is_internal) {
 
 // Export function for use by ssl_hook.dll
 __declspec(dllexport) void log_unencrypted_traffic(DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port, const BYTE* data, int len, int is_internal) {
-    static FILE* internal_pcap = NULL;
-    static FILE* external_pcap = NULL;
-
-    if (!internal_pcap) {
-        internal_pcap = init_pcap_file("internal_tcp_wireshark.pcap");
-    }
-    if (!external_pcap) {
-        external_pcap = init_pcap_file("external_tcp_wireshark.pcap");
+    // Create per-connection PCAP filename
+    char pcap_filename[256];
+    sprintf(pcap_filename, "tcp_wireshark_%s_%lu.%lu.%lu.%lu:%u-%lu.%lu.%lu.%lu:%u.pcap",
+            is_internal ? "internal" : "external",
+            (src_ip >> 24) & 0xFF, (src_ip >> 16) & 0xFF, (src_ip >> 8) & 0xFF, src_ip & 0xFF, src_port,
+            (dest_ip >> 24) & 0xFF, (dest_ip >> 16) & 0xFF, (dest_ip >> 8) & 0xFF, dest_ip & 0xFF, dest_port);
+
+    // Open or create per-connection PCAP file
+    FILE* pcap_file = fopen(pcap_filename, "r+b");
+    if (!pcap_file) {
+        // File doesn't exist, create it
+        pcap_file = init_pcap_file(pcap_filename);
+    } else {
+        // File exists, seek to end for appending
+        fseek(pcap_file, 0, SEEK_END);
     }
 
-    // Write to PCAP for Wireshark
-    FILE* target_file = is_internal ? internal_pcap : external_pcap;
-    if (target_file) {
-        write_pcap_packet(target_file, src_ip, dest_ip, src_port, dest_port, data, len);
-        fflush(target_file);
+    if (pcap_file) {
+        write_pcap_packet(pcap_file, src_ip, dest_ip, src_port, dest_port, data, len);
+        fflush(pcap_file);
+        fclose(pcap_file);
     }
 
-    // Write raw binary dump
-    log_raw_dump(data, len, is_internal);
+    // Write raw binary dump per connection
+    log_raw_dump(data, len, is_internal, src_ip, dest_ip, src_port, dest_port);
 
-    // Write hex dump
-    log_hex_dump(data, len, is_internal);
+    // Write hex dump per connection
+    log_hex_dump(data, len, is_internal, src_ip, dest_ip, src_port, dest_port);
 }
\ No newline at end of file

ssl_hook.c

@@ -17,7 +17,10 @@
  */
 
 #include "ssl_hook.h"
+#ifndef NO_DETOURS
 #include <detours.h>
+#endif
+#define SECURITY_WIN32
 #include <sspi.h>
 
 // Original function pointers
@@ -32,17 +35,21 @@ GetProcAddress_t original_GetProcAddress = NULL;
 // Hooked functions
 int hooked_SSL_write(void* ssl, const void* buf, int num) {
     log_data("SSL_WRITE", buf, num);
+#ifndef NO_DETOURS
     // For PCAP logging, we'd need to track connection details
     // This is simplified - in practice you'd need to maintain connection state
     log_unencrypted_traffic(0, 0, 0, 443, (const BYTE*)buf, num, 0); // Assume external for now
-    return original_SSL_write(ssl, buf, num);
+#endif
+    return original_SSL_write ? original_SSL_write(ssl, buf, num) : -1;
 }
 
 int hooked_SSL_read(void* ssl, void* buf, int num) {
-    int result = original_SSL_read(ssl, buf, num);
+    int result = original_SSL_read ? original_SSL_read(ssl, buf, num) : -1;
     if (result > 0) {
         log_data("SSL_READ", buf, result);
+#ifndef NO_DETOURS
         log_unencrypted_traffic(0, 0, 443, 0, (const BYTE*)buf, result, 0); // Assume external
+#endif
     }
     return result;
 }
@@ -52,21 +59,25 @@ SECURITY_STATUS hooked_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBuf
     for (ULONG i = 0; i < pMessage->cBuffers; i++) {
         if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA) {
             log_data("SCHANNEL_ENCRYPT", pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer);
+#ifndef NO_DETOURS
             log_unencrypted_traffic(0, 0, 0, 443, (const BYTE*)pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer, 0);
+#endif
             break;
         }
     }
-    return original_EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
+    return original_EncryptMessage ? original_EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo) : SEC_E_UNSUPPORTED_FUNCTION;
 }
 
 SECURITY_STATUS hooked_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) {
-    SECURITY_STATUS status = original_DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP);
+    SECURITY_STATUS status = original_DecryptMessage ? original_DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP) : SEC_E_UNSUPPORTED_FUNCTION;
     if (status == SEC_E_OK) {
         // Log decrypted data after decryption
         for (ULONG i = 0; i < pMessage->cBuffers; i++) {
             if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA) {
                 log_data("SCHANNEL_DECRYPT", pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer);
+#ifndef NO_DETOURS
                 log_unencrypted_traffic(0, 0, 443, 0, (const BYTE*)pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer, 0);
+#endif
                 break;
             }
         }
@@ -131,11 +142,13 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
             original_SSL_read = (SSL_read_t)GetProcAddress(hLibSSL, "SSL_read");
 
             if (original_SSL_write && original_SSL_read) {
+#ifndef NO_DETOURS
                 DetourTransactionBegin();
                 DetourUpdateThread(GetCurrentThread());
                 DetourAttach(&(PVOID&)original_SSL_write, hooked_SSL_write);
                 DetourAttach(&(PVOID&)original_SSL_read, hooked_SSL_read);
                 DetourTransactionCommit();
+#endif
             }
         }
 
@@ -146,11 +159,13 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
             original_DecryptMessage = (DecryptMessage_t)GetProcAddress(hSecur32, "DecryptMessage");
 
             if (original_EncryptMessage && original_DecryptMessage) {
+#ifndef NO_DETOURS
                 DetourTransactionBegin();
                 DetourUpdateThread(GetCurrentThread());
                 DetourAttach(&(PVOID&)original_EncryptMessage, hooked_EncryptMessage);
                 DetourAttach(&(PVOID&)original_DecryptMessage, hooked_DecryptMessage);
                 DetourTransactionCommit();
+#endif
             }
         }
 
@@ -162,36 +177,44 @@ BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserv
             original_GetProcAddress = (GetProcAddress_t)GetProcAddress(hKernel32, "GetProcAddress");
 
             if (original_LoadLibraryA && original_LoadLibraryW && original_GetProcAddress) {
+#ifndef NO_DETOURS
                 DetourTransactionBegin();
                 DetourUpdateThread(GetCurrentThread());
                 DetourAttach(&(PVOID&)original_LoadLibraryA, hooked_LoadLibraryA);
                 DetourAttach(&(PVOID&)original_LoadLibraryW, hooked_LoadLibraryW);
                 DetourAttach(&(PVOID&)original_GetProcAddress, hooked_GetProcAddress);
                 DetourTransactionCommit();
+#endif
             }
         }
     } else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
         if (original_SSL_write && original_SSL_read) {
+#ifndef NO_DETOURS
             DetourTransactionBegin();
             DetourUpdateThread(GetCurrentThread());
             DetourDetach(&(PVOID&)original_SSL_write, hooked_SSL_write);
             DetourDetach(&(PVOID&)original_SSL_read, hooked_SSL_read);
             DetourTransactionCommit();
+#endif
         }
         if (original_EncryptMessage && original_DecryptMessage) {
+#ifndef NO_DETOURS
             DetourTransactionBegin();
             DetourUpdateThread(GetCurrentThread());
             DetourDetach(&(PVOID&)original_EncryptMessage, hooked_EncryptMessage);
             DetourDetach(&(PVOID&)original_DecryptMessage, hooked_DecryptMessage);
             DetourTransactionCommit();
+#endif
         }
         if (original_LoadLibraryA && original_LoadLibraryW && original_GetProcAddress) {
+#ifndef NO_DETOURS
             DetourTransactionBegin();
             DetourUpdateThread(GetCurrentThread());
             DetourDetach(&(PVOID&)original_LoadLibraryA, hooked_LoadLibraryA);
             DetourDetach(&(PVOID&)original_LoadLibraryW, hooked_LoadLibraryW);
             DetourDetach(&(PVOID&)original_GetProcAddress, hooked_GetProcAddress);
             DetourTransactionCommit();
+#endif
         }
     }
     return TRUE;

ssl_hook.h

@@ -20,6 +20,8 @@
 #define SSL_HOOK_H
 
 #include <windows.h>
+#define SECURITY_WIN32
+#include <sspi.h>
 #include <stdio.h>
 
 // Function pointer types for SSL functions