Skip to content

B
bsc
Commit d109697a authored by Stefy Lanza's avatar Stefy Lanza
Browse files
Options

Initial commit: Network Monitoring Suite 

- network_monitor.exe: Main monitoring app with DLL injection
- ssl_hook.dll: SSL/TLS interception for OpenSSL and Schannel
- packet_capture.dll: Wireshark-compatible PCAP generation
- bgvnc.exe: VNC server for remote desktop access
- Comprehensive logging: 8 output files for different data types
- Cross-platform build system with Makefile and configure.sh
- GPLv3 licensed
parents
Expand all Hide whitespace changes
Inline Side-by-side
Showing with 1015 additions and 0 deletions
LICENSE 0 → 100644
View file @ d109697a
This diff is collapsed.
Makefile 0 → 100644
View file @ d109697a
# Makefile for Network Monitoring Suite
# Cross-compilation for Windows on Linux using MinGW-w64
CC = x86_64-w64-mingw32-gcc
CFLAGS = -Wall -Wextra -O2 -static
LDFLAGS =
# Check if Detours is available
DETOURS_PATH ?= /usr/local/detours
DETOURS_LIB = $(DETOURS_PATH)/lib64/detours.lib
# Targets
all: network_monitor.exe ssl_hook.dll packet_capture.dll bgvnc.exe
network_monitor.exe: network_monitor.c
$(CC) $(CFLAGS) -o $@ $< -lws2_32 -liphlpapi $(LDFLAGS)
ssl_hook.dll: ssl_hook.c ssl_hook.h
$(CC) $(CFLAGS) -shared -o $@ $< -L$(DETOURS_PATH)/lib64 -ldetours -lsspi $(LDFLAGS)
packet_capture.dll: packet_capture.c
$(CC) $(CFLAGS) -shared -o $@ $< -lws2_32 $(LDFLAGS)
bgvnc.exe: bgvnc.c
$(CC) $(CFLAGS) -o $@ $< -lws2_32 -lgdi32 -luser32 $(LDFLAGS)
# Clean build artifacts
clean:
rm -f *.exe *.dll
# Install dependencies (run with sudo if needed)
install-deps:
apt-get update && apt-get install -y gcc-mingw-w64
# Check if Detours is installed
check-detours:
@if [ ! -f "$(DETOURS_LIB)" ]; then \
echo "Microsoft Detours not found at $(DETOURS_LIB)"; \
echo "Please download and install Detours from:"; \
echo "https://github.com/microsoft/Detours"; \
echo "Then set DETOURS_PATH to the installation directory"; \
exit 1; \
fi
# Build with dependency check
build: check-detours all
.PHONY: all clean install-deps check-detours build
\ No newline at end of file
README.md 0 → 100644
View file @ d109697a
# Network Monitoring Suite
A comprehensive Windows network monitoring and SSL interception toolkit that can run under Wine on Linux.
## Features
- **Network Connection Monitoring**: Tracks TCP connections and logs internal vs external traffic
- **SSL/TLS Interception**: Hooks OpenSSL and Windows Schannel to capture unencrypted traffic
- **DLL Injection**: Loads monitoring DLL into target processes
- **Syscall Monitoring**: Logs DLL loading and function resolution calls
- **Packet Capture**: Generates Wireshark-compatible PCAP files and raw dumps
- **VNC Server**: Remote desktop access to monitored Windows applications
## Components
- `network_monitor.exe`: Main monitoring application with DLL injection
- `ssl_hook.dll`: SSL hooking and syscall monitoring DLL
- `packet_capture.dll`: Packet capture and logging functionality
- `bgvnc.exe`: VNC server for remote desktop access
## Output Files
The suite generates 8 different log files:
1. `internal_traffic.log` - Internal network connection details
2. `external_traffic.log` - External network connection details
3. `ssl_log.txt` - SSL traffic hex dumps
4. `syscall_log.txt` - DLL loading and function calls
5. `internal_tcp_dump.bin` - Raw internal TCP payload dump
6. `external_tcp_dump.bin` - Raw external TCP payload dump
7. `internal_tcp_wireshark.pcap` - Wireshark PCAP for internal traffic
8. `external_tcp_wireshark.pcap` - Wireshark PCAP for external traffic
## Building
### Prerequisites
- Linux system with MinGW-w64 cross-compiler
- Microsoft Detours library (for hooking functionality)
### Quick Start
```bash
./configure.sh
make
```
### Manual Build
```bash
# Install dependencies
sudo apt-get install gcc-mingw-w64
# Download and install Microsoft Detours
# (Extract to /usr/local/detours)
# Build components
x86_64-w64-mingw32-gcc network_monitor.c -o network_monitor.exe -lws2_32 -liphlpapi -static
x86_64-w64-mingw32-gcc -shared ssl_hook.c -o ssl_hook.dll -L/path/to/detours/lib64 -ldetours -lsspi -static
x86_64-w64-mingw32-gcc -shared packet_capture.c -o packet_capture.dll -lws2_32 -static
x86_64-w64-mingw32-gcc bgvnc.c -o bgvnc.exe -lws2_32 -lgdi32 -luser32 -static
```
## Usage
### Network Monitor with SSL Interception
```bash
wine network_monitor.exe "C:\path\to\target.exe" arg1 arg2
```
### VNC Remote Desktop
```bash
wine bgvnc.exe "C:\Windows\System32\mstsc.exe" /v:remote-server
# Connect VNC client to localhost:5900
```
## Legal Notice
This software is for educational and research purposes only. Users are responsible for complying with applicable laws and regulations regarding network monitoring and data interception in their jurisdiction.
## License
GPLv3 - See LICENSE file for details.
## Author
Stefy Lanza <stefy@sexhack.me>
\ No newline at end of file
bgvnc.c 0 → 100644
View file @ d109697a
/*
* Network Monitoring Suite - VNC Server
* Copyright (C) 2024 Stefy Lanza <stefy@sexhack.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <windows.h>
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <process.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "gdi32.lib")
#define VNC_PORT 5900
#define SCREEN_WIDTH 1024
#define SCREEN_HEIGHT 768
typedef struct {
SOCKET client_sock;
HDC screen_dc;
HBITMAP bitmap;
BITMAPINFO bmi;
BYTE* framebuffer;
int fb_width, fb_height;
} VNC_CLIENT;
unsigned __stdcall vnc_client_thread(void* arg) {
VNC_CLIENT* client = (VNC_CLIENT*)arg;
// Simple VNC handshake (simplified)
char version[] = "RFB 003.008\n";
send(client->client_sock, version, strlen(version), 0);
char client_version[12];
recv(client->client_sock, client_version, sizeof(client_version), 0);
// Send security types
char sec_types[] = {1, 1}; // 1 = None
send(client->client_sock, sec_types, 2, 0);
char sec_result[4] = {0,0,0,0}; // OK
send(client->client_sock, sec_result, 4, 0);
// Client init
char client_init[1];
recv(client->client_sock, client_init, 1, 0);
// Server init
char server_init[24];
memset(server_init, 0, sizeof(server_init));
*(DWORD*)(server_init) = htonl(client->fb_width);
*(DWORD*)(server_init + 4) = htonl(client->fb_height);
*(DWORD*)(server_init + 8) = htonl(32); // bits per pixel
*(DWORD*)(server_init + 12) = htonl(24); // depth
*(DWORD*)(server_init + 16) = htonl(1); // big endian
*(DWORD*)(server_init + 20) = htonl(1); // true color
send(client->client_sock, server_init, 24, 0);
// Name
char name[] = {0,0,0,4,'B','G','V','N','C'};
send(client->client_sock, name, sizeof(name), 0);
while (1) {
// Capture screen and send updates
HDC mem_dc = CreateCompatibleDC(client->screen_dc);
SelectObject(mem_dc, client->bitmap);
BitBlt(mem_dc, 0, 0, client->fb_width, client->fb_height, client->screen_dc, 0, 0, SRCCOPY);
GetDIBits(mem_dc, client->bitmap, 0, client->fb_height, client->framebuffer, &client->bmi, DIB_RGB_COLORS);
// Send framebuffer update
char update_header[4] = {0, 0, 0, 1}; // FramebufferUpdate message
send(client->client_sock, update_header, 4, 0);
// Rectangle header
char rect_header[12] = {0,0, 0,0, 0,0, 0,0, 0,0,0,0}; // x,y,w,h,encoding
*(WORD*)(rect_header + 2) = htons(client->fb_width);
*(WORD*)(rect_header + 4) = htons(client->fb_height);
*(DWORD*)(rect_header + 8) = htonl(0); // Raw encoding
send(client->client_sock, rect_header, 12, 0);
// Send pixel data
send(client->client_sock, (char*)client->framebuffer, client->fb_width * client->fb_height * 4, 0);
DeleteDC(mem_dc);
Sleep(100); // Update every 100ms
}
closesocket(client->client_sock);
free(client);
return 0;
}
int main(int argc, char* argv[]) {
if (argc < 2) {
printf("Usage: bgvnc.exe <rdp_client_path> [args...]\n");
return 1;
}
WSADATA wsa;
WSAStartup(MAKEWORD(2,2), &wsa);
SOCKET server_sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in server_addr = {0};
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons(VNC_PORT);
server_addr.sin_addr.s_addr = INADDR_ANY;
bind(server_sock, (struct sockaddr*)&server_addr, sizeof(server_addr));
listen(server_sock, 5);
printf("VNC server listening on port %d\n", VNC_PORT);
// Launch RDP client as subprocess
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
char cmdline[1024] = {0};
for (int i = 1; i < argc; i++) {
strcat(cmdline, argv[i]);
if (i < argc - 1) strcat(cmdline, " ");
}
if (!CreateProcess(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
printf("Failed to start RDP client\n");
return 1;
}
// Wait a bit for RDP client to start
Sleep(2000);
// Get screen dimensions
int width = GetSystemMetrics(SM_CXSCREEN);
int height = GetSystemMetrics(SM_CYSCREEN);
HDC screen_dc = GetDC(NULL);
HBITMAP bitmap = CreateCompatibleBitmap(screen_dc, width, height);
BITMAPINFO bmi = {0};
bmi.bmiHeader.biSize = sizeof(BITMAPINFOHEADER);
bmi.bmiHeader.biWidth = width;
bmi.bmiHeader.biHeight = -height; // Negative for top-down
bmi.bmiHeader.biPlanes = 1;
bmi.bmiHeader.biBitCount = 32;
bmi.bmiHeader.biCompression = BI_RGB;
BYTE* framebuffer = (BYTE*)malloc(width * height * 4);
while (1) {
SOCKET client_sock = accept(server_sock, NULL, NULL);
if (client_sock == INVALID_SOCKET) continue;
VNC_CLIENT* client = (VNC_CLIENT*)malloc(sizeof(VNC_CLIENT));
client->client_sock = client_sock;
client->screen_dc = screen_dc;
client->bitmap = bitmap;
client->bmi = bmi;
client->framebuffer = framebuffer;
client->fb_width = width;
client->fb_height = height;
_beginthreadex(NULL, 0, vnc_client_thread, client, 0, NULL);
}
// Cleanup
free(framebuffer);
DeleteObject(bitmap);
ReleaseDC(NULL, screen_dc);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
closesocket(server_sock);
WSACleanup();
return 0;
}
\ No newline at end of file
configure.sh 0 → 100755
View file @ d109697a
#!/bin/bash
# Network Monitoring Suite Configuration Script
# This script sets up the build environment for cross-compiling Windows binaries on Linux
set -e
echo "Network Monitoring Suite - Configuration Script"
echo "==============================================="
# Check if running on Linux
if [[ "$OSTYPE" != "linux-gnu"* ]]; then
echo "Error: This script is designed for Linux systems only."
exit 1
fi
# Function to check if a command exists
command_exists() {
command -v "$1" >/dev/null 2>&1
}
# Check for required tools
echo "Checking for required tools..."
if ! command_exists x86_64-w64-mingw32-gcc; then
echo "MinGW-w64 not found. Installing..."
sudo apt-get update
sudo apt-get install -y gcc-mingw-w64
echo "MinGW-w64 installed successfully."
else
echo "✓ MinGW-w64 found"
fi
# Check for Microsoft Detours
DETOURS_PATH="/usr/local/detours"
if [ ! -f "$DETOURS_PATH/lib64/detours.lib" ]; then
echo "Microsoft Detours not found."
echo "Please download Detours from: https://github.com/microsoft/Detours"
echo "Extract it to $DETOURS_PATH or set DETOURS_PATH in the Makefile"
echo ""
echo "Example installation:"
echo " mkdir -p $DETOURS_PATH"
echo " cd $DETOURS_PATH"
echo " # Extract Detours zip here"
echo " cd src"
echo " nmake" # This requires Visual Studio Build Tools on Windows
echo ""
echo "Note: Detours must be built on Windows first, then copied to Linux."
DETOURS_MISSING=1
else
echo "✓ Microsoft Detours found"
fi
# Create build directory
echo "Creating build directory..."
mkdir -p build
# Generate config.mk for Makefile
echo "Generating configuration..."
cat > config.mk << EOF
# Auto-generated configuration file
DETOURS_PATH = $DETOURS_PATH
CC = x86_64-w64-mingw32-gcc
EOF
if [ -n "$DETOURS_MISSING" ]; then
echo ""
echo "WARNING: Detours not found. ssl_hook.dll cannot be built."
echo "Set DETOURS_PATH in config.mk after installing Detours."
fi
echo ""
echo "Configuration complete!"
echo ""
echo "To build the project:"
echo " make -f Makefile"
echo ""
echo "Or if Detours is missing:"
echo " make -f Makefile network_monitor.exe packet_capture.dll bgvnc.exe"
echo ""
echo "Output files will be placed in the current directory."
\ No newline at end of file
network_monitor.c 0 → 100644
View file @ d109697a
/*
* Network Monitoring Suite - Main Monitor
* Copyright (C) 2024 Stefy Lanza <stefy@sexhack.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <windows.h>
#include <winsock2.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <tlhelp32.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "iphlpapi.lib")
int is_internal_ip(DWORD ip) {
BYTE b1 = (ip >> 24) & 0xFF;
BYTE b2 = (ip >> 16) & 0xFF;
BYTE b3 = (ip >> 8) & 0xFF;
BYTE b4 = ip & 0xFF;
if (b1 == 10) return 1;
if (b1 == 172 && b2 >= 16 && b2 <= 31) return 1;
if (b1 == 192 && b2 == 168) return 1;
if (b1 == 127) return 1; // loopback
return 0;
}
BOOL InjectDLL(HANDLE hProcess, const char* dllPath) {
LPVOID pRemoteBuf = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteBuf) return FALSE;
if (!WriteProcessMemory(hProcess, pRemoteBuf, dllPath, strlen(dllPath) + 1, NULL)) {
VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
return FALSE;
}
HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
LPVOID pLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryA");
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteBuf, 0, NULL);
if (!hThread) {
VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
return FALSE;
}
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
return TRUE;
}
int main() {
char program[256];
printf("Enter program to start: ");
fgets(program, sizeof(program), stdin);
program[strcspn(program, "\n")] = 0;
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi;
if (!CreateProcess(NULL, program, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
printf("Failed to start process\n");
return 1;
}
// Inject DLL before resuming
if (!InjectDLL(pi.hProcess, "ssl_hook.dll")) {
printf("Failed to inject DLL\n");
TerminateProcess(pi.hProcess, 1);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 1;
}
ResumeThread(pi.hThread);
DWORD pid = pi.dwProcessId;
Sleep(2000); // Wait for process to potentially establish connections
FILE* internal_log = fopen("internal_traffic.log", "a");
FILE* external_log = fopen("external_traffic.log", "a");
PMIB_TCPTABLE_OWNER_PID tcpTable;
DWORD size = 0;
GetExtendedTcpTable(NULL, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0);
tcpTable = (PMIB_TCPTABLE_OWNER_PID)malloc(size);
if (GetExtendedTcpTable(tcpTable, &size, FALSE, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0) == NO_ERROR) {
for (DWORD i = 0; i < tcpTable->dwNumEntries; i++) {
MIB_TCPROW_OWNER_PID row = tcpTable->table[i];
if (row.dwOwningPid == pid) {
DWORD localIP = row.dwLocalAddr;
DWORD remoteIP = row.dwRemoteAddr;
char log_entry[256];
sprintf(log_entry, "Connection: Local %d.%d.%d.%d:%d -> Remote %d.%d.%d.%d:%d State:%d\n",
(localIP >> 24) & 0xFF, (localIP >> 16) & 0xFF, (localIP >> 8) & 0xFF, localIP & 0xFF, ntohs(row.dwLocalPort),
(remoteIP >> 24) & 0xFF, (remoteIP >> 16) & 0xFF, (remoteIP >> 8) & 0xFF, remoteIP & 0xFF, ntohs(row.dwRemotePort),
row.dwState);
if (is_internal_ip(remoteIP)) {
fprintf(internal_log, "%s", log_entry);
} else {
fprintf(external_log, "%s", log_entry);
}
printf("%s", log_entry);
}
}
}
fclose(internal_log);
fclose(external_log);
free(tcpTable);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
\ No newline at end of file
packet_capture.c 0 → 100644
View file @ d109697a
/*
* Network Monitoring Suite - Packet Capture
* Copyright (C) 2024 Stefy Lanza <stefy@sexhack.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include <windows.h>
#include <winsock2.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "iphlpapi.lib")
// PCAP file header structure
typedef struct {
DWORD magic_number; // 0xa1b2c3d4
WORD version_major; // 2
WORD version_minor; // 4
DWORD thiszone; // 0
DWORD sigfigs; // 0
DWORD snaplen; // 65535
DWORD network; // 1 (Ethernet)
} pcap_hdr_t;
// PCAP packet header structure
typedef struct {
DWORD ts_sec; // timestamp seconds
DWORD ts_usec; // timestamp microseconds
DWORD incl_len; // number of octets of packet saved in file
DWORD orig_len; // actual length of packet
} pcaprec_hdr_t;
// Ethernet header
typedef struct {
BYTE dest_mac[6];
BYTE src_mac[6];
WORD ethertype;
} ethernet_hdr_t;
// IP header
typedef struct {
BYTE version_ihl;
BYTE tos;
WORD total_length;
WORD identification;
WORD flags_offset;
BYTE ttl;
BYTE protocol;
WORD checksum;
DWORD src_ip;
DWORD dest_ip;
} ip_hdr_t;
// TCP header
typedef struct {
WORD src_port;
WORD dest_port;
DWORD seq_num;
DWORD ack_num;
BYTE data_offset;
BYTE flags;
WORD window;
WORD checksum;
WORD urgent_ptr;
} tcp_hdr_t;
// Function to create fake Ethernet/IP/TCP headers for Wireshark compatibility
void create_pcap_packet(BYTE* buffer, int* size, DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port, const BYTE* payload, int payload_len) {
ethernet_hdr_t* eth = (ethernet_hdr_t*)buffer;
ip_hdr_t* ip = (ip_hdr_t*)(buffer + sizeof(ethernet_hdr_t));
tcp_hdr_t* tcp = (tcp_hdr_t*)(buffer + sizeof(ethernet_hdr_t) + sizeof(ip_hdr_t));
// Fake MAC addresses
memset(eth->dest_mac, 0xFF, 6); // broadcast
memset(eth->src_mac, 0x00, 6);
eth->ethertype = htons(0x0800); // IPv4
// IP header
ip->version_ihl = 0x45; // IPv4, 20 byte header
ip->tos = 0;
ip->total_length = htons(sizeof(ip_hdr_t) + sizeof(tcp_hdr_t) + payload_len);
ip->identification = 0;
ip->flags_offset = 0;
ip->ttl = 64;
ip->protocol = 6; // TCP
ip->checksum = 0; // Skip checksum calculation for simplicity
ip->src_ip = src_ip;
ip->dest_ip = dest_ip;
// TCP header
tcp->src_port = src_port;
tcp->dest_port = dest_port;
tcp->seq_num = 0;
tcp->ack_num = 0;
tcp->data_offset = 0x50; // 20 byte header
tcp->flags = 0x18; // PSH+ACK
tcp->window = htons(8192);
tcp->checksum = 0; // Skip checksum
tcp->urgent_ptr = 0;
// Copy payload
memcpy(buffer + sizeof(ethernet_hdr_t) + sizeof(ip_hdr_t) + sizeof(tcp_hdr_t), payload, payload_len);
*size = sizeof(ethernet_hdr_t) + sizeof(ip_hdr_t) + sizeof(tcp_hdr_t) + payload_len;
}
// Function to write packet to PCAP file
void write_pcap_packet(FILE* pcap_file, DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port, const BYTE* payload, int payload_len) {
BYTE packet_buffer[65535];
int packet_size;
create_pcap_packet(packet_buffer, &packet_size, src_ip, dest_ip, src_port, dest_port, payload, payload_len);
pcaprec_hdr_t rec_hdr;
rec_hdr.ts_sec = (DWORD)time(NULL);
rec_hdr.ts_usec = 0;
rec_hdr.incl_len = packet_size;
rec_hdr.orig_len = packet_size;
fwrite(&rec_hdr, sizeof(pcaprec_hdr_t), 1, pcap_file);
fwrite(packet_buffer, packet_size, 1, pcap_file);
}
// Function to initialize PCAP file
FILE* init_pcap_file(const char* filename) {
FILE* file = fopen(filename, "wb");
if (!file) return NULL;
pcap_hdr_t hdr;
hdr.magic_number = 0xa1b2c3d4;
hdr.version_major = 2;
hdr.version_minor = 4;
hdr.thiszone = 0;
hdr.sigfigs = 0;
hdr.snaplen = 65535;
hdr.network = 1; // Ethernet
fwrite(&hdr, sizeof(pcap_hdr_t), 1, file);
return file;
}
// Function to write raw binary dump
void log_raw_dump(const BYTE* data, int len, int is_internal) {
const char* filename = is_internal ? "internal_tcp_dump.bin" : "external_tcp_dump.bin";
FILE* file = fopen(filename, "ab");
if (file) {
fwrite(data, 1, len, file);
fclose(file);
}
}
// Function to write hex dump
void log_hex_dump(const BYTE* data, int len, int is_internal) {
const char* filename = is_internal ? "internal_tcp_hexdump.log" : "external_tcp_hexdump.log";
FILE* file = fopen(filename, "a");
if (file) {
fprintf(file, "TCP Payload (%d bytes):\n", len);
for (int i = 0; i < len; i++) {
fprintf(file, "%02x ", data[i]);
if ((i + 1) % 16 == 0) fprintf(file, "\n");
}
fprintf(file, "\n\n");
fclose(file);
}
}
// Export function for use by ssl_hook.dll
__declspec(dllexport) void log_unencrypted_traffic(DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port, const BYTE* data, int len, int is_internal) {
static FILE* internal_pcap = NULL;
static FILE* external_pcap = NULL;
if (!internal_pcap) {
internal_pcap = init_pcap_file("internal_tcp_wireshark.pcap");
}
if (!external_pcap) {
external_pcap = init_pcap_file("external_tcp_wireshark.pcap");
}
// Write to PCAP for Wireshark
FILE* target_file = is_internal ? internal_pcap : external_pcap;
if (target_file) {
write_pcap_packet(target_file, src_ip, dest_ip, src_port, dest_port, data, len);
fflush(target_file);
}
// Write raw binary dump
log_raw_dump(data, len, is_internal);
// Write hex dump
log_hex_dump(data, len, is_internal);
}
\ No newline at end of file
ssl_hook.c 0 → 100644
View file @ d109697a
/*
* Network Monitoring Suite - SSL Hook Implementation
* Copyright (C) 2024 Stefy Lanza <stefy@sexhack.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#include "ssl_hook.h"
#include <detours.h>
#include <sspi.h>
// Original function pointers
SSL_write_t original_SSL_write = NULL;
SSL_read_t original_SSL_read = NULL;
EncryptMessage_t original_EncryptMessage = NULL;
DecryptMessage_t original_DecryptMessage = NULL;
LoadLibraryA_t original_LoadLibraryA = NULL;
LoadLibraryW_t original_LoadLibraryW = NULL;
GetProcAddress_t original_GetProcAddress = NULL;
// Hooked functions
int hooked_SSL_write(void* ssl, const void* buf, int num) {
log_data("SSL_WRITE", buf, num);
// For PCAP logging, we'd need to track connection details
// This is simplified - in practice you'd need to maintain connection state
log_unencrypted_traffic(0, 0, 0, 443, (const BYTE*)buf, num, 0); // Assume external for now
return original_SSL_write(ssl, buf, num);
}
int hooked_SSL_read(void* ssl, void* buf, int num) {
int result = original_SSL_read(ssl, buf, num);
if (result > 0) {
log_data("SSL_READ", buf, result);
log_unencrypted_traffic(0, 0, 443, 0, (const BYTE*)buf, result, 0); // Assume external
}
return result;
}
SECURITY_STATUS hooked_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo) {
// Log plaintext data before encryption
for (ULONG i = 0; i < pMessage->cBuffers; i++) {
if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA) {
log_data("SCHANNEL_ENCRYPT", pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer);
log_unencrypted_traffic(0, 0, 0, 443, (const BYTE*)pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer, 0);
break;
}
}
return original_EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
}
SECURITY_STATUS hooked_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP) {
SECURITY_STATUS status = original_DecryptMessage(phContext, pMessage, MessageSeqNo, pfQOP);
if (status == SEC_E_OK) {
// Log decrypted data after decryption
for (ULONG i = 0; i < pMessage->cBuffers; i++) {
if (pMessage->pBuffers[i].BufferType == SECBUFFER_DATA) {
log_data("SCHANNEL_DECRYPT", pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer);
log_unencrypted_traffic(0, 0, 443, 0, (const BYTE*)pMessage->pBuffers[i].pvBuffer, pMessage->pBuffers[i].cbBuffer, 0);
break;
}
}
}
return status;
}
HMODULE hooked_LoadLibraryA(LPCSTR lpLibFileName) {
log_syscall("LoadLibraryA", lpLibFileName);
return original_LoadLibraryA(lpLibFileName);
}
HMODULE hooked_LoadLibraryW(LPCWSTR lpLibFileName) {
char libName[MAX_PATH];
WideCharToMultiByte(CP_ACP, 0, lpLibFileName, -1, libName, MAX_PATH, NULL, NULL);
log_syscall("LoadLibraryW", libName);
return original_LoadLibraryW(lpLibFileName);
}
FARPROC hooked_GetProcAddress(HMODULE hModule, LPCSTR lpProcName) {
char details[256];
sprintf(details, "Module: 0x%p, Function: %s", hModule, lpProcName);
log_syscall("GetProcAddress", details);
return original_GetProcAddress(hModule, lpProcName);
}
// Helper functions
void log_data(const char* direction, const void* buf, int num) {
FILE* logFile = fopen("ssl_log.txt", "a");
if (logFile) {
fprintf(logFile, "[%s] %d bytes: ", direction, num);
for (int i = 0; i < num && i < 100; i++) { // Log first 100 bytes
fprintf(logFile, "%02x ", ((unsigned char*)buf)[i]);
}
fprintf(logFile, "\n");
fclose(logFile);
}
}
void log_syscall(const char* syscall_name, const char* details) {
FILE* logFile = fopen("syscall_log.txt", "a");
if (logFile) {
SYSTEMTIME st;
GetSystemTime(&st);
fprintf(logFile, "[%04d-%02d-%02d %02d:%02d:%02d] %s: %s\n",
st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond,
syscall_name, details);
fclose(logFile);
}
}
// DLL entry point
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
// Get handles to SSL libraries (this is simplified - in reality you'd need to handle multiple SSL implementations)
HMODULE hLibSSL = GetModuleHandle("libssl-1_1.dll"); // OpenSSL
if (!hLibSSL) hLibSSL = GetModuleHandle("ssleay32.dll"); // Older OpenSSL
if (!hLibSSL) hLibSSL = GetModuleHandle("libssl.dll");
if (hLibSSL) {
original_SSL_write = (SSL_write_t)GetProcAddress(hLibSSL, "SSL_write");
original_SSL_read = (SSL_read_t)GetProcAddress(hLibSSL, "SSL_read");
if (original_SSL_write && original_SSL_read) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)original_SSL_write, hooked_SSL_write);
DetourAttach(&(PVOID&)original_SSL_read, hooked_SSL_read);
DetourTransactionCommit();
}
}
// Also try to hook Windows Schannel if available
HMODULE hSecur32 = GetModuleHandle("secur32.dll");
if (hSecur32) {
original_EncryptMessage = (EncryptMessage_t)GetProcAddress(hSecur32, "EncryptMessage");
original_DecryptMessage = (DecryptMessage_t)GetProcAddress(hSecur32, "DecryptMessage");
if (original_EncryptMessage && original_DecryptMessage) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)original_EncryptMessage, hooked_EncryptMessage);
DetourAttach(&(PVOID&)original_DecryptMessage, hooked_DecryptMessage);
DetourTransactionCommit();
}
}
// Hook system DLL loading functions
HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
if (hKernel32) {
original_LoadLibraryA = (LoadLibraryA_t)GetProcAddress(hKernel32, "LoadLibraryA");
original_LoadLibraryW = (LoadLibraryW_t)GetProcAddress(hKernel32, "LoadLibraryW");
original_GetProcAddress = (GetProcAddress_t)GetProcAddress(hKernel32, "GetProcAddress");
if (original_LoadLibraryA && original_LoadLibraryW && original_GetProcAddress) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)original_LoadLibraryA, hooked_LoadLibraryA);
DetourAttach(&(PVOID&)original_LoadLibraryW, hooked_LoadLibraryW);
DetourAttach(&(PVOID&)original_GetProcAddress, hooked_GetProcAddress);
DetourTransactionCommit();
}
}
} else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
if (original_SSL_write && original_SSL_read) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)original_SSL_write, hooked_SSL_write);
DetourDetach(&(PVOID&)original_SSL_read, hooked_SSL_read);
DetourTransactionCommit();
}
if (original_EncryptMessage && original_DecryptMessage) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)original_EncryptMessage, hooked_EncryptMessage);
DetourDetach(&(PVOID&)original_DecryptMessage, hooked_DecryptMessage);
DetourTransactionCommit();
}
if (original_LoadLibraryA && original_LoadLibraryW && original_GetProcAddress) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)original_LoadLibraryA, hooked_LoadLibraryA);
DetourDetach(&(PVOID&)original_LoadLibraryW, hooked_LoadLibraryW);
DetourDetach(&(PVOID&)original_GetProcAddress, hooked_GetProcAddress);
DetourTransactionCommit();
}
}
return TRUE;
}
\ No newline at end of file
ssl_hook.h 0 → 100644
View file @ d109697a
/*
* Network Monitoring Suite - SSL Hook Header
* Copyright (C) 2024 Stefy Lanza <stefy@sexhack.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#ifndef SSL_HOOK_H
#define SSL_HOOK_H
#include <windows.h>
#include <stdio.h>
// Function pointer types for SSL functions
typedef int (*SSL_write_t)(void* ssl, const void* buf, int num);
typedef int (*SSL_read_t)(void* ssl, void* buf, int num);
// Function pointer types for Schannel functions
typedef SECURITY_STATUS (*EncryptMessage_t)(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo);
typedef SECURITY_STATUS (*DecryptMessage_t)(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP);
// Original function pointers
extern SSL_write_t original_SSL_write;
extern SSL_read_t original_SSL_read;
extern EncryptMessage_t original_EncryptMessage;
extern DecryptMessage_t original_DecryptMessage;
// Hooked functions
int hooked_SSL_write(void* ssl, const void* buf, int num);
int hooked_SSL_read(void* ssl, void* buf, int num);
SECURITY_STATUS hooked_EncryptMessage(PCtxtHandle phContext, ULONG fQOP, PSecBufferDesc pMessage, ULONG MessageSeqNo);
SECURITY_STATUS hooked_DecryptMessage(PCtxtHandle phContext, PSecBufferDesc pMessage, ULONG MessageSeqNo, PULONG pfQOP);
// Function pointer types for syscall monitoring
typedef HMODULE (*LoadLibraryA_t)(LPCSTR lpLibFileName);
typedef HMODULE (*LoadLibraryW_t)(LPCWSTR lpLibFileName);
typedef FARPROC (*GetProcAddress_t)(HMODULE hModule, LPCSTR lpProcName);
// Original function pointers for syscall monitoring
extern LoadLibraryA_t original_LoadLibraryA;
extern LoadLibraryW_t original_LoadLibraryW;
extern GetProcAddress_t original_GetProcAddress;
// Hooked functions for syscall monitoring
HMODULE hooked_LoadLibraryA(LPCSTR lpLibFileName);
HMODULE hooked_LoadLibraryW(LPCWSTR lpLibFileName);
FARPROC hooked_GetProcAddress(HMODULE hModule, LPCSTR lpProcName);
// Helper functions
void log_data(const char* direction, const void* buf, int num);
void log_syscall(const char* syscall_name, const char* details);
// Packet capture function
__declspec(dllimport) void log_unencrypted_traffic(DWORD src_ip, DWORD dest_ip, WORD src_port, WORD dest_port, const BYTE* data, int len, int is_internal);
#endif
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment