I used to use WPE but it doesn't quite work with logging any Blizzard games... So I am using AnalogX now and it's alright. You can set your own rules and whatnot, but I would like to individually packet log separate PIDs instead of just certain parameters on the whole machine... if you get what I am trying to say. Anyone have a better packet sniffer?
Well, you are looking for a WPE-style packet logger, which essentially is a DLL that injects itself into the program and sniffs packets. I have not seen any other than WPE that does this, and I don't think it will work on Blizzard games. Why not just use Wireshark with a filter setting?
You know... you can get WPE to work on Blizzard games pretty easily by rewriting the DACL.
Here's some simple VB6 code to do it:
Option Explicit

' Win32 declarations (ANSI FindWindow, Unicode SetEntriesInAcl)
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' TRUSTEE: TrusteeForm is left at 0 (TRUSTEE_IS_SID), so ptstrName points at a SID
Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As Long
    TrusteeForm As Long
    TrusteeType As Long
    ptstrName As Long
End Type

Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As Long
    grfInheritance As Long
    myTrustee As TRUSTEE
End Type

' Minimal SID with one sub-authority; filled in below as S-1-1-0 (Everyone)
Private Type tSID
    Revision As Byte
    SubAuthorityCount As Byte
    IdentifierAuthority(5) As Byte
    SubAuthority As Long
End Type

Public Sub Main()
    Dim dWnd As Long
    Dim hProcess As Long
    Dim pID As Long
    Dim SID As tSID
    Dim EA As EXPLICIT_ACCESS
    Dim pDacl As Long
    Dim sClass As String

    sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
    If LenB(sClass) = 0 Then Exit Sub

    ' Locate the target by window class and resolve its process ID
    dWnd = FindWindow(sClass, vbNullString)
    If dWnd = 0 Then
        MsgBox "Could not find process!", vbCritical, "RewriteDACL"
        Exit Sub
    End If
    GetWindowThreadProcessId dWnd, pID

    ' &H40000 = WRITE_DAC: the only right needed to replace the DACL
    hProcess = OpenProcess(&H40000, &H0, pID)
    If hProcess = 0 Then
        MsgBox "Could not open process for WRITE_DAC!", vbCritical, "RewriteDACL"
        Exit Sub
    End If

    ' Build S-1-1-0: revision 1, one sub-authority, authority 1 (WORLD), RID 0 (default)
    SID.Revision = &H1
    SID.SubAuthorityCount = &H1
    SID.IdentifierAuthority(5) = &H1

    ' &H1F0FFF = PROCESS_ALL_ACCESS; &H2 = SET_ACCESS (allow), &H3 = DENY_ACCESS
    EA.grfAccessPermissions = &H1F0FFF
    If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
        EA.grfAccessMode = &H2
    Else
        EA.grfAccessMode = &H3
    End If
    EA.myTrustee.TrusteeType = &H1          ' TRUSTEE_IS_USER
    EA.myTrustee.ptstrName = VarPtr(SID.Revision)

    ' OldAcl = 0 builds a fresh DACL holding only this single ACE
    SetEntriesInAcl &H1, EA, &H0, pDacl
    ' &H6 = SE_KERNEL_OBJECT, &H4 = DACL_SECURITY_INFORMATION
    SetSecurityInfo hProcess, &H6, &H4, &H0, &H0, pDacl, &H0

    LocalFree pDacl
    CloseHandle hProcess
End Sub
Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe
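From the defender's side, the change above leaves a fingerprint: the process DACL ends up with a single ACE granting PROCESS_ALL_ACCESS to Everyone (S-1-1-0). As an added example, not code from this thread or from WPE, here is a small Python check over a security descriptor exported in SDDL form that flags allow-ACEs handing injection-capable rights to a broad principal; the SDDL samples are constructed, and the alias table covers only the principals named in the code.

```python
import re

# Masks as used in the VB6 snippet above (pre-Vista PROCESS_ALL_ACCESS).
PROCESS_ALL_ACCESS = 0x1F0FFF
# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE:
# the subset of rights that lets a caller inject code or read memory.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
GENERIC_ALL = 0x10000000

# SDDL account aliases that denote "anyone" rather than a specific principal.
BROAD_PRINCIPALS = {"WD": "Everyone", "S-1-1-0": "Everyone",
                    "AN": "Anonymous", "AU": "Authenticated Users"}

# Two-letter SDDL rights codes; the rights field may also be a plain hex mask.
# Note WD here is WRITE_DAC (0x40000), the right the VB6 code opens the process with.
SDDL_RIGHTS = {"GA": GENERIC_ALL, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
               "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000}

_ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(field):
    """Return the access mask for an SDDL rights field (hex or letter codes)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return (ace_type, mask, sid) for each ACE in the D: section of an SDDL string."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [(ace_type, parse_rights(rights), sid)
            for ace_type, _flags, rights, _og, _iog, sid in _ACE_RE.findall(m.group(1))]


def find_risky_aces(sddl):
    """Flag allow-ACEs that grant injection-capable rights to a broad principal.

    Returns (principal, mask, is_full_access) tuples. Deny ACEs (the 'No' branch
    of the VB6 prompt) are not flagged: they lock the process down rather than open it.
    """
    findings = []
    for ace_type, mask, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_PRINCIPALS:
            continue
        if mask & INJECTION_RIGHTS or mask & GENERIC_ALL:
            full = (mask & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS
            findings.append((BROAD_PRINCIPALS[sid], mask, full))
    return findings


# Constructed samples: a typical restrictive process DACL, the rewritten one, and the deny variant.
CLEAN_SDDL = "O:BAG:SYD:(A;;0x1fffff;;;BA)(A;;0x1fffff;;;SY)(A;;0x121411;;;RC)"
REWRITTEN_SDDL = "O:BAG:SYD:(A;;0x1f0fff;;;WD)"
DENIED_SDDL = "O:BAG:SYD:(D;;0x1f0fff;;;WD)"
```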
Quote from: Andy on December 10, 2008, 05:55 PM
You know... you can get WPE to work on blizzard games pretty easily by rewriting the DACL.
[...]
That's what I'm talking about. Thanks boss.
Actually, I just ran into an issue... It seems that it only records outgoing, not incoming. However, it doesn't do that with other programs, such as bots...
I'm probably doing something stupid but I don't see what possibly could be the issue.
View > Options. Check to make sure you have Send and Recv on Winsock 1.1 enabled. I tried it myself and got everything just fine, so I don't know what the problem might be if it's not that.
Yeah, it's on. Still giving me the same problem. And also, what's Starcraft's window name? Because I type in "Starcraft" but it gets no results.
SWarClass. It's not the window name, it's the class name. You can rewrite it to use the window name if you want.
Oh... Well then I guess I got lucky for War3. It's named "Warcraft III", unless that seems to be the problem... How do I find the class name of War3?
Spy++?
Best off using Wireshark.
Quote from: MysT_DooM on December 11, 2008, 10:16 AM
Best off using Wireshark.
Wireshark is, by far, the best.
That's 3 different people who said to use Wireshark...
Using Wireshark...
Thanks.
Quote from: PunK on December 11, 2008, 01:50 AM
Oh... Well then I guess I got lucky for War3. It's named "Warcraft III", unless that seems to be the problem... How do I find the class name of War3?
GetClassInfo() (http://msdn.microsoft.com/en-us/library/ms633578(VS.85).aspx)