• Welcome to Valhalla Legends Archive.
 

Favorite packet logger

Started by PunK, December 10, 2008, 02:59 PM


PunK

I used to use WPE but it doesn't quite work with logging any Blizzard games... So I am using AnalogX now and it's alright. You can set your own rules and whatnot, but I would like to individually packet log separate PIDs instead of just certain parameters on the whole machine... if you get what I am trying to say. Anyone have a better packet sniffer?

l2k-Shadow

Well, you are looking for a WPE-style packet logger, which essentially is a DLL that injects itself into the program and sniffs packets. I have not seen any other but WPE that does this, and I don't think it will work on Blizzard games. Why not just use Wireshark with a filter setting?
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno what it means, someone tell me what's ix86 and pmac?
Can someone send me a working bot source (with BNLS support) to my email? Then help me copy and paste it to my bot? ;D
I was destined to live here,
Eating boiled pork and horseradish, washing it down with beer.
Over there, they say, you'd be living like a pig in clover,
But I don't want to sit on my ass in front of anyone.

I'm not from the USA, I'm not from the USA, I really am not from the USA... and I hope they won't hold it against me.

Barabajagal

#2
You know... you can get WPE to work on Blizzard games pretty easily by rewriting the DACL.

Here's some simple VB6 code to do it:

Option Explicit
' Win32 declarations
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' Named constants for the raw hex values
Private Const WRITE_DAC As Long = &H40000               ' the only right OpenProcess needs to replace a DACL
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const SET_ACCESS As Long = &H2                  ' ACCESS_MODE: replace any existing rights for the trustee
Private Const DENY_ACCESS As Long = &H3                 ' ACCESS_MODE: add an access-denied ACE
Private Const NO_INHERITANCE As Long = &H0
Private Const TRUSTEE_IS_SID As Long = &H0
Private Const TRUSTEE_IS_USER As Long = &H1
Private Const SE_KERNEL_OBJECT As Long = &H6
Private Const DACL_SECURITY_INFORMATION As Long = &H4
Private Const ERROR_SUCCESS As Long = 0

Private Type TRUSTEE
    pMultipleTrustee                    As Long
    MultipleTrusteeOperation            As Long
    TrusteeForm                         As Long
    TrusteeType                         As Long
    ptstrName                           As Long
End Type
Private Type EXPLICIT_ACCESS
    grfAccessPermissions                As Long
    grfAccessMode                       As Long
    grfInheritance                      As Long
    myTrustee                           As TRUSTEE
End Type
' Minimal SID layout: enough for a single sub-authority (S-1-1-0, "Everyone")
Private Type tSID
   Revision                             As Byte
   SubAuthorityCount                    As Byte
   IdentifierAuthority(5)               As Byte
   SubAuthority                         As Long
End Type

Public Sub Main()
Dim dWnd        As Long
Dim hProcess    As Long
Dim pID         As Long
Dim SID         As tSID
Dim EA          As EXPLICIT_ACCESS
Dim pDacl       As Long
Dim sClass      As String
Dim lRet        As Long
  sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
  If LenB(sClass) = 0 Then Exit Sub
  dWnd = FindWindow(sClass, vbNullString)
  If dWnd = 0 Then
    MsgBox "Could not find process!", vbCritical, "RewriteDACL"
    Exit Sub
  End If
  GetWindowThreadProcessId dWnd, pID
  ' WRITE_DAC is granted to the owner of the process object even when the process
  ' has locked down its own DACL, which is why this works from the same user account.
  hProcess = OpenProcess(WRITE_DAC, 0, pID)
  If hProcess = 0 Then
    MsgBox "OpenProcess failed (error " & Err.LastDllError & ")", vbCritical, "RewriteDACL"
    Exit Sub
  End If
  ' Build S-1-1-0 (Everyone): revision 1, one sub-authority,
  ' SECURITY_WORLD_SID_AUTHORITY = {0,0,0,0,0,1}, RID 0
  SID.Revision = &H1
  SID.SubAuthorityCount = &H1
  SID.IdentifierAuthority(5) = &H1
  SID.SubAuthority = 0
  EA.grfAccessPermissions = PROCESS_ALL_ACCESS
  If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
    EA.grfAccessMode = SET_ACCESS        ' Everyone: full access (lets WPE open the process)
  Else
    EA.grfAccessMode = DENY_ACCESS       ' Everyone: access denied
  End If
  EA.grfInheritance = NO_INHERITANCE
  EA.myTrustee.TrusteeForm = TRUSTEE_IS_SID
  EA.myTrustee.TrusteeType = TRUSTEE_IS_USER
  EA.myTrustee.ptstrName = VarPtr(SID.Revision)
  ' OldAcl = 0: the new DACL holds only this one ACE; whatever the game put there is discarded.
  lRet = SetEntriesInAcl(&H1, EA, &H0, pDacl)
  If lRet <> ERROR_SUCCESS Then
    MsgBox "SetEntriesInAcl failed (error " & lRet & ")", vbCritical, "RewriteDACL"
    CloseHandle hProcess
    Exit Sub
  End If
  lRet = SetSecurityInfo(hProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, &H0, &H0, pDacl, &H0)
  If lRet <> ERROR_SUCCESS Then
    MsgBox "SetSecurityInfo failed (error " & lRet & ")", vbCritical, "RewriteDACL"
  End If
  LocalFree pDacl
  CloseHandle hProcess
End Sub


Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe
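The same DACL rewrite done from PowerShell, as an added example that is not part of the original post or the RewriteDACL download. It does what the VB6 program does (replace the process DACL with a single Everyone/S-1-1-0 ACE carrying PROCESS_ALL_ACCESS, allowed or denied), but adds the checks the original skips: every API return value is tested, and the DACL is dumped in SDDL before and after so you can see what was replaced. It uses the .NET RawSecurityDescriptor classes and GetKernelObjectSecurity/SetKernelObjectSecurity rather than SetEntriesInAcl/SetSecurityInfo; the effect on the process object is the same. Assumptions: you run it in the same logon session that started the game, so your token owns the process object (Windows grants the owner READ_CONTROL and WRITE_DAC regardless of what the DACL says), and the default class name "SWarClass" is the Starcraft value given later in this thread. It will fail with access denied against processes owned by another account or against protected processes.

```powershell
param(
    [string]$ClassName = 'SWarClass',   # window class from the thread; override per game
    [int]$ProcessId = 0,                # or give a PID directly
    [switch]$Deny                       # write a deny ACE instead of an allow ACE
)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool SetKernelObjectSecurity(IntPtr Handle, uint SecurityInformation,
    byte[] pSecurityDescriptor);
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
'@

$READ_CONTROL              = 0x00020000
$WRITE_DAC                 = 0x00040000
$DACL_SECURITY_INFORMATION = 0x00000004

function Get-Win32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Get-ProcessDaclSddl([IntPtr]$Handle) {
    # First call with no buffer only reports the size needed (ERROR_INSUFFICIENT_BUFFER).
    $needed = [uint32]0
    [void][Win32.Native]::GetKernelObjectSecurity($Handle, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    $buf = New-Object byte[] $needed
    if (-not [Win32.Native]::GetKernelObjectSecurity($Handle, $DACL_SECURITY_INFORMATION, $buf, $needed, [ref]$needed)) {
        throw "GetKernelObjectSecurity failed, error $(Get-Win32Error)"
    }
    $sd = [Security.AccessControl.RawSecurityDescriptor]::new($buf, 0)
    # An empty result (no "D:" part) is a NULL DACL, which means no restrictions, not no access.
    return $sd.GetSddlForm([Security.AccessControl.AccessControlSections]::Access)
}

function Set-ProcessDacl([IntPtr]$Handle, [string]$Sddl) {
    $sd = [Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)   # self-relative descriptor, which SetKernelObjectSecurity expects
    if (-not [Win32.Native]::SetKernelObjectSecurity($Handle, $DACL_SECURITY_INFORMATION, $bytes)) {
        throw "SetKernelObjectSecurity failed, error $(Get-Win32Error)"
    }
}

# Resolve the target: an explicit PID wins, otherwise find the window by class name,
# exactly as the VB6 program does (a null title matches any window of that class).
if ($ProcessId -eq 0) {
    $hwnd = [Win32.Native]::FindWindow($ClassName, $null)
    if ($hwnd -eq [IntPtr]::Zero) { throw "No window with class '$ClassName' found" }
    $pidOut = [uint32]0
    [void][Win32.Native]::GetWindowThreadProcessId($hwnd, [ref]$pidOut)
    $ProcessId = [int]$pidOut
}

# Ask only for what we need: WRITE_DAC to replace the DACL, READ_CONTROL to read it back.
# Both are granted to the object owner whatever the DACL contains, which is the whole
# reason a process cannot protect itself from code running as the same user this way.
$h = [Win32.Native]::OpenProcess($READ_CONTROL -bor $WRITE_DAC, $false, $ProcessId)
if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, error $(Get-Win32Error)" }
try {
    "Before: " + (Get-ProcessDaclSddl $h)
    # WD = Everyone (S-1-1-0); 0x1f0fff = PROCESS_ALL_ACCESS, the mask the VB6 code uses.
    # The allow form opens the process to every local account, so revert it when done.
    $sddl = if ($Deny) { 'D:(D;;0x1f0fff;;;WD)' } else { 'D:(A;;0x1f0fff;;;WD)' }
    Set-ProcessDacl $h $sddl
    "After:  " + (Get-ProcessDaclSddl $h)
} finally {
    [void][Win32.Native]::CloseHandle($h)
}
```

Run it once with no switches to open the process up for WPE, and again with `-Deny` (or restore from the "Before" SDDL it printed) when you are finished; while the allow ACE is in place, any process on the machine, under any account, can read, write and inject into the game.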

PunK

#3
Quote from: Andy on December 10, 2008, 05:55 PM
You know... you can get WPE to work on Blizzard games pretty easily by rewriting the DACL.

That's what I'm talking about. Thanks, boss.

//

Actually I just ran into an issue.. It seems that it only records outgoing, not incoming. However, it doesn't do that with other programs, such as bots...

I'm probably doing something stupid but I don't see what possibly could be the issue.

Barabajagal

View>Option. Check to make sure you have Send and Recv on Winsock 1.1 enabled. I tried it myself and got everything just fine, so I don't know what the problem might be if it's not that.

PunK

Yeah, it's on. Still giving me the same problem. And also, what's Starcraft's window name? Because I type in "Starcraft" but it gets no results.

Barabajagal

SWarClass. It's not the window name, it's the class name. You can rewrite it to use the window name if you want.

PunK

Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?

Barabajagal


MysT_DooM



vb6, something about that combination of numbers and letters is sexy

iago

This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


PunK

That's 3 different people who said use Wireshark...

Using wireshark...

Thanks.

brew

Quote from: PunK on December 11, 2008, 01:50 AM
Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?
GetClassInfo()
<3 Zorm
Quote
[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know you are, but what am I? :P