Favorite packet logger

[PunK]

I use to use WPE but it doesn't quite work with logging any blizzard games... So I am using AnalogX now and it's alright. You can set your own rules and what not but I would like to individually packet log separate PID's instead of just certain parameters on the whole machine... If you get what I am trying to say.. Anyone have a better packet sniffer?

[l2k-Shadow]

Well, you are looking for a WPE-style packet logger which essentially is a dll that injects itself into the program and sniffs packets. I have not seen any other but WPE that does this and I don't think it will work on blizzard games. Why not just use WireShark with a filter setting?

[Barabajagal]

You know... you can get WPE to work on blizzard games pretty easily by rewriting the DACL.

Here's some simple VB6 code to do it:

Code Select Expand

Option Explicit
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type TRUSTEE
    pMultipleTrustee                    As Long
    MultipleTrusteeOperation            As Long
    TrusteeForm                         As Long
    TrusteeType                         As Long
    ptstrName                           As Long
End Type
Private Type EXPLICIT_ACCESS
    grfAccessPermissions                As Long
    grfAccessMode                       As Long
    grfInheritance                      As Long
    myTrustee                           As TRUSTEE
End Type
Private Type tSID
   Revision                             As Byte
   SubAuthorityCount                    As Byte
   IdentifierAuthority(5)               As Byte
   SubAuthority                         As Long
End Type

Public Sub Main()
Dim dWnd        As Long
Dim hProcess    As Long
Dim pID         As Long
Dim SID         As tSID
Dim EA          As EXPLICIT_ACCESS
Dim pDacl       As Long
Dim sClass      As String
  sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
  If LenB(sClass) = 0 Then Exit Sub
  dWnd = FindWindow(sClass, vbNullString)
  If dWnd = 0 Then
    MsgBox "Could not find process!", vbCritical, "RewriteDACL"
    Exit Sub
  End If
  GetWindowThreadProcessId dWnd, pID
  hProcess = OpenProcess(&H40000, &H0, pID)
  SID.Revision = &H1
  SID.SubAuthorityCount = &H1
  SID.IdentifierAuthority(5) = &H1
  EA.grfAccessPermissions = &H1F0FFF
  If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
    EA.grfAccessMode = &H2
  Else
    EA.grfAccessMode = &H3
  End If
  EA.myTrustee.TrusteeType = &H1
  EA.myTrustee.ptstrName = VarPtr(SID.Revision)
  SetEntriesInAcl &H1, EA, &H0, pDacl
  SetSecurityInfo hProcess, &H6, &H4, &H0, &H0, pDacl, &H0
  LocalFree pDacl
  CloseHandle hProcess
End Sub

Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe

[PunK]

You know... you can get WPE to work on blizzard games pretty easily by rewriting the DACL.

Here's some simple VB6 code to do it:

Code Select Expand

Option Explicit
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal blnheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type TRUSTEE
    pMultipleTrustee                    As Long
    MultipleTrusteeOperation            As Long
    TrusteeForm                         As Long
    TrusteeType                         As Long
    ptstrName                           As Long
End Type
Private Type EXPLICIT_ACCESS
    grfAccessPermissions                As Long
    grfAccessMode                       As Long
    grfInheritance                      As Long
    myTrustee                           As TRUSTEE
End Type
Private Type tSID
   Revision                             As Byte
   SubAuthorityCount                    As Byte
   IdentifierAuthority(5)               As Byte
   SubAuthority                         As Long
End Type

Public Sub Main()
Dim dWnd        As Long
Dim hProcess    As Long
Dim pID         As Long
Dim SID         As tSID
Dim EA          As EXPLICIT_ACCESS
Dim pDacl       As Long
Dim sClass      As String
  sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
  If LenB(sClass) = 0 Then Exit Sub
  dWnd = FindWindow(sClass, vbNullString)
  If dWnd = 0 Then
    MsgBox "Could not find process!", vbCritical, "RewriteDACL"
    Exit Sub
  End If
  GetWindowThreadProcessId dWnd, pID
  hProcess = OpenProcess(&H40000, &H0, pID)
  SID.Revision = &H1
  SID.SubAuthorityCount = &H1
  SID.IdentifierAuthority(5) = &H1
  EA.grfAccessPermissions = &H1F0FFF
  If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
    EA.grfAccessMode = &H2
  Else
    EA.grfAccessMode = &H3
  End If
  EA.myTrustee.TrusteeType = &H1
  EA.myTrustee.ptstrName = VarPtr(SID.Revision)
  SetEntriesInAcl &H1, EA, &H0, pDacl
  SetSecurityInfo hProcess, &H6, &H4, &H0, &H0, pDacl, &H0
  LocalFree pDacl
  CloseHandle hProcess
End Sub

Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe

Thats what i'm talking about. Thanks boss.

//

Actually I just ran into an issue.. It seems that it only records outgoing, not incoming. However, it doesn't do that with other programs, such as bots...

I'm probably doing something stupid but I don't see what possibly could be the issue.

[Barabajagal]

View>Option. Check to make sure you have Send and Recv on Winsock 1.1 enabled. I tried it myself and got everything just fine, so I don't know what the problem might be if it's not that.

[PunK]

Yeah, it's on. Still giving me the same problem. And also, whats starcrafts window name? Because I type in "Starcraft" but it gets no results.

[Barabajagal]

SWarClass. It's not the window name, it's the class name. You can rewrite it to use the window name if you want.

[PunK]

Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?

[Barabajagal]

Spy++?

[MysT_DooM]

best off using wireshark

[iago]

best off using wireshark

Wireshark is, by far, the best.

[PunK]

That's 3 different people who said use wireshark...

Using wireshark...

Thanks.

[brew]

Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?

GetClassInfo()