├── linux-2.4 ├── AUTHORS ├── COPYING ├── ChangeLog ├── INSTALL ├── Makefile.am ├── Makefile.in ├── NEWS ├── README ├── README.FILTER ├── acconfig.h ├── aclocal.m4 ├── af_packet.c.diff.adder ├── af_packet.diff ├── af_packet_prepare.sh ├── cleaner.c ├── compile_filter.pl ├── config.guess ├── config.h.in ├── config.sub ├── configure ├── configure.in ├── depcomp ├── filter.c ├── filter.h ├── filter.txt ├── gen_fudge.pl ├── get_if.pl ├── install-sh ├── missing ├── sbk_install.sh ├── sbk_util.c ├── sbk_util.h ├── sebek.c └── sebek.h ├── linux-2.6 ├── AUTHORS ├── BUILD ├── COPYING ├── ChangeLog ├── INSTALL ├── Makefile.am ├── Makefile.in ├── NEWS ├── README ├── acconfig.h ├── aclocal.m4 ├── compile_filter.pl ├── config.guess ├── config.sub ├── configure ├── configure.in ├── depcomp ├── filter.txt ├── gen_fudge.pl ├── install-sh ├── missing ├── sbk_install.sh └── src │ ├── Makefile │ ├── af_packet.diff │ ├── config.h.in │ ├── filter.c │ ├── filter.h │ ├── net.c │ ├── net.h │ ├── sebek.c │ ├── sebek.h │ ├── syscall.c │ ├── syscall.h │ ├── util.c │ └── util.h ├── sebekd ├── Makefile.am ├── Makefile.rpm ├── README ├── acconfig.h ├── config.h.in ├── configure.in ├── init.d │ └── sebekd ├── sbk_diag.pl ├── sbk_extract.c ├── sbk_extract.h ├── sbk_ks_log.pl ├── sbk_upload.pl ├── sbk_viewer.pl ├── sebek_extract.c ├── sebek_extract.h ├── sebekd.pl └── sebekd.spec └── windows ├── Configuration Wizard ├── Configuration Wizard.cpp ├── Configuration Wizard.dsp ├── Configuration Wizard.dsw ├── Configuration Wizard.h ├── Configuration Wizard.ncb ├── Configuration Wizard.rc ├── Configuration Wizard.sln ├── Configuration Wizard.suo ├── Configuration Wizard.vcproj ├── ConfigurationWizardConfigFileName.cpp ├── ConfigurationWizardConfigFileName.h ├── ConfigurationWizardFinish.cpp ├── ConfigurationWizardFinish.h ├── ConfigurationWizardMagicValue.cpp ├── ConfigurationWizardMagicValue.h ├── ConfigurationWizardNetworkConfig.cpp ├── ConfigurationWizardNetworkConfig.h ├── 
ConfigurationWizardSelectFile.cpp ├── ConfigurationWizardSelectFile.h ├── ConfigurationWizardServerConfig.cpp ├── ConfigurationWizardServerConfig.h ├── ConfigurationWizardSheet.cpp ├── ConfigurationWizardSheet.h ├── ConfigurationWizardWelcome.cpp ├── ConfigurationWizardWelcome.h ├── DriverConfig.cpp ├── DriverConfig.h ├── MersenneTwister.h ├── Singleton.h ├── StdAfx.cpp ├── StdAfx.h ├── res │ ├── Configuration Wizard.ICO │ ├── Configuration Wizard.rc2 │ ├── WizardHeader.bmp │ ├── WizardWatermark.bmp │ └── dot.bmp └── resource.h ├── License.txt ├── MAKEFILE ├── NSIS └── sebek.nsi ├── Project.lnt ├── ProjectFiles.lnt ├── README.txt ├── SOURCES ├── adapters.c ├── adapters.h ├── antidetection.c ├── antidetection.h ├── av.c ├── av.h ├── consolespy.c ├── consolespy.h ├── datapipe.c ├── datapipe.h ├── debug.c ├── debug.h ├── exports.c ├── exports.h ├── exports_int.h ├── hooked_fn.c ├── logging.c ├── logging.h ├── memtrack.c ├── memtrack.h ├── net.h ├── nt.h ├── obj_tbl.c ├── obj_tbl.h ├── packet.c ├── packet.h ├── pe.h ├── proc_tbl.c ├── proc_tbl.h ├── resource.h ├── sebek.aps ├── sebek.c ├── sebek.dsp ├── sebek.dsw ├── sebek.h ├── sebek.rc ├── sebek.sln ├── sebek.suo ├── sebek.vcproj ├── sock.c ├── sock.h ├── system_service.h ├── tdi_hook.c ├── tdi_hook.h ├── tdithread.c ├── tdithread.h ├── tib.h ├── util.c └── util.h /linux-2.4/AUTHORS: -------------------------------------------------------------------------------- 1 | // Butchered by Edward Balas 2 | // Bug catcher: Camilo Viecco 3 | // write tracking by Raul Siles 4 | -------------------------------------------------------------------------------- /linux-2.4/COPYING: -------------------------------------------------------------------------------- 1 | 2 | Copyright (C) 2001/2002 The Honeynet Project. 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions 7 | are met: 8 | 1. 
Redistributions of source code must retain the above copyright 9 | notice, this list of conditions and the following disclaimer. 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 3. All advertising materials mentioning features or use of this software 14 | must display the following acknowledgement: 15 | This product includes software developed by The Honeynet Project. 16 | 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | products derived from this software without specific prior written 18 | permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | SUCH DAMAGE. 
31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /linux-2.4/Makefile.am: -------------------------------------------------------------------------------- 1 | #KERN_SRC = /usr/src/linux-2.4 2 | KERN_SRC = @kern_src@ 3 | INCLUDES = -I$(KERN_SRC)/include 4 | CFLAGS = -O2 -DUSE_MOD_LICENSE -DUSE_FUDGE 5 | 6 | 7 | EXTRA_DIST = sbk_install.sh gen_fudge.pl af_packet_prepare.sh af_packet.c.diff.adder compile_filter.pl filter.txt get_if.pl README README.FILTER 8 | bin_SCRIPTS = sbk_install.sh gen_fudge.pl af_packet_prepare.sh get_if.pl 9 | bin_PROGRAMS = sebek cleaner bintar 10 | 11 | sebek_SOURCES = sebek.c sebek.h af_packet.diff sbk_util.c sbk_util.h filter.c filter.h 12 | cleaner_SOURCES = cleaner.c 13 | bintar_SOURCES = 14 | 15 | 16 | 17 | af_packet.c: af_packet.diff 18 | cp -f $(KERN_SRC)/net/packet/af_packet.c . 19 | ./af_packet_prepare.sh 20 | patch af_packet.c af_packet.diff 21 | 22 | fudge.h: gen_fudge.pl 23 | ./gen_fudge.pl > fudge.h 24 | 25 | sbk_OBJ: af_packet.c sebek.c filter.c sbk_util.c fudge.h 26 | $(CC) -c $(INCLUDES) ${DFLAGS} $(CFLAGS) $(srcdir)/sebek.c -o sebek.o 27 | $(CC) -c $(INCLUDES) ${DFLAGS} $(CFLAGS) $(srcdir)/filter.c -o filter.o 28 | $(CC) -c $(INCLUDES) ${DFLAGS} $(CFLAGS) $(srcdir)/sbk_util.c -o sbk_util.o 29 | rm af_packet.c 30 | 31 | sebek$(EXEEXT): af_packet.c sbk_OBJ fudge.h 32 | ld -m elf_i386 -r -o sbk_mod.o sebek.o filter.o sbk_util.o 33 | 34 | 35 | cleaner$(EXEEXT): cleaner.c 36 | $(CC) -c $(INCLUDES) $(CFLAGS) $(srcdir)/cleaner.c -o cleaner.o 37 | 38 | bintar$(EXEEXT): sebek cleaner 39 | mkdir @PACKAGE@-@VERSION@-bin 40 | cp sbk_mod.o @PACKAGE@-@VERSION@-bin 41 | cp cleaner.o @PACKAGE@-@VERSION@-bin 42 | cp $(srcdir)/compile_filter.pl @PACKAGE@-@VERSION@-bin 43 | cp $(srcdir)/filter.txt @PACKAGE@-@VERSION@-bin 44 | cp $(srcdir)/parameters.sh @PACKAGE@-@VERSION@-bin 45 | cp $(srcdir)/sbk_install.sh @PACKAGE@-@VERSION@-bin 46 | cp $(srcdir)/get_if.pl @PACKAGE@-@VERSION@-bin 47 | cp 
$(srcdir)/README @PACKAGE@-@VERSION@-bin 48 | cp $(srcdir)/README.FILTER @PACKAGE@-@VERSION@-bin 49 | chmod u+x @PACKAGE@-@VERSION@-bin/sbk_install.sh 50 | tar -cf @PACKAGE@-@VERSION@-bin.tar @PACKAGE@-@VERSION@-bin 51 | rm -rf @PACKAGE@-@VERSION@-bin 52 | -------------------------------------------------------------------------------- /linux-2.4/NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/linux-2.4/NEWS -------------------------------------------------------------------------------- /linux-2.4/acconfig.h: -------------------------------------------------------------------------------- 1 | #undef PACKAGE 2 | #undef VERSION 3 | #undef BSDI 4 | #undef FREEBSD 5 | #undef LINUX 6 | #undef OPENBSD 7 | #undef MACOS 8 | #undef SOLARIS 9 | 10 | #undef SBK_TASK_P_PPTR 11 | -------------------------------------------------------------------------------- /linux-2.4/af_packet.c.diff.adder: -------------------------------------------------------------------------------- 1 | --- af_packet.c.blah 2005-08-26 09:38:18.643179087 -0500 2 | +++ af_packet.c 2005-08-26 09:49:46.598944733 -0500 3 | @@ -1902,3 +1902,4 @@ 4 | 5 | module_init(packet_init); 6 | module_exit(packet_exit); 7 | +MODULE_LICENSE("GPL"); 8 | -------------------------------------------------------------------------------- /linux-2.4/af_packet.diff: -------------------------------------------------------------------------------- 1 | --- af_packet.c.orig Mon Feb 2 11:12:30 2004 2 | +++ af_packet.c Mon Feb 2 11:12:32 2004 3 | 
@@ -35,13 +35,17 @@ 4 | * Cyrus Durgin : Fixed kerneld for kmod. 5 | * Michal Ostrowski : Module initialization cleanup. 6 | * 7 | + * Edward Balas : Butchered for Sebek use 8 | + * 9 | * This program is free software; you can redistribute it and/or 10 | * modify it under the terms of the GNU General Public License 11 | * as published by the Free Software Foundation; either version 12 | * 2 of the License, or (at your option) any later version. 13 | * 14 | */ 15 | - 16 | + 17 | +#include "sebek.h" 18 | + 19 | #include 20 | #include 21 | #include 22 | @@ -1019,7 +1022,12 @@ 23 | struct sk_buff *skb; 24 | int copied, err; 25 | 26 | + //---- sebek variables 27 | + u32 * s_ptr; 28 | + struct udphdr * udp_ptr; 29 | + 30 | err = -EINVAL; 31 | + 32 | if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC)) 33 | goto out; 34 | 35 | @@ -1048,8 +1056,12 @@ 36 | * but then it will block. 37 | */ 38 | 39 | + try_again: 40 | + 41 | skb=skb_recv_datagram(sk,flags,flags&MSG_DONTWAIT,&err); 42 | 43 | + 44 | + 45 | /* 46 | * An error occurred so return it. Because skb_recv_datagram() 47 | * handles the blocking we don't see and worry about blocking 48 | 
@@ -1059,6 +1071,26 @@ 49 | if(skb==NULL) 50 | goto out; 51 | 52 | + 53 | + //------ Filter out sebek packets if 54 | + //------ The protocol is IP 55 | + //------- Destintion matches the configured val 56 | + //------- first 32 bits of the payload match the magic val. 57 | + if(ntohs(skb->protocol) == ETH_P_IP && 58 | + skb->nh.iph->protocol == IPPROTO_UDP ){ 59 | + 60 | + //--- this is a bit of a hack 61 | + udp_ptr = (struct udphdr *)((char *)((char *)skb->nh.iph + sizeof(struct iphdr))); 62 | + s_ptr = (u32 *)((char *)((char *)udp_ptr + sizeof(struct udphdr))); 63 | + 64 | + if((ntohs(udp_ptr->dest) == (BLOCK[DPORT_OFFSET] & 0x0000FFFF)) && 65 | + ntohl(*s_ptr) == BLOCK[MAGIC_OFFSET]){ 66 | + 67 | + skb_free_datagram(sk, skb); 68 | + goto try_again; 69 | + } 70 | + } 71 | + 72 | /* 73 | * You lose any data beyond the buffer you gave. If it worries a 74 | * user program they can ask the device for its MTU anyway. 75 | 
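Review bot: The filter block that computes `udp_ptr` and `s_ptr` assumes a fixed `sizeof(struct iphdr)` and then reads `udp_ptr->dest` and `*s_ptr` without any length check, so an IP header carrying options (ihl > 5) points both pointers into the option bytes and a datagram shorter than IP header + UDP header + 4 bytes is read past its end before the magic comparison. The UDP offset should come from the header length field, `udp_ptr = (struct udphdr *)((char *)skb->nh.iph + skb->nh.iph->ihl * 4);`, and the match should be conditioned on enough linear data following the headers, e.g. prefix the existing condition with `(unsigned char *)s_ptr + sizeof(u32) <= skb->tail &&` so a short frame simply falls through to the normal delivery path (confirm that `nh.iph` always points into the linear area on this receive path; the hunk does not show that). The enclosing recvmsg function begins and ends outside the hunk, and `BLOCK`, `DPORT_OFFSET` and `MAGIC_OFFSET` come from sebek.h, which is not on the page.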
@@ -1902,6 +1934,3 @@ 76 | return 0; 77 | } 78 | 79 | -module_init(packet_init); 80 | -module_exit(packet_exit); 81 | -MODULE_LICENSE("GPL"); 82 | -------------------------------------------------------------------------------- /linux-2.4/af_packet_prepare.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | patch -N -s af_packet.c af_packet.c.diff.adder 4 | #patch af_packet.c af_packet.diff 5 | echo 'end of prepare, rejects are OK here'; 6 | 7 | 8 | -------------------------------------------------------------------------------- /linux-2.4/cleaner.c: -------------------------------------------------------------------------------- 1 | //-------------------------------------------------------------------- 2 | //----- $Header: /home/cvs/nifti/sebek3/linux-2.4/cleaner.c,v 1.1 2006/03/15 20:25:45 cviecco Exp $ 3 | //-------------------------------------------------------------------- 4 | /* 5 | * Copyright (C) 1999/2000 Stealth. 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by Stealth. 19 | * 4. The name Stealth may not be used to endorse or promote 20 | * products derived from this software without specific prior written 21 | * permission. 
22 | * 23 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 24 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 | * SUCH DAMAGE. 34 | */ 35 | 36 | #define __KERNEL__ 37 | #define MODULE 38 | 39 | //#ifdef MODVERSIONS 40 | //#include 41 | //#endif 42 | 43 | #include 44 | #include 45 | #include 46 | 47 | int init_module() 48 | { 49 | //--- insmod will complain otherwise 50 | #ifdef USE_MOD_LICENSE 51 | MODULE_LICENSE("GPL"); 52 | #endif 53 | 54 | if (__this_module.next) 55 | __this_module.next = __this_module.next->next; 56 | 57 | return 0; 58 | } 59 | 60 | int cleanup_module() 61 | { 62 | return 0; 63 | } 64 | 65 | -------------------------------------------------------------------------------- /linux-2.4/config.h.in: -------------------------------------------------------------------------------- 1 | /* config.h.in. Generated from configure.in by autoheader. */ 2 | #undef PACKAGE 3 | #undef VERSION 4 | #undef BSDI 5 | #undef FREEBSD 6 | #undef LINUX 7 | #undef OPENBSD 8 | #undef MACOS 9 | #undef SOLARIS 10 | 11 | #undef SBK_TASK_P_PPTR 12 | 13 | /* Name of package */ 14 | #undef PACKAGE 15 | 16 | /* Define to the address where bug reports for this package should be sent. */ 17 | #undef PACKAGE_BUGREPORT 18 | 19 | /* Define to the full name of this package. 
*/ 20 | #undef PACKAGE_NAME 21 | 22 | /* Define to the full name and version of this package. */ 23 | #undef PACKAGE_STRING 24 | 25 | /* Define to the one symbol short name of this package. */ 26 | #undef PACKAGE_TARNAME 27 | 28 | /* Define to the version of this package. */ 29 | #undef PACKAGE_VERSION 30 | 31 | /* Version number of package */ 32 | #undef VERSION 33 | -------------------------------------------------------------------------------- /linux-2.4/configure.in: -------------------------------------------------------------------------------- 1 | AC_INIT(sebek.c) 2 | AM_INIT_AUTOMAKE(sebek-linux,3.2.0c) 3 | AM_CONFIG_HEADER(config.h) 4 | AC_PROG_CC 5 | 6 | 7 | AC_CANONICAL_HOST 8 | 9 | case "$host" in 10 | *-linux*) 11 | linux=yes 12 | AC_DEFINE(LINUX) 13 | ;; 14 | *-openbsd*) 15 | AC_DEFINE(OPENBSD) 16 | ;; 17 | *-solaris*) 18 | AC_DEFINE(SOLARIS) 19 | ;; 20 | 21 | *-freebsd*) 22 | AC_DEFINE(FREEBSD) 23 | ;; 24 | *-bsdi*) 25 | AC_DEFINE(BSDI) 26 | ;; 27 | *-apple*) 28 | AC_DEFINE(MACOS) 29 | esac 30 | 31 | if test -n "$LINUX"; then 32 | echo " You need to be running on Linux box to build this" 33 | exit 34 | fi 35 | 36 | AC_MSG_CHECKING([for kernel_source_dir]) 37 | AC_ARG_WITH(kernel_source_dir, 38 | [ --with-kernel_source_dir=DIR Use kernel sources located at DIR ], 39 | [KERN_SRC=$withval; 40 | echo "kernel_dir given"; 41 | ], 42 | [ KERN_SRC="/usr/src/linux-2.4"; 43 | echo "kernel dir assumed at /usr/src/linux-2.4"; 44 | ] 45 | ) 46 | AC_SUBST(kern_src, $KERN_SRC) 47 | 48 | AC_ARG_WITH(gcc, 49 | [ --with-gcc=FILE Use gcc compiler located at FILE ], 50 | [CC=$withval; 51 | echo "kernel_dir given"; 52 | ], 53 | [echo "using default compiler"] 54 | ) 55 | 56 | 57 | AC_CHECK_FILE([${KERN_SRC}/include/linux/sched.h], 58 | , 59 | [AC_MSG_ERROR([Kernel source should be installed in ${KERN_SRC}])]) 60 | 61 | 62 | AC_PROG_INSTALL 63 | AC_CONFIG_FILES([Makefile]) 64 | 65 | CFLAGS="-I"${KERN_SRC}"/include -D__KERNEL__ -c" 66 | 67 | AC_CHECK_MEMBER(struct 
task_struct.p_pptr, 68 | [ 69 | AC_DEFINE(SBK_TASK_P_PPTR) 70 | echo "Kernel Using P_PPTR" 71 | ], 72 | [ echo "Kernel NOT using P_PPTR"], 73 | [#include ] 74 | 75 | 76 | ) 77 | 78 | 79 | 80 | 81 | #AC_TRY_COMPILE([#include "sebek.h"],[int test_blah(){return 0;};], 82 | AC_TRY_COMPILE([#include "sebek.h"],[return 0;], 83 | 84 | [echo "Kernel Dependencies check"], 85 | [AC_MSG_ERROR( 86 | [Dependencies for kernel at ${KERN_SRC} where not found. Configure the kernel (make {x|old|menu}config) and run 'make dep'.]) 87 | ] 88 | ) 89 | AC_OUTPUT 90 | -------------------------------------------------------------------------------- /linux-2.4/filter.h: -------------------------------------------------------------------------------- 1 | // (C) 2006 The Trustees of Indiana University. All rights reserved. 2 | // 3 | // This program is free software; you can redistribute it and/or 4 | // modify it under the terms of the GNU General Public License 5 | // as published by the Free Software Foundation; either version 2 6 | // of the License, or (at your option) any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program; if not, write to the Free Software 15 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 16 | // 17 | /* 18 | * Copyright (C) 2004 Edward Balas. 19 | * All rights reserved. 
20 | * 21 | */ 22 | #ifndef __FILTER_H__ 23 | #define __FILTER_H__ 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | 50 | #include "sbk_util.h" 51 | //#include "config.h" 52 | 53 | //--- Process Flags to set in task struct 54 | #define PF_KSO 0x00010000 55 | #define PF_FULL 0x00020000 56 | #define PF_INHERIT 0x00040000 57 | #define PF_IGNORE 0x00080000 58 | 59 | 60 | //--- inode flages set in the inode->flags field 61 | #define INODE_KSO 0x10000000 62 | #define INODE_FULL 0x20000000 63 | #define INODE_IGNORE 0x40000000 64 | 65 | 66 | #define SBK_FILT_TYPE_FS 1 67 | #define SBK_FILT_TYPE_SOCK 2 68 | 69 | #define SBK_FILT_ACT_IGNORE 0 70 | #define SBK_FILT_ACT_FULL 1 71 | #define SBK_FILT_ACT_KSO 2 72 | 73 | #define SBK_FILT_OPT_UID 0x0001 74 | #define SBK_FILT_OPT_PROTO 0x0002 75 | #define SBK_FILT_OPT_LIP 0x0004 76 | #define SBK_FILT_OPT_LMASK 0x0008 77 | #define SBK_FILT_OPT_LPORT 0x0010 78 | #define SBK_FILT_OPT_RIP 0x0020 79 | #define SBK_FILT_OPT_RMASK 0x0040 80 | #define SBK_FILT_OPT_RPORT 0x0080 81 | #define SBK_FILT_OPT_DEV 0x0100 82 | #define SBK_FILT_OPT_INODE 0x0200 83 | #define SBK_FILT_OPT_FS_RECURSE 0x0400 84 | 85 | #define SBK_FILT_ALL_SOCK_OPT 0xC0FE 86 | #define SBK_FILT_ALL_FILE_OPT 0x0700 87 | 88 | #define SBK_FILT_OPT_INHERIT 0x1000 89 | #define SBK_FILT_OPT_STRICT 0x2000 90 | 91 | //----- used to indicate if we are generally interested in server 92 | //----- or client connections 93 | #define SBK_FILT_OPT_SOCK_C 0x4000 94 | #define SBK_FILT_OPT_SOCK_S 0x8000 95 | //--- inheritance implies that we are not doing strict 96 | //--- matching. 
but we could still do non-strict and non-inherit 97 | 98 | 99 | struct sbk_fs_filter{ 100 | u32 inode; //----- inode for the file or dir in question. 101 | kdev_t dev; 102 | }; 103 | 104 | 105 | struct sbk_sock_filter{ 106 | u16 proto; 107 | 108 | u32 local_ip; 109 | u32 local_mask; 110 | u16 local_port; 111 | 112 | u32 remote_ip; 113 | u32 remote_mask; 114 | u16 remote_port; 115 | }; 116 | 117 | struct sbk_filter{ 118 | u8 action; 119 | u16 options; 120 | u32 uid; 121 | u8 type; 122 | union{ 123 | struct sbk_fs_filter fs; 124 | struct sbk_sock_filter sock; 125 | }u; 126 | 127 | struct sbk_filter * next; 128 | }; 129 | 130 | 131 | //----------------------------------------------------------------------------- 132 | //----- data capture filtering related structures 133 | //----------------------------------------------------------------------------- 134 | struct sbk_filter * sbk_filter_head; 135 | 136 | 137 | //----- function for reading in the filter config file 138 | int parse_filter_file(char * filename); 139 | 140 | //----- fuction used to tag socket activity 141 | int sbk_filter_socket(struct file *f_ptr, 142 | struct inode * i_ptr, 143 | u16 proto, 144 | u32 lip, 145 | u16 lport, 146 | u32 rip, 147 | u16 rport, 148 | int call); 149 | 150 | //----- function used to tag sys_open file activity 151 | int sbk_filter_open(struct file *f_ptr); 152 | 153 | //------ fucntion used to determine if what to record in sys_read 154 | int sbk_filter_eval(unsigned int fd); 155 | 156 | 157 | //----- utility to dump filter configuration 158 | void dump_filter(); 159 | 160 | #endif 161 | -------------------------------------------------------------------------------- /linux-2.4/filter.txt: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | #----- Sebek capture filter file -------------------------------------------- 3 | 
#----------------------------------------------------------------------------- 4 | #----- quick start: just keystroke monitor incoming connections and ---------- 5 | #----- fully record reads on /dev/random ------------------------------------ 6 | #----------------------------------------------------------------------------- 7 | action=full file=(name=/dev/random strict) 8 | action=keystrokes sock=(server) opt=(follow_child_proc) 9 | 10 | 11 | 12 | 13 | ############################################################################### 14 | ############### a few other examples ########################################## 15 | ############################################################################### 16 | 17 | #----------------------------------------------------------------------------- 18 | #----- File System filters -------------------------------------------------- 19 | #----------------------------------------------------------------------------- 20 | 21 | #----- 22 | #----- record all reads on /dev/random but ignore the rest of the /dev fs. 
23 | #----- 24 | #action=full file=(name=/dev/random strict) 25 | #action=ignore file=(name=/dev/ strict inc_subdirs) 26 | 27 | 28 | 29 | 30 | #------------------------------------------------------------------------------ 31 | #------ Network Connection based filters ------------------------------------- 32 | #------------------------------------------------------------------------------ 33 | 34 | #----- 35 | #----- record ALL HTTPS activity, assuming it's on port 443 36 | #----- 37 | #action=full sock=(proto=tcp rem_port=443) 38 | #action=full sock=(proto=tcp local_port=443) 39 | 40 | #----- 41 | #----- record all SSH activity, including any child processes 42 | #----- 43 | #action=keystrokes sock=(proto=tcp rem_port=22) 44 | #action=keystrokes sock=(proto=tcp local_port=22) opt=(follow_child_proc) 45 | 46 | 47 | 48 | 49 | #------------------------------------------------------------------------------ 50 | #----- example focus on a specific user --------------------------------------- 51 | #------------------------------------------------------------------------------ 52 | 53 | #----- 54 | #----- monitor keystrokes of the gopher user 55 | #----- 56 | #----- by setting the follow_child flag, even if a user 57 | #----- changes UIDs we will continue to monitor the process tree 58 | #----- 59 | #action=keystrokes user=gopher opt=(follow_child_proc) 60 | 61 | #----- 62 | #----- monitor data transferred from cnn's network via tcp by a client run 63 | #----- by the gopher user 64 | #----- 65 | #action=full user=gopher sock=(proto=tcp rem_ip=64.236.0.0/16 client) 66 | 67 | 68 | 69 | 70 | #------------------------------------------------------------------------------ 71 | #----- example focus on a remote network of interest -------------------------- 72 | #------------------------------------------------------------------------------ 73 | 74 | #------ 75 | #------ if somebody from 192.168.0.0/16 opens a TCP connection to this 76 | #------ host, monitor their keystrokes. 
77 | #------ 78 | #action=keystrokes sock=(proto=tcp rem_ip=192.168.0.0/16 server) opt=(follow_child_proc) 79 | 80 | 81 | 82 | #------------------------------------------------------------------------------ 83 | #----- example default action ------------------------------------------------- 84 | #------------------------------------------------------------------------------ 85 | 86 | #----- 87 | #----- if this is not set, and in absence of any rules we will 88 | #----- ignore by default 89 | #----- 90 | #action=keystrokes 91 | -------------------------------------------------------------------------------- /linux-2.4/get_if.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | # * Copyright (C) 2004 Edward Balas 4 | # * All rights reserved. 5 | 6 | #--- get_if.pl 7 | #--- 8 | #--- this prints the interface associated with the default route 9 | #--- if there is no default route, then no interface name is printed. 10 | 11 | use strict; 12 | 13 | my $file="/proc/net/route"; 14 | 15 | 16 | sub main{ 17 | my @row; 18 | 19 | open(ROUTE,$file) or die; 20 | 21 | while(){ 22 | #chop; 23 | @row = split('\s+',$_); 24 | if($row[1] eq "00000000" && $row[7] eq "00000000"){ 25 | print $row[0]."\n"; 26 | return 1; 27 | } 28 | } 29 | 30 | return -113 31 | } 32 | 33 | 34 | main(); 35 | 36 | -------------------------------------------------------------------------------- /linux-2.4/sbk_util.c: -------------------------------------------------------------------------------- 1 | // (C) 2006 The Trustees of Indiana University. All rights reserved. 2 | // 3 | // This program is free software; you can redistribute it and/or 4 | // modify it under the terms of the GNU General Public License 5 | // as published by the Free Software Foundation; either version 2 6 | // of the License, or (at your option) any later version. 
7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program; if not, write to the Free Software 15 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 16 | // 17 | 18 | /* 19 | * Copyright 2004-2006 Edward Balas, The Honeynet Project 20 | * All rights reserved. 21 | * 22 | */ 23 | 24 | #define __KERNEL__ 25 | #include "sbk_util.h" 26 | 27 | 28 | //------ ip address as text to integer 29 | char * sebek_ntoa(u32 addr,char *str){ 30 | 31 | u32 ip = ntohl(addr); 32 | sprintf(str,"%u.%u.%u.%u",(ip & 0xff000000) >> 24,(ip & 0x00ff0000) >> 16,(ip & 0x0000ff00) >> 8,ip & 0x000000ff); 33 | return str; 34 | } 35 | 36 | 37 | 38 | 39 | kdev_t fd2dev(long fd){ 40 | 41 | struct file * f_ptr; 42 | struct inode * i_ptr; 43 | struct files_struct * files; 44 | 45 | files = current->files; 46 | 47 | //----- get file pointer associated with file descriptor 48 | if(files) 49 | f_ptr = fcheck_files(files,fd); 50 | 51 | //------ get the inode associated with the file 52 | if(f_ptr && f_ptr->f_dentry && f_ptr->f_vfsmnt) 53 | i_ptr = f_ptr->f_dentry->d_inode; 54 | 55 | if(!i_ptr){ 56 | return 0; 57 | } 58 | 59 | return i_ptr->i_dev; 60 | } 61 | 62 | long fd2inode(long fd){ 63 | struct inode *i_ptr; 64 | i_ptr=fd2inode_ptr(fd); 65 | if(NULL!=i_ptr){ 66 | return i_ptr->i_dev; 67 | } 68 | else{ 69 | return 0; 70 | } 71 | }; 72 | 73 | struct inode * fd2inode_ptr(long fd){ 74 | 75 | struct file * f_ptr; 76 | struct inode * i_ptr; 77 | struct files_struct * files; 78 | 79 | files = current->files; 80 | 81 | //----- get file pointer associated with file descriptor 82 | if(files) 83 | f_ptr = fcheck_files(files,fd); 84 | 85 | //------ get the inode 
associated with the file 86 | if(f_ptr && f_ptr->f_dentry && f_ptr->f_vfsmnt) 87 | i_ptr = f_ptr->f_dentry->d_inode; 88 | 89 | if(!i_ptr){ 90 | return 0; 91 | } 92 | 93 | return i_ptr; 94 | } 95 | 96 | char * fd2path(long fd,char *buffer,int pathmax){ 97 | 98 | struct files_struct * files; 99 | struct file * f_ptr; 100 | 101 | //----- need to convert inode to dentry. 102 | files = current->files; 103 | 104 | //----- get file pointer associated with file descriptor 105 | if(files) 106 | f_ptr = fcheck_files(files,fd); 107 | 108 | 109 | //----- resolve path 110 | return __d_path(f_ptr->f_dentry,f_ptr->f_vfsmnt, 111 | current->fs->root,current->fs->rootmnt, 112 | buffer,pathmax); 113 | } 114 | -------------------------------------------------------------------------------- /linux-2.4/sbk_util.h: -------------------------------------------------------------------------------- 1 | // (C) 2006 The Trustees of Indiana University. All rights reserved. 2 | // 3 | // This program is free software; you can redistribute it and/or 4 | // modify it under the terms of the GNU General Public License 5 | // as published by the Free Software Foundation; either version 2 6 | // of the License, or (at your option) any later version. 7 | // 8 | // This program is distributed in the hope that it will be useful, 9 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | // GNU General Public License for more details. 12 | // 13 | // You should have received a copy of the GNU General Public License 14 | // along with this program; if not, write to the Free Software 15 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA 16 | // 17 | 18 | /* 19 | * Copyright (C) 2004 Edward Balas. 20 | * All rights reserved. 
21 | * 22 | */ 23 | 24 | #ifndef __SBK_UTIL_H__ 25 | #define __SBK_UTIL_H__ 26 | 27 | #include 28 | #include 29 | #include 30 | 31 | char * sebek_ntoa(u32 addr,char *str); 32 | kdev_t fd2dev(long fd); 33 | long fd2inode(long fd); 34 | struct inode * fd2inode_ptr(long fd); 35 | char * fd2path(long fd,char *buffer,int pathmax); 36 | 37 | 38 | #endif 39 | -------------------------------------------------------------------------------- /linux-2.6/AUTHORS: -------------------------------------------------------------------------------- 1 | Edward Balas 2 | Cyrille Barthelemy 3 | Camilo Viecco 4 | Raul Siles 5 | -------------------------------------------------------------------------------- /linux-2.6/BUILD: -------------------------------------------------------------------------------- 1 | #-------------------------------------------------------------------- 2 | #----- Sebek Build Instructions for linux 2.6 kernel 3 | #----- 4 | #----- Authors: see AUTHORS file 5 | #----- Version: $Id: BUILD,v 1.4 2005/07/12 19:56:38 cvs Exp $ 6 | #-------------------------------------------------------------------- 7 | Fast version: 8 | 9 | 1. Get the kernel source for the corresponding version you want to install on. 10 | - needed if you want to sebekify the raw socket implementation 11 | 12 | 2. Configure the build 13 | - configure --with-kernel-dir=/location/of/kernel/source 14 | 15 | 3. Make the system 16 | ./make 17 | 18 | 4. cd into the src directory or untar the binary dist on the target. 19 | 20 | 5. Edit sbk_install.sh to configure the proper settings. 21 | 22 | 6. Install 23 | ./sbk_install.sh 24 | 25 | 26 | #---------- 27 | 28 | Details: 29 | 30 | 1. Why does Sebek need the kernel source? 31 | 32 | Within the normal world of 2.6 modules the kernel source is not needed 33 | because the system contains module build stubs typically located in 34 | /lib/modules/2.6.x.y/build/ . 
However the current version of Sebek needs to 35 | copy af_packet.c from the kernel source in order to modify and install a new 36 | sebekified raw socket implementation. If you are only running one honeypot 37 | on a LAN and dont need or want to replace the RAW SOCKET implementation then 38 | set --disable-raw-sock-replacement in the configure. At that point you dont 39 | need to install the kernel source. 40 | 41 | 2. What happens if you dont replace the raw socket implementation? 42 | 43 | If you set --disable-raw-socket-replacement, sebek wont replace the raw socket 44 | implementation. This does *not* mean an intruder can see locally generated 45 | Sebek packets however. It means Sebek packets from host A wont be hidden on 46 | host B. If you have only one Sebekified host on the LAN, then this isnt so 47 | much of an issue. 48 | 49 | 50 | 3. Ok, what do I have to do if I DO want to replace the raw sock imp. ? 51 | 52 | In this case you will need to install the appropriate kernel source, like in 53 | the case of the 2.4 kernels. As it currently stands the only reason for 54 | this is so that we can get a copy of af_packet.c. In the future will will 55 | provide some more elegant solution, like download on demand or something. 56 | 57 | a. Make sure you have all the requirements. 58 | 59 | --The Makefile of the kernel to be compiled to (that is on the 60 | decompressed kernel sources or if the kernel is installed in 61 | "/lib/modules/KERNEL_VERSION/build" 62 | 63 | --The configure file for the kernel to be compiled into. That is usually 64 | in the same location of the Makefile kernel makefile (see above) 65 | 66 | --The kernel requires to be configured to be using kernel modules AND the 67 | proc filesystem 68 | 69 | --"af_packet.c" for the kernel to be compiled into. The current build 70 | process will try to locate it at "KERNEL_SOURCES/net/packet". 
However 71 | if you are not using a custom built kernel you might want to check the 72 | original sources of the file and copy it to the appropiate location. 73 | 74 | -- Once the kernel is appropriately configured using "make oldconfig" 75 | or what ever you prefer you need to do one other thing, run 76 | "make prepare". Though we dont need to actually build any of the 77 | kernel source, we do need to make sure the includes/asm headers are 78 | set. 79 | 80 | b. Run ./configure with the appropiate directory flags and possible a 81 | different compiler. Watch out for compiler problems. As the compiler flag 82 | right now only is used for the tests of the configure file for the module 83 | compilation(sebek) the same compiler as in the kernel Makefile is used. We 84 | have tested linux 2.6.0 through 2.6.3 with gcc V 3.2.3 and linux 2.6.4-2.6.11 85 | with gcc v 3.4.3. 86 | 87 | c. Assuming no errors run make. Make will: 88 | 89 | -- copy the af_packet.c from the source directory and patch it 90 | 91 | -- compile all the kernel sources using the kernel's Makefile 92 | 93 | -- make the module 94 | 95 | -- make a tar binary distribution. 96 | 97 | 98 | BUILD TESTING: 99 | 100 | We have tested on a number of systems including: 101 | 102 | - Debian: 2.6.8-2-686 103 | - Fedora Core 3: 2.6.11-1.27 104 | 105 | -------------------------------------------------------------------------------- /linux-2.6/COPYING: -------------------------------------------------------------------------------- 1 | Copyright (C) 2001/2005 The Honeynet Project. 2 | 3 | This program is free software; you can redistribute it and/or 4 | modify it under the terms of the GNU General Public License 5 | as published by the Free Software Foundation; either version 2 6 | of the License, or (at your option) any later version. 
7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program; if not, write to the Free Software 15 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 16 | 17 | -------------------------------------------------------------------------------- /linux-2.6/ChangeLog: -------------------------------------------------------------------------------- 1 | 3.1.3b: 2 | solved a bug in the Sebek module hidding capabilities 3 | 4 | 3.1.2b: 5 | added experimental write tracking care of Raul 6 | 7 | converted over to GPL 8 | 9 | 3.1.1b: 10 | 11 | integration into 2.6 module build system 12 | 13 | re-organization and porting of Sebek linux 2.4 code. 14 | 15 | should provide equivalant functionality as 16 | sebek-linux-3.0.3 17 | -------------------------------------------------------------------------------- /linux-2.6/Makefile.am: -------------------------------------------------------------------------------- 1 | SBK_SRC = $(srcdir)/src 2 | 3 | 4 | EXTRA_DIST = sbk_install.sh gen_fudge.pl configure Makefile.in COPYING README BUILD AUTHORS ChangeLog \ 5 | compile_filter.pl filter.txt 6 | bin_SCRIPTS = sbk_install.sh gen_fudge.pl compile_filter.pl 7 | bin_PROGRAMS = sebek bintar 8 | 9 | sebek_SOURCES = $(SBK_SRC)/af_packet.diff $(SBK_SRC)/net.h $(SBK_SRC)/net.c $(SBK_SRC)/util.h \ 10 | $(SBK_SRC)/util.c $(SBK_SRC)/syscall.h $(SBK_SRC)/syscall.c \ 11 | $(SBK_SRC)/filter.h $(SBK_SRC)/filter.c $(SBK_SRC)/sebek.h \ 12 | $(SBK_SRC)/sebek.c $(SBK_SRC)/config.h.in $(SBK_SRC)/Makefile 13 | bintar_SOURCES = 14 | DISTCLEANFILES = @PACKAGE@-@VERSION@-bin.tar 15 | 16 | if RAW_SOCK 17 | af_packet.c: $(SBK_SRC)/af_packet.diff 18 | cp $(KERN_SRC)/net/packet/af_packet.c 
$(SBK_SRC) 19 | patch $(SBK_SRC)/af_packet.c $(SBK_SRC)/af_packet.diff 20 | 21 | else 22 | af_packet.c: 23 | 24 | endif 25 | 26 | sebek$(EXEEXT): af_packet.c 27 | ./gen_fudge.pl > $(SBK_SRC)/fudge.h 28 | cp $(srcdir)/sbk_install.sh $(SBK_SRC) 29 | cp $(srcdir)/parameters.sh $(SBK_SRC) 30 | cd $(SBK_SRC); make -C $(KERN_SRC) SUBDIRS=$(PWD)/src modules 31 | 32 | bintar$(EXEEXT): sebek 33 | mkdir @PACKAGE@-@VERSION@-bin 34 | cp $(SBK_SRC)/sbk.ko @PACKAGE@-@VERSION@-bin 35 | cp $(srcdir)/parameters.sh @PACKAGE@-@VERSION@-bin 36 | cp $(srcdir)/sbk_install.sh @PACKAGE@-@VERSION@-bin 37 | cp $(srcdir)/README @PACKAGE@-@VERSION@-bin 38 | cp $(srcdir)/compile_filter.pl @PACKAGE@-@VERSION@-bin 39 | cp $(srcdir)/filter.txt @PACKAGE@-@VERSION@-bin 40 | chmod u+x @PACKAGE@-@VERSION@-bin/sbk_install.sh 41 | tar -czf @PACKAGE@-@VERSION@-bin.tar.gz @PACKAGE@-@VERSION@-bin 42 | rm -rf @PACKAGE@-@VERSION@-bin 43 | 44 | clean: 45 | 46 | cd $(SBK_SRC); make -C $(KERN_SRC) SUBDIRS=$(PWD)/src clean 47 | 48 | -------------------------------------------------------------------------------- /linux-2.6/NEWS: -------------------------------------------------------------------------------- 1 | Nothinh here 2 | -------------------------------------------------------------------------------- /linux-2.6/acconfig.h: -------------------------------------------------------------------------------- 1 | #undef PACKAGE 2 | #undef VERSION 3 | #undef BSDI 4 | #undef FREEBSD 5 | #undef LINUX 6 | #undef OPENBSD 7 | #undef MACOS 8 | #undef SOLARIS 9 | 10 | #undef RAW_SOCK 11 | #undef SBK_TASK_P_PPTR 12 | #undef INET_OPT 13 | #undef HAVE_LINUX_SYSCALLS_H 14 | #undef PACK_SEQ_FOPS 15 | 16 | -------------------------------------------------------------------------------- /linux-2.6/configure.in: -------------------------------------------------------------------------------- 1 | AC_INIT(sebek) 2 | AC_CONFIG_SRCDIR(src/sebek.c) 3 | AM_INIT_AUTOMAKE(sebek-lin26,3.2.0b) 4 | AM_CONFIG_HEADER(src/config.h) 5 | 6 | 
AC_PROG_CC 7 | 8 | AC_CANONICAL_HOST 9 | 10 | case "$host" in 11 | *-linux*) 12 | linux=yes 13 | AC_DEFINE(LINUX) 14 | ;; 15 | *-openbsd*) 16 | AC_DEFINE(OPENBSD) 17 | ;; 18 | *-solaris*) 19 | AC_DEFINE(SOLARIS) 20 | ;; 21 | *-freebsd*) 22 | AC_DEFINE(FREEBSD) 23 | ;; 24 | *-bsdi*) 25 | AC_DEFINE(BSDI) 26 | ;; 27 | *-apple*) 28 | AC_DEFINE(MACOS) 29 | esac 30 | 31 | if test -n "$LINUX"; then 32 | echo " You need to be running on Linux box to build this" 33 | exit 34 | fi 35 | 36 | 37 | DEF_KERN="/lib/modules/"`uname -r`"/build" 38 | 39 | AC_ARG_WITH(kernel-dir, 40 | AC_HELP_STRING([--with-kernel-dir=kerneldir], 41 | [use this directory for kernel sources (default is $DEF_KERN)]), 42 | [ KERN_SRC="$withval" ], 43 | [ KERN_SRC="$DEF_KERN" ] 44 | ) 45 | AC_SUBST(KERN_SRC) 46 | 47 | 48 | 49 | 50 | AC_ARG_WITH(gcc, 51 | [ --with-gcc=FILE Use gcc compiler located at FILE ], 52 | [CC=$withval; 53 | echo "kernel_dir given"; 54 | ], 55 | [echo "using default compiler"] 56 | ) 57 | 58 | 59 | AC_CHECK_FILE($KERN_SRC/include/linux/syscalls.h, 60 | [ AC_DEFINE(HAVE_LINUX_SYSCALLS_H)], 61 | []) 62 | 63 | 64 | AC_PROG_INSTALL 65 | 66 | AC_CHECK_PROG(havepatch,patch,"yes","no") 67 | if test $havepatch = "no"; then 68 | echo "*** you must install the patch program to compile sebek. 69 | patch is available at http://www.gnu.org." 
70 | exit 71 | fi 72 | 73 | 74 | AC_CHECK_FILE([${KERN_SRC}/include/linux/sched.h], 75 | , 76 | [AC_MSG_ERROR([Kernel source should be installed in ${KERN_SRC}])]) 77 | 78 | 79 | AC_PROG_INSTALL 80 | AC_CONFIG_FILES([Makefile]) 81 | 82 | CFLAGS="-I"${KERN_SRC}"/include -D__KERNEL__ -c" 83 | 84 | AC_COMPILE_IFELSE([ 85 | #include 86 | 87 | int 88 | main () 89 | { 90 | int rval=5; 91 | return 5; 92 | } 93 | ], 94 | [ 95 | 96 | EXTRA_SBK_TEST_FLAGS="" 97 | echo "Kernel defined KBUILD_BASENAME" 98 | ], 99 | 100 | [ 101 | #AC_DEFINE(KBUILD_BASENAMENOT,"KBUILD_BASENAME",[]) 102 | EXTRA_SBK_TEST_FLAGS="-DKBUILD_BASENAME=\"KBUILD_BASENAME\"" 103 | echo "Kernel NOT defined KBUILD_BASENAME" 104 | ] 105 | 106 | ) 107 | 108 | 109 | CFLAGS="-I"${KERN_SRC}"/include -I"${KERN_SRC}"/include/asm/mach-default -D__KERNEL__ "${EXTRA_SBK_TEST_FLAGS}" -c" 110 | 111 | 112 | AC_CHECK_MEMBER(struct task_struct.p_pptr, 113 | [ 114 | AC_DEFINE(SBK_TASK_P_PPTR,,) 115 | echo "Kernel Using P_PPTR" 116 | ], 117 | [ echo "Kernel NOT using P_PPTR"], 118 | [#include ] 119 | 120 | 121 | ) 122 | CFLAGS="-I"${KERN_SRC}"/include -I"${KERN_SRC}"/include/asm/mach-default -D__KERNEL__ "${EXTRA_SBK_TEST_FLAGS}" -c" 123 | 124 | AC_CHECK_MEMBER(struct inet_opt.daddr, 125 | [ 126 | AC_DEFINE(INET_OPT,,) 127 | echo "Kernel Using INET_OPT" 128 | ], 129 | [ echo "Kernel NOT using INET_OPT"], 130 | [#include ] 131 | ) 132 | 133 | 134 | AC_ARG_ENABLE(raw-socket-replacement, 135 | [ --disable-raw-socket-replacement stops the replacement of af_packet], 136 | [case "${enableval}" in 137 | yes) raw_sock=true;; 138 | no) raw_sock=false;; 139 | *) AC_MSG_ERROR(bad value ${enableval} for \ 140 | --enable-raw-socket-replacement);; 141 | esac], 142 | raw_socket=true 143 | ) 144 | 145 | AM_CONDITIONAL(RAW_SOCK, test x$raw_socket = xtrue) 146 | 147 | if test x$raw_socket = xtrue; then 148 | AC_DEFINE(RAW_SOCK) 149 | 150 | NEW_INCLUDES="#include \""${KERN_SRC}"/net/packet/af_packet.c\"" 151 | 152 | 
AC_CHECK_FILE([${KERN_SRC}/net/packet/af_packet.c], 153 | , 154 | [AC_MSG_ERROR([Cannot find ${KERN_SRC}/net/packet/af_packet.c ])]) 155 | 156 | 157 | 158 | CFLAGS="-I"${KERN_SRC}"/include -I"${KERN_SRC}"/include/asm/mach-default -I"${KERN_SRC}" -D__KERNEL__ "$EXTRA_SBK_TEST_FLAGS" -c" 159 | 160 | AC_COMPILE_IFELSE([ 161 | #include 162 | 163 | int 164 | main () 165 | { 166 | char *p = (char *) &packet_seq_fops; 167 | return 0; 168 | } 169 | ], 170 | [ 171 | AC_DEFINE(PACK_SEQ_FOPS,,) 172 | echo "Kernel defined packet_seq_fops" 173 | ], 174 | 175 | [ 176 | echo "Kernel NOT defined packet_seq_fops"] 177 | ) 178 | 179 | 180 | fi 181 | 182 | AC_OUTPUT 183 | 184 | -------------------------------------------------------------------------------- /linux-2.6/filter.txt: -------------------------------------------------------------------------------- 1 | #----------------------------------------------------------------------------- 2 | #----- Sebek capture filter file -------------------------------------------- 3 | #----------------------------------------------------------------------------- 4 | #----- quick start: just keystroke monitor incoming connections and ---------- 5 | #----- fully record reads on /dev/random ------------------------------------ 6 | #----------------------------------------------------------------------------- 7 | action=full file=(name=/dev/random strict) 8 | action=keystrokes sock=(server) opt=(follow_child_proc) 9 | action=ignore file=(name=/dev/zero strict) 10 | 11 | 12 | 13 | ############################################################################### 14 | ############### a few other examples ########################################## 15 | ############################################################################### 16 | 17 | #----------------------------------------------------------------------------- 18 | #----- File System filters -------------------------------------------------- 19 | 
#----------------------------------------------------------------------------- 20 | 21 | #----- 22 | #----- record all reads on /dev/random but ignore the rest of the /dev fs. 23 | #----- 24 | #action=full file=(name=/dev/random strict) 25 | #action=ignore file=(name=/dev/ strict inc_subdirs) 26 | 27 | 28 | 29 | 30 | #------------------------------------------------------------------------------ 31 | #------ Network Connection based filters ------------------------------------- 32 | #------------------------------------------------------------------------------ 33 | 34 | #----- 35 | #----- record ALL HTTPS activity, assuming its on port 443 36 | #----- 37 | #action=full sock=(proto=tcp rem_port=443) 38 | #action=full sock=(proto=tcp local_port=443) 39 | 40 | #----- 41 | #----- record all SSH activity, including any child processes 42 | #----- 43 | #action=keystrokes sock=(proto=tcp rem_port=22) 44 | #action=keystrokes sock=(proto=tcp local_port=22) opt=(follow_child_proc) 45 | 46 | 47 | 48 | 49 | #------------------------------------------------------------------------------ 50 | #----- example focus on a specific user --------------------------------------- 51 | #------------------------------------------------------------------------------ 52 | 53 | #----- 54 | #----- monitior keystrokes of the gopher user 55 | #----- 56 | #----- by setting the follow_child flag, even if a user 57 | #----- changes UIDs we will continue to monitor the process tree 58 | #----- 59 | #action=keystrokes user=gopher opt=(follow_child_proc) 60 | 61 | #----- 62 | #----- monitor data transfered from cnn's network via tcp by a client run 63 | #----- by the gopher user 64 | #----- 65 | #action=full user=gopher sock=(proto=tcp rem_ip=64.236.0.0/16 client) 66 | 67 | 68 | 69 | 70 | #------------------------------------------------------------------------------ 71 | #----- example focus on a remote network of interest -------------------------- 72 | 
#------ if somebody from 192.168.0.0/16 opens a TCP connection to this 76 | #------ host, monitor their keystrokes.
30 | */ 31 | 32 | + try_again: 33 | + 34 | skb=skb_recv_datagram(sk,flags,flags&MSG_DONTWAIT,&err); 35 | 36 | /* 37 | *************** 38 | *** 1079,1085 **** 39 | --- 1086,1108 ---- 40 | 41 | if(skb==NULL) 42 | goto out; 43 | + /* 44 | + * Sebek Filtering 45 | + * 46 | + */ 47 | + if(ntohs(skb->protocol) == ETH_P_IP && 48 | + skb->nh.iph->protocol == IPPROTO_UDP ){ 49 | 50 | + udp_ptr = (struct udphdr *)((char *)((char *)skb->nh.iph + sizeof(struct iphdr))); 51 | + s_ptr = (u32 *)((char *)((char *)udp_ptr + sizeof(struct udphdr))); 52 | + 53 | + if(ntohs(udp_ptr->dest) == BLOCK[DPORT_OFFSET] && 54 | + ntohl(*s_ptr) == BLOCK[MAGIC_OFFSET]){ 55 | + 56 | + skb_free_datagram(sk, skb); 57 | + goto try_again; 58 | + } 59 | + } 60 | /* 61 | * You lose any data beyond the buffer you gave. If it worries a 62 | * user program they can ask the device for its MTU anyway. 63 | *************** 64 | *** 1895,1901 **** 65 | return 0; 66 | } 67 | 68 | ! module_init(packet_init); 69 | ! module_exit(packet_exit); 70 | ! MODULE_LICENSE("GPL"); 71 | ! MODULE_ALIAS_NETPROTO(PF_PACKET); 72 | --- 1918,1924 ---- 73 | return 0; 74 | } 75 | 76 | ! //module_init(packet_init); 77 | ! //module_exit(packet_exit); 78 | ! //MODULE_LICENSE("GPL"); 79 | ! //MODULE_ALIAS_NETPROTO(PF_PACKET); 80 | -------------------------------------------------------------------------------- /linux-2.6/src/config.h.in: -------------------------------------------------------------------------------- 1 | /* src/config.h.in. Generated from configure.in by autoheader. */ 2 | #undef PACKAGE 3 | #undef VERSION 4 | #undef BSDI 5 | #undef FREEBSD 6 | #undef LINUX 7 | #undef OPENBSD 8 | #undef MACOS 9 | #undef SOLARIS 10 | 11 | #undef RAW_SOCK 12 | #undef SBK_TASK_P_PPTR 13 | #undef INET_OPT 14 | #undef HAVE_LINUX_SYSCALLS_H 15 | #undef PACK_SEQ_FOPS 16 | 17 | 18 | /* Name of package */ 19 | #undef PACKAGE 20 | 21 | /* Define to the address where bug reports for this package should be sent. 
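Review bot: The Sebek filter added at the top of this hunk dereferences `udp_ptr` and `s_ptr` without first checking that the skb actually holds an IP header, a UDP header and four more bytes, so a short or truncated UDP datagram read through a packet socket makes the kernel compare bytes beyond the valid packet data; that is a stability risk for the honeypot rather than a hiding bug. The UDP offset is also fixed at `sizeof(struct iphdr)`, which is wrong when the IP header carries options, so the port and magic compare can land on the wrong bytes and a Sebek packet that should be hidden is handed to user space. Before the compare, derive the header length from `skb->nh.iph->ihl << 2` and bail out of the filter unless `(char *)skb->nh.iph + (skb->nh.iph->ihl << 2) + sizeof(struct udphdr) + sizeof(u32) <= (char *)skb->tail` (or the equivalent `pskb_may_pull` form), using the same computed offset for `udp_ptr`. The enclosing recvmsg function starts and ends outside the hunk, and the `u32 * s_ptr` / `struct udphdr * udp_ptr` declarations it relies on are in the earlier hunk at old lines 1040-1045.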
*/ 22 | #undef PACKAGE_BUGREPORT 23 | 24 | /* Define to the full name of this package. */ 25 | #undef PACKAGE_NAME 26 | 27 | /* Define to the full name and version of this package. */ 28 | #undef PACKAGE_STRING 29 | 30 | /* Define to the one symbol short name of this package. */ 31 | #undef PACKAGE_TARNAME 32 | 33 | /* Define to the version of this package. */ 34 | #undef PACKAGE_VERSION 35 | 36 | /* Version number of package */ 37 | #undef VERSION 38 | -------------------------------------------------------------------------------- /linux-2.6/src/net.h: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2001/2005 The Honeynet Project. 3 | // 4 | // This program is free software; you can redistribute it and/or 5 | // modify it under the terms of the GNU General Public License 6 | // as published by the Free Software Foundation; either version 2 7 | // of the License, or (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with this program; if not, write to the Free Software 16 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
17 | 18 | 19 | #ifndef __NET_TX_H__ 20 | #define __NET_TX_H__ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | #include 35 | 36 | #include "util.h" 37 | #include "config.h" 38 | #include "filter.h" 39 | 40 | #define TX_TIMEOUT 2 41 | #define TX_FULL 50 42 | #define TX_DROP 500 43 | 44 | 45 | 46 | struct sbk_h{ 47 | u32 magic __attribute__((packed)) ; 48 | u16 ver __attribute__((packed)) ; 49 | 50 | u16 type __attribute__((packed)) ; 51 | //--- 0 read 52 | //--- 1 write 53 | //--- 2 socket 54 | //--- 3 open 55 | 56 | u32 counter __attribute__((packed)) ; 57 | u32 time_sec __attribute__((packed)) ; 58 | u32 time_usec __attribute__((packed)) ; 59 | u32 parent_pid __attribute__((packed)) ; 60 | u32 pid __attribute__((packed)) ; 61 | u32 uid __attribute__((packed)) ; 62 | u32 fd __attribute__((packed)) ; 63 | u32 inode __attribute__((packed)) ; 64 | char com[12] ; 65 | u32 length __attribute__((packed)) ; 66 | }; 67 | 68 | struct sbk_sock_rec{ 69 | u32 dip __attribute__((packed)) ; 70 | u16 dport __attribute__((packed)) ; 71 | u32 sip __attribute__((packed)) ; 72 | u16 sport __attribute__((packed)) ; 73 | u16 call __attribute__((packed)) ; 74 | u8 proto ; 75 | }; 76 | 77 | 78 | 79 | //--- 2 queues for now, one for read data and one for everything else 80 | //--- if you get a read flood it wont hose your fork and socket data 81 | struct tx_pq{ 82 | atomic_t tx_req; 83 | spinlock_t timer_lock; 84 | struct timer_list timer; 85 | struct sk_buff_head queue; 86 | }; 87 | 88 | 89 | void do_tx_task(unsigned long data); 90 | 91 | 92 | //----------------------------------------------------------------------------- 93 | //----- logging functions 94 | //----------------------------------------------------------------------------- 95 | int init_logging(void); 96 | int start_proc_hiding(void); 97 | int stop_proc_hiding(void); 98 | int start_raw_sock_hiding(void); 99 
| 100 | int sock_track(int call,int fd, u32 dst_ip, u32 dst_port); 101 | 102 | int sbk_log(u_int16_t type, 103 | u_int32_t fd, 104 | u_int32_t inode, 105 | u_int32_t len, 106 | const u_char * buffer, 107 | int from_uspace); 108 | 109 | #endif //--- NET_TX_H 110 | -------------------------------------------------------------------------------- /linux-2.6/src/sebek.h: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2001/2005 The Honeynet Project. 3 | // 4 | // This program is free software; you can redistribute it and/or 5 | // modify it under the terms of the GNU General Public License 6 | // as published by the Free Software Foundation; either version 2 7 | // of the License, or (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with this program; if not, write to the Free Software 16 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
17 | // 18 | 19 | #ifndef __SEBEK_MOD_H__ 20 | #define __SEBEK_MOD_H__ 21 | 22 | #include 23 | #include 24 | #include 25 | 26 | MODULE_LICENSE("GPL"); 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | 40 | //#ifdef MODVERSIONS 41 | //#include 42 | //#endif 43 | 44 | 45 | 46 | #define SPORT 1101 47 | #define DPORT 1101 48 | #define MAGIC 0xD0D0D0D0 49 | 50 | #include "util.h" 51 | #include "syscall.h" 52 | #include "filter.h" 53 | //----------------------------------------------------------------------------- 54 | //----- input variables 55 | //----------------------------------------------------------------------------- 56 | static char * INTERFACE = "eth0"; //char * interface; 57 | static char * DESTINATION_IP = "10.0.0.254"; //char * destination_ip; 58 | static char * DESTINATION_MAC = "FF:FF:FF:FF:FF:FF"; //char * destination_mac; 59 | static char * FILTER_FILE = "filter.txt"; 60 | 61 | static int DESTINATION_PORT = 1101; //int destination_port; 62 | static int SOURCE_PORT = 1101; //int source_port; 63 | static int KEYSTROKES_ONLY = 1; //int keystroke_only; 64 | static int SOCKET_TRACKING = 1; //int socket_tracking; 65 | static int WRITE_TRACKING = 0; 66 | static int MAGIC_VALUE = 666; //int magic_value; 67 | static int TESTING = 0; 68 | 69 | extern u32 BLOCK[BS]; 70 | 71 | 72 | 73 | 74 | 75 | #endif //# __SEBEK_MOD_H_ 76 | -------------------------------------------------------------------------------- /linux-2.6/src/syscall.h: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2001/2005 The Honeynet Project. 3 | // 4 | // This program is free software; you can redistribute it and/or 5 | // modify it under the terms of the GNU General Public License 6 | // as published by the Free Software Foundation; either version 2 7 | // of the License, or (at your option) any later version. 
8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with this program; if not, write to the Free Software 16 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 | // 18 | 19 | 20 | #ifndef __SYSCALL_MON__ 21 | #define __SYSCALL_MON__ 22 | 23 | #include 24 | #include 25 | 26 | #include "config.h" 27 | #ifdef HAVE_LINUX_SYSCALLS_H 28 | #include 29 | #endif 30 | 31 | #include 32 | 33 | #include 34 | 35 | #include "net.h" 36 | #include "filter.h" 37 | 38 | 39 | extern atomic_t refcount; 40 | extern wait_queue_head_t wait; 41 | 42 | //----------------------------------------------------------------------------- 43 | //----- functions for controlling system call monitoring 44 | //----------------------------------------------------------------------------- 45 | 46 | int init_monitoring(void); 47 | 48 | int start_monitoring(void); 49 | 50 | int stop_monitoring(void); 51 | 52 | 53 | 54 | #endif 55 | -------------------------------------------------------------------------------- /linux-2.6/src/util.c: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2001/2005 The Honeynet Project. 3 | // 4 | // This program is free software; you can redistribute it and/or 5 | // modify it under the terms of the GNU General Public License 6 | // as published by the Free Software Foundation; either version 2 7 | // of the License, or (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with this program; if not, write to the Free Software 16 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 17 | // 18 | 19 | 20 | #include "util.h" 21 | 22 | //------ ip address as text to integer 23 | inline char * sebek_ntoa(u32 addr,char *str){ 24 | 25 | u32 ip = ntohl(addr); 26 | sprintf(str,"%u.%u.%u.%u",(ip & 0xff000000) >> 24,(ip & 0x00ff0000) >> 16,(ip & 0x0000ff00) >> 8,ip & 0x000000ff); 27 | return str; 28 | } 29 | 30 | 31 | 32 | 33 | inline unsigned long fd2inode(long fd){ 34 | 35 | struct file * f_ptr = 0; 36 | struct inode * i_ptr = 0; 37 | struct files_struct * files = 0; 38 | 39 | files = current->files; 40 | 41 | //----- get file pointer associated with file descriptor 42 | if(files) 43 | f_ptr = fcheck_files(files,fd); 44 | 45 | //------ get the inode associated with the file 46 | if(f_ptr && f_ptr->f_dentry && f_ptr->f_vfsmnt) 47 | i_ptr = f_ptr->f_dentry->d_inode; 48 | 49 | if(!i_ptr){ 50 | return 0; 51 | } 52 | 53 | return i_ptr->i_ino; 54 | } 55 | 56 | struct inode * fd2inode_ptr(long fd){ 57 | 58 | struct file * f_ptr = 0; 59 | struct inode * i_ptr = 0; 60 | struct files_struct * files = 0; 61 | 62 | files = current->files; 63 | 64 | //----- get file pointer associated with file descriptor 65 | if(files) 66 | f_ptr = fcheck_files(files,fd); 67 | 68 | //------ get the inode associated with the file 69 | if(f_ptr && f_ptr->f_dentry && f_ptr->f_vfsmnt) 70 | i_ptr = f_ptr->f_dentry->d_inode; 71 | 72 | if(!i_ptr){ 73 | return 0; 74 | } 75 | 76 | return i_ptr; 77 | } 78 | 79 | 80 | 81 | 82 | inline char * fd2path(long fd,char *buffer,int pathmax){ 83 | 84 | struct files_struct * files = 0; 85 | struct file * f_ptr = 0; 86 | 87 | //----- need to convert inode to dentry. 
88 | files = current->files; 89 | 90 | //----- get file pointer associated with file descriptor 91 | if(files) 92 | f_ptr = fcheck_files(files,fd); 93 | 94 | 95 | return d_path(f_ptr->f_dentry,f_ptr->f_vfsmnt,buffer,pathmax); 96 | } 97 | 98 | 99 | -------------------------------------------------------------------------------- /linux-2.6/src/util.h: -------------------------------------------------------------------------------- 1 | // 2 | // Copyright (C) 2001/2005 The Honeynet Project. 3 | // 4 | // This program is free software; you can redistribute it and/or 5 | // modify it under the terms of the GNU General Public License 6 | // as published by the Free Software Foundation; either version 2 7 | // of the License, or (at your option) any later version. 8 | // 9 | // This program is distributed in the hope that it will be useful, 10 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | // GNU General Public License for more details. 13 | // 14 | // You should have received a copy of the GNU General Public License 15 | // along with this program; if not, write to the Free Software 16 | // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
17 | 18 | 19 | #ifndef __UTIL_H__ 20 | #define __UTIL_H__ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #include "fudge.h" 29 | #include "config.h" 30 | 31 | //----------------------------------------------------------------------------- 32 | //----- Cheezy obfuscation stuff 33 | //----------------------------------------------------------------------------- 34 | #ifndef BS 35 | #define BS 64 36 | #endif 37 | 38 | #ifndef DIP_OFFSET 39 | #define DIP_OFFSET 0 40 | #endif 41 | 42 | #ifndef DPORT_OFFSET 43 | #define DPORT_OFFSET 1 44 | #endif 45 | 46 | #ifndef SIP_OFFSET 47 | #define SIP_OFFSET 2 48 | #endif 49 | 50 | #ifndef SPORT_OFFSET 51 | #define SPORT_OFFSET 3 52 | #endif 53 | 54 | #ifndef KSO_OFFSET 55 | #define KSO_OFFSET 4 56 | #endif 57 | 58 | #ifndef SOCKET_OFFSET 59 | #define SOCKET_OFFSET 5 60 | #endif 61 | 62 | #ifndef MAGIC_OFFSET 63 | #define MAGIC_OFFSET 6 64 | #endif 65 | 66 | #ifndef SMAC_0_OFFSET 67 | #define SMAC_0_OFFSET 10 68 | #define SMAC_1_OFFSET 11 69 | #define SMAC_2_OFFSET 12 70 | #define SMAC_3_OFFSET 13 71 | #define SMAC_4_OFFSET 14 72 | #define SMAC_5_OFFSET 15 73 | #endif 74 | 75 | #ifndef DMAC_0_OFFSET 76 | #define DMAC_0_OFFSET 20 77 | #define DMAC_1_OFFSET 21 78 | #define DMAC_2_OFFSET 22 79 | #define DMAC_3_OFFSET 23 80 | #define DMAC_4_OFFSET 24 81 | #define DMAC_5_OFFSET 25 82 | #endif 83 | 84 | #ifndef TESTING_OFFSET 85 | #define TESTING_OFFSET 26 86 | #endif 87 | 88 | #ifndef WRITE_OFFSET 89 | #define WRITE_OFFSET 27 90 | #endif 91 | 92 | 93 | #define SBK_READ 0 94 | #define SBK_WRITE 1 95 | #define SBK_SOCK 2 96 | #define SBK_OPEN 3 97 | 98 | 99 | #define BUFLEN 1376 100 | 101 | 102 | extern u32 BLOCK[BS]; 103 | extern u32 tx_bytes; 104 | extern u32 tx_packets; 105 | extern u32 s_bytes; 106 | extern u32 s_packets; 107 | 108 | extern struct net_device *output_dev; 109 | extern get_info_t * old_get_info; 110 | 111 | 
//-----------------------------------------------------------------------------
//----- Functions (implemented in util.c)
//-----
//----- sebek_ntoa:    dotted-quad rendering of a u32 address into str
//----- fd2inode:      inode number for an fd (fd2path reads current->files;
//----- fd2inode_ptr:  the struct inode behind an fd    the others presumably
//----- fd2path:       pathname for an fd, into buffer   do the same)
//-----                of pathmax bytes
//----- NOTE(review): every fd argument originates from an intercepted
//----- syscall, so an unopened/out-of-range fd must be tolerated, not
//----- dereferenced.
//-----------------------------------------------------------------------------
| 10 | Intro: 11 | 12 | Sebek exports UDP packets on the LAN to a data collection host which sniffs 13 | them off the LAN using an application based on libpcap. The extraction app, 14 | called sbk_extract is told what interface to sniff on and what destination port 15 | number ot look for(or what tcpdump file to read). 16 | 17 | As packets are processed, a binary representation of the 18 | Sebek record is output to standard out. This output is then piped to the input 19 | of a utility called sbk_upload.pl, which uploads this data into a Mysql database 20 | or into a utility called sbk_ks_log.pl, which writes keystroke logs to standard out. 21 | 22 | Building: 23 | 24 | - ./configure 25 | - make 26 | - make install 27 | 28 | 29 | 30 | Running: 31 | 32 | sbk_extract can pull sebek packets from libpcap file or from 33 | network interface. As it does so, it sends each record to standard out. 34 | 35 | Options include: 36 | 37 | -i device, if you are sniffing from the network this 38 | specifies which interface. 39 | 40 | -f file, if you are reading from pcap file, this specifies 41 | which file, you can read from file, or read from 42 | net 43 | 44 | -p port, specified what Destination UDP port to look for 45 | 46 | -u username, username to setuid to. 47 | 48 | -c path, path of chroot jail. 49 | 50 | 51 | 52 | 53 | sebekd.pl is designed to operate on the roo, it controls all 54 | aspects of running sbk_extract and uploading sebek data into 55 | the hflow database. 56 | 57 | 58 | skb_diag.pl is a raw formater of out put from sbk_extract, it 59 | creates barely human readable output 60 | 61 | sbk_ks_log.pl write only the keystroke logs to standard out. It has no options. 
62 | 63 | Example: 64 | 65 | sbk_extract -i eth1 -p 1101 | sbk_ks_log.pl 66 | 67 | 68 | sbk_viewer.pl is similar to sbk_ks_log.pl but it also allows you to view the 69 | experimental write data 70 | 71 | 72 | 73 | Adding functionality: 74 | 75 | If you dont like the existing database or want to write some sorta of custom tool 76 | to munge the Sebek records, then the best place to get a decent data feed is 77 | directly from the output of sbk_extract. 78 | 79 | The record format exported by sbk_extract is the following: 80 | 81 | ($ip,$magic,$ver,$counter,$time_sec,$time_usec,$pid,$uid,$fd,$com,$len) = 82 | unpack("NNnnNNNNNNa10N",$line); 83 | 84 | read(STDIN,$data,$len,0); 85 | 86 | 87 | IP address: 32bit unsigned 88 | MAGIC Val: 32bit unsigned 89 | Sebek Ver: 16bit unsigned 90 | Type 16bit unsigned 91 | Counter: 32bit unsigned 92 | Time_sec: 32bit unsigned 93 | Time_usec: 32bit unsigned 94 | Proc ID: 32bit unsigned 95 | User ID: 32bit unsigned 96 | File Desc: 32bit unsigned 97 | Command: 12char array 98 | Length: Data Length 99 | 100 | Data: Variable Length data 101 | 102 | 103 | 104 | BUGS: 105 | 106 | Some version of linux which have perl 5.8, which has a 107 | serious bug in it. The read function malfunctions. 108 | 109 | http://archive.develooper.com/perl5-porters@perl.org/msg92560.html 110 | 111 | If this problem is present, then try the following workaround 112 | 113 | export LANG="POSIX" 114 | 115 | I have NO idea as to why this resolves the issue. 
116 | 117 | -------------------------------------------------------------------------------- /sebekd/acconfig.h: -------------------------------------------------------------------------------- 1 | #undef PACKAGE 2 | #undef VERSION 3 | #undef BSDI 4 | #undef FREEBSD 5 | #undef LINUX 6 | #undef OPENBSD 7 | #undef MACOS 8 | #undef SOLARIS 9 | 10 | -------------------------------------------------------------------------------- /sebekd/config.h.in: -------------------------------------------------------------------------------- 1 | /* config.h.in. Generated from configure.in by autoheader. */ 2 | #undef PACKAGE 3 | #undef VERSION 4 | #undef BSDI 5 | #undef FREEBSD 6 | #undef LINUX 7 | #undef OPENBSD 8 | #undef MACOS 9 | #undef SOLARIS 10 | 11 | 12 | /* Define to 1 if you have the `pcap' library (-lpcap). */ 13 | #undef HAVE_LIBPCAP 14 | 15 | /* Name of package */ 16 | #undef PACKAGE 17 | 18 | /* Define to the address where bug reports for this package should be sent. */ 19 | #undef PACKAGE_BUGREPORT 20 | 21 | /* Define to the full name of this package. */ 22 | #undef PACKAGE_NAME 23 | 24 | /* Define to the full name and version of this package. */ 25 | #undef PACKAGE_STRING 26 | 27 | /* Define to the one symbol short name of this package. */ 28 | #undef PACKAGE_TARNAME 29 | 30 | /* Define to the version of this package. 
*/ 31 | #undef PACKAGE_VERSION 32 | 33 | /* Version number of package */ 34 | #undef VERSION 35 | -------------------------------------------------------------------------------- /sebekd/configure.in: -------------------------------------------------------------------------------- 1 | AC_INIT(sbk_extract.c) 2 | 3 | AM_INIT_AUTOMAKE(sebekd,3.0.3) 4 | AM_CONFIG_HEADER(config.h) 5 | AM_PROG_CC_STDC 6 | 7 | AC_PROG_CC 8 | if test -n "$GCC"; then 9 | CFLAGS="$CFLAGS -Wall " 10 | fi 11 | 12 | AC_CANONICAL_HOST 13 | 14 | case "$host" in 15 | *-linux*) 16 | linux=yes 17 | AC_DEFINE(LINUX) 18 | AC_SUBST(extra_include) 19 | extra_include=-I/usr/include/pcap 20 | ;; 21 | *-openbsd*) 22 | AC_DEFINE(OPENBSD) 23 | ;; 24 | *-solaris*) 25 | AC_DEFINE(SOLARIS) 26 | ;; 27 | 28 | *-freebsd*) 29 | AC_DEFINE(FREEBSD) 30 | ;; 31 | *-bsdi*) 32 | AC_DEFINE(BSDI) 33 | ;; 34 | *-apple*) 35 | AC_DEFINE(MACOS) 36 | esac 37 | 38 | dnl #----- check for presence of LIBPCAP 39 | 40 | AC_ARG_WITH(libpcap_includes, 41 | [ --with-libpcap-includes=DIR libpcap include directory], 42 | [with_libpcap_includes="$withval"],[with_libpcap_includes=no]) 43 | 44 | AC_ARG_WITH(libpcap_libraries, 45 | [ --with-libpcap-libraries=DIR libpcap library directory], 46 | [with_libpcap_libraries="$withval"],[with_libpcap_libraries=no]) 47 | 48 | if test "$with_libpcap_includes" != "no"; then 49 | CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}" 50 | fi 51 | 52 | if test "$with_libpcap_libraries" != "no"; then 53 | LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}" 54 | fi 55 | 56 | LPCAP="" 57 | AC_CHECK_LIB(pcap, pcap_datalink,, LPCAP="no") 58 | 59 | if test "$LPCAP" = "no"; then 60 | echo 61 | echo " ERROR! 
Libpcap library/headers not found, go get it from" 62 | echo " ftp://ftp.ee.lbl.gov/libpcap.tar.Z" 63 | echo " or use the --with-libpcap-* options, if you have it installed" 64 | echo " in unusual place" 65 | exit 66 | fi 67 | 68 | INCLUDES='$(extra_include)' 69 | 70 | AC_SUBST(INCLUDES) 71 | 72 | AC_PROG_INSTALL 73 | AC_OUTPUT(Makefile) 74 | -------------------------------------------------------------------------------- /sebekd/init.d/sebekd: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # sebek server startup script 3 | # 4 | # chkconfig: 35 54 35 5 | # description: Sebek Server 6 | # 7 | PATH=/usr/bin:/sbin:/bin:/usr/sbin 8 | export PATH 9 | 10 | # Source function library. 11 | . /etc/rc.d/init.d/hwfuncs.sub 12 | . /etc/rc.d/init.d/functions 13 | 14 | # Source config info 15 | 16 | hw_setvars 17 | 18 | SEBEK_PIPE=/var/run/sebek-pipe 19 | DBPASSWD=honey 20 | DBUSER=hflow 21 | CWD=`pwd` 22 | PID=/var/run/sebekd.pid 23 | 24 | pidof() { 25 | local pid 26 | pid=`ps -C sebekd.pl | grep -v PID | awk '{print $1;}'` 27 | echo "$pid" | grep -q " " 28 | if [ $? -eq 0 ]; then 29 | logger -p local0.warn "sebekd: found multiple sebekd.pl processes" 30 | echo "" 31 | return 1 32 | else 33 | echo $pid 34 | return 0 35 | fi 36 | } 37 | 38 | 39 | status() { 40 | local base=${1##*/} 41 | local pid 42 | 43 | # Test syntax. 44 | if [ "$#" = 0 ] ; then 45 | echo $"Usage: status {program}" 46 | return 1 47 | fi 48 | 49 | # First try to find PID using ps. 50 | pid=`ps -C sebekd.pl | grep -v PID | awk '{print $1;}'` 51 | if [ -n "$pid" ]; then 52 | echo $"${base} (pid $pid) is running..." 
53 | return 0 54 | fi 55 | 56 | # Try "/var/run/*.pid" files 57 | if [ -f /var/run/${base}.pid ] ; then 58 | read pid < /var/run/${base}.pid 59 | if [ -n "$pid" ]; then 60 | echo $"${base} dead, but pid file exists" 61 | logger -p local0.warn "sebekd: sebekd.pl dead, but pid file exists" 62 | return 1 63 | fi 64 | fi 65 | # See if /var/lock/subsys/${base} exists 66 | if [ -f /var/lock/subsys/${base} ]; then 67 | logger -p local0.warn "sebekd: sebekd.pl dead, but subsys locked" 68 | echo $"${base} dead but subsys locked" 69 | return 2 70 | fi 71 | echo $"${base} is stopped" 72 | return 3 73 | } 74 | 75 | 76 | start() { 77 | if [ "x$HwMANAGE_IP" = "x" -o \ 78 | "x$HwLAN_IP_RANGE" = "x" ]; then 79 | logger -p local0.warn "sebekd: HwMANAGE_IP or HwLAN_IP_RANGE not defined: skipping startup" 80 | return 1 81 | fi 82 | 83 | #--- create the fifo 84 | rm -f ${SEBEK_PIPE} 85 | mkfifo ${SEBEK_PIPE} 86 | 87 | nohup /usr/sbin/sebekd.pl -U ${DBUSER} -W ${DBPASSWD} -p ${HwSEBEK_DST_PORT} -i ${HwLAN_IFACE} -l ${SEBEK_PIPE} -I ${HwMANAGE_IP}> /var/log/sebekd 2>&1 & 88 | # /usr/sbin/sebekd.pl -U ${DBUSER} -W ${DBPASSWD} -p ${HwSEBEK_DST_PORT} -i ${HwLAN_IFACE} -l ${SEBEK_PIPE} -I ${HwMANAGE_IP}> /var/log/sebekd 2>&1 & 89 | sleep 5 90 | P="$(pidof sebekd.pl)" 91 | if [ "x$P" = "x" ]; then 92 | echo $"$0: can't find sebekd.pl pid" 93 | action $"Starting Sebekd: " /bin/false 94 | return 1 95 | fi 96 | 97 | echo $P > $PID 98 | action $"Starting Sebekd: " /bin/true 99 | touch /var/lock/subsys/sebekd 100 | return 0 101 | } 102 | 103 | stop() { 104 | local retval=0 105 | local RETVAL_B=0 106 | if [ -f $PID ]; then 107 | kill -TERM `cat $PID` 108 | RETVAL_A=$? 109 | rm -f $PID 110 | rm -f /var/lock/subsys/sebekd 111 | if [ "$(pgrep sbk_extract | wc -l)" -gt 0 ]; then 112 | kill -9 $(pgrep sbk_extract) 113 | RETVAL_B=$? 
114 | fi 115 | if [ "${RETVAL_A}" -ne 0 -o "${RETVAL_B}" -ne 0 ]; then 116 | action $"Stopping Sebekd: " /bin/false 117 | retval=1 118 | else 119 | action $"Stopping Sebekd: " /bin/true 120 | fi 121 | else 122 | action $"Stopping Sebekd: " /bin/false 123 | retval=1 124 | fi 125 | return $retval 126 | } 127 | 128 | 129 | # Begin main body 130 | 131 | hw_setvars 132 | 133 | case "$1" in 134 | start) 135 | start 136 | exit $? 137 | ;; 138 | 139 | stop) 140 | stop 141 | exit $? 142 | ;; 143 | 144 | restart) 145 | cd $CWD 146 | status sebekd > /dev/null 147 | if [ $? -eq 0 ];then 148 | stop 149 | fi 150 | start 151 | exit $? 152 | ;; 153 | 154 | status) 155 | status sebekd 156 | exit $? 157 | ;; 158 | 159 | probe) 160 | exit 0 161 | ;; 162 | 163 | *) 164 | echo "Usage: $0 {start|stop|status|restart}" 165 | exit 1 166 | ;; 167 | 168 | esac 169 | 170 | exit 0 171 | 172 | -------------------------------------------------------------------------------- /sebekd/sbk_diag.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | # 3 | #-------------------------------------------------------------------- 4 | #----- $Header$ 5 | #-------------------------------------------------------------------- 6 | # 7 | # Copyright (C) 2001-2005 The Honeynet Project. 8 | # All rights reserved. 9 | # 10 | # Redistribution and use in source and binary forms, with or without 11 | # modification, are permitted provided that the following conditions 12 | # are met: 13 | # 1. Redistributions of source code must retain the above copyright 14 | # notice, this list of conditions and the following disclaimer. 15 | # 2. Redistributions in binary form must reproduce the above copyright 16 | # notice, this list of conditions and the following disclaimer in the 17 | # documentation and/or other materials provided with the distribution. 18 | # 3. 
All advertising materials mentioning features or use of this software 19 | # must display the following acknowledgement: 20 | # This product includes software developed by The Honeynet Project. 21 | # 4. The name "The Honeynet Project" may not be used to endorse or promote 22 | # products derived from this software without specific prior written 23 | # permission. 24 | # 25 | # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 26 | # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 | # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 29 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 | # SUCH DAMAGE. 
36 | # 37 | 38 | 39 | 40 | use strict; 41 | use 5.004; 42 | use Getopt::Std; 43 | use Time::gmtime; 44 | use POSIX; 45 | use FileHandle; 46 | use Socket; 47 | 48 | 49 | 50 | 51 | 52 | sub main{ 53 | 54 | my %dat; 55 | my $line; 56 | my $ip; 57 | my $magic; 58 | my $ver; 59 | my $type; 60 | my $counter; 61 | my $time_sec; 62 | my $time_usec; 63 | my $pcap_sec; 64 | my $pcap_usec; 65 | my $par_pid; 66 | my $pid; 67 | my $uid; 68 | my $fd; 69 | my $inode; 70 | my $com; 71 | my $len; 72 | my $data; 73 | 74 | my $return_code; 75 | 76 | my $addr; 77 | my $s_addr; 78 | my $d_addr; 79 | 80 | my $inode; 81 | my $sip; 82 | my $sport; 83 | my $dip; 84 | my $dport; 85 | my $call; 86 | my $proto; 87 | 88 | #---- take records from sebeksniff via STDIN 89 | while(read(STDIN,$line,68,0) > 0){ 90 | 91 | ($pcap_sec, $pcap_usec,$ip,$magic,$ver,$type,$counter,$time_sec,$time_usec,$par_pid,$pid,$uid,$fd,$inode,$com,$len) = 92 | unpack("LLNNnnNNNNNNNNa12N",$line); 93 | 94 | 95 | read(STDIN,$data,$len,0); 96 | 97 | $com =~ s/\0//g; 98 | 99 | my $tm = gmtime($time_sec); 100 | my $datetime = strftime("%Y-%m-%d %H:%M:%S",$tm->sec,$tm->min,$tm->hour,$tm->mday,$tm->mon,$tm->year,$tm->wday,$tm->isdst); 101 | 102 | 103 | $addr = inet_ntoa(pack("N",$ip)); 104 | 105 | if($type == 0 || $type == 3 || $type == 1 ){ 106 | if($type == 0){ 107 | $type = "sys_read"; 108 | } 109 | if($type == 3){ 110 | $type = "sys_open"; 111 | } 112 | print "[$datetime type=($type) ip=($addr) pid=($par_pid:$pid) command=($com) uid=($uid) inode=($inode) fd=($fd) len=($len)]$data\n"; 113 | } 114 | 115 | if($type == 2){ 116 | #----- socket record. 
117 | ($dip,$dport,$sip,$sport,$call,$proto) = 118 | unpack("NnNnnC",$data); 119 | 120 | $d_addr = inet_ntoa(pack("N",$dip)); 121 | $s_addr = inet_ntoa(pack("N",$sip)); 122 | print "[$datetime type=(sys_socket) ip=($addr) pid=($par_pid:$pid) command=($com) uid=($uid) inode=($inode) fd=($fd) len=($len)"; 123 | print " call=($call) inode=($inode)] $proto: $s_addr:$sport -> $d_addr:$dport\n"; 124 | 125 | } 126 | 127 | 128 | } 129 | } 130 | 131 | main(); 132 | -------------------------------------------------------------------------------- /sebekd/sbk_extract.h: -------------------------------------------------------------------------------- 1 | //-------------------------------------------------------------------- 2 | //----- $Header$ 3 | //-------------------------------------------------------------------- 4 | /* 5 | * Copyright (C) 2001 - 2003 The Honeynet Project. 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by The Honeynet Project. 19 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 20 | * products derived from this software without specific prior written 21 | * permission. 
22 | * 23 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 24 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 | * SUCH DAMAGE. 34 | */ 35 | 36 | 37 | 38 | #ifdef HAVE_CONFIG_H 39 | #include "config.h" 40 | #endif 41 | 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | 51 | 52 | #define DEFAULT_IF "eth0" 53 | 54 | #if defined FREEBSD || defined OPENBSD 55 | #include 56 | #endif 57 | 58 | #ifdef MACOS 59 | #include 60 | #include 61 | #define DEFAULT_IF "en0" 62 | #endif 63 | 64 | #define MAX_SBK_AGENT 128 65 | #define SBK_VER 3 66 | 67 | #include 68 | 69 | 70 | 71 | struct eth_h 72 | { 73 | uint8_t dhost[6]; // destination mac 74 | uint8_t shost[6]; // source mac 75 | uint16_t type; // ethernet frame type 76 | }; 77 | 78 | 79 | struct ip_h 80 | { 81 | uint8_t vhl; // version & header length 82 | uint8_t tos; // type of service 83 | uint16_t len; // datagram length 84 | uint16_t id; // identification 85 | uint16_t foff; // fragment offset 86 | uint8_t ttl; // time to live field 87 | uint8_t proto; // datagram protocol 88 | uint16_t csum; // checksum 89 | struct in_addr src; // source IP 90 | struct in_addr dst; // dest IP 91 | }; 92 | 93 | struct udp_h { 94 | uint16_t sport; // source port 95 | uint16_t dport; // destination port 96 | uint16_t len; // 
length 97 | uint16_t csum; // checksum 98 | }; 99 | 100 | 101 | struct sbk_h{ 102 | uint32_t magic __attribute__((packed)) ; 103 | uint16_t ver __attribute__((packed)) ; 104 | uint16_t type __attribute__((packed)) ; 105 | uint32_t counter __attribute__((packed)) ; 106 | uint32_t time_sec __attribute__((packed)) ; 107 | uint32_t time_usec __attribute__((packed)) ; 108 | uint32_t parent_pid __attribute__((packed)) ; 109 | uint32_t pid __attribute__((packed)) ; 110 | uint32_t uid __attribute__((packed)) ; 111 | uint32_t fd __attribute__((packed)) ; 112 | uint32_t inode __attribute__((packed)) ; 113 | char com[12] __attribute__((packed)) ; 114 | uint32_t length __attribute__((packed)) ; 115 | }; 116 | 117 | 118 | 119 | struct agent{ 120 | uint32_t ip_addr; 121 | uint32_t pkt_counter; 122 | uint32_t last_rec_id; 123 | time_t last_time; 124 | struct agent * next; 125 | }; 126 | 127 | struct agent * agent_list_head = NULL; 128 | 129 | 130 | //--- if agent record exists return the match 131 | //--- if no match create new. 132 | struct agent * get_agent(uint32_t addr); 133 | 134 | 135 | 136 | void handler (char *, const struct pcap_pkthdr *, const u_char *); 137 | 138 | 139 | void help (void); 140 | 141 | 142 | -------------------------------------------------------------------------------- /sebekd/sebek_extract.h: -------------------------------------------------------------------------------- 1 | //-------------------------------------------------------------------- 2 | //----- $Header$ 3 | //-------------------------------------------------------------------- 4 | /* 5 | * Copyright (C) 2001 - 2003 The Honeynet Project. 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. 
Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by The Honeynet Project. 19 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 20 | * products derived from this software without specific prior written 21 | * permission. 22 | * 23 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 24 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 27 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 | * SUCH DAMAGE. 
34 | */ 35 | 36 | #ifdef HAVE_CONFIG_H 37 | #include "config.h" 38 | #endif 39 | 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #ifdef FREEBSD 46 | #include 47 | #endif 48 | 49 | #include 50 | 51 | 52 | 53 | #define DEFAULT_LOG_DIR "/var/log/sebek" 54 | #define DEFAULT_IF "eth0" 55 | 56 | 57 | 58 | char logdir[255]; 59 | 60 | struct eth_h 61 | { 62 | u_int8_t dhost[6]; // destination mac 63 | u_int8_t shost[6]; // source mac 64 | u_int16_t type; // ethernet frame type 65 | }; 66 | 67 | 68 | struct ip_h 69 | { 70 | u_int8_t vhl; // version & header length 71 | u_int8_t tos; // type of service 72 | u_int16_t len; // datagram length 73 | u_int16_t id; // identification 74 | u_int16_t foff; // fragment offset 75 | u_int8_t ttl; // time to live field 76 | u_int8_t proto; // datagram protocol 77 | u_int16_t csum; // checksum 78 | struct in_addr src; // source IP 79 | struct in_addr dst; // dest IP 80 | }; 81 | 82 | struct udp_h { 83 | u_int16_t sport; // source port 84 | u_int16_t dport; // destination port 85 | u_int16_t len; // length 86 | u_int16_t csum; // checksum 87 | }; 88 | 89 | 90 | struct sbk_h{ 91 | u_int32_t magic __attribute__((packed)) ; 92 | u_int16_t ver __attribute__((packed)) ; 93 | u_int16_t type __attribute__((packed)) ; 94 | u_int32_t counter __attribute__((packed)) ; 95 | u_int32_t time_sec __attribute__((packed)) ; 96 | u_int32_t time_usec __attribute__((packed)) ; 97 | u_int32_t time_usec __attribute__((packed)) ; 98 | u_int32_t parent_pid __attribute__((packed)) ; 99 | u_int32_t uid __attribute__((packed)) ; 100 | u_int32_t fd __attribute__((packed)) ; 101 | char com[12] __attribute__((packed)) ; 102 | u_int32_t length __attribute__((packed)) ; 103 | }; 104 | 105 | 106 | u_char ethlen; 107 | u_char iplen; 108 | u_char udplen; 109 | 110 | int static_port = 1101; 111 | int use_file = 0; 112 | 113 | pcap_t *pcap_nic; 114 | 115 | u_int last_lost = 0; 116 | 117 | 118 | void handler (char *, const struct pcap_pkthdr *, const 
u_char *); 119 | 120 | 121 | void help (void); 122 | -------------------------------------------------------------------------------- /sebekd/sebekd.spec: -------------------------------------------------------------------------------- 1 | Summary: Sebek Server 2 | Name: sebekd 3 | Version: 3.0.3 4 | Release: 6 5 | License: BSD The Honeynet Project 6 | Group: honeywall/data_capture 7 | URL: http://project.honeynet.org/tools/hflow 8 | Source0: %{name}-%{version}.tar.gz 9 | BuildRoot: %{_tmppath}/%{name}-%{version}.%{release}-root 10 | BuildRequires: libtool automake autoconf 11 | 12 | ########################################################### 13 | # Parameter %pre %post %preun %postun # 14 | # 1st install 1 1 N/C N/C # 15 | # Upgrade 2 2 1 1 # 16 | # Removal N/C N/C 0 0 # 17 | # Note: "-gt 1" instead of 2 covers more than 2 instances # 18 | ########################################################### 19 | 20 | %description 21 | Sebekd provides a pcap based sniffer for the capture of Sebek packets. 22 | It also provides a set of scipts for processing the Sebek Data. 
23 | 24 | 25 | %define sebekdir /usr 26 | %define sebekdata %{sebekdir}/sebek 27 | %define sebeksbin %{sebekdir}/sbin 28 | 29 | 30 | %prep 31 | %setup -n %{name}-%{version} 32 | 33 | %build 34 | %configure 35 | make 36 | 37 | rm -rf $RPM_BUILD_ROOT 38 | 39 | mkdir -p $RPM_BUILD_ROOT/etc/init.d 40 | mkdir -p $RPM_BUILD_ROOT%{sebeksbin} 41 | 42 | install -m 0550 init.d/sebekd $RPM_BUILD_ROOT/etc/init.d 43 | install -m 0550 sebekd.pl $RPM_BUILD_ROOT%{sebeksbin} 44 | install -m 0550 sbk_diag.pl $RPM_BUILD_ROOT%{sebeksbin} 45 | install -m 0550 sbk_ks_log.pl $RPM_BUILD_ROOT%{sebeksbin} 46 | install -m 0550 sbk_extract $RPM_BUILD_ROOT%{sebeksbin} 47 | 48 | %clean 49 | rm -rf $RPM_BUILD_ROOT 50 | 51 | 52 | %files 53 | %defattr(-,root,root,-) 54 | /etc/init.d/sebekd 55 | %{sebeksbin}/sbk_ks_log.pl 56 | %{sebeksbin}/sbk_diag.pl 57 | %{sebeksbin}/sebekd.pl 58 | %{sebeksbin}/sbk_extract 59 | 60 | 61 | %post 62 | if [ $1 -eq 1 ]; then 63 | #--- no other instances must be an install not upgrade 64 | if [ ! -e "/etc/init.d/hflow" ] 65 | then 66 | /sbin/chkconfig --add sebekd 67 | fi 68 | 69 | fi 70 | 71 | if [ $1 -gt 1 ]; then 72 | #--- this was an upgrade, make sure to restart the deamons 73 | if [ ! -e "/etc/init.d/hflow" ] 74 | then 75 | /sbin/service sebekd restart 76 | fi 77 | fi 78 | 79 | 80 | 81 | %preun 82 | if [ $1 -eq 0 ]; then 83 | #--- on uninstall if $1 == 0 then we are removing sebekd 84 | /etc/init.d/sebekd stop 85 | /sbin/chkconfig --del sebekd 86 | fi 87 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.cpp: -------------------------------------------------------------------------------- 1 | // Configuration Wizard.cpp : Defines the class behaviors for the application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include "Configuration Wizard.h" 6 | #include "ConfigurationWizardSheet.h" 7 | #include "DriverConfig.h" 8 | 9 | #ifdef _DEBUG 10 | #define new DEBUG_NEW 11 | #undef THIS_FILE 12 | static char THIS_FILE[] = __FILE__; 13 | #endif 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // CConfigurationWizardApp 17 | 18 | BEGIN_MESSAGE_MAP(CConfigurationWizardApp, CWinApp) 19 | //{{AFX_MSG_MAP(CConfigurationWizardApp) 20 | // NOTE - the ClassWizard will add and remove mapping macros here. 21 | // DO NOT EDIT what you see in these blocks of generated code! 22 | //}}AFX_MSG 23 | ON_COMMAND(ID_HELP, CWinApp::OnHelp) 24 | END_MESSAGE_MAP() 25 | 26 | ///////////////////////////////////////////////////////////////////////////// 27 | // CConfigurationWizardApp construction 28 | 29 | CConfigurationWizardApp::CConfigurationWizardApp() 30 | { 31 | // TODO: add construction code here, 32 | // Place all significant initialization in InitInstance 33 | } 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | // The one and only CConfigurationWizardApp object 37 | 38 | CConfigurationWizardApp theApp; 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | // CConfigurationWizardApp initialization 42 | 43 | BOOL CConfigurationWizardApp::InitInstance() 44 | { 45 | // Memory Leak Checking... 46 | #ifdef _DEBUG 47 | 48 | // get current dbg flag (report it) 49 | int flag = _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG); 50 | 51 | // logically OR leak check bit 52 | flag |= _CRTDBG_LEAK_CHECK_DF; 53 | 54 | // set the flags again 55 | _CrtSetDbgFlag(flag); 56 | #endif 57 | AfxEnableControlContainer(); 58 | 59 | // Standard initialization 60 | // If you are not using these features and wish to reduce the size 61 | // of your final executable, you should remove from the following 62 | // the specific initialization routines you do not need. 
63 | 64 | #ifdef _AFXDLL 65 | Enable3dControls(); // Call this when using MFC in a shared DLL 66 | #else 67 | Enable3dControlsStatic(); // Call this when linking to MFC statically 68 | #endif 69 | 70 | // Create our DriverConfiguration Singleton 71 | CDriverConfig &objConfig = CSingleton::Instance(); 72 | 73 | CBitmap bmWatermark; 74 | CBitmap bmHeader; 75 | if(!bmWatermark.LoadBitmap(IDB_WIZWATERMARK)) 76 | return FALSE; 77 | if(!bmHeader.LoadBitmap(IDB_WIZHEADER)) 78 | return FALSE; 79 | 80 | CConfigurationWizardSheet propSheet(NULL, 0, bmWatermark, NULL, bmHeader);; 81 | m_pMainWnd = &propSheet; 82 | propSheet.DoModal(); 83 | 84 | // Since the dialog has been closed, return FALSE so that we exit the 85 | // application, rather than start the application's message pump. 86 | 87 | 88 | return FALSE; 89 | } 90 | 91 | int CConfigurationWizardApp::ExitInstance() 92 | { 93 | CSingleton::Release(); 94 | return CWinApp::ExitInstance(); 95 | } 96 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.dsw: -------------------------------------------------------------------------------- 1 | Microsoft Developer Studio Workspace File, Format Version 6.00 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE! 
3 | 4 | ############################################################################### 5 | 6 | Project: "Configuration Wizard"=".\Configuration Wizard.dsp" - Package Owner=<4> 7 | 8 | Package=<5> 9 | {{{ 10 | }}} 11 | 12 | Package=<4> 13 | {{{ 14 | }}} 15 | 16 | ############################################################################### 17 | 18 | Global: 19 | 20 | Package=<5> 21 | {{{ 22 | }}} 23 | 24 | Package=<3> 25 | {{{ 26 | }}} 27 | 28 | ############################################################################### 29 | 30 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.h: -------------------------------------------------------------------------------- 1 | // Configuration Wizard.h : main header file for the CONFIGURATION WIZARD application 2 | // 3 | 4 | #if !defined(AFX_CONFIGURATIONWIZARD_H__97BB04A4_5548_4671_A37B_C3CD71CCAFBC__INCLUDED_) 5 | #define AFX_CONFIGURATIONWIZARD_H__97BB04A4_5548_4671_A37B_C3CD71CCAFBC__INCLUDED_ 6 | 7 | #if _MSC_VER > 1000 8 | #pragma once 9 | #endif // _MSC_VER > 1000 10 | 11 | #ifndef __AFXWIN_H__ 12 | #error include 'stdafx.h' before including this file for PCH 13 | #endif 14 | 15 | #include "resource.h" // main symbols 16 | 17 | ///////////////////////////////////////////////////////////////////////////// 18 | // CConfigurationWizardApp: 19 | // See Configuration Wizard.cpp for the implementation of this class 20 | // 21 | 22 | class CConfigurationWizardApp : public CWinApp 23 | { 24 | public: 25 | CConfigurationWizardApp(); 26 | 27 | // Overrides 28 | // ClassWizard generated virtual function overrides 29 | //{{AFX_VIRTUAL(CConfigurationWizardApp) 30 | public: 31 | virtual BOOL InitInstance(); 32 | virtual int ExitInstance(); 33 | //}}AFX_VIRTUAL 34 | 35 | // Implementation 36 | 37 | //{{AFX_MSG(CConfigurationWizardApp) 38 | // NOTE - the ClassWizard will add and remove member functions here. 
39 | // DO NOT EDIT what you see in these blocks of generated code ! 40 | //}}AFX_MSG 41 | DECLARE_MESSAGE_MAP() 42 | }; 43 | 44 | 45 | ///////////////////////////////////////////////////////////////////////////// 46 | 47 | //{{AFX_INSERT_LOCATION}} 48 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 49 | 50 | #endif // !defined(AFX_CONFIGURATIONWIZARD_H__97BB04A4_5548_4671_A37B_C3CD71CCAFBC__INCLUDED_) 51 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.ncb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/Configuration Wizard.ncb -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/Configuration Wizard.rc -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 8.00 2 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Configuration Wizard", "Configuration Wizard.vcproj", "{50833A37-90BF-4228-A894-3000AAA5AF2C}" 3 | ProjectSection(ProjectDependencies) = postProject 4 | EndProjectSection 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfiguration) = preSolution 8 | Debug = Debug 9 | Release = Release 10 | EndGlobalSection 11 | GlobalSection(ProjectConfiguration) = postSolution 12 | {50833A37-90BF-4228-A894-3000AAA5AF2C}.Debug.ActiveCfg = Debug|Win32 13 | 
{50833A37-90BF-4228-A894-3000AAA5AF2C}.Debug.Build.0 = Debug|Win32 14 | {50833A37-90BF-4228-A894-3000AAA5AF2C}.Release.ActiveCfg = Release|Win32 15 | {50833A37-90BF-4228-A894-3000AAA5AF2C}.Release.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(ExtensibilityGlobals) = postSolution 18 | EndGlobalSection 19 | GlobalSection(ExtensibilityAddIns) = postSolution 20 | EndGlobalSection 21 | EndGlobal 22 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Configuration Wizard.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/Configuration Wizard.suo -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardConfigFileName.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardConfigFileName.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "configuration wizard.h" 6 | #include "ConfigurationWizardConfigFileName.h" 7 | #include "DriverConfig.h" 8 | 9 | #ifdef _DEBUG 10 | #define new DEBUG_NEW 11 | #undef THIS_FILE 12 | static char THIS_FILE[] = __FILE__; 13 | #endif 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // CConfigurationWizardConfigFileName property page 17 | 18 | IMPLEMENT_DYNCREATE(CConfigurationWizardConfigFileName, CPropertyPageEx) 19 | 20 | CConfigurationWizardConfigFileName::CConfigurationWizardConfigFileName() : CPropertyPageEx(CConfigurationWizardConfigFileName::IDD) 21 | { 22 | //{{AFX_DATA_INIT(CConfigurationWizardConfigFileName) 23 | m_strFileName = _T(""); 24 | //}}AFX_DATA_INIT 25 | m_strHeaderTitle = "Configuration Program Name"; 26 | m_strHeaderSubTitle = "Sebek will hide itself from all applications except the special 
configuration program. Specify the filename of the configuration program."; 27 | m_psp.dwFlags |= PSP_USEHEADERSUBTITLE | PSP_USEHEADERTITLE; 28 | } 29 | 30 | CConfigurationWizardConfigFileName::~CConfigurationWizardConfigFileName() 31 | { 32 | } 33 | 34 | void CConfigurationWizardConfigFileName::DoDataExchange(CDataExchange* pDX) 35 | { 36 | CPropertyPage::DoDataExchange(pDX); 37 | //{{AFX_DATA_MAP(CConfigurationWizardConfigFileName) 38 | DDX_Control(pDX, IDC_FILENAME, m_edtFileName); 39 | DDX_Text(pDX, IDC_FILENAME, m_strFileName); 40 | DDV_MaxChars(pDX, m_strFileName, CONFIG_PROC_SIZE); 41 | //}}AFX_DATA_MAP 42 | } 43 | 44 | 45 | BEGIN_MESSAGE_MAP(CConfigurationWizardConfigFileName, CPropertyPageEx) 46 | //{{AFX_MSG_MAP(CConfigurationWizardConfigFileName) 47 | ON_BN_CLICKED(IDC_THISAPP, OnThisapp) 48 | //}}AFX_MSG_MAP 49 | END_MESSAGE_MAP() 50 | 51 | ///////////////////////////////////////////////////////////////////////////// 52 | // CConfigurationWizardConfigFileName message handlers 53 | 54 | BOOL CConfigurationWizardConfigFileName::OnSetActive() 55 | { 56 | CPropertySheet *pParentSheet = (CPropertySheet *)GetParent(); 57 | pParentSheet->SetWizardButtons(PSWIZB_NEXT | PSWIZB_BACK); 58 | 59 | CDriverConfig &objConfig = CSingleton::Instance(); 60 | 61 | m_edtFileName.SetWindowText(objConfig.GetConfigFileName().c_str()); 62 | if(objConfig.GetConfigFileName().size() == 0) 63 | OnThisapp(); 64 | 65 | return CPropertyPageEx::OnSetActive(); 66 | } 67 | 68 | LRESULT CConfigurationWizardConfigFileName::OnWizardNext() 69 | { 70 | UpdateData(); 71 | 72 | if(m_strFileName == "") { 73 | MessageBox("No filename was specified. 
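Please specify a filename!", "No File Name Specified!", MB_OK | MB_ICONEXCLAMATION);
		return -1;
	}

	CDriverConfig &objConfig = CSingleton::Instance();
	objConfig.SetConfigFileName(m_strFileName);

	return CPropertyPageEx::OnWizardNext();
}

// "This application" button: pre-fill the configuration-program name with
// this executable's own leaf file name, minus the ".exe" suffix. The value is
// only placed in the edit control; the page's DDX/DDV (DDV_MaxChars with
// CONFIG_PROC_SIZE) and OnWizardNext() still validate it before it is stored.
void CConfigurationWizardConfigFileName::OnThisapp()
{
	char file_name[MAX_PATH + 1];
	memset(file_name, 0, sizeof(file_name));

	// GetModuleFileName() returns 0 on failure; when the buffer is too small
	// it fills the buffer and returns the size passed in (and on older
	// Windows versions the result is then not NUL-terminated). Reject both
	// cases so a truncated or unterminated path is never parsed.
	DWORD dwLen = GetModuleFileName(GetModuleHandle(NULL), file_name, sizeof(file_name) - 1);
	if (dwLen == 0 || dwLen >= sizeof(file_name) - 1)
		return;

	// Keep only the leaf name. The previous code assumed a '\\' is always
	// present and incremented strrchr()'s result without a NULL check.
	char *p = strrchr(file_name, '\\');
	p = (p != NULL) ? p + 1 : file_name;

	// Strip ".exe" only when it is actually present; writing at
	// strlen(p) - 4 unconditionally underflows for names shorter than four
	// characters.
	size_t nLen = strlen(p);
	if (nLen > 4 && _stricmp(p + nLen - 4, ".exe") == 0) {
		p[nLen - 4] = '\0';
		nLen -= 4;
	}

	// Same truncation bound as before (CONFIG_PROC_SIZE - 1 characters).
	// NOTE(review): DDV_MaxChars on this page allows CONFIG_PROC_SIZE
	// characters; which of the two matches the driver's fixed-size field is
	// not visible here -- confirm against DriverConfig.h.
	if (nLen > CONFIG_PROC_SIZE)
		p[CONFIG_PROC_SIZE - 1] = '\0';

	m_edtFileName.SetWindowText(p);
}
-------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardConfigFileName.h: --------------------------------------------------------------------------------
#if !defined(AFX_CONFIGURATIONWIZARDCONFIGFILENAME_H__BE7685DC_1DBC_4F53_8B50_340E5CAF0FE6__INCLUDED_)
#define AFX_CONFIGURATIONWIZARDCONFIGFILENAME_H__BE7685DC_1DBC_4F53_8B50_340E5CAF0FE6__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
// ConfigurationWizardConfigFileName.h : header file
//

/////////////////////////////////////////////////////////////////////////////
// CConfigurationWizardConfigFileName dialog

class CConfigurationWizardConfigFileName : public CPropertyPageEx
{
	DECLARE_DYNCREATE(CConfigurationWizardConfigFileName)

// Construction
public:
	CConfigurationWizardConfigFileName();
	~CConfigurationWizardConfigFileName();

// Dialog Data
	//{{AFX_DATA(CConfigurationWizardConfigFileName)
	enum { IDD = IDD_CONFIGWIZ_CONFIGFILENAME };
	CEdit	m_edtFileName;
	CString	m_strFileName;
	//}}AFX_DATA


// Overrides
	// ClassWizard generate virtual function overrides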
//{{AFX_VIRTUAL(CConfigurationWizardConfigFileName) 33 | public: 34 | virtual BOOL OnSetActive(); 35 | virtual LRESULT OnWizardNext(); 36 | protected: 37 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 38 | //}}AFX_VIRTUAL 39 | 40 | // Implementation 41 | protected: 42 | // Generated message map functions 43 | //{{AFX_MSG(CConfigurationWizardConfigFileName) 44 | afx_msg void OnThisapp(); 45 | //}}AFX_MSG 46 | DECLARE_MESSAGE_MAP() 47 | 48 | }; 49 | 50 | //{{AFX_INSERT_LOCATION}} 51 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 52 | 53 | #endif // !defined(AFX_CONFIGURATIONWIZARDCONFIGFILENAME_H__BE7685DC_1DBC_4F53_8B50_340E5CAF0FE6__INCLUDED_) 54 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardFinish.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardFinish.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "configuration wizard.h" 6 | #include "ConfigurationWizardFinish.h" 7 | #include "DriverConfig.h" 8 | 9 | #ifdef _DEBUG 10 | #define new DEBUG_NEW 11 | #undef THIS_FILE 12 | static char THIS_FILE[] = __FILE__; 13 | #endif 14 | 15 | using namespace std; 16 | 17 | ///////////////////////////////////////////////////////////////////////////// 18 | // CConfigurationWizardFinish property page 19 | 20 | IMPLEMENT_DYNCREATE(CConfigurationWizardFinish, CPropertyPageEx) 21 | 22 | CConfigurationWizardFinish::CConfigurationWizardFinish() : CPropertyPageEx(CConfigurationWizardFinish::IDD) 23 | { 24 | //{{AFX_DATA_INIT(CConfigurationWizardFinish) 25 | m_strDetails = _T(""); 26 | //}}AFX_DATA_INIT 27 | m_psp.dwFlags |= PSP_DEFAULT|PSP_HIDEHEADER; 28 | } 29 | 30 | CConfigurationWizardFinish::~CConfigurationWizardFinish() 31 | { 32 | } 33 | 34 | void CConfigurationWizardFinish::DoDataExchange(CDataExchange* pDX) 35 | { 36 | 
CPropertyPage::DoDataExchange(pDX); 37 | //{{AFX_DATA_MAP(CConfigurationWizardFinish) 38 | DDX_Control(pDX, IDC_CONFIGDETAILS, m_edtDetails); 39 | DDX_Text(pDX, IDC_CONFIGDETAILS, m_strDetails); 40 | //}}AFX_DATA_MAP 41 | } 42 | 43 | 44 | BEGIN_MESSAGE_MAP(CConfigurationWizardFinish, CPropertyPage) 45 | //{{AFX_MSG_MAP(CConfigurationWizardFinish) 46 | // NOTE: the ClassWizard will add message map macros here 47 | //}}AFX_MSG_MAP 48 | END_MESSAGE_MAP() 49 | 50 | ///////////////////////////////////////////////////////////////////////////// 51 | // CConfigurationWizardFinish message handlers 52 | 53 | BOOL CConfigurationWizardFinish::OnSetActive() 54 | { 55 | if(!CPropertyPage::OnSetActive()) 56 | return FALSE; 57 | 58 | CPropertySheet *pParentSheet = (CPropertySheet *)GetParent(); 59 | 60 | pParentSheet->SetWizardButtons(PSWIZB_BACK | PSWIZB_FINISH); 61 | 62 | UpdateData(); 63 | CDriverConfig &objConfig = CSingleton::Instance(); 64 | 65 | string strDetails; 66 | strDetails = "File Location: " + objConfig.GetFileLocation() + "\r\n"; 67 | strDetails += "Destination MAC: "; 68 | 69 | const string &strMAC = objConfig.GetDestinationMAC(); 70 | for(unsigned int i = 0; i < strMAC.size(); i+=2) { 71 | strDetails += strMAC.substr(i, 2); 72 | if(i != strMAC.size() - 2) 73 | strDetails += ":"; 74 | } 75 | strDetails += "\r\n"; 76 | 77 | strDetails += "Destination IP: " + objConfig.GetDestinationIP() + "\r\n"; 78 | strDetails += "Destination Port: " + objConfig.GetDestinationPortAsString() + "\r\n"; 79 | strDetails += "Magic Value: " + objConfig.GetMagicValueAsString() + "\r\n"; 80 | strDetails += "Network Interface: " + objConfig.GetDeviceName() + "\r\n"; 81 | strDetails += "Configuration File Name: " + objConfig.GetConfigFileName() + "\r\n"; 82 | m_edtDetails.SetWindowText(strDetails.c_str()); 83 | 84 | return TRUE; 85 | } 86 | 87 | BOOL CConfigurationWizardFinish::OnWizardFinish() 88 | { 89 | CDriverConfig &objConfig = CSingleton::Instance(); 90 | 91 | // We do this here 
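// because we do not give the user an option to configure this.
	if(!objConfig.SaveConfig()) {
		MessageBox(objConfig.GetErrorString().c_str(), "Error saving configuration!", MB_OK | MB_ICONEXCLAMATION);
		// OnWizardFinish() returns BOOL and any nonzero value lets the sheet
		// close. The previous "return -1" is nonzero, so a failed save still
		// dismissed the wizard and the user could not retry; stay on the page.
		return FALSE;
	}

	return CPropertyPage::OnWizardFinish();
}
-------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardFinish.h: --------------------------------------------------------------------------------
#if !defined(AFX_CONFIGURATIONWIZARDFINISH_H__39372D29_E01E_401E_B79E_3FD5F177C448__INCLUDED_)
#define AFX_CONFIGURATIONWIZARDFINISH_H__39372D29_E01E_401E_B79E_3FD5F177C448__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
// ConfigurationWizardFinish.h : header file
//

/////////////////////////////////////////////////////////////////////////////
// CConfigurationWizardFinish dialog

class CConfigurationWizardFinish : public CPropertyPageEx
{
	DECLARE_DYNCREATE(CConfigurationWizardFinish)

// Construction
public:
	CConfigurationWizardFinish();
	~CConfigurationWizardFinish();

// Dialog Data
	//{{AFX_DATA(CConfigurationWizardFinish)
	enum { IDD = IDD_CONFIGWIZ_FINISHED };
	CEdit	m_edtDetails;
	CString	m_strDetails;
	//}}AFX_DATA


// Overrides
	// ClassWizard generate virtual function overrides
	//{{AFX_VIRTUAL(CConfigurationWizardFinish)
public:
	virtual BOOL OnSetActive();
	virtual BOOL OnWizardFinish();
protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support
	//}}AFX_VIRTUAL

// Implementation
protected:
	// Generated message map functions
	//{{AFX_MSG(CConfigurationWizardFinish)
		// NOTE: the ClassWizard will add member functions here
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()

};

//{{AFX_INSERT_LOCATION}}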
// Microsoft Visual C++ will insert additional declarations immediately before the previous line. 52 | 53 | #endif // !defined(AFX_CONFIGURATIONWIZARDFINISH_H__39372D29_E01E_401E_B79E_3FD5F177C448__INCLUDED_) 54 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardMagicValue.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardMagicValue.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "configuration wizard.h" 6 | #include "ConfigurationWizardMagicValue.h" 7 | #include "MersenneTwister.h" 8 | #include 9 | #include "DriverConfig.h" 10 | 11 | #ifdef _DEBUG 12 | #define new DEBUG_NEW 13 | #undef THIS_FILE 14 | static char THIS_FILE[] = __FILE__; 15 | #endif 16 | 17 | using namespace std; 18 | 19 | ///////////////////////////////////////////////////////////////////////////// 20 | // CConfigurationWizardMagicValue property page 21 | 22 | IMPLEMENT_DYNCREATE(CConfigurationWizardMagicValue, CPropertyPageEx) 23 | 24 | CConfigurationWizardMagicValue::CConfigurationWizardMagicValue() : CPropertyPageEx(CConfigurationWizardMagicValue::IDD) 25 | { 26 | //{{AFX_DATA_INIT(CConfigurationWizardMagicValue) 27 | m_uiMagicValue = 0; 28 | //}}AFX_DATA_INIT 29 | m_strHeaderTitle = "Magic Value"; 30 | m_strHeaderSubTitle = "Sebek will hide packets with the proper magic value. 
Specify a magic value to use."; 31 | m_psp.dwFlags |= PSP_USEHEADERSUBTITLE | PSP_USEHEADERTITLE; 32 | } 33 | 34 | CConfigurationWizardMagicValue::~CConfigurationWizardMagicValue() 35 | { 36 | } 37 | 38 | void CConfigurationWizardMagicValue::DoDataExchange(CDataExchange* pDX) 39 | { 40 | CPropertyPage::DoDataExchange(pDX); 41 | //{{AFX_DATA_MAP(CConfigurationWizardMagicValue) 42 | DDX_Control(pDX, IDC_MAGICVALUE, m_edtMagicValue); 43 | DDX_Text(pDX, IDC_MAGICVALUE, m_uiMagicValue); 44 | //}}AFX_DATA_MAP 45 | } 46 | 47 | 48 | BEGIN_MESSAGE_MAP(CConfigurationWizardMagicValue, CPropertyPageEx) 49 | //{{AFX_MSG_MAP(CConfigurationWizardMagicValue) 50 | ON_BN_CLICKED(IDC_GENRANDOM, OnGenrandom) 51 | //}}AFX_MSG_MAP 52 | END_MESSAGE_MAP() 53 | 54 | ///////////////////////////////////////////////////////////////////////////// 55 | // CConfigurationWizardMagicValue message handlers 56 | 57 | void CConfigurationWizardMagicValue::OnGenrandom() 58 | { 59 | MTRand Random; 60 | unsigned long ulNumber = 0; 61 | 62 | ulNumber = Random.randInt(); 63 | stringstream ss; 64 | ss << ulNumber; 65 | 66 | m_edtMagicValue.SetWindowText(ss.str().c_str()); 67 | } 68 | 69 | BOOL CConfigurationWizardMagicValue::OnSetActive() 70 | { 71 | CPropertySheet *pParentSheet = (CPropertySheet *)GetParent(); 72 | pParentSheet->SetWizardButtons(PSWIZB_NEXT | PSWIZB_BACK); 73 | 74 | CDriverConfig &objConfig = CSingleton::Instance(); 75 | 76 | m_edtMagicValue.SetWindowText(objConfig.GetMagicValueAsString().c_str()); 77 | return CPropertyPageEx::OnSetActive(); 78 | } 79 | 80 | LRESULT CConfigurationWizardMagicValue::OnWizardNext() 81 | { 82 | UpdateData(); 83 | 84 | if(!m_uiMagicValue) { 85 | MessageBox("Invalid Magic Value was specified. 
Please specify a Magic Value greater then 0!", "Invalid Magic Value Specified!", MB_OK | MB_ICONEXCLAMATION); 86 | return -1; 87 | } 88 | 89 | CDriverConfig &objConfig = CSingleton::Instance(); 90 | objConfig.SetMagicValue(m_uiMagicValue); 91 | 92 | 93 | return CPropertyPageEx::OnWizardNext(); 94 | } 95 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardMagicValue.h: -------------------------------------------------------------------------------- 1 | #if !defined(AFX_CONFIGURATIONWIZARDMAGICVALUE_H__4FEC3E79_7343_4079_9131_C356D1AB07B2__INCLUDED_) 2 | #define AFX_CONFIGURATIONWIZARDMAGICVALUE_H__4FEC3E79_7343_4079_9131_C356D1AB07B2__INCLUDED_ 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif // _MSC_VER > 1000 7 | // ConfigurationWizardMagicValue.h : header file 8 | // 9 | 10 | ///////////////////////////////////////////////////////////////////////////// 11 | // CConfigurationWizardMagicValue dialog 12 | 13 | class CConfigurationWizardMagicValue : public CPropertyPageEx 14 | { 15 | DECLARE_DYNCREATE(CConfigurationWizardMagicValue) 16 | 17 | // Construction 18 | public: 19 | CConfigurationWizardMagicValue(); 20 | ~CConfigurationWizardMagicValue(); 21 | 22 | // Dialog Data 23 | //{{AFX_DATA(CConfigurationWizardMagicValue) 24 | enum { IDD = IDD_CONFIGWIZ_MAGICVALUE }; 25 | CEdit m_edtMagicValue; 26 | UINT m_uiMagicValue; 27 | //}}AFX_DATA 28 | 29 | 30 | // Overrides 31 | // ClassWizard generate virtual function overrides 32 | //{{AFX_VIRTUAL(CConfigurationWizardMagicValue) 33 | public: 34 | virtual BOOL OnSetActive(); 35 | virtual LRESULT OnWizardNext(); 36 | protected: 37 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 38 | //}}AFX_VIRTUAL 39 | 40 | // Implementation 41 | protected: 42 | // Generated message map functions 43 | //{{AFX_MSG(CConfigurationWizardMagicValue) 44 | afx_msg void OnGenrandom(); 45 | //}}AFX_MSG 46 | DECLARE_MESSAGE_MAP() 47 | 48 | }; 
49 | 50 | //{{AFX_INSERT_LOCATION}} 51 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 52 | 53 | #endif // !defined(AFX_CONFIGURATIONWIZARDMAGICVALUE_H__4FEC3E79_7343_4079_9131_C356D1AB07B2__INCLUDED_) 54 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardNetworkConfig.h: -------------------------------------------------------------------------------- 1 | #if !defined(AFX_CONFIGURATIONWIZARDNETWORKCONFIG_H__3AD5A9C3_5572_4C95_BB0E_3B1D13A4D90D__INCLUDED_) 2 | #define AFX_CONFIGURATIONWIZARDNETWORKCONFIG_H__3AD5A9C3_5572_4C95_BB0E_3B1D13A4D90D__INCLUDED_ 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif // _MSC_VER > 1000 7 | // ConfigurationWizardNetworkConfig.h : header file 8 | // 9 | 10 | ///////////////////////////////////////////////////////////////////////////// 11 | // CConfigurationWizardNetworkConfig dialog 12 | 13 | class CConfigurationWizardNetworkConfig : public CPropertyPageEx 14 | { 15 | DECLARE_DYNCREATE(CConfigurationWizardNetworkConfig) 16 | 17 | // Construction 18 | public: 19 | CConfigurationWizardNetworkConfig(); 20 | ~CConfigurationWizardNetworkConfig(); 21 | 22 | // Dialog Data 23 | //{{AFX_DATA(CConfigurationWizardNetworkConfig) 24 | enum { IDD = IDD_CONFIGWIZ_NETWORKCONFIG }; 25 | CComboBox m_cbInterfaces; 26 | //}}AFX_DATA 27 | 28 | 29 | // Overrides 30 | // ClassWizard generate virtual function overrides 31 | //{{AFX_VIRTUAL(CConfigurationWizardNetworkConfig) 32 | public: 33 | virtual BOOL OnSetActive(); 34 | virtual LRESULT OnWizardNext(); 35 | virtual BOOL OnKillActive(); 36 | protected: 37 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 38 | //}}AFX_VIRTUAL 39 | 40 | // Implementation 41 | protected: 42 | // Generated message map functions 43 | //{{AFX_MSG(CConfigurationWizardNetworkConfig) 44 | // NOTE: the ClassWizard will add member functions here 45 | //}}AFX_MSG 46 | 
DECLARE_MESSAGE_MAP() 47 | 48 | }; 49 | 50 | //{{AFX_INSERT_LOCATION}} 51 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 52 | 53 | #endif // !defined(AFX_CONFIGURATIONWIZARDNETWORKCONFIG_H__3AD5A9C3_5572_4C95_BB0E_3B1D13A4D90D__INCLUDED_) 54 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardSelectFile.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardSelectFile.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "configuration wizard.h" 6 | #include "ConfigurationWizardSelectFile.h" 7 | #include "DriverConfig.h" 8 | 9 | #ifdef _DEBUG 10 | #define new DEBUG_NEW 11 | #undef THIS_FILE 12 | static char THIS_FILE[] = __FILE__; 13 | #endif 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // CConfigurationWizardSelectFile property page 17 | 18 | IMPLEMENT_DYNCREATE(CConfigurationWizardSelectFile, CPropertyPageEx) 19 | 20 | CConfigurationWizardSelectFile::CConfigurationWizardSelectFile() : CPropertyPageEx(CConfigurationWizardSelectFile::IDD) 21 | { 22 | //{{AFX_DATA_INIT(CConfigurationWizardSelectFile) 23 | m_strFileLoc = _T(""); 24 | //}}AFX_DATA_INIT 25 | m_strHeaderTitle = "Please select the Sebek driver file"; 26 | m_strHeaderSubTitle = "The Sebek Driver file contains the configuration information used throughout this wizard."; 27 | m_psp.dwFlags |= PSP_USEHEADERSUBTITLE | PSP_USEHEADERTITLE; 28 | } 29 | 30 | CConfigurationWizardSelectFile::~CConfigurationWizardSelectFile() 31 | { 32 | } 33 | 34 | void CConfigurationWizardSelectFile::DoDataExchange(CDataExchange* pDX) 35 | { 36 | CPropertyPage::DoDataExchange(pDX); 37 | //{{AFX_DATA_MAP(CConfigurationWizardSelectFile) 38 | DDX_Control(pDX, IDC_FILELOC, m_edtFileLoc); 39 | DDX_Text(pDX, IDC_FILELOC, m_strFileLoc); 40 | //}}AFX_DATA_MAP 41 | } 42 | 43 | 44 | 
BEGIN_MESSAGE_MAP(CConfigurationWizardSelectFile, CPropertyPageEx) 45 | //{{AFX_MSG_MAP(CConfigurationWizardSelectFile) 46 | ON_BN_CLICKED(IDC_BROWSE, OnBrowse) 47 | //}}AFX_MSG_MAP 48 | END_MESSAGE_MAP() 49 | 50 | ///////////////////////////////////////////////////////////////////////////// 51 | // CConfigurationWizardSelectFile message handlers 52 | 53 | void CConfigurationWizardSelectFile::OnBrowse() 54 | { 55 | OPENFILENAME ofn; // common dialog box structure 56 | char szFile[260]; // buffer for file name 57 | memset(szFile, 0, sizeof(szFile)); 58 | 59 | // Initialize OPENFILENAME 60 | ZeroMemory(&ofn, sizeof(OPENFILENAME)); 61 | ofn.lStructSize = sizeof(OPENFILENAME); 62 | ofn.hwndOwner = m_hWnd; 63 | ofn.lpstrFile = szFile; 64 | ofn.nMaxFile = sizeof(szFile); 65 | ofn.lpstrFilter = "All (*.*)\0*.*\0"; 66 | ofn.nFilterIndex = 1; 67 | ofn.lpstrFileTitle = NULL; 68 | ofn.nMaxFileTitle = 0; 69 | ofn.lpstrInitialDir = NULL; 70 | ofn.Flags = OFN_PATHMUSTEXIST | OFN_FILEMUSTEXIST; 71 | 72 | // Display the Open dialog box. 73 | 74 | if (GetOpenFileName(&ofn)==TRUE) { 75 | m_edtFileLoc.SetWindowText(szFile); 76 | CPropertySheet *pParentSheet = (CPropertySheet *)GetParent(); 77 | } 78 | } 79 | 80 | LRESULT CConfigurationWizardSelectFile::OnWizardNext() 81 | { 82 | UpdateData(); 83 | 84 | if(m_strFileLoc == "") { 85 | MessageBox("No driver was specified. 
Please specify a driver!", "No Driver Specified!", MB_OK | MB_ICONEXCLAMATION); 86 | return -1; 87 | } 88 | 89 | CDriverConfig &objConfig = CSingleton::Instance(); 90 | objConfig.SetFileLocation(m_strFileLoc); 91 | if(!objConfig.LoadConfig()) { 92 | MessageBox(objConfig.GetErrorString().c_str(), "Error loading configuration!", MB_OK | MB_ICONEXCLAMATION); 93 | return -1; 94 | } 95 | 96 | return CPropertyPageEx::OnWizardNext(); 97 | } 98 | 99 | BOOL CConfigurationWizardSelectFile::OnSetActive() 100 | { 101 | CPropertySheet *pParentSheet = (CPropertySheet *)GetParent(); 102 | pParentSheet->SetWizardButtons(PSWIZB_NEXT | PSWIZB_BACK); 103 | 104 | char strSystemDir[MAX_PATH + 1]; 105 | ZeroMemory(strSystemDir, MAX_PATH + 1); 106 | 107 | GetSystemDirectory(strSystemDir, MAX_PATH); 108 | 109 | m_strFileLoc = strSystemDir; 110 | m_strFileLoc += "\\drivers\\SEBEK.SYS"; 111 | 112 | UpdateData(FALSE); 113 | return CPropertyPageEx::OnSetActive(); 114 | } 115 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardSelectFile.h: -------------------------------------------------------------------------------- 1 | #if !defined(AFX_CONFIGURATIONWIZARDSELECTFILE_H__E49D8AA8_018F_4E1A_90FA_4F5450843E94__INCLUDED_) 2 | #define AFX_CONFIGURATIONWIZARDSELECTFILE_H__E49D8AA8_018F_4E1A_90FA_4F5450843E94__INCLUDED_ 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif // _MSC_VER > 1000 7 | // ConfigurationWizardSelectFile.h : header file 8 | // 9 | 10 | ///////////////////////////////////////////////////////////////////////////// 11 | // CConfigurationWizardSelectFile dialog 12 | 13 | class CConfigurationWizardSelectFile : public CPropertyPageEx 14 | { 15 | DECLARE_DYNCREATE(CConfigurationWizardSelectFile) 16 | 17 | // Construction 18 | public: 19 | CConfigurationWizardSelectFile(); 20 | ~CConfigurationWizardSelectFile(); 21 | 22 | // Dialog Data 23 | //{{AFX_DATA(CConfigurationWizardSelectFile) 24 | enum { IDD 
= IDD_CONFIGWIZ_SELECTFILE }; 25 | CEdit m_edtFileLoc; 26 | CString m_strFileLoc; 27 | //}}AFX_DATA 28 | 29 | 30 | // Overrides 31 | // ClassWizard generate virtual function overrides 32 | //{{AFX_VIRTUAL(CConfigurationWizardSelectFile) 33 | public: 34 | virtual LRESULT OnWizardNext(); 35 | virtual BOOL OnSetActive(); 36 | protected: 37 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 38 | //}}AFX_VIRTUAL 39 | 40 | // Implementation 41 | protected: 42 | // Generated message map functions 43 | //{{AFX_MSG(CConfigurationWizardSelectFile) 44 | afx_msg void OnBrowse(); 45 | //}}AFX_MSG 46 | DECLARE_MESSAGE_MAP() 47 | 48 | }; 49 | 50 | //{{AFX_INSERT_LOCATION}} 51 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 52 | 53 | #endif // !defined(AFX_CONFIGURATIONWIZARDSELECTFILE_H__E49D8AA8_018F_4E1A_90FA_4F5450843E94__INCLUDED_) 54 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardServerConfig.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardServerConfig.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "configuration wizard.h" 6 | #include "ConfigurationWizardServerConfig.h" 7 | #include "DriverConfig.h" 8 | 9 | using namespace std; 10 | 11 | #ifdef _DEBUG 12 | #define new DEBUG_NEW 13 | #undef THIS_FILE 14 | static char THIS_FILE[] = __FILE__; 15 | #endif 16 | 17 | ///////////////////////////////////////////////////////////////////////////// 18 | // CConfigurationWizardServerConfig property page 19 | 20 | IMPLEMENT_DYNCREATE(CConfigurationWizardServerConfig, CPropertyPageEx) 21 | 22 | CConfigurationWizardServerConfig::CConfigurationWizardServerConfig() : CPropertyPageEx(CConfigurationWizardServerConfig::IDD) 23 | { 24 | //{{AFX_DATA_INIT(CConfigurationWizardServerConfig) 25 | m_strMAC0 = _T(""); 26 | m_strMAC1 = _T(""); 27 | m_strMAC2 
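= _T("");
	m_strMAC3 = _T("");
	m_strMAC4 = _T("");
	m_strMAC5 = _T("");
	m_uiDestPort = 0;
	//}}AFX_DATA_INIT
	m_strHeaderTitle = "Server Configuration";
	m_strHeaderSubTitle = "Sebek logs all data it collects to a central server. Please specify the information sebek will use to generate packets the server can collect.";
	m_psp.dwFlags |= PSP_USEHEADERSUBTITLE | PSP_USEHEADERTITLE;
}

CConfigurationWizardServerConfig::~CConfigurationWizardServerConfig()
{
}

// DDX/DDV map for the server page: six MAC-octet edits, the IP control and
// the destination port. DDV_MinMaxUInt bounds the port to 1..65535; the
// previous upper bound of 65536 is one past the largest valid port number.
void CConfigurationWizardServerConfig::DoDataExchange(CDataExchange* pDX)
{
	CPropertyPage::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CConfigurationWizardServerConfig)
	DDX_Control(pDX, IDC_DESTPORT, m_edtDestPort);
	DDX_Control(pDX, IDC_DESTIP, m_DestIP);
	DDX_Control(pDX, IDC_MAC5, m_edtMAC5);
	DDX_Control(pDX, IDC_MAC4, m_edtMAC4);
	DDX_Control(pDX, IDC_MAC3, m_edtMAC3);
	DDX_Control(pDX, IDC_MAC2, m_edtMAC2);
	DDX_Control(pDX, IDC_MAC1, m_edtMAC1);
	DDX_Control(pDX, IDC_MAC0, m_edtMAC0);
	DDX_Text(pDX, IDC_MAC0, m_strMAC0);
	DDX_Text(pDX, IDC_MAC1, m_strMAC1);
	DDX_Text(pDX, IDC_MAC2, m_strMAC2);
	DDX_Text(pDX, IDC_MAC3, m_strMAC3);
	DDX_Text(pDX, IDC_MAC4, m_strMAC4);
	DDX_Text(pDX, IDC_MAC5, m_strMAC5);
	DDX_Text(pDX, IDC_DESTPORT, m_uiDestPort);
	DDV_MinMaxUInt(pDX, m_uiDestPort, 1, 65535);
	//}}AFX_DATA_MAP
}


BEGIN_MESSAGE_MAP(CConfigurationWizardServerConfig, CPropertyPageEx)
	//{{AFX_MSG_MAP(CConfigurationWizardServerConfig)
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

// Page activation: show the values currently held by the CDriverConfig
// singleton (MAC as six two-digit octets, IP, port) in the controls.
BOOL CConfigurationWizardServerConfig::OnSetActive()
{
	CPropertySheet *pParentSheet = (CPropertySheet *)GetParent();
	pParentSheet->SetWizardButtons(PSWIZB_NEXT | PSWIZB_BACK);

	CDriverConfig &objConfig = CSingleton::Instance();
	const string &strMAC = objConfig.GetDestinationMAC();

	// The stored MAC is twelve hex digits with no separators, two per edit
	// control. Any other length (e.g. an unconfigured or damaged driver
	// image) leaves the fields empty instead of indexing past the end of
	// the string as the unconditional strMAC[0..11] reads did.
	CEdit *edtOctets[6] = { &m_edtMAC0, &m_edtMAC1, &m_edtMAC2, &m_edtMAC3, &m_edtMAC4, &m_edtMAC5 };
	for (int i = 0; i < 6; ++i) {
		string strMACOctet;
		if (strMAC.size() >= 12)
			strMACOctet = strMAC.substr(i * 2, 2);
		edtOctets[i]->SetWindowText(strMACOctet.c_str());
	}

	m_DestIP.SetWindowText(objConfig.GetDestinationIP().c_str());
	m_edtDestPort.SetWindowText(objConfig.GetDestinationPortAsString().c_str());
	return CPropertyPageEx::OnSetActive();
}

// True when s is exactly two hexadecimal digits, i.e. one MAC octet in the
// form the driver config stores (twelve hex digits, no separators; see
// OnSetActive()).
static bool IsHexOctet(const CString &s)
{
	if (s.GetLength() != 2)
		return false;
	for (int i = 0; i < 2; ++i) {
		TCHAR c = s[i];
		bool bHex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
		if (!bHex)
			return false;
	}
	return true;
}

// "Next" on the server page: validate the destination IP, MAC and port and
// store them in the CDriverConfig singleton. Returns -1 (stay on this page)
// when a field is invalid, otherwise defers to the base class.
LRESULT CConfigurationWizardServerConfig::OnWizardNext()
{
	// UpdateData() runs DDX/DDV and returns FALSE when a DDV check (the port
	// range) fails; previously its result was ignored and the rejected port
	// was stored anyway.
	if(!UpdateData())
		return -1;

	if(!m_DestIP.GetWindowTextLength()) {
		MessageBox("No Destination IP Address was specified. Please specify an address!", "No Destination IP Address Specified!", MB_OK | MB_ICONEXCLAMATION);
		return -1;
	}

	CString strDestIP;
	m_DestIP.GetWindowText(strDestIP);

	// The old test "!m_strMAC0 || ..." converted each CString to LPCTSTR,
	// which is never NULL, so it could not fail and any text was accepted.
	// The driver needs six two-digit hex octets, so check exactly that.
	const CString *strOctets[6] = { &m_strMAC0, &m_strMAC1, &m_strMAC2, &m_strMAC3, &m_strMAC4, &m_strMAC5 };
	for (int i = 0; i < 6; ++i) {
		if (!IsHexOctet(*strOctets[i])) {
			MessageBox("Invalid Destination MAC was specified. Please specify a valid MAC!", "No Destination MAC Specified!", MB_OK | MB_ICONEXCLAMATION);
			return -1;
		}
	}

	string strMAC = m_strMAC0 + m_strMAC1 + m_strMAC2 + m_strMAC3 + m_strMAC4 + m_strMAC5;
	CDriverConfig &objConfig = CSingleton::Instance();
	objConfig.SetDestinationIP(strDestIP);
	objConfig.SetDestinationMAC(strMAC);
	objConfig.SetDestinationPort(m_uiDestPort);

	return CPropertyPageEx::OnWizardNext();
}
-------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardServerConfig.h: --------------------------------------------------------------------------------
#if !defined(AFX_CONFIGURATIONWIZARDSERVERCONFIG_H__0D20A11B_8E2A_44E3_9DC7_DAB461A86C6A__INCLUDED_)
#define AFX_CONFIGURATIONWIZARDSERVERCONFIG_H__0D20A11B_8E2A_44E3_9DC7_DAB461A86C6A__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000
// ConfigurationWizardServerConfig.h : header file
//

/////////////////////////////////////////////////////////////////////////////
// CConfigurationWizardServerConfig dialog

class CConfigurationWizardServerConfig : public CPropertyPageEx
{
	DECLARE_DYNCREATE(CConfigurationWizardServerConfig)

// Construction
public:
	CConfigurationWizardServerConfig();
	~CConfigurationWizardServerConfig();

// Dialog Data
	//{{AFX_DATA(CConfigurationWizardServerConfig)
	enum { IDD = IDD_CONFIGWIZ_SERVERCONFIG };
	CEdit	m_edtDestPort;
	CIPAddressCtrl	m_DestIP;
	CEdit	m_edtMAC5;
	CEdit	m_edtMAC4;
	CEdit	m_edtMAC3;
	CEdit	m_edtMAC2;
	CEdit	m_edtMAC1;
	CEdit	m_edtMAC0;
	CString	m_strMAC0;
	CString	m_strMAC1;
	CString	m_strMAC2;
	CString	m_strMAC3;
	CString	m_strMAC4;
	CString	m_strMAC5;
	UINT	m_uiDestPort;
	//}}AFX_DATA


// Overrides
	// ClassWizard generate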
virtual function overrides 45 | //{{AFX_VIRTUAL(CConfigurationWizardServerConfig) 46 | public: 47 | virtual BOOL OnSetActive(); 48 | virtual LRESULT OnWizardNext(); 49 | protected: 50 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 51 | //}}AFX_VIRTUAL 52 | 53 | // Implementation 54 | protected: 55 | // Generated message map functions 56 | //{{AFX_MSG(CConfigurationWizardServerConfig) 57 | //}}AFX_MSG 58 | DECLARE_MESSAGE_MAP() 59 | 60 | }; 61 | 62 | //{{AFX_INSERT_LOCATION}} 63 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 64 | 65 | #endif // !defined(AFX_CONFIGURATIONWIZARDSERVERCONFIG_H__0D20A11B_8E2A_44E3_9DC7_DAB461A86C6A__INCLUDED_) 66 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardSheet.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardSheet.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "resource.h" 6 | #include "ConfigurationWizardSheet.h" 7 | 8 | #ifdef _DEBUG 9 | #undef THIS_FILE 10 | static char BASED_CODE THIS_FILE[] = __FILE__; 11 | #endif 12 | 13 | ///////////////////////////////////////////////////////////////////////////// 14 | // CConfigurationWizardSheet 15 | 16 | IMPLEMENT_DYNAMIC(CConfigurationWizardSheet, CPropertySheetEx) 17 | 18 | CConfigurationWizardSheet::CConfigurationWizardSheet(CWnd* pParentWnd, 19 | UINT iSelectPage, HBITMAP hWatermark, HPALETTE hpalWatermark, 20 | HBITMAP hHeader) 21 | : CPropertySheetEx(IDS_PROPSHT_CAPTION, pParentWnd, iSelectPage, 22 | hWatermark, hpalWatermark, hHeader) 23 | { 24 | // Add all of the property pages here. Note that 25 | // the order that they appear in here will be 26 | // the order they appear in on screen. By default, 27 | // the first page of the set is the active one. 
28 | // One way to make a different property page the 29 | // active one is to call SetActivePage(). 30 | 31 | AddPage(&m_WelcomePage); 32 | AddPage(&m_SelectFilePage); 33 | AddPage(&m_ServerConfigPage); 34 | AddPage(&m_MagicValuePage); 35 | AddPage(&m_NetworkConfigPage); 36 | AddPage(&m_ConfigFileNamePage); 37 | AddPage(&m_FinishPage); 38 | 39 | //Set the Wizard 97 Style for the Property Sheet 40 | m_psh.dwFlags |= PSH_WIZARD97|PSH_WATERMARK; 41 | } 42 | 43 | CConfigurationWizardSheet::~CConfigurationWizardSheet() 44 | { 45 | } 46 | 47 | 48 | BEGIN_MESSAGE_MAP(CConfigurationWizardSheet, CPropertySheet) 49 | //{{AFX_MSG_MAP(CConfigurationWizardSheet) 50 | // NOTE - the ClassWizard will add and remove mapping macros here. 51 | //}}AFX_MSG_MAP 52 | END_MESSAGE_MAP() 53 | 54 | 55 | ///////////////////////////////////////////////////////////////////////////// 56 | // CConfigurationWizardSheet message handlers 57 | 58 | 59 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardSheet.h: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardSheet.h : header file 2 | // 3 | // This class defines custom modal property sheet 4 | // CConfigurationWizardSheet. 
5 | 6 | #ifndef __CONFIGURATIONWIZARDSHEET_H__ 7 | #define __CONFIGURATIONWIZARDSHEET_H__ 8 | 9 | #include "ConfigurationWizardWelcome.h" 10 | #include "ConfigurationWizardSelectFile.h" 11 | #include "ConfigurationWizardServerConfig.h" 12 | #include "ConfigurationWizardMagicValue.h" 13 | #include "ConfigurationWizardNetworkConfig.h" 14 | #include "ConfigurationWizardConfigFileName.h" 15 | #include "ConfigurationWizardFinish.h" 16 | 17 | ///////////////////////////////////////////////////////////////////////////// 18 | // CConfigurationWizardSheet 19 | 20 | class CConfigurationWizardSheet : public CPropertySheetEx 21 | { 22 | DECLARE_DYNAMIC(CConfigurationWizardSheet) 23 | 24 | // Construction 25 | public: 26 | CConfigurationWizardSheet(CWnd* pWndParent = NULL, UINT iSelectPage = 0, HBITMAP hWatermark = NULL, 27 | HPALETTE hpalWatermark = NULL, HBITMAP hHeader = NULL); 28 | 29 | // Attributes 30 | public: 31 | CConfigurationWizardWelcome m_WelcomePage; 32 | CConfigurationWizardSelectFile m_SelectFilePage; 33 | CConfigurationWizardServerConfig m_ServerConfigPage; 34 | CConfigurationWizardMagicValue m_MagicValuePage; 35 | CConfigurationWizardNetworkConfig m_NetworkConfigPage; 36 | CConfigurationWizardConfigFileName m_ConfigFileNamePage; 37 | CConfigurationWizardFinish m_FinishPage; 38 | 39 | // Operations 40 | public: 41 | 42 | // Overrides 43 | // ClassWizard generated virtual function overrides 44 | //{{AFX_VIRTUAL(CConfigurationWizardSheet) 45 | //}}AFX_VIRTUAL 46 | 47 | // Implementation 48 | public: 49 | virtual ~CConfigurationWizardSheet(); 50 | 51 | // Generated message map functions 52 | protected: 53 | //{{AFX_MSG(CConfigurationWizardSheet) 54 | // NOTE - the ClassWizard will add and remove member functions here. 
55 | //}}AFX_MSG 56 | DECLARE_MESSAGE_MAP() 57 | }; 58 | 59 | ///////////////////////////////////////////////////////////////////////////// 60 | 61 | #endif // __CONFIGURATIONWIZARDSHEET_H__ 62 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardWelcome.cpp: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardWelcome.cpp : implementation file 2 | // 3 | 4 | #include "stdafx.h" 5 | #include "resource.h" 6 | #include "ConfigurationWizardWelcome.h" 7 | 8 | #ifdef _DEBUG 9 | #undef THIS_FILE 10 | static char BASED_CODE THIS_FILE[] = __FILE__; 11 | #endif 12 | 13 | IMPLEMENT_DYNCREATE(CConfigurationWizardWelcome, CPropertyPageEx) 14 | 15 | BEGIN_MESSAGE_MAP(CConfigurationWizardWelcome, CPropertyPageEx) 16 | //{{AFX_MSG_MAP(CConfigurationWizardWelcome) 17 | //}}AFX_MSG_MAP 18 | END_MESSAGE_MAP() 19 | 20 | ///////////////////////////////////////////////////////////////////////////// 21 | // CConfigurationWizardWelcome property page 22 | 23 | CConfigurationWizardWelcome::CConfigurationWizardWelcome() : CPropertyPageEx(CConfigurationWizardWelcome::IDD) 24 | { 25 | //{{AFX_DATA_INIT(CConfigurationWizardWelcome) 26 | // NOTE: the ClassWizard will add member initialization here 27 | //}}AFX_DATA_INIT 28 | m_psp.dwFlags |= PSP_DEFAULT|PSP_HIDEHEADER; 29 | } 30 | 31 | CConfigurationWizardWelcome::~CConfigurationWizardWelcome() 32 | { 33 | } 34 | 35 | void CConfigurationWizardWelcome::DoDataExchange(CDataExchange* pDX) 36 | { 37 | CPropertyPage::DoDataExchange(pDX); 38 | //{{AFX_DATA_MAP(CConfigurationWizardWelcome) 39 | // NOTE: the ClassWizard will add DDX and DDV calls here 40 | //}}AFX_DATA_MAP 41 | } 42 | 43 | BOOL CConfigurationWizardWelcome::OnSetActive() 44 | { 45 | CPropertySheet *pParentSheet = (CPropertySheet*)GetParent(); 46 | 47 | pParentSheet->SetWizardButtons(PSWIZB_NEXT); 48 | 49 | return CPropertyPageEx::OnSetActive(); 50 | } 51 | 
-------------------------------------------------------------------------------- /windows/Configuration Wizard/ConfigurationWizardWelcome.h: -------------------------------------------------------------------------------- 1 | // ConfigurationWizardWelcome.h : header file 2 | // 3 | 4 | #ifndef __CONFIGURATIONWIZARDWELCOME_H__ 5 | #define __CONFIGURATIONWIZARDWELCOME_H__ 6 | 7 | ///////////////////////////////////////////////////////////////////////////// 8 | // CConfigurationWizardWelcome dialog 9 | 10 | class CConfigurationWizardWelcome : public CPropertyPageEx 11 | { 12 | DECLARE_DYNCREATE(CConfigurationWizardWelcome) 13 | 14 | // Construction 15 | public: 16 | CConfigurationWizardWelcome(); 17 | ~CConfigurationWizardWelcome(); 18 | 19 | // Dialog Data 20 | //{{AFX_DATA(CConfigurationWizardWelcome) 21 | enum { IDD = IDD_CONFIGWIZ_WELCOME }; 22 | // NOTE - ClassWizard will add data members here. 23 | // DO NOT EDIT what you see in these blocks of generated code ! 24 | //}}AFX_DATA 25 | 26 | 27 | // Overrides 28 | // ClassWizard generate virtual function overrides 29 | //{{AFX_VIRTUAL(CConfigurationWizardWelcome) 30 | public: 31 | virtual BOOL OnSetActive(); 32 | protected: 33 | virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support 34 | //}}AFX_VIRTUAL 35 | 36 | // Implementation 37 | protected: 38 | // Generated message map functions 39 | //{{AFX_MSG(CConfigurationWizardWelcome) 40 | //}}AFX_MSG 41 | DECLARE_MESSAGE_MAP() 42 | 43 | }; 44 | 45 | 46 | 47 | #endif // __CONFIGURATIONWIZARDWELCOME_H__ 48 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/DriverConfig.h: -------------------------------------------------------------------------------- 1 | // DriverConfig.h: interface for the CDriverConfig class. 
2 | // 3 | ////////////////////////////////////////////////////////////////////// 4 | 5 | #if !defined(AFX_DRIVERCONFIG_H__6181CB37_CC70_46BD_B276_48306763394F__INCLUDED_) 6 | #define AFX_DRIVERCONFIG_H__6181CB37_CC70_46BD_B276_48306763394F__INCLUDED_ 7 | 8 | #if _MSC_VER > 1000 9 | #pragma once 10 | #endif // _MSC_VER > 1000 11 | 12 | #include "Singleton.h" 13 | #include 14 | 15 | #define DEST_MAC_SIZE 6 16 | #define CONFIG_PROC_SIZE 13 17 | #define DRIVER_NAME_SIZE 12 18 | #define DEVICE_SIZE 40 19 | 20 | class CDriverConfig 21 | { 22 | public: 23 | virtual ~CDriverConfig(); 24 | bool LoadConfig(); 25 | bool SaveConfig(); 26 | const std::string GetFileLocation(); 27 | void SetFileLocation(const char *strFileLocation); 28 | const std::string GetErrorString(); 29 | 30 | const std::string GetDestinationMAC(); 31 | void SetDestinationMAC(std::string &strMAC); 32 | void SetDestinationMAC(const char *strMAC); 33 | 34 | const std::string GetDestinationIP(); 35 | void SetDestinationIP(std::string &strIP); 36 | void SetDestinationIP(const char *strIP); 37 | 38 | const unsigned short GetDestinationPort(); 39 | const std::string GetDestinationPortAsString(); 40 | void SetDestinationPort(const unsigned short usDestPort); 41 | 42 | const unsigned int GetMagicValue(); 43 | const std::string GetMagicValueAsString(); 44 | void SetMagicValue(const unsigned int uiMagicValue); 45 | 46 | const std::string GetDeviceName(); 47 | void SetDeviceName(std::string &strDeviceName); 48 | void SetDeviceName(const char *strDeviceName); 49 | 50 | const std::string GetConfigFileName(); 51 | void SetConfigFileName(std::string &strMAC); 52 | void SetConfigFileName(const char *strMAC); 53 | private: 54 | std::string m_strErrorString; 55 | std::string m_strFileLocation; 56 | std::string m_strDestinationMAC; 57 | std::string m_strDestinationIP; 58 | std::string m_strDeviceName; 59 | std::string m_strConfigFileName; 60 | unsigned short m_usDestinationPort; 61 | unsigned int m_uiMagicValue; 62 | 63 | 
PIMAGE_SECTION_HEADER GetSectionHeader(PSTR name, PIMAGE_NT_HEADERS pNTHeader); 64 | DWORD FindExport(DWORD base, PIMAGE_NT_HEADERS pNTHeader, const char *strExportName); 65 | DWORD GetExportValue(PIMAGE_DOS_HEADER dosHeader, const char *strExportName); 66 | 67 | void SetErrorString(std::string strErrorString); 68 | void ClearErrorString(); 69 | 70 | bool GetDestinationMACFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 71 | bool GetDestinationIPFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 72 | bool GetDestinationPortFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 73 | bool GetMagicValueFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 74 | bool GetDeviceNameFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 75 | bool GetConfigFileNameFromDriver(const PIMAGE_DOS_HEADER pDosHeader); 76 | 77 | bool StoreDestinationMACInDriver(const PIMAGE_DOS_HEADER pDosHeader); 78 | bool StoreDestinationIPInDriver(const PIMAGE_DOS_HEADER pDosHeader); 79 | bool StoreDestinationPortInDriver(const PIMAGE_DOS_HEADER pDosHeader); 80 | bool StoreMagicValueInDriver(const PIMAGE_DOS_HEADER pDosHeader); 81 | bool StoreDeviceNameInDriver(const PIMAGE_DOS_HEADER pDosHeader); 82 | bool StoreConfigFileNameInDriver(const PIMAGE_DOS_HEADER pDosHeader); 83 | 84 | bool GetLongFromDriver(const PIMAGE_DOS_HEADER pDosHeader, const char *strExportName, unsigned long *pulValue); 85 | bool StoreLongInDriver(const PIMAGE_DOS_HEADER pDosHeader, const char *strExportName, const unsigned long pulValue); 86 | bool GetStringFromDriver(const PIMAGE_DOS_HEADER pDosHeader, const char *strExportName, const unsigned int uiValueLen, char *strValue); 87 | bool StoreStringInDriver(const PIMAGE_DOS_HEADER pDosHeader, const char *strExportName, const char *strValue, const unsigned int uiMaxLen); 88 | 89 | const std::string GetAutoDetectTargetIP(); 90 | const static std::string strAutoDetectionTargetIPs[]; 91 | 92 | std::string AutoDetectDeviceName(); 93 | std::string FindRegistryAdapter(const char *strIP); 94 | friend class 
CSingleton; 95 | CDriverConfig(); 96 | CDriverConfig(const CDriverConfig&); 97 | CDriverConfig& operator=(const CDriverConfig&); 98 | }; 99 | 100 | #endif // !defined(AFX_DRIVERCONFIG_H__6181CB37_CC70_46BD_B276_48306763394F__INCLUDED_) 101 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/Singleton.h: -------------------------------------------------------------------------------- 1 | #ifndef SINGLETON_H 2 | #define SINGLETON_H 3 | 4 | #if _MSC_VER > 1000 5 | #pragma once 6 | #endif // _MSC_VER > 1000 7 | 8 | // Stupid VC++ STL 9 | #pragma warning (disable: 4786) 10 | 11 | template 12 | class CSingleton 13 | { 14 | public: 15 | static T& Instance(); 16 | static void Release(); 17 | protected: 18 | CSingleton(); 19 | private: 20 | static T *pinstance; 21 | }; 22 | 23 | template T *CSingleton::pinstance = 0;// initialize pointer 24 | template T& CSingleton::Instance() 25 | { 26 | if (pinstance == 0) 27 | pinstance = new T; 28 | 29 | return *pinstance; 30 | } 31 | 32 | template 33 | CSingleton::CSingleton() { 34 | } 35 | 36 | template void CSingleton::Release() 37 | { 38 | if(pinstance != 0) { 39 | delete pinstance; 40 | pinstance = 0; 41 | } 42 | } 43 | 44 | #endif 45 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/StdAfx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // Configuration Wizard.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/StdAfx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific 
include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #if !defined(AFX_STDAFX_H__502A27CB_B5B6_4640_85B2_24C745AF1901__INCLUDED_) 7 | #define AFX_STDAFX_H__502A27CB_B5B6_4640_85B2_24C745AF1901__INCLUDED_ 8 | 9 | #if _MSC_VER > 1000 10 | #pragma once 11 | #endif // _MSC_VER > 1000 12 | 13 | #define VC_EXTRALEAN // Exclude rarely-used stuff from Windows headers 14 | #define WINVER 0x0501 15 | 16 | #include // MFC core and standard components 17 | #include // MFC extensions 18 | #include // MFC Automation classes 19 | #include // MFC support for Internet Explorer 4 Common Controls 20 | #ifndef _AFX_NO_AFXCMN_SUPPORT 21 | #include // MFC support for Windows Common Controls 22 | #endif // _AFX_NO_AFXCMN_SUPPORT 23 | #include 24 | 25 | 26 | //{{AFX_INSERT_LOCATION}} 27 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line. 28 | 29 | #endif // !defined(AFX_STDAFX_H__502A27CB_B5B6_4640_85B2_24C745AF1901__INCLUDED_) 30 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/res/Configuration Wizard.ICO: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/res/Configuration Wizard.ICO -------------------------------------------------------------------------------- /windows/Configuration Wizard/res/Configuration Wizard.rc2: -------------------------------------------------------------------------------- 1 | // 2 | // CONFIGURATION WIZARD.RC2 - resources Microsoft Visual C++ does not edit directly 3 | // 4 | 5 | #ifdef APSTUDIO_INVOKED 6 | #error this file is not editable by Microsoft Visual C++ 7 | #endif //APSTUDIO_INVOKED 8 | 9 | 10 | ///////////////////////////////////////////////////////////////////////////// 11 | // Add manually edited resources here... 
12 | 13 | ///////////////////////////////////////////////////////////////////////////// 14 | -------------------------------------------------------------------------------- /windows/Configuration Wizard/res/WizardHeader.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/res/WizardHeader.bmp -------------------------------------------------------------------------------- /windows/Configuration Wizard/res/WizardWatermark.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/res/WizardWatermark.bmp -------------------------------------------------------------------------------- /windows/Configuration Wizard/res/dot.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/Configuration Wizard/res/dot.bmp -------------------------------------------------------------------------------- /windows/Configuration Wizard/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Developer Studio generated include file. 
3 | // Used by Configuration Wizard.rc 4 | // 5 | #define IDM_ABOUTBOX 0x0010 6 | #define IDD_ABOUTBOX 100 7 | #define IDS_ABOUTBOX 101 8 | #define IDS_PROPSHT_CAPTION 103 9 | #define IDD_CONFIGWIZ_WELCOME 104 10 | #define IDD_CONFIGWIZ_SELECTFILE 105 11 | #define IDD_CONFIGWIZ_FINISHED 106 12 | #define IDD_CONFIGWIZ_NETWORKCONFIG 107 13 | #define IDD_CONFIGWIZ_SERVERCONFIG 108 14 | #define IDD_CONFIGWIZ_MAGICVALUE 109 15 | #define IDD_CONFIGWIZ_CONFIGFILENAME 110 16 | #define IDR_MAINFRAME 128 17 | #define IDB_WIZWATERMARK 129 18 | #define IDB_WIZHEADER 130 19 | #define IDB_DOT 131 20 | #define IDC_FILELOC 1000 21 | #define IDC_BROWSE 1001 22 | #define IDC_CONFIGDETAILS 1002 23 | #define IDC_INTERFACES 1003 24 | #define IDC_MAC0 1004 25 | #define IDC_MAC1 1005 26 | #define IDC_MAC2 1006 27 | #define IDC_MAC3 1007 28 | #define IDC_MAC4 1008 29 | #define IDC_MAC5 1009 30 | #define IDC_DESTIP 1010 31 | #define IDC_DESTPORT 1011 32 | #define IDC_GENRANDOM 1012 33 | #define IDC_MAGICVALUE 1013 34 | #define IDC_FILENAME 1014 35 | #define IDC_THISAPP 1015 36 | 37 | // Next default values for new objects 38 | // 39 | #ifdef APSTUDIO_INVOKED 40 | #ifndef APSTUDIO_READONLY_SYMBOLS 41 | #define _APS_NEXT_RESOURCE_VALUE 132 42 | #define _APS_NEXT_COMMAND_VALUE 32771 43 | #define _APS_NEXT_CONTROL_VALUE 1016 44 | #define _APS_NEXT_SYMED_VALUE 107 45 | #endif 46 | #endif 47 | -------------------------------------------------------------------------------- /windows/License.txt: -------------------------------------------------------------------------------- 1 | Copyright (C) 2001-2005 The Honeynet Project. 2 | All rights reserved. 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions 5 | are met: 6 | 1. Redistributions of source code must retain the above copyright 7 | notice, this list of conditions and the following disclaimer. 8 | 2. 
Redistributions in binary form must reproduce the above copyright 9 | notice, this list of conditions and the following disclaimer in the 10 | documentation and/or other materials provided with the distribution. 11 | 3. All advertising materials mentioning features or use of this software 12 | must display the following acknowledgement: 13 | This product includes software developed by The Honeynet Project. 14 | 4. The name "The Honeynet Project" may not be used to endorse or promote 15 | products derived from this software without specific prior written 16 | permission. 17 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 18 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 | ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 21 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 | OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 | LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 | OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 | SUCH DAMAGE. -------------------------------------------------------------------------------- /windows/MAKEFILE: -------------------------------------------------------------------------------- 1 | # 2 | # DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source 3 | # file to this component. 
This file merely indirects to the real make file 4 | # that is shared by all the driver components of the Windows NT DDK 5 | # 6 | 7 | !INCLUDE $(NTMAKEENV)\makefile.def 8 | -------------------------------------------------------------------------------- /windows/Project.lnt: -------------------------------------------------------------------------------- 1 | +fsc 2 | +fpn 3 | -t2 4 | -d_X86_=1 5 | -di386=1 6 | -dSTD_CALL 7 | -dCONDITION_HANDLING=1 8 | -dNT_INST=0 9 | -dWIN32=100 10 | -d_NT1X_=100 11 | -dWINNT=1 12 | -d_WIN32_WINNT=0x0500 13 | -dWINVER=0x0500 14 | -d_WIN32_IE=0x0501 15 | -dWIN32_LEAN_AND_MEAN=1 16 | -dDEVL=1 17 | -d__BUILDMACHINE__=WinDDK 18 | -dFPO=0 19 | -dNDEBUG 20 | -d_DLL=1 21 | -wlib(0) 22 | -e1924 23 | -e1904 24 | -e537 25 | -e742 26 | -esym(1776, DbgPrint, 1) -------------------------------------------------------------------------------- /windows/ProjectFiles.lnt: -------------------------------------------------------------------------------- 1 | adapters.c 2 | antidetection.c 3 | av.c 4 | consolespy.c 5 | debug.c 6 | exports.c 7 | hooked_fn.c 8 | logging.c 9 | memtrack.c 10 | packet.c 11 | sebek.c 12 | sock.c 13 | util.c 14 | -------------------------------------------------------------------------------- /windows/SOURCES: -------------------------------------------------------------------------------- 1 | !IF "$(DDKBUILDENV)" != "chk" 2 | NTDEBUG=ntsdnodbg 3 | !ELSE 4 | NTDEBUG=ntsd 5 | !ENDIF 6 | 7 | NTDEBUGTYPE=both 8 | USE_PDB=1 9 | 10 | TARGETNAME=SEBEK 11 | TARGETPATH=OBJ 12 | TARGETTYPE=DRIVER 13 | TARGETLIBS=$(TARGETLIBS) $(DDK_LIB_PATH)\ndis.lib $(DDK_LIB_PATH)\tdi.lib 14 | 15 | # You can enable/disable feature by adding and removing the defines. Useful for testing specific features. 
16 | # 17 | # USE the line below for FREE builds 18 | #C_DEFINES=-DENABLE_ANTIDETECTION -DENABLE_CONSOLESPY -DENABLE_TDIHOOK 19 | #C_DEFINES=-DENABLE_CONSOLESPY -DENABLE_TDIHOOK -DENABLE_ANTIDETECTION 20 | 21 | !IF "$(DDK_TARGET_OS)" == "Win2K" 22 | C_DEFINES=$(C_DEFINES) -D_WIN2K_COMPAT_SLIST_USAGE 23 | !ENDIF 24 | 25 | USER_INCLUDES=$(NTMAKEENV)\..\inc;$(NTMAKEENV)\..\src\network\inc 26 | 27 | SOURCES= adapters.c \ 28 | av.c \ 29 | hooked_fn.c \ 30 | sebek.c \ 31 | packet.c \ 32 | memtrack.c \ 33 | sock.c \ 34 | consolespy.c \ 35 | antidetection.c \ 36 | logging.c \ 37 | util.c \ 38 | exports.c \ 39 | debug.c \ 40 | tdithread.c \ 41 | obj_tbl.c \ 42 | tdi_hook.c \ 43 | proc_tbl.c \ 44 | datapipe.c \ 45 | sebek.rc 46 | -------------------------------------------------------------------------------- /windows/adapters.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 
19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | /** 34 | * @file adapters.h 35 | * Set of functions to work with list of network adapters 36 | */ 37 | 38 | #ifndef _adapters_h_ 39 | #define _adapters_h_ 40 | 41 | /** 42 | * Initialize list of adapters 43 | */ 44 | void init_adapter_list(void); 45 | 46 | /** 47 | * Deinitialize list of adapters 48 | */ 49 | void free_adapter_list(void); 50 | 51 | /** 52 | * Add adapter to list 53 | * @param name name of adapter 54 | * @return assigned number of adapter 55 | * @retval 0 error 56 | */ 57 | int add_adapter(const wchar_t *name); 58 | 59 | /** 60 | * Get list of adapters. 61 | * Function copies the whole list into wide-char buffer. Names are delimited by (wchar_t)0. 
62 | * Buffer ends by empty unicode string (double (wchar_t)0, (wchar_t)0 at the end of buffer) 63 | * 64 | * @param buf output buffer for adapter names 65 | * @param buf_size size in wchar_t of buf (can be 0) 66 | * 67 | * @return number of wchar_t has to be in buffer 68 | * if greater than buf_size only partial information has been copied 69 | */ 70 | unsigned int get_adapter_list(wchar_t *buf, unsigned int buf_size); 71 | 72 | #endif 73 | -------------------------------------------------------------------------------- /windows/av.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | /** 34 | * @file av.h 35 | * Set of functions to work with list of argument-value (av) pairs 36 | */ 37 | 38 | #ifndef _av_h_ 39 | #define _av_h_ 40 | 41 | /** 42 | * Initialize av 43 | * 44 | * @retval STATUS_SUCCESS no error 45 | */ 46 | NTSTATUS init_av(void); 47 | 48 | /** 49 | * Deinitialize av 50 | */ 51 | void free_av(void); 52 | 53 | /** 54 | * Add av-pair into list 55 | * 56 | * @param key key of value (you can work with value using this key) 57 | * @param value value to be stored 58 | * @param type type of pair (key and type must be unique in av-list) 59 | * @param no_guard if (no_guard) we're already inside g_av_hash_guard spinlock 60 | */ 61 | NTSTATUS add_av(const void *key, void *value, int type, BOOLEAN no_guard); 62 | 63 | /** 64 | * Get value by key and type and get ownership over av-list. 
65 | * You can give ownership back as soon as possible using: 66 | * KeReleaseSpinLock(&g_av_hash_guard, irql); 67 | * 68 | * @param key key of value 69 | * @param type type of value 70 | * @param irql saved irql for KeReleaseSpinLock (can be NULL means 71 | * we're already inside g_av_hash_guard spinlock) 72 | * @return saved value 73 | * @retval NULL value is not found 74 | */ 75 | void *get_av(const void *key, int type, KIRQL *irql); 76 | 77 | /** 78 | * Delete value by key and type 79 | * 80 | * @param key key of value 81 | * @param type type of pair 82 | * @param no_guard if (no_guard) we're already inside g_av_hash_guard spinlock 83 | * 84 | * @retval STATUS_SUCCESS value has been deleted 85 | */ 86 | NTSTATUS del_av(const void *key, int type, BOOLEAN no_guard); 87 | 88 | /** guard spinlock for av-list */ 89 | extern KSPIN_LOCK g_av_hash_guard; 90 | 91 | /* type of values */ 92 | 93 | enum { 94 | /* NOTE: if (type > 0) value can be automatically freed by free() from memtrack.c */ 95 | 96 | PROTOCOL_TO_PCHARS = 1, /**< map NDIS_HANDLE NdisProtocolHandle -> struct PROTOCOL_CHARS */ 97 | BINDING_TO_ADAPTER /**< map NDIS_HANDLE NdisBindingHandle -> struct ADAPTER_PROTOCOL */ 98 | 99 | /* NOTE: if (type < 0) don't free value on delete */ 100 | }; 101 | 102 | #endif 103 | -------------------------------------------------------------------------------- /windows/datapipe.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. 
Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 
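*/

#include                     /* NOTE(review): header name lost in extraction (kernel DDK header) */
#include "datapipe.h"
#include "memtrack.h"

/*
 * One queued message.  Allocated from nonpaged pool with malloc_np(); the
 * payload is stored inline after the header.
 */
struct datapipe_entry {
	struct datapipe_entry *next;    /* next (newer) entry, NULL at the tail */
	ULONG size;                     /* payload length in bytes */
	char data[];                    /* payload, size bytes */
};

/*
 * Initialize an empty pipe.  Must be called before any other datapipe_*
 * function is used on dp.
 */
void datapipe_init(datapipe_t *dp)
{
	dp->first = dp->last = NULL;
	KeInitializeSpinLock(&dp->guard);
}

/*
 * Release every queued entry and zero the pipe structure.  The pipe must be
 * re-initialized with datapipe_init() before it is used again.
 */
void datapipe_free(datapipe_t *dp)
{
	struct datapipe_entry *de;
	KIRQL irql;

	KeAcquireSpinLock(&dp->guard, &irql);

	for (de = dp->first; de;) {
		struct datapipe_entry *next = de->next;
		free(de);
		de = next;
	}
	dp->first = dp->last = NULL;

	KeReleaseSpinLock(&dp->guard, irql);
	memset(dp, 0, sizeof(*dp));
}

/*
 * Return the size of the oldest queued entry, or 0 if the pipe is empty.
 * Callers use this to size the buffer handed to datapipe_get().
 */
ULONG datapipe_peek(datapipe_t *dp)
{
	ULONG result = 0;
	KIRQL irql;

	KeAcquireSpinLock(&dp->guard, &irql);
	if (dp->first)
		result = dp->first->size;
	KeReleaseSpinLock(&dp->guard, irql);

	return result;
}

/*
 * Dequeue the oldest entry into buf.
 *
 * @param buf   destination buffer
 * @param size  capacity of buf in bytes
 * @return number of bytes copied; 0 if the pipe is empty or buf is too
 *         small for the oldest entry (the entry is then left queued)
 */
ULONG datapipe_get(datapipe_t *dp, char *buf, ULONG size)
{
	struct datapipe_entry *de;
	ULONG result = 0;
	KIRQL irql;

	KeAcquireSpinLock(&dp->guard, &irql);

	de = dp->first;
	if (de && de->size <= size) {
		dp->first = de->next;
		/*
		 * FIX: when the only entry is removed the tail pointer must be
		 * cleared as well; the old code left dp->last pointing at the
		 * freed entry and the next datapipe_push() wrote through it.
		 */
		if (!dp->first)
			dp->last = NULL;

		memcpy(buf, de->data, de->size);
		result = de->size;
		free(de);
	}

	KeReleaseSpinLock(&dp->guard, irql);
	return result;
}

/*
 * Append a copy of size bytes from data to the pipe.
 *
 * @return STATUS_SUCCESS, or STATUS_NO_MEMORY if the entry cannot be
 *         allocated from nonpaged pool (or size would wrap the allocation
 *         length)
 */
NTSTATUS datapipe_push(datapipe_t *dp, const char *data, ULONG size)
{
	struct datapipe_entry *de;
	KIRQL irql;

	/* sizeof(*de) + size must not wrap, or a short block would be allocated */
	if (size > (ULONG)~0 - sizeof(*de))
		return STATUS_NO_MEMORY;

	de = (struct datapipe_entry *)malloc_np(sizeof(*de) + size);
	if (!de)
		return STATUS_NO_MEMORY;

	de->next = NULL;
	de->size = size;
	memcpy(de->data, data, size);

	KeAcquireSpinLock(&dp->guard, &irql);

	/*
	 * FIX: link after the current tail and then advance the tail.  The old
	 * code never moved dp->last, so the third push overwrote the second
	 * entry's link and leaked it.
	 */
	if (dp->last)
		dp->last->next = de;
	else
		dp->first = de;
	dp->last = de;

	KeReleaseSpinLock(&dp->guard, irql);

	return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------
/windows/datapipe.h:
--------------------------------------------------------------------------------
/*
 * Copyright (C) 2001-2004 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by The Honeynet Project.
 * 4. The name "The Honeynet Project" may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.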
*/

#ifndef _datapipe_h_
#define _datapipe_h_

/* queue node; the layout is private to datapipe.c */
struct datapipe_entry;

/*
 * FIFO of variable-length messages.  first/last are the head and tail of a
 * singly linked list of entries; guard is acquired by datapipe_free(),
 * datapipe_peek(), datapipe_get() and datapipe_push().
 */
typedef struct datapipe {
	struct datapipe_entry *first, *last;
	KSPIN_LOCK guard;
} datapipe_t;

/* Clear the list pointers and initialise guard; call before any other use. */
void datapipe_init(datapipe_t *dp);
/* Free every queued entry and zero *dp; re-initialise before reusing the pipe. */
void datapipe_free(datapipe_t *dp);

/* Size in bytes of the oldest queued entry, or 0 when the pipe is empty. */
ULONG datapipe_peek(datapipe_t *dp);
/*
 * Dequeue the oldest entry into buf (capacity size bytes).
 * Returns the number of bytes copied, or 0 when the pipe is empty or the
 * oldest entry is larger than size; in the latter case the entry stays
 * queued, so use datapipe_peek() to pick a large enough buffer.
 */
ULONG datapipe_get(datapipe_t *dp, char *buf, ULONG size);

/*
 * Append a copy of size bytes from data to the pipe.
 * Returns STATUS_SUCCESS, or STATUS_NO_MEMORY when the nonpaged-pool
 * allocation for the entry fails.
 */
NTSTATUS datapipe_push(datapipe_t *dp, const char *data, ULONG size);

#endif
--------------------------------------------------------------------------------
/windows/debug.c:
--------------------------------------------------------------------------------
/*
 * Copyright (C) 2001-2004 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by The Honeynet Project.
 * 4. The name "The Honeynet Project" may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
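IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include                     /* NOTE(review): header name lost in extraction (kernel DDK header) */

/////////////////////////////////////////////////////////////////////////////
// Lint options
//
//lint -save
//
//lint -e1776
//lint -esym(534, DbgPrint)
//
/////////////////////////////////////////////////////////////////////////////

// at most this many bytes of a buffer are dumped
#define MAX_HD_LENGTH 128

//
// Dump up to MAX_HD_LENGTH bytes of pBuffer to the kernel debugger, 16 bytes
// per line.  Each line starts with the address of its first byte; bytes in
// the range 0x21..0x7D are shown as characters, everything else as two hex
// digits.
//
// pBuffer - buffer to dump (NULL is ignored)
// Length  - number of valid bytes at pBuffer; clamped to MAX_HD_LENGTH
//
void DbgPrintHexDump(unsigned char *pBuffer, unsigned long Length)
{
	unsigned long i;

	if (!pBuffer)
		return;

	if (Length > MAX_HD_LENGTH)
	{
		Length = MAX_HD_LENGTH;
	}

	for (i = 0; i < Length; i++, pBuffer++)
	{
		unsigned char c = *pBuffer;

		//
		// Start of a new line: terminate the previous one and print the
		// address of the first byte on this line.
		//
		if ((i & 0xf) == 0)
		{
			if (i > 0)
			{
				DbgPrint("%c", '\n');
			}
			DbgPrint("%08x ", pBuffer);
		}

		//
		// FIX: the old code tested *(pBuffer+1), i.e. the NEXT byte, which
		// misclassified every byte and read one past the end of the buffer
		// on the last iteration.  Classify the byte that is being printed.
		//
		if (c >= 0x21 && c <= 0x7D)
			DbgPrint(" %c", c);
		else
			DbgPrint(" %02x", c);
	}

	//
	// Terminate the last line.
	//
	if (Length > 0)
	{
		DbgPrint("%c", '\n');
	}
}

///////////////////////////////////////////////////////////////////////////////
// Lint options
//
//lint -restore
//
///////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
/windows/debug.h:
--------------------------------------------------------------------------------
/*
 * Copyright (C) 2001-2004 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * This product includes software developed by The Honeynet Project.
 * 4. The name "The Honeynet Project" may not be used to endorse or promote
 * products derived from this software without specific prior written
 * permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.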
IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef DEBUG_H 34 | #define DEBUG_H 35 | 36 | /* 37 | * Debugging-only macros to write messages to the debug log and optionally 38 | * cause a breakpoint. 39 | */ 40 | #if DBG 41 | #define DBGOUT(params) \ 42 | { \ 43 | DbgPrint ("[sebek] "); \ 44 | DbgPrint params; \ 45 | DbgPrint ("\n"); \ 46 | } 47 | #define TRAP(msg) \ 48 | { \ 49 | DBGOUT(("TRAP at file %s, line %d: '%s'.", __FILE__, __LINE__, msg)); \ 50 | DbgBreakPoint(); \ 51 | } 52 | 53 | void DbgPrintHexDump(unsigned char *pBuffer, unsigned long Length); 54 | 55 | #define DEBUGPDUMP(pBuf, Len) \ 56 | { \ 57 | DbgPrintHexDump((PUCHAR)(pBuf), (ULONG)(Len)); \ 58 | } 59 | 60 | #else 61 | #define DBGOUT(params) 62 | #define TRAP(msg) 63 | #define DEBUGPDUMP(pBuf, Len) 64 | #endif 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /windows/exports.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. 
Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #include "sebek.h" 34 | #include "exports_int.h" 35 | 36 | UINT g_uiConfigProcNameLen = 0; 37 | 38 | 39 | /* Export the configuration tool's name (without the extension) */ 40 | __declspec(dllexport) CHAR g_ConfigProcName[CONFIG_PROC_SIZE]; 41 | 42 | /* Name of the device to use to send out packets. */ 43 | __declspec(dllexport) CHAR g_DeviceName[DEVICE_SIZE]; 44 | 45 | /* Magic value to look for in the packets we see. If we find this value then we drop this packet.
*/ 46 | __declspec(dllexport) UINT g_uiMagic = SEBEK_MAGIC; 47 | 48 | /* Destination UDP Port */ 49 | __declspec(dllexport) USHORT g_usDestPort = SEBEK_DPORT; 50 | 51 | /* Destination IP */ 52 | __declspec(dllexport) UINT g_uiDestIP = 0; 53 | 54 | /* Destination MAC */ 55 | __declspec(dllexport) UCHAR g_DestMAC[DEST_MAC_SIZE] = { 0x00, 0x20, 0xED , 0x00, 0x00, 0x00 }; 56 | -------------------------------------------------------------------------------- /windows/exports.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef EXPORTS_H 34 | #define EXPORTS_H 35 | 36 | #include "exports_int.h" 37 | 38 | extern CHAR g_DeviceName[DEVICE_SIZE]; 39 | extern USHORT g_usDestPort; 40 | extern UINT g_uiDestIP; 41 | extern UCHAR g_DestMAC[DEST_MAC_SIZE]; 42 | extern UINT g_uiMagic; 43 | extern CHAR g_ConfigProcName[CONFIG_PROC_SIZE]; 44 | extern UINT g_uiConfigProcNameLen; 45 | #endif 46 | -------------------------------------------------------------------------------- /windows/exports_int.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. 
The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef EXPORTSINT_H 34 | #define EXPORTSINT_H 35 | 36 | #define DEST_MAC_SIZE 6 37 | #define CONFIG_PROC_SIZE 13 38 | #define DRIVER_NAME_SIZE 12 39 | #define DEVICE_SIZE 40 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /windows/memtrack.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. 
All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | /** 34 | * @file memtrack.h 35 | * Debug nonpaged pool support. 36 | * Can help you to find your memory buffers overrun and underrun and memory leaks. 
37 | */ 38 | 39 | #ifndef _memtrack_h_ 40 | #define _memtrack_h_ 41 | 42 | /** tag for memory blocks */ 43 | //lint -e742 44 | #define MEM_TAG '1VRD' 45 | 46 | /** 47 | * @fn memtrack_init 48 | * Initialize memory tracking engine 49 | */ 50 | 51 | /** 52 | * @fn memtrack_free 53 | * Deinitialize memory tracking engine 54 | */ 55 | 56 | /** 57 | * @def malloc_np 58 | * Allocate memory from nonpaged pool 59 | * @param size size of block 60 | * @return address of allocated block in nonpaged pool 61 | * @retval NULL error 62 | */ 63 | 64 | /** 65 | * @def free 66 | * Free block allocated by malloc_np 67 | * @param ptr pointer to memory block (can't be NULL) 68 | */ 69 | 70 | #if DBG 71 | 72 | void memtrack_init(void); 73 | 74 | void memtrack_free(void); 75 | 76 | /** 77 | * Allocate memory from nonpaged pool and store name of file and line of code with this block 78 | * @param size size of block 79 | * @param file name of file to associate with memory block 80 | * @param line line number to associate with memory block 81 | * @return address of allocated block in nonpaged pool 82 | * @retval NULL error 83 | */ 84 | void *mt_malloc(ULONG size, const char *file, ULONG line); 85 | 86 | #define malloc_np(size) mt_malloc((size), __FILE__, __LINE__) 87 | 88 | void free(void *ptr); 89 | 90 | #define _TEST_ME_ __asm int 3 91 | 92 | #else /* DBG */ 93 | 94 | #define memtrack_init() 95 | #define memtrack_free() 96 | 97 | #define malloc_np(size) ExAllocatePoolWithTag(NonPagedPool, (size), MEM_TAG) 98 | //lint -e683 99 | #define free(ptr) ExFreePool(ptr) 100 | 101 | /** macro for debug break in checked build */ 102 | #define _TEST_ME_ 103 | 104 | #endif /* DBG */ 105 | 106 | #endif 107 | -------------------------------------------------------------------------------- /windows/net.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 
4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 
*/

#ifndef _net_h_
#define _net_h_

/*
 * network definitions
 *
 * Header layouts for Ethernet, IPv4 and UDP.  These are presumably overlaid
 * on packet buffers, so multi-byte fields hold network byte order as read
 * from the wire.
 */

#include                     /* NOTE(review): header name lost in extraction */

#define ETH_ADDR_LEN 6

/* Ethernet II header, ETH_HEADER_LEN bytes */
struct ether_hdr {
	UCHAR ether_dhost[ETH_ADDR_LEN];    /* destination MAC */
	UCHAR ether_shost[ETH_ADDR_LEN];    /* source MAC */
	USHORT ether_type;                  /* EtherType, as on the wire */
};

#define ETH_HEADER_LEN 14

/*
 * EtherType IP is 0x0800 on the wire; read into a USHORT on a little-endian
 * host it is 0x0008, so this constant is already in the form ether_type
 * holds and needs no byte swap.
 */
#define ETHERNET_TYPE_IP 0x0008 /* IP protocol: 0x0800 on the wire, 0x0008 as a little-endian USHORT */

#define IP_HEADER_LEN 20
/*
 * NOTE(review): IP_DF/IP_MF/IP_OFFMASK are host-order masks, while ip_off
 * is read in network byte order; confirm that callers swap ip_off before
 * applying them.
 */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#define IP_OFFMASK 0x1fff /* mask for fragmenting bits */

/* IPv4 header without options, IP_HEADER_LEN bytes */
struct ip_hdr {
	UCHAR ip_hl:4; /* header length */
	UCHAR ip_v:4; /* version */
	UCHAR ip_tos; /* type of service */
	USHORT ip_len; /* total length */
	USHORT ip_id; /* identification */
	USHORT ip_off; /* fragment offset field */
	UCHAR ip_ttl; /* time to live */
	UCHAR ip_p; /* protocol */
	USHORT ip_sum; /* checksum */
	ULONG ip_src; /* source address */
	ULONG ip_dst; /* dest address */
};

/* UDP header, UDP_HEADER_LEN bytes */
struct udp_hdr {
	USHORT uh_sport; /* source port */
	USHORT uh_dport; /* destination port */
	USHORT uh_ulen; /* udp length */
	USHORT uh_sum; /* udp checksum */
};

#define UDP_HEADER_LEN 8

#include                     /* NOTE(review): header name lost in extraction */

#endif
--------------------------------------------------------------------------------
/windows/nt.h:
--------------------------------------------------------------------------------
/*
 * Copyright (C) 2001-2004 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2.
Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 
31 | */ 32 | 33 | #ifndef _nt_h_ 34 | #define _nt_h_ 35 | 36 | /* 37 | * some prototypes for Native API 38 | */ 39 | 40 | #define SystemModuleInformation 11 41 | 42 | typedef struct _SYSTEM_MODULE_INFORMATION { 43 | ULONG Reserved[2]; 44 | PVOID Base; 45 | ULONG Size; 46 | ULONG Flags; 47 | USHORT Index; 48 | USHORT Unknown; 49 | USHORT LoadCount; 50 | USHORT ModuleNameOffset; 51 | CHAR ImageName[255]; 52 | } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; 53 | 54 | NTSYSAPI 55 | NTSTATUS 56 | ZwQuerySystemInformation( 57 | IN ULONG SystemInformationClass, 58 | IN PVOID SystemInformation, 59 | IN ULONG SystemInformationLength, 60 | OUT PULONG ReturnLength); 61 | 62 | NTSTATUS 63 | NTAPI 64 | ZwWaitForSingleObject( 65 | IN HANDLE hObject, 66 | IN BOOLEAN bAlertable, 67 | IN PLARGE_INTEGER Timeout 68 | ); 69 | 70 | #endif 71 | -------------------------------------------------------------------------------- /windows/obj_tbl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. 
The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef _obj_tbl_h_ 34 | #define _obj_tbl_h_ 35 | 36 | #include 37 | #include "datapipe.h" 38 | 39 | NTSTATUS ot_init(void); 40 | void ot_free(void); 41 | 42 | #define FILEOBJ_CONTROLOBJ 0 43 | #define FILEOBJ_ADDROBJ 1 44 | #define FILEOBJ_CONNOBJ 2 45 | 46 | NTSTATUS ot_add_fileobj(PDEVICE_OBJECT devobj, PFILE_OBJECT fileobj, int fileobj_type, CONNECTION_CONTEXT conn_ctx); 47 | NTSTATUS ot_del_fileobj(PFILE_OBJECT fileobj, int *fileobj_type); 48 | 49 | // maximum length of TDI_ADDRESS_TYPE_* 50 | #define TDI_ADDRESS_MAX_LENGTH TDI_ADDRESS_LENGTH_OSI_TSAP 51 | #define TA_ADDRESS_MAX (sizeof(TA_ADDRESS) - 1 + TDI_ADDRESS_MAX_LENGTH) 52 | #define TDI_ADDRESS_INFO_MAX (sizeof(TDI_ADDRESS_INFO) - 1 + TDI_ADDRESS_MAX_LENGTH) 53 | 54 | // max event index 55 | #define MAX_EVENT (TDI_EVENT_ERROR_EX + 1) 56 | 57 | /* replaced context */ 58 | typedef struct { 59 | PFILE_OBJECT fileobj; 60 | PVOID old_handler; 61 | PVOID old_context; 62 | } TDI_EVENT_CONTEXT; 63 | 64 | typedef struct ot_entry { 65 | ULONG signature; 66 | 
struct ot_entry *next; 67 | PDEVICE_OBJECT devobj; 68 | PFILE_OBJECT fileobj, associated_fileobj; 69 | int type; 70 | TDI_EVENT_CONTEXT ctx[MAX_EVENT]; 71 | UCHAR local_addr[TA_ADDRESS_MAX]; 72 | UCHAR remote_addr[TA_ADDRESS_MAX]; 73 | ULONG out_offset, in_offset, out_oob_offset, in_oob_offset; 74 | CONNECTION_CONTEXT conn_ctx; 75 | datapipe_t in_pipe, in_oob_pipe; 76 | ULONG pid; 77 | char ProcessName[16]; 78 | UCHAR ipproto; // Protocol for this connection 79 | } ot_entry_t; 80 | 81 | ot_entry_t *ot_find_fileobj(PFILE_OBJECT fileobj, KIRQL *irql); 82 | // Note: don't forget KeReleaseSpinLock(&g_ot_hash_guard, irql); 83 | 84 | extern KSPIN_LOCK g_ot_hash_guard; 85 | 86 | NTSTATUS ot_add_conn_ctx(PFILE_OBJECT addrobj, CONNECTION_CONTEXT conn_ctx, PFILE_OBJECT connobj); 87 | NTSTATUS ot_del_conn_ctx(PFILE_OBJECT addrobj, CONNECTION_CONTEXT conn_ctx); 88 | 89 | PFILE_OBJECT ot_find_conn_ctx(PFILE_OBJECT addrobj, CONNECTION_CONTEXT conn_ctx); 90 | 91 | #endif 92 | -------------------------------------------------------------------------------- /windows/packet.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. 
The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef _packet_h_ 34 | #define _packet_h_ 35 | 36 | #include 37 | #include "net.h" 38 | 39 | enum { 40 | FILTER_UNKNOWN, 41 | FILTER_ALLOW, 42 | FILTER_DENY, 43 | FILTER_CONTENT, 44 | FILTER_IGNORE 45 | }; 46 | 47 | enum { 48 | DIRECTION_IN, 49 | DIRECTION_OUT 50 | }; 51 | 52 | int filter_packet(int direction, int iface, PNDIS_PACKET packet); 53 | 54 | int process_ip_packet(int direction, int iface, UCHAR *ip_packet, UINT size); 55 | int process_transp(int direction, int iface, UCHAR proto, struct ip_hdr *ip_hdr, UCHAR *pointer, UINT buffer_len); 56 | int process_ip(int direction, int iface, struct ip_hdr *ip_hdr); 57 | int process_udp(int direction, int iface, struct ip_hdr *ip_hdr, struct udp_hdr *udp_hdr, UCHAR *pointer, UINT buffer_len); 58 | #endif 59 | -------------------------------------------------------------------------------- /windows/proc_tbl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2010 The Honeynet Project. 
3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 
*/

#ifndef _proc_tbl_h_
#define _proc_tbl_h_

#include 
#include "logging.h"

/*
 * Process table: maps a PID to the ProcessData recorded for it and the time
 * it was last seen.  Entries are chained through proc_entry.next; the table
 * is presumably guarded by the g_proc_hash_guard spin lock exported at the
 * bottom of this header (proc_tbl.c is not visible here).
 */

/* Set up the table; proc_free() tears it down again. */
NTSTATUS proc_init(void);
void proc_free(void);

/* Record pProcInfo for pid, observed at time `seen`.
 * NOTE(review): the entry below keeps the pointer rather than a copy, so
 * whether the table takes ownership of pProcInfo or the caller must keep it
 * alive is decided in proc_tbl.c — confirm before freeing it. */
NTSTATUS proc_add(CONST ULONG pid, CONST ProcessData *pProcInfo, CONST TIME seen);

typedef struct proc_entry {
    struct proc_entry *next;          /* next entry in the same chain */
    ULONG pid;
    LARGE_INTEGER lastseen;           /* presumably the `seen` value passed to proc_add */
    CONST ProcessData *pProcInfo;     /* stored by pointer, not copied */
} proc_entry_t;

/*
 * Look up pid.  The entry is returned with the table's spin lock still held
 * and the previous IRQL stored in *irql, so the caller must release it as
 * soon as it is done with the entry:
 *
 *     KeReleaseSpinLock(&g_proc_hash_guard, irql);
 *
 * Whether the lock is also held when NULL is returned is not visible here.
 *
 * NOTE(review): the original reminder below named g_ot_hash_guard, which is
 * the object-table lock declared in obj_tbl.h, not the lock this header
 * exports.  A caller following that comment would leave the process table
 * locked at raised IRQL and release a lock it never acquired.  Confirm the
 * lock proc_find() really takes against proc_tbl.c.
 */
proc_entry_t *proc_find(CONST ULONG pid, KIRQL *irql);
// Note: don't forget KeReleaseSpinLock(&g_proc_hash_guard, irql);

NTSTATUS proc_del(CONST ULONG pid);

extern KSPIN_LOCK g_proc_hash_guard;
#endif

--------------------------------------------------------------------------------
/windows/resource.h:
--------------------------------------------------------------------------------
//{{NO_DEPENDENCIES}}
// Microsoft Developer Studio generated include file.
// Used by sebek.rc
//

// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 101
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1000
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif

--------------------------------------------------------------------------------
/windows/sebek.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/sebek.aps
--------------------------------------------------------------------------------
/windows/sebek.dsw:
--------------------------------------------------------------------------------
Microsoft Developer Studio Workspace File, Format Version 6.00
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
3 | 4 | ############################################################################### 5 | 6 | Project: "sebek"=".\sebek.dsp" - Package Owner=<4> 7 | 8 | Package=<5> 9 | {{{ 10 | }}} 11 | 12 | Package=<4> 13 | {{{ 14 | }}} 15 | 16 | ############################################################################### 17 | 18 | Global: 19 | 20 | Package=<5> 21 | {{{ 22 | }}} 23 | 24 | Package=<3> 25 | {{{ 26 | }}} 27 | 28 | ############################################################################### 29 | 30 | -------------------------------------------------------------------------------- /windows/sebek.rc: -------------------------------------------------------------------------------- 1 | // Microsoft Visual C++ generated resource script. 2 | // 3 | #include "resource.h" 4 | 5 | #define APSTUDIO_READONLY_SYMBOLS 6 | ///////////////////////////////////////////////////////////////////////////// 7 | // 8 | // Generated from the TEXTINCLUDE 2 resource. 9 | // 10 | #include "winres.h" 11 | 12 | ///////////////////////////////////////////////////////////////////////////// 13 | #undef APSTUDIO_READONLY_SYMBOLS 14 | 15 | ///////////////////////////////////////////////////////////////////////////// 16 | // English (U.S.) 
resources 17 | 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) 19 | #ifdef _WIN32 20 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US 21 | #pragma code_page(1252) 22 | #endif //_WIN32 23 | 24 | ///////////////////////////////////////////////////////////////////////////// 25 | // 26 | // Version 27 | // 28 | 29 | VS_VERSION_INFO VERSIONINFO 30 | FILEVERSION 3,0,5,0 31 | PRODUCTVERSION 3,0,5,0 32 | FILEFLAGSMASK 0x3fL 33 | #ifdef _DEBUG 34 | FILEFLAGS 0x1L 35 | #else 36 | FILEFLAGS 0x0L 37 | #endif 38 | FILEOS 0x40004L 39 | FILETYPE 0x0L 40 | FILESUBTYPE 0x0L 41 | BEGIN 42 | BLOCK "StringFileInfo" 43 | BEGIN 44 | BLOCK "040904b0" 45 | BEGIN 46 | VALUE "CompanyName", "The Honeynet Project" 47 | VALUE "FileDescription", "SEBEK" 48 | VALUE "FileVersion", "3, 0, 5, 0" 49 | VALUE "InternalName", "sebek" 50 | VALUE "LegalCopyright", "Copyright ?2010 The Honeynet Project" 51 | VALUE "OriginalFilename", "sebek.sys" 52 | VALUE "ProductName", "sebek" 53 | VALUE "ProductVersion", "3, 0, 5, 0" 54 | END 55 | END 56 | BLOCK "VarFileInfo" 57 | BEGIN 58 | VALUE "Translation", 0x409, 1200 59 | END 60 | END 61 | 62 | 63 | #ifdef APSTUDIO_INVOKED 64 | ///////////////////////////////////////////////////////////////////////////// 65 | // 66 | // TEXTINCLUDE 67 | // 68 | 69 | 1 TEXTINCLUDE 70 | BEGIN 71 | "resource.h\0" 72 | END 73 | 74 | 2 TEXTINCLUDE 75 | BEGIN 76 | "#include ""winres.h""\r\n" 77 | "\0" 78 | END 79 | 80 | 3 TEXTINCLUDE 81 | BEGIN 82 | "\r\n" 83 | "\0" 84 | END 85 | 86 | #endif // APSTUDIO_INVOKED 87 | 88 | #endif // English (U.S.) resources 89 | ///////////////////////////////////////////////////////////////////////////// 90 | 91 | 92 | 93 | #ifndef APSTUDIO_INVOKED 94 | ///////////////////////////////////////////////////////////////////////////// 95 | // 96 | // Generated from the TEXTINCLUDE 3 resource. 
97 | // 98 | 99 | 100 | ///////////////////////////////////////////////////////////////////////////// 101 | #endif // not APSTUDIO_INVOKED 102 | 103 | -------------------------------------------------------------------------------- /windows/sebek.sln: -------------------------------------------------------------------------------- 1 | Microsoft Visual Studio Solution File, Format Version 10.00 2 | # Visual Studio 2008 3 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sebek", "sebek.vcproj", "{392D60C9-6E63-4FCA-97F3-CDC50410538D}" 4 | EndProject 5 | Global 6 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 7 | Windows 2000 Checked|Win32 = Windows 2000 Checked|Win32 8 | Windows 2000 Free|Win32 = Windows 2000 Free|Win32 9 | Windows 2003 Checked|Win32 = Windows 2003 Checked|Win32 10 | Windows 2003 Free|Win32 = Windows 2003 Free|Win32 11 | Windows 7 Checked|Win32 = Windows 7 Checked|Win32 12 | Windows 7 Free|Win32 = Windows 7 Free|Win32 13 | Windows Vista Checked|Win32 = Windows Vista Checked|Win32 14 | Windows Vista Free|Win32 = Windows Vista Free|Win32 15 | Windows XP Checked|Win32 = Windows XP Checked|Win32 16 | Windows XP Free|Win32 = Windows XP Free|Win32 17 | EndGlobalSection 18 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 19 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2000 Checked|Win32.ActiveCfg = Windows 2000 Checked|Win32 20 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2000 Checked|Win32.Build.0 = Windows 2000 Checked|Win32 21 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2000 Free|Win32.ActiveCfg = Windows 2000 Free|Win32 22 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2000 Free|Win32.Build.0 = Windows 2000 Free|Win32 23 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2003 Checked|Win32.ActiveCfg = Windows 2003 Checked|Win32 24 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2003 Checked|Win32.Build.0 = Windows 2003 Checked|Win32 25 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2003 
Free|Win32.ActiveCfg = Windows 2003 Free|Win32 26 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 2003 Free|Win32.Build.0 = Windows 2003 Free|Win32 27 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 7 Checked|Win32.ActiveCfg = Windows 7 Checked|Win32 28 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 7 Checked|Win32.Build.0 = Windows 7 Checked|Win32 29 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 7 Free|Win32.ActiveCfg = Windows 7 Free|Win32 30 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows 7 Free|Win32.Build.0 = Windows 7 Free|Win32 31 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows Vista Checked|Win32.ActiveCfg = Windows Vista Checked|Win32 32 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows Vista Checked|Win32.Build.0 = Windows Vista Checked|Win32 33 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows Vista Free|Win32.ActiveCfg = Windows Vista Free|Win32 34 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows Vista Free|Win32.Build.0 = Windows Vista Free|Win32 35 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows XP Checked|Win32.ActiveCfg = Windows XP Checked|Win32 36 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows XP Checked|Win32.Build.0 = Windows XP Checked|Win32 37 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows XP Free|Win32.ActiveCfg = Windows XP Free|Win32 38 | {392D60C9-6E63-4FCA-97F3-CDC50410538D}.Windows XP Free|Win32.Build.0 = Windows XP Free|Win32 39 | EndGlobalSection 40 | GlobalSection(SolutionProperties) = preSolution 41 | HideSolutionNode = FALSE 42 | EndGlobalSection 43 | EndGlobal 44 | -------------------------------------------------------------------------------- /windows/sebek.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/honeynet/sebek/11bb9954c589f1a3e33c27c1d541f9d34d5d4bbc/windows/sebek.suo -------------------------------------------------------------------------------- /windows/sock.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 
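*/

#include 
#include 
#include "sock.h"

/*
 * Minimal replacements for the Winsock byte-order helpers and inet_addr(),
 * for use in kernel mode where ws2_32 is not available.  The swaps are
 * unconditional, so they yield network order only on a little-endian host
 * (the Win32/x86 targets this driver is built for).
 */

/* Network (big-endian) to host order for a 32-bit value.  Only the low
 * 32 bits take part; if u_long is wider, the upper bytes of the result are
 * zero, as in the original byte-by-byte copy. */
u_long
ntohl (u_long netlong)
{
    u_long b0 = (netlong      ) & 0xffUL;
    u_long b1 = (netlong >>  8) & 0xffUL;
    u_long b2 = (netlong >> 16) & 0xffUL;
    u_long b3 = (netlong >> 24) & 0xffUL;

    return (b0 << 24) | (b1 << 16) | (b2 << 8) | b3;
}

/* Network to host order for a 16-bit value. */
u_short
ntohs (u_short netshort)
{
    return (u_short)(((netshort & 0xff) << 8) | ((netshort >> 8) & 0xff));
}

/*
 * Parse a dotted-quad IPv4 address ("a.b.c.d") into a 32-bit value in
 * network byte order, the representation Winsock's inet_addr() returns.
 *
 * Returns INADDR_NONE for anything that is not exactly four decimal fields
 * in 0..255 separated by single dots: an empty or missing field, a field
 * out of range, a non-digit character, or trailing characters after the
 * fourth field.  A NULL pointer returns 0 (kept from the original; note
 * that 0 is also the valid encoding of "0.0.0.0").
 *
 * Why this replaced the atoi()/strchr() version: that code silently
 * accepted junk ("1x.2.3.4", "1.2.3.4abc", "1.2.3.4.5"), had undefined
 * behaviour when a field overflowed int, and reported an out-of-range field
 * as 0 (== INADDR_ANY) while reporting a missing dot as INADDR_NONE, so a
 * caller could not tell a bad address from "0.0.0.0".  Every malformed
 * input now yields INADDR_NONE.  As with Winsock, "255.255.255.255" is
 * indistinguishable from INADDR_NONE.
 */
u_long
inet_addr(const char *cp)
{
    u_long octet[4];
    const char *p;
    int i;

    if (!cp)
        return 0;

    p = cp;
    for (i = 0; i < 4; i++) {
        const char *field = p;
        u_long val = 0;

        /* Accumulate digits; stop as soon as the field exceeds 255 so an
         * arbitrarily long digit run cannot overflow. */
        while (*p >= '0' && *p <= '9') {
            val = val * 10 + (u_long)(*p - '0');
            if (val > 255)
                return INADDR_NONE;
            p++;
        }
        if (p == field)
            return INADDR_NONE;        /* empty field: "", "1..2.3", ".1.2.3" */

        octet[i] = val;

        if (i < 3) {
            if (*p != '.')
                return INADDR_NONE;    /* junk inside a field, or too few fields */
            p++;
        }
    }
    if (*p != '\0')
        return INADDR_NONE;            /* trailing garbage after the fourth field */

    /* The first field lands in the lowest-addressed byte, which is network
     * order on a little-endian host. */
    return octet[0] | (octet[1] << 8) | (octet[2] << 16) | (octet[3] << 24);
}

/* Host to network order; a byte swap is its own inverse. */
u_long
htonl(u_long netlong)
{
    return ntohl(netlong);
}

u_short
htons(u_short netshort)
{
    return ntohs(netshort);
}

--------------------------------------------------------------------------------
/windows/sock.h:
--------------------------------------------------------------------------------
/*
 * Copyright (C) 2001-2004 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.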
Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef _sock_h_ 34 | #define _sock_h_ 35 | 36 | /*--- some declarations from winsock.h ---*/ 37 | 38 | /* 39 | * Basic system type definitions, taken from the BSD file sys/types.h. 
*/
/* Fixed-width aliases mirroring Winsock's.  On the Win32 targets this
 * driver builds for, u_int and u_long are both 32 bits, which in_aton()
 * below relies on when it returns the u_long from htonl() as a u_int. */
typedef unsigned char u_char;
typedef unsigned short u_short;
typedef unsigned int u_int;
typedef unsigned long u_long;

// some socket functions
// (implemented in sock.c; the byte swaps assume a little-endian host)

u_long ntohl(u_long netlong);
u_short ntohs(u_short netshort);

u_long htonl(u_long netlong);
u_short htons(u_short netshort);

/* Dotted-quad parser; see sock.c for what it returns on bad input. */
u_long inet_addr(const char *cp);

/*
 * Convert a dotted-quad string to a network-order IPv4 address.
 *
 * This does NO validation and has no way to report an error:
 *   - every character up to the next '.' (or NUL) is folded in as
 *     (*str - '0'), so letters or other junk silently corrupt the value;
 *   - a field is never range-checked or masked to 8 bits, so a value such
 *     as "300.1.1.1" spills into the neighbouring octet instead of failing;
 *   - fewer than four fields are accepted and the missing ones read as 0;
 *   - anything after the fourth field is ignored;
 *   - a NULL pointer yields 0, which is also the encoding of "0.0.0.0".
 * Only hand it strings that have already been validated, or use inet_addr,
 * which at least reports a missing separator as INADDR_NONE.
 */
__inline u_int in_aton(const char *str)
{
    u_long l;
    u_int val;
    u_int i;

    if(!str)
        return 0;

    l = 0;
    for (i = 0; i < 4; i++) {
        l <<= 8;                       /* make room for the next octet */
        if (*str != '\0') {
            val = 0;
            while (*str != '\0' && *str != '.')
            {
                val *= 10;
                //lint -e737
                val += *str - '0';     /* unchecked: assumes a digit */
                str++;
            }
            l |= val;                  /* not masked to 0xff: oversize fields overlap */
            if (*str != '\0')
                str++;                 /* step over the '.' */
        }
    }

    return(htonl(l));
}

/*
 * Protocols
 * (protocol numbers as carried in the IP header's protocol field)
 */
#define IPPROTO_IP 0 /* dummy for IP */
#define IPPROTO_ICMP 1 /* control message protocol */
#define IPPROTO_TCP 6 /* tcp */
#define IPPROTO_UDP 17 /* user datagram protocol */

/*
 * Structure used by kernel to store most
 * addresses.
 */
struct sockaddr {
    u_short sa_family; /* address family */
    char sa_data[14]; /* up to 14 bytes of direct address */
};

/*
 * Internet address (old style... should be updated)
 * The union lets one 32-bit address be viewed as four bytes, two 16-bit
 * words or a single u_long; the s_* macros below are the historical BSD
 * accessor names for those views.
 */
struct in_addr {
    union {
        struct { u_char s_b1,s_b2,s_b3,s_b4; } S_un_b;
        struct { u_short s_w1,s_w2; } S_un_w;
        u_long S_addr;
    } S_un;
#define s_addr S_un.S_addr
    /* can be used for most tcp & ip code */
#define s_host S_un.S_un_b.s_b2
    /* host on imp */
#define s_net S_un.S_un_b.s_b1
    /* network */
#define s_imp S_un.S_un_w.s_w2
    /* imp */
#define s_impno S_un.S_un_b.s_b4
    /* imp # */
#define s_lh S_un.S_un_b.s_b3
    /* logical host */
};

/*
 * Socket address, internet style.
128 | */ 129 | struct sockaddr_in { 130 | short sin_family; 131 | u_short sin_port; 132 | struct in_addr sin_addr; 133 | char sin_zero[8]; 134 | }; 135 | 136 | /* 137 | * Address families. 138 | */ 139 | #define AF_INET 2 /* internetwork: UDP, TCP, etc. */ 140 | 141 | #define INADDR_ANY (u_long)0x00000000 142 | #define INADDR_LOOPBACK 0x7f000001 143 | #define INADDR_BROADCAST (u_long)0xffffffff 144 | #define INADDR_NONE 0xffffffff 145 | 146 | #endif 147 | -------------------------------------------------------------------------------- /windows/tdi_hook.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 19 | * 20 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY 21 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE 24 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | * SUCH DAMAGE. 31 | */ 32 | 33 | #ifndef _TDI_HOOK_H_ 34 | #define _TDI_HOOK_H_ 35 | 36 | NTSTATUS InitTDIHook(void); 37 | void UnloadTDIHook(void); 38 | 39 | #endif -------------------------------------------------------------------------------- /windows/tdithread.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (C) 2001-2004 The Honeynet Project. 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions 7 | * are met: 8 | * 1. Redistributions of source code must retain the above copyright 9 | * notice, this list of conditions and the following disclaimer. 10 | * 2. Redistributions in binary form must reproduce the above copyright 11 | * notice, this list of conditions and the following disclaimer in the 12 | * documentation and/or other materials provided with the distribution. 13 | * 3. All advertising materials mentioning features or use of this software 14 | * must display the following acknowledgement: 15 | * This product includes software developed by The Honeynet Project. 16 | * 4. The name "The Honeynet Project" may not be used to endorse or promote 17 | * products derived from this software without specific prior written 18 | * permission. 
*
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifdef ENABLE_TDIHOOK
#include "TDIthread.h"
#include "sebek.h"
#include "exports.h"
#include "debug.h"
#include "logging.h"
#include "util.h"
#include "tdi_hook.h"

/* Set by the driver to make TDIThread exit; initialised inside the thread. */
KEVENT g_TDIThreadShutdownEvent;
/* Set by its owner when it is safe to start looking for tcpip.sys.
 * Initialised outside this file (see the comment in TDIThread). */
extern KEVENT g_TDIThreadStartEvent;
/* Referenced driver object for \Driver\Tcpip, filled in by
 * ObReferenceObjectByName() once the driver has been found. */
PDRIVER_OBJECT g_pTCPIPDriverObject = NULL;

/*
 * System thread that waits for tcpip.sys to appear and then installs the
 * TDI hook.
 *
 * Sequence:
 *   1. Block until either the shutdown event or the start event is set.
 *   2. Every TDI_RETRY_TIMER seconds try ObReferenceObjectByName() on
 *      "\Driver\Tcpip".  On success call InitTDIHook() and exit; give up
 *      after TDI_INIT_TIMEOUT seconds in total.
 *   3. A shutdown signal at any point ends the thread.
 *
 * pData is unused.  Every path leaves via PsTerminateSystemThread(), so
 * the `return`s after it are never reached.
 *
 * NOTE(review): ObReferenceObjectByName() hands back a *referenced* driver
 * object in g_pTCPIPDriverObject.  Nothing in this file releases that
 * reference — not when InitTDIHook() fails and not at shutdown — so unless
 * UnloadTDIHook() or the driver unload path (not visible here) calls
 * ObDereferenceObject() on it, tcpip.sys stays pinned.  Confirm in
 * tdi_hook.c before changing the failure path.
 */
VOID TDIThread(PVOID pData)
{
    PVOID eventArray[2];
    const ULONG ulNumEvents = sizeof(eventArray)/sizeof(eventArray[0]);
    NTSTATUS status;
    LARGE_INTEGER liTimeout;
    UNICODE_STRING drv_name;
    ULONG ulTotalTime = 0;          /* seconds spent polling so far */

    RtlInitUnicodeString(&drv_name, L"\\Driver\\Tcpip");

    // Start event is Initialized externally to avoid race conditions
    KeInitializeEvent(&g_TDIThreadShutdownEvent, NotificationEvent, FALSE);

    eventArray[0] = &g_TDIThreadShutdownEvent;
    eventArray[1] = &g_TDIThreadStartEvent;

    /* With WaitAny the status is the index of the event that fired
     * (relative to STATUS_WAIT_0, which is 0): 0 = shutdown, 1 = start. */
    status = KeWaitForMultipleObjects(ulNumEvents, eventArray, WaitAny, Executive, KernelMode, FALSE, NULL, NULL);
    switch(status) {
    case 0: // Shutdown!
        PsTerminateSystemThread(STATUS_SUCCESS);
        return;
    case 1:
        break;
    default:
        DBGOUT(("TDI Thread KeWaitForMultipleObjects failed! ErrorCode %08X", status));
        PsTerminateSystemThread(STATUS_UNSUCCESSFUL);
        return;
    }


    // Timeouts are in units of 100 nanoseconds.
    // Negative timeout values are treated as relative time.
    liTimeout.QuadPart = (long)TDI_RETRY_TIMER * (1000 * 1000 * 10 * -1);

    DBGOUT(("TDI Thread Initialized! Will loop every %d seconds looking for TCPIP Driver", TDI_RETRY_TIMER));
    while(1) {
        /* Sleep one retry interval, waking immediately on shutdown. */
        status = KeWaitForSingleObject(&g_TDIThreadShutdownEvent, Executive, KernelMode, FALSE, &liTimeout);

        DBGOUT(("KeWaitForSingleObject returned 0x%08X", status));
        switch(status) {
        case 0: // Shutdown event!
        thread_exit:                /* shared exit, also reached by the gotos below */
            PsTerminateSystemThread(STATUS_SUCCESS);
            return;
        case STATUS_TIMEOUT: // Data on our pipe
            /* (The comment above is stale: a timeout here only means the
             *  retry interval elapsed without a shutdown signal.) */
        {
            // See if TCPIP.sys is loaded yet:
            status = ObReferenceObjectByName(&drv_name, OBJ_CASE_INSENSITIVE, NULL, 0, IoDriverObjectType, KernelMode, NULL, &g_pTCPIPDriverObject);
            if(status == STATUS_SUCCESS) {
                /* NOTE(review): logged before InitTDIHook() runs, so
                 * "Hooked" here only means the driver object was found. */
                DBGOUT(("TDI Driver Hooked!"));
                status = InitTDIHook();
                if(status != STATUS_SUCCESS)
                    DBGOUT(("Unable to Initialize TDI Hook Driver!"));
                /* A hook failure is logged but not reported to anyone, and
                 * the thread exits either way; the reference taken above is
                 * kept (see the function comment). */

                goto thread_exit;
            } else {
                DBGOUT(("Did not find TCPIP.sys driver. Going to sleep"));
                ulTotalTime += TDI_RETRY_TIMER;
                if(ulTotalTime < TDI_INIT_TIMEOUT)
                    continue;
                else {
                    // ERROR OUT
                    DBGOUT(("Never found TCPIP Driver after %d seconds. Failing!!!", TDI_INIT_TIMEOUT));
                    goto thread_exit;
                }
            }
        }
        break;
        default:
            DBGOUT(("Unknown status from KeWaitForSingleObject! Status: 0x%08X\n", status));
            goto thread_exit;
        }
    }
}
#endif
--------------------------------------------------------------------------------
/windows/tdithread.h:
--------------------------------------------------------------------------------
#ifndef TDITHREAD_H
#define TDITHREAD_H

#include 

/* Stop looking for tcpip.sys after this many seconds in total ... */
#define TDI_INIT_TIMEOUT 60 /* in seconds */
/* ... while polling for it at this interval (see TDIThread). */
#define TDI_RETRY_TIMER 2 /* seconds */

extern KEVENT g_TDIThreadShutdownEvent;
extern KEVENT g_TDIThreadStartEvent;

/* Declared by hand, presumably because the headers this driver includes do
 * not provide it.  By its name the object is returned referenced, so the
 * caller owns a reference it must eventually drop with ObDereferenceObject()
 * — TDIThread currently never does. */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object
    );

/* Object type used to restrict the lookup above to driver objects. */
extern POBJECT_TYPE IoDriverObjectType;

KSTART_ROUTINE TDIThread;
VOID TDIThread(PVOID pData);

#endif
--------------------------------------------------------------------------------