Category:Digital-Forensics/Sniffers


Description

INCOMPLETE SECTION OR ARTICLE: this section/article is being written and is therefore not complete.

Steps

Each step lists the Winsock functions that implement it, followed by the corresponding disassembly from RKSniffer (IDA Pro output).

Step 1: Create a raw socket
Functions:
  • WSASocket()
  • socket()
Example (RKSniffer):
.text:0040118B                 push    1               ; dwFlags (1 = WSA_FLAG_OVERLAPPED)
.text:0040118D                 push    eax             ; g
.text:0040118E                 push    eax             ; lpProtocolInfo
.text:0040118F                 push    eax             ; protocol
.text:00401190                 push    3               ; type (3 = SOCK_RAW)
.text:00401192                 push    2               ; af (2 = AF_INET)
.text:00401194                 call    ds:WSASocketA

Step 2: Bind the socket to the address of the interface to capture on
Functions:
  • bind()
Example (RKSniffer):
.text:004012BD                 lea     eax, [ebp+name]
.text:004012C0                 push    10h             ; namelen (10h = sizeof(sockaddr_in))
.text:004012C2                 push    eax             ; name
.text:004012C3                 push    dword ptr [esi+4] ; s
.text:004012C6                 call    ds:bind

Step 3: Put the interface into promiscuous (receive-all) mode
Functions:
  • WSAIoctl()
  • ioctlsocket()
Example (RKSniffer):
.text:004012DE                 push    edi             ; lpCompletionRoutine
.text:004012DF                 lea     eax, [ebp+cbBytesReturned]
.text:004012E2                 push    edi             ; lpOverlapped
.text:004012E3                 push    eax             ; lpcbBytesReturned
.text:004012E4                 lea     eax, [ebp+vOutBuffer]
.text:004012E7                 push    28h             ; cbOutBuffer
.text:004012E9                 push    eax             ; lpvOutBuffer
.text:004012EA                 lea     eax, [ebp+vInBuffer]
.text:004012ED                 push    4               ; cbInBuffer (4-byte option value)
.text:004012EF                 push    eax             ; lpvInBuffer
.text:004012F0                 push    SIO_RCVALL      ; dwIoControlCode (initial value 0x98000001, renamed with the IDA Pro standard symbolic constant)
.text:004012F5                 push    dword ptr [esi+4] ; s
.text:004012F8                 call    ds:WSAIoctl
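As an added example (not code from RKSniffer or from this page), the three-step pattern above can be turned into a static triage check: parse the IDA-style push/call sequence, rebuild each call's arguments (stdcall pushes them right to left) and flag a WSASocket/socket call with af=2 and type=3, a subsequent bind, and a WSAIoctl whose control code is SIO_RCVALL (0x98000001). The input is a shortened copy of the page's own disassembly; the step names and the bind heuristic are this example's own choices.

```python
import re

# Constructed input (excerpt of the RKSniffer disassembly quoted on this page); not RKSniffer's or aldeid's code.
DISASM = """
.text:0040118B                 push    1               ; dwFlags
.text:0040118D                 push    eax             ; g
.text:0040118E                 push    eax             ; lpProtocolInfo
.text:0040118F                 push    eax             ; protocol
.text:00401190                 push    3               ; type
.text:00401192                 push    2               ; af
.text:00401194                 call    ds:WSASocketA
.text:004012C3                 push    dword ptr [esi+4] ; s
.text:004012C6                 call    ds:bind
.text:004012F0                 push    SIO_RCVALL      ; dwIoControlCode
.text:004012F5                 push    dword ptr [esi+4] ; s
.text:004012F8                 call    ds:WSAIoctl
"""
INSTR = re.compile(r"^\.text:[0-9A-F]+\s+(push|call)\s+(.+?)(?:\s*;.*)?$")
CONSTS = {"SIO_RCVALL": 0x98000001}   # _WSAIOW(IOC_VENDOR, 1), the value the page gives
AF_INET, SOCK_RAW = 2, 3

def imm(op):
    """Value of an immediate or symbolic push operand (IDA '10h' hex style), else None."""
    op = op.strip()
    if op in CONSTS:
        return CONSTS[op]
    if re.fullmatch(r"[0-9A-Fa-f]+h", op):
        return int(op[:-1], 16)
    return int(op) if op.isdigit() else None

def calls(disasm):
    """Yield (callee, args) with args in C order: stdcall pushes right-to-left."""
    pushed = []
    for line in disasm.splitlines():
        m = INSTR.match(line.strip())
        if not m:
            continue
        if m.group(1) == "push":
            pushed.append(imm(m.group(2)))
        else:
            yield m.group(2).strip().removeprefix("ds:"), pushed[::-1]
            pushed = []

def sniffer_steps(disasm):
    """Return which of the page's three sniffer steps the disassembly performs."""
    steps = []
    for callee, args in calls(disasm):
        if callee in ("WSASocketA", "socket") and args[:2] == [AF_INET, SOCK_RAW]:
            steps.append("raw socket")
        elif callee == "bind" and "raw socket" in steps:   # heuristic: bind after a raw socket
            steps.append("bind")
        elif callee == "WSAIoctl" and len(args) > 1 and args[1] == CONSTS["SIO_RCVALL"]:
            steps.append("promiscuous (SIO_RCVALL)")
    return steps
```

Seeing all three steps in one function is a stronger indicator than any single call, since raw sockets and bind are common on their own.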
