mp4um x+
14 kb       Socket-Scanner  v.1.0     by  The+Q



" Socket-Scanner is a TCP/IP packet logger. It can dump data sent through the
Windows Winsock DLL via the 'send' and 'recv' APIs. By analyzing the logs, one
can, at least in theory, catch programs that like to "call home" and misbehave
in other ways.

Here's a little snippet from one of the programs I've tested:

(sent.log)  [19:11:40] 207.159.139.57:80
            GET /cgi-bin/vcheck?/ws4cu.chk&UNREGISTERED HTTP/1.1
            User-Agent: Mozilla/2.0 (compatible; WS4.0d.199)
            Host: www.robomagic.com
            
Be aware that on connection the program (wetsock in this example) just
revealed your IP to its home server, and marked it 'unregistered' -
something you would not voluntarily give away.

How to scan a target:

1. Run Socket-scanner first.
2. Select check-boxes if you wish to log the packets.
3. Run target application.
4. Let the target run its course, while everything is logged in the background.
5. Close target.
6. Close the scanner.

Take care about the order: run scanner, run target, close target, close scanner.

How S-Scan works:

This work was originally intended simply to test my API hook engine (yes, there
are simpler ways to log packets, and yes, this will only work under Win9x).
However, wsock32.dll is not mapped to a shared memory region (check its image
base), meaning every process gets a fresh image of the wsock32 module.
So in order to hook the 'send' and 'recv' APIs, the program first hooks the
'LoadLibrary' API, which checks whenever a process tries to link the Winsock
DLL. If it catches a process that does, it will set up the hooks for the
send/recv APIs.

This simply means that only applications that were run after s-scan will be
logged. And for safety reasons (and because I'm a lazy coder :), be sure to
close the target application before you stop s-scan.

Last words:

With some more work, this tool can also EDIT the packets. This means a
trainer for network based games.. anyone interested? :)
You can reach me at [email protected]
Greetings to all PC members, and all the crackers in the world =)

The+Q "
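
The log analysis the readme describes (reading sent.log to see what a program sends home), as an added example that is not part of Socket-Scanner or the original readme. It assumes every log entry looks like the single one quoted above, a `[time] ip:port` header followed by payload lines; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Entry header as printed in the readme: "[19:11:40] 207.159.139.57:80".
# Assumption: each entry is that header followed by its payload lines
# (the readme shows a single entry, so the wider format is inferred).
HEADER = re.compile(r"\[(\d\d:\d\d:\d\d)\]\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
REQUEST = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")

SAMPLE = """\
(sent.log)  [19:11:40] 207.159.139.57:80
            GET /cgi-bin/vcheck?/ws4cu.chk&UNREGISTERED HTTP/1.1
            User-Agent: Mozilla/2.0 (compatible; WS4.0d.199)
            Host: www.robomagic.com
"""  # the snippet quoted in the readme

def parse_sent_log(text):
    """Split a sent.log dump into entries: time, peer address, payload lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            entries.append({"time": m.group(1), "peer": f"{m.group(2)}:{m.group(3)}",
                            "payload": []})
        elif entries and line.strip():
            entries[-1]["payload"].append(line.strip())
    return entries

def call_home_report(text):
    """One row per logged HTTP request: when, where to, and what it carried."""
    rows = []
    for e in parse_sent_log(text):
        m = REQUEST.match(e["payload"][0]) if e["payload"] else None
        if not m:
            continue  # not an HTTP request (other protocol or binary data)
        headers = {}
        for line in e["payload"][1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        target = urlsplit(m.group(2))
        rows.append({"time": e["time"], "peer": e["peer"],
                     "host": headers.get("host"), "path": target.path,
                     "query": target.query, "agent": headers.get("user-agent")})
    return rows

if __name__ == "__main__":
    for row in call_home_report(SAMPLE):
        print(row)
```

The `query` field is where the registration state from the readme's example ends up, so it is the first column to review for data a program discloses about the user.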