Category:Digital-Forensics/Sniffers
Description
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Steps

The RKSniffer sample goes through three steps. The Functions column names the Winsock import each step relies on (taken from the listings that follow); the Example column gives the address where the corresponding call sequence starts.

Step | Functions | Example (RKSniffer)
---|---|---
Create a raw socket | WSASocketA | listing below, from .text:0040118B
Bind socket to an interface | bind | listing below, from .text:004012BD
Put interface into promiscuous mode | WSAIoctl with SIO_RCVALL | listing below, from .text:004012DE

Create a raw socket (af = 2 is AF_INET, type = 3 is SOCK_RAW, dwFlags = 1 is WSA_FLAG_OVERLAPPED):

```asm
.text:0040118B push 1             ; dwFlags = WSA_FLAG_OVERLAPPED
.text:0040118D push eax           ; g
.text:0040118E push eax           ; lpProtocolInfo
.text:0040118F push eax           ; protocol
.text:00401190 push 3             ; type = SOCK_RAW
.text:00401192 push 2             ; af = AF_INET
.text:00401194 call ds:WSASocketA
```

Bind socket to an interface (namelen = 10h = 16 bytes, the size of a sockaddr_in, so the socket is bound to a specific local IPv4 address):

```asm
.text:004012BD lea eax, [ebp+name]
.text:004012C0 push 10h           ; namelen = sizeof(sockaddr_in)
.text:004012C2 push eax           ; name
.text:004012C3 push dword ptr [esi+4] ; s (the socket created above)
.text:004012C6 call ds:bind
```

Put interface into promiscuous mode (the SIO_RCVALL control code asks the stack to deliver every IP packet seen on that interface to the raw socket):

```asm
.text:004012DE push edi           ; lpCompletionRoutine
.text:004012DF lea eax, [ebp+cbBytesReturned]
.text:004012E2 push edi           ; lpOverlapped
.text:004012E3 push eax           ; lpcbBytesReturned
.text:004012E4 lea eax, [ebp+vOutBuffer]
.text:004012E7 push 28h           ; cbOutBuffer
.text:004012E9 push eax           ; lpvOutBuffer
.text:004012EA lea eax, [ebp+vInBuffer]
.text:004012ED push 4             ; cbInBuffer
.text:004012EF push eax           ; lpvInBuffer
.text:004012F0 push SIO_RCVALL    ; dwIoControlCode (raw value 0x98000001, shown as the standard symbolic constant by IDA Pro)
.text:004012F5 push dword ptr [esi+4] ; s (the bound socket)
.text:004012F8 call ds:WSAIoctl
```
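A triage check written for this page (not part of the original article or of RKSniffer) that parses IDA-style listings like the ones above and reports which of the three steps are present, so the pattern can be searched for in other samples' disassembly. The sample listing is constructed from the fragments quoted here; the `98000001h` and `0x98000001` spellings of SIO_RCVALL are assumed alternatives for disassemblies in which IDA did not resolve the symbolic name.

```python
import re
# Constructed sample: the push/call lines of the three RKSniffer fragments quoted above.
LISTING = """
.text:0040118B push 1 ; dwFlags
.text:0040118D push eax ; g
.text:0040118E push eax ; lpProtocolInfo
.text:0040118F push eax ; protocol
.text:00401190 push 3 ; type
.text:00401192 push 2 ; af
.text:00401194 call ds:WSASocketA
.text:004012C0 push 10h ; namelen
.text:004012C2 push eax ; name
.text:004012C3 push dword ptr [esi+4] ; s
.text:004012C6 call ds:bind
.text:004012F0 push SIO_RCVALL ; dwIoControlCode
.text:004012F5 push dword ptr [esi+4] ; s
.text:004012F8 call ds:WSAIoctl
"""
# IDA's stdcall annotation names each pushed argument after the ';'.
PUSH_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+push\s+([^;]+?)\s*(?:;\s*(\w+).*)?$")
CALL_RE = re.compile(r"^\.text:[0-9A-F]{8}\s+call\s+ds:(\w+)")

def parse_calls(listing):
    """Return [(api, {arg_name: operand})]: pushes grouped with the call that consumes them."""
    calls, pending = [], {}
    for line in listing.splitlines():
        m = PUSH_RE.match(line.strip())
        if m and m.group(2):            # an uncommented push carries no parameter name to key on
            pending[m.group(2)] = m.group(1)
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((m.group(1), pending))
            pending = {}
    return calls

SOCK_RAW, AF_INET = "3", "2"                              # as IDA prints the immediates
RCVALL_FORMS = {"SIO_RCVALL", "98000001h", "0x98000001"}  # symbolic or raw, per IDA setup (assumed spellings)

def sniffer_indicators(listing):
    """Flag the three steps of the table above; all three together is the strong signal."""
    found = {"raw_socket": False, "bind": False, "promiscuous": False}
    for api, args in parse_calls(listing):
        if api in ("WSASocketA", "WSASocketW", "socket") and \
                args.get("type") == SOCK_RAW and args.get("af") == AF_INET:
            found["raw_socket"] = True
        elif api == "bind":
            found["bind"] = True
        elif api == "WSAIoctl" and args.get("dwIoControlCode") in RCVALL_FORMS:
            found["promiscuous"] = True
    return found
```

Run `sniffer_indicators` over an exported IDA listing (File > Produce file > Create ASM file); a raw socket alone is common in legitimate network tools, so it is the combination with SIO_RCVALL that should draw attention.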