**PunK** (December 10, 2008, 8:59 PM)

I used to use WPE but it doesn't quite work with logging any Blizzard games... So I am using AnalogX now and it's alright. You can set your own rules and whatnot, but I would like to individually packet log separate PIDs instead of just certain parameters on the whole machine... If you get what I am trying to say.. Anyone have a better packet sniffer?

**l2k-Shadow** (December 10, 2008, 9:58 PM)

Well, you are looking for a WPE-style packet logger, which essentially is a DLL that injects itself into the program and sniffs packets. I have not seen any other but WPE that does this and I don't think it will work on Blizzard games. Why not just use Wireshark with a filter setting?

**Barabajagal** (December 10, 2008, 11:55 PM)

You know... you can get WPE to work on Blizzard games pretty easily by rewriting the DACL. Here's some simple VB6 code to do it:

[code]
Option Explicit

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As Long
    TrusteeForm As Long          ' left at 0 = TRUSTEE_IS_SID
    TrusteeType As Long
    ptstrName As Long            ' pointer to the SID structure below
End Type

Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As Long
    grfInheritance As Long
    myTrustee As TRUSTEE
End Type

' Minimal SID with a single sub-authority; filled in below as S-1-1-0 (Everyone)
Private Type tSID
    Revision As Byte
    SubAuthorityCount As Byte
    IdentifierAuthority(5) As Byte
    SubAuthority As Long
End Type

Public Sub Main()
    Dim dWnd As Long
    Dim hProcess As Long
    Dim pID As Long
    Dim SID As tSID
    Dim EA As EXPLICIT_ACCESS
    Dim pDacl As Long
    Dim sClass As String

    sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
    If LenB(sClass) = 0 Then Exit Sub
    dWnd = FindWindow(sClass, vbNullString)
    If dWnd = 0 Then
        MsgBox "Could not find process!", vbCritical, "RewriteDACL"
        Exit Sub
    End If
    GetWindowThreadProcessId dWnd, pID

    ' &H40000 = WRITE_DAC, the only right needed to replace the process DACL
    hProcess = OpenProcess(&H40000, &H0, pID)

    ' Build S-1-1-0 (Everyone): revision 1, one sub-authority, authority 1, RID 0
    SID.Revision = &H1
    SID.SubAuthorityCount = &H1
    SID.IdentifierAuthority(5) = &H1

    EA.grfAccessPermissions = &H1F0FFF       ' PROCESS_ALL_ACCESS
    If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
        EA.grfAccessMode = &H2               ' SET_ACCESS: grant Everyone full access
    Else
        EA.grfAccessMode = &H3               ' DENY_ACCESS: deny Everyone
    End If
    EA.myTrustee.TrusteeType = &H1           ' TRUSTEE_IS_USER
    EA.myTrustee.ptstrName = VarPtr(SID.Revision)

    ' OldAcl = 0, so the new DACL replaces the existing one instead of merging
    SetEntriesInAcl &H1, EA, &H0, pDacl
    ' &H6 = SE_KERNEL_OBJECT, &H4 = DACL_SECURITY_INFORMATION
    SetSecurityInfo hProcess, &H6, &H4, &H0, &H0, pDacl, &H0
    LocalFree pDacl
    CloseHandle hProcess
End Sub
[/code]

Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe

**PunK** (December 11, 2008, 4:39 AM)

[quote author=Andy link=topic=17742.msg180753#msg180753 date=1228953336]
You know... you can get WPE to work on Blizzard games pretty easily by rewriting the DACL. Here's some simple VB6 code to do it:

[code]
Option Explicit

Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwAppProcessId As Long) As Long
Private Declare Function SetEntriesInAcl Lib "advapi32" Alias "SetEntriesInAclW" (ByVal cCountOfExplicitEntries As Long, ByRef pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, ByRef NewAcl As Long) As Long
Private Declare Function SetSecurityInfo Lib "advapi32" (ByVal handle As Long, ByVal ObjectType As Long, ByVal SecurityInfo As Long, ByVal psidOwner As Long, ByVal psidGroup As Long, ByVal pDacl As Long, ByVal pSacl As Long) As Long
Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Type TRUSTEE
    pMultipleTrustee As Long
    MultipleTrusteeOperation As Long
    TrusteeForm As Long          ' left at 0 = TRUSTEE_IS_SID
    TrusteeType As Long
    ptstrName As Long            ' pointer to the SID structure below
End Type

Private Type EXPLICIT_ACCESS
    grfAccessPermissions As Long
    grfAccessMode As Long
    grfInheritance As Long
    myTrustee As TRUSTEE
End Type

' Minimal SID with a single sub-authority; filled in below as S-1-1-0 (Everyone)
Private Type tSID
    Revision As Byte
    SubAuthorityCount As Byte
    IdentifierAuthority(5) As Byte
    SubAuthority As Long
End Type

Public Sub Main()
    Dim dWnd As Long
    Dim hProcess As Long
    Dim pID As Long
    Dim SID As tSID
    Dim EA As EXPLICIT_ACCESS
    Dim pDacl As Long
    Dim sClass As String

    sClass = InputBox("Please enter the Class name of the process you wish to rewrite:", "RewriteDACL")
    If LenB(sClass) = 0 Then Exit Sub
    dWnd = FindWindow(sClass, vbNullString)
    If dWnd = 0 Then
        MsgBox "Could not find process!", vbCritical, "RewriteDACL"
        Exit Sub
    End If
    GetWindowThreadProcessId dWnd, pID

    ' &H40000 = WRITE_DAC, the only right needed to replace the process DACL
    hProcess = OpenProcess(&H40000, &H0, pID)

    ' Build S-1-1-0 (Everyone): revision 1, one sub-authority, authority 1, RID 0
    SID.Revision = &H1
    SID.SubAuthorityCount = &H1
    SID.IdentifierAuthority(5) = &H1

    EA.grfAccessPermissions = &H1F0FFF       ' PROCESS_ALL_ACCESS
    If MsgBox("Enable DACL?", vbQuestion + vbYesNo, "RewriteDACL") = vbYes Then
        EA.grfAccessMode = &H2               ' SET_ACCESS: grant Everyone full access
    Else
        EA.grfAccessMode = &H3               ' DENY_ACCESS: deny Everyone
    End If
    EA.myTrustee.TrusteeType = &H1           ' TRUSTEE_IS_USER
    EA.myTrustee.ptstrName = VarPtr(SID.Revision)

    ' OldAcl = 0, so the new DACL replaces the existing one instead of merging
    SetEntriesInAcl &H1, EA, &H0, pDacl
    ' &H6 = SE_KERNEL_OBJECT, &H4 = DACL_SECURITY_INFORMATION
    SetSecurityInfo hProcess, &H6, &H4, &H0, &H0, pDacl, &H0
    LocalFree pDacl
    CloseHandle hProcess
End Sub
[/code]

Or the compiled EXE: http://realityripple.com/Uploads/Projects/RewriteDACL.exe
[/quote]

That's what I'm talking about. Thanks boss.

// Actually I just ran into an issue.. It seems that it only records outgoing, not incoming. However, it doesn't do that with other programs, such as bots... I'm probably doing something stupid but I don't see what possibly could be the issue.

**Barabajagal** (December 11, 2008, 5:45 AM)

View > Options. Check to make sure you have Send and Recv on Winsock 1.1 enabled. I tried it myself and got everything just fine, so I don't know what the problem might be if it's not that.

**PunK** (December 11, 2008, 7:40 AM)

Yeah, it's on. Still giving me the same problem. And also, what's Starcraft's window name? Because I type in "Starcraft" but it gets no results.

**Barabajagal** (December 11, 2008, 7:41 AM)

SWarClass. It's not the window name, it's the class name. You can rewrite it to use the window name if you want.

**PunK** (December 11, 2008, 7:50 AM)

Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?

**Barabajagal** (December 11, 2008, 8:02 AM)

Spy++?

**MysT_DooM** (December 11, 2008, 4:16 PM)

Best off using Wireshark.

**iago** (December 11, 2008, 5:00 PM)

[quote author=MysT_DooM link=topic=17742.msg180779#msg180779 date=1229012198]
Best off using Wireshark.
[/quote]

Wireshark is, by far, the best.

**PunK** (December 11, 2008, 5:56 PM)

That's 3 different people who said use Wireshark... Using Wireshark... Thanks.

**BreW** (December 12, 2008, 1:27 AM)

[quote author=PunK link=topic=17742.msg180772#msg180772 date=1228981846]
Oh.. Well then I guess I got lucky for war3. It's named "Warcraft III" unless that seems to be the problem... How do I find the class name of war3?
[/quote]

GetClassInfo()
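The RewriteDACL tool in Barabajagal's post replaces a process object's DACL with a single ACE for Everyone (S-1-1-0), either granting PROCESS_ALL_ACCESS or denying it outright. The PowerShell script below is an added example, not code from the thread or from RewriteDACL: it reads the DACL of running processes and flags exactly that footprint, so a defender can spot a game or other process whose protections were stripped. The process name is a placeholder; opening processes owned by other accounts requires an elevated shell.

```powershell
# Added example (not from the thread): dump a process's DACL and flag ACEs that
# give Everyone (S-1-1-0) broad access, the state RewriteDACL leaves behind.
# Assumes Windows PowerShell 5.1 or later and rights to open the target process.
param([string]$ProcessName = 'notepad')   # placeholder image name, change as needed

Add-Type -Namespace Win32 -Name ProcSec -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetKernelObjectSecurity(IntPtr Handle, int RequestedInformation,
    byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
'@

$DACL_SECURITY_INFORMATION = 0x4
$PROCESS_ALL_ACCESS        = 0x1F0FFF
$WRITE_DAC                 = 0x40000
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-ProcessDacl([System.Diagnostics.Process]$Process) {
    # .NET opens the handle with enough rights to read the security descriptor
    $h = $Process.Handle
    [uint32]$needed = 0
    # First call with an empty buffer only reports the required size
    [void][Win32.ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
    $buf = New-Object byte[] $needed
    if (-not [Win32.ProcSec]::GetKernelObjectSecurity($h, $DACL_SECURITY_INFORMATION, $buf, $buf.Length, [ref]$needed)) {
        throw "GetKernelObjectSecurity failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Parse the self-relative descriptor; DiscretionaryAcl enumerates the ACEs
    (New-Object System.Security.AccessControl.RawSecurityDescriptor ($buf, 0)).DiscretionaryAcl
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try { $dacl = Get-ProcessDacl $proc } catch { Write-Warning "PID $($proc.Id): $_"; continue }
    foreach ($ace in $dacl) {
        $mask = $ace.AccessMask
        $line = "PID {0,-6} {1,-13} {2,-46} 0x{3:X8}" -f $proc.Id, $ace.AceType, $ace.SecurityIdentifier, $mask
        if ($ace.SecurityIdentifier -eq $Everyone) {
            # RewriteDACL's "Yes" branch grants Everyone PROCESS_ALL_ACCESS (which
            # includes WRITE_DAC); its "No" branch leaves a blanket deny instead.
            if ((($mask -band $WRITE_DAC) -ne 0) -or (($mask -band $PROCESS_ALL_ACCESS) -eq $PROCESS_ALL_ACCESS)) {
                $line += '  <-- Everyone holds WRITE_DAC/full access: DACL likely rewritten'
            } elseif ($ace.AceType -eq 'AccessDenied') {
                $line += '  <-- blanket deny for Everyone'
            }
        }
        $line
    }
}
```

A normal process DACL lists the owner, SYSTEM and possibly Administrators; any ACE for Everyone on a process object is worth investigating regardless of which branch produced it.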