def search_keyword(self, l, r, payload, packet_id):
if l + 1 == r:
return l, 1
if l < r:
mid = (l + r) / 2
payload_left_modified = randomize(payload, l, mid)
self.sock.send(payload_left_modified)
hash_value_left = hash_int(payload_modified)
payload_right_modified = randomize(payload, mid + 1, r)
self.sock.send(payload_right_modified)
hash_value_right = hash_int(payload_right_modified)
#Divide into 2 sepearate branches
if self.server_checker(packet_id, hash_value_left) == False:
#Never go through middle box,means payload left contains keyword
lkeyword_start, lkeyword_len_ = self.search_keyword(
l, mid, payload, packet_id)
else:
lkeyword_start, lkeyword_len = [l], [0]
if self.search_keyword(packet_id, hash_value_right) == False:
#Means payload right contains keyword
rkeyword_start, rkeyword_len = self.search_keyword(
mid + 1, r, payload, packet_id)
else:
rkeyword_start, rkeyword_len = [mid + 1], [0]
#Merge 2 seperate branches
keyword_start = []
keyword_end = []
for i in range(len(lkeyword_start)):
if lkeyword_len[i] != 0:
keyword_start.append(lkeyword_start[i])
keyword_end.append(lkeyword_len[i] + lkeyword_start[i])
for i in range(len(rkeyword_start)):
if rkeyword_len[i] != 0:
keyword_start.append(rkeyword_start[i])
keyword_end.append(rkeyword_len[i] + rkeyword_start[i])
i = 0
while True:
if i >= len(keyword_start):
break
if (i + 1) < len(keyword_start
) and keyword_end[i] == keyword_start[i + 1]:
tmp = keyword_end[i + 1]
keyword_start.remove(keyword_start[i + 1])
keyword_end.remove(tmp)
keyword_end[i] = tmp
else:
i = i + 1
for i in range(0, len(keyword_start)):
keyword_end[i] = keyword_end[i] - keyword_start[i]
return keyword_start, keyword_end
def send_thread(self):
while True:
if self.current_packet_id + 1 in self.server_packets_id:
payload = self.stream['payload'][self.current_packet_id+1-1]
self.sock.send(payload)
self.current_packet_id +=1
print('send {packet_id:%d,hash:%d}'%(self.current_packet_id,hash_int(payload)))
time.sleep(0.02)
def __init__(self, pcapname, pcap_client_ip):
#pcap_client_ip 是抓取的原始pcap里面,主动向外发起请求的ip 地址,这个一般就是客户端IP
#重放的数据流
self.stream = python_lib.extractStream(pcapname, pcap_client_ip)
self.client_packets_id = set() #客户端需要发送的数据包的id号
self.server_packets_id = set() #服务端需要发送的数据的id号
self.server_payload_hash_to_id = {}
self.client_payload_hash_to_id = {}
self.payload_hash_to_id = {}
for each in self.stream['c2s']:
hash_value = hash_int(each['payload'])
self.client_payload_hash_to_id[hash_value] = each['id']
self.payload_hash_to_id[hash_value] = each['id']
self.client_packets_id.add(each['id'])
for each in self.stream['s2c']:
hash_value = hash_int(each['payload'])
self.server_payload_hash_to_id[hash_value] = each['id']
self.payload_hash_to_id[hash_value] = each['id']
self.server_packets_id.add(each['id'])
def recv_thread(self):
while True:
data = self.sock.recv(4096)
if data:
hash_value = hash_int(data)
packet_id = self.payload_hash_to_id.get(hash_value,-1)
print('recv {id:%d,hash:%d}'%(packet_id,hash_value))
if packet_id > 0:
self.current_packet_id = packet_id
self.recv_db.insert({'packet_id':packet_id,'hash_value':hash_value})
else:
self.sock.close()
break
def recv_thread(self):
index = 0
while True:
data = self.sock.recv(len(self.stream['s2c'][index]['payload']))
if data:
#收到了重放的响应数据包
hash_value = hash_int(data)
packet_id = self.server_payload_hash_to_id.get(hash_value, 0)
if packet_id > 0:
self.recv_set.add(packet_id)
print('recv: {id:%d,hash:%d}' % (packet_id, hash_value))
index += 1
else:
self.sock.close()
break
def replay(self, replay_port=None):
if replay_port == None:
port = self.replay_server_start_port
self.sock = SOCKET(proto=self.stream['c2s'][0]['proto'],
role='client',
ip=self.replay_server_ip,
port=port)
self.current_bidirection_packet_id = 1 #目前双向通信的 packet id
self.current_single_curse_packet_id = 0
self.thread = Thread(target=self.recv_thread)
self.thread.start()
while self.current_single_curse_packet_id < len(self.stream['c2s']):
payload = copy.deepcopy(self.stream['c2s'][
self.current_single_curse_packet_id]['payload'])
self.sock.send(payload)
#检查是否服务端是否收到数据包
hash_value = hash_int(payload)
packet_id = self.payload_hash_to_id.get(hash_value, 0)
if self.server_checker(packet_id, hash_value) == True:
#原始数据包就可以直接通过,那么处理下一个client端的数据包
while (packet_id + 1) in self.server_packets_id and (
packet_id + 1) not in self.recv_set:
time.sleep(0.05)
print('wait for next packet from server...')
else:
#原始数据包被拦截
keyword_start, keyword_len = self.search_keyword(
0, len(payload), payload, packet_id)
for i in range(len(keyword_start)):
keyword = {
"start":
keyword_start[i],
"len":
keyword_len[i],
"packet_id":
packet_id,
"content":
payload[keyword_start:(keyword_start + keyword_len)]
}
self.keyword.add(keyword)
self.keyword_db.insert(keyword)
self.current_single_curse_packet_id += 1
self.thread.join()
self.sock.close()