Last active
October 28, 2018 21:17
-
-
Save mak/093e52d99653a8012b16 to your computer and use it in GitHub Desktop.
SmokLoader dissector for wireshark
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| do | |
| local smk_req_proto = Proto("smk_req", "SmokeLoader Request"); | |
| local smk_resp_proto = Proto("smk_resp", "SmokeLoader Response"); | |
| function split(str, pat) | |
| local t = {} -- NOTE: use {n = 0} in Lua-5.0 | |
| local fpat = "(.-)" .. pat | |
| local last_end = 1 | |
| local s, e, cap = str:find(fpat, 1) | |
| while s do | |
| if s ~= 1 or cap ~= "" then | |
| table.insert(t,cap) | |
| end | |
| last_end = e+1 | |
| s, e, cap = str:find(fpat, last_end) | |
| end | |
| if last_end <= #str then | |
| cap = str:sub(last_end) | |
| table.insert(t, cap) | |
| end | |
| return t | |
| end | |
| function smk_xor(t,buf,s) | |
| r = "" | |
| xor={} | |
| for i=0,4 do | |
| xor[i] = buf(i,1):uint() | |
| end | |
| for i=0,s-1 do | |
| local v = bit32.bxor(buf(4+i,1):uint(),xor[i%4]) | |
| v = bit32.bxor(v,(255-(i%255))) | |
| r = r .. string.char(v) | |
| end | |
| return r | |
| end | |
| local media_type_table = DissectorTable.get("media_type") | |
| local frm_old_dissector = media_type_table:get_dissector("application/x-www-form-urlencoded") | |
| local htm_old_dissector = media_type_table:get_dissector("text/html") | |
| function smk_req_proto.dissector(tvb, pinfo, tree) | |
| frm_old_dissector:call(tvb, pinfo, tree) | |
| local subtree = tree:add(smk_req_proto, tvb()) | |
| local size = tvb(0,4):le_uint() | |
| -- d(tree,'Size: ' .. size) | |
| if size == tvb():len() then | |
| local s = smk_xor(tree,tvb:range(4),size-8) | |
| for k, v in pairs(split(s,'&')) do | |
| local pp = split(v,'=') | |
| if pp[1] == "r" then | |
| break | |
| end | |
| subtree:add(tvb(),v) | |
| end | |
| subtree:add(tvb_range,s) | |
| end | |
| end | |
| function smk_resp_proto.dissector(tvb,pinfo,tree) | |
| -- skip non numeric shit... | |
| htm_old_dissector:call(tvb,pinfo,tree) | |
| if tonumber(tvb(0,1):string()) == nil then | |
| return | |
| end | |
| local s = "" | |
| for i=0,tvb():len() do | |
| if tvb(i,1):int() == 0 then | |
| break | |
| end | |
| s = tvb(0,i+1) | |
| end | |
| -- d(tree,s:string()) | |
| local xor = tonumber(s(0,3):string()) | |
| local r = "" | |
| for i=3,s:len()-3,3 do | |
| local v = bit32.bxor(xor,tonumber(s(i,3):string()) ) | |
| r = r .. string.char(v) | |
| end | |
| local subtree = tree:add(smk_resp_proto, s()) | |
| subtree:add(s(),r) | |
| end | |
| media_type_table:add("text/html", smk_resp_proto) | |
| media_type_table:add("application/x-www-form-urlencoded", smk_req_proto) | |
| end | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment