1、新增实时数据包分析器针对TCP协议特性进行自动组包

2、整体代码优化
yggo · Feb 4, 2021 · d372890 · d372890
1 parent ed46646
commit d372890
Show file tree

Hide file tree

Showing 21 changed files with 329 additions and 338 deletions.
diff --git a/Attributes/CustomEvent.cs b/Attributes/CustomEvent.cs
@@ -7,7 +7,7 @@ public class CustomEvent : Attribute
     {
         private readonly string windowName;
 
-        public string WindowName { get { return windowName; } }
+        public string WindowName => windowName;
 
         public CustomEvent(string windowName)
         {

diff --git a/Attributes/TLVParser.cs b/Attributes/TLVParser.cs
@@ -7,7 +7,8 @@ public class TLVParser : Attribute
     {
         private readonly short cmd;
 
-        public short Cmd { get { return cmd; } }
+        public short Cmd => cmd;
+
         public TLVParser(short cmd)
         {
             this.cmd = cmd;

diff --git a/Common/Common.cs b/Common/Common.cs
@@ -46,12 +46,12 @@ public static byte[] TeaKeyLogDecrypt(byte[] In, out DecryptionKey decryptionKey
         {
             decryptionKey = null;
             List<DecryptionKey> keys = Keys.ToList();
-            for (int i = 0; i < keys.Count; i++)
+            foreach (DecryptionKey t in keys)
             {
-                var d = Tea.Decrypt(In, HexUtil.DecodeHex(keys[i].Key));
+                var d = Tea.Decrypt(In, t.Key.DecodeHex());
                 if (d != null)
                 {
-                    decryptionKey = keys[i];
+                    decryptionKey = t;
                     return d;
                 }
             }

diff --git a/Common/HookData.cs b/Common/HookData.cs
@@ -2,7 +2,7 @@
 {
     public static class HookData
     {
-        private static FormMain Frm { get => FormMain.Form; }
+        private static FormMain Frm => FormMain.Form;
 
         #region Hook Data
         public static string _androidId = string.Empty;

diff --git a/Component/PacketAnalyzer.cs b/Component/PacketAnalyzer.cs
@@ -85,7 +85,7 @@ protected void Resolve0A01()
             }
             int qq_len = Buf.ReadInt() - 4;
             Uin = Buf.ReadCharSequence(qq_len, Encoding.UTF8).ToString();
-            byte[] remaining = Util.ReadRemainingBytes(Buf);
+            byte[] remaining = Buf.ReadRemainingBytes();
             byte[] decrypt_data = Common.TeaKeyLogDecrypt(remaining, out _);
             if (decrypt_data == null) return;
             var buf_part1 = Unpooled.WrappedBuffer(decrypt_data);
@@ -126,7 +126,7 @@ protected void Resolve0A02()
             Buf.ReadByte();
             int qq_len = Buf.ReadInt() - 4;
             Uin = Buf.ReadCharSequence(qq_len, Encoding.UTF8).ToString();
-            byte[] remaining = Util.ReadRemainingBytes(Buf);
+            byte[] remaining = Buf.ReadRemainingBytes();
             byte[] decrypt_data = Tea.Decrypt(remaining, new byte[16]);
             if (decrypt_data == null) return;
             var buf_part1 = Unpooled.WrappedBuffer(decrypt_data);
@@ -203,7 +203,7 @@ protected void Resolve0B01()
             Buf.ReadByte();
             int qq_len = Buf.ReadInt() - 4;
             Uin = Buf.ReadCharSequence(qq_len, Encoding.UTF8).ToString();
-            byte[] remaining = Util.ReadRemainingBytes(Buf);
+            byte[] remaining = Buf.ReadRemainingBytes();
             byte[] decrypt_data = Common.TeaKeyLogDecrypt(remaining, out _);
             if (decrypt_data == null) return;
             var buf_part1 = Unpooled.WrappedBuffer(decrypt_data);
@@ -227,7 +227,7 @@ protected void Resolve0B02()
                 Buf.ReadByte();
                 int qq_len = Buf.ReadInt() - 4;
                 Uin = Buf.ReadCharSequence(qq_len, Encoding.UTF8).ToString();
-                byte[] remaining = Util.ReadRemainingBytes(Buf);
+                byte[] remaining = Buf.ReadRemainingBytes();
                 byte[] decrypt_data = Tea.Decrypt(remaining, new byte[16]);
                 if (decrypt_data == null) return;
                 var buf_part1 = Unpooled.WrappedBuffer(decrypt_data);
@@ -244,7 +244,7 @@ protected void Resolve0B02()
                 Buf.ReadByte();
                 int qq_len = Buf.ReadInt() - 4;
                 Uin = Buf.ReadCharSequence(qq_len, Encoding.UTF8).ToString();
-                byte[] remaining = Util.ReadRemainingBytes(Buf);
+                byte[] remaining = Buf.ReadRemainingBytes();
                 byte[] decrypt_data = Tea.Decrypt(remaining, new byte[16]);
                 if (decrypt_data == null) return;
                 var buf_part1 = Unpooled.WrappedBuffer(decrypt_data);

diff --git a/Component/PacketFormatter.cs b/Component/PacketFormatter.cs
@@ -16,7 +16,7 @@ public string Parse(IByteBuffer value)
             ReadPacketLen();
             int packet_type = Buf.ReadInt();
             byte encrypt_type = Buf.ReadByte();
-           
+
             if (packet_type == 0x0A)
             {
                 Sb.Append(packet_type.HexPadLeft().HexDump()).Append(" //packet_type").AppendLine();
@@ -69,7 +69,7 @@ public string Parse(IByteBuffer value)
             }
             return Sb.ToString();
         }
- 
+
         private void ReadPacketLen()
         {
             int packet_len = Buf.ReadInt();
@@ -95,7 +95,7 @@ private void Resolve0A02()
             Sb.Append((uin_len + 4).HexPadLeft().HexDump()).Append(" //uin_len").AppendLine();
             Sb.Append(Encoding.UTF8.GetBytes(Uin).HexDump()).Append($" //uin {Uin}").AppendLine();
 
-            byte[] remaining = Util.ReadRemainingBytes(Buf);
+            byte[] remaining = Buf.ReadRemainingBytes();
             Sb.Append(remaining.HexDump()).AppendLine().AppendLine();
 
             byte[] decrypt_data = Common.TeaKeyLogDecrypt(remaining, out DecryptionKey decryptionKey);

diff --git a/Component/PacketLogLVI.cs b/Component/PacketLogLVI.cs
@@ -0,0 +1,34 @@
+using System.Windows.Forms;
+
+namespace YgAndroidQQSniffer.Component
+{
+    public class PacketLogLVI
+    {
+        public string Index { get; set; }
+        public string Orientation { get; set; }
+        public string SrcIp { get; set; }
+        public string DstIp { get; set; }
+        public string CaptureTime { get; set; }
+        public string PayloadLen { get; set; }
+        public string PayloadData { get; set; }
+        public object Tag { get; set; }
+
+        public ListViewItem BuildLVI()
+        {
+            return new ListViewItem()
+            {
+                Text = Index,
+                SubItems =
+                {
+                    Orientation,
+                    SrcIp,
+                    DstIp,
+                    CaptureTime,
+                    PayloadLen,
+                    PayloadData
+                },
+                Tag = Tag
+            };
+        }
+    }
+}
diff --git a/Component/RealTimePacketsAnalyzer.cs b/Component/RealTimePacketsAnalyzer.cs
@@ -0,0 +1,164 @@
+using DotNetty.Buffers;
+using DotNetty.Common.Utilities;
+using NLog;
+using PacketDotNet;
+using System;
+using System.Collections;
+using System.Drawing;
+using System.Net;
+using System.Threading;
+using System.Windows.Forms;
+using static System.Collections.StructuralComparisons;
+
+namespace YgAndroidQQSniffer.Component
+{
+    public class RealTimePacketsAnalyzer
+    {
+        public string MatchedSrcIp { get; private set; }
+        public string MatchedDstIp { get; private set; }
+        public string MatchedSrcPort { get; private set; }
+        public string MatchedDstPort { get; private set; }
+        private IByteBuffer MatchedPayloadBuf { get; set; }
+
+        private readonly byte[] ZERO_BYTES = { 0 };
+        private static FormMain Frm => FormMain.Form;
+        private static Logger Logger { get; } = LogManager.GetCurrentClassLogger();
+
+        public void ProcessPackets(TcpPacket tcpPacket)
+        {
+            IPPacket ipPacket = (IPPacket)tcpPacket.ParentPacket;
+            IPAddress srcIp = ipPacket.SourceAddress;
+            IPAddress dstIp = ipPacket.DestinationAddress;
+            int srcPort = tcpPacket.SourcePort;
+            int dstPort = tcpPacket.DestinationPort;
+
+            if (tcpPacket.PayloadData.Length == 0 || tcpPacket.PayloadData == ZERO_BYTES) return;
+
+            if (MatchedDstIp == null)
+            {
+                //首次捕获
+                IByteBuffer buf = Unpooled.WrappedBuffer(tcpPacket.PayloadData);
+                try
+                {
+                    if (IsAndroidQQProtocol(buf))
+                    {
+                        MatchedPayloadBuf.WriteBytes(tcpPacket.PayloadData);
+                        MatchedSrcIp = srcIp.ToString();
+                        MatchedDstIp = dstIp.ToString();
+                        MatchedSrcPort = srcPort.ToString();
+                        MatchedDstPort = dstPort.ToString();
+                    }
+                }
+                finally
+                {
+                    buf.SafeRelease();
+                }
+            }
+            else
+            {
+                if (srcIp.ToString() == MatchedDstIp || dstIp.ToString() == MatchedDstIp)
+                {
+                    MatchedPayloadBuf.WriteBytes(tcpPacket.PayloadData);
+                }
+            }
+        }
+
+        public void StartAnalysisThread()
+        {
+            MatchedPayloadBuf = Unpooled.Buffer();
+            new Thread(() =>
+            {
+                while (Frm.Device.Started)
+                {
+                    try
+                    {
+                        while (MatchedPayloadBuf.IsReadable())
+                        {
+                            if (IsAndroidQQProtocol(MatchedPayloadBuf))
+                            {
+                                string orientation = (MatchedPayloadBuf.GetInt(MatchedPayloadBuf.ReaderIndex + 9) == 0) ? "Recv" : "Send";
+                                int pkg_len = MatchedPayloadBuf.GetInt(MatchedPayloadBuf.ReaderIndex);
+                                byte[] pkg_payload = new byte[pkg_len];
+                                if (MatchedPayloadBuf.ReadableBytes >= pkg_payload.Length)
+                                {
+                                    MatchedPayloadBuf.ReadBytes(pkg_payload, 0, pkg_payload.Length);
+                                    AppendPacketLogItems(orientation, pkg_payload);
+                                    MatchedPayloadBuf.DiscardReadBytes();
+                                }
+                            }
+                            else if (MatchedPayloadBuf.ReadableBytes >= 9)
+                            {
+                                MatchedPayloadBuf.ReadBytes(9);
+                            }
+                            else
+                            {
+                                Thread.Sleep(1000);
+                            }
+                        }
+                    }
+                    catch (Exception ex)
+                    {
+                        Logger.Error(ex, ex.Message);
+                    }
+                    Thread.Sleep(1000);
+                }
+                Logger.Info("The analysis thread has stopped.");
+                MatchedSrcIp = null;
+                MatchedDstIp = null;
+                MatchedSrcPort = null;
+                MatchedDstPort = null;
+                MatchedPayloadBuf.SafeRelease();
+            }).Start();
+        }
+
+        private void AppendPacketLogItems(string orientation, byte[] payload)
+        {
+            PacketLogLVI pl = new PacketLogLVI()
+            {
+                Index = (Frm.lv_packet_log.Items.Count + 1).ToString(),
+                Orientation = orientation,
+
+                CaptureTime = DateTime.Now.ToString(),
+                PayloadLen = payload.Length.ToString(),
+                PayloadData = payload.HexDump(),
+                Tag = new PacketAnalyzer() { HexPayload = payload.HexDump() }
+            };
+            if (orientation == "Send")
+            {
+                pl.SrcIp = $"{MatchedSrcIp}:{MatchedSrcPort}";
+                pl.DstIp = $"{MatchedDstIp}:{MatchedDstPort}";
+            }
+            else
+            {
+                pl.SrcIp = $"{MatchedDstIp}:{MatchedDstPort}";
+                pl.DstIp = $"{MatchedSrcIp}:{MatchedSrcPort}";
+            }
+
+            Frm.ThreadSafeUpdate(() =>
+            {
+                ListViewItem lv = pl.BuildLVI();
+                lv.ForeColor = orientation == "Send" ? Color.Red : Color.Blue;
+                Frm.lv_packet_log.Items.Add(lv);
+            });
+        }
+
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK1 = { 0x00, 0x00, 0x00, 0x0A, 0x00 };
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK2 = { 0x00, 0x00, 0x00, 0x0A, 0x01 };
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK3 = { 0x00, 0x00, 0x00, 0x0A, 0x02 };
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK4 = { 0x00, 0x00, 0x00, 0x0B, 0x00 };
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK5 = { 0x00, 0x00, 0x00, 0x0B, 0x01 };
+        private readonly byte[] ANDROIDQQ_PROTOCOL_MARK6 = { 0x00, 0x00, 0x00, 0x0B, 0x02 };
+        private bool IsAndroidQQProtocol(IByteBuffer buffer)
+        {
+            if (buffer.ReadableBytes < 9) return false;
+            byte[] tag = new byte[5];
+            buffer.GetBytes(buffer.ReaderIndex + 4, tag, 0, 5);
+            return ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK1, StructuralEqualityComparer) ||
+                   ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK2, StructuralEqualityComparer) ||
+                   ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK3, StructuralEqualityComparer) ||
+                   ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK4, StructuralEqualityComparer) ||
+                   ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK5, StructuralEqualityComparer) ||
+                   ((IStructuralEquatable)tag).Equals(ANDROIDQQ_PROTOCOL_MARK6, StructuralEqualityComparer);
+        }
+    }
+}