From libprotoident Are there any ways to add I need to do?
wechat udp
`/*
*
- Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
- All rights reserved.
- This file is part of libprotoident.
- This code has been developed by the University of Waikato WAND
- research group. For further information please see http://www.wand.net.nz/
- libprotoident is free software; you can redistribute it and/or modify
- it under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- libprotoident is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Lesser General Public License for more details.
- You should have received a copy of the GNU Lesser General Public License
- along with this program. If not, see http://www.gnu.org/licenses/.
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Thanks to http://www.cse.cuhk.edu.hk/~pclee/www/pubs/iwqos15chatdissect.pdf
- for helping confirm this rule */
static inline bool match_wechat_uplink_hb(uint32_t payload, uint32_t len) {
/* Byte 3 appears to be a length indicator */
if (MATCH(payload, 0xd1, 0x0a, 0x2e, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x2d, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x2c, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x1e, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x1d, 0x0a))
return true;
return false;
}
static inline bool match_wechat_downlink_hb(uint32_t payload, uint32_t len) {
/* Byte 3 appears to be a length indicator */
if (MATCHSTR(payload, "\xd1\x0a\x2b\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x2a\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x2d\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x29\x0a"))
return true;
return false;
}
static inline bool match_wechat_voip_a175(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 75)
return true;
return false;
}
static inline bool match_wechat_voip_a192(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 92)
return true;
return false;
}
static inline bool match_wechat_voip_a396(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 96 && MATCH(payload, 0xa3, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d6200(uint32_t payload, uint32_t len) {
if (len == 200 && MATCH(payload, 0xd6, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d591(uint32_t payload, uint32_t len) {
if (len < 89 || len > 91)
return false;
if (MATCH(payload, 0xd5, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d5104(uint32_t payload, uint32_t len) {
if (len < 103 || len > 104)
return false;
if (MATCH(payload, 0xd5, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_wechat_uplink_hb(data->payload[0], data->payload_len[0])) {
if (match_wechat_downlink_hb(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_uplink_hb(data->payload[1], data->payload_len[1])) {
if (match_wechat_downlink_hb(data->payload[0],
data->payload_len[0]))
return true;
}
/* Lots of different patterns seen when using WeChat to make a voice
* or video call.
*/
if (match_wechat_voip_a396(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_a396(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d6200(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_d6200(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d591(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_d5104(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d591(data->payload[1], data->payload_len[1])) {
if (match_wechat_voip_d5104(data->payload[0],
data->payload_len[0]))
return true;
}
if (match_wechat_voip_a192(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_a175(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_a192(data->payload[1], data->payload_len[1])) {
if (match_wechat_voip_a175(data->payload[0],
data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_wechat_udp = {
LPI_PROTO_UDP_WECHAT,
LPI_CATEGORY_CHAT,
"WeChat_UDP",
20,
match_wechat_udp
};
void register_wechat_udp(LPIModuleMap mod_map) {
register_protocol(&lpi_wechat_udp, mod_map);
}
/
*
- Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
- All rights reserved.
- This file is part of libprotoident.
- This code has been developed by the University of Waikato WAND
- research group. For further information please see http://www.wand.net.nz/
- libprotoident is free software; you can redistribute it and/or modify
- it under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- libprotoident is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Lesser General Public License for more details.
- You should have received a copy of the GNU Lesser General Public License
- along with this program. If not, see http://www.gnu.org/licenses/.
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
/* Thanks to http://www.cse.cuhk.edu.hk/~pclee/www/pubs/iwqos15chatdissect.pdf
- for helping confirm this rule */
static inline bool match_wechat_uplink_hb(uint32_t payload, uint32_t len) {
/* Byte 3 appears to be a length indicator */
if (MATCH(payload, 0xd1, 0x0a, 0x2e, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x2d, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x2c, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x1e, 0x0a))
return true;
if (MATCH(payload, 0xd1, 0x0a, 0x1d, 0x0a))
return true;
return false;
}
static inline bool match_wechat_downlink_hb(uint32_t payload, uint32_t len) {
/* Byte 3 appears to be a length indicator */
if (MATCHSTR(payload, "\xd1\x0a\x2b\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x2a\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x2d\x0a"))
return true;
if (MATCHSTR(payload, "\xd1\x0a\x29\x0a"))
return true;
return false;
}
static inline bool match_wechat_voip_a175(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 75)
return true;
return false;
}
static inline bool match_wechat_voip_a192(uint32_t payload, uint32_t len) {
if (MATCH(payload, 0xa1, 0x08, ANY, ANY) && len == 92)
return true;
return false;
}
static inline bool match_wechat_voip_a396(uint32_t payload, uint32_t len) {
if (len == 0)
return true;
if (len == 96 && MATCH(payload, 0xa3, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d6200(uint32_t payload, uint32_t len) {
if (len == 200 && MATCH(payload, 0xd6, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d591(uint32_t payload, uint32_t len) {
if (len < 89 || len > 91)
return false;
if (MATCH(payload, 0xd5, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_voip_d5104(uint32_t payload, uint32_t len) {
if (len < 103 || len > 104)
return false;
if (MATCH(payload, 0xd5, ANY, ANY, ANY))
return true;
return false;
}
static inline bool match_wechat_udp(lpi_data_t *data, lpi_module_t *mod UNUSED) {
if (match_wechat_uplink_hb(data->payload[0], data->payload_len[0])) {
if (match_wechat_downlink_hb(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_uplink_hb(data->payload[1], data->payload_len[1])) {
if (match_wechat_downlink_hb(data->payload[0],
data->payload_len[0]))
return true;
}
/* Lots of different patterns seen when using WeChat to make a voice
* or video call.
*/
if (match_wechat_voip_a396(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_a396(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d6200(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_d6200(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d591(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_d5104(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_d591(data->payload[1], data->payload_len[1])) {
if (match_wechat_voip_d5104(data->payload[0],
data->payload_len[0]))
return true;
}
if (match_wechat_voip_a192(data->payload[0], data->payload_len[0])) {
if (match_wechat_voip_a175(data->payload[1],
data->payload_len[1]))
return true;
}
if (match_wechat_voip_a192(data->payload[1], data->payload_len[1])) {
if (match_wechat_voip_a175(data->payload[0],
data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_wechat_udp = {
LPI_PROTO_UDP_WECHAT,
LPI_CATEGORY_CHAT,
"WeChat_UDP",
20,
match_wechat_udp
};
void register_wechat_udp(LPIModuleMap mod_map) {
register_protocol(&lpi_wechat_udp, mod_map);
}
wechat tcp
/
*
- Copyright (c) 2011-2016 The University of Waikato, Hamilton, New Zealand.
- All rights reserved.
- This file is part of libprotoident.
- This code has been developed by the University of Waikato WAND
- research group. For further information please see http://www.wand.net.nz/
- libprotoident is free software; you can redistribute it and/or modify
- it under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
- libprotoident is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU Lesser General Public License for more details.
- You should have received a copy of the GNU Lesser General Public License
- along with this program. If not, see http://www.gnu.org/licenses/.
*/
#include <string.h>
#include "libprotoident.h"
#include "proto_manager.h"
#include "proto_common.h"
static inline bool match_wc_pair(uint32_t payloada, uint32_t lena,
uint32_t payloadb, uint32_t lenb) {
if (lena == 16 && MATCH(payloada, 0x00, 0x00, 0x00, 0x10)) {
if (lenb == 16 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x10))
return true;
if (lenb == 18 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x12))
return true;
}
if (lena == 21 && MATCH(payloada, 0x00, 0x00, 0x00, 0x15)) {
if (lenb == 25 && MATCH(payloadb, 0x00, 0x00, 0x00, 0x19))
return true;
}
return false;
}
static inline bool match_wc_ab_request(uint32_t payload, uint32_t len) {
/* This is 0xab, followed by 4 bytes of length for the first
* packet.
*/
if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00))
return true;
if (MATCH(payload, 0xab, 0x00, 0x00, 0x01))
return true;
return false;
}
static inline bool match_wc_ab_big02(uint32_t payload, uint32_t len) {
/* again 0xab followed by length, except this time the length is
* for the entire flow.
*/
if (len <= 255)
return false;
/* Flows are unlikely to need a full 4 bytes for length so I'm
* going to stick 0x00 in the top byte for now */
if (MATCH(payload, 0xab, 0x00, ANY, ANY)) {
return true;
}
return false;
}
static inline bool match_wc_ab_big01(uint32_t payload, uint32_t len) {
if (len < 100)
return false;
if (len <= 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x00))
return true;
if (len > 255 && MATCH(payload, 0xab, 0x00, 0x00, 0x01))
return true;
return false;
}
static inline bool match_wc_ab_reply(uint32_t payload, uint32_t len) {
/* All replies appear to be 41 bytes */
if (len != 41)
return false;
if (MATCH(payload, 0xab, 0x00, 0x00, 0x00))
return true;
return false;
}
static inline bool match_wechat(lpi_data_t *data, lpi_module_t *mod UNUSED) {
bool valid_port = false;
/* WeChat begins with a very simple 4 byte length field.
* This is not unique to WeChat though, so we need to be careful.
*/
/* Only observed on port 80, 443 or 8080. Because the payload
* signature is not entirely unique to WeChat, let's restrict matches
* to flows using those ports unless it shows up on other ports.
*/
if (data->server_port == 80 || data->client_port == 80)
valid_port = true;
if (data->server_port == 8080 || data->client_port == 8080)
valid_port = true;
if (data->server_port == 443 || data->client_port == 443)
valid_port = true;
if (!valid_port)
return false;
if (match_wc_pair(data->payload[0], data->payload_len[0],
data->payload[1], data->payload_len[1])) {
return true;
}
if (match_wc_pair(data->payload[1], data->payload_len[1],
data->payload[0], data->payload_len[0])) {
return true;
}
if (match_wc_ab_request(data->payload[0], data->payload_len[0])) {
if (match_wc_ab_reply(data->payload[1], data->payload_len[1]))
return true;
}
if (match_wc_ab_request(data->payload[1], data->payload_len[1])) {
if (match_wc_ab_reply(data->payload[0], data->payload_len[0]))
return true;
}
if (match_wc_ab_big01(data->payload[0], data->payload_len[0])) {
if (match_wc_ab_big02(data->payload[1], data->payload_len[1]))
return true;
}
if (match_wc_ab_big01(data->payload[1], data->payload_len[1])) {
if (match_wc_ab_big02(data->payload[0], data->payload_len[0]))
return true;
}
return false;
}
static lpi_module_t lpi_wechat = {
LPI_PROTO_WECHAT,
LPI_CATEGORY_CHAT,
"WeChat",
10,
match_wechat
};
void register_wechat(LPIModuleMap *mod_map) {
register_protocol(&lpi_wechat, mod_map);
}
`