geph4-client 4.7.6-alpha.2

Geph client
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

use super::{bindings, Handle, InternalError, Layer};
use std::convert::TryInto;
use std::{
    mem::MaybeUninit,
    net::{IpAddr, SocketAddr},
};

/// A handle for socket-layer events.
pub struct SocketHandle {
    handle: Handle,
}

impl SocketHandle {
    /// Opens a SocketHandle.
    pub fn open(filter: &str, priority: i16) -> Result<Self, InternalError> {
        let handle = Handle::open(
            filter,
            Layer::Socket,
            priority,
            (bindings::WINDIVERT_FLAG_SNIFF | bindings::WINDIVERT_FLAG_RECV_ONLY) as _,
        )?;
        Ok(Self { handle })
    }

    /// Receives a socket event.
    pub fn receive(&mut self) -> Result<SocketEvt, InternalError> {
        let mut addr: MaybeUninit<bindings::WINDIVERT_ADDRESS> = MaybeUninit::uninit();
        self.handle.receive(None, Some(&mut addr))?;
        let addr = unsafe { addr.assume_init() };

        // now we parse it. we parse the "flow" part of the union even though this is a socket handle because they are the same.
        let data = unsafe { addr.__bindgen_anon_1.Socket };
        let (local_addr, remote_addr) = parse_addr(&addr, &data);
        let evt_type = match addr.Event() as _ {
            bindings::WINDIVERT_EVENT_WINDIVERT_EVENT_SOCKET_ACCEPT => SocketEvtType::Accept,
            bindings::WINDIVERT_EVENT_WINDIVERT_EVENT_SOCKET_BIND => SocketEvtType::Bind,
            bindings::WINDIVERT_EVENT_WINDIVERT_EVENT_SOCKET_CLOSE => SocketEvtType::Close,
            bindings::WINDIVERT_EVENT_WINDIVERT_EVENT_SOCKET_CONNECT => SocketEvtType::Connect,
            bindings::WINDIVERT_EVENT_WINDIVERT_EVENT_SOCKET_LISTEN => SocketEvtType::Listen,
            _ => panic!("Non-socket event somehow got here..."),
        };

        let is_tcp = data.Protocol == 6;

        Ok(SocketEvt {
            kind: evt_type,
            local_addr,
            remote_addr,
            process_id: data.ProcessId,
            is_tcp,
        })
    }
}

/// An socket-related event
#[derive(Debug, Clone, Copy)]
pub struct SocketEvt {
    pub kind: SocketEvtType,
    pub local_addr: SocketAddr,
    pub remote_addr: SocketAddr,
    pub process_id: u32,
    pub is_tcp: bool,
}

#[derive(Copy, Clone, PartialEq, Eq, Debug)]
pub enum SocketEvtType {
    Bind,
    Connect,
    Listen,
    Accept,
    Close,
}

pub fn parse_addr(
    addr: &bindings::WINDIVERT_ADDRESS,
    windivert_socket: &bindings::WINDIVERT_DATA_SOCKET,
) -> (SocketAddr, SocketAddr) {
    if addr.IPv6() == 1 {
        (
            SocketAddr::new(
                IpAddr::V6(to_u8(windivert_socket.LocalAddr).into()),
                windivert_socket.LocalPort,
            ),
            SocketAddr::new(
                IpAddr::V6(to_u8(windivert_socket.RemoteAddr).into()),
                windivert_socket.RemotePort,
            ),
        )
    } else {
        (
            SocketAddr::new(
                IpAddr::V4(windivert_socket.LocalAddr[0].into()),
                windivert_socket.LocalPort,
            ),
            SocketAddr::new(
                IpAddr::V4(windivert_socket.RemoteAddr[0].into()),
                windivert_socket.RemotePort,
            ),
        )
    }
}

fn to_u8(thirty_twos: [u32; 4]) -> [u8; 16] {
    let thirty_twos: Vec<u32> = thirty_twos.iter().rev().cloned().collect();
    let v: Vec<u8> = (0..16)
        .map(|i| thirty_twos[i / 4].to_be_bytes()[i % 4])
        .collect();
    v.try_into().unwrap()
}