The task is to monitor, with a C application, the Internet resources visited by employees, then filter the results and send them to the server to commit to the database. I found the following code on the Internet and edited it:

```cpp
// Build with MSVC and link ws2_32.lib (e.g. #pragma comment(lib, "ws2_32.lib")).
#include <cstdlib>
#include <iostream>
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <process.h>
using namespace std;

#define MAX_PACKET_SIZE 0x10000
#define SIO_RCVALL 0x98000001      // same value as in <mstcpip.h>

char Buffer[MAX_PACKET_SIZE];      // 64 KB receive buffer

// IPv4 header in on-the-wire field order (RFC 791); 20 bytes without options.
#pragma pack(push, 1)
typedef struct IPHeader {
    unsigned char  iph_verlen;     // version (high 4 bits) + header length in 32-bit words
    unsigned char  iph_tos;
    unsigned short iph_length;     // total length, network byte order
    unsigned short iph_id;
    unsigned short iph_offset;     // flags + fragment offset
    unsigned char  iph_ttl;
    unsigned char  iph_protocol;   // IPPROTO_TCP = 6, IPPROTO_UDP = 17, ...
    unsigned short iph_xsum;       // header checksum
    unsigned long  iph_src;        // network byte order, as inet_ntoa() expects
    unsigned long  iph_dest;
} IPHeader;
#pragma pack(pop)

int main() {
    WSADATA wsadata;
    SOCKET Socket;
    char name[128];
    HOSTENT* phe;
    SOCKADDR_IN sa;
    IN_ADDR sa1;
    unsigned long flag = 1;        // PROMISC (receive-all) flag on/off

    // initialisation
    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0) {
        cerr << "WSAStartup failed: " << WSAGetLastError() << endl;
        return 1;
    }
    // A raw socket can only be opened by an elevated process; otherwise
    // socket() returns INVALID_SOCKET and WSAGetLastError() gives WSAEACCES (10013).
    Socket = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
    if (Socket == INVALID_SOCKET) {
        cerr << "socket() failed: " << WSAGetLastError() << endl;
        WSACleanup();
        return 1;
    }
    gethostname(name, sizeof(name));
    phe = gethostbyname(name);
    if (phe == NULL) {
        cerr << "gethostbyname() failed: " << WSAGetLastError() << endl;
        closesocket(Socket);
        WSACleanup();
        return 1;
    }
    ZeroMemory(&sa, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = ((struct in_addr*)phe->h_addr_list[0])->s_addr;
    if (bind(Socket, (SOCKADDR*)&sa, sizeof(SOCKADDR)) == SOCKET_ERROR) {
        cerr << "bind() failed: " << WSAGetLastError() << endl;
        closesocket(Socket);
        WSACleanup();
        return 1;
    }
    if (ioctlsocket(Socket, SIO_RCVALL, &flag) == SOCKET_ERROR) {
        cerr << "ioctlsocket(SIO_RCVALL) failed: " << WSAGetLastError() << endl;
        closesocket(Socket);
        WSACleanup();
        return 1;
    }

    while (true) {
        int count = recv(Socket, Buffer, sizeof(Buffer), 0);
        if (count == SOCKET_ERROR) {
            cerr << "recv() failed: " << WSAGetLastError() << endl;
            break;
        }
        if (count >= (int)sizeof(IPHeader)) {
            IPHeader* hdr = (IPHeader*)Buffer;
            sa1.s_addr = hdr->iph_src;
            cout << "Src:" << inet_ntoa(sa1) << endl;   // never pass untrusted text as a printf format
            sa1.s_addr = hdr->iph_dest;
            cout << "Dest:" << inet_ntoa(sa1) << endl;
            switch (hdr->iph_protocol) {
                case IPPROTO_TCP: cout << " TCP\n"; break;
                case IPPROTO_UDP: cout << " UDP\n"; break;
                default: cout << " " << (unsigned short)hdr->iph_protocol << endl; break;
            }
            Sleep(1000);   // throttles output; packets arriving during the pause are lost
        }
    }
    closesocket(Socket);
    WSACleanup();
    return 0;
}
```

The problem is that nothing is logged for a regular user (only 0.0.0.0 instead of an IP address); real addresses are shown only when the application is started as an administrator.

I do not need a full-scale sniffer of the entire network: all that is required is to embed into the working client a function that monitors the network activity of the current user, which should also work from under a guest account.

Why does the above code require administrative rights, and can this be circumvented?

  • Most likely raw sockets. - tilin
  • A lot of time has passed :) But I advise you to start a service. - MrBin

1 answer

Administrator rights are required to use raw sockets, and this cannot be circumvented. Here is an excerpt from Microsoft:

SOCK_RAW on Windows 2000 and later

  • OK, and without raw sockets, can you organize something like that, at least for outgoing requests from the employee's PC? - Iceman
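Whatever capture path ends up being used, the buffer that recv() fills in the question's sniffer begins with an IPv4 header, and the sniffer reads it by casting the buffer to a struct. The following is an added, portable example (not code from the question or the answer) that instead parses that header by byte offset with explicit network byte order, honours the IHL field so that headers with options are not misread, and verifies the RFC 791 header checksum before trusting the addresses; the packet bytes are constructed for the example, not captured.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 20-byte IPv4 header, TCP, 10.0.0.5 -> 93.184.216.34, valid checksum. */
static const unsigned char kSample[] = {
    0x45, 0x00, 0x00, 0x3c,  /* version 4, IHL 5 (20 bytes), TOS 0, total length 60 */
    0x1c, 0x46, 0x40, 0x00,  /* identification, flags (DF) + fragment offset 0 */
    0x40, 0x06, 0xde, 0x96,  /* TTL 64, protocol 6 (TCP), header checksum */
    10, 0, 0, 5,             /* source address */
    93, 184, 216, 34         /* destination address */
};

typedef struct { unsigned ihl, total_len, ttl, protocol; char src[16], dst[16]; } ipv4_info;

/* RFC 791 one's-complement sum over the header; a valid header folds to 0. */
static unsigned ipv4_checksum(const unsigned char *h, unsigned ihl) {
    unsigned long sum = 0;
    for (unsigned i = 0; i < ihl; i += 2) sum += (unsigned)(h[i] << 8 | h[i + 1]);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (unsigned)(~sum & 0xffff);
}

/* Parse one IPv4 header from a recv() buffer. Returns 1 on success, 0 if the buffer
 * is too short, is not IPv4, has an impossible IHL/length, or fails the checksum. */
int parse_ipv4(const unsigned char *buf, size_t len, ipv4_info *out) {
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    unsigned ihl = (buf[0] & 0x0f) * 4;              /* options make IHL > 20 */
    if (ihl < 20 || ihl > len) return 0;
    unsigned total = (unsigned)buf[2] << 8 | buf[3]; /* big-endian on the wire */
    if (total < ihl || ipv4_checksum(buf, ihl) != 0) return 0;
    out->ihl = ihl; out->total_len = total;
    out->ttl = buf[8]; out->protocol = buf[9];       /* protocol lives at byte 9 */
    snprintf(out->src, sizeof out->src, "%u.%u.%u.%u", buf[12], buf[13], buf[14], buf[15]);
    snprintf(out->dst, sizeof out->dst, "%u.%u.%u.%u", buf[16], buf[17], buf[18], buf[19]);
    return 1;
}

int main(void) {
    ipv4_info info;
    if (!parse_ipv4(kSample, sizeof kSample, &info)) { puts("invalid header"); return 1; }
    printf("Src:%s Dest:%s proto=%u ttl=%u ihl=%u len=%u\n",
           info.src, info.dst, info.protocol, info.ttl, info.ihl, info.total_len);
    return 0;
}
```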