Commit

updated the doc about quick_sniff
oryair1 committed Aug 12, 2024
1 parent da0b3a7 commit fb536e0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/doc_quick_sniff.md
Expand Up @@ -18,7 +18,7 @@ quick_sniff is really a DLL that is injected into the Quick Share for Windows ap
### Parameters
Since quick_sniff is a DLL and not a command line tool, we created two constant variables at the top of the `quick_sniff.cc` file that is compiled into `quick_sniff.dll`. These are their names and purpose:
* `LOG_FILE_PATH`: A path to a log file to create. The sent and received packets will be logged into this log file.
* `PACKET_FLOW_DIR_PATH`: A path to a directory to save files in our custom format that contain sequences of sent packets. For each session between two Quick Share devices, two files will be created. Each of them contains the sequence of packets that were sent by one of the participated devices. The format is very simple - 4 bytes of length in little endian, followed by a serialized packet (the packets that Quick Share uses are called OfflineFrame, and they are defined by Protobuf. So, a serialized packet means a Protobuf serialized OfflineFrame)
* `PACKET_FLOW_DIR_PATH`: A path to a directory to save files in our custom format that contain sequences of sent packets. For each session between two Quick Share devices, two files will be created. Each of them contains the sequence of packets that were sent by one of the participated devices. The format is very simple - 4 bytes of length in little endian, followed by a serialized packet (the packets that Quick Share uses are called OfflineFrame, and they are defined by Protobuf. So, a serialized packet means a Protobuf serialized OfflineFrame). To better understand the custom format, read the docs about [**pack_packet_flows & parse_packet_flows**](/docs/doc_pack_parse_packet_flows.md)

### Advanced Parameters
quick_sniff works by hooking the most basic Read & Write functions that are used by Quick Share to send and receive packets using any communication method. They don't have symbols inside the compiled binary, and so we must set their addresses (offsets) statically per the version of the Quick Share app. We set the addresses to the addresses of these functions in the vulnerable version of Quick Share that is present in this repository. If you want to sniff packets on a different version, you'll have to modify the addresses. Quick explanations for how to find these functions in a disassembler are written in comments in `quick_sniff.cc`. The names of these functions in Quick Share's source code are:
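Review bot: the rewritten `PACKET_FLOW_DIR_PATH` bullet still leaves the record layout underspecified: "4 bytes of length in little endian, followed by a serialized packet" should say that the length is the byte length of the serialized OfflineFrame that immediately follows it, so readers writing their own parser know the length does not include the 4-byte prefix itself; consider "4 bytes, the little-endian length of the serialized OfflineFrame that follows, then the serialized OfflineFrame". Two smaller wording points in the same line: "one of the participated devices" should read "one of the participating devices", and the link target `/docs/doc_pack_parse_packet_flows.md` is root-relative, so it resolves on GitHub but will break if the docs directory is ever rendered on its own; `doc_pack_parse_packet_flows.md` (relative to `docs/`) would work in both places.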
