Case study. Part 4: Creating custom layers and fields

shramos edited this page Oct 1, 2020 · 1 revision

Creating custom layers and fields

Finally, I would like to present the use case where, for some reason (e.g. a network protocol without a public specification), Polymorph is not able to dissect all the layers and fields of the network packet when the template is generated.

For these cases, Polymorph provides us with the ability to create new layers and fields within the template or to modify the type of fields already present.

Modify the type of a field

Modifying the type of a field present in the template is trivial, but it can be very useful when building the functions. Remember that in the functions we must always assume that the fields we access have the type indicated in the template.

In the example shown below we change the type of the field msg from a set of bytes to a string.

PH:cap/t3 > layer mqtt
PH:cap/t3/MQTT > show

---[ MQTT ]---
FT_HEX hdrflags       = 0x30
FT_INT_BE len         = 11
FT_INT_BE topic_len   = 4
FT_STRING topic       = test
FT_BYTES msg          = b'hello'

PH:cap/t3/MQTT > field msg
PH:cap/t3/MQTT/msg > type -a

1: FT_INT_BE
2: FT_INT_LE
3: FT_STRING
4: FT_BYTES
5: FT_BIN_BE
6: FT_BIN_LE
7: FT_HEX
8: FT_ETHER
9: FT_IPv4
10: FT_IPv6
11: FT_ABSOLUTE_TIME
12: FT_RELATIVE_TIME
13: FT_EUI64

Select the type of the field: 3
[+] New type Ftype.FT_STRING added to the field.

PH:cap/t3/MQTT/msg > back
PH:cap/t3/MQTT > show

---[ MQTT ]---
FT_HEX hdrflags       = 0x30
FT_INT_BE len         = 11
FT_INT_BE topic_len   = 4
FT_STRING topic       = test
FT_STRING msg         = hello

PH:cap/t3/MQTT >

Add new layers and fields

Adding new layers and fields is very useful when Polymorph is not able to dissect the entire network packet; this usually happens with protocols that have no public specification.

To add a new layer, all we have to do is execute the command layer -a new_layer. Polymorph will then ask us for some values, such as the layer's position within the bytes of the network packet.

PH:cap/t3 > layer -a new_layer
00000000: 00 0C 29 72 3C 22 00 0C  29 54 0D 00 08 00 45 02  ..)r<"..)T....E.
00000010: 00 41 8A 44 40 00 40 06  A0 13 C0 A8 47 8A C0 A8  .A.D@.@.....G...
00000020: 47 82 C4 6E 07 5B 7E 4E  FE 7B 53 2C 2B 04 80 18  G..n.[~N.{S,+...
00000030: 00 E5 98 E2 00 00 01 01  08 0A 50 2C C1 A1 E3 F9  ..........P,....
00000040: B4 3B 30 0B 00 04 74 65  73 74 68 65 6C 6C 6F     .;0...testhello

Start byte of the custom layer: 50
End byte of the custom layer: 79
[+] New layer new_layer added to the Template

PH:cap/t3 > show 

---[ ETH ]---
FT_ETHER dst          = 00:0c:29:72:3c:22
FT_ETHER src          = 00:0c:29:54:0d:00
FT_HEX type           = 0x800

---[ IP ]---
FT_BIN_BE version     = 4
FT_BIN_BE hdr_len     = 5
FT_HEX dsfield        = 0x2
FT_INT_BE len         = 65
FT_HEX id             = 0x8a44
FT_HEX flags          = 0x4000
FT_INT_BE ttl         = 64
FT_INT_BE proto       = 6
FT_HEX checksum       = 0xa013
FT_IPv4 src           = 192.168.71.138
FT_IPv4 addr          = 192.168.71.130

---[ TCP ]---
FT_INT_BE srcport     = 50286
FT_INT_BE dstport     = 1883
FT_HEX len            = 0x80
FT_HEX seq            = 0x7e4efe7b
FT_HEX ack            = 0x532c2b04
FT_BIN_BE flags       = 24
FT_INT_BE window_size_value= 229
FT_HEX checksum       = 0x98e2
FT_INT_BE urgent_pointer= 0
FT_BYTES options      = b'\x01\x01\x08\nP,\xc1\xa1\xe3\xf9\xb4;'
FT_BYTES payload      = b'0\x0b\x00\x04testhello'

---[ MQTT ]---
FT_HEX hdrflags       = 0x30
FT_INT_BE len         = 11
FT_INT_BE topic_len   = 4
FT_STRING topic       = test
FT_STRING msg         = hello

---[ NEW_LAYER ]---

PH:cap/t3 >

Creating a new field is also a simple task: all we have to do is access the layer where we want to create the new field and execute the command field -a new_field.

PH:cap/t0 > layer new_layer 
PH:cap/t0/NEW_LAYER > field -a new_field 
00000000: 00 0C 29 72 3C 22 00 0C  29 54 0D 00 08 00 45 02  ..)r<"..)T....E.
00000010: 00 41 8A 44 40 00 40 06  A0 13 C0 A8 47 8A C0 A8  .A.D@.@.....G...
00000020: 47 82 C4 6E 07 5B 7E 4E  FE 7B 53 2C 2B 04 80 18  G..n.[~N.{S,+...
00000030: 00 E5 98 E2 00 00 01 01  08 0A 50 2C C1 A1 E3 F9  ..........P,....
00000040: B4 3B 30 0B 00 04 74 65  73 74 68 65 6C 6C 6F     .;0...testhello 

Start byte of the custom field: 74
End byte of the custom field: 79

1: FT_INT_BE
2: FT_INT_LE
3: FT_STRING
4: FT_BYTES
5: FT_BIN_BE
6: FT_BIN_LE
7: FT_HEX
8: FT_ETHER
9: FT_IPv4
10: FT_IPv6
11: FT_ABSOLUTE_TIME
12: FT_RELATIVE_TIME
13: FT_EUI64

Select the type of the field: 3
[+] Field new_field added to the layer

PH:cap/t0/NEW_LAYER > show

---[ NEW_LAYER ]---
FT_STRING new_field   = hello

PH:cap/t0/NEW_LAYER > 

All new layers and fields created support the same manipulations and accesses as the original layers and fields dissected by Polymorph.
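The following Python script is an added illustration of what the template records in the two procedures above (changing a field's type, and adding a layer and a field by byte offsets); it is not Polymorph's own code. It models a layer as a byte range of the packet and a field as a byte range plus an FT_* type, and decodes the packet bytes transcribed from the hexdump shown above. Two assumptions are made: end offsets are treated as exclusive, which is the reading under which the page's field 74..79 yields "hello" and layer 50..79 reaches the last of the 79 bytes; and the MQTT message is taken to start at byte 66 (the 0x30 in the dump), an offset derived from the hexdump rather than stated on the page. Bit-sized types such as FT_BIN_BE are left out.

```python
"""Decode packet byte ranges the way a Polymorph template describes them
(illustrative code, not Polymorph's implementation)."""
from ipaddress import IPv4Address, IPv6Address

# The 79-byte packet transcribed from the hexdump on this page
# (Ethernet / IPv4 / TCP / MQTT PUBLISH, topic "test", message "hello").
PACKET = bytes.fromhex(
    "00 0c 29 72 3c 22 00 0c 29 54 0d 00 08 00 45 02 "
    "00 41 8a 44 40 00 40 06 a0 13 c0 a8 47 8a c0 a8 "
    "47 82 c4 6e 07 5b 7e 4e fe 7b 53 2c 2b 04 80 18 "
    "00 e5 98 e2 00 00 01 01 08 0a 50 2c c1 a1 e3 f9 "
    "b4 3b 30 0b 00 04 74 65 73 74 68 65 6c 6c 6f"
)

# Byte-aligned field types from the type menu on this page, mapped to a decoder.
DECODERS = {
    "FT_BYTES": lambda b: b,
    "FT_STRING": lambda b: b.decode("ascii"),
    "FT_INT_BE": lambda b: int.from_bytes(b, "big"),
    "FT_INT_LE": lambda b: int.from_bytes(b, "little"),
    "FT_HEX": lambda b: hex(int.from_bytes(b, "big")),
    "FT_ETHER": lambda b: ":".join(f"{x:02x}" for x in b),
    "FT_IPv4": lambda b: str(IPv4Address(b)),
    "FT_IPv6": lambda b: str(IPv6Address(b)),
}


def decode_field(raw, start, end, ftype):
    """Interpret raw[start:end] (end exclusive, an assumption) as the given type."""
    if not (0 <= start < end <= len(raw)):
        raise ValueError(f"range {start}:{end} is outside the {len(raw)}-byte packet")
    if ftype not in DECODERS:
        raise ValueError(f"unsupported field type {ftype}")
    return DECODERS[ftype](raw[start:end])


class CustomLayer:
    """A named byte range; every field added to it must lie inside that range."""

    def __init__(self, name, start, end):
        self.name, self.start, self.end = name.upper(), start, end
        self.fields = {}  # name -> (start, end, ftype)

    def add_field(self, name, start, end, ftype):
        if not (self.start <= start < end <= self.end):
            raise ValueError(f"field {name} {start}:{end} is outside layer "
                             f"{self.name} {self.start}:{self.end}")
        self.fields[name] = (start, end, ftype)
        return self

    def set_type(self, name, ftype):
        """Equivalent of the page's `type -a`: same bytes, new interpretation."""
        start, end, _ = self.fields[name]
        self.fields[name] = (start, end, ftype)

    def show(self, raw):
        return {n: decode_field(raw, s, e, t) for n, (s, e, t) in self.fields.items()}


def page_example(raw=PACKET):
    """The walk-through above: layer 50:79 with new_field 74:79 as FT_STRING."""
    layer = CustomLayer("new_layer", 50, 79).add_field("new_field", 74, 79, "FT_STRING")
    return layer.show(raw)


def mqtt_from_offsets(raw=PACKET):
    """Rebuild the MQTT layer at offset 66 (derived from the dump) and show the
    msg field before and after the FT_BYTES -> FT_STRING type change."""
    mqtt = (CustomLayer("mqtt", 66, 79)
            .add_field("hdrflags", 66, 67, "FT_HEX")
            .add_field("len", 67, 68, "FT_INT_BE")
            .add_field("topic_len", 68, 70, "FT_INT_BE")
            .add_field("topic", 70, 74, "FT_STRING")
            .add_field("msg", 74, 79, "FT_BYTES"))
    before = mqtt.show(raw)
    mqtt.set_type("msg", "FT_STRING")
    return before, mqtt.show(raw)


def header_fields(raw=PACKET):
    """Cross-check the decoder against values in the page's `show` output."""
    eth = (CustomLayer("eth", 0, 14)
           .add_field("dst", 0, 6, "FT_ETHER").add_field("type", 12, 14, "FT_HEX"))
    ip = (CustomLayer("ip", 14, 34)
          .add_field("len", 16, 18, "FT_INT_BE").add_field("ttl", 22, 23, "FT_INT_BE")
          .add_field("src", 26, 30, "FT_IPv4").add_field("dst", 30, 34, "FT_IPv4"))
    tcp = (CustomLayer("tcp", 34, 66)
           .add_field("srcport", 34, 36, "FT_INT_BE").add_field("dstport", 36, 38, "FT_INT_BE")
           .add_field("window", 48, 50, "FT_INT_BE").add_field("checksum", 50, 52, "FT_HEX"))
    out = {}
    for layer in (eth, ip, tcp):
        out.update({f"{layer.name}.{k}": v for k, v in layer.show(raw).items()})
    return out


if __name__ == "__main__":
    print(page_example())
    print(mqtt_from_offsets())
    print(header_fields())
```

The before/after pair returned by mqtt_from_offsets is the practical point of the type-change section: a function that compares the field against "hello" only works once the template says FT_STRING, because with FT_BYTES the same five bytes arrive as b'hello'. The bounds check in add_field is the one check worth carrying into any script that edits templates by hand: a field whose range falls outside its layer is a silent mis-dissection rather than an error.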