connectioninfo.h
/\lex
09-28-2002, 10:01 AM
Is the following declaration from connectioninfo.h correct?
struct Connection
{
    Connection() { dwBlockReason = 0; protocolNo = 0; }
    ~Connection();
    bool bReported;
    bool bInterfaceDisplayed;
    DWORD hAddress;             //connection identifier (hAddress)
    DWORD dwConnID;             //connection identifier (hConnection)
    long bAllowed;              //allowed/blocked
    Direction direction;        //inbound/outbound
    DWORD dwIPHost;             //remote addr
    DWORD dwIPLocal;            //local addr
    long nRemotePort;           //remote port
    long nLocalPort;            //local port
    Prot protocol;              //protocol
    COleDateTime timeStart;     //connection start time
    COleDateTime timeUp;        //connection start time
    DWORD dwBytesSent;          //sent bytes statistic
    DWORD dwBytesRecvd;         //received bytes statistic
    HANDLE hProcess;            //the host application module handle
    CString strModuleName;      //GetModuleFileName( hAppModule )
    POSITION posApp;
    bool bCurrentSession;
    CPtrList listHTTP;
    long protocolNo;
    DWORD dwBlockReason;
    //if blocked, it is the block reason. If allowed, it is the allow reason. You can't change this member directly, use
    //g_pRuntime->pConnectionList->SetBlockReasonToConnection( pconnection, dwReason );
};
Hi Alex, welcome aboard.
Structure looks OK, what's your problem/question?
/\lex
09-28-2002, 11:34 PM
I am working with Muchod's HTTPLog Plug-In and in order to get a correct pointer to 'Connection' I must modify it in the following way:
httplog.cpp
-----------------------------------------------------------
void CPlugin::ProcessDriverMessage( void *pdata ) {
    ..........................
    if ( event->cnn != 0 ) {
        pConnection = g_pRuntime->pConnectionList->FindConnection( event->cnn, 0 );
        //--------------------------------------------------------------
        pConnection = (Connection*) ((char*)pConnection + 4); //my modification
        //--------------------------------------------------------------
        if ( pConnection ) {
            event->appname = new char[strlen(pConnection->strModuleName) + 1];
            ..........................
}
System: Win2000 Svr, MS Visual C++ 6.0, Outpost 1.0.1817
/\lex
09-29-2002, 03:34 AM
The same thing in the Content Blocking Plug-in:
content.cpp
-----------------------------------------------------------
void CContentInfo::ProcessDriverMessage( void *pdata )
{
    .................................................
    if( pMsg->Message == ADBLOCK_MSG_HOST_BLOCKED ||
        pMsg->Message == ADBLOCK_MSG_STOPWORD )
    {
        Connection *pconnection = g_pRuntime->pConnectionList->FindConnection( dwConnectionHandle, 0 );
        //--------------------------------------------------------------
        pconnection = (Connection*) ((char*)pconnection + 4); //my modification
        //--------------------------------------------------------------
        pMsg->Data[pMsg->Length - sizeof(VFILT_MESSAGE)] = 0;
        ....................................................
muchod
09-29-2002, 09:30 AM
Yes, I remember I did a modification directly in a SDK header structure. Agnitum did some modifications and the SDK is not updated...
I don't have the file here, tomorrow I'll confirm to you the change.
Regards,
muchod
09-29-2002, 10:28 PM
Confirmed, it's the header I modified to make my plugin working.
This is the struct I use (I'm not sure whether the dummy DWORD is placed at the correct offset or must be put before, but the following data is ok).
struct Connection
{
    Connection() { dwBlockReason = 0; protocolNo = 0; }
    ~Connection();
    bool bReported;
    bool bInterfaceDisplayed;
    DWORD hAddress;             //connection identifier (hAddress)
    DWORD dwConnID;             //connection identifier (hConnection)
    DWORD dummy;                //muchod !!!!!!!!WARNING!!!!!!!!
    long bAllowed;              //allowed/blocked
    Direction direction;        //inbound/outbound
    DWORD dwIPHost;             //remote addr
    DWORD dwIPLocal;            //local addr
    long nRemotePort;           //remote port
    long nLocalPort;            //local port
    Prot protocol;              //protocol
    COleDateTime timeStart;     //connection start time
    COleDateTime timeUp;        //connection start time
    DWORD dwBytesSent;          //sent bytes statistic
    DWORD dwBytesRecvd;         //received bytes statistic
    HANDLE hProcess;            //the host application module handle
    CString strModuleName;      //GetModuleFileName( hAppModule )
    POSITION posApp;
    bool bCurrentSession;
    CPtrList listHTTP;
    long protocolNo;
    DWORD dwBlockReason;
    //if blocked, it is the block reason. If allowed, it is the allow reason. You can't change this member directly, use
    //g_pRuntime->pConnectionList->SetBlockReasonToConnection( pconnection, dwReason );
};
/\lex
09-30-2002, 02:39 AM
As far as I tested the dummy DWORD should be before 'bReported'.
muchod
09-30-2002, 02:46 AM
Originally posted by /\lex
As far as I tested the dummy DWORD should be before 'bReported'.
Maybe; I didn't test much, since I got access to all the data I needed and I was expecting a new SDK update for the 2.0 version (I was too optimistic :) )
Regards,
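Added example (not code from this thread or from the Outpost SDK): it models the leading fields of `Connection` under the two dummy placements discussed by muchod and /\lex above, plus the `(char*)p + 4` hack from the earlier plug-in posts, and uses offsetof to show which fields each assumption moves. Assumptions of mine: DWORD/long/enum are 4 bytes, bool is 1 byte, 32-bit natural alignment; the names SdkConn, MidConn and FrontConn are invented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
/* Models of the leading fields of `Connection` only. Assumed (not from the SDK):
 * DWORD/long/enum are 4 bytes, bool is 1 byte, natural 32-bit alignment. The MFC
 * members further down (COleDateTime, CString ...) cannot move these offsets. */
typedef struct {               /* as published in connectioninfo.h */
    bool bReported, bInterfaceDisplayed;
    uint32_t hAddress, dwConnID;
    uint32_t bAllowed, direction, dwIPHost, dwIPLocal;
    uint32_t nRemotePort, nLocalPort, protocol;
} SdkConn;
typedef struct {               /* muchod: dummy DWORD after dwConnID */
    bool bReported, bInterfaceDisplayed;
    uint32_t hAddress, dwConnID, dummy;
    uint32_t bAllowed, direction, dwIPHost, dwIPLocal;
    uint32_t nRemotePort, nLocalPort, protocol;
} MidConn;
typedef struct {               /* /\lex: dummy DWORD before bReported */
    uint32_t dummy;
    bool bReported, bInterfaceDisplayed;
    uint32_t hAddress, dwConnID;
    uint32_t bAllowed, direction, dwIPHost, dwIPLocal;
    uint32_t nRemotePort, nLocalPort, protocol;
} FrontConn;
/* Offset at which the "(char*)p + 4" hack, reading via the SDK layout, finds f. */
#define HACK_OFF(f) (offsetof(SdkConn, f) + 4)
#define SAME(A, B, f) (offsetof(A, f) == offsetof(B, f))

/* 1 if the +4 hack lands on the FrontConn offset of every field: the hack
 * silently assumes the dummy sits in front of bReported. */
int hack_matches_front(void) {
    return HACK_OFF(bReported) == offsetof(FrontConn, bReported)
        && HACK_OFF(hAddress) == offsetof(FrontConn, hAddress)
        && HACK_OFF(dwConnID) == offsetof(FrontConn, dwConnID)
        && HACK_OFF(protocol) == offsetof(FrontConn, protocol);
}

/* 1 if both placements agree from bAllowed onward ("the following data is
 * ok"): the 2 padding bytes after the two bools absorb the difference. */
int placements_agree_after_ids(void) {
    return SAME(MidConn, FrontConn, bAllowed) && SAME(MidConn, FrontConn, dwIPHost)
        && SAME(MidConn, FrontConn, nLocalPort) && SAME(MidConn, FrontConn, protocol);
}

/* 1 if they disagree on the identifier fields: only hAddress/dwConnID can
 * reveal which layout the running driver really uses. */
int placements_differ_on_ids(void) {
    return !SAME(MidConn, FrontConn, hAddress) && !SAME(MidConn, FrontConn, dwConnID);
}
```

The checks show that the +4 hack is exactly the "dummy in front" layout, and that the two placements differ only in where hAddress and dwConnID land. Comparing the dwConnID read through the assumed layout with the handle that was passed to FindConnection is the cheapest way to confirm the layout before dereferencing strModuleName.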
/\lex
09-30-2002, 06:53 AM
In order to make the Content Blocking and the Attack Detection plug-ins work, I inserted 12 dummy bytes into the class 'OutpostRuntime' from runtimeinfo.h:
class OutpostRuntime
{
public:
    IConnectionList *pConnectionList;
    IDNS *pDNS;
    IPortTokenizer *pTokenizerTCP;
    IPortTokenizer *pTokenizerUDP;
    ITokenizerICMP *pTokenizerICMP;
    IApplicationList *pApplicationList;
    IDriverCfg *pDrvConfig;
    ILog *pLog;
    ILearningQuery *pLearningQuery;
    IOutpostPropBag *pPropertyBag;
    long m_lFirewallBlockCounter,
         m_lWebBlockCounter;
    bool m_bOverwrite;
    long m_nStoreDays;
    DWORD m_dwMaxSize;
    bool g_bShowLog;
    HWND m_hwndMain, m_hwndOutpost;
    bool m_bWindowsNT;
    void *debug_ptr;
public:
    //---------------------------------------------------------------------
    char dummy[12]; // my modification
    //----------------------------------------------------------------------
    bool (*pfnQueryPassword)();
    ............................................................
};
Maybe the dummy bytes should be placed higher (I didn't test).
So, does Agnitum have proper headers?
Danil
10-09-2002, 01:53 AM
Originally posted by /\lex
Is the following declaration from connectioninfo.h correct?
In the SDK header you can see that it relates to driver 228. The current version uses driver 242. Unfortunately we didn't have enough time to update this documentation in time.
I sent the thread to the SDK creator. Hope he will update it soon.