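#!/usr/bin/perl -nwT
#
# Copyright Hank Leininger , KoreLogic, Inc
#
# This runs as a -n script: everything outside the INIT/END blocks and
# PrintBlob() is executed once per input line, with the line in $_ and
# its line number in $.. -w enables warnings, -T taint mode (the input is
# captured traffic from hostile hosts, so nothing read here is trusted).

INIT {
    # Extract the bare revision number from the RCS Id keyword, e.g. "1.11".
    $::V = '$Id: decode_contentidpost,v 1.11 2007/10/03 04:25:02 hlein Exp $';
    $::V =~ s/^.*,v //;
    $::V =~ s/ .*//;
}

# Read in some POSTs to one of the MarketSpace spyware servers,
# and decompress and print the deflated POST body (i.e., read
# whatever messages were sent up to the mothership by the spyware).
#
# Feed this script with something like:
#   server$ dbgrep -S -e SPY:URL-CONTENTIDPOST 2005May03/dragon.db | \
#           dbgrep -dport 80 | dbcat -D | decode_contentidpost | less
#
# (The second dbgrep is needed to make sure you get only the client-sending
# side of the conversations, not the server responses, which will confuse
# this script.)
#
# Note that the inflated bodies are printed as raw bytes, exactly as the
# spyware sent them; view them through a pager (as above) or another tool
# that escapes control characters rather than on a bare terminal.

INIT {
    # Print usage when given an option-looking first argument, or when there
    # is no file argument and STDIN is a terminal (nothing piped in).
    if ( (@ARGV and $ARGV[0] =~ /^-./) or (-t STDIN and not @ARGV) ) {
        (my $basename = $0) =~ s%.*/%%;
        warn "
Usage: $basename decoded_db_with_binary_data
   or: dbgrep -S -e SPY:URL-CONTENTIDPOST dragon.db | \
       dbgrep -dport 80 | dbcat -D | $basename

$basename version: $::V
";
        exit;
    }
}

use strict;
use Compress::Zlib;

# Accumulated (still deflated) POST body for the session currently being
# read; undef until the start-of-deflated-data marker has been seen.
our ($blob);

exit unless defined($_);

# Are we at the start of a new POST session?
if (/^20[0-9]{2}-[0-9]{2}-[0-9]{2} .*SPY:URL-CONTENTIDPOST/) {
    # skip dupes (they will have nothing for us, anyway)
    next if /repeat=/;
    # if so, print any data from last session, and reset
    PrintBlob($blob);
    $blob = undef;
    print $_;
}
# Are we in the middle of a session?
elsif (/^20[0-9]{2}-[0-9]{2}-[0-9]{2} .*DYNAMIC-TCP.*/) {
    # if so, any data in $blob has an extra \n for nothing
    chomp($blob) if ($blob);
}
# Do we have any data for this session yet?
elsif ($blob and length($blob)) {
    # if so, tack this onto it.
    $blob .= $_;
}
# Do we see the start-of-deflated-data marker?  (x\x9c is the usual
# two-byte zlib stream header; everything before it on the line is dropped.)
elsif (s/^(?:[^x]+(?:x[^\x9c])?)*x\x9c/x\x9c/) {
    # if so, start collecting data.
    $blob = $_;
}

# Flush any pending data blob at EOF
END {
    PrintBlob($blob);
}

# Attempt to inflate and print our blob of POSTed data.
#
# Takes the deflated bytes collected for one session; does nothing when
# given undef or an empty string.  Prints the inflated body followed by a
# newline, or a one-line failure note (with the input line number and
# blob size) when the data is not a complete, well-formed zlib stream.
#
# uncompress() materializes the whole inflated body in memory with no
# size limit, so a deliberately crafted stream can expand to far more
# than the captured bytes; run this on capture files, not live feeds,
# if that matters.
sub PrintBlob {
    my $blob = shift;
    return unless ($blob);
    # uncompress() returns undef on failure.  Test definedness rather than
    # truth so a legitimately empty (or "0") inflated body is not
    # misreported as a decompression failure.
    my $raw = uncompress($blob);
    if (defined $raw) {
        print "$raw\n";
    }
    else {
        print "uncompress failed line $., blob " . length($blob) . " bytes\n";
    }
}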