Modifying Capture

Capture is a honeyclient implementation by the Honeynet Alliance. We use a modified version of the client portion of Capture 2.0, to which we have added features as needed. The code retains its GPL license and is available in the capture-mod repository. It can be checked out in the usual way, substituting "capture-mod" for "honeyclient".

Development Environment

In order to make modifications to Capture, you will first need to obtain its prerequisites. Detailed instructions are available here. However, we have the following recommendations:

To make it easier to adjust environment variables while setting up the development environment, and to ensure the required variables are always set when compiling, we recommend creating a batch file and placing it in the directory where the Visual Studio command prompt opens initially (in our case, F:\Program Files\Microsoft Visual Studio 8\VC). You can then simply run the batch file and all of your paths are guaranteed to be set correctly. An example batch file, with all the paths required by the Capture documentation, looks like this:

  cd F:\capture-mod
  set INCLUDE=%INCLUDE%;F:\Boost;F:\Program Files\Microsoft Platform SDK\Include;...
  set LIB=%LIB%;F:\boost_1_34_0\lib;F:\Program Files\Microsoft Platform SDK\Lib;...
  set WNETBASE=F:\WinDDK\6000
  set PATH=%PATH%;F:\WinDDK\6000\bin;F:\capture-mod\ddkbuild_v70b7;...

It is also possible to modify the Visual Studio project so that you build the files from within it rather than via the makefile. However, this is not recommended unless you are very comfortable with Visual Studio and are already familiar with how the makefile works, in particular all of its post-build events.

Also, note that the Capture makefile has been modified to remove the clean step before every build so that the project builds faster. If you are modifying the kernel modules, it is recommended that you add that step back in, for safety. The solution file has likewise been modified so that the makefile only builds the release configurations, not the debug ones, again for faster compiles. Debug builds through the makefile can be re-enabled from Visual Studio by going to Build→Configuration Manager and checking the boxes for the configurations you want enabled or disabled. Then go to the Solution Explorer side bar, select "Solution 'CaptureClient'" and go to File→Save CaptureClient.sln.

Once your build environment is set up, you should be able to compile with either "nmake release-bat" or "nmake release-hpc", as described in the Capture documentation. The difference is primarily in the post-build events. "release-bat" produces CaptureBat.exe in the capture-mod/install directory. CaptureBat is meant to run standalone, and it is how we built Capture before the SOAP server was integrated. "release-hpc" builds the "full" Capture client, capture-mod/install/CaptureClient.exe, and also builds the plugins needed to run other applications such as Internet Explorer. This is the build method that must be used now that Capture runs without our Perl Agent.pm being responsible for driving IE.

Boost Signals

Talk about how we signal the visitor thread. Talk about how SOAP functions are signaled on reg/file/proc events.

gSOAP

Talk about using soapcpp2.exe to autogenerate code when modifying captureGSOAP.h

b64

We use b64 version 1.3.3 from http://www.synesis.com.au/software/b64.html to provide base64 encoding/decoding.