20楼#
发布于:2002-05-13 09:04
水木清华 -- DriverDev精华区文章阅读
-------------------------------------------------------------------------------- 发信人: Immortal1015 (1015), 信区: WinDDK 标 题: 一个win2000下的IP HOOK DRIVER 发信站: BBS 水木清华站 (Fri Mar 16 08:32:45 2001) 呵呵,因为做这个东东比较容易。 下面是源代码: #include \"ntddk.h\" #include \"ntddndis.h\" #include \"pfhook.h\" #include \"filter.h\" #define PROT_TCP 6 #define NT_DEVICE_NAME L\"\\\\Device\\\\IbanHook\" #define DOS_DEVICE_NAME L\"\\\\DosDevices\\\\IbanHookV1\" NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { PDEVICE_OBJECT deviceObject=NULL; NTSTATUS status; PIPFILTER_INFO deviceInfo; UNICODE_STRING uniNtNameString; UNICODE_STRING uniWin32NameString; UNICODE_STRING uniIPFILTERNameString; PIRP ipFilterIRP=NULL; RtlInitUnicodeString(&uniNtNameString,NT_DEVICE_NAME); //1.创建一个设备 status=IoCreateDevice(DriverObject, sizeof(deviceInfo), &uniNtNameString, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject); if(!NT_SUCCESS(status)) { return status; } DriverObject->MajorFunction[IRP_MJ_CREATE]=SetFilterHook; DriverObject->MajorFunction[IRP_MJ_CLOSE]=CloseFilterHook; DriverObject->DriverUnload=FilterUnload; //2.创建SymbolName RtlInitUnicodeString(&uniWin32NameString,DOS_DEVICE_NAME); status=IoCreateSymbolicLink(&uniWin32NameString,&uniNtNameString); if(!NT_SUCCESS(status)) { IoDeleteDevice(DriverObject->DeviceObject); } deviceInfo=(PIPFILTER_INFO)deviceObject->DeviceExtension; //添加Hook if(deviceObject) { deviceInfo=(PIPFILTER_INFO)deviceObject->DeviceExtension; } RtlInitUnicodeString(&uniIPFILTERNameString, DD_IPFLTRDRVR_DEVICE_NAME); status=IoGetDeviceObjectPointer(&uniIPFILTERNameString, FILE_ALL_ACCESS, &deviceInfo->ipfilter , &deviceInfo->filterObject); deviceInfo->callback.ExtensionPointer= DropTcpPackets; ipFilterIRP=IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, deviceInfo->filterObject , &deviceInfo->callback , sizeof(deviceInfo->callback), NULL, 0, FALSE, NULL, NULL); status=IoCallDriver(deviceInfo->filterObject,ipFilterIRP ); if(!NT_SUCCESS(status)) { 
IoDeleteSymbolicLink(&uniWin32NameString); IoDeleteDevice(DriverObject->DeviceObject); return status; } return STATUS_SUCCESS; } NTSTATUS FilterUnload(PDRIVER_OBJECT DriverObject) { UNICODE_STRING uniWin32NameString; UNICODE_STRING uniIPFILTERNameString; PIRP ipFilterIRP=NULL; NTSTATUS status; PIPFILTER_INFO deviceInfo; //删除挂钩 if(DriverObject->DeviceObject) { deviceInfo=(PIPFILTER_INFO)(DriverObject->DeviceObject)->DeviceExtension; } RtlInitUnicodeString(&uniIPFILTERNameString, DD_IPFLTRDRVR_DEVICE_NAME); status=IoGetDeviceObjectPointer(&uniIPFILTERNameString, FILE_ALL_ACCESS, &deviceInfo->ipfilter , &deviceInfo->filterObject); deviceInfo->callback.ExtensionPointer= NULL; ipFilterIRP=IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, deviceInfo->filterObject , &deviceInfo->callback , sizeof(deviceInfo->callback), NULL, 0, FALSE, NULL, NULL); status=IoCallDriver(deviceInfo->filterObject,ipFilterIRP ); RtlInitUnicodeString(&uniWin32NameString,DOS_DEVICE_NAME); //删除SymbolicLink IoDeleteSymbolicLink(&uniWin32NameString); //删除设备 IoDeleteDevice(DriverObject->DeviceObject); return STATUS_SUCCESS; } //处理IRP_MJ_CREATE NTSTATUS SetFilterHook(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { KdPrint((\"ooh--create\")); Irp->IoStatus.Status=STATUS_SUCCESS; Irp->IoStatus.Information=0; IoCompleteRequest(Irp,IO_NO_INCREMENT); return STATUS_SUCCESS; } //处理IRP_MJ_CLOSE NTSTATUS CloseFilterHook(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) { KdPrint((\"ooh--Close\")); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest( Irp, IO_NO_INCREMENT ); return STATUS_SUCCESS; } // Drop all TCP packets PF_FORWARD_ACTION DropTcpPackets( unsigned char *PacketHeader, unsigned char *Packet, unsigned int PacketLength, unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex, IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop ) { /* if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP) { KdPrint((\"TCP DATA\")); return PF_DROP; }*/ return PF_DROP; 
//return PF_FORWARD; } |
21楼#
发布于:2002-05-13 10:38
这个例子要如何安装到机器上?
是否要自己写安装文件? 终于知道什么是export table了,呵呵,用dumpbin可以看到, 与不知道的共享 example:dumpbin /exports ndis.sys |
22楼#
发布于:2002-05-13 10:59
在pcause上看到这个,证明ndis imd在98&NT上的安装问题,依然是个大问题,
如果谁做过NT上的自动安装,可否讲讲经验! For example, although NDIS Intermediate (IM) drivers are quite effective for packet filtering on the Windows 2000 and Windows XP platforms, they are less practical to use on Windows NT and Windows 9X/ME. Issues that lead to impracticality include: Installation Issues - It may be possible to develop a NDIS IM driver for Windows 9X/ME and Windows NT, but difficult or impossible to install it. Operation On RAS/PPP Adapters - Microsoft does not provide a mechanism to filter packets on RAS/PPP adapters on Windows 9X/ME and Windows NT. Filtering on these adapters is essential for some products. Special Requirements - Some products have functional needs that simply are not provided by the standard NDIS APIs. |
23楼#
发布于:2002-08-02 10:21
up ! up!
24楼#
发布于:2002-08-02 11:16
我用的是hook ndis的方法,看我的贴子
http://www.driverdevelop.com/forum/viewthread.php?tid=19249 http://www.driverdevelop.com/forum/viewthread.php?tid=19246 |
25楼#
发布于:2002-08-02 11:42
我用的是hook ndis的方法,看我的贴子 大侠,你是怎么编译的?没有Makefile,是直接在VC中编译的吗? |
26楼#
发布于:2002-08-02 12:42
装上driverstudio!
27楼#
发布于:2002-08-03 23:35
不需要装DS,只需要在VC里面设置好就可以直接用VC编译啦.
28楼#
发布于:2002-08-05 13:21
REGISTER FAKE PROTOCOL的方法在2K/XP下原理是一样的,而且我还做到了几乎是SOURCE的兼容,这个大家可以去大胆的尝试了,,。。。
但是现在我的问题是:当PFW遭遇SYN FLOOD的时候,驱动就把CPU给占完了,大家对于PFW防止SYN FLOOD有什么好的办法吗?可以讨论讨论吧 |