feitianwohong

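How to display the data from PtReceive and PtReceivePacket in NDIS in a console program

Original poster #
Posted: 2009-05-18 17:30
As in the title:
How to display the data from PtReceive and PtReceivePacket in NDIS in a console program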
NDIS_STATUS
PtReceive(
    IN NDIS_HANDLE ProtocolBindingContext,
    IN NDIS_HANDLE MacReceiveContext,
    IN PVOID HeaderBuffer,
    IN UINT HeaderBufferSize,
    IN PVOID LookAheadBuffer,
    IN UINT LookAheadBufferSize,
    IN UINT PacketSize
    )
/*++

Routine Description:

    Handle receive data indicated up by the miniport below. We pass
    it along to the protocol above us.

    If the miniport below indicates packets, NDIS would more
    likely call us at our ReceivePacket handler. However we
    might be called here in certain situations even though
    the miniport below has indicated a receive packet, e.g.
    if the miniport had set packet status to NDIS_STATUS_RESOURCES.

Arguments:

    <see DDK ref page for ProtocolReceive>

Return Value:

    NDIS_STATUS_SUCCESS if we processed the receive successfully,
    NDIS_STATUS_XXX error code if we discarded it.

--*/
{
    PADAPT pAdapt = (PADAPT)ProtocolBindingContext;
    PNDIS_PACKET MyPacket, Packet;
    NDIS_STATUS Status = NDIS_STATUS_SUCCESS;

    if ((!pAdapt->MiniportHandle) || (pAdapt->MPDeviceState > NdisDeviceStateD0))
    {
        Status = NDIS_STATUS_FAILURE;
    }
    else do
    {
        // BEGIN_PTEX_FILTER
        BOOLEAN bPass;

        bPass = FltFilterReceive(
                    pAdapt,
                    MacReceiveContext,
                    HeaderBuffer,
                    HeaderBufferSize,
                    LookAheadBuffer,
                    LookAheadBufferSize,
                    PacketSize
                    );

        if (!bPass)
        {
            // Reject this packet
            Status = NDIS_STATUS_SUCCESS;
            break;
        }

        // END_PTEX_FILTER
        //
        // Get at the packet, if any, indicated up by the miniport below.
        //
        Packet = NdisGetReceivedPacket(pAdapt->BindingHandle, MacReceiveContext);
        if (Packet != NULL)
        {
            //
            // The miniport below did indicate up a packet. Use information
            // from that packet to construct a new packet to indicate up.
            //

#ifdef NDIS51
            //
            // NDIS 5.1 NOTE: Do not reuse the original packet in indicating
            // up a receive, even if there is sufficient packet stack space.
            // If we had to do so, we would have had to overwrite the
            // status field in the original packet to NDIS_STATUS_RESOURCES,
            // and it is not allowed for protocols to overwrite this field
            // in received packets.
            //
#endif // NDIS51

            //
            // Get a packet off the pool and indicate that up
            //
            NdisDprAllocatePacket(&Status,
                                  &MyPacket,
                                  pAdapt->RecvPacketPoolHandle);

            if (Status == NDIS_STATUS_SUCCESS)
            {
                MyPacket->Private.Head = Packet->Private.Head;
                MyPacket->Private.Tail = Packet->Private.Tail;

                //
                // Get the original packet (it could be the same packet as the
                // one received or a different one based on the number of layered
                // miniports below) and set it on the indicated packet so the OOB
                // data is visible correctly at protocols above.
                //
                NDIS_SET_ORIGINAL_PACKET(MyPacket, NDIS_GET_ORIGINAL_PACKET(Packet));
                NDIS_SET_PACKET_HEADER_SIZE(MyPacket, HeaderBufferSize);

                //
                // Copy packet flags.
                //
                NdisGetPacketFlags(MyPacket) = NdisGetPacketFlags(Packet);

                //
                // Force protocols above to make a copy if they want to hang
                // on to data in this packet. This is because we are in our
                // Receive handler (not ReceivePacket) and we can't return a
                // ref count from here.
                //
                NDIS_SET_PACKET_STATUS(MyPacket, NDIS_STATUS_RESOURCES);

                //
                // By setting NDIS_STATUS_RESOURCES, we also know that we can reclaim
                // this packet as soon as the call to NdisMIndicateReceivePacket
                // returns.
                //

                // Packet analysis function
                ReceivePacketAnalysis(MyPacket);

                NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &MyPacket, 1);

                //
                // Reclaim the indicated packet. Since we had set its status
                // to NDIS_STATUS_RESOURCES, we are guaranteed that protocols
                // above are done with it.
                //
                NdisDprFreePacket(MyPacket);

                break;
            }
        }
        else
        {
            //
            // The miniport below us uses the old-style (not packet)
            // receive indication. Fall through.
            //
        }

        //
        // Fall through if the miniport below us has either not
        // indicated a packet or we could not allocate one
        //
        pAdapt->IndicateRcvComplete = TRUE;
        switch (pAdapt->Medium)
        {
            case NdisMedium802_3:
            case NdisMediumWan:
                NdisMEthIndicateReceive(pAdapt->MiniportHandle,
                                        MacReceiveContext,
                                        HeaderBuffer,
                                        HeaderBufferSize,
                                        LookAheadBuffer,
                                        LookAheadBufferSize,
                                        PacketSize);
                break;

            case NdisMedium802_5:
                NdisMTrIndicateReceive(pAdapt->MiniportHandle,
                                       MacReceiveContext,
                                       HeaderBuffer,
                                       HeaderBufferSize,
                                       LookAheadBuffer,
                                       LookAheadBufferSize,
                                       PacketSize);
                break;

            case NdisMediumFddi:
                NdisMFddiIndicateReceive(pAdapt->MiniportHandle,
                                         MacReceiveContext,
                                         HeaderBuffer,
                                         HeaderBufferSize,
                                         LookAheadBuffer,
                                         LookAheadBufferSize,
                                         PacketSize);
                break;

            default:
                ASSERT(FALSE);
                break;
        }

    } while(FALSE);

    return Status;
}
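// Packet analysis function called from PtReceive.
// A prototype for it must appear before PtReceive, which calls it.
#define ANALYSIS_BUFFER_SIZE 2048

VOID
ReceivePacketAnalysis(
    IN PNDIS_PACKET Packet
    )
{
    NDIS_STATUS status;
    PNDIS_BUFFER NdisBuffer = NULL;
    UINT TotalPacketLength = 0, copysize = 0, DataOffset = 0, PhysicalBufferCount, BufferCount;
    PUCHAR mybuffer = NULL, tembuffer = NULL;
    // No upper limit on the physical address of the allocation
    NDIS_PHYSICAL_ADDRESS HighestAcceptableMax = NDIS_PHYSICAL_ADDRESS_CONST(-1, -1);

    // Packet is assumed to be the packet obtained in PtReceive or a similar handler
    NdisQueryPacket(Packet,               // first get the pointer to the first NDIS_BUFFER
                    &PhysicalBufferCount,
                    &BufferCount,
                    &NdisBuffer,          // NdisBuffer points to the head of the chain
                    &TotalPacketLength);
    // NdisBuffer = Packet->Private.Head; would also give the first buffer directly

    // Allocate the memory block
    status = NdisAllocateMemory((PVOID *)&mybuffer, ANALYSIS_BUFFER_SIZE, 0, HighestAcceptableMax);
    if (status != NDIS_STATUS_SUCCESS)
        return;                           // the function is VOID, so no status is returned
    NdisZeroMemory(mybuffer, ANALYSIS_BUFFER_SIZE);

    // Walk the NDIS_BUFFER chain; a NULL pointer means the end of the chain.
    // The chain can also be walked with NdisBuffer = NdisBuffer->Next
    // instead of NdisGetNextBuffer.
    while (NdisBuffer != NULL)
    {
        // Get the start address and size of the data described by this NDIS_BUFFER
        NdisQueryBufferSafe(NdisBuffer, (PVOID *)&tembuffer, &copysize, NormalPagePriority);
        if (tembuffer == NULL)
            break;                        // the buffer could not be mapped

        // Never copy past the end of mybuffer: truncate an oversized packet
        if (copysize > ANALYSIS_BUFFER_SIZE - DataOffset)
            copysize = ANALYSIS_BUFFER_SIZE - DataOffset;

        // Copy the data into the memory block
        NdisMoveMemory(mybuffer + DataOffset, tembuffer, copysize);
        DataOffset += copysize;
        if (DataOffset == ANALYSIS_BUFFER_SIZE)
            break;

        // Get the pointer to the next NDIS_BUFFER
        NdisGetNextBuffer(NdisBuffer, &NdisBuffer);
    }

    // packet_buffer=mybuffer;
    // Copy or queue the DataOffset bytes in mybuffer for the application here,
    // before the block is released; otherwise every received packet leaks 2048 bytes.
    NdisFreeMemory(mybuffer, ANALYSIS_BUFFER_SIZE, 0);
}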

I want to display, in a console program, the contents of mybuffer obtained in this code section:
// Packet analysis function
ReceivePacketAnalysis(MyPacket);
LincolnII
Reply #1
Posted: 2009-05-18 22:36
Why hasn't anyone replied?
feitianwohong
Reply #2
Posted: 2009-05-18 22:59
Bumping my own thread.....
jyzhaiyf
Reply #3
Posted: 2009-05-19 13:23
Handle the communication with the application layer.
CC_dbger
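Reply #4
Posted: 2009-05-20 09:44
Map mybuffer into user mode: you can first make it directly accessible through an MDL, then pass the address of mybuffer to the application layer with DeviceIoControl(), so the application layer can access it directly. Use a listctrl control and a CString object to read the data out and display it. However, most of the data is encrypted, so what you read out is all garbage. You can also convert it to hexadecimal form, but that is a bit of a hassle.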
feitianwohong
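Reply #5
Posted: 2009-05-20 10:22
I am sure the part of the data I want to display is not encrypted.
I checked it by capturing packets with fairly low-level software, and the captured packets are entirely plaintext.
To be honest, I want to build a SQL firewall that blocks malicious SQL code:
intercept the packets at the driver layer, inspect them at the application layer, then send the result back to control the driver's behavior.
Experts, please help!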
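
The driver-to-application path discussed in replies #3 to #5, as an added example that is not part of any post: a portable user-mode C model in which the receive path queues a bounded copy of each frame, an IOCTL-style read copies the oldest frame into the caller's buffer only after checking its size (rather than handing a kernel address to the application), and the console side renders the bytes as hex and ASCII. The names `capture_push`, `capture_pop` and `hex_row` and the queue depth are assumptions; in a driver the queue would be guarded by a spin lock and `capture_pop` would run in the device-control handler.

```c
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 2048          /* same capacity as mybuffer in the post */
#define SLOT_COUNT 8            /* assumed queue depth */

typedef struct { unsigned len; unsigned char data[SLOT_SIZE]; } capture_slot;
static capture_slot ring[SLOT_COUNT];
static unsigned head, tail;     /* head = next write, tail = next read */

/* Receive path: queue a truncated copy of one frame; 0 means the queue was
   full and the frame was not captured. A driver would hold a spin lock. */
int capture_push(const unsigned char *frame, unsigned len)
{
    capture_slot *s = &ring[head % SLOT_COUNT];
    if (head - tail == SLOT_COUNT) return 0;
    s->len = len > SLOT_SIZE ? SLOT_SIZE : len;
    memcpy(s->data, frame, s->len);
    head++;
    return 1;
}

/* IOCTL path: copy the oldest frame into the caller's buffer. Returns the
   byte count, 0 if nothing is queued, -1 if out_size is too small. */
int capture_pop(unsigned char *out, unsigned out_size)
{
    capture_slot *s = &ring[tail % SLOT_COUNT];
    if (head == tail) return 0;
    if (out_size < s->len) return -1;   /* record stays queued */
    memcpy(out, s->data, s->len);
    tail++;
    return (int)s->len;
}

/* Console side: one dump row of up to 16 bytes, hex then printable ASCII.
   Non-printable bytes are shown as '.' so binary data cannot garble output. */
int hex_row(const unsigned char *p, unsigned n, unsigned off, char *dst, size_t cap)
{
    char hex[16 * 3 + 1] = "", asc[17] = "";
    unsigned i;
    if (n > 16) n = 16;
    for (i = 0; i < n; i++) {
        sprintf(hex + i * 3, "%02x ", p[i]);
        asc[i] = (p[i] >= 0x20 && p[i] < 0x7f) ? (char)p[i] : '.';
    }
    return snprintf(dst, cap, "%04x  %-48s|%s|", off, hex, asc);
}
```

The console program calls `hex_row` once per 16 bytes of each frame it reads and prints the resulting rows.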