|
阅读:5517回复:7
NDIS6 通用hook代码【2008R2X64通过】
main.rar
static int init_ndis_hook(void* ProtoBlock)
{
PNDIS60_PROTOCOL_BLOCK protocol = ProtoBlock;
PNDIS_OPEN_BLOCK TcpOpenBlock = NULL;
PUNICODE_STRING BindDeviceName = NULL;
PUNICODE_STRING RootDeviceName = NULL;
unsigned char *buf = NULL;
_u32 OpenBlockSearchLen = 0xE0 * sizeof(PVOID);
KdPrint(("init_ndis_hook:%x %x\n", protocol, protocol->NextProtocol));
while (protocol = protocol->NextProtocol) {
PUNICODE_STRING Name = NULL;
Name = &protocol->Name;
KdPrint(("Enume protocol %wZ\n", Name));
if (0 == wcsncmp(Name->Buffer, (const wchar_t*)&L"TCPIP", Name->Length>>1)){
TcpOpenBlock = protocol->OpenQueue;
break;
}
}
if (!TcpOpenBlock)
return -1;
ndis_hook_info.OpenBlock = TcpOpenBlock;
ndis_hook_info.ProtocolHandle = protocol;
NetBufferListPool = init_nbl_pool(protocol);
KdPrint(("TcpOpenBlock %p OpenBlockSearchLen %x\n", TcpOpenBlock, OpenBlockSearchLen));
/* 搜索BindDeviceName以及RootDeviceName */
for (buf = (_u8*)TcpOpenBlock; buf < (_u8*)TcpOpenBlock + OpenBlockSearchLen; buf += sizeof(PVOID)) {
if (*(PVOID*)(buf) > (PVOID)MmUserProbeAddress
&& MmIsAddressValid(buf)
&& MmIsAddressValid(*(PVOID*)(buf))
&& **(PULONG*)(buf) == 0x005e005c
&& **(PULONG*)(buf + sizeof(PVOID)) == 0x005e005c) {
BindDeviceName = *(PUNICODE_STRING*)buf;
RootDeviceName = *(PUNICODE_STRING*)(buf + sizeof(PVOID));
ndis_hook_info.RootDeviceName = RootDeviceName;
KdPrint(("tcp root dev %wZ\n", RootDeviceName));
break;
}
}
/* 搜索 ReceiveNetBufferLists 地址 */
for (buf = (_u8*)TcpOpenBlock; buf < (_u8*)TcpOpenBlock + OpenBlockSearchLen; buf += sizeof(PVOID)) {
if (*(PVOID*)(buf) > (PVOID)MmUserProbeAddress
&& MmIsAddressValid(buf)
&& *(PVOID*)(buf) == *(PVOID*)(buf + sizeof(PVOID))
&& *(PVOID*)(buf) == *(PVOID*)(buf + sizeof(PVOID)*3)) {
/* buf->tcpip!FlReceiveNetBufferListChain */
ndis_hook_info.POpenBlockReceiveHandler = (PVOID*)(buf + sizeof(PVOID)*2);
ndis_hook_info.ReceiveNetBufferLists = *ndis_hook_info.POpenBlockReceiveHandler;
KdPrint(("ReceiveNetBufferLists:%p %p %p %p\n",
ndis_hook_info.ReceiveNetBufferLists,
*(PVOID*)(buf),
*(PVOID*)(buf + sizeof(PVOID),
*(PVOID*)(buf + sizeof(PVOID)*3))));
break;
}
}
/* 搜索底层 miniblock数据发送函数 */
if (ndisFindMiniportOnGlobalList && RootDeviceName) {
PNDIS_MINIPORT_BLOCK miniBlock;
PNDIS60_M_DRIVER_BLOCK driverBlock;
miniBlock = ndisFindMiniportOnGlobalList(RootDeviceName);
if (!miniBlock) {
KdPrint(("ndisFindMiniportOnGlobalList failed!\n"));
return -1;
}
/* 0x16c NextSendNetBufferListsHandler 偏移地址NDIS6中固定 */
ndis_hook_info.MiniBlock = miniBlock;
driverBlock = miniblock_to_mdriveblock(miniBlock);
if (!driverBlock) {
KdPrint(("ndis driverBlock no found!\n"));
return -1;
}
ndis_hook_info.PMDriverCharacteristicsSndHandler =
&driverBlock->MiniportDriverCharacteristics.SendNetBufferListsHandler;
ndis_hook_info.SendNetBufferListsHandler =
*ndis_hook_info.PMDriverCharacteristicsSndHandler;
KdPrint(("miniBlock: %p %p\n", miniBlock, ndis_hook_info.SendNetBufferListsHandler));
}
KdPrint(("mdriver_block %p\n", miniblock_to_mdriveblock(ndis_hook_info.MiniBlock)));
/* 进行NDIS60的HOOK处理 */
if (ndis_hook_info.POpenBlockReceiveHandler)
*ndis_hook_info.POpenBlockReceiveHandler = HookReceiveNetBuferLists;
if (ndis_hook_info.PMDriverCharacteristicsSndHandler)
*ndis_hook_info.PMDriverCharacteristicsSndHandler = HookSendNetBufferLists;
return 0;
}好久没来驱动开发网了,把最近的一点代码贴上,算是小礼物 具体自己测试吧!也许还有些问题 在windows7 X86以及windows2008 R2 X64测试通过 |
|
最新喜欢: ljmwor...
|
|
沙发#
发布于:2011-12-17 15:15
首见似乎在03年前后,时过n年又见ndis hook,支持一下
|
|
|
|
板凳#
发布于:2011-12-29 14:10
再见ndis hook, 令人欣慰.
|
|
|
地板#
发布于:2012-04-18 04:09
很感兴趣,但是楼主的代码没给全不能编译
能补全下吗? 谢谢. |
|
|
地下室#
发布于:2013-04-02 11:03
大牛啊
不知道和微软的框架比,优势? |
|
|
5楼#
发布于:2014-05-05 14:53
不能提供完整的代码,用处不大啊。
|
|
|
6楼#
发布于:2014-05-07 10:51
参考 看雪论坛上的关于 X86的框架,结合这个,我把X64的HOOK终于搞定了,多谢。
|
|
|
7楼#
发布于:2014-07-26 17:17
求源代码, 感激不尽, QQ591593903
|
|