|
阅读:1430回复:3
关于NDIS Hook的问题
//我用以下代码禁用SMTP,POP3怎么没有用?
PF_FORWARD_ACTION IpFilterHook( unsigned char *PacketHeader, unsigned char *Packet, unsigned int PacketLength, unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex, IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop ) { DebugPrintMsg(\"ZFfiltering\"); if(((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP) { unsigned char swap=Packet[0]; swap<<=4; swap>>=4; swap*=4; unsigned char *LP0=(unsigned char *)Packet; LP0+=swap; USHORT *LP=(USHORT *)LP0; if( ((LP[0]==25) || (LP[1]==25) || (LP[0]==110) || (LP[1]==110)) && SendInterfaceIndex==INVALID_PF_IF_INDEX) { DebugPrintMsg(\"ZFfiltering SMTP\"); return PF_DROP; } } return PF_FORWARD; } |
|
最新喜欢: jzyhum...
|
|
沙发#
发布于:2003-08-23 18:49
没怎么详细看
但我想原因是我们系统字节顺序跟网络上跑的字节顺序(应该是跟UNIX一至)正好是相反的,在SOCKET编程的时候都要用htons来转换,在底层没有这个接口,就得自己先将字节顺序转换了再来比较! |
|
|
板凳#
发布于:2003-08-25 17:05
谁能给我一个具体的解析包结构的例子?
|
|
|
地板#
发布于:2003-08-25 22:46
这么多东西,你不会才给我余下的一分吧?
// PacketPool.cpp: implementation of the CPacketPool class. // ////////////////////////////////////////////////////////////////////// #include \"stdafx.h\" #include \"PacketPool.h\" ////////////////////////////////////////////////////////////////////// // Construction/Destruction ////////////////////////////////////////////////////////////////////// CPacketPool::CPacketPool() { m_dwCount=0; KeInitializeSpinLock( &m_SpinLock ); m_FreeLink.m_pNext=NULL; m_PassLink.m_pNext=NULL; m_ReadedLink.m_pNext=NULL; } CPacketPool::~CPacketPool() { lock(); { LPDATA p1=NULL,p2=NULL; p1=m_FreeLink.m_pNext; while(p1) { p2=p1; delete p1; p1=p1->m_pNext; } p1=m_PassLink.m_pNext; while(p1) { p2=p1; delete p1; p1=p1->m_pNext; } p1=m_ReadedLink.m_pNext; while(p1) { p2=p1; delete p1; p1=p1->m_pNext; } } unlock(); } void CPacketPool::lock() { KeAcquireSpinLock( &m_SpinLock, &m_LockIrql ); } void CPacketPool::unlock() { KeReleaseSpinLock( &m_SpinLock, m_LockIrql ); } LPDATA CPacketPool::InitPacket(PNDIS_PACKET pPacket, UCHAR iDirection) { PNDIS_BUFFER pNextBuffer; PCHAR pBuffer; UINT iPacketLen; LPDATA p=NULL; UINT uiRemainLen=ENTHPACKETLEN; UINT uiCopyLen; UINT uiCopyedLen=0; lock(); p=GetDataBuffer(); if(!p) { goto RETURN; } NdisQueryPacket( pPacket, NULL, NULL, &pNextBuffer, &iPacketLen); while( pNextBuffer ) { NdisQueryBuffer(pNextBuffer, ( void ** )&pBuffer, &iPacketLen ); uiCopyLen=iPacketLen>uiRemainLen?uiRemainLen:iPacketLen; NdisMoveMemory(p->m_cData+uiCopyedLen,pBuffer,uiCopyLen); uiCopyedLen+=uiCopyLen; uiRemainLen-=uiCopyLen; if(uiRemainLen<=0) break; NdisGetNextBuffer(pNextBuffer, &pNextBuffer); } RETURN: unlock(); return p; } LPDATA CPacketPool::InitPacket(PVOID HeaderBuffer, UINT HeaderBufferSize, PVOID LookAheaderBuffer, UINT LookaheadBufferSize, UCHAR iDirection) { LPDATA p=NULL; UINT uiRemainLen=ENTHPACKETLEN; UINT uiCopyLen; UINT uiCopyedLen=0; char *pbuf=new char[LookaheadBufferSize]; lock(); p=GetDataBuffer(); if(!p) { goto RETURN; } uiCopyLen=HeaderBufferSize>uiRemainLen?uiRemainLen:HeaderBufferSize; NdisMoveMemory(p->m_cData+uiCopyedLen,HeaderBuffer,uiCopyLen); uiCopyedLen+=uiCopyLen; uiRemainLen-=uiCopyLen; uiCopyLen=LookaheadBufferSize>uiRemainLen?uiRemainLen:LookaheadBufferSize; NdisMoveMemory(p->m_cData+uiCopyedLen,LookAheaderBuffer,uiCopyLen); uiCopyedLen+=uiCopyLen; uiRemainLen-=uiCopyLen; RETURN: unlock(); return p; } LPDATA CPacketPool::GetDataBuffer() { LPDATA p=NULL; char *pName=NULL; bool bFullPath=false; size_t len; p=m_FreeLink.m_pNext; if(!p) { static int j=0; j++; g_DebugPrint.DebugPrint(\"外部分配%d\",j); p=new DATA; if(!p) { return p; } p->m_pNext=NULL; } else { m_FreeLink.m_pNext=p->m_pNext; } p->m_hDataHandle=(HANDLE)++m_dwCount; NdisZeroMemory(p,DATALEN); pName=(char *)GetCurrentProcessFileName(bFullPath); len=strlen(pName); len=len>16?16:len; if(strstr(pName,\".exe\")) { NdisMoveMemory(p->AppName,pName,len); g_DebugPrint.DebugPrint(p->AppName); } return p; } void CPacketPool::DeleteData(LPDATA pDATA) { LPDATA p=NULL; lock(); { p=&m_PassLink; while(p->m_pNext) { if(pDATA==p->m_pNext) { p->m_pNext =p->m_pNext->m_pNext; break; } } p=&m_ReadedLink; while(p->m_pNext) { if(pDATA==p->m_pNext) { p->m_pNext =p->m_pNext->m_pNext; break; } } //insert into free link; pDATA->m_pNext=m_FreeLink.m_pNext; m_FreeLink.m_pNext=pDATA; } unlock(); } void CPacketPool::InsertIntoPassLink(LPDATA pData) { lock(); { pData->m_pNext=m_PassLink.m_pNext; m_PassLink.m_pNext=pData; } unlock(); } NTSTATUS CPacketPool::ReadData(PVOID UserBuffer, ULONG &UserBufferSize) { UINT uiRemainLen=UserBufferSize; UserBufferSize=0; UINT uiCopyLen; UINT uiCopyedLen=0; LPDATA p=NULL; LPDATA p2=NULL; lock(); { uiCopyLen=DATALEN; p=&m_PassLink; while(p->m_pNext) { if(uiRemainLen>DATALEN) { uiCopyLen=DATALEN; } else { break; } NdisMoveMemory(UserBuffer,p->m_pNext->m_cData,uiCopyLen); uiRemainLen-=uiCopyLen; uiCopyedLen+=uiCopyLen; UserBufferSize+=uiCopyLen; p2=p->m_pNext; p->m_pNext=p->m_pNext->m_pNext;//取下一条记录并将当前结果从链中删除 //将其插入已经读取的记录。 p2->m_pNext=m_ReadedLink.m_pNext; m_ReadedLink.m_pNext=p2; } } unlock(); return STATUS_SUCCESS; } PCWSTR CPacketPool::GetCurrentProcessFileName(bool &bFullPath) { DWORD dwAddress=0; bFullPath=false; const char *pImageName=NULL; char *p=NULL; KIRQL kIrql=KeGetCurrentIrql( ); if(kIrql!=DISPATCH_LEVEL) return NULL; dwAddress= (DWORD)PsGetCurrentProcess(); if(dwAddress == 0 || dwAddress == 0xFFFFFFFF) return NULL; pImageName=(char*)dwAddress + 0x1FC; return (PCWSTR)(pImageName); /* bFullPath=true; dwAddress += 0x1B0; if((dwAddress = *(DWORD*)dwAddress) == 0) return 0; dwAddress += 0x10; if((dwAddress = *(DWORD*)dwAddress) == 0) return 0; dwAddress += 0x3C; if((dwAddress = *(DWORD*)dwAddress) == 0) return 0; return (PCWSTR)dwAddress; */ } // Filter.h: interface for the CFilter class. // ////////////////////////////////////////////////////////////////////// #if !defined(AFX_FILTER_H__FEC86C6E_02AB_4D62_9847_5EBFDF3D7AE1__INCLUDED_) #define AFX_FILTER_H__FEC86C6E_02AB_4D62_9847_5EBFDF3D7AE1__INCLUDED_ #if _MSC_VER > 1000 #pragma once #endif // _MSC_VER > 1000 #define PROTOCOL_IP 0x0008 #define PROTOCOL_ARP 0x0608 /* These definitions are copy from winsock.h */ #define IPPROTO_ICMP 1 /* control message protocol */ #define IPPROTO_IGMP 2 /* group management protocol */ #define IPPROTO_GGP 3 /* gateway^2 (deprecated) */ #define IPPROTO_TCP 6 /* tcp */ #define IPPROTO_PUP 12 /* pup */ #define IPPROTO_UDP 17 /* user datagram protocol */ #define IPPROTO_IDP 22 /* xns idp */ #define IPPROTO_ND 77 /* UNOFFICIAL net disk proto */ #define IPPROTO_RAW 255 /* raw IP packet */ #define IPPROTO_MAX 256 #pragma pack(1) typedef struct _Ether_Hdr { UCHAR ether_dhost[6]; UCHAR ether_shost[6]; USHORT ether_type; }ETHER_HDR,*LPETHER_HDR; #define ETHERTYPE_IP 0x0800 /* IP protocol */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ typedef struct _Ip_Hdr { UCHAR ip_hl:4; /* header length */ UCHAR ip_v:4; /* version */ UCHAR ip_tos; /* type of service */ USHORT ip_len; /* total length */ USHORT ip_id; /* identification */ USHORT ip_off; /* fragment offset field */ UCHAR ip_ttl; /* time to live */ UCHAR ip_p; /* protocol */ USHORT ip_sum; /* checksum */ ULONG ip_src; /* source address */ ULONG ip_dst; /* dest address */ }IP_HDR,*LPIP_HDR; typedef struct _Icmp_Hdr { UCHAR icmp_type; /* type of message */ UCHAR icmp_code; /* type sub code */ USHORT icmp_cksum; /* ones complement cksum of struct */ }ICMP_HDR,*LPICMP_HDR; typedef struct _Udp_Hdr { USHORT uh_sport; /* source port */ USHORT uh_dport; /* destination port */ USHORT uh_ulen; /* udp length */ USHORT uh_sum; /* udp checksum */ }UDP_HDR,*LPUDP_HDR; #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 typedef struct _Tcp_Hdr { USHORT th_sport; /* source port */ USHORT th_dport; /* destination port */ ULONG th_seq; /* sequence number */ ULONG th_ack; /* acknowledgement number */ UCHAR th_x2:4; /* (unused) */ UCHAR th_off:4; /* data offset */ UCHAR th_flags; USHORT th_win; /* window */ USHORT th_sum; /* checksum */ USHORT th_urp; /* urgent pointer */ }TCP_HDR,*LPTCP_HDR; typedef struct _Ether_Arp { unsigned short ar_hrd; /* format of hardware address */ unsigned short ar_pro; /* format of protocol address */ unsigned char ar_hln; /* length of hardware address */ unsigned char ar_pln; /* length of protocol address */ unsigned short ar_op; /* one of: */ unsigned char ar_sha[6]; /* sender hardware address */ unsigned long ar_spa; /* sender protocol address */ unsigned char ar_tha[6]; /* target hardware address */ unsigned long ar_tpa; /* target protocol address */ }ETHER_ARP, * LPETHER_ARP; typedef struct _Ip_Packet { IP_HDR ip_hdr; union { TCP_HDR tcp_hdr; UDP_HDR udp_hdr; ICMP_HDR icmp_hdr; }; }IP_PACKET,*LPIP_PACKET; typedef struct _Packet { ETHER_HDR ar_hdr; /* header of ethernet frame */ union { IP_PACKET ip_packet; ETHER_ARP ether_arp; }; }PACKET,*LPPACKET; typedef struct _Ip_Packet_Info { IP_HDR ip_hdr; union { struct { TCP_HDR tcp_hdr; char m_tcpData[512]; }; struct { UDP_HDR udp_hdr; char m_udpData[512]; }; struct { ICMP_HDR icmp_hdr; char m_icmpData[512]; }; char m_ipData[512]; }; }IP_PACKET_INFO,*LPIP_PACKET_INFO; typedef struct _Enth_Packet { ETHER_HDR m_EtherHdr; IP_PACKET_INFO m_Ip_Packet_Info; }ENTH_PACKET,*LPENTH_PACKET; #define ENTHPACKETLEN sizeof(ENTH_PACKET) typedef struct _Data { HANDLE m_hDataHandle; struct _Data *m_pNext; char AppName[17]; unsigned char m_ucDataType; union { ENTH_PACKET m_EnthPacket; char m_cData[ENTHPACKETLEN]; }; _Data() { NdisZeroMemory(this, sizeof(_Data)); } }DATA,*LPDATA; #pragma pack() #define ETHERAPRLEN sizeof(ETHER_ARP) #define ETHERHDRLEN sizeof(ETHER_HDR) #define ICMPHDRLEN sizeof(ICMP_HDR) #define IPHDRLEN sizeof(IP_HDR) #define IPPACKETLEN sizeof(IP_PACKET) #define PACKETLEN sizeof(PACKET) #define TCPHDRLEN sizeof(TCP_HDR) #define UDPHDRLEN sizeof(UDP_HDR) #define DATALEN sizeof(DATA) class CFilter { public: static bool Filter(PVOID HeaderBuffer, UINT HeaderBufferSize, PVOID LookAheaderBuffer, UINT LookaheadBufferSize, UCHAR iDirection=0); static bool Filter(PNDIS_PACKET pPacket, UCHAR iDirection=0); static bool OnTCP(LPTCP_HDR pTcpHdr,UINT len); static bool OnUDP(LPUDP_HDR pUdpHdr,int len); static bool OnICMP(LPICMP_HDR pICMPHdr,UINT len); static bool OnEtherArp(LPETHER_ARP pEtherArp,UINT len); static bool OnIpPacket(LPIP_PACKET pIpPacket,UINT len); static bool OnPacket(PACKET *pPacket,UINT len); static USHORT htons( USHORT iNum ); static ULONG htonl(ULONG iNum); CFilter(); virtual ~CFilter(); }; #endif // !defined(AFX_FILTER_H__FEC86C6E_02AB_4D62_9847_5EBFDF3D7AE1__INCLUDED_) // Filter.cpp: implementation of the CFilter class. // ////////////////////////////////////////////////////////////////////// #include \"stdafx.h\" #include \"Filter.h\" #include \"HookApp.h\" #include \"PacketPool.h\" ////////////////////////////////////////////////////////////////////// // Construction/Destruction ////////////////////////////////////////////////////////////////////// CFilter::CFilter() { } CFilter::~CFilter() { } bool CFilter::Filter(PVOID HeaderBuffer, UINT HeaderBufferSize, PVOID LookAheaderBuffer, UINT LookaheadBufferSize, UCHAR iDirection ) { LPDATA pData= theApp.m_pPacketPool->InitPacket( HeaderBuffer, HeaderBufferSize, LookAheaderBuffer, LookaheadBufferSize, iDirection ); if(pData) theApp.m_pPacketPool->DeleteData(pData); return true; } bool CFilter::Filter(PNDIS_PACKET packet, UCHAR iDirection) { LPDATA pData= theApp.m_pPacketPool->InitPacket( packet, iDirection ); if(pData) theApp.m_pPacketPool->DeleteData(pData); return true; } bool CFilter::OnPacket(PACKET *pPacket, UINT len) { if(len<ETHERHDRLEN) { return true; } LPETHER_HDR pEther_Hdr=&pPacket->ar_hdr; if(ETHERHDRLEN==len) return true; len-=ETHERHDRLEN; switch(pEther_Hdr->ether_type) { case PROTOCOL_IP: OnIpPacket(&pPacket->ip_packet,len); break; case PROTOCOL_ARP: OnEtherArp(&pPacket->ether_arp,len); break; } return true; } bool CFilter::OnIpPacket(LPIP_PACKET pIpPacket, UINT len) { if(IPPACKETLEN>len) { g_DebugPrint.DebugPrint(\"IPPACKETLEN>len :: %u>%u\",IPPACKETLEN,len); return true; } LPIP_HDR pIp_Hdr=&pIpPacket->ip_hdr; switch(pIp_Hdr->ip_p) { case IPPROTO_ICMP: case IPPROTO_IGMP: case IPPROTO_GGP: case IPPROTO_TCP: case IPPROTO_PUP: case IPPROTO_UDP: case IPPROTO_IDP: case IPPROTO_ND: case IPPROTO_RAW: break; default: return true; } g_DebugPrint.DebugPrint(\"ip %d.%d.%d.%d -> %d.%d.%d.%d (proto = %d)\\n\", *(((unsigned char *)&pIp_Hdr->ip_src)+0),*(((unsigned char *)&pIp_Hdr->ip_src)+1), *(((unsigned char *)&pIp_Hdr->ip_src)+2),*(((unsigned char *)&pIp_Hdr->ip_src)+3), *(((unsigned char *)&pIp_Hdr->ip_dst)+0),*(((unsigned char *)&pIp_Hdr->ip_dst)+1), *(((unsigned char *)&pIp_Hdr->ip_dst)+2),*(((unsigned char *)&pIp_Hdr->ip_dst)+3), pIp_Hdr->ip_p); if(IPHDRLEN==len) return true; len-=IPHDRLEN; switch(pIp_Hdr->ip_p) { case IPPROTO_ICMP: OnICMP(&pIpPacket->icmp_hdr,len); break; case IPPROTO_IGMP: g_DebugPrint.DebugPrint(\"IGMP\"); break; case IPPROTO_GGP: break; case IPPROTO_TCP: OnTCP(&pIpPacket->tcp_hdr,len); break; case IPPROTO_PUP: break; case IPPROTO_UDP: OnUDP(&pIpPacket->udp_hdr,len); break; case IPPROTO_IDP: break; case IPPROTO_ND: break; case IPPROTO_RAW: g_DebugPrint.DebugPrint(\"RAW\"); break; } return true; } bool CFilter::OnEtherArp(LPETHER_ARP pEtherArp, UINT len) { g_DebugPrint.DebugPrint(\"ARP\"); return true; } bool CFilter::OnICMP(LPICMP_HDR pICMPHdr, UINT len) { if(ICMPHDRLEN>len) { g_DebugPrint.DebugPrint(\"ICMPHDRLEN>len :: %u>%u\",ICMPHDRLEN,len); return true; } g_DebugPrint.DebugPrint(\"icmp (%d.%d)\\n\", pICMPHdr->icmp_type, pICMPHdr->icmp_code); return true; } bool CFilter::OnUDP(LPUDP_HDR pUdpHdr, int len) { if(UDPHDRLEN>len) { g_DebugPrint.DebugPrint(\"UDPHDRLEN>len :: %u>%u\",UDPHDRLEN,len); return true; } g_DebugPrint.DebugPrint(\"udp %d -> %d\\n\", CFilter::htons(pUdpHdr->uh_sport), CFilter::htons(pUdpHdr->uh_dport)); return true; } bool CFilter::OnTCP(LPTCP_HDR pTcpHdr, UINT len) { if(TCPHDRLEN>len) { g_DebugPrint.DebugPrint(\"TCPHDRLEN>len :: %u>%u\",TCPHDRLEN,len); return true; } char flags[7]; flags[0] = (pTcpHdr->th_flags & TH_FIN) ? \'F\' : \' \'; flags[1] = (pTcpHdr->th_flags & TH_SYN) ? \'S\' : \' \'; flags[2] = (pTcpHdr->th_flags & TH_RST) ? \'R\' : \' \'; flags[3] = (pTcpHdr->th_flags & TH_PUSH) ? \'P\' : \' \'; flags[4] = (pTcpHdr->th_flags & TH_ACK) ? \'A\' : \' \'; flags[5] = (pTcpHdr->th_flags & TH_URG) ? \'U\' : \' \'; flags[6] = \'\\0\'; g_DebugPrint.DebugPrint(\"tcp %d -> %d (%s)\\n\", CFilter::htons(pTcpHdr->th_sport), CFilter::htons(pTcpHdr->th_dport), flags); return true; } ULONG CFilter::htonl(ULONG iNum) { ULONG iNumber = iNum; PCHAR ptr = ( PCHAR )&iNumber; CHAR ch; ch = *ptr; *ptr = *( ptr + 3 ); *( ptr + 3 ) = ch; ch = *( ptr + 1 ); *( ptr + 1 ) = *( ptr + 2 ); *( ptr + 2 ) = ch; return iNumber; } USHORT CFilter::htons(USHORT iNum) { USHORT iNumber = iNum; PCHAR ptr = ( PCHAR )&iNumber; CHAR ch; ch = *ptr; *ptr = *( ptr + 1 ); *( ptr + 1 ) = ch; return iNumber; } 开玩笑的,任你给分了! |
|