Views: 1913 | Replies: 6
Packet-capture gurus, please help me. Question on TDI-layer mail filtering, 200 points
I need to build a mail filter at the TDI layer. Using FilterTCP is a hassle, so I capture packets by hooking IP, and I need the protocol decoded in full detail. Below is my IP header and TCP header decoding; it is too long to post all of it. My idea is to create a thread that analyses the SMTP packets.
    PTCPHeader  pTCPHeader;
    PIPHeader   pIPHeader;
    PICMPHeader pICMPHeader;
    HANDLE      Handle;
    char        buffer[256];
    int         type;
    int         flag;
    int         DataOffset;
    int         TcpHeaderLen;
    int         IPHeaderLen;
    int         iBufSize;
    char       *TcpData;
    KIRQL       aIrqL;
    int         control;

    pIPHeader = (PIPHeader)PacketHeader;
    {
        memset(buffer, 0, 256);
        sprintf(buffer, " IPv %d ", (pIPHeader->ver_len >> 4) & 15);
        DbgPrint("\n%s", buffer);            // the "\n" was lost in the original paste

        // version
        memset(buffer, 0, 256);
        sprintf(buffer, " 版本:%d ", (pIPHeader->ver_len >> 4) & 15);
        DbgPrint("%s", buffer);

        // header length (IHL is counted in 32-bit words)
        memset(buffer, 0, 256);
        sprintf(buffer, " 报头长:%d字节 ", (pIPHeader->ver_len & 15) * 32 / 8);
        DbgPrint("%s", buffer);
        IPHeaderLen = (pIPHeader->ver_len & 15) * 32 / 8;

        // type of service: low 3 bits are the precedence
        memset(buffer, 0, 256);
        sprintf(buffer, " 服务类型:0x%02x ", pIPHeader->type);
        DbgPrint("%s", buffer);
        type = pIPHeader->type & 7;
        if (type == 0) DbgPrint(" 普通 ");
        if (type == 1) DbgPrint(" 优先 ");
        if (type == 2) DbgPrint(" 立刻 ");
        if (type == 3) DbgPrint(" 即时 ");
        if (type == 4) DbgPrint(" 即时、优先 ");
        if (type == 5) DbgPrint(" 重要 ");
        if (type == 6) DbgPrint(" 网络间控制 ");
        if (type == 7) DbgPrint(" 网络控制 ");

        // bits 3..6: that is four bits, so mask with 15 (the original masked with 7,
        // which made the 8 and 15 cases below unreachable)
        type = (pIPHeader->type >> 3) & 15;
        if (type == 0)  DbgPrint(" 普通服务 ");
        if (type == 1)  DbgPrint(" 金钱成本最小 ");
        if (type == 2)  DbgPrint(" 可靠性最大 ");
        if (type == 4)  DbgPrint(" 吞吐量最大 ");
        if (type == 8)  DbgPrint(" 延迟最小 ");
        if (type == 15) DbgPrint(" 安全级最高 ");

        // datagram length (16-bit big-endian)
        memset(buffer, 0, 256);
        sprintf(buffer, " 数据报长度:%d字节 ", pIPHeader->length[0] * 0x100 + pIPHeader->length[1]);
        DbgPrint("%s", buffer);
        iBufSize = pIPHeader->length[0] * 0x100 + pIPHeader->length[1];

        // identification
        memset(buffer, 0, 256);
        sprintf(buffer, " 标识:%d ", pIPHeader->id[0] * 0x100 + pIPHeader->id[1]);
        DbgPrint("%s", buffer);

        // flags: top 3 bits of the first flags/offset byte
        memset(buffer, 0, 256);
        flag = pIPHeader->flag_offset[0] >> 5;
        sprintf(buffer, " 标志:%d ", flag);
        DbgPrint("%s", buffer);
        if ((flag & 4) == 0) DbgPrint(" 预约固定 ");
        if ((flag & 2) == 0) DbgPrint(" 有碎块 ");
        if ((flag & 1) == 0) DbgPrint(" 最后的碎块 ");
        else                 DbgPrint(" 接收中 ");

        // fragment offset: the low 13 bits
        memset(buffer, 0, 256);
        sprintf(buffer, " '数据块偏移':%d ", (pIPHeader->flag_offset[0] * 0x100 + pIPHeader->flag_offset[1]) & 8191);
        DbgPrint("%s", buffer);

        // TTL
        memset(buffer, 0, 256);
        sprintf(buffer, " 生存时间TTL:%d ", pIPHeader->time);
        DbgPrint("%s", buffer);
        // (the remaining fields of the dump were not posted)
    }

    `````````````````````````````````````````````````````````````````````````````

    TcpUserData       // this is the address of the user data
    TcpUserDataSize   // size of the user data

    VOID FilterAnalysePacket(IN PVOID Context)
    {
        char     buffer[1000] = {0};
        char     bufferr[100] = {0};
        char    *pdest;
        int      result;
        NTSTATUS ntstatus = STATUS_SUCCESS;
        size_t   n = TcpUserDataSize;

        // bound the copy: a payload of 1000 bytes or more would otherwise overrun
        // buffer, and the last byte must stay 0 so the string functions below stop
        if (n > sizeof(buffer) - 1)
            n = sizeof(buffer) - 1;
        RtlCopyMemory(buffer, TcpUserData, n);

        // When I analyse SMTP sending at the application layer there is a DATA
        // in it; I use that to decide whether this is a mail packet.
        if (strncmp(buffer, "DATA", 4) != 0)
        {
            // This To is the sender; the sender address follows the To.
            if (strstr(buffer, "To:") != NULL)
            {
                pdest  = strstr(buffer, "To:");
                result = pdest - buffer;
                // copy the text after "To:" with a fixed bound; the original passed
                // packet bytes as the format string (a format-string bug) and, with
                // result as the count, copied the text *before* "To:" instead
                _snprintf(bufferr, sizeof(bufferr) - 1, "%s", pdest + 3);
                DbgPrint("发信人邮件地址 %s\n", bufferr);
            }
        }
        // (the rest of the function was not posted)
    }

Question: why can't I receive SMTP packets? I cannot find the "DATA" marker in the packets. When capturing packets by hooking IP, how can I filter spam and get the mail addresses and the attachment names? Answer quickly, I need it urgently!!!! I'm begging you.
Reply #1
Posted: 2004-02-19 10:17
Today I dragged our R&D manager in to study this for a while, and the conclusion was that port 25 SMTP does not pass its packets through the IP layer, so now I have to rewrite it to capture packets with NDIS, which is what I'm best at. Sigh, twenty-odd days of code wasted just like that.
Reply #2
Posted: 2004-02-20 13:13
How can SMTP not go through IP?
Reply #3
Posted: 2004-02-20 14:02
How would I know.
Reply #4
Posted: 2004-02-20 15:06
Are your IP packets encapsulated, for example inside PPPoE?
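Reply #4's question (is the IP packet wrapped in something like PPPoE?) and the original post's header walk and SMTP check come down to one chain: find where the IPv4 header starts, honour IHL and the TCP data offset, then reassemble the client's command lines across segments. The C program below is an added example written for this thread, not the poster's code or any library's API. It builds constructed frames (zero checksums, TEST-NET-1 addresses) carrying an SMTP client session split over five segments, locates the payload with a length check at every step, and tracks the envelope per connection, where the sender is MAIL FROM and the recipient RCPT TO, while a To: line after DATA is only a message header. All names in it (ipv4_offset, tcp_payload, smtp_feed, build_frame, demo, malformed_rejected, last) are this example's own.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Offset of the IPv4 header in an Ethernet frame: plain IPv4 (EtherType 0x0800) or
 * IPv4 inside a PPPoE session (EtherType 0x8864, PPP protocol 0x0021); else -1. */
static int ipv4_offset(const uint8_t *f, size_t len)
{
    if (len < 14) return -1;
    unsigned ethertype = (f[12] << 8) | f[13];
    if (ethertype == 0x0800) return 14;
    if (ethertype == 0x8864 && len >= 22 && ((f[20] << 8) | f[21]) == 0x0021)
        return 22;                          /* 14 Ethernet + 6 PPPoE + 2 PPP protocol */
    return -1;
}

/* TCP payload inside an IPv4 packet. IHL and data offset count 32-bit words; each step is
 * checked against the IP total length so a short or lying packet cannot push the pointer
 * past the buffer. Returns the payload length, or -1 when not TCP or malformed. */
static int tcp_payload(const uint8_t *ip, size_t len, const uint8_t **out, uint16_t *dport)
{
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (ip[0] & 0x0f) * 4u, total = (ip[2] << 8) | ip[3];
    if (ihl < 20 || total < ihl + 20 || total > len || ip[9] != 6) return -1;   /* 6 = TCP */
    const uint8_t *tcp = ip + ihl; size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || ihl + doff > total) return -1;
    *dport = (tcp[2] << 8) | tcp[3]; *out = tcp + doff;
    return (int)(total - ihl - doff);
}

/* Per-connection SMTP envelope state. Commands arrive split across segments, so the partial
 * line persists between calls. Sender = MAIL FROM, recipient = RCPT TO; "To:" after DATA is
 * a message header, not the envelope. */
typedef struct {
    char line[512]; size_t used;
    char mail_from[128], rcpt_to[128];
    int in_data, messages;
} smtp_conn;
static void copy_addr(char *dst, size_t n, const char *s)   /* "<a@b>" -> "a@b" */
{
    size_t i = 0;
    while (*s == ' ' || *s == '<') s++;
    for (; s[i] && s[i] != '>' && i + 1 < n; i++) dst[i] = s[i];
    dst[i] = '\0';
}
static void smtp_line(smtp_conn *c, const char *l)
{
    if (c->in_data) { if (strcmp(l, ".") == 0) { c->in_data = 0; c->messages++; } return; }
    if (strncasecmp(l, "MAIL FROM:", 10) == 0) copy_addr(c->mail_from, sizeof c->mail_from, l + 10);
    else if (strncasecmp(l, "RCPT TO:", 8) == 0) copy_addr(c->rcpt_to, sizeof c->rcpt_to, l + 8);
    else if (strcasecmp(l, "DATA") == 0) c->in_data = 1;
}
static void smtp_feed(smtp_conn *c, const uint8_t *p, size_t n)   /* split on CRLF */
{
    for (size_t i = 0; i < n; i++) {
        if (p[i] != '\n') { if (c->used + 1 < sizeof c->line) c->line[c->used++] = (char)p[i]; continue; }
        if (c->used && c->line[c->used - 1] == '\r') c->used--;
        c->line[c->used] = '\0';
        smtp_line(c, c->line);
        c->used = 0;
    }
}

/* Constructed sample frame (Ethernet, optional PPPoE, IPv4, TCP to port 25) with zero
 * checksums and TEST-NET-1 addresses: test input, not a transmittable packet. */
static size_t build_frame(uint8_t *out, int pppoe, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen, n = 12;
    memset(out, 0, 12);                                              /* MAC addresses */
    if (pppoe) {
        const uint8_t hdr[] = {0x88, 0x64, 0x11, 0, 0, 1, (uint8_t)((total + 2) >> 8), (uint8_t)(total + 2), 0, 0x21};
        memcpy(out + n, hdr, sizeof hdr); n += sizeof hdr;
    } else { out[n++] = 0x08; out[n++] = 0x00; }
    const uint8_t ip[20] = {0x45, 0, (uint8_t)(total >> 8), (uint8_t)total, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 0, 2, 10, 192, 0, 2, 25};
    const uint8_t tcp[20] = {0xc0, 0, 0, 25, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff};
    memcpy(out + n, ip, 20); memcpy(out + n + 20, tcp, 20); memcpy(out + n + 40, payload, plen);
    return n + total;
}

/* Run a constructed client session, one segment per frame, through the whole chain into
 * `last`. Returns completed messages (1 expected), or -1 if any frame was rejected. */
static smtp_conn last;
static int demo(int pppoe)
{
    static const char *seg[] = { "EHLO client.example\r\n", "MAIL FROM:<alice@example.org>\r\n",
        "RCPT TO:<bob@exam", "ple.net>\r\nDATA\r\n",   /* one command split over two segments */
        "From: Alice\r\nTo: Carol <carol@example.net>\r\n\r\nhello\r\n.\r\n" };
    uint8_t frame[1500]; const uint8_t *payload = 0; uint16_t dport = 0;
    memset(&last, 0, sizeof last);
    for (size_t i = 0; i < sizeof seg / sizeof *seg; i++) {
        size_t len = build_frame(frame, pppoe, seg[i]);
        int off = ipv4_offset(frame, len);
        int plen = off < 0 ? -1 : tcp_payload(frame + off, len - off, &payload, &dport);
        if (plen < 0 || dport != 25) return -1;                      /* client->server only */
        smtp_feed(&last, payload, (size_t)plen);
    }
    return last.messages;
}

/* A packet whose IP total length is smaller than its headers must be rejected, not read. */
static int malformed_rejected(void)
{
    uint8_t frame[1500]; const uint8_t *p; uint16_t d;
    size_t len = build_frame(frame, 0, "DATA\r\n"); frame[16] = 0; frame[17] = 10;   /* total := 10 */
    return tcp_payload(frame + 14, len - 14, &p, &d) == -1;
}
```

Calling demo(0) and demo(1) both return 1 with last.mail_from set to alice@example.org and last.rcpt_to to bob@example.net, and malformed_rejected() returns 1. The checks make the three things a filter at this layer has to get right visible: the offset of the IP header depends on the link-layer encapsulation, both header lengths are variable, and no single segment can be expected to carry DATA, so matching must run over the reassembled stream rather than per packet.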
Reply #5
Posted: 2004-02-21 15:36
I don't know.. When I capture packets in NDIS the data also looks like this:

    00000000 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000010 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000020 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000030 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000040 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000050 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000070 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000080 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000a0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000b0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000d0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000e0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000000f0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00000100 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

But an application-layer sniffer does show output. The data offset is correct.
Reply #6
Posted: 2004-02-21 21:55
Haha. I've got it working. Completely solved; I got everything I wanted. Haha.
It turned out the problem was an increment error. Haha. Found it.