|
阅读:1725回复:8
[winpcap相关]指点小弟,感激不尽,谢谢了.
小弟一个不小心毕业论文选了《数据包的拦截与分析》,老师让我用winpcap对数据包进行拦截并分析数据包的类型,由于小弟以前从未接触过相关内容,以至于已经过去1个多月了现在还是一头雾水.老师要求我用VC++编程,使用winpcap软件包中的源代码就可以,可是看上去简单,没人指点,简单的几步也弄不明白,哪个好心的兄弟又耐心指点在下,感激不尽~~~~~~~~
|
|
|
沙发#
发布于:2005-04-21 17:07
小弟时刻关注着~~~~~~~~~~~~~
|
|
|
板凳#
发布于:2005-04-21 22:49
我也是和你一样用WINCAP做网络分析器,说明文档里有编程向导,看看就知道,还有例程,很方便的.毕设的我把后台采集代码写的差不多了.
|
|
|
地板#
发布于:2005-04-26 00:00
小弟一个不小心毕业论文选了《数据包的拦截与分析》,老师让我用winpcap对数据包进行拦截并分析数据包的类型,由于小弟以前从未接触过相关内容,以至于已经过去1个多月了现在还是一头雾水.老师要求我用VC++编程,使用winpcap软件包中的源代码就可以,可是看上去简单,没人指点,简单的几步也弄不明白,哪个好心的兄弟又耐心指点在下,感激不尽~~~~~~~~ 我刚关注了一段时间的 libpcap, winpcap,准备跟着这里的大侠们学习 NDIS,看到你的提问,我将我的一些经验提供给你: (1) 首先下载运行环境,winpcap: http://winpcap.polito.it/install/bin/WinPcap_3_1_beta4.exe (2) 然后是下载 winpcap SDK: http://winpcap.polito.it/install/bin/wpdpack_3_1_beta4.zip 解压后,里面的头文件和 lib 文件需要用来编译你的程序。里面有很多例子。根据你的需求,可以只关注 packet 部分就可以了。 (3) 查阅一下资料,了解一下 ethernet, ip, tcp, udp 等 packet 的格式。 |
|
|
|
地下室#
发布于:2005-04-27 10:22
谢谢 3楼的哥们
|
|
|
5楼#
发布于:2005-04-27 14:39
楼主,我和你一样也是选了个自己不懂的网络封包截获的课题!叫传输层过滤驱动开发,下面是一本书里的源代码FilterTdiDriver,但它只是实现了截获IRP请求并把它直接转发到了底层,并未作任何处理。我现在只想实现对网络包的简单过滤然后输出即可,请高手帮忙指点一下!
PACKET.H #define DD_TCP_DEVICE_NAME L\"\\\\Device\\\\Tcp\" #define TDIH_TCP_DEVICE_NAME L\"\\\\Device\\\\TonyTcpFilter\" #define TDIH_DEV_EXT_ATTACHED (0x00000001) /************************************************************************** 每一个结构必须有一个唯一的“node type”或者一个联合签名 **************************************************************************/ #define TDIH_NODE_TYPE_TCP_FILTER_DEVICE (0xfdecba12) /* 输出调试信息 */ #define DBGPRINT(Fmt) \\ { \\ DbgPrint(\" ***FilterTdiDriver.sys*** \"); \\ DbgPrint (Fmt); \\ } /* 进行64位数值的处理,请参阅DDK帮助文档关于RtlLargeIntegerEqualToZero的解释 */ #define UTIL_IsLargeIntegerZero(ReturnValue, LargeIntegerOp, pSpinLock) \\ { \\ KIRQL OldIrql; \\ KeAcquireSpinLock(pSpinLock, &OldIrql); \\ ASSERT(RtlLargeIntegerGreaterOrEqualToZero((LargeIntegerOp))); \\ ReturnValue = RtlLargeIntegerEqualToZero((LargeIntegerOp)); \\ KeReleaseSpinLock(pSpinLock, OldIrql); \\ } //―――――――――――――――――――――――――――――――――――――― // 用来保存驱动程序相关信息的自定义结构类型,这个结构类型可以绑定到 // DEVICE_OBJECT对象的DeviceExtension成员变量之上,随着DEVICE_OBJECT对象在 // 不同的函数之间传递 // typedef struct _TDIH_DeviceExtension { ULONG NodeType; // 标识这个结构 ULONG NodeSize; // 这个结构的大小 PDEVICE_OBJECT pFilterDeviceObject; // 过滤设备对象 KSPIN_LOCK IoRequestsSpinLock; // 同时调用时的保护锁 KEVENT IoInProgressEvent; // 进程间同步处理 ULONG DeviceExtensionFlags; // 设备标志 PDEVICE_OBJECT TargetDeviceObject; // 绑定的设备对象 PFILE_OBJECT TargetFileObject; // 绑定设备的文件对象 PDEVICE_OBJECT LowerDeviceObject; // 绑定前底层设备对象 LARGE_INTEGER OutstandingIoRequests; } TDIH_DeviceExtension, *PTDIH_DeviceExtension; /////////////////////////////////////////////////////////////////////// NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ); VOID PacketUnload( IN PDRIVER_OBJECT DriverObject ); NTSTATUS PacketDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ); NTSTATUS PacketCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ); NTSTATUS TCPFilter_Attach( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ); NTSTATUS TCPFilter_InitDeviceExtension( IN PTDIH_DeviceExtension pTDIH_DeviceExtension, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PFILE_OBJECT pTargetFileObject, IN PDEVICE_OBJECT pLowerDeviceObject ); VOID TCPFilter_Detach( IN PDEVICE_OBJECT pDeviceObject ); Packet.c #include <ndis.h> #include <tdikrnl.h> #include <ntddk.h> #include \"packet.h\" NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status = 0; ULONG i; DBGPRINT(\"DriverEntry Loading...\\n\"); DriverObject->DriverUnload = PacketUnload; for (i=0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) { DriverObject->MajorFunction = PacketDispatch; } status = TCPFilter_Attach(DriverObject,RegistryPath); return status; } VOID PacketUnload( IN PDRIVER_OBJECT DriverObject ) { PDEVICE_OBJECT DeviceObject; PDEVICE_OBJECT OldDeviceObject; PTDIH_DeviceExtension pTDIH_DeviceExtension; DBGPRINT(\"DriverEntry unLoading...\\n\"); DeviceObject = DriverObject->DeviceObject; while (DeviceObject != NULL) { OldDeviceObject = DeviceObject; pTDIH_DeviceExtension = (PTDIH_DeviceExtension )DeviceObject->DeviceExtension; if( pTDIH_DeviceExtension->NodeType == TDIH_NODE_TYPE_TCP_FILTER_DEVICE ) TCPFilter_Detach( DeviceObject ); // Calls IoDeleteDevice else IoDeleteDevice(OldDeviceObject); DeviceObject = DeviceObject->NextDevice; } } NTSTATUS PacketDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp ) { NTSTATUS RC = STATUS_SUCCESS; PTDIH_DeviceExtension pTDIH_DeviceExtension; PIO_STACK_LOCATION IrpStack; PIO_STACK_LOCATION NextIrpStack; pTDIH_DeviceExtension = (PTDIH_DeviceExtension )(DeviceObject->DeviceExtension); IrpStack = IoGetCurrentIrpStackLocation(Irp); switch(IrpStack->MajorFunction) { case IRP_MJ_CREATE: DBGPRINT(\"PacketDispatch(IRP_MJ_CREATE)...\\n\"); break; case IRP_MJ_CLOSE: DBGPRINT(\"PacketDispatch(IRP_MJ_CLOSE)...\\n\"); break; case IRP_MJ_CLEANUP: DBGPRINT(\"PacketDispatch(IRP_MJ_CLEANUP)...\\n\"); break; case IRP_MJ_INTERNAL_DEVICE_CONTROL: switch (IrpStack->MinorFunction) { case TDI_ACCEPT: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_ACCEPT])...\\n\"); break; case TDI_ACTION: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_ACTION])...\\n\"); break; case TDI_ASSOCIATE_ADDRESS: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_ASSOCIATE_ADDRESS])...\\n\"); break; case TDI_DISASSOCIATE_ADDRESS: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_DISASSOCIATE_ADDRESS])...\\n\"); break; case TDI_CONNECT: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_CONNECT])...\\n\"); break; case TDI_DISCONNECT: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_DISCONNECT])...\\n\"); break; case TDI_LISTEN: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_LISTEN])...\\n\"); break; case TDI_QUERY_INFORMATION: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_QUERY_INFORMATION])...\\n\"); break; case TDI_RECEIVE: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_RECEIVE])...\\n\"); break; case TDI_RECEIVE_DATAGRAM: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_RECEIVE_DATAGRAM])...\\n\"); break; case TDI_SEND: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_SEND])...\\n\"); break; case TDI_SEND_DATAGRAM: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_SEND_DATAGRAM])...\\n\"); break; case TDI_SET_EVENT_HANDLER: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_SET_EVENT_HANDLER])...\\n\"); break; case TDI_SET_INFORMATION: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [TDI_SET_INFORMATION])...\\n\"); break; default: DBGPRINT(\"PacketDispatch(IRP_MJ_INTERNAL_DEVICE_CONTROL\\ [INVALID_MINOR_FUNCTION])...\\n\"); break; } break; case IRP_MJ_DEVICE_CONTROL: DBGPRINT(\"PacketDispatch(IRP_MJ_DEVICE_CONTROL)...\\n\"); break; default: DBGPRINT(\"PacketDispatch(OTHER_MAJOR_FUNCTION)...\\n\"); break; } if (Irp->CurrentLocation == 1) { ULONG ReturnedInformation = 0; DBGPRINT((\"PacketDispatch encountered bogus current location\\n\")); RC = STATUS_INVALID_DEVICE_REQUEST; Irp->IoStatus.Status = RC; Irp->IoStatus.Information = ReturnedInformation; IoCompleteRequest(Irp, IO_NO_INCREMENT); return( RC ); } NextIrpStack = IoGetNextIrpStackLocation(Irp); *NextIrpStack = *IrpStack; IoSetCompletionRoutine(Irp,PacketCompletion,NULL,TRUE,TRUE,TRUE); return IoCallDriver(pTDIH_DeviceExtension->LowerDeviceObject,Irp); } NTSTATUS PacketCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ) { if(Irp->PendingReturned) IoMarkIrpPending(Irp); return STATUS_SUCCESS; } NTSTATUS TCPFilter_Attach( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) { NTSTATUS status = 0; UNICODE_STRING uniNtNameString; PTDIH_DeviceExtension pTDIH_DeviceExtension; PDEVICE_OBJECT pFilterDeviceObject = NULL; PDEVICE_OBJECT pTargetDeviceObject = NULL; PFILE_OBJECT pTargetFileObject = NULL; PDEVICE_OBJECT pLowerDeviceObject = NULL; DBGPRINT(\"TCPFilter_Attach.\\n\"); RtlInitUnicodeString( &uniNtNameString, DD_TCP_DEVICE_NAME ); status = IoGetDeviceObjectPointer( IN &uniNtNameString, IN FILE_READ_ATTRIBUTES, OUT &pTargetFileObject, OUT &pTargetDeviceObject ); if( !NT_SUCCESS(status) ) { DBGPRINT((\"TCPFilter_Attach: Couldn\'t get the TCP Device Object\\n\")); pTargetFileObject = NULL; pTargetDeviceObject = NULL; return( status ); } RtlInitUnicodeString( &uniNtNameString, TDIH_TCP_DEVICE_NAME ); status = IoCreateDevice( IN DriverObject, IN sizeof( TDIH_DeviceExtension ), IN &uniNtNameString, IN pTargetDeviceObject->DeviceType, IN pTargetDeviceObject->Characteristics, IN FALSE, OUT &pFilterDeviceObject ); if( !NT_SUCCESS(status) ) { DBGPRINT((\"TCPFilter_Attach: Couldn\'t create the TCP Filter Device Object\\n\")); ObDereferenceObject( pTargetFileObject ); pTargetFileObject = NULL; pTargetDeviceObject = NULL; return( status ); } pLowerDeviceObject = IoAttachDeviceToDeviceStack(pFilterDeviceObject,pTargetDeviceObject); if( !pLowerDeviceObject ) { DBGPRINT((\"TCPFilter_Attach: Couldn\'t attach to TCP Device Object\\n\")); IoDeleteDevice( pFilterDeviceObject ); pFilterDeviceObject = NULL; ObDereferenceObject( pTargetFileObject ); pTargetFileObject = NULL; pTargetDeviceObject = NULL; return( status ); } pTDIH_DeviceExtension = (PTDIH_DeviceExtension )( pFilterDeviceObject->DeviceExtension ); TCPFilter_InitDeviceExtension( IN pTDIH_DeviceExtension, IN pFilterDeviceObject, IN pTargetDeviceObject, IN pTargetFileObject, IN pLowerDeviceObject ); pFilterDeviceObject->Flags |= pTargetDeviceObject->Flags & (DO_BUFFERED_IO | DO_DIRECT_IO); return status; } NTSTATUS TCPFilter_InitDeviceExtension( IN PTDIH_DeviceExtension pTDIH_DeviceExtension, IN PDEVICE_OBJECT pFilterDeviceObject, IN PDEVICE_OBJECT pTargetDeviceObject, IN PFILE_OBJECT pTargetFileObject, IN PDEVICE_OBJECT pLowerDeviceObject ) { NdisZeroMemory( pTDIH_DeviceExtension, sizeof( TDIH_DeviceExtension ) ); pTDIH_DeviceExtension->NodeType = TDIH_NODE_TYPE_TCP_FILTER_DEVICE; pTDIH_DeviceExtension->NodeSize = sizeof( TDIH_DeviceExtension ); pTDIH_DeviceExtension->pFilterDeviceObject = pFilterDeviceObject; KeInitializeSpinLock(&(pTDIH_DeviceExtension->IoRequestsSpinLock)); KeInitializeEvent(&(pTDIH_DeviceExtension->IoInProgressEvent) , NotificationEvent, FALSE); pTDIH_DeviceExtension->TargetDeviceObject = pTargetDeviceObject; pTDIH_DeviceExtension->TargetFileObject = pTargetFileObject; pTDIH_DeviceExtension->LowerDeviceObject = pLowerDeviceObject; pTDIH_DeviceExtension->DeviceExtensionFlags |= TDIH_DEV_EXT_ATTACHED; return( STATUS_SUCCESS ); } VOID TCPFilter_Detach( IN PDEVICE_OBJECT pDeviceObject ) { PTDIH_DeviceExtension pTDIH_DeviceExtension; BOOLEAN NoRequestsOutstanding = FALSE; pTDIH_DeviceExtension = (PTDIH_DeviceExtension )pDeviceObject->DeviceExtension; try { try { while (TRUE) { UTIL_IsLargeIntegerZero( NoRequestsOutstanding, pTDIH_DeviceExtension->OutstandingIoRequests, &(pTDIH_DeviceExtension->IoRequestsSpinLock) ); if( !NoRequestsOutstanding ) KeWaitForSingleObject( (void *)(&(pTDIH_DeviceExtension->IoInProgressEvent)), Executive, KernelMode, FALSE, NULL ); else break; } if( pTDIH_DeviceExtension->DeviceExtensionFlags & TDIH_DEV_EXT_ATTACHED) { IoDetachDevice( pTDIH_DeviceExtension->TargetDeviceObject ); pTDIH_DeviceExtension->DeviceExtensionFlags &= ~(TDIH_DEV_EXT_ATTACHED); } pTDIH_DeviceExtension->NodeType = 0; pTDIH_DeviceExtension->NodeSize = 0; if( pTDIH_DeviceExtension->TargetFileObject ) ObDereferenceObject( pTDIH_DeviceExtension->TargetFileObject ); pTDIH_DeviceExtension->TargetFileObject = NULL; IoDeleteDevice( pDeviceObject ); DBGPRINT((\"TCPFilter_Attach: TCPFilter_Detach Finished\\n\")); } except (EXCEPTION_EXECUTE_HANDLER){} } finally{} return; } |
|
|
6楼#
发布于:2005-05-12 11:18
谢谢 3楼的哥们 这么久了,还没有给分? |
|
|
|
7楼#
发布于:2005-05-15 10:33
不好意思.忙了一镇子别的事情.也没来看看.我以为系统自动给分呢.好了.我已经点给分了.不好意思啊.
|
|
|
8楼#
发布于:2005-05-15 10:51
我发现分给少了.怎么才2分啊.怎么能给补加啊
|
|