想用HOOK来实现嗅探器功能,怎么搞?
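/*
 * MyNdisReceive - replacement ProtocolReceive handler installed on a
 * hooked protocol binding.
 *
 * The first two parameters are added by the hook: the address of the
 * original ProtocolReceive handler and the protocol block (chain node)
 * that handler belongs to.  The remaining parameters are the unchanged
 * ProtocolReceive arguments and are forwarded untouched.
 *
 * Returns NDIS_STATUS_NOT_ACCEPTED when no original handler is known,
 * otherwise whatever the original handler returns.  The hook itself
 * never consumes the indication, so the hooked protocol keeps seeing
 * every frame.
 */
NDIS_STATUS
#if (VER_PRODUCTBUILD < 2195)
NDIS_API
#endif
MyNdisReceive(
    IN RECEIVE_HANDLER pOldFunAddr,        /* address of the original handler */
    IN NDIS_HANDLE hProHandle,             /* protocol chain node owning that handler */
    /* the original ProtocolReceive parameters follow */
    IN NDIS_HANDLE ProtocolBindingContext,
    IN NDIS_HANDLE MacReceiveContext,
    IN PVOID HeaderBuffer,
    IN UINT HeaderBufferSize,
    IN PVOID LookAheadBuffer,
    IN UINT LookaheadBufferSize,
    IN UINT PacketSize
    )
{
    PWRAPPER_PROTOCOL_BLOCK pProHandle = hProHandle;

    /* Without a valid original entry point there is nothing to forward to. */
    if (!pOldFunAddr) {
        return NDIS_STATUS_NOT_ACCEPTED;
    }

    if (LookaheadBufferSize >= PacketSize) {
        /* The whole frame is already present in HeaderBuffer + LookAheadBuffer. */
    } else if (pProHandle && pProHandle->OpenQueue) {
        /*
         * pProHandle->OpenQueue is the binding handle that NdisTransferData
         * takes as its second argument.  It is read through pProHandle
         * instead of being passed directly because:
         *   1. unbinding the protocol from the NIC and binding it again only
         *      updates pProHandle->OpenQueue, so a cached copy would go stale;
         *   2. other functions may need further fields of the same block.
         *
         * Only part of the payload is present, so the remainder has to be
         * fetched with NdisTransferData.  Outline (not compiled in):
         */
        /*
        PNDIS_PACKET Packet = NULL;
        PNDIS_BUFFER pPacketData = NULL;
        PUCHAR pucTempPoint = NULL;
        UINT BytesTransferred = 0;
        NDIS_STATUS Status = NDIS_STATUS_SUCCESS;
        NDIS_HANDLE hPacketPool = NULL;
        NDIS_HANDLE hBufferPool = NULL;
        // The original outline used an undeclared ulDataLength (the compile
        // error reported in the thread); the copy needs room for the header
        // followed by the complete payload.
        ULONG ulDataLength = HeaderBufferSize + PacketSize;

        // Allocating pools per frame works at DISPATCH_LEVEL but is costly;
        // a real driver allocates them once at bind time.
        NdisAllocatePacketPool(&Status, &hPacketPool, 255, 32);
        if (Status != NDIS_STATUS_SUCCESS) {
            // Do not return NDIS_STATUS_NOT_ACCEPTED here as the original
            // outline did: that hides the frame from the hooked protocol
            // whenever the capture side is short of memory.  Skip the
            // capture and still forward the indication below.
            goto done;
        }
        // NdisAllocateBuffer needs a *buffer* pool handle; the original
        // outline passed the packet pool handle to it.
        NdisAllocateBufferPool(&Status, &hBufferPool, 1);
        if (Status != NDIS_STATUS_SUCCESS) {
            goto free_packet_pool;
        }
        NdisAllocatePacket(&Status, &Packet, hPacketPool);
        if (Status != NDIS_STATUS_SUCCESS) {
            goto free_buffer_pool;
        }
        Status = NdisAllocateMemoryWithTag(&pucTempPoint, ulDataLength, 0x87654321);
        if (Status != NDIS_STATUS_SUCCESS) {
            goto free_packet;
        }
        // Describe the payload area that follows the copied header.
        NdisAllocateBuffer(&Status, &pPacketData, hBufferPool,
                           pucTempPoint + HeaderBufferSize, PacketSize);
        if (Status != NDIS_STATUS_SUCCESS) {
            goto free_memory;
        }
        RtlCopyMemory(pucTempPoint, HeaderBuffer, HeaderBufferSize);
        NdisChainBufferAtFront(Packet, pPacketData);

        NdisTransferData(&Status, pProHandle->OpenQueue, MacReceiveContext,
                         0, PacketSize, Packet, &BytesTransferred);
        if (Status == NDIS_STATUS_PENDING) {
            // The copy finishes asynchronously: NDIS later calls the
            // ProtocolTransferDataComplete handler registered for the
            // binding that owns OpenQueue -- presumably the hooked
            // protocol's, not anything this function installed.  Packet,
            // pPacketData and pucTempPoint must stay allocated until that
            // call and be released there; the original outline freed them
            // immediately, which is a use-after-free on this path.
            // NOTE(review): until the hook has its own completion handler
            // this path cannot be finished safely -- confirm the ownership
            // hand-off before enabling this code.
            goto done;
        }
        // Synchronous completion: pucTempPoint now holds the header followed
        // by BytesTransferred bytes of payload.

        NdisFreeBuffer(pPacketData);
    free_memory:
        // Third argument is MemoryFlags, not the allocation tag; memory from
        // NdisAllocateMemoryWithTag is released with flags 0.  The original
        // outline never freed pucTempPoint on the success path.
        NdisFreeMemory(pucTempPoint, ulDataLength, 0);
    free_packet:
        NdisFreePacket(Packet);
    free_buffer_pool:
        NdisFreeBufferPool(hBufferPool);
    free_packet_pool:
        NdisFreePacketPool(hPacketPool);
    done:
        ;
        */
    }

    /* Forward the indication to the original handler. */
    return pOldFunAddr(ProtocolBindingContext,
                       MacReceiveContext,
                       HeaderBuffer,
                       HeaderBufferSize,
                       LookAheadBuffer,
                       LookaheadBufferSize,
                       PacketSize);
}
如果 LookaheadBufferSize < PacketSize这里用什么办法得到余下的部分?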
沙发#
发布于:2004-07-12 00:37
救命啊,怎么没有人顶啊,驱坛好像越来越冷清了
板凳#
发布于:2004-07-12 11:29
你的代码里不是很清楚了么。
如果 LookaheadBufferSize < PacketSize,就调用 NdisTransferData(&Status, pProHandle->OpenQueue, MacReceiveContext, 0, PacketSize, Packet, &BytesTransferred);调用完成后 Packet 中就是完整的包内容。
地板#
发布于:2004-07-12 11:36
惭愧,我真粗心,看到注释过的,就一眼都不看就过去了,
但是作者为什么把这段代码注释呢? |
地下室#
发布于:2004-07-12 12:35
注释里说这只是个简要过程。
肯定代码还有不完善的地方,但方向是没有错的。 |
5楼#
发布于:2004-07-12 15:58
谢谢,我会好好研究的
6楼#
发布于:2004-07-12 17:41
NdisAllocateMemoryWithTag(&pucTempPoint, ulDataLength, 0x87654321);
再问一个,这句是什么意思? 为什么编译的时候系统说ulDatalength没有定义? 怎么解决这个问题? |
7楼#
发布于:2004-07-12 22:46
NdisAllocateMemoryWithTag(&pucTempPoint,
LookaheadBufferSize, 'Iori'); 这样可以么? |
8楼#
发布于:2004-07-12 23:12
奇怪啊,运行了半个小时
都没有LookaheadBufferSize 不等于 PacketSize的情况,这种情况什么时候才发生呢? |
9楼#
发布于:2004-07-13 16:12
这段代码应该是老鼠写的,你问他
10楼#
发布于:2004-07-13 22:47
老鼠兄弟在哪里?