怎么自己做一个firewall,只要能实现对某些ip通行,某些拦截就行了?????? 最好能实现网络ip最好不知道该怎么做?期待....? 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 #include "ndis.h"#include "NDISFilter.h"#include "Pfhook.h"#define PROT_TCP 6#define DEVICE_NAME L"\\Device\\NDISFilter"#define DEVICE_LINK_NAME L"\\Global??\\NDISFilter"PDEVICE_OBJECT pGlobalDev;UNICODE_STRING pLinkName;////////////////////////////////////////////////////////////////////////NTSTATUSDriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistrPath){ NTSTATUS status = STATUS_SUCCESS; UNICODE_STRING pDeviceName; DBGPRINT("Filter Service Start"); RtlInitUnicodeString(&pDeviceName,DEVICE_NAME); //建立一个过滤钩子驱动设备 status = IoCreateDevice (pDriverObject,0,&pDeviceName,FILE_DEVICE_UNKNOWN,0, TRUE,&pGlobalDev); if (!NT_SUCCESS (status)) { DBGPRINT("creae device faile"); goto ERROR; } RtlInitUnicodeString(&pLinkName, DEVICE_LINK_NAME); //建立一个过滤钩子驱动设备符号连接 status = IoCreateSymbolicLink( &pLinkName, &pDeviceName ); if (!NT_SUCCESS(status)) // If we couldn't create the link then { // abort installation. 
DBGPRINT("creae link faile"); goto ERROR; } //申明卸载例程 pDriverObject->DriverUnload = PacketUnload; //建立钩子挂接 status = CreateDevice(pDriverObject,1); if (!NT_SUCCESS(status)) // If we couldn't create the link then { // abort installation.// DBGPRINT("creae filter faile"); IoDeleteSymbolicLink(&pLinkName); goto ERROR; } return(STATUS_SUCCESS);ERROR: if(pGlobalDev) IoDeleteDevice(pGlobalDev); //DbgPrint( "Leave DriverEntry failed\n" ); return status;}////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////NTSTATUSCreateDevice( IN PDRIVER_OBJECT pDriverObject, IN ULONG DeviceNumber ){ PIRP pIrp; NTSTATUS status = STATUS_SUCCESS; PDEVICE_OBJECT pLowDev; PFILE_OBJECT pLowFile; PF_SET_EXTENSION_HOOK_INFO pHookInfo; IO_STATUS_BLOCK filterBlock; UNICODE_STRING targetDeviceName; RtlInitUnicodeString(&targetDeviceName,L"\\Device\\IPFILTERDRIVER"); //将钩子挂接函数放入结构中 pHookInfo.ExtensionPointer = IpFilterHook; //获得系统ipfilterdriver驱动的设备指针 status = IoGetDeviceObjectPointer(&targetDeviceName,GENERIC_READ|GENERIC_WRITE, &pLowFile,&pLowDev); if(!NT_SUCCESS(status)) { DBGPRINT("can not find the pointer"); return status; } //绑定过滤钩子到系统ipfilterdriver驱动的设备指针 pIrp=IoBuildDeviceIoControlRequest( IOCTL_PF_SET_EXTENSION_POINTER, pLowDev, &pHookInfo, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, NULL, &filterBlock);// DBGPRINT("here");///////////////////////////////////////// if(pIrp==NULL) { DBGPRINT("creae filter faile"); return filterBlock.Status; } //调度系统ipfilterdriver设备重新操作irp return (IoCallDriver(pLowDev,pIrp));}////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////NTSTATUS CreateCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context ){ DBGPRINT("completion start"); if(Irp->PendingReturned) { IoMarkIrpPending(Irp); } return STATUS_SUCCESS;}PF_FORWARD_ACTION IpFilterHook( unsigned char *PacketHeader, unsigned char 
*Packet, unsigned int PacketLength, unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex, IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop ){ PIP_HEADER pIpHdr=(PIP_HEADER)PacketHeader; PTCP_HEADER pTcpHdr=(PTCP_HEADER)Packet; unsigned int sourceIP=pIpHdr->sourceIP; unsigned int destIP=pIpHdr->destIP; USHORT Uport=pTcpHdr->th_sport; unsigned char port=Uport>>8; unsigned char sbyte1; unsigned char sbyte2; unsigned char sbyte3; unsigned char sbyte4; unsigned char dbyte1; unsigned char dbyte2; unsigned char dbyte3; unsigned char dbyte4; sbyte1=sourceIP>>24; sbyte2=sourceIP>>16; sbyte3=sourceIP>>8; sbyte4=(unsigned char)sourceIP; dbyte1=destIP>>24; dbyte2=destIP>>16; dbyte3=destIP>>8; dbyte4=(unsigned char)destIP; if(pIpHdr->proto == 0x06)//tcp协议 { switch(port) { case 23: DbgPrint("原端口%d",port); DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); DbgPrint("正在使用telnet"); //return PF_DROP; break; case 80: DbgPrint("原端口%d",port); DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); DbgPrint("正在使用http"); //return PF_DROP; break; case 21: DbgPrint("原端口%d",port); DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); DbgPrint("正在使用ftp"); //return PF_DROP; break; } if(dbyte1<=20&&dbyte1>=2)//此网段被屏蔽 { DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); DbgPrint("数据包已经被截获"); return PF_DROP; } } //我们开发的协议 if(pIpHdr->proto==255||pIpHdr->proto==254) { DbgPrint("原协议%d",pIpHdr->proto); DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); DbgPrint("正在使用我们的开发的协议"); } //icmp协议,被截获 if(pIpHdr->proto == 0x01) { DbgPrint("原协议%d",pIpHdr->proto); DbgPrint("目的ip %d.%d.%d.%d",dbyte4,dbyte3,dbyte2,dbyte1); DbgPrint("源ip %d.%d.%d.%d",sbyte4,sbyte3,sbyte2,sbyte1); 
DbgPrint("正在使用icmp协议,正在经过tdi层,被截获"); return PF_DROP; } return PF_FORWARD;}//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////VOID PacketUnload( IN PDRIVER_OBJECT pDriverObject){ PIRP nirp; NTSTATUS status = STATUS_SUCCESS; PDEVICE_OBJECT pLowDev; PFILE_OBJECT pLowFile; PF_SET_EXTENSION_HOOK_INFO pHookInfo; IO_STATUS_BLOCK filterBlock; UNICODE_STRING targetDeviceName; RtlInitUnicodeString(&targetDeviceName,L"\\Device\\IPFILTERDRIVER"); pHookInfo.ExtensionPointer = NULL; status = IoGetDeviceObjectPointer(&targetDeviceName,FILE_GENERIC_READ|FILE_GENERIC_WRITE, &pLowFile,&pLowDev); if(status==STATUS_SUCCESS) { nirp = IoBuildDeviceIoControlRequest( IOCTL_PF_SET_EXTENSION_POINTER, pLowDev, &pHookInfo, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, NULL, &filterBlock); if(nirp!=NULL) IoCallDriver(pLowDev,nirp); } IoDeleteSymbolicLink(&pLinkName); IoDeleteDevice(pGlobalDev); return;} 在普通的WINDOWS 2000下实现实现包过滤的方法主要是书写NDIS过滤驱动程序,需要的技巧比较高,而且烦琐,需要考虑很多细节。但是对于很多应用而言,只需要能更方便的对ip包进行过滤处理,其实NDIS对于ip包的过滤提供一种书写过滤钩子驱动的方式,主要方法是:驱动中建立一个普通的设备,然后通过IOCTL_PF_SET_EXTENSION_POINTER操作将你的内核模式的过滤钩子挂接到系统默认的ip过滤驱动上,这样你就可以在自己的过滤钩子里面实现完整的基于包的各种分析和过滤的处理了。下面就是一个完整的NDIS过滤钩子驱动的代码拒绝所有外来的TCP带S的建立连接的请求。注意事项: 1。需要在DDK环境中编译 2。需要修改注册表中LMHK\System\\CurrentControlSet\\Services\\IPFILTERDRIVER的START类型为3,让他随系统启动而启动 3。编译生成了sys文件后需要拷贝到winnt\system32\drivers目录下 4。需要运行一个程序后手动生成注册表项 5。使用时用net start fxfilthook启动驱动,用net stop fxfilthook停止驱动 6。此方法只能对ip包进行过滤,其他的协议不会经过这个过滤钩子进行处理。 阴影算法可能会出现小数情况吗?//Alpha/1到底啥作用 中兴薪资咨询 一个关于字符串的问题 如果编程实现一个和交换机进行会话的图形界面程序 关于ado访问数据库的问题 关于PVOID的赋值问题。 怎样使程序选中CListCtrl的某一行? 弱质问题 : 请问如何在客户端(基于View/Document的)处理ActiveX的事件? DDK程序编译成为。SYS文件后,如何装载进系统 MFC 登陆对话,取消登陆后,不让主窗口显示 请问有没有针对flash处理的类?急需 请问:VC++中控件的ID是什么概念?句柄又是什么?
#include "NDISFilter.h"
#include "Pfhook.h"

/* IP protocol number of TCP. Not referenced in this file: IpFilterHook
 * compares the literal 0x06 instead. */
#define PROT_TCP 6
/* Object-manager name of the control device created in DriverEntry. */
#define DEVICE_NAME L"\\Device\\NDISFilter"
/* Symbolic link to DEVICE_NAME in the global DosDevices directory. */
#define DEVICE_LINK_NAME L"\\Global??\\NDISFilter"

/* Control device object: created in DriverEntry, deleted in PacketUnload.
 * Static zero-initialisation is what lets DriverEntry's cleanup path test
 * it before IoCreateDevice has run. */
PDEVICE_OBJECT pGlobalDev;
/* Symbolic link name, initialised from DEVICE_LINK_NAME in DriverEntry and
 * removed again in PacketUnload. */
UNICODE_STRING pLinkName;
////////////////////////////////////////////////////////////////////////
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistrPath
    )
/*
 * Driver entry point.
 * Creates the control device (DEVICE_NAME) and its symbolic link
 * (DEVICE_LINK_NAME), registers PacketUnload, then installs the packet
 * hook through CreateDevice(). Whatever was created before a failure is
 * torn down again and that failure's NTSTATUS is returned.
 *
 * Writes the file-scope globals pGlobalDev and pLinkName.
 * pRegistrPath is unused.
 *
 * NOTE(review): the device is created without FILE_DEVICE_SECURE_OPEN and
 * this file installs no IRP_MJ_CREATE dispatch routine, so an open of the
 * device appears to be rejected by the I/O manager's default handler. If
 * dispatch routines are added later, also give the device an ACL so that
 * only administrators can reach the filter.
 */
{
    UNICODE_STRING deviceName;
    NTSTATUS status;

    DBGPRINT("Filter Service Start");
    RtlInitUnicodeString(&deviceName, DEVICE_NAME);

    status = IoCreateDevice(pDriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN,
                            0, TRUE, &pGlobalDev);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("creae device faile");
        goto fail;
    }

    RtlInitUnicodeString(&pLinkName, DEVICE_LINK_NAME);
    status = IoCreateSymbolicLink(&pLinkName, &deviceName);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("creae link faile");
        goto fail;
    }

    pDriverObject->DriverUnload = PacketUnload;

    status = CreateDevice(pDriverObject, 1);
    if (NT_SUCCESS(status)) {
        return STATUS_SUCCESS;
    }
    /* Hook installation failed: the link exists, so undo it before the device. */
    IoDeleteSymbolicLink(&pLinkName);

fail:
    /* Guard against a device that was never created. */
    if (pGlobalDev) {
        IoDeleteDevice(pGlobalDev);
    }
    return status;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
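NTSTATUS
CreateDevice(
    IN PDRIVER_OBJECT pDriverObject,
    IN ULONG DeviceNumber
    )
/*
 * Installs IpFilterHook as the extension pointer of the system IP filter
 * driver (\Device\IPFILTERDRIVER) via IOCTL_PF_SET_EXTENSION_POINTER.
 *
 * Must run at PASSIVE_LEVEL: the IOCTL is issued synchronously and this
 * routine waits if the lower driver returns STATUS_PENDING.
 * pDriverObject and DeviceNumber are kept for interface compatibility
 * and are not used.
 *
 * Returns the status of the IOCTL, STATUS_INSUFFICIENT_RESOURCES when the
 * IRP could not be allocated, or the failure of IoGetDeviceObjectPointer.
 */
{
    PIRP pIrp;
    NTSTATUS status;
    PDEVICE_OBJECT pLowDev = NULL;
    PFILE_OBJECT pLowFile = NULL;
    PF_SET_EXTENSION_HOOK_INFO hookInfo;
    IO_STATUS_BLOCK ioStatus;
    KEVENT done;
    UNICODE_STRING targetDeviceName;

    RtlInitUnicodeString(&targetDeviceName, L"\\Device\\IPFILTERDRIVER");
    hookInfo.ExtensionPointer = IpFilterHook;

    status = IoGetDeviceObjectPointer(&targetDeviceName, GENERIC_READ | GENERIC_WRITE,
                                      &pLowFile, &pLowDev);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("can not find the pointer");
        return status;
    }

    /* A driver is free to return STATUS_PENDING and complete the request
     * later; without an event to wait on, ioStatus (on our stack) could be
     * written after this routine has returned. */
    KeInitializeEvent(&done, NotificationEvent, FALSE);
    pIrp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, pLowDev,
                                         &hookInfo, sizeof(hookInfo),
                                         NULL, 0, FALSE, &done, &ioStatus);
    if (pIrp == NULL) {
        DBGPRINT("creae filter faile");
        /* ioStatus is not written when no IRP could be built, so return a
         * definite status rather than an uninitialised one. */
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto out;
    }

    status = IoCallDriver(pLowDev, pIrp);
    if (status == STATUS_PENDING) {
        KeWaitForSingleObject(&done, Executive, KernelMode, FALSE, NULL);
        status = ioStatus.Status;
    }

out:
    /* IoGetDeviceObjectPointer referenced the file object; the hook pointer
     * stays registered in the filter driver, so the reference is released. */
    ObDereferenceObject(pLowFile);
    return status;
}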
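////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * IRP completion routine. It is not installed by any code in this file
 * (there is no IoSetCompletionRoutine call); kept for interface
 * compatibility. Propagates a pending status to the IRP's caller and lets
 * completion continue (STATUS_SUCCESS, not STATUS_MORE_PROCESSING_REQUIRED).
 * DeviceObject and Context are unused.
 */
NTSTATUS CreateCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    DBGPRINT("completion start");
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }
    return STATUS_SUCCESS;
}

/* IP protocol numbers compared against IP_HEADER.proto. */
enum {
    IPPROTO_NUM_ICMP = 0x01,
    IPPROTO_NUM_TCP = 0x06,
    /* the two protocol numbers the author uses for an in-house protocol */
    IPPROTO_NUM_OWN_LOW = 254,
    IPPROTO_NUM_OWN_HIGH = 255
};

/* TCP source ports that are logged (never dropped in this version). */
enum { PORT_FTP = 21, PORT_TELNET = 23, PORT_HTTP = 80 };

/* Inclusive range of destination first octets dropped for TCP packets. */
enum { BLOCKED_NET_LOW = 2, BLOCKED_NET_HIGH = 20 };

/*
 * Prints destination and source address in dotted form.
 * The values are the raw header fields; on a little-endian host the lowest
 * byte is the first octet on the wire, so bytes are printed low to high
 * (the same order the original code used).
 */
static void LogEndpoints(unsigned int sourceIP, unsigned int destIP)
{
    DbgPrint("目的ip %d.%d.%d.%d",
             (unsigned char)destIP, (unsigned char)(destIP >> 8),
             (unsigned char)(destIP >> 16), (unsigned char)(destIP >> 24));
    DbgPrint("源ip %d.%d.%d.%d",
             (unsigned char)sourceIP, (unsigned char)(sourceIP >> 8),
             (unsigned char)(sourceIP >> 16), (unsigned char)(sourceIP >> 24));
}

/* Logs a recognised TCP service: source port, both endpoints, label. */
static void LogTcpService(unsigned short port, unsigned int sourceIP,
                          unsigned int destIP, const char *label)
{
    DbgPrint("原端口%d", port);
    LogEndpoints(sourceIP, destIP);
    DbgPrint("%s", label);   /* label is data, never the format string */
}

/*
 * Packet filter hook registered with the system IP filter driver by
 * CreateDevice (IOCTL_PF_SET_EXTENSION_POINTER). Called per IP packet;
 * the return value decides its fate:
 *   TCP     : source port 21/23/80 is logged; a packet whose destination
 *             first octet lies in [BLOCKED_NET_LOW, BLOCKED_NET_HIGH]
 *             is dropped.
 *   254/255 : logged as the in-house protocol, then forwarded.
 *   ICMP    : logged and dropped.
 *   other   : forwarded.
 *
 * PacketHeader - IP header of the packet (read as IP_HEADER).
 * Packet       - bytes following the IP header (the TCP header for TCP).
 * PacketLength - taken here as the number of bytes available at Packet;
 *                NOTE(review): confirm against the pfhook documentation.
 * The interface indices and next-hop addresses are unused.
 *
 * The original read th_sport for every packet before checking the
 * protocol or the length, and compared only one byte of the port; both
 * are fixed below. Logging each packet with DbgPrint is itself a cost the
 * host pays per packet; keep it out of production builds.
 */
PF_FORWARD_ACTION
IpFilterHook(
    unsigned char *PacketHeader,
    unsigned char *Packet,
    unsigned int PacketLength,
    unsigned int RecvInterfaceIndex,
    unsigned int SendInterfaceIndex,
    IPAddr RecvLinkNextHop,
    IPAddr SendLinkNextHop
    )
{
    PIP_HEADER pIpHdr = (PIP_HEADER)PacketHeader;
    unsigned int sourceIP;
    unsigned int destIP;
    unsigned char firstDestOctet;

    if (pIpHdr == NULL) {
        /* The filter driver is expected to always pass a header; this only
         * keeps a broken caller from dereferencing NULL and matches the
         * function's default outcome below. */
        return PF_FORWARD;
    }

    sourceIP = pIpHdr->sourceIP;
    destIP = pIpHdr->destIP;
    /* Raw header value: on a little-endian host the lowest byte is the
     * first octet, which is what a blocked "network segment" refers to.
     * The original tested the highest byte, i.e. the last octet. */
    firstDestOctet = (unsigned char)destIP;

    if (pIpHdr->proto == IPPROTO_NUM_TCP) {
        PTCP_HEADER pTcpHdr = (PTCP_HEADER)Packet;

        /* Touch the transport header only when it is actually present, so
         * a truncated packet cannot make us read past the buffer. */
        if (Packet != NULL && PacketLength >= sizeof(*pTcpHdr)) {
            USHORT rawPort = pTcpHdr->th_sport;
            /* th_sport is big-endian on the wire; swap both bytes. The
             * original kept a single byte, so e.g. port 279 matched as 23. */
            unsigned short port = (unsigned short)((rawPort >> 8) | (rawPort << 8));

            /* To block one of these services return PF_DROP in its case
             * (the original left those returns commented out). */
            switch (port) {
            case PORT_TELNET:
                LogTcpService(port, sourceIP, destIP, "正在使用telnet");
                break;
            case PORT_HTTP:
                LogTcpService(port, sourceIP, destIP, "正在使用http");
                break;
            case PORT_FTP:
                LogTcpService(port, sourceIP, destIP, "正在使用ftp");
                break;
            default:
                break;
            }
        }

        if (firstDestOctet >= BLOCKED_NET_LOW && firstDestOctet <= BLOCKED_NET_HIGH) {
            LogEndpoints(sourceIP, destIP);
            DbgPrint("数据包已经被截获");
            return PF_DROP;
        }
    }

    if (pIpHdr->proto == IPPROTO_NUM_OWN_LOW || pIpHdr->proto == IPPROTO_NUM_OWN_HIGH) {
        DbgPrint("原协议%d", pIpHdr->proto);
        LogEndpoints(sourceIP, destIP);
        DbgPrint("正在使用我们的开发的协议");
    }

    if (pIpHdr->proto == IPPROTO_NUM_ICMP) {
        DbgPrint("原协议%d", pIpHdr->proto);
        LogEndpoints(sourceIP, destIP);
        DbgPrint("正在使用icmp协议,正在经过tdi层,被截获");
        return PF_DROP;
    }

    return PF_FORWARD;
}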
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
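VOID PacketUnload(
    IN PDRIVER_OBJECT pDriverObject
    )
/*
 * Driver unload routine.
 * Clears the extension pointer in the system IP filter driver first, so
 * that it stops calling into code that is about to be unmapped, then
 * removes the symbolic link and control device created by DriverEntry.
 * pDriverObject is unused.
 *
 * An unload routine cannot veto the unload, so a failed unhook can only
 * be logged; it is waited for synchronously (PASSIVE_LEVEL) so the status
 * block on this stack is never written after the routine returns.
 */
{
    PIRP nirp;
    NTSTATUS status;
    PDEVICE_OBJECT pLowDev = NULL;
    PFILE_OBJECT pLowFile = NULL;
    PF_SET_EXTENSION_HOOK_INFO hookInfo;
    IO_STATUS_BLOCK ioStatus;
    KEVENT done;
    UNICODE_STRING targetDeviceName;

    RtlInitUnicodeString(&targetDeviceName, L"\\Device\\IPFILTERDRIVER");
    hookInfo.ExtensionPointer = NULL;   /* NULL removes the hook */

    status = IoGetDeviceObjectPointer(&targetDeviceName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &pLowFile, &pLowDev);
    if (NT_SUCCESS(status)) {
        KeInitializeEvent(&done, NotificationEvent, FALSE);
        nirp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER, pLowDev,
                                             &hookInfo, sizeof(hookInfo),
                                             NULL, 0, FALSE, &done, &ioStatus);
        if (nirp != NULL) {
            status = IoCallDriver(pLowDev, nirp);
            if (status == STATUS_PENDING) {
                KeWaitForSingleObject(&done, Executive, KernelMode, FALSE, NULL);
                status = ioStatus.Status;
            }
        } else {
            status = STATUS_INSUFFICIENT_RESOURCES;
        }
        /* release the reference taken by IoGetDeviceObjectPointer */
        ObDereferenceObject(pLowFile);
    }
    if (!NT_SUCCESS(status)) {
        DBGPRINT("remove filter hook failed");
    }

    IoDeleteSymbolicLink(&pLinkName);
    IoDeleteDevice(pGlobalDev);
}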
驱动中建立一个普通的设备,然后通过IOCTL_PF_SET_EXTENSION_POINTER操作将你的内核模式的过滤钩子挂接到系统默认的ip过滤驱动上,这样你就可以在自己的过滤钩子里面实现完整的基于包的各种分析和过滤的处理了。
下面就是一个完整的 NDIS 过滤钩子驱动的代码,它拒绝所有外来的、带 SYN 标志的 TCP 建立连接请求。
注意事项:
1。需要在DDK环境中编译
2。需要把注册表中 HKLM\System\CurrentControlSet\Services\IPFILTERDRIVER 的 Start 值改为 3,让它随系统启动而启动
3。编译生成了sys文件后需要拷贝到winnt\system32\drivers目录下
4。需要运行一个程序后手动生成注册表项
5。使用时用net start fxfilthook启动驱动,用net stop fxfilthook停止驱动
6。此方法只能对ip包进行过滤,其他的协议不会经过这个过滤钩子进行处理。