请做过数据包拦截技术的高手进来~~~~~~~ 有谁用NDIS钩子技术拦截数据包呀~~~~~~~~ 现在很急用~~~~ 希望有例子~~~~~如果可行我愿意付出1000分 我留下EMAIL [email protected] 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 有本书叫做 Windows下的防火墙封包技术(名字可能不完全正确)应该提到to qrivis:winpcap不行,只能监听,无法拦截 你可以用SPI做成防火墙来拦截包相比NDIS HOOK和标准HOOK方式来说SPI拦截不到ICMP等数据,但是一般的标准的TCP/IP UDP数据都可以拦截可以看这里http://www.csdn.net/Develop/article/15/15919.shtm至于NDIS HOOK可以看这里,不过比SPI更复杂还有标准的NDIS驱动更复杂http://www.jobs2me.com/forum/viewthread.php?tid=22595 仅攻参考http://expert.csdn.net/Expert/topic/1014/1014996.xml?temp=.6851465 char Buffer[BUFFERSIZE+SERVERNAMEMAXSIZE];SocketPair theSocket;struct sockaddr_in from;//(struct sockaddr*)&fromint fromLen;struct sockaddr_in ServerAddr;char Address[256];int Port=80;int i,n; HowLink++;//增加连接 fromLen=sizeof(from); printf("监听##################%d",HowLink); theSocket.Client=accept(Proxy,(struct sockaddr *)&from,&fromLen); if(theSocket.Client==INVALID_SOCKET) { printf("监听失败!accept()\n");//printf("\nError in accept."); return -5; } printf("##################监听\n"); AfxBeginThread(ProxyThread,NULL);//建立新监听 n=recv(theSocket.Client,Buffer,sizeof(Buffer),0); if(n==SOCKET_ERROR) { printf("Error:接收客户数据失败!recv()\n"); goto ErrorExitThread; } Buffer[n] = 0; printf("Message:从客户接收数据\n"); GetAddressAndPort(Buffer,Address,&Port); theSocket.Server = socket(AF_INET,SOCK_STREAM,0); /* 打开一个 socket */ if(theSocket.Server < 0 ) { printf("Error:建立服务器Socket失败!socket():%d\n",WSAGetLastError()); goto ErrorExitThread; } memset(&ServerAddr,0,sizeof(ServerAddr)); ServerAddr.sin_addr.s_addr=inet_addr(Address); ServerAddr.sin_family=AF_INET; ServerAddr.sin_port=htons(Port);// ServerAddr.sin_addr.s_addr=inet_addr("200.0.0.5"); if (connect(theSocket.Server,(struct sockaddr*)&ServerAddr,sizeof(ServerAddr))==SOCKET_ERROR) { printf("Error:连接服务器出错!connect():%d\n",WSAGetLastError()); goto ErrorExitThread; } i=send(theSocket.Server,Buffer,sizeof(Buffer),0); if(i==SOCKET_ERROR) { printf("Error:向服务器发送数据失败!send():%d\n",WSAGetLastError()); goto ErrorExitThread; } while(1) 
{//WSAECONNABORTED i = recv(theSocket.Server,Buffer,sizeof (Buffer),0);//0 if (i == SOCKET_ERROR &&i!=WSAECONNRESET) {//WSAECONNRESET//#########就在这跳到下面去了###### printf("Error:接收服务器数据失败!recv():%d\n",WSAGetLastError()); break; } n=i; if (i == 0) { printf("Message:服务器关闭连接!\n");//printf("Server closed connection\n"); break; } i = send(theSocket.Client,Buffer,n,0); if (i == SOCKET_ERROR) { printf("send() failed: error %d\n",WSAGetLastError()); break; } } closesocket(theSocket.Client); closesocket(theSocket.Server); HowLink--; return 0;ErrorExitThread: HowLink--; return -1; 哈,不好意思贴错地方了,也请大家关注http://expert.csdn.net/Expert/topic/1249/1249629.xml?temp=.3224298 用Winpcap监听,在写Ndis拦截行不行?好像packet就可以过滤数据吧? 到driverdevelop.com论坛里有gjpland给的源码。 1。需要在DDK环境中编译 2。需要修改注册表中LMHK\System\\CurrentControlSet\\Services\\IPFILTERDRIVER的START类型为3,让他随系统启动而启动 3。编译生成了sys文件后需要拷贝到winnt\system32\drivers目录下 4。需要运行一个程序后手动生成注册表项 5。使用时用net start fxfilthook启动驱动,用net stop fxfilthook停止驱动 6。此方法只能对ip包进行过滤,其他的协议不会经过这个过滤钩子进行处理。//驱动程序的头文件#include "ntddk.h"#include "ntddndis.h"#include "pfhook.h"#ifndef __NTHANDLE_H#define __NTHANDLE_H#define NT_DEVICE_NAME L"\\Device\\Fxfilthook"#define DOS_DEVICE_NAME L"\\DosDevices\\Fxfilthook"#define PROT_TCP 6#include "ntddk.h"#include "xfilthook.h"typedef struct IPHeader { UCHAR iph_verlen; // Version and length UCHAR iph_tos; // Type of service USHORT iph_length; // Total datagram length USHORT iph_id; // Identification USHORT iph_offset; // Flags, fragment offset UCHAR iph_ttl; // Time to live UCHAR iph_protocol; // Protocol USHORT iph_xsum; // Header checksum ULONG iph_src; // Source address ULONG iph_dest; // Destination address } IPHeader; NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);NTSTATUSCreateFilterHook(IN PDRIVER_OBJECT DriverObject);VOIDDriverUnload(IN PDRIVER_OBJECT DriverObject);PF_FORWARD_ACTIONIpFilterHook( IN unsigned char *PacketHeader, IN unsigned char *Packet, IN unsigned int PacketLength, IN unsigned int 
RecvInterfaceIndex, IN unsigned int SendInterfaceIndex, IN IPAddr RecvLinkNextHop, IN IPAddr SendLinkNextHop);#endif//驱动程序的c文件#define PROT_TCP 6#include "ntddk.h"#include "ntddndis.h"#include "pfhook.h"#include "fxfilthook.h"PDEVICE_OBJECT deviceObject;UNICODE_STRING win32DeviceName;//住驱动入口点NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ){ NTSTATUS status = STATUS_SUCCESS; UNICODE_STRING ntDeviceName; RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME); //建立一个过滤钩子驱动设备 status = IoCreateDevice (DriverObject,0,&ntDeviceName,FILE_DEVICE_UNKNOWN,0,TRUE,&deviceObject); if (!NT_SUCCESS (status)) { goto ERROR; } RtlInitUnicodeString(&win32DeviceName, DOS_DEVICE_NAME); //建立一个过滤钩子驱动设备符号连接 status = IoCreateSymbolicLink( &win32DeviceName, &ntDeviceName ); if (!NT_SUCCESS(status)) // If we couldn't create the link then { // abort installation. goto ERROR; }//申明卸载例程 DriverObject->DriverUnload = DriverUnload;//建立钩子挂接 status = CreateFilterHook(DriverObject); if (!NT_SUCCESS(status)) // If we couldn't create the link then { // abort installation. 
IoDeleteSymbolicLink(&win32DeviceName); goto ERROR; } return(STATUS_SUCCESS);ERROR: if(deviceObject) IoDeleteDevice(deviceObject); //DbgPrint( "Leave DriverEntry failed\n" ); return status;}NTSTATUSCreateFilterHook(IN PDRIVER_OBJECT DriverObject){ PIRP nirp; NTSTATUS status = STATUS_SUCCESS; PFILE_OBJECT filtfileob; UNICODE_STRING ntDeviceName; PDEVICE_OBJECT filtdeviceob; PF_SET_EXTENSION_HOOK_INFO filthook; IO_STATUS_BLOCK filtstatus; RtlInitUnicodeString(&ntDeviceName,L"\\Device\\IPFILTERDRIVER"); //将钩子挂接函数放入结构中 filthook.ExtensionPointer = IpFilterHook; //获得系统ipfilterdriver驱动的设备指针 status = IoGetDeviceObjectPointer(&ntDeviceName,FILE_GENERIC_READ|FILE_GENERIC_WRITE,&filtfileob,&filtdeviceob); if(status!=STATUS_SUCCESS) return status; //绑定过滤钩子到系统ipfilterdriver驱动的设备指针 nirp = IoBuildDeviceIoControlRequest( IOCTL_PF_SET_EXTENSION_POINTER, filtdeviceob, &filthook, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, NULL, &filtstatus); if(nirp==NULL) return filtstatus.Status; //调度系统ipfilterdriver设备重新操作irp return (IoCallDriver(filtdeviceob,nirp));}VOIDDriverUnload(IN PDRIVER_OBJECT DriverObject){//与加载一样,只是钩子函数结构中放NULL,让系统ipfilterdriver卸载加载的钩子函数 PIRP nirp; NTSTATUS status = STATUS_SUCCESS; PDEVICE_OBJECT filtdeviceob; PFILE_OBJECT filtfileob; PF_SET_EXTENSION_HOOK_INFO filthook; IO_STATUS_BLOCK filtstatus; UNICODE_STRING ntDeviceName; RtlInitUnicodeString(&ntDeviceName,L"\\Device\\IPFILTERDRIVER"); filthook.ExtensionPointer = NULL; status = IoGetDeviceObjectPointer(&ntDeviceName,FILE_GENERIC_READ|FILE_GENERIC_WRITE,&filtfileob,&filtdeviceob); if(status==STATUS_SUCCESS) { nirp = IoBuildDeviceIoControlRequest( IOCTL_PF_SET_EXTENSION_POINTER, filtdeviceob, &filthook, sizeof(PF_SET_EXTENSION_HOOK_INFO), NULL, 0, FALSE, NULL, &filtstatus); if(nirp!=NULL) IoCallDriver(filtdeviceob,nirp); } IoDeleteSymbolicLink(&win32DeviceName); IoDeleteDevice(deviceObject); return;}PF_FORWARD_ACTION IpFilterHook( unsigned char *PacketHeader, unsigned char *Packet, unsigned int PacketLength, 
unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex, IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop){//过滤钩子函数,这儿只简单判断属于TCP协议且数据是抵达而且带SYN标志则过滤。大家可以根据需要修改自己的过滤判断和处理。 if(((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP) {//Packet[13]==0x2就是TCP中SYN的标志//SendInterfaceIndex==INVALID_PF_IF_INDEX说明包是抵达而不是发送的,因此这样过滤就不会影响自己的包出去,但是外来带SYN请求的包则会拒绝。 if(Packet[13]==0x2 && SendInterfaceIndex==INVALID_PF_IF_INDEX) return PF_DROP; } return PF_FORWARD;}//简单的建立注册表项的程序unsigned char sysdir[256];unsigned char drivcedir[256];int RegHandelDev(char * exename){ //修改注册表启动一个NTHANDLE驱动程序 char subkey[200]; int buflen; HKEY hkResult; char Data[4]; DWORD isok; buflen = sprintf(subkey,"System\\CurrentControlSet\\Services\\%s",exename); subkey[buflen]=0; isok = RegCreateKey(HKEY_LOCAL_MACHINE,subkey,&hkResult); if(isok!=ERROR_SUCCESS) return FALSE; Data[0]=3; Data[1]=0; Data[2]=0; Data[3]=0; isok=RegSetValueEx(hkResult,"Start",0,4,(const unsigned char *)Data,4); Data[0]=1; isok=RegSetValueEx(hkResult,"Type",0,4,(const unsigned char *)Data,4); isok=RegSetValueEx(hkResult,"ErrorControl",0,4,(const unsigned char *)Data,4); GetSystemDirectory(sysdir,256); buflen = sprintf(drivcedir,"%s\\Drivers\\FxFiltHook.sys",sysdir); buflen = sprintf(subkey,"\\??\\%s",drivcedir); subkey[buflen]=0; isok=RegSetValueEx(hkResult,"ImagePath",0,1,(const unsigned char *)subkey,buflen); RegCloseKey(hkResult); buflen = sprintf(subkey,"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s",exename); subkey[buflen]=0; return TRUE;}int main(int argc,char *argv[]){ //注册驱动 http://www.vchelp.net/itbookreview/view_paper.asp?paper_id=519 PNG做透明按钮 VC下TeeChart控件坐标轴设定的问题 'SHDocvw' : does not exist or is not a namespace? 散分]纪念 MSProject 注册会员过1000 关于DLL同名的问题 static library中添加资源 如何用SplitterWnd实现三个窗口? 真的没有人懂WTL吗? 关于#pragma comment(linker, " ")有个问题,我发现有两个地方说的怎么矛盾呢? 排课程表的程序怎么弄? 一个有关error LNK2001的问题! 关于控件reflect问题
to qrivis:winpcap不行,只能监听,无法拦截
相比NDIS HOOK和标准HOOK方式来说
SPI拦截不到ICMP等数据,但是一般的标准的TCP/IP UDP数据都可以拦截可以看这里
http://www.csdn.net/Develop/article/15/15919.shtm 至于NDIS HOOK
可以看这里,不过比SPI更复杂
还有标准的NDIS驱动更复杂 http://www.jobs2me.com/forum/viewthread.php?tid=22595
http://expert.csdn.net/Expert/topic/1014/1014996.xml?temp=.6851465
struct sockaddr_in from;                 /* peer address filled in by accept() */
int fromLen;
struct sockaddr_in ServerAddr;           /* upstream server parsed out of the client's request */
char Address[256];                       /* dotted-quad text of the upstream host */
int Port=80;                             /* presumably kept when the request names no port - verify in GetAddressAndPort */
int i,n;
/* NOTE(review): HowLink looks like a counter shared by every proxy thread
 * (AfxBeginThread below spawns the next one); ++/-- without a lock or an
 * interlocked operation is a data race. */
HowLink++;
fromLen=sizeof(from);
printf("监听##################%d",HowLink);
/* Block until a client connects. Proxy is the listening socket (defined elsewhere). */
theSocket.Client=accept(Proxy,(struct sockaddr *)&from,&fromLen);
if(theSocket.Client==INVALID_SOCKET)
{
/* NOTE(review): HowLink was incremented above but is not decremented on this path. */
printf("监听失败!accept()\n");
return -5;
}
printf("##################监听\n");
/* Hand the listening socket to a fresh thread so the next client is accepted
 * while this one is served. */
AfxBeginThread(ProxyThread,NULL);
/* A single recv() is assumed to deliver the whole request; a request that
 * arrives in several segments is truncated here. */
n=recv(theSocket.Client,Buffer,sizeof(Buffer),0);
if(n==SOCKET_ERROR)
{
printf("Error:接收客户数据失败!recv()\n");
goto ErrorExitThread;
}
/* NOTE(review): when recv() fills the buffer completely n == sizeof(Buffer)
 * and this writes one byte past the end; read at most sizeof(Buffer)-1 bytes
 * or check n first. A zero-length read (n == 0) is not handled either. */
Buffer[n] = 0;
printf("Message:从客户接收数据\n");
/* Target host and port come straight from the client's request: untrusted input. */
GetAddressAndPort(Buffer,Address,&Port);
theSocket.Server = socket(AF_INET,SOCK_STREAM,0); /* open a socket towards the upstream server */
/* NOTE(review): SOCKET is an unsigned type on Winsock, so "< 0" can never be
 * true; compare with INVALID_SOCKET as the accept() check above does. */
if(theSocket.Server < 0 )
{
printf("Error:建立服务器Socket失败!socket():%d\n",WSAGetLastError());
goto ErrorExitThread;
}
memset(&ServerAddr,0,sizeof(ServerAddr));
ServerAddr.sin_addr.s_addr=inet_addr(Address);   /* NOTE(review): inet_addr() reports a bad string via INADDR_NONE; not checked here */
ServerAddr.sin_family=AF_INET;
ServerAddr.sin_port=htons(Port);
/* leftover hard-coded test target: ServerAddr.sin_addr.s_addr=inet_addr("200.0.0.5"); */
if (connect(theSocket.Server,(struct sockaddr*)&ServerAddr,sizeof(ServerAddr))==SOCKET_ERROR)
{
printf("Error:连接服务器出错!connect():%d\n",WSAGetLastError());
goto ErrorExitThread;
}
/* NOTE(review): sends sizeof(Buffer) bytes instead of the n actually received:
 * the stale bytes after the request (uninitialised stack memory) are sent to
 * the server and corrupt the request. Should be send(..., Buffer, n, 0). */
i=send(theSocket.Server,Buffer,sizeof(Buffer),0);
if(i==SOCKET_ERROR)
{
printf("Error:向服务器发送数据失败!send():%d\n",WSAGetLastError());
goto ErrorExitThread;
}
/* Relay server -> client until the server closes or an error occurs. The
 * client -> server direction is never read again after the first request. */
while(1)
{
i = recv(theSocket.Server,Buffer,sizeof (Buffer),0);
/* NOTE(review): i is the return value (-1 on error), not an error code, so
 * "i != WSAECONNRESET" is always true; presumably WSAGetLastError() was meant. */
if (i == SOCKET_ERROR &&i!=WSAECONNRESET)
{
printf("Error:接收服务器数据失败!recv():%d\n",WSAGetLastError());
break;
}
n=i;
if (i == 0)
{
printf("Message:服务器关闭连接!\n");
break;
}
/* NOTE(review): a single send() may write fewer than n bytes; the short
 * write is not retried. */
i = send(theSocket.Client,Buffer,n,0);
if (i == SOCKET_ERROR)
{
printf("send() failed: error %d\n",WSAGetLastError());
break;
}
}
closesocket(theSocket.Client);
closesocket(theSocket.Server);
HowLink--;
return 0;
/* NOTE(review): the error path closes neither theSocket.Client nor (once
 * created) theSocket.Server, leaking a socket per failed request. */
ErrorExitThread:
HowLink--;
return -1;
http://expert.csdn.net/Expert/topic/1249/1249629.xml?temp=.3224298
2。需要修改注册表中HKLM\System\CurrentControlSet\Services\IPFILTERDRIVER的START类型为3,让它随系统启动而启动
3。编译生成了sys文件后需要拷贝到winnt\system32\drivers目录下
4。需要运行一个程序后手动生成注册表项
5。使用时用net start fxfilthook启动驱动,用net stop fxfilthook停止驱动
6。此方法只能对ip包进行过滤,其他的协议不会经过这个过滤钩子进行处理。//驱动程序的头文件
#include "ntddk.h"
#include "ntddndis.h"
#include "pfhook.h"
#ifndef __NTHANDLE_H
#define __NTHANDLE_H
/* NOTE(review): identifiers beginning with a double underscore are reserved
 * for the implementation; a guard such as FXFILTHOOK_H would be safer. */
#define NT_DEVICE_NAME L"\\Device\\Fxfilthook"      /* NT object name of the control device */
#define DOS_DEVICE_NAME L"\\DosDevices\\Fxfilthook" /* user-visible symbolic link to it */
#define PROT_TCP 6                                   /* IP protocol number of TCP */
#include "ntddk.h"
#include "xfilthook.h"   /* NOTE(review): the .c file includes "fxfilthook.h"; presumably the same header - check the spelling */
/* Fixed 20-byte IPv4 header as it appears on the wire (options, if present,
 * follow it). Multi-byte fields are in network byte order. */
typedef struct IPHeader {
UCHAR iph_verlen; // Version (high nibble) and header length in 32-bit words (low nibble)
UCHAR iph_tos; // Type of service
USHORT iph_length; // Total datagram length
USHORT iph_id; // Identification
USHORT iph_offset; // Flags (3 bits) and 13-bit fragment offset
UCHAR iph_ttl; // Time to live
UCHAR iph_protocol; // Protocol (PROT_TCP for TCP)
USHORT iph_xsum; // Header checksum
ULONG iph_src; // Source address
ULONG iph_dest; // Destination address
} IPHeader;
/* Driver entry point: creates the control device and its symbolic link,
 * then installs the filter hook. */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath);
/* Registers IpFilterHook with \Device\IPFILTERDRIVER via
 * IOCTL_PF_SET_EXTENSION_POINTER. */
NTSTATUS
CreateFilterHook
(IN PDRIVER_OBJECT DriverObject);
/* Clears the hook pointer in IPFILTERDRIVER, then deletes the symbolic link
 * and the device object. */
VOID
DriverUnload
(IN PDRIVER_OBJECT DriverObject);
/* Per-packet callback invoked by IPFILTERDRIVER; returns PF_DROP or PF_FORWARD. */
PF_FORWARD_ACTION
IpFilterHook(
IN unsigned char *PacketHeader,
IN unsigned char *Packet,
IN unsigned int PacketLength,
IN unsigned int RecvInterfaceIndex,
IN unsigned int SendInterfaceIndex,
IN IPAddr RecvLinkNextHop,
IN IPAddr SendLinkNextHop);
#endif//驱动程序的c文件
#define PROT_TCP 6
#include "ntddk.h"
#include "ntddndis.h"
#include "pfhook.h"
#include "fxfilthook.h"
/* Control device created in DriverEntry and deleted in DriverUnload. Being
 * file-scope it starts out NULL, which DriverEntry's error path relies on. */
PDEVICE_OBJECT deviceObject;
/* Name of the \DosDevices symbolic link; initialised in DriverEntry and
 * deleted in DriverUnload. */
UNICODE_STRING win32DeviceName;
// main driver entry point
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    /*
     * Driver entry point. Creates the control device (NT_DEVICE_NAME), its
     * \DosDevices link (DOS_DEVICE_NAME), registers DriverUnload and then
     * hands IpFilterHook to IPFILTERDRIVER through CreateFilterHook.
     *
     * Returns STATUS_SUCCESS, or the failing call's status after undoing
     * whatever had been created so far (a failed DriverEntry never gets a
     * DriverUnload call, so the cleanup must happen here).
     *
     * No dispatch routines are installed on the device, so user-mode opens
     * of the symbolic link are not expected to succeed; the link presumably
     * exists for later use.
     */
    UNICODE_STRING ntDeviceName;
    NTSTATUS status;

    (void)RegistryPath;   /* no driver-specific parameters are read */

    RtlInitUnicodeString(&ntDeviceName, NT_DEVICE_NAME);
    status = IoCreateDevice(DriverObject, 0, &ntDeviceName, FILE_DEVICE_UNKNOWN,
                            0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        /* deviceObject is a zero-initialised global; keep the defensive
         * delete in case the failed call left a pointer behind. */
        if (deviceObject) {
            IoDeleteDevice(deviceObject);
        }
        return status;
    }

    RtlInitUnicodeString(&win32DeviceName, DOS_DEVICE_NAME);
    status = IoCreateSymbolicLink(&win32DeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObject);
        return status;
    }

    DriverObject->DriverUnload = DriverUnload;

    status = CreateFilterHook(DriverObject);
    if (!NT_SUCCESS(status)) {
        /* Hook not installed: tear down the link and the device again. */
        IoDeleteSymbolicLink(&win32DeviceName);
        IoDeleteDevice(deviceObject);
        return status;
    }

    return STATUS_SUCCESS;
}
NTSTATUS
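CreateFilterHook(IN PDRIVER_OBJECT DriverObject)
{
    /*
     * Register IpFilterHook as the extension (filter) routine of the system
     * driver \Device\IPFILTERDRIVER, using IOCTL_PF_SET_EXTENSION_POINTER.
     *
     * Returns STATUS_SUCCESS when the IOCTL completed successfully, otherwise
     * the status of the failing step. Must run at PASSIVE_LEVEL (it may wait).
     *
     * Changes against the previous version:
     *  - the IRP built by IoBuildDeviceIoControlRequest now carries a KEVENT
     *    and the routine waits when IoCallDriver returns STATUS_PENDING; the
     *    old code passed no event, so an asynchronously completed IRP would
     *    have written into filthook/filtstatus after this frame was gone;
     *  - the file object reference taken by IoGetDeviceObjectPointer is
     *    released with ObDereferenceObject instead of being leaked;
     *  - a NULL IRP no longer returns the uninitialised filtstatus.Status.
     */
    PIRP nirp;
    NTSTATUS status;
    PFILE_OBJECT filtfileob = NULL;
    PDEVICE_OBJECT filtdeviceob = NULL;
    UNICODE_STRING ntDeviceName;
    PF_SET_EXTENSION_HOOK_INFO filthook;
    IO_STATUS_BLOCK filtstatus;
    KEVENT event;

    (void)DriverObject;   /* not needed: the hook is registered by device name */

    RtlInitUnicodeString(&ntDeviceName, L"\\Device\\IPFILTERDRIVER");
    /* The structure handed to IPFILTERDRIVER only holds the hook pointer. */
    filthook.ExtensionPointer = IpFilterHook;

    /* Takes a reference on IPFILTERDRIVER's file object; released below. */
    status = IoGetDeviceObjectPointer(&ntDeviceName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &filtfileob, &filtdeviceob);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    KeInitializeEvent(&event, NotificationEvent, FALSE);
    nirp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                         filtdeviceob,
                                         &filthook,
                                         sizeof(filthook),
                                         NULL,
                                         0,
                                         FALSE,
                                         &event,
                                         &filtstatus);
    if (nirp == NULL) {
        /* No IRP could be allocated; filtstatus was never written. */
        status = STATUS_INSUFFICIENT_RESOURCES;
    } else {
        /* IPFILTERDRIVER processes the IRP; if it completes it later, wait
         * so that the stack buffers above stay valid until then. */
        status = IoCallDriver(filtdeviceob, nirp);
        if (status == STATUS_PENDING) {
            KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
            status = filtstatus.Status;
        }
    }

    ObDereferenceObject(filtfileob);
    return status;
}
VOID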
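DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /*
     * Mirror of CreateFilterHook: hands IPFILTERDRIVER a NULL extension
     * pointer so that it stops calling IpFilterHook, then removes the
     * symbolic link and the device object created in DriverEntry.
     *
     * The unhook has to be complete before this routine returns: once the
     * image is unloaded a hook pointer still registered in IPFILTERDRIVER
     * would be called into freed memory. The IRP is therefore waited for
     * (KEVENT + STATUS_PENDING handling) instead of being fired and
     * forgotten, and the file object reference from
     * IoGetDeviceObjectPointer is released rather than leaked.
     */
    PIRP nirp;
    NTSTATUS status;
    PDEVICE_OBJECT filtdeviceob = NULL;
    PFILE_OBJECT filtfileob = NULL;
    PF_SET_EXTENSION_HOOK_INFO filthook;
    IO_STATUS_BLOCK filtstatus;
    UNICODE_STRING ntDeviceName;
    KEVENT event;

    (void)DriverObject;   /* the device pointer is kept in the global deviceObject */

    RtlInitUnicodeString(&ntDeviceName, L"\\Device\\IPFILTERDRIVER");
    filthook.ExtensionPointer = NULL;   /* NULL = remove the hook */

    status = IoGetDeviceObjectPointer(&ntDeviceName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &filtfileob, &filtdeviceob);
    if (NT_SUCCESS(status)) {
        KeInitializeEvent(&event, NotificationEvent, FALSE);
        nirp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                             filtdeviceob,
                                             &filthook,
                                             sizeof(filthook),
                                             NULL,
                                             0,
                                             FALSE,
                                             &event,
                                             &filtstatus);
        if (nirp == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            status = IoCallDriver(filtdeviceob, nirp);
            if (status == STATUS_PENDING) {
                KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
                status = filtstatus.Status;
            }
        }
        ObDereferenceObject(filtfileob);
    }

    /* NOTE(review): DriverUnload cannot refuse the unload, so a failure here
     * can only be made visible; the hook pointer may then still be set. */
    if (!NT_SUCCESS(status)) {
        DbgPrint("Fxfilthook: could not clear the IPFILTERDRIVER hook (0x%08lX)\n",
                 (unsigned long)status);
    }

    IoDeleteSymbolicLink(&win32DeviceName);
    IoDeleteDevice(deviceObject);
}
PF_FORWARD_ACTION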
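IpFilterHook(
    unsigned char *PacketHeader,
    unsigned char *Packet,
    unsigned int PacketLength,
    unsigned int RecvInterfaceIndex,
    unsigned int SendInterfaceIndex,
    IPAddr RecvLinkNextHop,
    IPAddr SendLinkNextHop
    )
{
    /*
     * Filter-hook callback registered with IPFILTERDRIVER by CreateFilterHook.
     * PacketHeader points at the IPv4 header, Packet at the bytes that follow
     * it; PacketLength is taken to be the number of bytes reachable through
     * Packet. Returns PF_DROP for inbound TCP connection requests (SYN set,
     * ACK clear) and PF_FORWARD for everything else, so the host's own
     * outbound connections are unaffected while unsolicited inbound ones are
     * refused. Adapt the final test for other policies.
     *
     * Runs inside the network stack's packet path, so it must be cheap and
     * must not read beyond PacketLength: the previous version read Packet[13]
     * unconditionally, which is past the end of a short segment.
     */
    enum {
        TCP_FLAGS_OFFSET = 13,   /* flags byte of the TCP header (RFC 793) */
        TCP_FLAG_SYN     = 0x02,
        TCP_FLAG_ACK     = 0x10
    };
    const IPHeader *ip = (const IPHeader *)PacketHeader;
    unsigned int fragmentOffset;

    (void)RecvInterfaceIndex;
    (void)RecvLinkNextHop;
    (void)SendLinkNextHop;

    if (ip->iph_protocol != PROT_TCP) {
        return PF_FORWARD;
    }

    /* SendInterfaceIndex == INVALID_PF_IF_INDEX marks a packet arriving at
     * this host rather than one being sent or forwarded. */
    if (SendInterfaceIndex != INVALID_PF_IF_INDEX) {
        return PF_FORWARD;
    }

    /* Bytes 6-7 of the IPv4 header: 3 flag bits followed by the 13-bit
     * fragment offset (read byte-wise, so no byte-order assumption). A
     * non-first fragment carries payload, not a TCP header, so its byte 13
     * says nothing about TCP flags. Fragments are not reassembled here. */
    fragmentOffset = ((PacketHeader[6] & 0x1Fu) << 8) | PacketHeader[7];
    if (fragmentOffset != 0) {
        return PF_FORWARD;
    }

    /* Too short to hold the flags byte. This fails open, matching the
     * original policy of dropping only positively identified SYNs; the
     * stack is expected to discard a truncated TCP header on its own. */
    if (PacketLength <= TCP_FLAGS_OFFSET) {
        return PF_FORWARD;
    }

    /* Mask rather than compare for equality: a SYN with the ECN bits set
     * (flags byte 0xC2) is still a connection request and previously slipped
     * past the "== 0x2" test. */
    if ((Packet[TCP_FLAGS_OFFSET] & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN) {
        return PF_DROP;
    }

    return PF_FORWARD;
}
// Simple program that creates the registry entries for the driver.
unsigned char sysdir[256];    /* system directory, filled by RegHandelDev */
unsigned char drivcedir[256]; /* full path of the driver image, filled by RegHandelDev */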
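int RegHandelDev(char * exename)
{
    /*
     * Register a kernel-driver service named exename under
     * HKLM\System\CurrentControlSet\Services so that "net start <exename>"
     * can load it. Writes Start (demand start), Type (kernel driver),
     * ErrorControl (normal) and ImagePath; the image path is always
     * <system directory>\Drivers\FxFiltHook.sys - only the service name
     * comes from the caller.
     *
     * Parameters: exename - service/key name; NUL-terminated, no path
     *             separators, short enough to fit the key path.
     * Returns:    TRUE when the key and all four values were written,
     *             FALSE otherwise (a partially written key may remain).
     * Side effects: fills the globals sysdir and drivcedir.
     *
     * Writing under HKLM\System needs administrative rights; without them
     * RegCreateKey fails and FALSE is returned.
     *
     * Changes against the previous version: bounded formatting (sprintf into
     * the 200-byte subkey could overflow on a long exename), registry types
     * and service constants by name instead of 4/1, return codes of every
     * RegSetValueEx checked, REG_SZ length including the terminator, and the
     * unused trailing sprintf removed.
     */
    char subkey[200];
    int buflen;
    HKEY hkResult;
    DWORD value;
    LONG rc;
    unsigned int dirlen;
    int ok = FALSE;

    if (exename == NULL || exename[0] == '\0') {
        return FALSE;
    }
    /* A backslash in the name would create the key somewhere else in the
     * hive; refuse it rather than build an unexpected path. */
    if (strchr(exename, '\\') != NULL) {
        return FALSE;
    }

    /* snprintf bounds the write (MSVC before 2015 spells it _snprintf). */
    buflen = snprintf(subkey, sizeof subkey,
                      "System\\CurrentControlSet\\Services\\%s", exename);
    if (buflen < 0 || (size_t)buflen >= sizeof subkey) {
        return FALSE;   /* name too long: refuse instead of truncating */
    }

    rc = RegCreateKey(HKEY_LOCAL_MACHINE, subkey, &hkResult);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }

    value = SERVICE_DEMAND_START;   /* 3: loaded on request (net start), not at boot */
    rc = RegSetValueEx(hkResult, "Start", 0, REG_DWORD,
                       (const unsigned char *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto done;
    }

    value = SERVICE_KERNEL_DRIVER;  /* 1 */
    rc = RegSetValueEx(hkResult, "Type", 0, REG_DWORD,
                       (const unsigned char *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto done;
    }

    value = SERVICE_ERROR_NORMAL;   /* 1 */
    rc = RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD,
                       (const unsigned char *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto done;
    }

    /* GetSystemDirectory returns 0 on failure and the required size when the
     * buffer is too small. */
    dirlen = GetSystemDirectory((char *)sysdir, sizeof sysdir);
    if (dirlen == 0 || dirlen >= sizeof sysdir) {
        goto done;
    }

    buflen = snprintf((char *)drivcedir, sizeof drivcedir,
                      "%s\\Drivers\\FxFiltHook.sys", (char *)sysdir);
    if (buflen < 0 || (size_t)buflen >= sizeof drivcedir) {
        goto done;
    }

    /* ImagePath is stored in NT object-manager form ("\??\C:\..."). */
    buflen = snprintf(subkey, sizeof subkey, "\\??\\%s", (char *)drivcedir);
    if (buflen < 0 || (size_t)buflen >= sizeof subkey) {
        goto done;
    }
    /* REG_SZ data includes the terminating NUL, hence buflen + 1. */
    rc = RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                       (const unsigned char *)subkey, (DWORD)buflen + 1);
    if (rc != ERROR_SUCCESS) {
        goto done;
    }

    ok = TRUE;

done:
    RegCloseKey(hkResult);
    return ok;
}
int main(int argc,char *argv[])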
{
//注册驱动