最好能在网络 IP 层实现（对 IP 数据包进行分析和过滤）。
不知道该怎么做？
期待解答……
不知道该怎么做?
期待....?
解决方案 »
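#include "NDISFilter.h"
#include "Pfhook.h"

/* IP protocol number carried in the IP header's proto field for TCP. */
#define PROT_TCP 6

/* Native name of the control device and the Win32-visible symbolic link to it. */
#define DEVICE_NAME      L"\\Device\\NDISFilter"
#define DEVICE_LINK_NAME L"\\Global??\\NDISFilter"

/*
 * Control device created in DriverEntry and deleted in PacketUnload.
 * NOTE(review): it is created without an explicit security descriptor, so
 * the default device DACL applies. Nothing in this file installs IRP dispatch
 * routines for it; if any are added, the device should be created with an
 * SDDL string that restricts access to Administrators/SYSTEM.
 */
PDEVICE_OBJECT pGlobalDev;

/* Symbolic-link name, kept so PacketUnload can remove the link DriverEntry made. */
UNICODE_STRING pLinkName;
////////////////////////////////////////////////////////////////////////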
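/*
 * DriverEntry - driver initialisation.
 *
 * Creates the control device and its symbolic link, registers the unload
 * routine, then attaches IpFilterHook to the system IP filter driver through
 * CreateDevice(). On any failure everything created so far is torn down and
 * the failing status is returned; the I/O manager then discards the driver
 * without calling PacketUnload.
 *
 * pDriverObject - driver object supplied by the I/O manager.
 * pRegistrPath  - registry service key of this driver (unused).
 *
 * Returns STATUS_SUCCESS, or the first failing NTSTATUS.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistrPath
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING deviceName;

    (void)pRegistrPath;

    pGlobalDev = NULL;
    DBGPRINT("Filter Service Start");

    RtlInitUnicodeString(&deviceName, DEVICE_NAME);

    /*
     * Control device: no device extension (all state is file-scope), and
     * Exclusive = TRUE so at most one handle can be open at a time.
     * NOTE(review): no security descriptor is supplied, so the default device
     * DACL applies. This file sets no MajorFunction handlers, so user-mode
     * opens are presumably rejected by the I/O manager — verify; if dispatch
     * routines are ever added, create the device with an SDDL string that
     * limits it to Administrators/SYSTEM.
     */
    status = IoCreateDevice(pDriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN,
                            0, TRUE, &pGlobalDev);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("create device failed");
        pGlobalDev = NULL;      /* nothing to delete on the error path */
        goto ERROR;
    }

    RtlInitUnicodeString(&pLinkName, DEVICE_LINK_NAME);

    /* Symbolic link so the device is reachable from the Win32 namespace. */
    status = IoCreateSymbolicLink(&pLinkName, &deviceName);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("create link failed");
        goto ERROR;
    }

    /* Unload routine; it must detach the hook before the image is freed. */
    pDriverObject->DriverUnload = PacketUnload;

    /* Attach IpFilterHook to \Device\IPFILTERDRIVER. */
    status = CreateDevice(pDriverObject, 1);
    if (!NT_SUCCESS(status)) {
        /* Was commented out in the original: the failure went unreported. */
        DBGPRINT("create filter failed");
        IoDeleteSymbolicLink(&pLinkName);
        goto ERROR;
    }

    return STATUS_SUCCESS;

ERROR:
    if (pGlobalDev != NULL) {
        IoDeleteDevice(pGlobalDev);
        pGlobalDev = NULL;
    }
    return status;
}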
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
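/*
 * CreateDevice - attach IpFilterHook to the system IP filter driver.
 *
 * Looks up \Device\IPFILTERDRIVER, builds an IOCTL_PF_SET_EXTENSION_POINTER
 * request carrying IpFilterHook and sends it synchronously.
 *
 * Fixes relative to the original:
 *  - The IRP was built with no event and never waited for. If the lower
 *    driver returned STATUS_PENDING, the I/O manager would later write into
 *    the IO_STATUS_BLOCK on this function's dead stack frame. The request is
 *    now waited for on a local KEVENT.
 *  - When IoBuildDeviceIoControlRequest() failed, the uninitialised
 *    filterBlock.Status was returned, which could read as success and make
 *    DriverEntry believe the hook was installed.
 *  - The file-object reference taken by IoGetDeviceObjectPointer() was never
 *    released. It only has to outlive the IRP (the hook pointer itself is
 *    kept by the filter driver, not by this reference), so it is dropped
 *    once the request has completed.
 *
 * pDriverObject - this driver's object (unused).
 * DeviceNumber  - unused; kept for interface compatibility.
 *
 * Returns the NTSTATUS of the IOCTL, or an error if the filter driver could
 * not be located or the IRP could not be built.
 */
NTSTATUS
CreateDevice(
    IN PDRIVER_OBJECT pDriverObject,
    IN ULONG DeviceNumber
    )
{
    NTSTATUS status;
    PDEVICE_OBJECT pFilterDev = NULL;
    PFILE_OBJECT pFilterFile = NULL;
    PIRP pIrp;
    KEVENT completionEvent;
    IO_STATUS_BLOCK ioStatus;
    PF_SET_EXTENSION_HOOK_INFO hookInfo;
    UNICODE_STRING filterDevName;

    (void)pDriverObject;
    (void)DeviceNumber;

    RtlInitUnicodeString(&filterDevName, L"\\Device\\IPFILTERDRIVER");

    /* The hook to install. hookInfo is a local, which is safe only because
       the request is waited for below before this frame is left. */
    hookInfo.ExtensionPointer = IpFilterHook;

    /* Takes a reference on the filter driver's file object; released below. */
    status = IoGetDeviceObjectPointer(&filterDevName, GENERIC_READ | GENERIC_WRITE,
                                      &pFilterFile, &pFilterDev);
    if (!NT_SUCCESS(status)) {
        DBGPRINT("can not find the pointer");
        return status;
    }

    KeInitializeEvent(&completionEvent, NotificationEvent, FALSE);

    pIrp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                         pFilterDev,
                                         &hookInfo,
                                         sizeof(PF_SET_EXTENSION_HOOK_INFO),
                                         NULL,
                                         0,
                                         FALSE,
                                         &completionEvent,
                                         &ioStatus);
    if (pIrp == NULL) {
        DBGPRINT("create filter failed");
        ObDereferenceObject(pFilterFile);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    /* IoCallDriver takes ownership of the IRP; the I/O manager frees it. */
    status = IoCallDriver(pFilterDev, pIrp);
    if (status == STATUS_PENDING) {
        /* DriverEntry runs at PASSIVE_LEVEL, so blocking here is allowed. */
        KeWaitForSingleObject(&completionEvent, Executive, KernelMode, FALSE, NULL);
        status = ioStatus.Status;
    }

    ObDereferenceObject(pFilterFile);
    return status;
}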
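////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*
 * CreateCompletion - IRP completion routine.
 *
 * Nothing in this file registers it (there is no IoSetCompletionRoutine
 * call), so it is currently unused. If it is registered, it propagates the
 * lower driver's pending state and lets completion continue.
 *
 * Returns STATUS_SUCCESS.
 */
NTSTATUS
CreateCompletion(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    (void)DeviceObject;
    (void)Context;

    DBGPRINT("completion start");
    if (Irp->PendingReturned) {
        IoMarkIrpPending(Irp);
    }
    return STATUS_SUCCESS;
}

/*
 * LogAddresses - print destination and source IPv4 addresses.
 *
 * src/dst point at the four address octets in wire order (first octet first),
 * so the output is ordinary dotted-decimal regardless of host endianness.
 */
static void
LogAddresses(
    const unsigned char *src,
    const unsigned char *dst
    )
{
    DbgPrint("目的ip %d.%d.%d.%d", dst[0], dst[1], dst[2], dst[3]);
    DbgPrint("源ip %d.%d.%d.%d", src[0], src[1], src[2], src[3]);
}

/*
 * ReadPort - decode a 16-bit network-byte-order port field.
 *
 * Reads the two bytes directly, so it does not depend on host endianness.
 */
static unsigned short
ReadPort(
    const USHORT *field
    )
{
    const unsigned char *b = (const unsigned char *)field;
    return (unsigned short)((b[0] << 8) | b[1]);
}

/*
 * IpFilterHook - per-packet callback registered with \Device\IPFILTERDRIVER.
 *
 * The filter driver calls this for every IPv4 packet it handles, at raised
 * IRQL, so only non-blocking, non-paged work belongs here. PacketHeader
 * points at the IP header; Packet at the bytes following it, PacketLength
 * of them (taken to exclude the IP header — confirm against pfhook.h).
 *
 * Decisions, in order:
 *  - TCP segment too short to hold a TCP header: dropped (malformed; fail closed).
 *  - TCP with source port 23 / 80 / 21: logged as telnet / http / ftp.
 *  - TCP whose destination address has a last octet of 2..20: dropped.
 *  - Protocol 254 or 255 ("our protocol"): logged.
 *  - ICMP: dropped.
 *  - Everything else: forwarded.
 *
 * Fixes relative to the original:
 *  - th_sport was read for every packet before checking the protocol or the
 *    length, an out-of-bounds kernel read for a packet with no payload.
 *  - Only one byte of the port was compared (Uport >> 8), so e.g. port 279
 *    (0x0117) also matched "23". The full 16-bit value is now decoded.
 *  - Address octets are taken from memory instead of from shifts on a host-
 *    order integer, which only worked on little-endian hosts.
 *
 * NOTE(review): DbgPrint on every matching packet is expensive at this IRQL
 * and lets any remote sender flood the debug output; strip it outside a lab.
 *
 * Returns PF_DROP or PF_FORWARD.
 */
PF_FORWARD_ACTION
IpFilterHook(
    unsigned char *PacketHeader,
    unsigned char *Packet,
    unsigned int PacketLength,
    unsigned int RecvInterfaceIndex,
    unsigned int SendInterfaceIndex,
    IPAddr RecvLinkNextHop,
    IPAddr SendLinkNextHop
    )
{
    PIP_HEADER pIpHdr = (PIP_HEADER)PacketHeader;
    /* Octets in wire order: src[0] is the first octet of the source address. */
    const unsigned char *src = (const unsigned char *)&pIpHdr->sourceIP;
    const unsigned char *dst = (const unsigned char *)&pIpHdr->destIP;

    (void)RecvInterfaceIndex;
    (void)SendInterfaceIndex;
    (void)RecvLinkNextHop;
    (void)SendLinkNextHop;

    if (pIpHdr->proto == 0x06) {        /* TCP (PROT_TCP at top of file) */
        PTCP_HEADER pTcpHdr = (PTCP_HEADER)Packet;
        unsigned short port;

        /* A TCP segment that cannot hold its header is malformed: drop it
           rather than read past the buffer. */
        if (Packet == NULL || PacketLength < sizeof(*pTcpHdr)) {
            DbgPrint("truncated tcp segment dropped");
            return PF_DROP;
        }

        port = ReadPort(&pTcpHdr->th_sport);

        switch (port) {
        case 23:
            DbgPrint("原端口%d", port);
            LogAddresses(src, dst);
            DbgPrint("正在使用telnet");
            break;
        case 80:
            DbgPrint("原端口%d", port);
            LogAddresses(src, dst);
            DbgPrint("正在使用http");
            break;
        case 21:
            DbgPrint("原端口%d", port);
            LogAddresses(src, dst);
            DbgPrint("正在使用ftp");
            break;
        default:
            break;
        }

        /*
         * dst[3] is the LAST octet of the destination address, so this
         * matches x.x.x.2 through x.x.x.20 on every network. That is what the
         * original compared (destIP >> 24 on a little-endian host).
         * NOTE(review): if the 2.0.0.0 – 20.255.255.255 range was meant,
         * compare dst[0] instead.
         */
        if (dst[3] >= 2 && dst[3] <= 20) {
            LogAddresses(src, dst);
            DbgPrint("数据包已经被截获");
            return PF_DROP;
        }
    }

    /* Protocol numbers used by this project's own protocol: log only. */
    if (pIpHdr->proto == 255 || pIpHdr->proto == 254) {
        DbgPrint("原协议%d", pIpHdr->proto);
        LogAddresses(src, dst);
        DbgPrint("正在使用我们的开发的协议");
    }

    /* All ICMP is dropped. NOTE(review): this also discards echo replies,
       destination-unreachable and fragmentation-needed messages. */
    if (pIpHdr->proto == 0x01) {
        DbgPrint("原协议%d", pIpHdr->proto);
        LogAddresses(src, dst);
        DbgPrint("正在使用icmp协议,正在经过tdi层,被截获");
        return PF_DROP;
    }

    return PF_FORWARD;
}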
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
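/*
 * PacketUnload - driver unload routine.
 *
 * Detaches the hook by sending IOCTL_PF_SET_EXTENSION_POINTER with a NULL
 * ExtensionPointer to \Device\IPFILTERDRIVER, then removes the symbolic
 * link and the control device.
 *
 * The detach request is waited for: once this routine returns the driver
 * image is freed, and a hook pointer still held by the filter driver would
 * be called on the next packet (a kernel use-after-free). DriverUnload
 * cannot veto the unload, so a failed detach is reported loudly rather than
 * ignored as the original did. The original also built the IRP without an
 * event (risking a write to this dead stack frame on STATUS_PENDING) and
 * leaked the file-object reference from IoGetDeviceObjectPointer().
 *
 * NOTE(review): this does not wait for hook invocations already running on
 * other CPUs; whether the filter driver serialises against that is not
 * visible here — confirm before relying on it.
 *
 * pDriverObject - this driver's object (unused).
 */
VOID
PacketUnload(
    IN PDRIVER_OBJECT pDriverObject
    )
{
    NTSTATUS status;
    PDEVICE_OBJECT pFilterDev = NULL;
    PFILE_OBJECT pFilterFile = NULL;
    PIRP pIrp;
    KEVENT completionEvent;
    IO_STATUS_BLOCK ioStatus;
    PF_SET_EXTENSION_HOOK_INFO hookInfo;
    UNICODE_STRING filterDevName;

    (void)pDriverObject;

    RtlInitUnicodeString(&filterDevName, L"\\Device\\IPFILTERDRIVER");

    /* NULL ExtensionPointer removes the currently installed hook. */
    hookInfo.ExtensionPointer = NULL;

    status = IoGetDeviceObjectPointer(&filterDevName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &pFilterFile, &pFilterDev);
    if (NT_SUCCESS(status)) {
        KeInitializeEvent(&completionEvent, NotificationEvent, FALSE);

        pIrp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                             pFilterDev,
                                             &hookInfo,
                                             sizeof(PF_SET_EXTENSION_HOOK_INFO),
                                             NULL,
                                             0,
                                             FALSE,
                                             &completionEvent,
                                             &ioStatus);
        if (pIrp != NULL) {
            status = IoCallDriver(pFilterDev, pIrp);
            if (status == STATUS_PENDING) {
                /* Unload runs at PASSIVE_LEVEL; blocking is allowed. */
                KeWaitForSingleObject(&completionEvent, Executive, KernelMode,
                                      FALSE, NULL);
                status = ioStatus.Status;
            }
        } else {
            status = STATUS_INSUFFICIENT_RESOURCES;
        }

        /* Release the reference taken by IoGetDeviceObjectPointer(). */
        ObDereferenceObject(pFilterFile);
    }

    if (!NT_SUCCESS(status)) {
        DBGPRINT("unhook failed: filter driver may still reference IpFilterHook");
    }

    IoDeleteSymbolicLink(&pLinkName);
    if (pGlobalDev != NULL) {
        IoDeleteDevice(pGlobalDev);
        pGlobalDev = NULL;
    }
}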
驱动中建立一个普通的控制设备，然后向系统自带的 IP 过滤驱动（\Device\IPFILTERDRIVER）发送 IOCTL_PF_SET_EXTENSION_POINTER，把内核态的过滤钩子函数挂接上去。此后每个经过 IP 层的数据包都会先回调该钩子（钩子在提升的 IRQL 下运行，不能阻塞、不能访问分页内存），由钩子返回 PF_FORWARD 或 PF_DROP 决定放行还是丢弃，这样就可以在自己的钩子里实现基于包的各种分析和过滤。注意系统同一时刻只允许注册一个过滤钩子，已有钩子时再次注册会失败；卸载驱动前必须先把钩子置空，否则过滤驱动会继续调用已被卸载的代码。
上面就是一个完整的 IP 过滤钩子驱动示例（它挂接在 IPFILTERDRIVER 上，并不是 NDIS 中间层/过滤驱动）。需要说明的是，这段代码并没有检查 TCP 的 SYN 标志，也没有拒绝外来的连接请求：它只记录源端口为 23/80/21 的 TCP 包，丢弃目的地址最后一个字节在 2～20 之间的 TCP 包，并丢弃全部 ICMP 包。要拒绝外来的 TCP SYN 建连请求，需要在钩子里解析 TCP 标志位并结合方向判断后返回 PF_DROP。
注意事项:
1。需要在DDK环境中编译
2。需要修改注册表 HKLM\SYSTEM\CurrentControlSet\Services\IPFILTERDRIVER 下的 Start 值，让 IPFILTERDRIVER 在本驱动之前启动（本驱动加载时用 IoGetDeviceObjectPointer 查找 \Device\IPFILTERDRIVER，若它尚未加载则挂接失败）。Start 值含义：0=Boot、1=System、2=Automatic、3=Manual（按需启动）；要随系统启动应设为 1 或 2，设为 3 则需要先手动 net start ipfilterdriver。
3。编译生成了sys文件后需要拷贝到winnt\system32\drivers目录下
4。需要用安装程序（或 sc create、.inf）在 HKLM\SYSTEM\CurrentControlSet\Services 下为本驱动生成服务注册表项（ImagePath、Type、Start 等）。
5。使用时用 net start fxfilthook 启动驱动，用 net stop fxfilthook 停止驱动（fxfilthook 是第 4 步创建的服务名，按实际名称替换；停止驱动时 PacketUnload 会先把钩子置空，再删除设备）。
6。此方法只能对经过 IP 层的 IPv4 数据包进行过滤，ARP 等非 IP 协议不会经过这个过滤钩子；并且钩子对每个包都会被调用，里面的 DbgPrint 等开销会直接影响网络性能。