Most of the packet-interception techniques people share involve writing an intermediate (IM) driver at the NDIS intermediate layer, which intercepts packets between the miniport (NIC driver) and the protocol drivers. This is the technique Microsoft provides, but writing such a filter is very complicated and installing it is also troublesome.
Here I briefly introduce a more efficient NDIS packet-interception technique.
As everyone knows, an NDIS protocol driver registers itself by filling in an NDIS_PROTOCOL_CHARACTERISTICS table and calling the NDIS API function NdisRegisterProtocol. Now let's look at the NDIS_PROTOCOL_CHARACTERISTICS table: the entry points of all the protocol driver's dispatch functions for the underlying layer are stored in this table, such as SendHandler, ReceiveHandler, BindAdapterHandler and so on.
When a packet arrives at the NIC, the protocol driver is notified through the ReceiveHandler or ReceivePacketHandler in this table that a packet has arrived, and the protocol driver sends packets out to the network through the NIC via the SendHandler or SendPacketsHandler function.
At this point someone will find it strange: doesn't the program clearly call NdisSend or NdisSendPackets, not these handlers? That's right, but if you look at the NDIS.H header file you will see that these two functions are both macros; the send actually goes through the SendHandler or SendPacketsHandler in this table.
Now what we have to do should be very clear: as long as we can point the dispatch functions in each protocol driver's NDIS_PROTOCOL_CHARACTERISTICS table at our own functions, we can intercept packets. So where is each protocol driver's table kept? Very simple: look at the prototype of NdisRegisterProtocol.
struct _NDIS_PROTOCOL_BLOCK
{
    PNDIS_OPEN_BLOCK                OpenQueue;               // queue of opens for this protocol
    REFERENCE                       Ref;                     // contains spinlock for OpenQueue
    UINT                            Length;                  // of this NDIS_PROTOCOL_BLOCK structure
    NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics; // handler addresses
    struct _NDIS_PROTOCOL_BLOCK    *NextProtocol;            // link to next
    ULONG                           MaxPatternSize;
#if defined(NDIS_WRAPPER)
    //
    // Protocol filters
    //
    struct _NDIS_PROTOCOL_FILTER   *ProtocolFilter[NdisMediumMax+1];
    WORK_QUEUE_ITEM                 WorkItem;                // used during NdisRegisterProtocol to
                                                             // notify protocols of existing drivers
    KMUTEX                          Mutex;                   // for serialization of bind/unbind requests
    PKEVENT                         DeregEvent;              // used by NdisDeregisterProtocol
#endif
};
typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK, *PNDIS_PROTOCOL_BLOCK;

EXPORT
VOID
NdisRegisterProtocol(
    OUT PNDIS_STATUS                   Status,
    OUT PNDIS_PROTOCOL_BLOCK           NdisProtocolHandle,      /* note: the NDIS_HANDLE here is really a PNDIS_PROTOCOL_BLOCK, don't doubt it */
    IN  PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,
    IN  UINT                           CharacteristicsLength
    );
NDIS_PROTOCOL_BLOCK (the protocol table) is a singly linked list that NDIS maintains of all the protocols registered in the system; the NextProtocol field points to the next protocol table.
Fortunately, when we register a new protocol, NDIS always places the newly registered protocol at the head of the list and returns this table. So as long as we register a new protocol, starting from the table returned for it we can easily traverse every protocol table in the system. Now every protocol's NDIS_PROTOCOL_CHARACTERISTICS table is in front of us; how to hook the dispatch functions in it I don't need to say more.
By the way, the NDIS_PROTOCOL_BLOCK allocated by NdisRegisterProtocol is of NonPagedPool type. For a kernel driver, kernel memory is one linear memory area, and any kernel driver can access any address in the kernel memory area. What you need to pay attention to is the difference between paged and non-paged memory at different IRQL levels.
Someone will ask: does this really intercept? If some dear reader has already started writing the program, he will be disappointed, because he will find that the result intercepts nothing at all, or only some packets. Why?
Because when the NDIS NIC driver and the protocol driver send and receive packets, in many cases they do not call the dispatch functions in PNDIS_PROTOCOL_BLOCK->ProtocolCharacteristics at all. What to do?
It is necessary to introduce how the binding between NDIS NIC drivers and protocol drivers works.
Shortly after NdisRegisterProtocol registers a protocol, NDIS calls the BindAdapterHandler dispatch function in the table to notify the protocol to bind to each NIC. The protocol's BindAdapterHandler is also called when the system discovers a new NIC through PnP. In the bind call the protocol uses NdisOpenAdapter to bind itself to the appropriate NIC as needed, and gets back an NdisBindingHandle. What is NdisBindingHandle? It is actually a pointer to an NDIS_OPEN_BLOCK table. And what is the NDIS_OPEN_BLOCK table used for? When a protocol binds, a data transfer channel is established between the protocol and each NIC it binds to, and NDIS_OPEN_BLOCK is what maintains this data channel.
struct _NDIS_OPEN_BLOCK
{
    PNDIS_MAC_BLOCK                MacHandle;              // pointer to our MAC
    NDIS_HANDLE                    MacBindingHandle;       // context when calling MacXX funcs
    PNDIS_ADAPTER_BLOCK            AdapterHandle;          // pointer to our adapter
    PNDIS_PROTOCOL_BLOCK           ProtocolHandle;         // pointer to our protocol
    NDIS_HANDLE                    ProtocolBindingContext; // context when calling ProtXX funcs
    PNDIS_OPEN_BLOCK               AdapterNextOpen;        // used by adapter's OpenQueue
    PNDIS_OPEN_BLOCK               ProtocolNextOpen;       // used by protocol's OpenQueue
    PFILE_OBJECT                   FileObject;             // created by operating system
    BOOLEAN                        Closing;                // TRUE when removing this struct
    BOOLEAN                        Unloading;              // TRUE when processing unload
    BOOLEAN                        NoProtRsvdOnRcvPkt;     // reflects the protocol options
    NDIS_HANDLE                    CloseRequestHandle;     // 0 indicates an internal close
    KSPIN_LOCK                     SpinLock;               // guards Closing
    PNDIS_OPEN_BLOCK               NextGlobalOpen;
    //
    // These are optimizations for getting to MAC routines. They are not
    // necessary, but are here to save a dereference through the MAC block.
    //
    SEND_HANDLER                   SendHandler;
    TRANSFER_DATA_HANDLER          TransferDataHandler;
    //
    // These are optimizations for getting to protocol routines. They are not
    // necessary, but are here to save a dereference through the protocol block.
    //
    SEND_COMPLETE_HANDLER          SendCompleteHandler;
    TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;
    RECEIVE_HANDLER                ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER       ReceiveCompleteHandler;
    //
    // Extensions to the open block since Product 1.
    //
    RECEIVE_HANDLER                PostNt31ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER       PostNt31ReceiveCompleteHandler;
    //
    // NDIS 4.0 extensions
    //
    RECEIVE_PACKET_HANDLER         ReceivePacketHandler;
    SEND_PACKETS_HANDLER           SendPacketsHandler;
    //
    // More NDIS 3.0 cached handlers
    //
    RESET_HANDLER                  ResetHandler;
    REQUEST_HANDLER                RequestHandler;
    //
    // Needed for PnP
    //
    UNICODE_STRING                 AdapterName;            // upcased name of the adapter we are bound to
};
typedef struct _NDIS_OPEN_BLOCK NDIS_OPEN_BLOCK, *PNDIS_OPEN_BLOCK;
From the structure above it can be clearly seen that this table is also a singly linked list, and that it stores the same send/receive dispatch functions as PNDIS_PROTOCOL_BLOCK->ProtocolCharacteristics. When the Nth NIC delivers to the Nth protocol, or the Nth protocol sends through the Nth NIC, what actually gets called is the SendHandler or SendPacketsHandler in the NDIS_OPEN_BLOCK table that sits between them. So we also need to process (hook) the dispatch functions in this table.
How do you hook the NDIS_OPEN_BLOCK table between a protocol and a NIC? Go back to the NDIS_PROTOCOL_BLOCK table: its field PNDIS_OPEN_BLOCK OpenQueue is the head of all the NDIS_OPEN_BLOCKs belonging to this protocol. Traverse it through AdapterNextOpen and hook each one, and interception proceeds smoothly.
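The two-table layout described above (the NextProtocol list of NDIS_PROTOCOL_BLOCKs, and each protocol's OpenQueue of NDIS_OPEN_BLOCKs with their cached copies of the handlers) is also exactly what a defender can audit. Walk both lists and check that every handler pointer still lies inside the protocol driver's own image and that each open block's cached copy still agrees with the characteristics table; a redirected pointer, or a cached copy that no longer matches, is the footprint of the kind of hook this article describes. The C program below is an added example and not code from the article: it models the two tables with only the fields the check needs (the field names follow the ndis.h structures quoted above, but the structures, the driver names, the image ranges and the handler address values are constructed), treats handler addresses as plain integers so it runs in user mode, and assumes ProtocolNextOpen is the link for the protocol's OpenQueue, as the structure comment states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: user-mode mock of the two NDIS tables from the article.
 * Only the fields needed for the consistency check are modelled; handler
 * "addresses" are plain integers. All values below are constructed. */
typedef uintptr_t HANDLER_ADDR;

/* Address range of the driver image the protocol was registered from
 * (in a real check this comes from the loaded-module list). */
struct image_range { HANDLER_ADDR base; size_t size; };

struct mock_open_block;

struct mock_protocol_block {
    struct mock_open_block     *OpenQueue;       /* head of this protocol's open blocks     */
    HANDLER_ADDR                ReceiveHandler;  /* ProtocolCharacteristics.ReceiveHandler  */
    struct mock_protocol_block *NextProtocol;    /* singly linked list of all protocols     */
    struct image_range          Image;           /* where this driver's code should live    */
    const char                 *Name;            /* for the report only                     */
};

struct mock_open_block {
    struct mock_protocol_block *ProtocolHandle;  /* back pointer to our protocol            */
    HANDLER_ADDR                ReceiveHandler;  /* cached copy used on the receive path    */
    struct mock_open_block     *ProtocolNextOpen;/* next open on the protocol's OpenQueue   */
    const char                 *AdapterName;     /* constructed adapter name                */
};

static int in_image(HANDLER_ADDR a, const struct image_range *r)
{
    return a >= r->base && a < r->base + r->size;
}

/* Walk NextProtocol, then each protocol's OpenQueue, and count anomalies:
 *  - a characteristics ReceiveHandler pointing outside the driver's image;
 *  - an open block whose cached ReceiveHandler differs from the protocol's
 *    (one table redirected, the other not), or itself points outside the image.
 * Returns the number of findings; prints each one when verbose is non-zero. */
int audit_ndis_tables(const struct mock_protocol_block *head, int verbose)
{
    int findings = 0;
    for (const struct mock_protocol_block *p = head; p; p = p->NextProtocol) {
        if (!in_image(p->ReceiveHandler, &p->Image)) {
            findings++;
            if (verbose)
                printf("%s: characteristics ReceiveHandler %#lx outside image\n",
                       p->Name, (unsigned long)p->ReceiveHandler);
        }
        for (const struct mock_open_block *o = p->OpenQueue; o; o = o->ProtocolNextOpen) {
            if (o->ReceiveHandler != p->ReceiveHandler) {
                findings++;
                if (verbose)
                    printf("%s/%s: cached ReceiveHandler %#lx differs from protocol's %#lx\n",
                           p->Name, o->AdapterName, (unsigned long)o->ReceiveHandler,
                           (unsigned long)p->ReceiveHandler);
            } else if (!in_image(o->ReceiveHandler, &p->Image)) {
                findings++;
                if (verbose)
                    printf("%s/%s: cached ReceiveHandler %#lx outside image\n",
                           p->Name, o->AdapterName, (unsigned long)o->ReceiveHandler);
            }
        }
    }
    return findings;
}

/* Constructed scenario: "tcpip" is clean except for one open block whose
 * cached handler was redirected; "nbf" had its characteristics table
 * redirected while its open block still holds the original address. */
static struct mock_protocol_block g_tcpip, g_nbf;
static struct mock_open_block g_tcpip_nic0, g_tcpip_nic1, g_nbf_nic0;

struct mock_protocol_block *build_sample_scenario(void)
{
    g_tcpip = (struct mock_protocol_block){ &g_tcpip_nic0, 0x80101000u, &g_nbf,
                                            { 0x80100000u, 0x10000 }, "tcpip" };
    g_tcpip_nic0 = (struct mock_open_block){ &g_tcpip, 0x80101000u, &g_tcpip_nic1, "NIC0" };
    g_tcpip_nic1 = (struct mock_open_block){ &g_tcpip, 0x9a000000u, NULL, "NIC1" };
    g_nbf = (struct mock_protocol_block){ &g_nbf_nic0, 0x9a000100u, NULL,
                                          { 0x80200000u, 0x8000 }, "nbf" };
    g_nbf_nic0 = (struct mock_open_block){ &g_nbf, 0x80202000u, NULL, "NIC0" };
    return &g_tcpip;
}

int main(void)
{
    int n = audit_ndis_tables(build_sample_scenario(), 1);
    printf("%d finding(s)\n", n);
    return n != 0;   /* non-zero exit when any handler looks redirected */
}
```

The open-block check deliberately compares the cached copy against the characteristics table rather than only against the image range: the article's point is that the fast path uses the cached copy, so a hook placed in only one of the two tables shows up as a disagreement between them even before you know where the foreign address lives.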
It is worth noting:
1. The NDIS_OPEN_BLOCK and NDIS_PROTOCOL_BLOCK structures differ between NDIS versions. The solution is to use the matching header: for Windows 98 and Windows 95 (NDIS 3.1) use the definitions in Ndis.h from the Windows 98 DDK; under Windows Me (NDIS 5.0 or 4.0) please also use the definitions in Ndis.h from the Windows 98 DDK; for NT (NDIS 4.0) and 2000 (NDIS 5.0) use the definitions in the NT DDK.
2. Do not hook the same function twice.
Questions can be sent to
QQ: 3955727
Mail: gjpland@netese.com
Let's discuss together.