Writing an NDIS filter hook driver to implement IP packet filtering

xiaoxiao2021-03-06  63

Reprinted; please credit the original source (Security Focus).

The usual way to implement packet filtering on Windows 2000 is to write an NDIS filter driver, which demands considerable skill, is cumbersome, and involves many details. For many applications, however, it is enough to filter IP packets only. For that case NDIS offers a simpler route: a filter hook driver for IP packets. The main steps are:

Create an ordinary device object in your driver, then use IOCTL_PF_SET_EXTENSION_POINTER to register your kernel-mode filter hook with the system's default IP filter driver. Your own filter hook can then perform complete packet-based analysis and filtering.

Below is the complete code of an NDIS filter hook driver whose hook rejects all TCP connection-establishment (SYN) packets.

Notes:

1. The driver must be compiled in the DDK environment.

2. In the registry, change the Start value of the IpFilterDriver service key under HKLM\SYSTEM to 3 so that it is started along with the system.

3. After compiling, copy the generated SYS file to the Winnt\System32\Drivers directory.

4. Run the small program at the end of this article once to create the required registry key.

5. Start the driver with `net start FxFilThook` and stop it with `net stop FxFilThook`.

6. This method filters IP packets only; other protocols are not passed through this filter hook.

// Driver's header file

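/*
 * fxfilthook.h - shared declarations for the FxFilThook IP filter hook driver.
 *
 * The include guard no longer uses a reserved (double-underscore) identifier,
 * and the self-include / duplicate "ntddk.h" include of the original are gone.
 */
#ifndef FXFILTHOOK_H
#define FXFILTHOOK_H

#include "ntddk.h"
#include "ntddndis.h"
#include "pfhook.h"

/*
 * NT and Win32 names of the control device created by DriverEntry.
 * NOTE(review): the published listing shows these with forward slashes
 * ("// device // fxfilthook"); NT object names use backslashes, as below.
 */
#define NT_DEVICE_NAME   L"\\Device\\FxFilThook"
#define DOS_DEVICE_NAME  L"\\DosDevices\\FxFilThook"

/* IANA protocol number of TCP as carried in the IPv4 header. */
#define PROT_TCP 6

/*
 * IPv4 header without options (20 bytes). Multi-byte fields are in network
 * byte order; the hook only reads single-byte fields, so no byte swapping
 * is needed there.
 */
typedef struct IPHeader {
    UCHAR   iph_verlen;     // version (high nibble) and header length in 32-bit words (low nibble)
    UCHAR   iph_tos;        // type of service
    USHORT  iph_length;     // total datagram length
    USHORT  iph_id;         // identification
    USHORT  iph_offset;     // flags (3 bits) and fragment offset (13 bits)
    UCHAR   iph_ttl;        // time to live
    UCHAR   iph_protocol;   // upper-layer protocol (PROT_TCP for TCP)
    USHORT  iph_xsum;       // header checksum
    ULONG   iph_src;        // source address
    ULONG   iph_dest;       // destination address
} IPHeader;

/* Driver entry point: creates the control device and installs the hook. */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

/* Registers IpFilterHook with the system IpFilterDriver. */
NTSTATUS
CreateFilterHook(
    IN PDRIVER_OBJECT DriverObject
    );

/* Clears the hook again and tears down the control device. */
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    );

/*
 * Filter hook called by IpFilterDriver for every IP packet.
 * PacketHeader points at the IP header, Packet at the data following it
 * (PacketLength bytes). Returns PF_FORWARD or PF_DROP.
 */
PF_FORWARD_ACTION
IpFilterHook(
    IN unsigned char *PacketHeader,
    IN unsigned char *Packet,
    IN unsigned int   PacketLength,
    IN unsigned int   RecvInterfaceIndex,
    IN unsigned int   SendInterfaceIndex,
    IN IPAddr         RecvLinkNextHop,
    IN IPAddr         SendLinkNextHop
    );

#endif /* FXFILTHOOK_H */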

// Driver's C file

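/*
 * TCP protocol number. fxfilthook.h defines the same macro with the same
 * replacement list, which the preprocessor allows; it is repeated here so
 * this file does not depend on header order.
 */
#define PROT_TCP 6

#include "ntddk.h"
#include "ntddndis.h"
#include "pfhook.h"
#include "fxfilthook.h"

/*
 * Control device created in DriverEntry and deleted in DriverUnload.
 * File-scope state is static: nothing outside this file needs it.
 */
static PDEVICE_OBJECT DeviceObject = NULL;

/* \DosDevices symbolic-link name, initialised in DriverEntry and reused by DriverUnload. */
static UNICODE_STRING Win32DeviceName;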

// Driver entry point

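/*
 * DriverEntry - create the control device and its Win32 link, then install
 * the IP filter hook.
 *
 * DriverObject  - this driver's object; DriverUnload is stored in it.
 * RegistryPath  - service key path; unused.
 *
 * Returns STATUS_SUCCESS, or the failing NT status after undoing whatever
 * had already been created. No IRP_MJ_* dispatch routines are installed,
 * so (as far as the listing shows) the device exists only as a handle for
 * the service; opens of \DosDevices\FxFilThook are not serviced.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS       status;
    UNICODE_STRING ntDeviceName;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Explicit so the error path below never sees a stale pointer. */
    DeviceObject = NULL;

    RtlInitUnicodeString(&ntDeviceName, NT_DEVICE_NAME);

    /* Create the filter hook driver's (exclusive) control device. */
    status = IoCreateDevice(DriverObject,
                            0,
                            &ntDeviceName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &DeviceObject);
    if (!NT_SUCCESS(status)) {
        goto Error;
    }

    /* Win32-visible symbolic link to the device. */
    RtlInitUnicodeString(&Win32DeviceName, DOS_DEVICE_NAME);
    status = IoCreateSymbolicLink(&Win32DeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        goto Error;
    }

    /* Unload routine; only reached by the system once DriverEntry succeeds. */
    DriverObject->DriverUnload = DriverUnload;

    /* Register the packet hook with the system IP filter driver. */
    status = CreateFilterHook(DriverObject);
    if (!NT_SUCCESS(status)) {
        IoDeleteSymbolicLink(&Win32DeviceName);
        goto Error;
    }

    return STATUS_SUCCESS;

Error:
    if (DeviceObject != NULL) {
        IoDeleteDevice(DeviceObject);
        DeviceObject = NULL;
    }
    return status;
}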

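/*
 * CreateFilterHook - register IpFilterHook with the system IpFilterDriver
 * by sending it IOCTL_PF_SET_EXTENSION_POINTER.
 *
 * DriverObject - unused; kept for the declared interface.
 *
 * Returns the status of the IOCTL (STATUS_SUCCESS on success),
 * STATUS_INSUFFICIENT_RESOURCES if the IRP could not be built, or the
 * failure from IoGetDeviceObjectPointer.
 *
 * Fixes relative to the original listing:
 *  - The IRP is built with a completion event and waited on if the filter
 *    driver returns STATUS_PENDING; otherwise the completion would write
 *    into the IO_STATUS_BLOCK on a stack frame that no longer exists.
 *  - The file object referenced by IoGetDeviceObjectPointer is released
 *    (the original never dereferenced it).
 *  - A NULL IRP no longer returns the uninitialised filtStatus.Status.
 */
NTSTATUS
CreateFilterHook(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS                   status;
    UNICODE_STRING             filterDeviceName;
    PFILE_OBJECT               filtFileOb   = NULL;
    PDEVICE_OBJECT             filtDeviceOb = NULL;
    PF_SET_EXTENSION_HOOK_INFO filtHook;
    IO_STATUS_BLOCK            filtStatus;
    KEVENT                     event;
    PIRP                       irp;

    UNREFERENCED_PARAMETER(DriverObject);

    /* NOTE(review): the listing spells this "// device // ipfilterdriver". */
    RtlInitUnicodeString(&filterDeviceName, L"\\Device\\IPFilterDriver");

    /* The hook function the system filter driver will call per packet. */
    filtHook.ExtensionPointer = IpFilterHook;

    /* Obtain the system IpFilterDriver's device object (takes a reference on filtFileOb). */
    status = IoGetDeviceObjectPointer(&filterDeviceName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &filtFileOb,
                                      &filtDeviceOb);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Synchronous IOCTL: the event lets us wait if the call pends. */
    KeInitializeEvent(&event, NotificationEvent, FALSE);
    irp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                        filtDeviceOb,
                                        &filtHook,
                                        sizeof filtHook,
                                        NULL,
                                        0,
                                        FALSE,
                                        &event,
                                        &filtStatus);
    if (irp == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
    } else {
        /* Hand the IRP to the system IpFilterDriver. */
        status = IoCallDriver(filtDeviceOb, irp);
        if (status == STATUS_PENDING) {
            KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
            status = filtStatus.Status;
        }
    }

    ObDereferenceObject(filtFileOb);
    return status;
}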

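/*
 * DriverUnload - mirror of the load: clear the hook pointer in the system
 * IpFilterDriver (ExtensionPointer = NULL), then delete the symbolic link
 * and the control device.
 *
 * DriverObject - unused; kept for the declared interface.
 *
 * As in CreateFilterHook, the IOCTL is issued with a completion event and
 * waited on if it pends, and the file-object reference is released.
 * NOTE(review): if clearing the hook fails, the system filter driver may
 * still hold a pointer into this image after it is unloaded; DriverUnload
 * cannot veto the unload, so the failure is only reported via DbgPrint.
 */
VOID
DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS                   status;
    UNICODE_STRING             filterDeviceName;
    PFILE_OBJECT               filtFileOb   = NULL;
    PDEVICE_OBJECT             filtDeviceOb = NULL;
    PF_SET_EXTENSION_HOOK_INFO filtHook;
    IO_STATUS_BLOCK            filtStatus;
    KEVENT                     event;
    PIRP                       irp;

    UNREFERENCED_PARAMETER(DriverObject);

    RtlInitUnicodeString(&filterDeviceName, L"\\Device\\IPFilterDriver");

    /* A NULL extension pointer tells the system driver to drop the hook. */
    filtHook.ExtensionPointer = NULL;

    status = IoGetDeviceObjectPointer(&filterDeviceName,
                                      FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                                      &filtFileOb,
                                      &filtDeviceOb);
    if (NT_SUCCESS(status)) {
        KeInitializeEvent(&event, NotificationEvent, FALSE);
        irp = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
                                            filtDeviceOb,
                                            &filtHook,
                                            sizeof filtHook,
                                            NULL,
                                            0,
                                            FALSE,
                                            &event,
                                            &filtStatus);
        if (irp == NULL) {
            status = STATUS_INSUFFICIENT_RESOURCES;
        } else {
            status = IoCallDriver(filtDeviceOb, irp);
            if (status == STATUS_PENDING) {
                KeWaitForSingleObject(&event, Executive, KernelMode, FALSE, NULL);
                status = filtStatus.Status;
            }
        }
        ObDereferenceObject(filtFileOb);
    }

    if (!NT_SUCCESS(status)) {
        DbgPrint("FxFilThook: failed to clear filter hook, status 0x%08X\n", status);
    }

    IoDeleteSymbolicLink(&Win32DeviceName);
    IoDeleteDevice(DeviceObject);
    DeviceObject = NULL;
}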

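/* Position of the flags byte inside a TCP header, and the bits read from it. */
enum {
    TCP_FLAGS_OFFSET = 13,
    TCP_FLAG_SYN     = 0x02,
    TCP_FLAGS_MASK   = 0x3F   /* URG ACK PSH RST SYN FIN; masks off the ECN bits CWR/ECE */
};

/*
 * IpFilterHook - per-packet filter installed in the system IpFilterDriver.
 *
 * Drops inbound TCP segments whose only connection flag is SYN, i.e. new
 * connection attempts arriving from the network; everything else is
 * forwarded. Adapt the test below to your own filtering policy.
 *
 * PacketHeader       - IP header of the packet.
 * Packet             - data following the IP header, PacketLength bytes.
 * SendInterfaceIndex - INVALID_PF_IF_INDEX for a packet being received;
 *                      any other value means this host is sending it, so
 *                      the filter never affects this host's own traffic.
 * Other parameters are unused.
 *
 * Returns PF_DROP or PF_FORWARD.
 *
 * Changes relative to the original listing:
 *  - PacketLength is checked before Packet[13] is read (the original
 *    indexed it unconditionally). A segment too short to hold the flags
 *    byte is malformed and is dropped, so it cannot be used to slip a
 *    SYN past the check.
 *  - Only the first fragment of a datagram is inspected; later fragments
 *    do not start with a TCP header. Because a first fragment shorter than
 *    the flags byte is dropped, splitting the TCP header across fragments
 *    does not bypass the filter either.
 *  - The ECN bits (CWR/ECE, which an ECN-capable sender sets on its SYN)
 *    are masked off, so a SYN carrying them no longer evades the exact
 *    "== 0x02" comparison of the original.
 */
PF_FORWARD_ACTION
IpFilterHook(
    IN unsigned char *PacketHeader,
    IN unsigned char *Packet,
    IN unsigned int   PacketLength,
    IN unsigned int   RecvInterfaceIndex,
    IN unsigned int   SendInterfaceIndex,
    IN IPAddr         RecvLinkNextHop,
    IN IPAddr         SendLinkNextHop
    )
{
    const IPHeader *ipHeader = (const IPHeader *)PacketHeader;
    unsigned char   tcpFlags;

    UNREFERENCED_PARAMETER(RecvInterfaceIndex);
    UNREFERENCED_PARAMETER(RecvLinkNextHop);
    UNREFERENCED_PARAMETER(SendLinkNextHop);

    /* Only TCP is inspected. */
    if (ipHeader->iph_protocol != PROT_TCP) {
        return PF_FORWARD;
    }

    /* Packets this host sends are never dropped; only arriving ones are candidates. */
    if (SendInterfaceIndex != INVALID_PF_IF_INDEX) {
        return PF_FORWARD;
    }

    /*
     * Non-first IPv4 fragment: the 13-bit fragment offset (low 5 bits of
     * header byte 6 plus byte 7, i.e. iph_offset in network order) is
     * non-zero, so Packet does not start with a TCP header. Forward it and
     * leave reassembly to the stack.
     */
    if ((PacketHeader[6] & 0x1F) != 0 || PacketHeader[7] != 0) {
        return PF_FORWARD;
    }

    /* Too short to contain the flags byte: malformed, fail closed. */
    if (PacketLength <= TCP_FLAGS_OFFSET) {
        return PF_DROP;
    }

    /* A bare SYN (no ACK etc.) is a connection request from outside: refuse it. */
    tcpFlags = (unsigned char)(Packet[TCP_FLAGS_OFFSET] & TCP_FLAGS_MASK);
    if (tcpFlags == TCP_FLAG_SYN) {
        return PF_DROP;
    }

    return PF_FORWARD;
}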

// A small user-mode program that creates the driver's service registry key

/* Scratch buffers filled in by RegHandelDev: the Windows system directory
 * and the full path of the driver image derived from it. */
unsigned char sysdir[256];
unsigned char drivcedir[256];

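/*
 * RegHandelDev - create the service key that lets the kernel driver be
 * started with "net start <ExeName>".
 *
 * Writes HKLM\System\CurrentControlSet\Services\<ExeName> with
 *   Start        = 3 (SERVICE_DEMAND_START)
 *   Type         = 1 (SERVICE_KERNEL_DRIVER)
 *   ErrorControl = 1 (SERVICE_ERROR_NORMAL)
 *   ImagePath    = \??\<system dir>\drivers\fxfilthook.sys
 *
 * ExeName - service / key name. Used verbatim as a registry key name, so a
 *           backslash in it would address a nested key.
 *
 * Returns TRUE on success, FALSE on any failure (invalid name, a path that
 * would not fit its buffer, or a failing registry / system call).
 *
 * Changes relative to the original listing: every sprintf into a fixed
 * buffer is bounded and its truncation detected (the original could
 * overflow subKey / drivcedir for long names or system directories); each
 * RegSetValueEx result is checked instead of ignored; the REG_SZ ImagePath
 * length includes the terminating NUL; the DWORD values are written from a
 * DWORD instead of a hand-assembled byte array; the unused
 * "\Registry\Machine\..." formatting at the end was dropped.
 * NOTE(review): snprintf is C99; on pre-2015 MSVC substitute _snprintf and
 * terminate the buffer by hand.
 */
int RegHandelDev(char *ExeName)
{
    char  subKey[200];
    int   bufLen;
    UINT  sysLen;
    HKEY  hkResult;
    DWORD value;
    LONG  rc;

    if (ExeName == NULL || ExeName[0] == '\0') {
        return FALSE;
    }

    bufLen = snprintf(subKey, sizeof subKey,
                      "System\\CurrentControlSet\\Services\\%s", ExeName);
    if (bufLen < 0 || (size_t)bufLen >= sizeof subKey) {
        return FALSE;   /* would be truncated: refuse rather than write a wrong key */
    }

    rc = RegCreateKey(HKEY_LOCAL_MACHINE, subKey, &hkResult);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }

    value = 3;  /* SERVICE_DEMAND_START */
    rc = RegSetValueEx(hkResult, "Start", 0, REG_DWORD,
                       (const BYTE *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto fail;
    }

    value = 1;  /* SERVICE_KERNEL_DRIVER */
    rc = RegSetValueEx(hkResult, "Type", 0, REG_DWORD,
                       (const BYTE *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto fail;
    }

    value = 1;  /* SERVICE_ERROR_NORMAL */
    rc = RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD,
                       (const BYTE *)&value, sizeof value);
    if (rc != ERROR_SUCCESS) {
        goto fail;
    }

    /* GetSystemDirectory returns 0 on failure, or the size needed when the buffer is too small. */
    sysLen = GetSystemDirectory((char *)sysdir, sizeof sysdir);
    if (sysLen == 0 || sysLen >= sizeof sysdir) {
        goto fail;
    }

    bufLen = snprintf((char *)drivcedir, sizeof drivcedir,
                      "%s\\drivers\\fxfilthook.sys", (char *)sysdir);
    if (bufLen < 0 || (size_t)bufLen >= sizeof drivcedir) {
        goto fail;
    }

    /* Kernel-mode path form expected in ImagePath. */
    bufLen = snprintf(subKey, sizeof subKey, "\\??\\%s", (char *)drivcedir);
    if (bufLen < 0 || (size_t)bufLen >= sizeof subKey) {
        goto fail;
    }

    rc = RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                       (const BYTE *)subKey, (DWORD)bufLen + 1);
    if (rc != ERROR_SUCCESS) {
        goto fail;
    }

    RegCloseKey(hkResult);
    return TRUE;

fail:
    RegCloseKey(hkResult);
    return FALSE;
}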

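/*
 * main - register the fxfilthook driver's service key.
 *
 * Exit status follows the C convention (0 = success, 1 = failure). The
 * original returned TRUE (1) on success and FALSE (0) on failure, which
 * scripts checking the exit code would read backwards.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    if (RegHandelDev("fxfilthook") == FALSE) {
        return 1;
    }
    return 0;
}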

