2 solutions for SPI filter technology

xiaoxiao2021-03-05  54

I previously wrote an article on SPI filter technology ("Research on SPI filter technology"), so I will not repeat the details of SPI here. Later I realized that inserting an SPI middle layer is, in essence, a registry modification: every SPI DLL is recorded in the registry, so inserting a custom middle layer into the system's SPI list is also just a registry change. Based on this, a more direct method comes to mind (not my own invention, of course): modify the registry directly. First, find where the SPI DLL paths are stored in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries. The DLL paths are stored here. Then we only need to change these paths to the path of our custom DLL, run our own code in that DLL, and load the original SPI DLL from it — does this not achieve the same effect as inserting a middle layer? That is the general idea behind my so-called "2 solutions for SPI filter technology". Technically it is nothing more than modifying the registry, so the technical content is not high, but it is another way of solving the problem from a different angle; "all roads lead to Rome" is proven here once again. Enough talk — let's get to it. Below I give concrete instructions through the code. The code is divided into two parts: the installation section and the DLL section.

1. The installation section:

#include "stdafx.h" #include "stdio.h" #include "ws2spi.h" #include "windows.h" #pragma Comment (lib, "ws2_32.lib")

// Registry paths used by the installer (the DLL section repeats SAVE_REG_KEY).
// NOTE(review): the separators look mangled by extraction -- Windows registry
// paths use backslashes, so these presumably read "System\\CurrentControlSet\\...".
//   SPI_REG_KEY   - the Winsock catalog; each subkey's PackedCatalogItem value
//                   is handled by install()/remove() as a MAX_PATH-byte provider
//                   DLL path followed by a WSAPROTOCOL_INFOW.
//   SAVE_REG_KEY  - private key where install() parks each original
//                   PackedCatalogItem path so remove() can put it back.
//   KEY_VALUE_LEN - size of one PackedCatalogItem buffer; the operator between
//                   MAX_PATH and sizeof() is missing in this listing, presumably '+'.
// Defender's note: Protocol_Catalog9\Catalog_Entries is where Winsock layered
// providers are registered, so a PackedCatalogItem that points at a DLL outside
// the system directory is the artifact to alert on.
#define SPI_REG_KEY "System // CurrentControlSet // Services // WinSock2 // Parameters // Protocol_Catalog9 // Catalog_Entries" #define SAVE_REG_KEY "System // CurrentControlSet // Services // WinSock2 // Parameters // SPIDLL" #define KEY_VALUE_LEN MAX_PATH SIZEOF (Wsaprotocol_infow)

// usage(): prints the banner and the two accepted switches (/install, /remove).
// install(): defined on this same line after usage(). Steps, in order:
//   1. refuses to run twice by probing SAVE_REG_KEY;
//   2. copies <current directory>\packetfilter.dll to the fixed path
//      c:\mmty.dll (separators are mangled in this listing);
//   3. walks every subkey of SPI_REG_KEY and, for each base provider
//      (ProtocolChain.ChainLen == 1) with iProtocol 6 (TCP) or 17 (UDP), saves
//      the original PackedCatalogItem path under SAVE_REG_KEY\<dwCatalogEntryId>
//      and overwrites the first MAX_PATH bytes of the value with the copied
//      DLL path, leaving the trailing WSAPROTOCOL_INFOW untouched.
// Writing under HKEY_LOCAL_MACHINE needs administrative rights; none of the
// Reg*/CopyFile return codes are checked, so a partial failure still prints
// "Install Successful".
Void usage () {Printf ("******************************************************************************); Printf "* Made by ffantasyd * / n"); Printf ("* qq: 76889713 * / n"); Printf ("* email: ffantasyd@163.com * / n"); printf ("****** ***************************** / N "); Printf (" this Program Have 1 parameter: installfilter (/ install or / limited ) / N "); Printf (" if you select '/ install', you will install the filter; / n "); Printf (" And if you select '/ remove ", you will remove the filter thing you have installed. / N ");} void install () {hkey hkey, hsubkey, hsavekey; ulong index = 0, size = key_Value_len; wsaprotocol_infow protoinfo = {0}; char dllpath [MAX_PATH] = {0}, Name [128] = { 0}, keyValue [key_value_len] = {0}, copydllpath [max_path] = {0};

// Already-installed probe. NOTE(review): on the "installed" path the function
// returns before RegCloseKey runs, and on the "not installed" path RegCloseKey
// is applied to a handle the failed RegOpenKey never set.
// (In this listing the whole statement has been swallowed into the comment.)
// Check if it is installed: if (:: regopenkey (hkey_local_machine, save_reg_key, & hsavekey) == Error_Success) {Printf ("The Filter Has Been Installed! / N); Return;} :: regclosekeyKey (HSAVEY);

// Stage the DLL at a fixed, well-known location; CopyFile's result is ignored.
// (The memcpy/CopyFile pair is swallowed into the trailing comment here.)
:: getCurrentDirectory; Strcat (DLLPATH, "// packetfilter.dll"); // This settings DLL copy to the path: Memcpy (CopyDllPath, "C: //mmty.dll", Strlen ("c : //mmty.dll "); copyfile (dllpath, copydllpath, 0);

// Enumerate catalog entries. NOTE(review): `size` is an in/out parameter of
// RegQueryValueEx and is never reset to KEY_VALUE_LEN between iterations, so
// every read after the first is limited to the previous value's length.
// hSubKey is opened per iteration and never closed; hKey is never closed either.
:: RegOpenKey (HKEY_LOCAL_MACHINE, SPI_REG_KEY, & hKey); while (:: RegEnumKey (hKey, index, name, 128) == ERROR_SUCCESS) {:: RegOpenKey (hKey, name, & hSubKey); :: RegQueryValueEx (hSubKey, "PackedCatalogItem" , 0, null, (byte *) KeyValue, & size); // Printf ("% s / n", keyvalue;

// The WSAPROTOCOL_INFOW sits after the MAX_PATH-byte path (the '+' between
// keyValue and MAX_PATH is lost in this listing). Only unlayered TCP/UDP base
// providers are touched.
memcpy (& protoInfo, keyValue MAX_PATH, sizeof (WSAPROTOCOL_INFOW)); if ((protoInfo.ProtocolChain.ChainLen == 1) && ((protoInfo.iProtocol == 6) || (protoInfo.iProtocol == 17))) {char EntryID [128] = {0};

// Save the original path as REG_SZ keyed by catalog entry id, then splice the
// copied DLL's path into the binary value and write it back. This write is the
// catalog change a defender would monitor for.
sprintf (entryId, "% u", protoInfo.dwCatalogEntryId); :: RegCreateKey (HKEY_LOCAL_MACHINE, SAVE_REG_KEY, & hSaveKey); :: RegSetValueEx (hSaveKey, entryId, 0, REG_SZ, (BYTE *) keyValue, MAX_PATH); memset (keyValue, 0, MAX_PATH); MEMCPY (KeyValue, CopyDllPath, Max_Path); :: RegSetValueex (Hsubkey, "PackedcatalogItem", 0, Reg_binary, (Byte *) KeyValue, Key_Value_len;

// Advance to the next subkey; the increment operator is lost in this listing.
INDEX ;}

// Unconditional success message; see the note above on unchecked calls.
Printf ("Install Successful! / N"); Return;}

// remove(): undoes install(). For each TCP/UDP base provider it reads the path
// saved under SAVE_REG_KEY\<dwCatalogEntryId> back into the first MAX_PATH bytes
// of the PackedCatalogItem value, deletes c:\mmty.dll, and finally deletes the
// SPIDLL bookkeeping key. main() is defined on the same line as remove()'s end.
// NOTE(review): as in install(), no Reg* return code is checked, and hSubKey is
// opened per iteration without ever being closed.
void remove () {HKEY hKey, hSubKey, hSaveKey; ULONG index = 0, size = KEY_VALUE_LEN; WSAPROTOCOL_INFOW protoInfo = {0}; char dllPath [MAX_PATH] = {0}, name [128] = {0}, keyValue [KEY_VALUE_LEN ] = {0};

// Not-installed probe. hSaveKey stays open for the rest of the function and is
// never closed. (The statement is swallowed into the comment in this listing.)
/ / Check if it is installed: if (:: regoPENKEY (HKEY_LOCAL_MACHINE, Save_REG_KEY, & HSAVEY)! = Error_Success) {Printf ("The Filter Hasn't Been Installed! / N"); Return;}

// Enumerate catalog entries. NOTE(review): `size` is in/out for RegQueryValueEx
// and is not reset to KEY_VALUE_LEN per iteration, so later reads are truncated
// to the previous value's length.
:: RegOpenKey (HKEY_LOCAL_MACHINE, SPI_REG_KEY, & hKey); while (:: RegEnumKey (hKey, index, name, 128) == ERROR_SUCCESS) {:: RegOpenKey (hKey, name, & hSubKey); :: RegQueryValueEx (hSubKey, "PackedCatalogItem" , 0, null, (byte *) KeyValue, & size);

// Same TCP/UDP base-provider filter as install(); sizeOfPath is reset per
// entry, so the REG_SZ read below is bounded correctly.
memcpy (& protoInfo, keyValue MAX_PATH, sizeof (WSAPROTOCOL_INFOW)); if ((protoInfo.ProtocolChain.ChainLen == 1) && ((protoInfo.iProtocol == 6) || (protoInfo.iProtocol == 17))) {char Entryid [128] = {0}; ulong sizeofpath = max_path; sprintf (entryid, "% u", protoinfo.dwcatalogenTryID); // printf ("% s / n", entryid;

// Read back the saved original path. NOTE(review): if the value is missing,
// dllPath keeps whatever the previous iteration left in it -- the buffer is
// zeroed only once, at declaration.
:: RegQueryValueex (HsaveKey, Entryid, 0, NULL, (Byte *) DLLPATH, & SIZEOFPATH

// Restore the original path into the catalog value, then remove the staged DLL
// (the DeleteFile call is swallowed into the trailing comment in this listing).
memset (keyValue, 0, MAX_PATH); memcpy (keyValue, dllPath, MAX_PATH); :: RegSetValueEx (hSubKey, "PackedCatalogItem", 0, REG_BINARY, (BYTE *) keyValue, KEY_VALUE_LEN);} index ;} // delete the copy to The DLL under the C disc: deletefile ("c: //mmty.dll");

// Close the catalog key and delete the SPIDLL bookkeeping key.
// main(): prints usage, requires exactly one argument, then dispatches on it.
:: RegCloseKey (hKey); :: RegOpenKey (HKEY_LOCAL_MACHINE, "System // CurrentControlSet // Services // WinSock2 // Parameters", & hKey); :: RegDeleteKey (hKey, "SPIDLL");! Printf ( "Remove successful / n "); return;} int main (int Argc, char * argv []) {usage (); if (argc! = 2) {RETURN 0; }printf (" start ........ .... / n ");

// Dispatch: "/install" -> install(), "/remove" -> remove(). "transove" is
// presumably a garble of remove() introduced by extraction.
IF (strCMP (argv [1], "/ install) == 0) {install (); return 0;} if (strcmp (argv [1]," / remove ") == 0) {transove (); Return 0;}

// Neither switch matched.
Printf ("the parameter error! / n"); return 0;}

2. The DLL section:

#include "stdafx.h" #include "ws2spi.h" #include "windows.h" #include "stdio.h" #pragma Comment (lib, "ws2_32.lib")

// Must match the installer's SAVE_REG_KEY: WSPStartup reads the original
// provider path the installer saved here. Separators presumably backslashes;
// the case differences are extraction noise (registry paths are case-insensitive).
#define save_reg_key "System // CurrentControlset // Services // Winsock2 // Parameters // Spidll"

// Copy of the lower (original) provider's procedure table, captured by
// WSPStartup. Each hooked WSP* function below forwards to it. It is a single
// global, so only one lower provider can be remembered at a time.
Wspproc_table sourceProctable;

// Hooked WSPConnect: appends "connect to <ip>" to c:\spilog.txt, then forwards
// the call unchanged to the lower provider's WSPConnect.
// NOTE(review): fopen's result is not checked, so a failed open crashes the
// hosting process at fprintf; copying sizeof(sockaddr) bytes and calling
// inet_ntoa assume an IPv4 address regardless of name->sa_family, and namelen
// is never consulted. The function's closing brace is missing from the listing.
// Defender's note: a provider registered in the Winsock catalog is loaded by
// every process that uses Winsock, so this log is written from arbitrary
// process contexts -- a fixed path in the root of C: is itself an indicator.
int WSPAPI WSPConnect (SOCKET s, const struct sockaddr FAR * name, int namelen, LPWSABUF lpCallerData, LPWSABUF lpCalleeData, LPQOS lpSQOS, LPQOS lpGQOS, LPINT lpErrno) {sockaddr_in addr_in = {0}; FILE * pf = fopen ( "c: / /SPILOG.TXT ", "a" "; character * IP;

// Decode the destination as IPv4 and log it.
Memcpy (& addr_in, name, sizeof (sockaddr)); IP = inet_ntoa (addr_in.sin_addr); fprintf (PF, "CONNECT TO% S / N", IP);

// Forward to the original provider; its result is returned as-is.
Fclose (PF); Return SourceProctable.lpwspConnect (S, Name, Namelen, LpcallerData, Lpcalleedata, LPSQOS, LPGQOS, LPERRNO);

// Hooked WSPSocket: appends "start socket!" to c:\spilog.txt and forwards to the
// lower provider. NOTE(review): same unchecked fopen as WSPConnect -- a NULL
// FILE* reaches fprintf/fclose.
SOCKET WSPAPI WSPSocket (int af, int type, int protocol, LPWSAPROTOCOL_INFOW lpProtocolInfo, GROUP g, DWORD dwFlags, LPINT lpErrno) {FILE * pf = fopen ( "c: //spiLog.txt", "a"); fprintf (pf , "Start Socket! / N"); Fclose (PF); Return SourceProctable.lpwspsocket (AF, Type, Protocol, LPPROTOCOLINFO, G, DWFLAGS, LPERRNO);}

// Hooked WSPSendTo: appends "send to <ip>" to c:\spilog.txt, then forwards to
// the lower provider's WSPSendTo unchanged.
// NOTE(review): lpTo may be NULL (a send on an already-connected socket), in
// which case the memcpy below faults; the IPv4-only decoding and the unchecked
// fopen of WSPConnect apply here as well, and iTolen is never consulted.
int WSPAPI WSPSendTo (SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount, LPDWORD lpNumberOfBytesSent, DWORD dwFlags, const struct sockaddr FAR * lpTo, int iTolen, LPWSAOVERLAPPED lpOverlapped, LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine, LPWSATHREADID lpThreadId, LPINT lpErrno) {sockaddr_in addr_in = {0}; FILE * pf = fopen ("c: //spilog.txt", "a"); char * IP;

// Decode the destination as IPv4 and log it.
Memcpy (& addr_in, lpto, sizeof (sockaddr)); IP = inet_ntoa (addr_in.sin_addr); FPrintf (PF, "Send TO% S / N", IP);

// Forward to the original provider; its result is returned as-is.
Fclose (PF); Return SourceProctable.lpwspsendto (S, LPBuffers, Dwbuffercount, LPNumberofbytessent, DWFLAGS, LPTO, ITOLEN, LPOVERLAPPED, LPCOMPLETIN, LPTHREADID, LPERRNO);}

// DllMain: no-op (the start.txt logging is commented out); always returns TRUE.
// WSPStartup (defined on the same line): the entry point Winsock calls when it
// loads this DLL from the catalog. Steps:
//   1. picks the catalog entry id: dwCatalogEntryId for an unlayered entry,
//      otherwise the last element of ProtocolChain.ChainEntries;
//   2. reads the original provider path the installer saved under
//      save_reg_key\<id> and expands environment strings in it;
//   3. LoadLibrary()s that DLL, resolves its WSPStartup and calls it so the
//      real provider fills in lpProcTable;
//   4. keeps a copy of that table in sourceProctable and replaces the SendTo,
//      Connect and Socket entries with the hooks above; returns 0 regardless.
// NOTE(review): neither the key open, the registry read, LoadLibrary nor
// GetProcAddress is checked, so a missing key or DLL ends in a call through a
// NULL function pointer inside the hosting process; the lower WSPStartup's
// return value is discarded; hSaveKey is never closed; and because
// sourceProctable is one global, a second WSPStartup for a different catalog
// entry overwrites the first provider's table.
Bool WinApi Dllmain (Handle Hmodule, DWORD UL_REASON_FOR_CALL, LPVOID LPRESERVED) {// file * pf = fopen ("start.txt", "w"); // fprintf (pf, "start: / n"); // fclose (pf); return TRUE;} int WSPAPI WSPStartup (WORD wVersionRequested, lPWSPDATA lpWSPData, LPWSAPROTOCOL_INFOW lpProtocolInfo, WSPUPCALLTABLE upcallTable, LPWSPPROC_TABLE lpProcTable) {HKEY hSaveKey; HMODULE hSourceDll = NULL; lPWSPSTARTUP lpWspStartup = NULL; char entryId [128] = {0} , dllpath [max_path] = {0}, expanddllpath [max_path] = {0}; ulong size = max_path, uentryid = 0; int CHAINLEN = LPPROTOCOLINFO-> protocolchain.Chainlen;

// Resolve the entry id, look up the saved original path, expand it.
// `size` is the in/out byte count for the REG_SZ read (starts at MAX_PATH).
if (chainLen <= 1) {uEntryId = lpProtocolInfo-> dwCatalogEntryId;} else {uEntryId = lpProtocolInfo-> ProtocolChain.ChainEntries [chainLen-1];} :: RegOpenKey (HKEY_LOCAL_MACHINE, SAVE_REG_KEY, & hSaveKey); sprintf (entryId, "% u ", uentryid ;: regQueryValueex (hsavekey, entryid, 0, null, (byte *) DLLPATH, & size); ExpandenvironmentStrings (DLLPATH, ExpandDLLPATH, MAX_PATH);

// Load the original provider and let its WSPStartup populate lpProcTable.
// NOTE(review): hSourceDll / lpWspStartup may be NULL here and are used anyway.
hSourceDll = :: LoadLibrary (expandDllPath); lpWspStartup = (LPWSPSTARTUP) :: GetProcAddress (hSourceDll, "WSPStartup"); lpWspStartup (wVersionRequested, lpWSPData, lpProtocolInfo, upcallTable, lpProcTable);

// Remember the original table so the hooks can forward to it.
SourceProctable = * LPPROCTABLE;

// Install the three hooks into the table handed back to Winsock.
LPPROCTABLE-> LPWSPSENDTO = WspsendTo; LPPROCTABLE-> LPWSPCONNECT = WspConnect; LPPROCTABLE-> LPWSPSPSOCKET = Wspsocket;

// Unconditional success; see the note above on the unchecked steps.
Return 0;}

转载请注明原文地址:https://www.9cbs.com/read-32922.html
