作者:成松林
QQ:179641795
轉貼請不要改變作者信息!
為了簡單、速度代碼在以前研究驅動基礎上改寫。
驅動層源代碼:
;goto make
.586p
.model flat,stdcall
option casemap:none
includelib D:\masm32\LIB\w2k\ntoskrnl.lib
includelib D:\masm32\LIB\w2k\hal.lib
includelib D:\masm32\LIB\w2k\ndis.lib
;***************************************************************
;沒有INC文件,要使用的NDIS函數定義
NdisChainBufferAtFront proto :DWORD,:DWORD
CopyPktTOLocBuf proto :DWORD,:DWORD
NdisAllocatePacketPool PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD
NdisAllocateBuffer PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NdisAllocatePacket PROTO STDCALL :DWORD,:DWORD,:DWORD
NdisSend PROTO STDCALL :DWORD,:DWORD,:DWORD
MySendPacket proto :dword,:dword,:dword
NdisQueryBufferSafe proto :dword,:dword,:dword,:dword
NdisInitializeEvent proto :dword
NdisSetEvent proto :dword
NdisResetEvent proto :dword
NdisFreePacketPool proto :dword
NdisFreePacket proto :dword
NdisFreeBuffer proto :dword
NdisWaitEvent proto :dword,:dword
NdisRegisterProtocol proto :dword,:dword,:dword,:dword
NdisDeregisterProtocol proto :dword,:dword
IoCreateDevice proto :dword,:dword,:dword,:dword,:dword,:dword,:dword
IoDeleteDevice proto :dword
IoCreateSymbolicLink proto :dword,:dword
IoDeleteSymbolicLink proto :dword
IoCompleteRequest proto :dword,:dword
IoCreateNotificationEvent proto :dword,:dword
RtlCompareUnicodeString proto :dword,:dword,:dword
ZwClose proto :dword
;***************************************************************
;公共數據定義區
.data
lpProtocolHandle dd 0 ;協議句柄的指針
lpDeviceObject dd 0 ;設備對象的指針
;*********************************
lpOldSend dd 0 ;保存TCPIP協議驅動的OPEN_BLOCK里的SendHandler派發函數地址
lpOldRecv dd 0 ;保存TCPIP協議驅動的OPEN_BLOCK里的ReceiveHandler派發函數地址
lpOldRecvP dd 0 ;保存TCPIP協議驅動的OPEN_BLOCK里的ReceivePacketHandler派發函數地址
lpOldSendComplete dd 0 ;保存TCPIP協議驅動的OPEN_BLOCK里的SendCompleteHandler派發函數地址
;*******************************
lpSend3Event dd 0 ;RING3發送事件在本驅動的指針
hSend3Event dd 0 ;RING3發送事件在本驅動的句柄
lpRecv3Event dd 0 ;RING3接收事件在本驅動的指針
hRecv3Event dd 0 ;RING3接收事件在本驅動的句柄
dwStatus dd 0
dwTempVar dd 0
obSendEvent db 16 dup(0) ;RING0 SEND對象
obRecvEvent db 16 dup(0) ;RING0 RECV對象
stProtocolChar db 70h dup(0) ;NdisRegisterProtocol()要使用的NDIS_PROTOCOL_CHARACTERISTIC結構
szSendBuffer db 800h dup(0) ;系統將要發送的數據包的副本
szRecvBuffer db 800h dup(0) ;系統將要接收的數據包的副本
szTempBuffer db 800h dup(0)
szMyPacketBuffer db 800h dup(0)
szMyPacketLen dd 0
dwSendSize dd 0 ;發送副本大小
dwRecvSize dd 0 ;接收副本大小
GateWay db 10 dup (0) ;網關IP和MAC
;常量定義區
.const
stTcpip dw 5*2,6*2
dd offset szTcpip
szTcpip dw 'T','c','p','i','p',0
stDeviceName dw 15*2,16*2
dd offset szDeviceName
szDeviceName dw '\','D','e','v','i','c','e','\','N','d','i','s','D','r','v',0
stSymbolicLinkName dw 19*2,20*2
dd offset szSymbolicLinkName
szSymbolicLinkName dw '\','D','o','s','D','e','v','i','c','e','s','\','N','D','I','S','D','R','V',0
stSend3Event dw 28*2,29*2
dd offset szSend3Event
szSend3Event dw '\','B','a','s','e','N','a','m','e','d','O','b','j','e','c','t','s','\','S','e','n','d','3','E','v','e','n','t',0
stRecv3Event dw 28*2,29*2
dd offset szRecv3Event
szRecv3Event dw '\','B','a','s','e','N','a','m','e','d','O','b','j','e','c','t','s','\','R','e','c','v','3','E','v','e','n','t',0
;**************************************************************************************
;*************************************************************************************
;驅動主程序代碼從這里開始
.code
start proc DriverObject,RegisterPath ;安裝驅動上層傳下來兩個參數
pushad ;保存堆棧
; 這里開始是關于協議操作的代碼
;注冊假協議返回lpProtocolHandle指向的NDIS_PROTOCOL_BLOCK鏈表首地址
;NDIS_PROTOCOL_BLOCK(協議表)是NDIS維護所有系統中已注冊協議的單向鏈接表
mov dword ptr stProtocolChar,5
mov dword ptr stProtocolChar+3ch,offset PtBindAdapter
mov dword ptr stProtocolChar+40h,offset PtUnbindAdapter
;以上是填充NDIS_PROTOCOL_CHARACTERISTIC結構
invoke NdisRegisterProtocol,offset dwStatus,offset lpProtocolHandle,offset stProtocolChar,6ch
cmp dwStatus,0
jnz _exit ;注冊假協議失敗退出驅動
;********************************
mov ebx,lpProtocolHandle
mov ebx,[ebx+10h] ;去掉我們注冊的假協議.
;我們注冊的假協議已經沒有用了,注銷掉.
invoke NdisDeregisterProtocol,offset dwStatus,lpProtocolHandle
mov lpProtocolHandle,ebx ;保存真正的系統協議鏈表的首地址
;這個循環是在系統協議鏈表搜索TCPIP協議的PROTOCOL_HANDLE,ebx->NDIS_PROTOCOL_BLOCK鏈表首
mov esi,offset stTcpip ;esi->Unicode格式(NTDDK中IFSDDK.INC)定義的協議名
.repeat
lea edi,[ebx+44h] ;當前協議名(Unicode格式)
invoke RtlCompareUnicodeString,edi,esi,1 ;進行與我們查找的進行比較
.break .if eax==0 ;查找到退出循環
mov ebx,[ebx+10h] ;ebx->下一個協議
.until ebx==0 ;查找到表尾
cmp eax,0
jnz _exit ;協議沒找到退出驅動
;************************************************************************************
;正常的協議工作流程:1、調用NdisRegisterProtocol注冊協議,2、下層協議(或系統管理層協議)
;會調用協議鏈表里的所有協議的BindAdapterHandler派發函數,這是注冊協議的回調過程.
;3、BindAdapterHandler派發函數里會調用NdisOpenAdapter來綁定自己到合適網絡設備.
;4、最后NdisOpenAdapter函數返回BindingHandle,BindingHandle指向NDIS_OPEN_BLOCK鏈表.
;勾掛NDIS_OPEN_BLOCK鏈表:1、接收數據ReceiveHandle、ReceivePacketHandler函數
;2、發送數據SendHandler、SendPacketsHandler函數.
mov ebx,[ebx] ;ebx->tcpip的NDIS_OPEN_BLOCK鏈表系統不同版本不同
mov lpProtocolHandle,ebx ;保存TCPIP協議的OPEN_BLOCK(BINDING_HANDLE)
mov eax,[ebx+30h]
mov lpOldSend,eax ;保存TCPIP協議驅動的OPEN_BLOCK里的SendHandler派發函數地址
mov eax,[ebx+40h]
mov lpOldRecv,eax ;保存TCPIP協議驅動的OPEN_BLOCK里的ReceiveHandler派發函數地址
mov eax,[ebx+50h]
mov lpOldRecvP,eax ;保存TCPIP協議驅動的OPEN_BLOCK里的ReceivePacketHandler派發函數地址
mov eax,[ebx+38h]
mov lpOldSendComplete,eax ;保存TCPIP協議驅動的OPEN_BLOCK里的SendCompleteHandler派發函數地址
; 協議操作代碼在這里結束HOOK函數代碼在后面.
;*************************************************************************************
;*******************************************************************************************************************
; 這里開始是建立一個可以讓應用程序(ring3)訪問的驅動.以事件方式建立,數據傳送方式為DIRECT_IO.
;建立設備以備應用程序訪問,DeviceExtension size=18h, type= device_transfer
invoke IoCreateDevice,DriverObject,18h,offset stDeviceName,21h,0,0,offset lpDeviceObject
invoke IoCreateSymbolicLink,offset stSymbolicLinkName,offset stDeviceName
mov eax,lpDeviceObject
or dword ptr [eax+1ch],10h ;把device.flag設置為DO_DIRECT_IO,使驅動程序的READ、WRITE例程直接映射用戶緩沖區到本驅動
mov edi,DriverObject
add edi,38h
mov ecx,1ch
mov eax,offset _CommonIoControl
rep stosd ;填充共用例程,必須,否則CreateFile()不能打開本驅動
;***********************
mov eax,DriverObject
mov dword ptr [eax+34h],offset _Unload
mov dword ptr [eax+44h],offset _Read
mov dword ptr [eax+48h],offset _Write ;注冊驅動例程
mov byte ptr [eax+8],2 ;強行修改Driver.flag為legacy driver,否則DriverEntry返回時系統就會卸載本驅動(因為本驅動默認編譯為WDM drvier)
;建立RING0事件
invoke NdisInitializeEvent,offset obSendEvent
invoke NdisInitializeEvent,offset obRecvEvent
invoke NdisResetEvent,offset obSendEvent
invoke NdisResetEvent,offset obRecvEvent
;建立RING3事件,在RING3用OpenEvent()打開
invoke IoCreateNotificationEvent,offset stSend3Event,offset hSend3Event
mov lpSend3Event,eax
invoke NdisResetEvent,eax
invoke IoCreateNotificationEvent,offset stRecv3Event,offset hRecv3Event
mov lpRecv3Event,eax
invoke NdisResetEvent,eax
; 建立可讓應用程序訪問的驅動代碼在這里結束.
;***************************************************************************************
;***************************************************************************************
; 這里是設置HOOK TCPIP協議的函數
mov ebx,lpProtocolHandle ;ebx->NDIS_OPEN_BLOCK
mov dword ptr [ebx+30h],offset _mySend ;HOOK TCPIP協議的Send
mov dword ptr [ebx+40h],offset _myRecv ;HOOK TCPIP協議的Recv
mov dword ptr [ebx+50h],offset _myRecvP ;HOOK TCPIP協議的RecvPacket
mov dword ptr [ebx+38h],offset _mySendComplete ;HOOK TCPIP協議的SendComplete
;*****************************************************************************************
_exit:
popad
xor eax,eax
ret
start endp
;驅動主程序在這里結束..
;****************************************************************************************
;*****************************************************************************************
;這里開始是驅動程序的分派函數
;卸載驅動程序函數
_Unload proc DriverObject
mov edx,lpProtocolHandle
mov eax,lpOldSend
mov [edx+30h],eax
mov eax,lpOldRecv
mov [edx+40h],eax
mov eax,lpOldRecvP
mov [edx+50h],eax
mov eax,lpOldSendComplete
mov [edx+38h],eax
;恢復TCPIP協議的OPEN_BLOCK里原來的派發例程
invoke ZwClose,hSend3Event
invoke ZwClose,hRecv3Event
invoke NdisSetEvent,offset obSendEvent
invoke NdisSetEvent,offset obRecvEvent
invoke IoDeleteSymbolicLink,offset stSymbolicLinkName
invoke IoDeleteDevice,lpDeviceObject
xor eax,eax
ret
_Unload endp
;******************************************************************************************
;***************************************************************************************
;驅動程序公共控制函數
_CommonIoControl proc DeviceObject,pIrp
mov eax,pIrp
mov dword ptr [eax+18h],0
mov dword ptr [eax+1ch],0
invoke IoCompleteRequest,pIrp,0
xor eax,eax
ret
_CommonIoControl endp
;***************************************************************************************
;***************************************************************************************
;驅動程序傳給應用程序數據函數.應用程序用ReadFile()調用
_Read proc DeviceObject,pIrp
pushad
mov ebx,pIrp
mov edi,[ebx+4]
mov ecx,[edi+18h]
mov edi,[edi+10h]
add edi,ecx ;EDI=用戶緩沖區
mov ecx,lpSend3Event
mov edx,lpRecv3Event
.if dword ptr [ecx+4]
invoke NdisResetEvent,lpSend3Event ;RING3事件復位,防止再次放行
mov esi,offset szSendBuffer
mov ecx,dwSendSize
mov eax,[ebx+60h]
.if ecx>[eax+4]
mov ecx,[eax+4]
.endif
.else
invoke NdisResetEvent,lpRecv3Event
mov esi,offset szRecvBuffer
mov ecx,dwRecvSize
mov eax,[ebx+60h]
.if ecx>[eax+4]
mov ecx,[eax+4]
.endif
.endif
mov dword ptr [ebx+18h],0
mov dword ptr [ebx+1ch],ecx ;設置ReadFile()的讀取字節數
rep movsb ;把數據包復制到ReadFile()提供的緩沖區
invoke IoCompleteRequest,pIrp,0
popad
xor eax,eax
ret
_Read endp
;***************************************************************************************
;***************************************************************************************
;***************************************************************************************
;應用程序傳給驅動程序數據函數.應用程序用WriteFile()調用
_Write proc DeviceObject,pIrp
mov eax,pIrp
mov dword ptr [eax+18h],0
mov dword ptr [eax+1ch],0
mov edx,[eax+4]
mov ecx,[eax+60h]
mov ecx,[ecx+4] ;ECX=數據長度
mov eax,[edx+18h]
mov edx,[edx+10h]
add edx,eax ;EDX=用戶緩沖區
mov szMyPacketLen,ecx ;我們自己構造的包長度
mov edi,offset szMyPacketBuffer
mov esi,edx
rep movsb ;拷貝包到本驅動
;發送應用程序傳下來的數據包
invoke MySendPacket,lpProtocolHandle,addr szMyPacketBuffer,szMyPacketLen
invoke IoCompleteRequest,pIrp,0
xor eax,eax
ret
_Write endp
;驅動程序的分派函數在這里結束
;***************************************************************************************
;***************************************************************************************
;這里開始是我們HOOK協議的及相關要用的函數
;將發送和接收的包拷到本地緩沖區
CopyPktTOLocBuf proc uses ebx ecx edi esi _lpPacket:dword,_lpBuffer:dword
local PacketVa:dword
local PacketSize:dword
mov ebx,_lpPacket
mov ebx,[ebx+8]
;循環復制協議數據包到指定緩沖區里
mov edi,_lpBuffer
.repeat
invoke NdisQueryBufferSafe,ebx,addr PacketVa,addr PacketSize,20h
mov esi,PacketVa
mov ecx,PacketSize
rep movsb
mov ebx,[ebx]
.until ebx==0
sub edi,_lpBuffer
mov eax,edi
ret
CopyPktTOLocBuf endp
;這是我們HOOK tcpip協議的發送函數
_mySend proc _lpAdapt,_lpPacket
local PacketVa:dword
local PacketSize:dword
pushad
invoke CopyPktTOLocBuf,_lpPacket,addr szRecvBuffer
mov dwSendSize,eax
invoke NdisSetEvent,lpSend3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來讀數據包內容(重要)
popad
leave
jmp lpOldSend ;轉到系統原來的Send例程執行
_mySend endp
;***************************************************************************************
;***************************************************************************************
;這是我們HOOK tcpip協議的接收函數
_myRecvP proc _lpAdapt,_lpPacket
local PacketVa:dword
local PacketSize:dword
pushad
invoke CopyPktTOLocBuf,_lpPacket,addr szRecvBuffer
mov dwRecvSize,eax
invoke NdisSetEvent,lpRecv3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來讀數據包內容(重要)
;*************************************************************************************
;處理ARP包開始.只檢測誰在偽裝網關.把偽裝ARP響應包改成ARP請求包并填寫正確的網關MAC地址.
mov ebx,_lpPacket
mov ebx,[ebx+8]
invoke NdisQueryBufferSafe,ebx,addr PacketVa,addr PacketSize,20h
mov edi,PacketVa ;由于ARP包小,不用獲取下一個MDL
.if word ptr [edi+0ch]==0608h ;收到的網絡包是ARP包.
.if word ptr [edi+14h]==0200h ;是ARP響應包.
lea esi,GateWay
mov eax,[edi+1ch]
mov ebx,[esi+6]
add edi,16h
mov ecx,10
.if word ptr [edi+14h]==0AA55h ;自己的特殊向網關請求的ARP包標志.
xchg esi,edi
rep movsb ;保存正確的網關IP及MAC
.elseif ebx==eax ;是來自網關的響應包.
mov word ptr [edi-02h],0100h ;把他改成請求包.
rep movsb
.endif
.endif
.endif
;處理ARP包結束
;*************************************************************************************
popad
leave
jmp lpOldRecvP ;轉到系統原來的Recv例程執行
_myRecvP endp
_myRecv proc _PBC,_MRC,_HeaderBuffer,_HBSize,_LAB,_LABSize,_PacketSize
pushad
mov esi,_HeaderBuffer
mov edi,offset szRecvBuffer
mov ecx,_PacketSize
mov dwRecvSize,ecx
rep movsb
invoke NdisSetEvent,lpRecv3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來讀數據包內容(重要)
;*************************************************************************************
;處理ARP包開始.只檢測誰在偽裝網關.把偽裝ARP響應包改成ARP請求包并填寫正確的網關MAC地址.
mov edi,_HeaderBuffer
.if word ptr [edi+0ch]==0608h ;收到的網絡包是ARP包.
.if word ptr [edi+14h]==0200h ;是ARP響應包.
lea esi,GateWay
mov eax,[edi+1ch]
mov ebx,[esi+6]
add edi,16h
mov ecx,10
.if word ptr [edi+14h]==0AA55h ;自己的特殊向網關請求的ARP包標志.
xchg esi,edi
rep movsb ;保存正確的網關IP及MAC
.elseif ebx==eax ;是來自網關的響應包.
mov word ptr [edi-02h],0100h ;把他改成請求包.
rep movsb
.endif
.endif
.endif
;處理ARP包結束
;*************************************************************************************
popad
leave
jmp lpOldRecv ;轉到系統原來的Recv例程執行
_myRecv endp
;這是我們HOOK tcpip協議的發送完成函數
_mySendComplete proc _PBC,_Packet,_Status
pushad
.if szMyPacketLen ;我們自己的構造的包長度
invoke CopyPktTOLocBuf,_Packet,addr szTempBuffer
mov esi,offset szTempBuffer
mov edi,offset szMyPacketBuffer
mov ecx,szMyPacketLen
repz cmpsb ;比較包的內容
.if !ecx ;是我們的包
mov szMyPacketLen,0 ;設置包的長度
popad
leave
xor eax,eax
ret ;是我們的包直接返回
.endif
.endif
popad ;不是我們的包轉到系統原來例程
leave
jmp lpOldSendComplete ;轉到系統原來的SendComplete例程執行
_mySendComplete endp
;*********************************************************************************************
;*********************************************************************************************
;MySendPacket: 發送自已構造的數據幀(注意:包是直接交給網卡發送)
;入口: BindingHandle=NDIS_PROTOCOL_BLOCK->_NDIS_OPEN_BLOCK
; MyPacket=數據幀緩沖首址,PacketLen=數據幀長度
;出口: dwStatus=返回狀態
MySendPacket proc BindingHandle:dword,MyPacket:dword,PacketLen:dword
local PacketPoolHandle:dword
local PacketHandle:dword
local BufferHandle:dword
invoke NdisAllocatePacketPool,addr dwStatus,addr PacketPoolHandle,0FFFh,10h
invoke NdisAllocateBuffer,addr dwStatus,addr BufferHandle,0,MyPacket,PacketLen
invoke NdisAllocatePacket,addr dwStatus,addr PacketHandle,PacketPoolHandle
invoke NdisChainBufferAtFront,PacketHandle,BufferHandle
invoke NdisSend,Addr dwStatus,BindingHandle,PacketHandle
.if eax!=103h ;NDIS_STATUS_PENDING=103h
invoke NdisFreePacketPool,PacketPoolHandle
invoke NdisFreePacket,PacketHandle
invoke NdisFreeBuffer,BufferHandle
.endif
ret ;發送完成返回dwStatus
MySendPacket endp
;*********************************************************************
;看NTDDK中的Ndis.h中有定義.
NdisChainBufferAtFront proc uses ecx Packet:dword,Buffer:dword
mov eax,Buffer
.while 1
mov ecx,[eax]
.break .if ecx==0
mov eax,ecx ;MDL.Next
.endw ;eax=Tail
mov ecx,Packet
.if dword ptr [ecx+08h]==0 ;Packet->Private.Head
mov [ecx+0ch],eax ;Packet->Private.Tail
.endif
mov ecx,[ecx+08h]
mov [eax],ecx ;MDL.Next
mov eax,Packet
mov ecx,Buffer
mov [eax+08h],ecx
and byte ptr [eax+1ch],0 ;Packet->Private.ValidCounts
ret
NdisChainBufferAtFront endp
;***************************************************************************************************
;***************************************************************************************************
;以下空函數是為了填充NDIS_PROTOCOL_CHARACTERISTIC結構而設置的,實際下基本不會被系統調用,沒有又不行。
PtBindAdapter proc Status,BindContext,DeviceName,SystemSpecific1,SystemSpecific2
xor eax,eax
ret
PtBindAdapter endp
PtUnbindAdapter proc Status,pAdapt,UnbindContext
xor eax,eax
ret
PtUnbindAdapter endp
;我們HOOK協議的及相關要用的函數在這里結束
;******************************************************************************************************
end start
:make
set drv=ndisdrv
d:\masm32\ml /c /coff /Cp %drv%.bat
d:\masm32\link /subsystem:native /driver:wdm /release /align:16 /base:0x10000 /out:%drv%.sys %drv%.obj
;del %drv%.obj
pause
應用層源代碼:
;goto make
.386
.model flat, stdcall
option casemap:none
include d:\masm32\include\windows.inc
include d:\masm32\include\iphlpapi.inc
include d:\masm32\include\ws2_32.inc
include d:\masm32\include\kernel32.inc
include D:\masm32\macros\Strings.mac
include D:\masm32\include\advapi32.inc
include d:\masm32\include\user32.inc
includelib d:\masm32\lib\advapi32.lib
includelib d:\masm32\lib\iphlpapi.lib
includelib d:\masm32\LIB\WS2_32.LIB
includelib d:\masm32\lib\kernel32.lib
includelib d:\masm32\lib\user32.lib
.data
buffer db 800h dup(0)
filename db "\\.\NdisDrv",0
sFileName db "ndisdrv.sys",0
SeviceMe db "Ndis ARP",0
Send3E db "Send3Event",0
Recv3E db "Recv3Event",0
hdrv dd ?
hEvent dd ?
dwTempVar dd 1
hSCManager dd ?
hService dd ?
lpMemory dd ?
dwStructSize dd ?
acDriverPath db 260 dup (?)
LocalMac db 6 dup (?)
szMacLen dd 6
ArpPacket db 0ffh,0ffh,0ffh,0ffh,0ffh,0ffh,000h,090h,027h,099h,012h,0bah,008h,006h,000h,001h
db 008h,000h,006h,004h,000h,001h,000h,090h,027h,099h,012h,0bah,0c0h,0a8h,001h,006h
db 000h,000h,000h,000h,000h,000h,0c0h,0a8h,001h,001h,055h,0aah,0ffh,0ffh,0ffh,0ffh
MsgCaption db "ARP防火墻",0
MsgBoxText db "作者:成松林 QQ:179641795 該版本為調試版本試用系統win2k/xp",0
.code
MyArpPacket proc
;********************************************************************
invoke GetAdaptersInfo,NULL,addr dwStructSize
invoke GlobalAlloc,GPTR,dwStructSize
mov lpMemory,eax
invoke GetAdaptersInfo,lpMemory,addr dwStructSize
mov esi,lpMemory
lea edi,ArpPacket
add esi,1b0h
invoke inet_addr,esi
mov [edi+1ch],eax
invoke SendARP,eax,0,addr LocalMac,addr szMacLen
add esi,28h
invoke inet_addr,esi
mov [edi+26h],eax
lea esi,LocalMac
add edi,6
mov ecx,6
rep movsb
lea edi,ArpPacket
lea esi,LocalMac
add edi,16h
mov ecx,6
rep movsb
ret
MyArpPacket endp
start:
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax
push eax
invoke GetFullPathName, addr sFileName,sizeof acDriverPath,addr acDriverPath,esp
pop eax
invoke CreateService, hSCManager, addr sFileName, addr SeviceMe, \
SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL
invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
;invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
;invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."),NULL, MB_ICONSTOP
.endif
;************************************************************************************************************
invoke CreateFile,addr filename,0c0000000h,0,0,3,0,0
mov hdrv,eax
;invoke OpenEvent,100000h,0,addr Send3E
invoke OpenEvent,100000h,0,addr Recv3E
mov hEvent,eax ;接收數據事件
invoke MyArpPacket ;自己構造的ARP請求包.
invoke WriteFile,hdrv,addr ArpPacket,64,addr dwTempVar,0 ;發送數據包
;.while 1
invoke WaitForSingleObject,hEvent,-1
;.endw
invoke MessageBoxA, 0,addr MsgBoxText, addr MsgCaption,0
invoke ExitProcess, 0
end start
:make
set drv=ndisring3
d:\masm32\ml /c /coff %drv%.bat
d:\masm32\link /subsystem:windows %drv%.obj
del %drv%.obj
pause
本程序在win2k上調試通過。。用的NetFuke ver1.01工具作arp雙向欺騙作實驗..
posted on 2007-08-10 02:30
聶文龍 閱讀(2599)
評論(4) 編輯 收藏 引用