作者:成松林
QQ:179641795
轉(zhuǎn)貼請(qǐng)不要改變作者信息!
為了簡(jiǎn)單、速度代碼在以前研究驅(qū)動(dòng)基礎(chǔ)上改寫(xiě)。
驅(qū)動(dòng)層源代碼:
;goto make
.586p
.model flat,stdcall
option casemap:none
includelib D:\masm32\LIB\w2k\ntoskrnl.lib
includelib D:\masm32\LIB\w2k\hal.lib
includelib D:\masm32\LIB\w2k\ndis.lib
;***************************************************************
;沒(méi)有INC文件,要使用的NDIS函數(shù)定義
NdisChainBufferAtFront proto :DWORD,:DWORD
CopyPktTOLocBuf proto :DWORD,:DWORD
NdisAllocatePacketPool PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD
NdisAllocateBuffer PROTO STDCALL :DWORD,:DWORD,:DWORD,:DWORD,:DWORD
NdisAllocatePacket PROTO STDCALL :DWORD,:DWORD,:DWORD
NdisSend PROTO STDCALL :DWORD,:DWORD,:DWORD
MySendPacket proto :dword,:dword,:dword
NdisQueryBufferSafe proto :dword,:dword,:dword,:dword
NdisInitializeEvent proto :dword
NdisSetEvent proto :dword
NdisResetEvent proto :dword
NdisFreePacketPool proto :dword
NdisFreePacket proto :dword
NdisFreeBuffer proto :dword
NdisWaitEvent proto :dword,:dword
NdisRegisterProtocol proto :dword,:dword,:dword,:dword
NdisDeregisterProtocol proto :dword,:dword
IoCreateDevice proto :dword,:dword,:dword,:dword,:dword,:dword,:dword
IoDeleteDevice proto :dword
IoCreateSymbolicLink proto :dword,:dword
IoDeleteSymbolicLink proto :dword
IoCompleteRequest proto :dword,:dword
IoCreateNotificationEvent proto :dword,:dword
RtlCompareUnicodeString proto :dword,:dword,:dword
ZwClose proto :dword
;***************************************************************
;公共數(shù)據(jù)定義區(qū)
.data
lpProtocolHandle dd 0 ;協(xié)議句柄的指針
lpDeviceObject dd 0 ;設(shè)備對(duì)象的指針
;*********************************
lpOldSend dd 0 ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的SendHandler派發(fā)函數(shù)地址
lpOldRecv dd 0 ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的ReceiveHandler派發(fā)函數(shù)地址
lpOldRecvP dd 0 ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的ReceivePacketHandler派發(fā)函數(shù)地址
lpOldSendComplete dd 0 ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的SendCompleteHandler派發(fā)函數(shù)地址
;*******************************
lpSend3Event dd 0 ;RING3發(fā)送事件在本驅(qū)動(dòng)的指針
hSend3Event dd 0 ;RING3發(fā)送事件在本驅(qū)動(dòng)的句柄
lpRecv3Event dd 0 ;RING3接收事件在本驅(qū)動(dòng)的指針
hRecv3Event dd 0 ;RING3接收事件在本驅(qū)動(dòng)的句柄
dwStatus dd 0
dwTempVar dd 0
obSendEvent db 16 dup(0) ;RING0 SEND對(duì)象
obRecvEvent db 16 dup(0) ;RING0 RECV對(duì)象
stProtocolChar db 70h dup(0) ;NdisRegisterProtocol()要使用的NDIS_PROTOCOL_CHARACTERISTIC結(jié)構(gòu)
szSendBuffer db 800h dup(0) ;系統(tǒng)將要發(fā)送的數(shù)據(jù)包的副本
szRecvBuffer db 800h dup(0) ;系統(tǒng)將要接收的數(shù)據(jù)包的副本
szTempBuffer db 800h dup(0)
szMyPacketBuffer db 800h dup(0)
szMyPacketLen dd 0
dwSendSize dd 0 ;發(fā)送副本大小
dwRecvSize dd 0 ;接收副本大小
GateWay db 10 dup (0) ;網(wǎng)關(guān)IP和MAC
;常量定義區(qū)
.const
stTcpip dw 5*2,6*2
dd offset szTcpip
szTcpip dw 'T','c','p','i','p',0
stDeviceName dw 15*2,16*2
dd offset szDeviceName
szDeviceName dw '\','D','e','v','i','c','e','\','N','d','i','s','D','r','v',0
stSymbolicLinkName dw 19*2,20*2
dd offset szSymbolicLinkName
szSymbolicLinkName dw '\','D','o','s','D','e','v','i','c','e','s','\','N','D','I','S','D','R','V',0
stSend3Event dw 28*2,29*2
dd offset szSend3Event
szSend3Event dw '\','B','a','s','e','N','a','m','e','d','O','b','j','e','c','t','s','\','S','e','n','d','3','E','v','e','n','t',0
stRecv3Event dw 28*2,29*2
dd offset szRecv3Event
szRecv3Event dw '\','B','a','s','e','N','a','m','e','d','O','b','j','e','c','t','s','\','R','e','c','v','3','E','v','e','n','t',0
;**************************************************************************************
;*************************************************************************************
;驅(qū)動(dòng)主程序代碼從這里開(kāi)始
.code
start proc DriverObject,RegisterPath ;安裝驅(qū)動(dòng)上層傳下來(lái)兩個(gè)參數(shù)
pushad ;保存堆棧
; 這里開(kāi)始是關(guān)于協(xié)議操作的代碼
;注冊(cè)假協(xié)議返回lpProtocolHandle指向的NDIS_PROTOCOL_BLOCK鏈表首地址
;NDIS_PROTOCOL_BLOCK(協(xié)議表)是NDIS維護(hù)所有系統(tǒng)中已注冊(cè)協(xié)議的單向鏈接表
mov dword ptr stProtocolChar,5
mov dword ptr stProtocolChar+3ch,offset PtBindAdapter
mov dword ptr stProtocolChar+40h,offset PtUnbindAdapter
;以上是填充NDIS_PROTOCOL_CHARACTERISTIC結(jié)構(gòu)
invoke NdisRegisterProtocol,offset dwStatus,offset lpProtocolHandle,offset stProtocolChar,6ch
cmp dwStatus,0
jnz _exit ;注冊(cè)假協(xié)議失敗退出驅(qū)動(dòng)
;********************************
mov ebx,lpProtocolHandle
mov ebx,[ebx+10h] ;去掉我們注冊(cè)的假協(xié)議.
;我們注冊(cè)的假協(xié)議已經(jīng)沒(méi)有用了,注銷掉.
invoke NdisDeregisterProtocol,offset dwStatus,lpProtocolHandle
mov lpProtocolHandle,ebx ;保存真正的系統(tǒng)協(xié)議鏈表的首地址
;這個(gè)循環(huán)是在系統(tǒng)協(xié)議鏈表搜索TCPIP協(xié)議的PROTOCOL_HANDLE,ebx->NDIS_PROTOCOL_BLOCK鏈表首
mov esi,offset stTcpip ;esi->Unicode格式(NTDDK中IFSDDK.INC)定義的協(xié)議名
.repeat
lea edi,[ebx+44h] ;當(dāng)前協(xié)議名(Unicode格式)
invoke RtlCompareUnicodeString,edi,esi,1 ;進(jìn)行與我們查找的進(jìn)行比較
.break .if eax==0 ;查找到退出循環(huán)
mov ebx,[ebx+10h] ;ebx->下一個(gè)協(xié)議
.until ebx==0 ;查找到表尾
cmp eax,0
jnz _exit ;協(xié)議沒(méi)找到退出驅(qū)動(dòng)
;************************************************************************************
;正常的協(xié)議工作流程:1、調(diào)用NdisRegisterProtocol注冊(cè)協(xié)議,2、下層協(xié)議(或系統(tǒng)管理層協(xié)議)
;會(huì)調(diào)用協(xié)議鏈表里的所有協(xié)議的BindAdapterHandler派發(fā)函數(shù),這是注冊(cè)協(xié)議的回調(diào)過(guò)程.
;3、BindAdapterHandler派發(fā)函數(shù)里會(huì)調(diào)用NdisOpenAdapter來(lái)綁定自己到合適網(wǎng)絡(luò)設(shè)備.
;4、最后NdisOpenAdapter函數(shù)返回BindingHandle,BindingHandle指向NDIS_OPEN_BLOCK鏈表.
;勾掛NDIS_OPEN_BLOCK鏈表:1、接收數(shù)據(jù)ReceiveHandle、ReceivePacketHandler函數(shù)
;2、發(fā)送數(shù)據(jù)SendHandler、SendPacketsHandler函數(shù).
mov ebx,[ebx] ;ebx->tcpip的NDIS_OPEN_BLOCK鏈表系統(tǒng)不同版本不同
mov lpProtocolHandle,ebx ;保存TCPIP協(xié)議的OPEN_BLOCK(BINDING_HANDLE)
mov eax,[ebx+30h]
mov lpOldSend,eax ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的SendHandler派發(fā)函數(shù)地址
mov eax,[ebx+40h]
mov lpOldRecv,eax ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的ReceiveHandler派發(fā)函數(shù)地址
mov eax,[ebx+50h]
mov lpOldRecvP,eax ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的ReceivePacketHandler派發(fā)函數(shù)地址
mov eax,[ebx+38h]
mov lpOldSendComplete,eax ;保存TCPIP協(xié)議驅(qū)動(dòng)的OPEN_BLOCK里的SendCompleteHandler派發(fā)函數(shù)地址
; 協(xié)議操作代碼在這里結(jié)束HOOK函數(shù)代碼在后面.
;*************************************************************************************
;*******************************************************************************************************************
; 這里開(kāi)始是建立一個(gè)可以讓?xiě)?yīng)用程序(ring3)訪問(wèn)的驅(qū)動(dòng).以事件方式建立,數(shù)據(jù)傳送方式為DIRECT_IO.
;建立設(shè)備以備應(yīng)用程序訪問(wèn),DeviceExtension size=18h, type= device_transfer
invoke IoCreateDevice,DriverObject,18h,offset stDeviceName,21h,0,0,offset lpDeviceObject
invoke IoCreateSymbolicLink,offset stSymbolicLinkName,offset stDeviceName
mov eax,lpDeviceObject
or dword ptr [eax+1ch],10h ;把device.flag設(shè)置為DO_DIRECT_IO,使驅(qū)動(dòng)程序的READ、WRITE例程直接映射用戶緩沖區(qū)到本驅(qū)動(dòng)
mov edi,DriverObject
add edi,38h
mov ecx,1ch
mov eax,offset _CommonIoControl
rep stosd ;填充共用例程,必須,否則CreateFile()不能打開(kāi)本驅(qū)動(dòng)
;***********************
mov eax,DriverObject
mov dword ptr [eax+34h],offset _Unload
mov dword ptr [eax+44h],offset _Read
mov dword ptr [eax+48h],offset _Write ;注冊(cè)驅(qū)動(dòng)例程
mov byte ptr [eax+8],2 ;強(qiáng)行修改Driver.flag為legacy driver,否則DriverEntry返回時(shí)系統(tǒng)就會(huì)卸載本驅(qū)動(dòng)(因?yàn)楸掘?qū)動(dòng)默認(rèn)編譯為WDM drvier)
;建立RING0事件
invoke NdisInitializeEvent,offset obSendEvent
invoke NdisInitializeEvent,offset obRecvEvent
invoke NdisResetEvent,offset obSendEvent
invoke NdisResetEvent,offset obRecvEvent
;建立RING3事件,在RING3用OpenEvent()打開(kāi)
invoke IoCreateNotificationEvent,offset stSend3Event,offset hSend3Event
mov lpSend3Event,eax
invoke NdisResetEvent,eax
invoke IoCreateNotificationEvent,offset stRecv3Event,offset hRecv3Event
mov lpRecv3Event,eax
invoke NdisResetEvent,eax
; 建立可讓?xiě)?yīng)用程序訪問(wèn)的驅(qū)動(dòng)代碼在這里結(jié)束.
;***************************************************************************************
;***************************************************************************************
; 這里是設(shè)置HOOK TCPIP協(xié)議的函數(shù)
mov ebx,lpProtocolHandle ;ebx->NDIS_OPEN_BLOCK
mov dword ptr [ebx+30h],offset _mySend ;HOOK TCPIP協(xié)議的Send
mov dword ptr [ebx+40h],offset _myRecv ;HOOK TCPIP協(xié)議的Recv
mov dword ptr [ebx+50h],offset _myRecvP ;HOOK TCPIP協(xié)議的RecvPacket
mov dword ptr [ebx+38h],offset _mySendComplete ;HOOK TCPIP協(xié)議的SendComplete
;*****************************************************************************************
_exit:
popad
xor eax,eax
ret
start endp
;驅(qū)動(dòng)主程序在這里結(jié)束..
;****************************************************************************************
;*****************************************************************************************
;這里開(kāi)始是驅(qū)動(dòng)程序的分派函數(shù)
;卸載驅(qū)動(dòng)程序函數(shù)
_Unload proc DriverObject
mov edx,lpProtocolHandle
mov eax,lpOldSend
mov [edx+30h],eax
mov eax,lpOldRecv
mov [edx+40h],eax
mov eax,lpOldRecvP
mov [edx+50h],eax
mov eax,lpOldSendComplete
mov [edx+38h],eax
;恢復(fù)TCPIP協(xié)議的OPEN_BLOCK里原來(lái)的派發(fā)例程
invoke ZwClose,hSend3Event
invoke ZwClose,hRecv3Event
invoke NdisSetEvent,offset obSendEvent
invoke NdisSetEvent,offset obRecvEvent
invoke IoDeleteSymbolicLink,offset stSymbolicLinkName
invoke IoDeleteDevice,lpDeviceObject
xor eax,eax
ret
_Unload endp
;******************************************************************************************
;***************************************************************************************
;驅(qū)動(dòng)程序公共控制函數(shù)
_CommonIoControl proc DeviceObject,pIrp
mov eax,pIrp
mov dword ptr [eax+18h],0
mov dword ptr [eax+1ch],0
invoke IoCompleteRequest,pIrp,0
xor eax,eax
ret
_CommonIoControl endp
;***************************************************************************************
;***************************************************************************************
;驅(qū)動(dòng)程序傳給應(yīng)用程序數(shù)據(jù)函數(shù).應(yīng)用程序用ReadFile()調(diào)用
_Read proc DeviceObject,pIrp
pushad
mov ebx,pIrp
mov edi,[ebx+4]
mov ecx,[edi+18h]
mov edi,[edi+10h]
add edi,ecx ;EDI=用戶緩沖區(qū)
mov ecx,lpSend3Event
mov edx,lpRecv3Event
.if dword ptr [ecx+4]
invoke NdisResetEvent,lpSend3Event ;RING3事件復(fù)位,防止再次放行
mov esi,offset szSendBuffer
mov ecx,dwSendSize
mov eax,[ebx+60h]
.if ecx>[eax+4]
mov ecx,[eax+4]
.endif
.else
invoke NdisResetEvent,lpRecv3Event
mov esi,offset szRecvBuffer
mov ecx,dwRecvSize
mov eax,[ebx+60h]
.if ecx>[eax+4]
mov ecx,[eax+4]
.endif
.endif
mov dword ptr [ebx+18h],0
mov dword ptr [ebx+1ch],ecx ;設(shè)置ReadFile()的讀取字節(jié)數(shù)
rep movsb ;把數(shù)據(jù)包復(fù)制到ReadFile()提供的緩沖區(qū)
invoke IoCompleteRequest,pIrp,0
popad
xor eax,eax
ret
_Read endp
;***************************************************************************************
;***************************************************************************************
;***************************************************************************************
;應(yīng)用程序傳給驅(qū)動(dòng)程序數(shù)據(jù)函數(shù).應(yīng)用程序用WriteFile()調(diào)用
_Write proc DeviceObject,pIrp
mov eax,pIrp
mov dword ptr [eax+18h],0
mov dword ptr [eax+1ch],0
mov edx,[eax+4]
mov ecx,[eax+60h]
mov ecx,[ecx+4] ;ECX=數(shù)據(jù)長(zhǎng)度
mov eax,[edx+18h]
mov edx,[edx+10h]
add edx,eax ;EDX=用戶緩沖區(qū)
mov szMyPacketLen,ecx ;我們自己構(gòu)造的包長(zhǎng)度
mov edi,offset szMyPacketBuffer
mov esi,edx
rep movsb ;拷貝包到本驅(qū)動(dòng)
;發(fā)送應(yīng)用程序傳下來(lái)的數(shù)據(jù)包
invoke MySendPacket,lpProtocolHandle,addr szMyPacketBuffer,szMyPacketLen
invoke IoCompleteRequest,pIrp,0
xor eax,eax
ret
_Write endp
;驅(qū)動(dòng)程序的分派函數(shù)在這里結(jié)束
;***************************************************************************************
;***************************************************************************************
;這里開(kāi)始是我們HOOK協(xié)議的及相關(guān)要用的函數(shù)
;將發(fā)送和接收的包拷到本地緩沖區(qū)
CopyPktTOLocBuf proc uses ebx ecx edi esi _lpPacket:dword,_lpBuffer:dword
local PacketVa:dword
local PacketSize:dword
mov ebx,_lpPacket
mov ebx,[ebx+8]
;循環(huán)復(fù)制協(xié)議數(shù)據(jù)包到指定緩沖區(qū)里
mov edi,_lpBuffer
.repeat
invoke NdisQueryBufferSafe,ebx,addr PacketVa,addr PacketSize,20h
mov esi,PacketVa
mov ecx,PacketSize
rep movsb
mov ebx,[ebx]
.until ebx==0
sub edi,_lpBuffer
mov eax,edi
ret
CopyPktTOLocBuf endp
;這是我們HOOK tcpip協(xié)議的發(fā)送函數(shù)
_mySend proc _lpAdapt,_lpPacket
local PacketVa:dword
local PacketSize:dword
pushad
invoke CopyPktTOLocBuf,_lpPacket,addr szRecvBuffer
mov dwSendSize,eax
invoke NdisSetEvent,lpSend3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來(lái)讀數(shù)據(jù)包內(nèi)容(重要)
popad
leave
jmp lpOldSend ;轉(zhuǎn)到系統(tǒng)原來(lái)的Send例程執(zhí)行
_mySend endp
;***************************************************************************************
;***************************************************************************************
;這是我們HOOK tcpip協(xié)議的接收函數(shù)
_myRecvP proc _lpAdapt,_lpPacket
local PacketVa:dword
local PacketSize:dword
pushad
invoke CopyPktTOLocBuf,_lpPacket,addr szRecvBuffer
mov dwRecvSize,eax
invoke NdisSetEvent,lpRecv3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來(lái)讀數(shù)據(jù)包內(nèi)容(重要)
;*************************************************************************************
;處理ARP包開(kāi)始.只檢測(cè)誰(shuí)在偽裝網(wǎng)關(guān).把偽裝ARP響應(yīng)包改成ARP請(qǐng)求包并填寫(xiě)正確的網(wǎng)關(guān)MAC地址.
mov ebx,_lpPacket
mov ebx,[ebx+8]
invoke NdisQueryBufferSafe,ebx,addr PacketVa,addr PacketSize,20h
mov edi,PacketVa ;由于ARP包小,不用獲取下一個(gè)MDL
.if word ptr [edi+0ch]==0608h ;收到的網(wǎng)絡(luò)包是ARP包.
.if word ptr [edi+14h]==0200h ;是ARP響應(yīng)包.
lea esi,GateWay
mov eax,[edi+1ch]
mov ebx,[esi+6]
add edi,16h
mov ecx,10
.if word ptr [edi+14h]==0AA55h ;自己的特殊向網(wǎng)關(guān)請(qǐng)求的ARP包標(biāo)志.
xchg esi,edi
rep movsb ;保存正確的網(wǎng)關(guān)IP及MAC
.elseif ebx==eax ;是來(lái)自網(wǎng)關(guān)的響應(yīng)包.
mov word ptr [edi-02h],0100h ;把他改成請(qǐng)求包.
rep movsb
.endif
.endif
.endif
;處理ARP包結(jié)束
;*************************************************************************************
popad
leave
jmp lpOldRecvP ;轉(zhuǎn)到系統(tǒng)原來(lái)的Recv例程執(zhí)行
_myRecvP endp
_myRecv proc _PBC,_MRC,_HeaderBuffer,_HBSize,_LAB,_LABSize,_PacketSize
pushad
mov esi,_HeaderBuffer
mov edi,offset szRecvBuffer
mov ecx,_PacketSize
mov dwRecvSize,ecx
rep movsb
invoke NdisSetEvent,lpRecv3Event ;放行RING3的WaitForSingleObject(),通知RING3用ReadFile來(lái)讀數(shù)據(jù)包內(nèi)容(重要)
;*************************************************************************************
;處理ARP包開(kāi)始.只檢測(cè)誰(shuí)在偽裝網(wǎng)關(guān).把偽裝ARP響應(yīng)包改成ARP請(qǐng)求包并填寫(xiě)正確的網(wǎng)關(guān)MAC地址.
mov edi,_HeaderBuffer
.if word ptr [edi+0ch]==0608h ;收到的網(wǎng)絡(luò)包是ARP包.
.if word ptr [edi+14h]==0200h ;是ARP響應(yīng)包.
lea esi,GateWay
mov eax,[edi+1ch]
mov ebx,[esi+6]
add edi,16h
mov ecx,10
.if word ptr [edi+14h]==0AA55h ;自己的特殊向網(wǎng)關(guān)請(qǐng)求的ARP包標(biāo)志.
xchg esi,edi
rep movsb ;保存正確的網(wǎng)關(guān)IP及MAC
.elseif ebx==eax ;是來(lái)自網(wǎng)關(guān)的響應(yīng)包.
mov word ptr [edi-02h],0100h ;把他改成請(qǐng)求包.
rep movsb
.endif
.endif
.endif
;處理ARP包結(jié)束
;*************************************************************************************
popad
leave
jmp lpOldRecv ;轉(zhuǎn)到系統(tǒng)原來(lái)的Recv例程執(zhí)行
_myRecv endp
;這是我們HOOK tcpip協(xié)議的發(fā)送完成函數(shù)
_mySendComplete proc _PBC,_Packet,_Status
pushad
.if szMyPacketLen ;我們自己的構(gòu)造的包長(zhǎng)度
invoke CopyPktTOLocBuf,_Packet,addr szTempBuffer
mov esi,offset szTempBuffer
mov edi,offset szMyPacketBuffer
mov ecx,szMyPacketLen
repz cmpsb ;比較包的內(nèi)容
.if !ecx ;是我們的包
mov szMyPacketLen,0 ;設(shè)置包的長(zhǎng)度
popad
leave
xor eax,eax
ret ;是我們的包直接返回
.endif
.endif
popad ;不是我們的包轉(zhuǎn)到系統(tǒng)原來(lái)例程
leave
jmp lpOldSendComplete ;轉(zhuǎn)到系統(tǒng)原來(lái)的SendComplete例程執(zhí)行
_mySendComplete endp
;*********************************************************************************************
;*********************************************************************************************
;MySendPacket: 發(fā)送自已構(gòu)造的數(shù)據(jù)幀(注意:包是直接交給網(wǎng)卡發(fā)送)
;入口: BindingHandle=NDIS_PROTOCOL_BLOCK->_NDIS_OPEN_BLOCK
; MyPacket=數(shù)據(jù)幀緩沖首址,PacketLen=數(shù)據(jù)幀長(zhǎng)度
;出口: dwStatus=返回狀態(tài)
MySendPacket proc BindingHandle:dword,MyPacket:dword,PacketLen:dword
local PacketPoolHandle:dword
local PacketHandle:dword
local BufferHandle:dword
invoke NdisAllocatePacketPool,addr dwStatus,addr PacketPoolHandle,0FFFh,10h
invoke NdisAllocateBuffer,addr dwStatus,addr BufferHandle,0,MyPacket,PacketLen
invoke NdisAllocatePacket,addr dwStatus,addr PacketHandle,PacketPoolHandle
invoke NdisChainBufferAtFront,PacketHandle,BufferHandle
invoke NdisSend,Addr dwStatus,BindingHandle,PacketHandle
.if eax!=103h ;NDIS_STATUS_PENDING=103h
invoke NdisFreePacketPool,PacketPoolHandle
invoke NdisFreePacket,PacketHandle
invoke NdisFreeBuffer,BufferHandle
.endif
ret ;發(fā)送完成返回dwStatus
MySendPacket endp
;*********************************************************************
;看NTDDK中的Ndis.h中有定義.
NdisChainBufferAtFront proc uses ecx Packet:dword,Buffer:dword
mov eax,Buffer
.while 1
mov ecx,[eax]
.break .if ecx==0
mov eax,ecx ;MDL.Next
.endw ;eax=Tail
mov ecx,Packet
.if dword ptr [ecx+08h]==0 ;Packet->Private.Head
mov [ecx+0ch],eax ;Packet->Private.Tail
.endif
mov ecx,[ecx+08h]
mov [eax],ecx ;MDL.Next
mov eax,Packet
mov ecx,Buffer
mov [eax+08h],ecx
and byte ptr [eax+1ch],0 ;Packet->Private.ValidCounts
ret
NdisChainBufferAtFront endp
;***************************************************************************************************
;***************************************************************************************************
;以下空函數(shù)是為了填充NDIS_PROTOCOL_CHARACTERISTIC結(jié)構(gòu)而設(shè)置的,實(shí)際下基本不會(huì)被系統(tǒng)調(diào)用,沒(méi)有又不行。
PtBindAdapter proc Status,BindContext,DeviceName,SystemSpecific1,SystemSpecific2
xor eax,eax
ret
PtBindAdapter endp
PtUnbindAdapter proc Status,pAdapt,UnbindContext
xor eax,eax
ret
PtUnbindAdapter endp
;我們HOOK協(xié)議的及相關(guān)要用的函數(shù)在這里結(jié)束
;******************************************************************************************************
end start
:make
set drv=ndisdrv
d:\masm32\ml /c /coff /Cp %drv%.bat
d:\masm32\link /subsystem:native /driver:wdm /release /align:16 /base:0x10000 /out:%drv%.sys %drv%.obj
;del %drv%.obj
pause
應(yīng)用層源代碼:
;goto make
.386
.model flat, stdcall
option casemap:none
include d:\masm32\include\windows.inc
include d:\masm32\include\iphlpapi.inc
include d:\masm32\include\ws2_32.inc
include d:\masm32\include\kernel32.inc
include D:\masm32\macros\Strings.mac
include D:\masm32\include\advapi32.inc
include d:\masm32\include\user32.inc
includelib d:\masm32\lib\advapi32.lib
includelib d:\masm32\lib\iphlpapi.lib
includelib d:\masm32\LIB\WS2_32.LIB
includelib d:\masm32\lib\kernel32.lib
includelib d:\masm32\lib\user32.lib
.data
buffer db 800h dup(0)
filename db "\\.\NdisDrv",0
sFileName db "ndisdrv.sys",0
SeviceMe db "Ndis ARP",0
Send3E db "Send3Event",0
Recv3E db "Recv3Event",0
hdrv dd ?
hEvent dd ?
dwTempVar dd 1
hSCManager dd ?
hService dd ?
lpMemory dd ?
dwStructSize dd ?
acDriverPath db 260 dup (?)
LocalMac db 6 dup (?)
szMacLen dd 6
ArpPacket db 0ffh,0ffh,0ffh,0ffh,0ffh,0ffh,000h,090h,027h,099h,012h,0bah,008h,006h,000h,001h
db 008h,000h,006h,004h,000h,001h,000h,090h,027h,099h,012h,0bah,0c0h,0a8h,001h,006h
db 000h,000h,000h,000h,000h,000h,0c0h,0a8h,001h,001h,055h,0aah,0ffh,0ffh,0ffh,0ffh
MsgCaption db "ARP防火墻",0
MsgBoxText db "作者:成松林 QQ:179641795 該版本為調(diào)試版本試用系統(tǒng)win2k/xp",0
.code
MyArpPacket proc
;********************************************************************
invoke GetAdaptersInfo,NULL,addr dwStructSize
invoke GlobalAlloc,GPTR,dwStructSize
mov lpMemory,eax
invoke GetAdaptersInfo,lpMemory,addr dwStructSize
mov esi,lpMemory
lea edi,ArpPacket
add esi,1b0h
invoke inet_addr,esi
mov [edi+1ch],eax
invoke SendARP,eax,0,addr LocalMac,addr szMacLen
add esi,28h
invoke inet_addr,esi
mov [edi+26h],eax
lea esi,LocalMac
add edi,6
mov ecx,6
rep movsb
lea edi,ArpPacket
lea esi,LocalMac
add edi,16h
mov ecx,6
rep movsb
ret
MyArpPacket endp
start:
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax
push eax
invoke GetFullPathName, addr sFileName,sizeof acDriverPath,addr acDriverPath,esp
pop eax
invoke CreateService, hSCManager, addr sFileName, addr SeviceMe, \
SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL
invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
;invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
;invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."),NULL, MB_ICONSTOP
.endif
;************************************************************************************************************
invoke CreateFile,addr filename,0c0000000h,0,0,3,0,0
mov hdrv,eax
;invoke OpenEvent,100000h,0,addr Send3E
invoke OpenEvent,100000h,0,addr Recv3E
mov hEvent,eax ;接收數(shù)據(jù)事件
invoke MyArpPacket ;自己構(gòu)造的ARP請(qǐng)求包.
invoke WriteFile,hdrv,addr ArpPacket,64,addr dwTempVar,0 ;發(fā)送數(shù)據(jù)包
;.while 1
invoke WaitForSingleObject,hEvent,-1
;.endw
invoke MessageBoxA, 0,addr MsgBoxText, addr MsgCaption,0
invoke ExitProcess, 0
end start
:make
set drv=ndisring3
d:\masm32\ml /c /coff %drv%.bat
d:\masm32\link /subsystem:windows %drv%.obj
del %drv%.obj
pause
本程序在win2k上調(diào)試通過(guò)。。用的NetFuke ver1.01工具作arp雙向欺騙作實(shí)驗(yàn)..
posted on 2007-08-10 02:30
聶文龍 閱讀(2599)
評(píng)論(4) 編輯 收藏 引用