数据包拦截:Windows下网络数据报的监听和拦截技术疯狂代码！

Windows下网络数据报

监听和拦截技术1
Windows下网络数据报

监听和拦截技术是

个比较古老

话题

应用也很广泛

例如
防火墙等等

这篇小文只是对该技术

个整理总结

没有新技术

高手免看:)
要监听和拦截Windows下

数据报

基本可以在两个层次进行

个是用户态(user-mo
de)

个是核心态(kernel-mode)

在用户态下

从高到低大概有 4种思路方法

1、原是套结字(Raw Socket)

Winsock2以后提供了原始套结字功能

可以在用户态用
Winsock

接收所有流经Winsock

IP包

这种思路方法在MSDN里面有叙述

是MS官方支持

思路方法

在网上也有很多资料

但是这种思路方法只能监听但是不能拦截数据报

所以可以
作为网络监视器

选择技术

但是不能实现防火墙等更高要求

功能

另外最致命

缺
点就是只能在Winsock层次上进行

而对于网络协议栈中底层协议

数据包例如TDI无法
进行处理

对于

些木马和病毒来说很容易避开这个层次

监听

2、替换系统自带

WINSOCK动态连接库

这种思路方法可以在很多文章里面找到详细

实现
细节

通过替换系统Winsock库

部分导出

实现数据报

监听和拦截

缺点同1

3、Winsock服务提供者(SPI)

SPI是Winsock

另

面

是Winsock2

个新特性

起初

Winsock是围绕着TCP/IP协议运行

但是在Winsock 2中却增加了对更多传输协
议

支持

Winsock2不仅提供了

个供应用

访问网络服务

Windows

应用程
序编程接口(API)

还包含了由传输服务提供者和名字解析服务提供者实现

Winsock
服务提供者接口(SPI)和ws2_32.dll

Winsock 2

传输服务提供者是以动态链接库

形式(DLL)存在

以下是winsock 2在传输服务提供者上

WOSA(Windows开放服务结
构):
----------------------------
|Windows

2 应用

|
----------------------------Windows

2 API
| WS2_32.DLL |
----------------------------Windows

2 传输SPI
| 传输服务提供者(DLL) |
----------------------------
Windows

SPI提供 3种协议:分层协议

基础协议和协议链

分层协议是在基础
协议

上层

依靠底层基础协议实现更高级

通信服务

基础协议是能够独立

安全地
和远程端点实现数据通信

协议

它是相对和分层协议而言

协议链是将

系列

基
础协议和分层协议按特点

顺序连接在

起

链状结构

可以通过Platform SDK附带

工具Sporder.exe察看系统已经安装

SPI

通过Ws2_32.dll和相应

服务提供者进行严格

数据交换

Ws2_32.dl
l根
据应用

在创建套接字时所提供

参数来选择特定

服务提供者

然后把应用

实现过程转发由所选创建套接字

服务提供者来管理

也就是说

Ws2_32.dll只是

个
中间过程

而应用

只是

个接口

数据通信

实现却是由服务提供者来完成

所
以我们通过适当

增加自己

分层协议服务提供者

使其位于SPI

顶端

那么就能将W
s2_32.dll传给服务提供者

数据报拦截下来

由于是MS

官方思路方法

具体

使用思路方法在
其Platform SDK里面有详细

例子(LSP)

在MSDN里面也有详细

解释

这种思路方法

优点
是能够获得

Winsock

进程

详细信息

并能实现Qos和数据加密

所以SPI是用户态
数据拦截

较好地点

缺点同1

4、Windows2000包过滤接口

由于过滤规则限制太多不灵活而应用不多

5、网络监视器SDK

MS官方

实时监视分析网络数据

思路方法

但是由于封装

太复?
樱?
使用起来不灵活

在核心态下

数据报

监视和拦截思路方法比较复杂

由于大多个人防火墙都是在核心?
?
实现

所以在这里比较详细

叙述

下

具体

请参见nt/2kDDK文档

大概有下面几
个思路方法

1、 TDI过滤驱动

(TDI Filter Driver)

2、 NDIS中间层驱动

(NDIS Intermediate Driver)

编写IM DRIVER在NDIS中间层

对MINIPORT(网卡驱动

)和协议驱动

的间

数据包进行拦截

这是微软提供

种技术

在DDK中MS提供了Passthru例子

很多中间层过滤驱动都可以由的改编

但编
写该过滤

拦截

非常

复杂

安装也很麻烦

3、 Win2k Filter-Hook Driver

4、 NDIS Hook Driver

这种思路方法又有两种实现方式

(1)向NDIS注册假协议(fake protocol)

这是在协议层上

处理

在Windows内核中

所有已注册

协议是通过

个单向

协议链表来维护

这个单向链表保存了所有已
注册协议

NDIS_PROTOCOL_BLOCK结构

地址

在这个结构中保存了协议驱动所指定

相
应

派发

地址如RECEIVE_HANDLER等

struct _NDIS_PROTOCOL_BLOCK
{
PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol
REFERENCE Ref; // contains spinlock for OpenQueue
UINT Length; // of this NDIS_PROTOCOL_BLOCK struct
NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;// handler addresses

struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next
ULONG MaxPatternSize;
#

d(NDIS_WRAPPER)
//
// Protocol filters
//
struct _NDIS_PROTOCOL_FILTER * ProtocolFilter[NdisMediumMax+1];
WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to
// not

y protocols of existing drivers.
KMUTEX Mutex; // For serialization of Bind/Unbind requests
PKEVENT DeregEvent; // Used by NdisDeregisterProtocol
#end

};
typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK, *PNDIS_PROTOCOL_BLO
CK;并且

每个协议驱动还对应

个NDIS_OPEN_BLOCK

单向链表来维护其所绑定

网卡
信息

当协议驱动

NdisRegisterProtocol的后

EXPORT
VOID
NdisRegisterProtocol(
OUT PNDIS_STATUS Status,
OUT PNDIS_PROTOCOL_BLOCK NdisProtocolHandle, /*注意NDIS_HANDLE所指向

就是PN
DIS_PROTOCOL_BLOCK

结构

不要有什么怀疑

*/
IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,
IN UINT CharacteristicsLength
);
NDIS总是会把新注册

协议放在协议链表

表头并返回这张表

所以只要我们注册

个
新

协议通过新协议注册返回

链表头就可以轻而易举

遍历系统中所有协议表

但是

如果要成功地挂接派发

还需要对协议所对应

NDIS_OPEN_BLOCK结构里

派发函
数进行挂接

NDIS并不是直接

协议驱动在NDIS_PROTOCOL_CHARACTERISTICS所注
册

派发

地址

而是

NDIS_OPEN_BLOCK里

派发

struct _NDIS_OPEN_BLOCK
{
PNDIS_MAC_BLOCK MacHandle; // po

er to our MAC
NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs
PNDIS_ADAPTER_BLOCK AdapterHandle; // po

er to our adapter
PNDIS_PROTOCOL_BLOCK ProtocolHandle; // po

er to our protocol
NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs
PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter\'s OpenQueue
PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol\'s OpenQueue
PFILE_OBJECT FileObject; // created by operating system
BOOLEAN Closing; // TRUE when removing this struct
BOOLEAN Unloading; // TRUE when processing unload
BOOLEAN NoProtRsvdOnRcvPkt; // Reflect the protocol_options
NDIS_HANDLE CloseRequestHandle; // 0 indicates an

ernal close
KSPIN_LOCK SpinLock; // guards Closing
PNDIS_OPEN_BLOCK NextGlobalOpen;
//
// These are optimizations for getting to MAC routines. They are not
// necessary, but are here to save a dereference through the MAC block.
//
SEND_HANDLER SendHandler;
TRANSFER_DATA_HANDLER TransferDataHandler;
//
// These are optimizations for getting to PROTOCOL routines. They are not
// necessary, but are here to save a dereference through the PROTOCOL block.

//
SEND_COMPLETE_HANDLER SendCompleteHandler;
TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;
RECEIVE_HANDLER ReceiveHandler;
RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;
//
// Extentions to the OPEN_BLOCK since Product 1.
//
RECEIVE_HANDLER PostNt31ReceiveHandler;
RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;
//
// NDIS 4.0 extensions
//
RECEIVE_PACKET_HANDLER ReceivePacketHandler;
SEND_PACKETS_HANDLER SendPacketsHandler;
//
// More NDIS 3.0 Cached Handlers
//
RESET_HANDLER Re

Handler;
REQUEST_HANDLER RequestHandler;
//
// Needed for PnP
//
UNICODE_STRING AdapterName; // Up

d name of the adapter we are bound to
};
这张表是

个单向链接表

并且存放了和PNDIS_OPEN_BLOCK->ProtocolCharacteristic
s

样

数据收发派发

当第N块网卡发送数据包到第N个协议时

就会

第N个协议
和第N个网卡的间建立

NDIS_OPEN_BLOCK表里

SendHandler或SendPacketHandler

所以我们还需要对这张表里

派发

进行处理(勾挂)

值得注意

是

在Windows9x/Me/NT

DDK中

NDIS_PROTOCOL_BLOCK

定义是很明确

而在Windows 2000/xp

DDK中

并没有该结构

详细定义

也就是说该结构在Windows2
000/xp下是非公开

因此开发人员需要利用各种调试工具来发掘该结构

详细定义

也正是

如此

这种思路方法对平台

依赖性比较大

需要在

中判断区别

操作系统
版本而使用区别

结构定义

可以用NdisOpenProtocolConfiguration打开协议配置

用
NdisReadConfiguration查询NDIS版本

下面

注册fake protocol并将PNDIS_PROTOCOL_BLOCK结构存在ProtHandle中NDIS_
HANDLE GetProtocolBlock

{
NDIS_PROTOCOL_CHARACTERISTICS PChars;
NDIS_STRING Name;
NDIS_HANDLE ProtHandle;
NDIS_STATUS Status;
NdisZeroMemory(&PChars,

(NDIS_PROTOCOL_CHARACTERISTICS));
PChars.MajorNdisVersion = 5;
PChars.MinorNdisVersion = 0;
NdisInitUnicodeString(&Name, L\"WssFW\"); // Protocol name
PChars.Name = Name;
PChars.OpenAdapterCompleteHandler = NULL;
PChars.CloseAdapterCompleteHandler = NULL;
PChars.SendCompleteHandler = NULL;
PChars.TransferDataCompleteHandler = NULL;

PChars.Re

CompleteHandler = NULL;
PChars.RequestCompleteHandler = NULL;
PChars.ReceiveHandler = NULL;
PChars.ReceiveCompleteHandler = NULL;
PChars.StatusHandler = NULL;
PChars.StatusCompleteHandler = NULL;
PChars.BindAdapterHandler = NULL;
PChars.UnbindAdapterHandler = NULL;
PChars.UnloadHandler = NULL;
PChars.ReceivePacketHandler = NULL;
PChars.PnPEventHandler= NULL;
NdisRegisterProtocol(&Status,
&ProtHandle,
&PChars,

(NDIS_PROTOCOL_CHARACTERIS
TICS));
ASSERT(Status

NDIS_STATUS_SUCCESS);

(Status

NDIS_STATUS_SUCCESS)

ProtHandle;

NULL;
}
下面

挂接PNDIS_PROTOCOL_BLOCK中PNDIS_PROTOCOL_CHARACTERISTICS结构

R
ec
eiveHandler和ReceivePacketHandler
PVOID
HookProtoFunc(
PNDIS_PROTOCOL_CHARACTERISTICS pCharacteristics,

DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
PVOID pOldFunc = NULL;
//Check parameters

( (!pCharacteristics ) || (!pfuncNew) )

NULL;
switch(dwFunctionCode)
{

PROTO_RECEIVE_HANDLER:
//Just hook _disibledevent=> {
pOldFunc = pCharacteristics->ReceiveHandler;

( pOldFunc )
pCharacteristics->ReceiveHandler = pfuncNew;
}

;

PROTO_RECEIVE_PACKET_HANDLER:

(pCharacteristics->ReceivePacketHandler != pfuncNew)
{
//

pOpenBlock is NULL or pOpenBlock->ReceivePacketHandl
er is NULL,
//just hook Characteristics;
pOldFunc = pCharacteristics->ReceivePacketHandler;

(pOldFunc)
pCharacteristics->ReceivePacketHandler = pfuncNew
;
}

;
default:

;
}

pOldFunc;
}
下面

挂接PNDIS_OPEN_BLOCK结构里

ReceiveHandler和ReceivePacketHandler
PVOID
HookBlockFunc(
PNDIS_OPEN_BLOCK pFirstOpenBlock,
DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
RECEIVE_HANDLER * pReceiveHandler = NULL;

RECEIVE_PACKET_HANDLER * pReceivePacketHandler = NULL;
// PVOID pFuncHandler = NULL;
PVOID pOldFunc = NULL;
PNDIS_OPEN_BLOCK pOpenBlock = pFirstOpenBlock;

(!pFirstOpenBlock)

NULL;

(!pfuncNew )

NULL;
switch(dwFunctionCode)
{

PROTO_RECEIVE_HANDLER:
//travel all NDIS_OPEN_BLOCK
for(;pOpenBlock;pOpenBlock = GetNextBlock( pOpenBlock,dwNdisVersi
on ))
{
pReceiveHandler = GetReceiveHandler(pOpenBlock,dwNdisVers
ion);
//Just hook _disibledevent=> {
pOldFunc = *pReceiveHandler;
*pReceiveHandler = pfuncNew;
}

(dwNdisVersion

0x00040001)//win2k ????
{
pReceiveHandler = GetPostNt31ReceiveHandler(pOpen
Block,dwNdisVersion);

( *pReceiveHandler != pfuncNew )
{
pOldFunc = *pReceiveHandler;
*pReceiveHandler = pfuncNew;
}
}
}

;

PROTO_RECEIVE_PACKET_HANDLER:
//travel all NDIS_OPEN_BLOCK
for(;pOpenBlock;pOpenBlock = GetNextBlock( pOpenBlock,dwNdisVersi

on ))
pReceivePacketHandler = GetReceivePacketHandler( pOpenBlo
ck,dwNdisVersion
);
//Just hook _disibledevent=> {
pOldFunc = *pReceivePacketHandler;
*pReceivePacketHandler = pfuncNew;
}
}

;

default:

;
}

pOldFunc;
}

bsp; &PChars,

(NDIS_PROTOCOL_CHARACTERIS
TICS));
ASSERT(Status

NDIS_STATUS_SUCCESS);

(Status

NDIS_STATUS_SUCCESS)

ProtHandle;

NULL;
}
下面

挂接PNDIS_PROTOCOL_BLOCK中PNDIS_PROTOCOL_CHARACTERISTICS结构

R
ec
eiveHandler和ReceivePacketHandler
PVOID
HookProtoFunc(
PNDIS_PROTOCOL_CHARACTERISTICS pCharacteristics,
DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
PVOID pOldFunc = NULL;
//Check parameters

( (!pCharacteristics ) || (!pfuncNew) )

NULL;
switch(dwFunctionCode)
{

PROTO_RECEIVE_HANDLER:
//Just hook _disibledevent=> {
pOldFunc = pCharacteristics->ReceiveHandler;

( pOldFunc )

pCharacteristics->ReceiveHandler = pfuncNew;
}

;

PROTO_RECEIVE_PACKET_HANDLER:

(pCharacteristics->ReceivePacketHandler != pfuncNew)
{
//

pOpenBlock is NULL or pOpenBlock->ReceivePacketHandl
er is NULL,
//just hook Characteristics;
pOldFunc = pCharacteristics->ReceivePacketHandler;

(pOldFunc)
pCharacteristics->ReceivePacketHandler = pfuncNew
;
}

;
default:

;
}

pOldFunc;
}
下面

挂接PNDIS_OPEN_BLOCK结构里

ReceiveHandler和ReceivePacketHandler
PVOID
HookBlockFunc(
PNDIS_OPEN_BLOCK pFirstOpenBlock,
DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
RECEIVE_HANDLER * pReceiveHandler = NULL;
RECEIVE_PACKET_HANDLER * pReceivePacketHandler = NULL;
// PVOID pFuncHandler = NULL;
PVOID pOldFunc = NULL;
PNDIS_OPEN_BLOCK pOpenBlock = pFirstOpenBlock;

(!pFirstOpenBlock)

NULL;

(!pfuncNew )

NULL;
switch(dwFunctionCode)
{

PROTO_RECEIVE_HANDLER:
//travel all NDIS_OPEN_BLOCK
for(;pOpenBlock;pOpenBlock = GetNextBlock( pOpenBlock,dwNdisVersi
on ))
{
pReceiveHandler = GetReceiveHandler(pOpenBlock,dwNdisVers
ion);
//Just hook _disibledevent=>

{
pOldFunc = *pReceiveHandler;
*pReceiveHandler = pfuncNew;
}

(dwNdisVersion

0x00040001)//win2k ????
{
pReceiveHandler = GetPostNt31ReceiveHandler(pOpen
Block,dwNdisVersion);

( *pReceiveHandler != pfuncNew )
{
pOldFunc = *pReceiveHandler;
*pReceiveHandler = pfuncNew;
}
}
}

;

PROTO_RECEIVE_PACKET_HANDLER:
//travel all NDIS_OPEN_BLOCK
for(;pOpenBlock;pOpenBlock = GetNextBlock( pOpenBlock,dwNdisVersi
on ))
pReceivePacketHandler = GetReceivePacketHandler( pOpenBlo
ck,dwNdisVersion
);
//Just hook _disibledevent=> {
pOldFunc = *pReceivePacketHandler;
*pReceivePacketHandler = pfuncNew;
}
}

;

default:

;
}

pOldFunc;
}

bsp; &PChars,

(NDIS_PROTOCOL_CHARACTERIS
TICS));
ASSERT(Status

NDIS_STATUS_SUCCESS);

(Status

NDIS_STATUS_SUCCESS)

ProtHandle;

NULL;
}
下面

挂接PNDIS_PROTOCOL_BLOCK中PNDIS_PROTOCOL_CHARACTERISTICS结构

R
ec
eiveHandler和ReceivePacketHandler
PVOID
HookProtoFunc(
PNDIS_PROTOCOL_CHARACTERISTICS pCharacteristics,
DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
PVOID pOldFunc = NULL;
//Check parameters

( (!pCharacteristics ) || (!pfuncNew) )

NULL;
switch(dwFunctionCode)
{

PROTO_RECEIVE_HANDLER:
//Just hook _disibledevent=> {
pOldFunc = pCharacteristics->ReceiveHandler;

( pOldFunc )
pCharacteristics->ReceiveHandler = pfuncNew;
}

;

PROTO_RECEIVE_PACKET_HANDLER:

(pCharacteristics->ReceivePacketHandler != pfuncNew)
{
//

pOpenBlock is NULL or pOpenBlock->ReceivePacketHandl
er is NULL,
//just hook Characteristics;
pOldFunc = pCharacteristics->ReceivePacketHandler;

(pOldFunc)
pCharacteristics->ReceivePacketHandler = pfuncNew

;
}

;
default:

;
}

pOldFunc;
}
下面

挂接PNDIS_OPEN_BLOCK结构里

ReceiveHandler和ReceivePacketHandler
PVOID
HookBlockFunc(
PNDIS_OPEN_BLOCK pFirstOpenBlock,
DWORD dwFunctionCode,
PVOID pfuncNew,
DWORD dwNdisVersion)
{
RECEIVE_HANDLER * pReceiveHandler = NULL;
RECEIVE_PACKET_HANDLER * pReceivePacketHandler = NULL;
// PVOID pFuncHandler = NULL;
PVOID pOldFunc = NULL;
PNDIS_OPEN_BLOCK pOpenBlock = pFirstOpenBlock;

(!pFirstOpenBlock)

NULL;

(!pfuncNew )

NULL;
switch(dwFunctionCode)
{

(dwNdisVersion

0x00040001)//win2k ????
{
pReceiveHandler = GetPostNt31ReceiveHandler(pOpen
Block,dwNdisVersion);

( *pReceiveHandler != pfuncNew )
{

pOldFunc = *pReceiveHandler;
*pReceiveHandler = pfuncNew;
}
}
}

;

PROTO_RECEIVE_PACKET_HANDLER:
//travel all NDIS_OPEN_BLOCK
for(;pOpenBlock;pOpenBlock = GetNextBlock( pOpenBlock,dwNdisVersi
on ))
pReceivePacketHandler = GetReceivePacketHandler( pOpenBlo
ck,dwNdisVersion
);
//Just hook _disibledevent=> {
pOldFunc = *pReceivePacketHandler;
*pReceivePacketHandler = pfuncNew;
}
}

;

default:

;
}

pOldFunc;
}

Tags: 数据包拦截工具如何拦截数据包数据拦截数据包拦截

数据包拦截:Windows下网络数据报的监听和拦截技术

延伸阅读

最新评论

发表评论

赞助商广告

随机更新

热门标注

最近更新

最新标注