本程序的目的: 通过过滤TDI的IRP_MJ_Create请求,得到网络连接的Ip地址,我在过滤分发函数中设置了 完成函数,可是 该完成函数不被调用,还请高手看看 ?
#include <ntddk.h>
#include <tdikrnl.h>
//#include "filterfun.h"
PDEVICE_OBJECT
gTcpfltObj = NULL,
gUdpfltObj = NULL,
gIpfltObj = NULL,
gTcpOldObj = NULL,
gUdpOldObj = NULL,
gIpOldObj = NULL,
g_devcontrol = NULL;
void
d_n_d_device(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT oldobj, PDEVICE_OBJECT fltobj);
unsigned long ntohl_me (unsigned long netlong);
unsigned short ntohs_me (unsigned short netshort);
NTSTATUS DeviceDispatch( PDEVICE_OBJECT DeviceObject, PIRP irp );
NTSTATUS DeviceCreateFilter( PDEVICE_OBJECT DeviceObject, PIRP irp );
NTSTATUS DeviceControlFilter( PDEVICE_OBJECT DeviceObject, PIRP irp );
NTSTATUS DeviceInternalControlFilter( PDEVICE_OBJECT DeviceObject, PIRP irp );
NTSTATUS DeviceCloseFilter( PDEVICE_OBJECT DeviceObject, PIRP irp );
NTSTATUS DeviceCleanUpFilter( PDEVICE_OBJECT DeviceObject, PIRP irp );
PDEVICE_OBJECT GetOrginalDeviceObject( PDEVICE_OBJECT FilterObject);
NTSTATUS tdi_create_addrobj_complete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);
NTSTATUS tdi_create_addrobj_complete2(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context);
NTSTATUS CreateDeviceAndAttach(
PDRIVER_OBJECT DriverObject,
PDEVICE_OBJECT *NewDevice,
PDEVICE_OBJECT *AttatchDevie,
PWSTR DeviceName);
void OnUnload( PDRIVER_OBJECT DriverObject )
{
d_n_d_device(DriverObject, gTcpOldObj, gTcpfltObj );
d_n_d_device(DriverObject, gUdpOldObj, gUdpfltObj );
d_n_d_device(DriverObject, gIpOldObj, gIpfltObj );
// delete control device and symbolic link
if (g_devcontrol != NULL) {
UNICODE_STRING linkname;
RtlInitUnicodeString(&linkname, L"\\??\\tdifw");
IoDeleteSymbolicLink(&linkname);
IoDeleteDevice(g_devcontrol);
}
}
NTSTATUS DriverEntry( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath )
{
NTSTATUS status;
UNICODE_STRING name;
UNICODE_STRING linkname;
int i ;
for ( i = 0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
{
DriverObject->MajorFunction[i] = DeviceDispatch;
}
DriverObject->DriverUnload = OnUnload;
RtlInitUnicodeString(&name, L"\\Device\\tdifw");
status = IoCreateDevice(DriverObject,
0,
&name,
0,
0,
TRUE, // exclusive!
&g_devcontrol);
if (status != STATUS_SUCCESS) {
KdPrint(("[tdi_fw] DriverEntry: IoCreateDevice(control): 0x%x!\n", status));
return status;
}
RtlInitUnicodeString(&linkname, L"\\??\\tdifw");
status = IoCreateSymbolicLink(&linkname, &name);
if (status != STATUS_SUCCESS) {
KdPrint(("[tdi_fw] DriverEntry: IoCreateSymbolicLink: 0x%x!\n", status));
return status;
}
status = CreateDeviceAndAttach(DriverObject, &gTcpfltObj, &gTcpOldObj, L"\\DEVICE\\TCP" );
if( status != STATUS_SUCCESS )
{
KdPrint(("DriverEntry: CreateDeviceAndAttach(%s): 0x%x\n", L"\\DEVICE\\TCP", status ));
return status;
}
status = CreateDeviceAndAttach(DriverObject, &gUdpfltObj, &gUdpOldObj, L"\\DEVICE\\UDP" );
if( status != STATUS_SUCCESS )
{
KdPrint(("DriverEntry: CreateDeviceAndAttach(%s): 0x%x\n", L"\\DEVICE\\UDP", status ));
return status;
}
status = CreateDeviceAndAttach(DriverObject, &gIpfltObj, &gIpOldObj, L"\\DEVICE\\RAWIp" );
if( status != STATUS_SUCCESS )
{
KdPrint(("DriverEntry: CreateDeviceAndAttach(%s): 0x%x\n", L"\\DEVICE\\RAWIp", status ));
return status;
}
KdPrint(("DriverEntry OK\n"));
return STATUS_SUCCESS;
}
NTSTATUS CreateDeviceAndAttach(
PDRIVER_OBJECT DriverObject,
PDEVICE_OBJECT *NewDevice,
PDEVICE_OBJECT *AttatchDevice,
PWSTR DeviceName)
{
NTSTATUS status;
UNICODE_STRING OrginalDeviceName;
status = IoCreateDevice(DriverObject, 0, NULL, FILE_DEVICE_UNKNOWN, 0, TRUE, NewDevice );
if( status != STATUS_SUCCESS )
{
KdPrint(("CreateDeviceAndAttach: IoCreateDevice(%s): 0x%x\n", DeviceName, status ));
return status;
}
(*NewDevice)->Flags |= DO_DIRECT_IO;
RtlInitUnicodeString(&OrginalDeviceName, DeviceName );
status = IoAttachDevice(*NewDevice, &OrginalDeviceName, AttatchDevice );
if( status != STATUS_SUCCESS )
{
KdPrint(("CreateDeviceAndAttach: IoAttachDevice(%s): 0x%x\n", DeviceName, status ));
return status;
}
return STATUS_SUCCESS;
}
NTSTATUS DeviceDispatch( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PIO_STACK_LOCATION irps;
irps = IoGetCurrentIrpStackLocation( irp );
switch( irps->MajorFunction )
{
case IRP_MJ_CREATE:
DeviceCreateFilter(DeviceObject, irp );
break;
case IRP_MJ_DEVICE_CONTROL:
DeviceControlFilter(DeviceObject, irp );
break;
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
DeviceInternalControlFilter(DeviceObject, irp );
break;
case IRP_MJ_CLOSE:
DeviceCloseFilter(DeviceObject, irp );
break;
case IRP_MJ_CLEANUP:
DeviceCleanUpFilter( DeviceObject, irp );
break;
default:
break;
}
return STATUS_SUCCESS;
}
//====================================================================================
//
//
//
// for filter function implement
//
//
//
//
//
//
//===================================================================================
struct completion {
PIO_COMPLETION_ROUTINE routine;
PVOID context;
};
NTSTATUS DeviceCreateFilter( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PIRP query_irp;
struct completion CompletionContext;
FILE_FULL_EA_INFORMATION * ea = (FILE_FULL_EA_INFORMATION *)irp->AssociatedIrp.SystemBuffer;
PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( irp );
PIO_STACK_LOCATION NextIrps ;
PDEVICE_OBJECT OrginalObject;
OrginalObject = GetOrginalDeviceObject( irps->DeviceObject );
if( irp == NULL )
{
return STATUS_SUCCESS;
}
if( NULL == OrginalObject )
{
if( irp->IoStatus.Status == STATUS_SUCCESS )
{
status = irp->IoStatus.Status = STATUS_ACCESS_DENIED;
}
else
{
status = irp->IoStatus.Status;
}
IoCompleteRequest (irp, IO_NO_INCREMENT);
return status;
}
if( ea == NULL )
{
IoSkipCurrentIrpStackLocation(irp);
IoCallDriver( OrginalObject, irp);
return STATUS_SUCCESS;
}
KdPrint(("DeviceCreateFilter\n"));
[COLOR="Red"] if( ea->EaNameLength == TDI_TRANSPORT_ADDRESS_LENGTH &&
memcmp( ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH ) ==0 )
{//传输层地址的生成
query_irp = TdiBuildInternalDeviceControlIrp( TDI_QUERY_INFORMATION, OrginalObject, irps->FileObject, NULL, NULL );
if( query_irp == NULL )
{
KdPrint(("DeviceCreateFilter TdiBuildInternalDeviceControlIrp Fail\n" ));
return STATUS_UNSUCCESSFUL;
}
KdPrint( ("TdiBuildInternalDeviceControlIrp OK\n") );
CompletionContext.context = query_irp;
CompletionContext.routine = tdi_create_addrobj_complete;
IoSetCompletionRoutine( irp, CompletionContext.routine, CompletionContext.context, TRUE, TRUE,TRUE );
KdPrint(("IoSetCompletionRoutine OK\n"));
IoCopyCurrentIrpStackLocationToNext(irp );
IoCallDriver( OrginalObject, irp );
}[/COLOR] else if( ea->EaNameLength == TDI_CONNECTION_CONTEXT_LENGTH &&
memcmp( ea->EaName, TdiConnectionContext, TDI_CONNECTION_CONTEXT_LENGTH ) ==0 )
{//连接终端的生成
IoSkipCurrentIrpStackLocation( irp );
IoCallDriver( OrginalObject, irp );
}
return STATUS_SUCCESS;
}
NTSTATUS DeviceControlFilter( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PDEVICE_OBJECT OrginalDevice = GetOrginalDeviceObject(DeviceObject);
IoSkipCurrentIrpStackLocation( irp );
IoCallDriver( OrginalDevice, irp );
// KdPrint(("DeviceControlFilter\n"));
return STATUS_SUCCESS;
}
NTSTATUS DeviceInternalControlFilter( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PDEVICE_OBJECT OrginalDevice = GetOrginalDeviceObject(DeviceObject);
IoSkipCurrentIrpStackLocation( irp );
IoCallDriver( OrginalDevice, irp );
// KdPrint(("DeviceInternalControlFilter\n"));
return STATUS_SUCCESS;
}
NTSTATUS DeviceCloseFilter( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PDEVICE_OBJECT OrginalDevice = GetOrginalDeviceObject(DeviceObject);
IoSkipCurrentIrpStackLocation( irp );
IoCallDriver( OrginalDevice, irp );
// KdPrint(("DeviceCloseFilter\n"));
return STATUS_SUCCESS;
}
NTSTATUS DeviceCleanUpFilter( PDEVICE_OBJECT DeviceObject, PIRP irp )
{
NTSTATUS status;
PDEVICE_OBJECT OrginalDevice = GetOrginalDeviceObject(DeviceObject);
IoSkipCurrentIrpStackLocation( irp );
IoCallDriver( OrginalDevice, irp );
// KdPrint(("DeviceCleanUpFilter\n"));
return STATUS_SUCCESS;
}
PDEVICE_OBJECT GetOrginalDeviceObject( PDEVICE_OBJECT FilterObject)
{
PDEVICE_OBJECT result;
if ( FilterObject == gTcpfltObj )
{
result = gTcpOldObj;
}
else if( FilterObject == gUdpfltObj )
{
result = gUdpOldObj;
}
else if( FilterObject == gIpfltObj )
{
result = gIpOldObj;
}
else
{
result = NULL;
}
return result;
}
NTSTATUS
tdi_create_addrobj_complete(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
NTSTATUS status;
PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( Irp );
PIRP query_irp =(PIRP) Context;
PDEVICE_OBJECT devobj = GetOrginalDeviceObject(irps->DeviceObject);
TDI_ADDRESS_INFO* tdi;
PMDL mdl;
tdi = (TDI_ADDRESS_INFO *)ExAllocatePool(NonPagedPool, sizeof( TDI_ADDRESS_INFO));
if (tdi == NULL) {
KdPrint(("[tdi_fw] tdi_create_addrobj_complete: ExAllocatePool!\n"));
status = STATUS_INSUFFICIENT_RESOURCES;
return status;
}
KdPrint(("tdi_create_addrobj_complete : ExAllocatePool\n"));
mdl = IoAllocateMdl(tdi, sizeof(TDI_ADDRESS_INFO), FALSE, FALSE, NULL);
if (mdl == NULL) {
KdPrint(("[tdi_fw] tdi_create_addrobj_complete: IoAllocateMdl!\n"));
status = STATUS_INSUFFICIENT_RESOURCES;
return status;
}
MmBuildMdlForNonPagedPool(mdl);
TdiBuildQueryInformation(query_irp, devobj, irps->FileObject, tdi_create_addrobj_complete2, Context,
TDI_QUERY_ADDRESS_INFO, mdl );
KdPrint(("tdi_create_addrobj_complete : TdiBuildQueryInformation\n"));
IoCallDriver( devobj, query_irp );
return STATUS_SUCCESS;
}
NTSTATUS
tdi_create_addrobj_complete2(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context)
{
NTSTATUS status = STATUS_SUCCESS;
KdPrint(("tdi_create_addrobj_complete2 OK\n"));
if( Irp->MdlAddress )
{
TDI_ADDRESS_INFO *tdi = (TDI_ADDRESS_INFO*) MmGetSystemAddressForMdl( Irp->MdlAddress );
TA_ADDRESS * addr = tdi->Address.Address;
KdPrint(("Address: %x%u\n", ntohl_me(((TDI_ADDRESS_IP*)(addr->Address))->in_addr), ntohs_me(((TDI_ADDRESS_IP*)(addr->Address))->sin_port) ));
}
return status;
}
unsigned long
ntohl_me (unsigned long netlong)
{
unsigned long result = 0;
((char *)&result)[0] = ((char *)&netlong)[3];
((char *)&result)[1] = ((char *)&netlong)[2];
((char *)&result)[2] = ((char *)&netlong)[1];
((char *)&result)[3] = ((char *)&netlong)[0];
return result;
}
unsigned short
ntohs_me (unsigned short netshort)
{
unsigned short result = 0;
((char *)&result)[0] = ((char *)&netshort)[1];
((char *)&result)[1] = ((char *)&netshort)[0];
return result;
}
void
d_n_d_device(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT oldobj, PDEVICE_OBJECT fltobj)
{
if (oldobj != NULL)
IoDetachDevice(oldobj);
if (fltobj != NULL)
IoDeleteDevice(fltobj);
}
[课程]Linux pwn 探索篇!