passthru发包问题-¥付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] passthru发包问题 0.00雪花

2010-2-4 12:48 5180

[旧帖] passthru发包问题 0.00雪花

maccoray

2010-2-4 12:48

5180

最近接触到一个需求，就是要在每个SYN包前面发送一个自定义用户包，实现代码如下，可是会蓝屏，不知道什么原因，请高手指点：
方法一：
在MPSendPackets一开始的地方就填入如下代码：

PNDIS_PACKET MyPkt1;
PNDIS_BUFFER MyPktBuf1;
PMDL MyPktMDL;
if (pAdapt->PTDeviceState > NdisDeviceStateD0)
{
return;
}

NdisAllocatePacket(&Status,
&MyPkt1,pAdapt->SendPacketPoolHandle);

if(NT_SUCCESS(Status))
{
PSEND_RSVD SendRsvd;
//NdisAllocateBuffer(&Status,&MyPktBuf1,pAdapt->SendPacketPoolHandle,"1234567890",10);
MyPktMDL=IoAllocateMdl("1234567890",10,FALSE,FALSE,NULL);
MmBuildMdlForNonPagedPool(MyPktMDL);
MyPktBuf1=MyPktMDL;
NdisChainBufferAtFront(MyPkt1,MyPktBuf1);
MyPkt1->Private.Head=NULL;
MyPkt1->Private.Tail=NULL;
NdisSetPacketFlags(MyPkt1,NDIS_FLAGS_DONT_LOOPBACK);

SendRsvd = (PSEND_RSVD)(MyPkt1->ProtocolReserved);
SendRsvd->MyPktMDL=MyPktMDL;
NdisSend(&Status,pAdapt->BindingHandle,MyPkt1);//就在这里蓝屏了
}

方法二：
这一段是网上的代码。其实我觉得还是比较有问题的，
其中
NdisAllocatePacket(&status, &pSendPacket, NdisSendPacketPool);
和
NdisAllocateBuffer( &status,
&pSendPacketBuffer,
NdisSendPacketPool,
pSendBuffer,
dwSendBufferLength );
用的都是NdisSendPacketPool，但是我们知道NdisSendPacketPool和NdisSendBufferPool是两个概念。

NDIS_STATUS
MySendPacket (
NDIS_HANDLE    NdisBindingHandle,
NDIS_HANDLE    NdisSendPacketPool,
PVOID          pBuffer,
ULONG          dwBufferLength
)
{
NDIS_STATUS    status;
PNDIS_PACKET pSendPacket = NULL;
PNDIS_BUFFER pSendPacketBuffer = NULL;
PUCHAR       pSendBuffer = NULL;
ULONG          dwSendBufferLength;
NDIS_PHYSICAL_ADDRESS HighestAcceptableAddress;
PSEND_RSVD    SendRsvd = NULL;

if (!NdisBindingHandle)
return NDIS_STATUS_FAILURE;

if (!pBuffer)
return NDIS_STATUS_FAILURE;

if (dwBufferLength > 1024)
return NDIS_STATUS_FAILURE;

HighestAcceptableAddress.QuadPart = -1;
dwSendBufferLength = max(dwBufferLength, 14);

status = NdisAllocateMemory(&pSendBuffer, dwSendBufferLength, 0, HighestAcceptableAddress);
if (status != NDIS_STATUS_SUCCESS)
{
return status;
}

RtlZeroMemory(pSendBuffer, dwSendBufferLength);
RtlMoveMemory(pSendBuffer, pBuffer, dwSendBufferLength);

NdisAllocatePacket(&status, &pSendPacket, NdisSendPacketPool);
if (status != NDIS_STATUS_SUCCESS)
{
NdisFreeMemory(pSendBuffer, dwSendBufferLength, 0);

return status;
}

NdisAllocateBuffer( &status,
&pSendPacketBuffer,
NdisSendPacketPool,
pSendBuffer,
dwSendBufferLength );
if (status != NDIS_STATUS_SUCCESS)
{
NdisFreeMemory(pSendBuffer, dwSendBufferLength, 0);
NdisDprFreePacket(pSendPacket);

return status;
}

NdisChainBufferAtFront(pSendPacket, pSendPacketBuffer);

SendRsvd = (PSEND_RSVD)(pSendPacket->ProtocolReserved);
SendRsvd->OriginalPkt = NULL; //注意这里

pSendPacket->Private.Head->Next=NULL;
pSendPacket->Private.Tail=NULL;

//NDIS_SET_PACKET_HEADER_SIZE(pSendPacket, 14);
NdisSetPacketFlags(pSendPacket, NDIS_FLAGS_DONT_LOOPBACK);

NdisSend(&status, NdisBindingHandle, pSendPacket);//就在这里蓝屏了
if (status != STATUS_PENDING)
{
NdisUnchainBufferAtFront(pSendPacket ,&pSendPacketBuffer);
NdisQueryBufferSafe( pSendPacketBuffer,
(PVOID *)&pSendBuffer,
&dwSendBufferLength,
HighPagePriority );
NdisFreeBuffer(pSendPacketBuffer);
NdisFreeMemory(pSendBuffer, dwSendBufferLength, 0);
NdisDprFreePacket(pSendPacket);
}

return status;
}

最后的结果都是在NdisSend的时候蓝屏。可能有人说在PtSendComplete没有释放造成的，但是我做了释放的代码也一样，而且崩溃的时候并不是在PtSendComplete里面。而是在NdisSend的同时。
下面黏贴两种方法的释放，都放在PtSendComplete的开头处：
第一种方法：
PSEND_RSVD SendRsvd1;
PNDIS_BUFFER pMySendPacketBuffer;
PVOID pMySendBuffer;
UINT dwMySendBufferLength;
SendRsvd1 = (PSEND_RSVD)(Packet->ProtocolReserved);
if(SendRsvd1->MyPktMDL)
{
NdisUnchainBufferAtFront(Packet, &SendRsvd1->MyPktMDL);
IoFreeMdl(SendRsvd1->MyPktMDL);

NdisDprFreePacket(Packet);
NdisMSendComplete(pAdapt->MiniportHandle,
Packet,Status);
return;
}
第二种方法：
PSEND_RSVD SendRsvd1;
PNDIS_BUFFER pMySendPacketBuffer;
PVOID pMySendBuffer;
UINT dwMySendBufferLength;
SendRsvd1 = (PSEND_RSVD)(Packet->ProtocolReserved);
Pkt = SendRsvd1->OriginalPkt;

if (!Pkt)
{
NdisUnchainBufferAtFront(Packet, &pMySendPacketBuffer);

if (pMySendPacketBuffer)
{
NdisQueryBufferSafe( pMySendPacketBuffer,
(PVOID *)&pMySendBuffer,
&dwMySendBufferLength,
HighPagePriority );
if (pMySendBuffer && dwMySendBufferLength)
{
NdisFreeMemory(pMySendBuffer, dwMySendBufferLength,0);
}

NdisFreeBuffer( pMySendPacketBuffer );
}

NdisDprFreePacket(Packet);
NdisMSendComplete(pAdapt->MiniportHandle,
Pkt,Status);
return;
}

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》，视频+靶场+题目！助力进入CTF世界

收藏・1

点赞・0

打赏

最新回复 (1)
maccoray 雪币： 232 活跃值： (10) 能力值： ( LV6，RANK：90 ) 在线值：发帖 15 回帖 42 粉丝 1 关注私信	maccoray 2 2010-2-4 15:13 2 楼 0 有没有人回答，自己先顶一个。
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复