[分享][分享]Windows 7下的NDIS-HOOK的重要结构:NDIS_PROTOCOL_BLOCK
发表于: 2010-4-20 03:15 6392

好像都没发过帖子,今天发一个。。。
NDIS-HOOK中协议表(NDIS_PROTOCOL_BLOCK)的结构至关重要,但它却是非公开的,而且随系统版本的不同也会产生变化,XP和Windows7的协议表的结构就差好多。
网上很难找到NDIS_PROTOCOL_BLOCK的结构定义,曾看到过一位牛人dump出这个结构。
不过这些东西都在pdb文件里,真不懂微软的“非公开”还有什么意义。

以下是Windows 7的NDIS_PROTOCOL_BLOCK(从注释中的偏移量和4字节指针来看,是32位系统上的布局)。原帖用红色标出了三个字段,它们是HOOK的关键点(本页文本没有保留颜色标记);具体的内容太多,就不在这里多讲了。注释中偏移量相同的成员共用同一块存储(即union)。

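/*
 * NDIS_PROTOCOL_BLOCK as dumped for Windows 7; total size 0x188.
 *
 * The trailing comment on each member is "+offset(size)". Every pointer is
 * 4 bytes, so this layout describes a 32-bit (x86) build only.
 *
 * The structure is NDIS-internal and undocumented, and its layout changes
 * between Windows versions. Treat the offsets as valid only for the exact
 * ndis.sys build they were taken from and re-check them against that build's
 * symbols before relying on them; a stale offset in kernel mode reads or
 * writes the wrong field.
 *
 * Members that carry the same offset are alternative views of one slot. They
 * are grouped in anonymous unions here so that the compiled layout matches
 * the annotated offsets; listed as consecutive members they would each take
 * their own slot and shift everything after them.
 *
 * The function pointers are the protocol driver's registered entry points.
 * For integrity checking, a pointer that does not resolve inside the image
 * of the driver that owns the block is worth investigating. Code that needs
 * to inspect or filter traffic has supported routes (an NDIS lightweight
 * filter driver or the Windows Filtering Platform) that do not depend on
 * this private layout.
 */
struct _NDIS_PROTOCOL_BLOCK // 0x188
{
    struct _NDIS_OBJECT_HEADER Header; // +0x0(0x4)
    void* ProtocolDriverContext; // +0x4(0x4)
    struct _NDIS_PROTOCOL_BLOCK* NextProtocol; // +0x8(0x4)
    struct _NDIS_OPEN_BLOCK* OpenQueue; // +0xc(0x4)
    struct _REFERENCE Ref; // +0x10(0x8)
    BYTE MajorNdisVersion; // +0x18(0x1)
    BYTE MinorNdisVersion; // +0x19(0x1)
    BYTE MajorDriverVersion; // +0x1a(0x1)
    BYTE MinorDriverVersion; // +0x1b(0x1)
    DWORD Reserved; // +0x1c(0x4)
    DWORD Flags; // +0x20(0x4)
    struct _UNICODE_STRING Name; // +0x24(0x8)
    BYTE IsIPv4; // +0x2c(0x1)
    BYTE IsIPv6; // +0x2d(0x1)
    BYTE IsNdisTest6; // +0x2e(0x1)
    /* +0x2f: one byte of alignment padding before the first pointer. */

    /* Handlers taking the ...Ex / NET_BUFFER_LIST style arguments. */
    int (__stdcall * BindAdapterHandlerEx)(void*, void*, struct _NDIS_BIND_PARAMETERS*); // +0x30(0x4)
    int (__stdcall * UnbindAdapterHandlerEx)(void*, void*); // +0x34(0x4)
    void (__stdcall * OpenAdapterCompleteHandlerEx)(void*, int); // +0x38(0x4)
    void (__stdcall * CloseAdapterCompleteHandlerEx)(void*); // +0x3c(0x4)
    union // +0x40: one slot, two signatures
    {
        int (__stdcall * PnPEventHandler)(void*, struct _NET_PNP_EVENT*); // +0x40(0x4)
        int (__stdcall * NetPnPEventHandler)(void*, struct _NET_PNP_EVENT_NOTIFICATION*); // +0x40(0x4)
    };
    void (__stdcall * UnloadHandler)(void); // +0x44(0x4)
    void (__stdcall * UninstallHandler)(void); // +0x48(0x4)
    void (__stdcall * RequestCompleteHandler)(void*, struct _NDIS_REQUEST*, int); // +0x4c(0x4)
    union // +0x50: one slot, two signatures
    {
        void (__stdcall * StatusHandlerEx)(void*, struct _NDIS_STATUS_INDICATION*); // +0x50(0x4)
        void (__stdcall * StatusHandler)(void*, int, void*, DWORD); // +0x50(0x4)
    };
    void (__stdcall * StatusCompleteHandler)(void*); // +0x54(0x4)
    void (__stdcall * ReceiveNetBufferListsHandler)(void*, struct _NET_BUFFER_LIST*, ULONG, ULONG, ULONG); // +0x58(0x4)
    void (__stdcall * SendNetBufferListsCompleteHandler)(void*, struct _NET_BUFFER_LIST*, ULONG); // +0x5c(0x4)
    union // +0x60: one slot, two signatures
    {
        void (__stdcall * CoStatusHandlerEx)(void*, void*, struct _NDIS_STATUS_INDICATION*); // +0x60(0x4)
        void (__stdcall * CoStatusHandler)(void*, void*, int, void*, DWORD); // +0x60(0x4)
    };
    void (__stdcall * CoAfRegisterNotifyHandler)(void*, struct CO_ADDRESS_FAMILY*); // +0x64(0x4)
    void (__stdcall * CoReceiveNetBufferListsHandler)(void*, void*, struct _NET_BUFFER_LIST*, ULONG, ULONG); // +0x68(0x4)
    void (__stdcall * CoSendNetBufferListsCompleteHandler)(void*, struct _NET_BUFFER_LIST*, ULONG); // +0x6c(0x4)

    /* Handlers taking NDIS_PACKET / NDIS_WAN_PACKET style arguments. */
    void (__stdcall * OpenAdapterCompleteHandler)(void*, int, int); // +0x70(0x4)
    void (__stdcall * CloseAdapterCompleteHandler)(void*, int); // +0x74(0x4)
    union // +0x78: one slot, two signatures
    {
        void (__stdcall * SendCompleteHandler)(void*, struct _NDIS_PACKET*, int); // +0x78(0x4)
        void (__stdcall * WanSendCompleteHandler)(void*, struct _NDIS_WAN_PACKET*, int); // +0x78(0x4)
    };
    union // +0x7c: one slot, two signatures
    {
        void (__stdcall * TransferDataCompleteHandler)(void*, struct _NDIS_PACKET*, int, DWORD); // +0x7c(0x4)
        void (__stdcall * WanTransferDataCompleteHandler)(void); // +0x7c(0x4)
    };
    void (__stdcall * ResetCompleteHandler)(void*, int); // +0x80(0x4)
    union // +0x84: one slot, two signatures
    {
        int (__stdcall * ReceiveHandler)(void*, void*, void*, DWORD, void*, DWORD, DWORD); // +0x84(0x4)
        int (__stdcall * WanReceiveHandler)(void*, BYTE*, ULONG); // +0x84(0x4)
    };
    void (__stdcall * ReceiveCompleteHandler)(void*); // +0x88(0x4)
    int (__stdcall * ReceivePacketHandler)(void*, struct _NDIS_PACKET*); // +0x8c(0x4)
    void (__stdcall * BindAdapterHandler)(int*, void*, struct _UNICODE_STRING*, void*, void*); // +0x90(0x4)
    void (__stdcall * UnbindAdapterHandler)(int*, void*, void*); // +0x94(0x4)
    void (__stdcall * CoSendCompleteHandler)(int, void*, struct _NDIS_PACKET*); // +0x98(0x4)
    DWORD (__stdcall * CoReceivePacketHandler)(void*, void*, struct _NDIS_PACKET*); // +0x9c(0x4)
    void (__stdcall * OidRequestCompleteHandler)(void*, struct _NDIS_OID_REQUEST*, int); // +0xa0(0x4)

    /* Work item, mutex and binding bookkeeping. */
    struct _WORK_QUEUE_ITEM WorkItem; // +0xa4(0x10)
    struct _KMUTANT Mutex; // +0xb4(0x20)
    void* MutexOwnerThread; // +0xd4(0x4)
    ULONG MutexOwnerCount; // +0xd8(0x4)
    ULONG MutexOwner; // +0xdc(0x4)
    struct _UNICODE_STRING* BindDeviceName; // +0xe0(0x4)
    struct _UNICODE_STRING* RootDeviceName; // +0xe4(0x4)
    struct _NDIS_M_DRIVER_BLOCK* AssociatedMiniDriver; // +0xe8(0x4)
    struct _NDIS_MINIPORT_BLOCK* BindingAdapter; // +0xec(0x4)
    struct _KEVENT* DeregEvent; // +0xf0(0x4)
    union // +0xf4: the larger view (0x54) sets the slot size, so the next member is at +0x148
    {
        struct _NDIS_CO_CLIENT_OPTIONAL_HANDLERS ClientChars; // +0xf4(0x54)
        struct _NDIS_CO_CALL_MANAGER_OPTIONAL_HANDLERS CallMgrChars; // +0xf4(0x4c)
    };

    /* Offload completion and event handlers. */
    void (__stdcall * InitiateOffloadCompleteHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*); // +0x148(0x4)
    void (__stdcall * TerminateOffloadCompleteHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*); // +0x14c(0x4)
    void (__stdcall * UpdateOffloadCompleteHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*); // +0x150(0x4)
    void (__stdcall * InvalidateOffloadCompleteHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*); // +0x154(0x4)
    void (__stdcall * QueryOffloadCompleteHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*); // +0x158(0x4)
    void (__stdcall * IndicateOffloadEventHandler)(void*, struct _NDIS_PROTOCOL_OFFLOAD_BLOCK_LIST*, ULONG); // +0x15c(0x4)
    void (__stdcall * TcpOffloadSendCompleteHandler)(void*, struct _NET_BUFFER_LIST*); // +0x160(0x4)
    void (__stdcall * TcpOffloadReceiveCompleteHandler)(void*, struct _NET_BUFFER_LIST*); // +0x164(0x4)
    void (__stdcall * TcpOffloadDisconnectCompleteHandler)(void*, struct _NET_BUFFER_LIST*); // +0x168(0x4)
    void (__stdcall * TcpOffloadForwardCompleteHandler)(void*, struct _NET_BUFFER_LIST*); // +0x16c(0x4)
    void (__stdcall * TcpOffloadEventHandler)(void*, ULONG, ULONG); // +0x170(0x4)
    int (__stdcall * TcpOffloadReceiveIndicateHandler)(void*, struct _NET_BUFFER_LIST*, int, ULONG*); // +0x174(0x4)
    void (__stdcall * DirectOidRequestCompleteHandler)(void*, struct _NDIS_OID_REQUEST*, int); // +0x178(0x4)
    int (__stdcall * AllocateSharedMemoryHandler)(void*, struct _NDIS_SHARED_MEMORY_PARAMETERS*, void**); // +0x17c(0x4)
    void (__stdcall * FreeSharedMemoryHandler)(void*, void*); // +0x180(0x4)
    void* AllocateSharedMemoryContext; // +0x184(0x4)
};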
