Post #2
I think on Win7 you have to use an IRP hook.
Post #3
Some structures:
// TDI IPv4 address payload: 14 bytes, the same size as sockaddr.sa_data
typedef struct _TDI_ADDRESS_IP {
    USHORT sin_port;        // network byte order
    ULONG  in_addr;         // network byte order
    UCHAR  sin_zero[8];
} TDI_ADDRESS_IP, *PTDI_ADDRESS_IP;

// One transport address: type (TDI_ADDRESS_TYPE_IP == 2 for IPv4) plus variable-length payload
typedef struct _TA_ADDRESS {
    USHORT AddressLength;   // 14 for an IPv4 address
    USHORT AddressType;
    UCHAR  Address[1];      // TDI_ADDRESS_IP follows here for IPv4
} TA_ADDRESS, *PTA_ADDRESS;

typedef struct _TRANSPORT_ADDRESS {
    LONG       TAAddressCount;
    TA_ADDRESS Address[1];
} TRANSPORT_ADDRESS, *PTRANSPORT_ADDRESS;

// Input buffer of the AFD connect IOCTL; 0x22 bytes when RemoteAddress holds one IPv4 address
typedef struct _AFD_CONNECT_INFO {
    BOOLEAN           UseSAN;
    ULONG             Root;
    ULONG             Unknown;
    TRANSPORT_ADDRESS RemoteAddress;
} AFD_CONNECT_INFO, *PAFD_CONNECT_INFO;
Post #4
Getting the port and IP is then done like this:
if (IoControlCode == 0x12007) // AFD connect
{
    // the "real" connect: buffer is a full AFD_CONNECT_INFO carrying one IPv4 address
    if (InputBufferLength == 0x22 && InputBuffer != NULL)
    {
        PAFD_CONNECT_INFO ConnectInfo = (PAFD_CONNECT_INFO)InputBuffer;
        struct sockaddr name;
        RtlZeroMemory(&name, sizeof(struct sockaddr));
        // TDI address type (2 == AF_INET) maps directly onto sa_family
        name.sa_family = ConnectInfo->RemoteAddress.Address[0].AddressType;
        // TDI_ADDRESS_IP {sin_port, in_addr, sin_zero[8]} is 14 bytes, same layout as sa_data
        RtlCopyMemory(&name.sa_data, ConnectInfo->RemoteAddress.Address[0].Address, sizeof(name.sa_data));
        struct sockaddr_in *rIP = (struct sockaddr_in *)&name;
        // port (stored in network byte order):
        int iPort = ntohs(rIP->sin_port);
        // IP:
        LPSTR szIP = inet_ntoa(rIP->sin_addr);
    }
}
Post #5
Er, I didn't read carefully. SSDT? Isn't that an IAT hook?
The code above is used on top of that.
Post #6
The hook approach is about the same; IAT and SSDT don't differ that much.
The key question is how to extract useful information from the buffer.
So far I've only grabbed the TCP IP at connect.
I did the same thing for UDP (the code uses recv and send), not verified yet.
Also, what is that "real connect" about?
Post #7
Establishing a connection actually involves several calls to NtDeviceIoControlFile; only when (InputBufferLength == 0x22) do you get the PAFD_CONNECT_INFO structure and can obtain the IP and port. Check the NT4 source or wherever it was; it's been a long time and I don't remember exactly. This was pulled out of an old piece of code.
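A user-mode parser for the AFD connect buffer described in posts #4 and #7, added here as an example and not code from the thread: it checks the IOCTL code, the 0x22 length, the address count and the TDI address type before decoding port and IPv4 address, which is the validation a monitoring hook should do before trusting a caller-supplied buffer. The *_IP struct names, the Pad field, parse_afd_connect and the sample buffer are my own construction; a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>

#define AFD_CONNECT_IOCTL        0x12007  /* IOCTL tested in post #4 */
#define AFD_CONNECT_INFO_IP_SIZE 0x22     /* AFD_CONNECT_INFO holding one IPv4 TA_ADDRESS */
#define TDI_ADDRESS_TYPE_IP      2        /* same value as AF_INET */
#define TDI_ADDRESS_LENGTH_IP    14       /* sizeof(TDI_ADDRESS_IP) */

/* Packed, fixed-width mirror of the post #3 structures with the TA_ADDRESS payload
 * expanded to the IPv4 case; the *_IP names and the Pad field are mine. */
#pragma pack(push, 1)
typedef struct { uint16_t sin_port; uint32_t in_addr; uint8_t sin_zero[8]; } TDI_ADDRESS_IP;
typedef struct { uint16_t AddressLength; uint16_t AddressType; TDI_ADDRESS_IP Ip; } TA_ADDRESS_IP;
typedef struct { int32_t TAAddressCount; TA_ADDRESS_IP Address[1]; } TRANSPORT_ADDRESS_IP;
typedef struct {
    uint8_t  UseSAN, Pad[3];   /* Pad = the 3 bytes the compiler inserts after BOOLEAN */
    uint32_t Root, Unknown;
    TRANSPORT_ADDRESS_IP RemoteAddress;
} AFD_CONNECT_INFO_IP;
/* compile-time check that the mirror really is 0x22 bytes (negative array size otherwise) */
typedef char afd_size_check[sizeof(AFD_CONNECT_INFO_IP) == AFD_CONNECT_INFO_IP_SIZE ? 1 : -1];
#pragma pack(pop)

typedef struct { uint16_t port; uint8_t ip[4]; } connect_target;

/* Returns 1 and fills *out when (ioctl, buf, len) is an IPv4 AFD connect request,
 * 0 otherwise, so a buffer of the wrong shape is never dereferenced. */
int parse_afd_connect(uint32_t ioctl, const void *buf, size_t len, connect_target *out)
{
    AFD_CONNECT_INFO_IP info;
    const TA_ADDRESS_IP *ta = &info.RemoteAddress.Address[0];
    const uint8_t *pb = (const uint8_t *)&ta->Ip.sin_port;
    if (ioctl != AFD_CONNECT_IOCTL || buf == NULL || out == NULL) return 0;
    if (len != AFD_CONNECT_INFO_IP_SIZE) return 0;
    memcpy(&info, buf, sizeof info);      /* copy out first: never parse a caller's buffer in place */
    if (info.RemoteAddress.TAAddressCount < 1) return 0;
    if (ta->AddressType != TDI_ADDRESS_TYPE_IP || ta->AddressLength != TDI_ADDRESS_LENGTH_IP) return 0;
    out->port = (uint16_t)((pb[0] << 8) | pb[1]);   /* network byte order, no ntohs needed */
    memcpy(out->ip, &ta->Ip.in_addr, 4);            /* in_addr bytes are already a.b.c.d */
    return 1;
}

/* Constructed 0x22-byte AFD_CONNECT_INFO for 10.0.0.5:8080 (not a real capture). */
static const uint8_t SAMPLE_CONNECT[AFD_CONNECT_INFO_IP_SIZE] = {
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,   /* UseSAN + pad, Root, Unknown */
    1, 0, 0, 0,                             /* TAAddressCount = 1 */
    14, 0,  2, 0,                           /* AddressLength = 14, AddressType = IP */
    0x1F, 0x90,                             /* sin_port = 8080 (network order) */
    10, 0, 0, 5,                            /* in_addr = 10.0.0.5 */
    0, 0, 0, 0, 0, 0, 0, 0                  /* sin_zero */
};
```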
Post #8
Very helpful reply, thanks!