[求助]关于ndis miniport hook的问题
发表于:
2014-3-2 01:53
[求助]关于ndis miniport hook的问题
目前已对协议hook了
代码如下
发现只能勾住PtReceive和PtReceivePacket
怎么才能勾住像passthru里面的MPSend和MPSendPackets呢
/*
 * HookNdis - replace the receive-path handlers stored in NDIS open blocks
 * with this driver's own routines, remembering the originals in a list.
 *
 * A throw-away protocol is registered only to get a pointer into NDIS's
 * protocol list; the list is then followed through a hard-coded field offset.
 *
 * Returns STATUS_UNSUCCESSFUL when the fake protocol cannot be registered,
 * otherwise STATUS_SUCCESS -- including when no handler was replaced or a
 * node allocation failed, since neither case is reported to the caller.
 *
 * NOTE(review): every pointer is carried in a ULONG and the list offset is a
 * constant, so this only makes sense on the 32-bit NDIS 5.0 / Windows XP
 * layout named below. Nothing here checks the running OS or NDIS version; on
 * any other layout the dereferences read unrelated kernel memory.
 * NOTE(review): the list is walked without any NDIS-owned lock visible in this
 * function -- presumably racy against protocol (un)registration; confirm.
 * NOTE(review): after this runs, the patched handler fields point into this
 * driver rather than into the protocol driver that owns the binding, which is
 * the condition a handler-pointer integrity check would look for.
 */
NTSTATUS HookNdis ()
{
    /* Offset of the next-protocol link. Only valid with NDIS 5.0, Windows XP. */
    const ULONG nextProtocolOffset = 0x10;
    NDIS_HANDLE fakeProtocol = NULL;
    PNDIS_OPEN_BLOCK openBlock = NULL;
    PNDIS_HOOK_LIST_NODE node;
    ULONG protocolAddr;
    NTSTATUS status;

    /* Register a fake NDIS protocol to obtain the head of the protocol list. */
    fakeProtocol = RegisterFakeNDISProtocol();
    if (fakeProtocol == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    /*
     * Start at the fake protocol's next-protocol link
     * (NextProtocol : Ptr32 _NDIS_PROTOCOL_BLOCK) and follow the same link in
     * each entry until it is zero.
     */
    for (protocolAddr = *(PULONG)((ULONG)fakeProtocol + nextProtocolOffset);
         protocolAddr != 0;
         protocolAddr = *(PULONG)(protocolAddr + nextProtocolOffset))
    {
        /* The first pointer-sized field of the entry is read as an open block. */
        openBlock = *(PNDIS_OPEN_BLOCK *)protocolAddr;
        if (openBlock == NULL)
        {
            continue;
        }

        node = (PNDIS_HOOK_LIST_NODE)ExAllocatePoolWithTag(NonPagedPool, sizeof(NDIS_HOOK_LIST_NODE), '!nmN');
        if (node == NULL)
        {
            /* Allocation failure is silent: this open block is left untouched. */
            continue;
        }

        node->ProtocolBindingContext = openBlock->Reserved8;
        node->MacBindingHandle = openBlock->BindingHandle;
        node->pOpenBlock = openBlock;

        /*
         * Swap each handler pointer atomically and keep the previous value in
         * the node. The WanReceiveHandler swap is disabled in the original
         * listing and stays disabled here.
         */
        node->ulRealReceiveHandler =
            (ULONG)InterlockedExchange((PLONG)&openBlock->ReceiveHandler,
                                       (LONG)FakeNDISReceiveHandler);
        node->ulRealProtocolReceiveHandler =
            (ULONG)InterlockedExchange((PLONG)&openBlock->ReceivePacketHandler,
                                       (LONG)FakeNDISProtocolReceiveHandler);
        node->ulRealTransferDataCompleteHandler =
            (ULONG)InterlockedExchange((PLONG)&openBlock->TransferDataCompleteHandler,
                                       (LONG)FakeNDISTransferDataCompleteHandler);

        /* Record the node on the global list under g_lock. */
        ExInterlockedInsertTailList(&g_linkListHead, &node->ListEntry, &g_lock);
    }

    /* The fake protocol was only needed as an entry point into the list. */
    NdisDeregisterProtocol(&status, fakeProtocol);
    return STATUS_SUCCESS;
}