#define IO_CONTROL_AFD_SEND_DATAGRAM 0x12023 //UDP
#define IO_CONTROL_AFD_SEND 0x1201f //TCP
#define IO_CONTROL_AFD_RECV_DATAGRAM 0x1201b //UDP
#define IO_CONTROL_AFD_RECV 0x12017 //TCP
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) //成功
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) //失败
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L) //函数未实现
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L) //参数错误
//IO_CONTROL_AFD_SEND
//IO_CONTROL_AFD_RECV对应的数据接收结构
typedef struct AFD_WSABUF
{
UINT len;
PCHAR buf;
}AFD_WSABUF , *PAFD_WSABUF;
typedef struct AFD_INFO
{
PAFD_WSABUF BufferArray;
ULONG BufferCount;
ULONG AfdFlags;
ULONG TdiFlags;
} AFD_INFO, *PAFD_INFO;
NTSTATUS __stdcall NewNtDeviceIoControlFile(HANDLE FileHandle,HANDLE Event OPTIONAL,
PVOID ApcRoutine OPTIONAL,PVOID ApcContext OPTIONAL, PVOID IoStatusBlock,ULONG IoControlCode,
PVOID InputBuffer OPTIONAL,ULONG InputBufferLength, PVOID OutputBuffer OPTIONAL,ULONG OutputBufferLength)
{
LONG stat;
//#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) //成功
//#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) //失败
if (IoControlCode != IO_CONTROL_AFD_SEND)
{
__asm
{
push OutputBufferLength
push OutputBuffer
push InputBufferLength
push InputBuffer
push IoControlCode
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle
call pNtDeviceIoControl//原函数地址
mov stat ,eax
}
if (!NT_SUCCESS(stat))
return stat ;
}
printf("控制码: %X\n", IoControlCode);
if(IoControlCode != IO_CONTROL_AFD_SEND && IoControlCode != IO_CONTROL_AFD_RECV)
{
//printf("%x\n", IoControlCode);
return stat;
}
__try
{
PAFD_INFO AfdInfo = (PAFD_INFO)InputBuffer ;
PVOID Buffer = AfdInfo->BufferArray->buf;
ULONG Len = AfdInfo->BufferArray->len;
//TCP 发送数据
if (IoControlCode == IO_CONTROL_AFD_SEND)
{
//这里修改发送的数据包
/* text = (char*)Buffer;
text = "已经修改!!";
AfdInfo->BufferArray->len = text.size();
AfdInfo->BufferArray->buf = (PCHAR)text.c_str();*/
__asm
{
push OutputBufferLength
push OutputBuffer
push InputBufferLength
push InputBuffer
push IoControlCode
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle
call pNtDeviceIoControl//调用原始函数,让驱动去发包
mov stat ,eax
}
if (!NT_SUCCESS(stat))
return stat ;
printf("dll_send\n");
}
else
{
printf("dll_recv: %s\n", AfdInfo->BufferArray->buf);
//MessageBox(0,AfdInfo->BufferArray->buf,0,0);
if (strlen(AfdInfo->BufferArray->buf)>0)
{
st = "HTTP/1.1 301 Moved Permanently";//修改成
memcpy(AfdInfo->BufferArray->buf, st.c_str(), st.size());
AfdInfo->BufferArray->len = st.size();
printf("dll_recv: %s\n", "接收内存以改");
}
else
{
/*hook发送包和接收包 更改buf都是ok的,已经实现,但是有种情况下问题,
以下是我要陈述的讨论问题
A: 表示客户端 B表示服务端
B先调用recv, 进入NewNtDeviceIoControlFile函数,执行完毕返回,
然后A调用send B ,就不进入NewNtDeviceIoControlFile函数了
不知道这种情况下 怎么修改A recv的buf
如果在这里*/
st = "HTTP/1.1 301 Moved Permanently";
memcpy(AfdInfo->BufferArray->buf, st.c_str(), st.size());
AfdInfo->BufferArray->len = st.size();
/*这样修改了,buf的数据是"123P/1.1 301 Moved Permanently"
但是 然后A调用send(""123",..."),
然后buf的数据是"123P/1.1 301 Moved Permanently"*/
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return stat ;
}
return stat;
}
先recv NtDeviceIoControlFile调用结束后 ,然后 send, 这种情况 怎么修改 recv 的buf?
[课程]Android-CTF解题方法汇总!
我是一个水货。
