基于SPI的网络封包拦截,小于1460字节不用分片的包没问题(取lpNumberOfBytesRecvd值),大于1460字节的包,返回的长度有问题。
同一端口lpNumberOfBytesRecvd多次接收8192字节数据,测试打开百度网页,用别的抓包工具查看,同一端口最大的一个包也不超过10K。
lpBuffers[0].len也不准确。
执行NextProcTable.lpWSPRecv之后判断lpNumberOfBytesRecvd和lpBuffers[0].len;
安装的协议是基础协议,接收数据包时发现WSPSelect也被调用。
// Forwarding call to the next provider in the LSP chain. *lpNumberOfBytesRecvd is only
// meaningful when this returns 0 (immediate completion), and lpBuffers[i].len is the
// capacity of the buffer the application supplied, not the number of bytes received.
int iRet = NextProcTable.lpWSPRecv(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd,
lpFlags,lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);
///////////////////////////////////////////////////////////////////////
重写的WSPRecv代码如下:
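// Pre-2015 MSVC has no conforming snprintf; _snprintf does not NUL-terminate on
// truncation, so the caller below terminates the buffer explicitly.
#if defined(_MSC_VER) && _MSC_VER < 1900
#define WSPRECV_SNPRINTF _snprintf
#else
#define WSPRECV_SNPRINTF snprintf
#endif

// Appends one text record to the receive log and flushes it.
// Every log write in WSPRecv goes through here so that a NULL pfRecvData
// (log file never opened) cannot crash the hooked application.
static void WSPRecvLog(const char *szText)
{
    if (pfRecvData == NULL || szText == NULL)
    {
        return;
    }
    fwrite(szText, strlen(szText), 1, pfRecvData);
    fflush(pfRecvData);
}

/*
 * LSP hook for WSPRecv.
 *
 * Forwards the receive to the next provider in the chain (NextProcTable) and
 * logs the result. For overlapped calls that carry a completion routine the
 * request is first registered with m_Overlapped and the caller's routine is
 * replaced by CompletionRoutine, so the data can be inspected on completion.
 *
 * How to read the logged values:
 *   - lpBuffers[i].len is the CAPACITY of the buffer supplied by the calling
 *     application, never a received length. An application that posts
 *     8192-byte buffers will always show len == 8192 here.
 *   - *lpNumberOfBytesRecvd is only valid when iRet == 0 (the receive completed
 *     immediately) and the pointer is non-NULL; lpNumberOfBytesRecvd may be
 *     NULL when lpOverlapped is supplied. For a pending overlapped receive
 *     (SOCKET_ERROR with *lpErrno == WSA_IO_PENDING) the byte count is
 *     delivered later through the completion path, not through this call.
 *   - WSPRecv reads from a TCP stream: one call may return part of a segment
 *     or several segments joined together, so the lengths seen here need not
 *     match the packets shown by a packet-capture tool.
 *
 * Parameters are those of WSPRecv in the Winsock SPI. Returns the next
 * provider's result unchanged: 0 on success, or SOCKET_ERROR with *lpErrno set.
 */
int WSPAPI WSPRecv(
    SOCKET s,
    LPWSABUF lpBuffers,
    DWORD dwBufferCount,
    LPDWORD lpNumberOfBytesRecvd,
    LPDWORD lpFlags,
    LPWSAOVERLAPPED lpOverlapped,
    LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
    LPWSATHREADID lpThreadId,
    LPINT lpErrno
)
{
    char szLocalIP[32] = {'\0'};
    char szRemoteIP[32] = {'\0'};
    DWORD dwLocalPort = 0;
    DWORD dwRemotePort = 0;
    getIPPort(s, szLocalIP, szRemoteIP, dwLocalPort, dwRemotePort);

    BOOL IsSetCompletionRoutine = FALSE;
    if (lpOverlapped && lpCompletionRoutine &&
        m_Overlapped.AddOverlapped(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags,
                                   lpOverlapped, lpCompletionRoutine, NULL, NULL, 0))
    {
        lpCompletionRoutine = CompletionRoutine;
        IsSetCompletionRoutine = TRUE;
        WSPRecvLog("###### Set CompletionRoutine######\r\n");
    }
    if (!lpOverlapped && !lpCompletionRoutine)
    {
        WSPRecvLog("###### nonOverlapd ###### \r\n");
    }

    int iRet = NextProcTable.lpWSPRecv(s, lpBuffers, dwBufferCount, lpNumberOfBytesRecvd, lpFlags,
                                       lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);

    // Log only non-loopback traffic that completed immediately; for a pending
    // overlapped receive the counters read below are not yet valid.
    if (iRet == 0 &&
        strcmp(szLocalIP, "127.0.0.1") != 0 && strcmp(szRemoteIP, "127.0.0.1") != 0 &&
        dwLocalPort != dwRemotePort)
    {
        // lpNumberOfBytesRecvd is optional for overlapped calls and dwBufferCount
        // may be 0, so neither pointer is dereferenced unconditionally.
        unsigned long cbRecvd = lpNumberOfBytesRecvd ? (unsigned long)*lpNumberOfBytesRecvd : 0UL;
        unsigned long cbFirstBuf = (lpBuffers && dwBufferCount > 0) ? (unsigned long)lpBuffers[0].len : 0UL;
        unsigned long ulFlags = lpFlags ? (unsigned long)*lpFlags : 0UL;
        int iErrno = lpErrno ? *lpErrno : 0;

        // Every field is bounded (two 31-char addresses plus integers), so a
        // small buffer suffices; the hook runs on the application's threads,
        // whose stack size is unknown, so keep the frame small.
        char szLogInfo[512];
        int n = WSPRECV_SNPRINTF(szLogInfo, sizeof szLogInfo,
            "iRet[%d] [%s:%lu] <====== [%s:%lu] dwBufferCount[%lu] lpNumberOfBytesRecvd[%lu] lpBuffers[0].len[%lu] lpFlags[%lu] lpErrno[%d]\r\n",
            iRet, szLocalIP, (unsigned long)dwLocalPort, szRemoteIP, (unsigned long)dwRemotePort,
            (unsigned long)dwBufferCount, cbRecvd, cbFirstBuf, ulFlags, iErrno);
        szLogInfo[sizeof szLogInfo - 1] = '\0';
        if (n > 0)
        {
            WSPRecvLog(szLogInfo);
        }
    }

    if (iRet == SOCKET_ERROR)
    {
        // A pending overlapped receive also returns SOCKET_ERROR, with
        // *lpErrno == WSA_IO_PENDING; that is the normal asynchronous path.
        WSPRecvLog("###### iRet == SOCKET_ERROR ###### \r\n");
        // NOTE(review): when the error is not WSA_IO_PENDING and the request was
        // registered with m_Overlapped above, that entry presumably never
        // completes and should be released here -- confirm against AddOverlapped.
    }
    else if (IsSetCompletionRoutine)
    {
        // Overlapped request that completed immediately; the swapped-in
        // CompletionRoutine still receives the completion.
        WSPRecvLog("###### overlapped completed immediately ###### \r\n");
    }
    return iRet;
}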