这个限制同样是在 tcpip.sys 中实现的。
Windows XP SP2 版本的代码如下，留意带有 "<-----" 标记的那一行（原文以红色标出）:
INIT:0005F660 ; __stdcall InitTCPConn()
INIT:0005F660 _InitTCPConn@0 proc near ; CODE XREF: IPProcessConfiguration():loc_61DA9p
INIT:0005F660 ; BOOLEAN InitTCPConn(void) -- stdcall, no arguments, result in eax (IDA listing, Windows XP SP2 tcpip.sys)
INIT:0005F660 ; Creates the TCP connection pool, initialises two spin locks and the
INIT:0005F660 ; active-open table, sets _ActiveOpenProgressThreshold, then clears
INIT:0005F660 ; _ConnectCancelArray. Returns 1 on success; if pool creation fails it
INIT:0005F660 ; branches to nullsub_1 (presumably a bare retn) with eax still 0.
INIT:0005F660 ; Clobbers eax, ecx; esi/edi are saved and restored around their use.
INIT:0005F660 ; PplCreatePool(Allocate, Free, Flags=0, Size=44h, Tag=43504354h ("TCPC" in memory), Depth=0)
INIT:0005F660 6A 00 push 0 ; Depth
INIT:0005F662 68 54 43 50 43 push 43504354h ; Tag
INIT:0005F667 6A 44 push 44h ; Size
INIT:0005F669 6A 00 push 0 ; Flags
INIT:0005F66B 68 A0 12 02 00 push offset _TcpConnFree@4 ; Free
INIT:0005F670 68 4A AE 01 00 push offset _TcpConnAllocate@12 ; Allocate
INIT:0005F675 E8 AC 85 FC FF call _PplCreatePool@24 ; PplCreatePool(x,x,x,x,x,x)
INIT:0005F67A 85 C0 test eax, eax
INIT:0005F67C A3 44 45 05 00 mov _TcpConnPool, eax
INIT:0005F681 ; mov leaves flags untouched, so jz still reflects the test above: NULL pool -> bail out with eax = 0
INIT:0005F681 0F 84 67 37 00 00 jz nullsub_1
INIT:0005F687 ; esi is callee-saved under stdcall, hence the push/pop around its use as the call target
INIT:0005F687 56 push esi
INIT:0005F688 8B 35 B0 F2 04 00 mov esi, ds:__imp__KeInitializeSpinLock@4 ; KeInitializeSpinLock(x)
INIT:0005F68E 68 9C 3F 05 00 push offset _ConnTableLock ; SpinLock
INIT:0005F693 FF D6 call esi ; KeInitializeSpinLock(x) ; KeInitializeSpinLock(x)
INIT:0005F695 68 20 44 05 00 push offset _ActiveOpenLock ; SpinLock
INIT:0005F69A FF D6 call esi ; KeInitializeSpinLock(x) ; KeInitializeSpinLock(x)
INIT:0005F69C ; _ActiveOpenProgressThreshold = 0Ah (10): the immediate the surrounding text identifies as the 10-connection limit
INIT:0005F69C C7 05 1C 01 05 00 0A 00+ mov _ActiveOpenProgressThreshold, 0Ah <-----就是这里呀.10连接限制
INIT:0005F6A6 B8 20 40 05 00 mov eax, offset _ActiveOpenTable
INIT:0005F6AB 5E pop esi
INIT:0005F6AC
INIT:0005F6AC ; Walk _ActiveOpenTable in 8-byte entries up to _ActiveOpenLock (which
INIT:0005F6AC ; follows the table in the image) and point both dwords of each entry
INIT:0005F6AC ; at the entry itself, i.e. an empty list head. The compare is signed
INIT:0005F6AC ; (jl); both operands are addresses in the same image.
INIT:0005F6AC loc_5F6AC: ; CODE XREF: InitTCPConn()+59j
INIT:0005F6AC 89 40 04 mov [eax+4], eax
INIT:0005F6AF 89 00 mov [eax], eax
INIT:0005F6B1 83 C0 08 add eax, 8
INIT:0005F6B4 3D 20 44 05 00 cmp eax, offset _ActiveOpenLock
INIT:0005F6B9 7C F1 jl short loc_5F6AC
INIT:0005F6BB ; edi is callee-saved; it is the rep stosd destination below
INIT:0005F6BB 57 push edi
INIT:0005F6BC 68 2D C4 04 00 push offset _ActiveOpenLimitLogCallback@8 ; ActiveOpenLimitLogCallback(x,x)
INIT:0005F6C1 68 00 40 05 00 push offset _ActiveOpenLimitLogEvent
INIT:0005F6C6 E8 61 B5 FB FF call _CTEInitEvent@8 ; CTEInitEvent(x,x)
INIT:0005F6CB ; _ActiveOpenLimitLogTick = _TCPTime - 1000h (adding 0FFFFF000h is a 32-bit subtract of 1000h)
INIT:0005F6CB A1 80 97 05 00 mov eax, _TCPTime
INIT:0005F6D0 05 00 F0 FF FF add eax, 0FFFFF000h
INIT:0005F6D5 6A 14 push 14h
INIT:0005F6D7 A3 24 01 05 00 mov _ActiveOpenLimitLogTick, eax
INIT:0005F6DC 59 pop ecx ; ecx = 14h (20) dwords -- push/pop used as a short mov
INIT:0005F6DD 33 C0 xor eax, eax ; fill value 0
INIT:0005F6DF BF A0 3F 05 00 mov edi, offset _ConnectCancelArray
INIT:0005F6E4 F3 AB rep stosd ; zero 20 dwords of _ConnectCancelArray
INIT:0005F6E6 40 inc eax ; eax = 1: success return value (eax was 0 from the xor)
INIT:0005F6E7 5F pop edi
INIT:0005F6E8 C3 retn
INIT:0005F6E8 _InitTCPConn@0 endp ; sp = -8
Windows 2003 SP1 同样有这样的限制，代码如下:
INIT:00095361 ; __stdcall InitTCPConn()
INIT:00095361 _InitTCPConn@0 proc near ; CODE XREF: InitAddr():loc_974D7p
INIT:00095361 ; BOOLEAN InitTCPConn(void) -- stdcall, no arguments, result in eax (IDA listing, Windows 2003 SP1 tcpip.sys)
INIT:00095361 ; Same shape as the XP SP2 version: creates the TCP connection pool,
INIT:00095361 ; initialises two spin locks and the active-open table, sets
INIT:00095361 ; _ActiveOpenProgressThreshold, clears _ConnectCancelArray.
INIT:00095361 ; Differences visible here: pool element Size is 48h (XP: 44h) and
INIT:00095361 ; CTEInitEvent is called through an import. Returns 1 on success; on
INIT:00095361 ; pool-creation failure it jumps to locret_982C5 (presumably a bare
INIT:00095361 ; retn) with eax still 0. Clobbers eax, ecx; esi/edi saved around use.
INIT:00095361 ; PplCreatePool(Allocate, Free, Flags=0, Size=48h, Tag=43504354h ("TCPC" in memory), Depth=0)
INIT:00095361 6A 00 push 0 ; Depth
INIT:00095363 68 54 43 50 43 push 43504354h ; Tag
INIT:00095368 6A 48 push 48h ; Size
INIT:0009536A 6A 00 push 0 ; Flags
INIT:0009536C 68 67 E3 02 00 push offset _TcpConnFree@4 ; Free
INIT:00095371 68 B5 01 02 00 push offset _TcpConnAllocate@12 ; Allocate
INIT:00095376 E8 6A F2 F7 FF call _PplCreatePool@24 ; PplCreatePool(x,x,x,x,x,x)
INIT:0009537B 85 C0 test eax, eax
INIT:0009537D A3 64 CC 08 00 mov _TcpConnPool, eax
INIT:00095382 ; mov leaves flags untouched, so jz still reflects the test above: NULL pool -> bail out with eax = 0
INIT:00095382 0F 84 3D 2F 00 00 jz locret_982C5
INIT:00095388 ; esi is callee-saved under stdcall, hence the push/pop around its use as the call target
INIT:00095388 56 push esi
INIT:00095389 8B 35 40 E2 05 00 mov esi, ds:__imp__KeInitializeSpinLock@4 ; KeInitializeSpinLock(x)
INIT:0009538F 68 90 C6 08 00 push offset _ConnTableLock ; SpinLock
INIT:00095394 FF D6 call esi ; KeInitializeSpinLock(x) ; KeInitializeSpinLock(x)
INIT:00095396 68 40 CB 08 00 push offset _ActiveOpenLock ; SpinLock
INIT:0009539B FF D6 call esi ; KeInitializeSpinLock(x) ; KeInitializeSpinLock(x)
INIT:0009539D ; _ActiveOpenProgressThreshold = 0Ah (10): the same 10-connection limit as in the XP SP2 listing
INIT:0009539D C7 05 98 10 06 00 0A 00 00 00 mov _ActiveOpenProgressThreshold, 0Ah
INIT:000953A7 B8 40 C7 08 00 mov eax, offset _ActiveOpenTable
INIT:000953AC 5E pop esi
INIT:000953AD
INIT:000953AD ; Walk _ActiveOpenTable in 8-byte entries up to _ActiveOpenLock (which
INIT:000953AD ; follows the table in the image) and point both dwords of each entry
INIT:000953AD ; at the entry itself, i.e. an empty list head. The compare is signed
INIT:000953AD ; (jl); both operands are addresses in the same image.
INIT:000953AD loc_953AD: ; CODE XREF: InitTCPConn()+59j
INIT:000953AD 89 40 04 mov [eax+4], eax
INIT:000953B0 89 00 mov [eax], eax
INIT:000953B2 83 C0 08 add eax, 8
INIT:000953B5 3D 40 CB 08 00 cmp eax, offset _ActiveOpenLock
INIT:000953BA 7C F1 jl short loc_953AD
INIT:000953BC ; edi is callee-saved; it is the rep stosd destination below
INIT:000953BC 57 push edi
INIT:000953BD 68 5E 55 05 00 push offset _ActiveOpenLimitLogCallback@8 ; ActiveOpenLimitLogCallback(x,x)
INIT:000953C2 68 20 C7 08 00 push offset _ActiveOpenLimitLogEvent
INIT:000953C7 FF 15 20 E3 05 00 call ds:__imp__CTEInitEvent@8 ; CTEInitEvent(x,x)
INIT:000953CD ; _ActiveOpenLimitLogTick = _TCPTime - 1000h (adding 0FFFFF000h is a 32-bit subtract of 1000h)
INIT:000953CD A1 E0 C5 08 00 mov eax, _TCPTime
INIT:000953D2 05 00 F0 FF FF add eax, 0FFFFF000h
INIT:000953D7 6A 14 push 14h
INIT:000953D9 A3 A0 10 06 00 mov _ActiveOpenLimitLogTick, eax
INIT:000953DE 59 pop ecx ; ecx = 14h (20) dwords -- push/pop used as a short mov
INIT:000953DF 33 C0 xor eax, eax ; fill value 0
INIT:000953E1 BF C0 C6 08 00 mov edi, offset _ConnectCancelArray
INIT:000953E6 F3 AB rep stosd ; zero 20 dwords of _ConnectCancelArray
INIT:000953E8 40 inc eax ; eax = 1: success return value (eax was 0 from the xor)
INIT:000953E9 5F pop edi
INIT:000953EA C3 retn
INIT:000953EA _InitTCPConn@0 endp
要绕过这个限制很容易,改一下tcpip.sys就可以了,如
把:
mov _ActiveOpenProgressThreshold, 0Ah
改成:
mov _ActiveOpenProgressThreshold, 0x7FFFFFFFh就可以了。改了之后记得修正tcpip.sys的checksum