遍历协议链表ndisProtocolList

遇到一个样本在“搞”网络协议 TCPIP 的一些处理函数,刚开始对着汇编看了半天,总觉得数据结构对不上,就用 IDA 打开 ndis.sys 看了下 NdisRegisterProtocol 的内部实现。发现确实不一样,我想应该是该样本针对的系统版本不同,于是就写了个 demo 来遍历协议链表验证.

/*
只在 win7 32 sp1 上测试有效,其他系统版本可能因为内部数据结构差异(下面用到的 0x6c 大小以及 0x8/0x24 偏移都是该版本的私有布局)而出错.
各系统版本的具体数据结构布局,可以参看 NdisRegisterProtocol 的内部实现.
另外,下面的遍历没有持有 NDIS 内部保护 ndisProtocolList 的锁,并发注册/注销协议时可能读到已被释放的节点,请只在安静的测试环境中运行.
*/

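/*
 * ProtocolBindAdapter stub.
 *
 * This demo never opens an adapter (no NdisOpenAdapter call anywhere), so the
 * only correct thing to tell NDIS through the OUT parameter is that the bind
 * failed. The original left *status untouched, so NDIS would have read
 * whatever the caller happened to have in that variable.
 *
 * status           - OUT: bind result reported back to NDIS.
 * BindContext      - unused.
 * DeviceName       - unused.
 * SystemSpecific1  - unused.
 * SystemSpecific2  - unused.
 */
VOID mBindAdapterHandler(PNDIS_STATUS status,NDIS_HANDLE BindContext,PUNICODE_STRING DeviceName,PVOID SystemSpecific1,PVOID SystemSpecific2)
{
    (void)BindContext;
    (void)DeviceName;
    (void)SystemSpecific1;
    (void)SystemSpecific2;

    /* Never bound anything, so never claim success or pending. */
    *status = NDIS_STATUS_FAILURE;
}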

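/*
 * ProtocolUnbindAdapter stub.
 *
 * Fixes the original declaration, which used a non-existent PNDIS_HANDLER type
 * for the first parameter (the NDIS prototype takes a PNDIS_STATUS OUT
 * parameter) and left all three parameters unnamed, which is not valid in a C
 * function definition. Since the bind handler above never creates a binding,
 * there is nothing to tear down and the unbind is reported as complete.
 *
 * Status                 - OUT: unbind result reported back to NDIS.
 * ProtocolBindingContext - unused.
 * UnbindContext          - unused.
 */
VOID mUnbindAdapterHandler(PNDIS_STATUS Status,NDIS_HANDLE ProtocolBindingContext,NDIS_HANDLE UnbindContext)
{
    (void)ProtocolBindingContext;
    (void)UnbindContext;

    *Status = NDIS_STATUS_SUCCESS;
}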

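/*
 * ProtocolReceive stub: decline every packet NDIS indicates.
 *
 * The original body fell off the end of a non-void function, so the status
 * NDIS read from this handler was indeterminate. Returning
 * NDIS_STATUS_NOT_ACCEPTED tells NDIS the protocol does not want the packet
 * and will not call NdisTransferData for it.
 *
 * The return type stays NTSTATUS to match the original prototype; it is the
 * same underlying type as NDIS_STATUS.
 *
 * All parameters are unused.
 */
NTSTATUS mReceiveHandler(NDIS_HANDLE ProtocolBindingContext,NDIS_HANDLE MacReceiveContext,PVOID HeaderBuffer,
                         UINT HeaderBufferSize,PVOID LookAheadBuffer,UINT LookaheadBufferSize,UINT PacketSize)
{
    (void)ProtocolBindingContext;
    (void)MacReceiveContext;
    (void)HeaderBuffer;
    (void)HeaderBufferSize;
    (void)LookAheadBuffer;
    (void)LookaheadBufferSize;
    (void)PacketSize;

    return NDIS_STATUS_NOT_ACCEPTED;
}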

/*
 * ProtocolCloseAdapterComplete stub. Nothing is ever opened by this demo, so
 * there is no completion state to update; both parameters are ignored.
 */
VOID mCloseAdapterCompleteHandler(NDIS_HANDLE ProtocolBindingContext,NDIS_STATUS status)
{
    (void)ProtocolBindingContext;
    (void)status;
}

/*
 * ProtocolOpenAdapterComplete stub. The demo never calls NdisOpenAdapter, so
 * this completion is not expected to fire; all parameters are ignored.
 */
VOID mOpenAdapterCompleteHandler(NDIS_HANDLE ProtocolBindingContext,NDIS_STATUS   Status,NDIS_STATUS OpenErrorStatus)
{
    (void)ProtocolBindingContext;
    (void)Status;
    (void)OpenErrorStatus;
}

/*
 * ProtocolRequestComplete stub. No OID requests are issued by this demo, so
 * there is nothing to complete; all parameters are ignored.
 */
VOID mRequestCompleteHandler(NDIS_HANDLE ProtocolBindingContext,PNDIS_REQUEST NdisRequest,NDIS_STATUS Status)
{
    (void)ProtocolBindingContext;
    (void)NdisRequest;
    (void)Status;
}

/*
 * ProtocolResetComplete stub. No reset is ever requested by this demo; both
 * parameters are ignored.
 */
VOID mResetCompleteHandler(NDIS_HANDLE ProtocolBindingContext,NDIS_STATUS Status)
{
    (void)ProtocolBindingContext;
    (void)Status;
}

/*
 * ProtocolStatus stub. Status indications from the miniport are discarded;
 * all parameters are ignored.
 */
VOID mStatusHandler(NDIS_HANDLE ProtocolBindingContext,NDIS_STATUS GeneralStatus,PVOID StatusBuffer,UINT statusBufferSize)
{
    (void)ProtocolBindingContext;
    (void)GeneralStatus;
    (void)StatusBuffer;
    (void)statusBufferSize;
}

/*
 * ProtocolStatusComplete stub. Nothing to finish after a status indication;
 * the binding context is ignored.
 */
VOID mStatusCompleteHandler(NDIS_HANDLE ProtocolBindingContext)
{
    (void)ProtocolBindingContext;
}


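/*
 * Private NDIS layout this demo depends on (Windows 7 x86 SP1, NDIS 5.0 binding).
 * NOTE(review): none of this is a public contract. Per the note at the top of
 * the file the values were recovered from NdisRegisterProtocol's disassembly
 * and differ between NDIS builds; confirm them against the target before use.
 */
enum {
    NDIS50_PROTOCOL_CHARACTERISTICS_SIZE = 0x6c,  /* byte count handed to NdisRegisterProtocol */
    PROTOCOL_BLOCK_NEXT_OFFSET           = 0x8,   /* NDIS_HANDLE of the next registered protocol block */
    PROTOCOL_BLOCK_NAME_OFFSET           = 0x24,  /* UNICODE_STRING holding the protocol's Name */
    MAX_PROTOCOL_WALK                    = 256    /* upper bound on nodes visited in one walk */
};

/*
 * Register a throw-away NDIS 5.0 protocol, walk ndisProtocolList starting from
 * the handle NdisRegisterProtocol hands back, print every registered protocol's
 * block address and Name, then deregister again.
 *
 * The handle returned by NdisRegisterProtocol is the address of the new
 * protocol block; the walk follows the "next" pointer at
 * PROTOCOL_BLOCK_NEXT_OFFSET until it reaches NULL or comes back to the
 * starting block.
 *
 * Returns NULL unconditionally (the PNDIS_HANDLE return type is kept for
 * existing callers); all results go out through KdPrint.
 *
 * Caveats:
 *  - The list is read with no synchronisation. NDIS guards ndisProtocolList
 *    with an internal lock that is not exported, so a concurrent
 *    NdisRegisterProtocol/NdisDeregisterProtocol on another thread can unlink
 *    and free a block while it is being read here. Only run this on a
 *    quiescent test machine.
 *  - Nothing validates the pointers read out of the blocks. MAX_PROTOCOL_WALK
 *    keeps a corrupted or racing list from spinning forever, but a bad
 *    pointer still faults.
 *  - KAPERSKY is defined elsewhere in this file (not visible here); whatever
 *    wide string it expands to is the Name this protocol is listed under for
 *    the duration of the walk.
 */
PNDIS_HANDLE EnumRegisteredProtocol()
{
    NDIS_STATUS                   status = STATUS_SUCCESS;
    NDIS_HANDLE                   NdisProtocolHandle = NULL;
    NDIS_HANDLE                   cur;
    NDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;
    ULONG                         visited = 0;

    /* The NDIS 5.0 size below is hard-coded. If this translation unit is built
     * with an ndis.h that selects a smaller characteristics structure,
     * NdisRegisterProtocol would read past the end of the stack local, so
     * refuse rather than hand it an undersized buffer. */
    if (sizeof(ProtocolCharacteristics) < NDIS50_PROTOCOL_CHARACTERISTICS_SIZE)
    {
        KdPrint(("NDIS_PROTOCOL_CHARACTERISTICS is smaller than the NDIS 5.0 layout this demo expects.\n"));
        return NULL;
    }

    /* Zero the whole local, not just the first 0x6c bytes, then fill in the
     * NDIS 5.0 fields. Every handler NDIS 5.0 requires is a stub defined above. */
    memset(&ProtocolCharacteristics, 0, sizeof(ProtocolCharacteristics));
    RtlInitUnicodeString(&ProtocolCharacteristics.Name, KAPERSKY);
    ProtocolCharacteristics.MajorNdisVersion            = 0x5;
    ProtocolCharacteristics.MinorNdisVersion            = 0x0;
    ProtocolCharacteristics.BindAdapterHandler          = mBindAdapterHandler;
    ProtocolCharacteristics.UnbindAdapterHandler        = mUnbindAdapterHandler;
    ProtocolCharacteristics.ReceiveHandler              = mReceiveHandler;
    ProtocolCharacteristics.CloseAdapterCompleteHandler = mCloseAdapterCompleteHandler;
    ProtocolCharacteristics.OpenAdapterCompleteHandler  = mOpenAdapterCompleteHandler;
    ProtocolCharacteristics.RequestCompleteHandler      = mRequestCompleteHandler;
    ProtocolCharacteristics.StatusHandler               = mStatusHandler;
    ProtocolCharacteristics.StatusCompleteHandler       = mStatusCompleteHandler;

    NdisRegisterProtocol(&status, &NdisProtocolHandle, &ProtocolCharacteristics,
                         NDIS50_PROTOCOL_CHARACTERISTICS_SIZE);
    if (STATUS_SUCCESS != status)
    {
        KdPrint(("RegisterProtocol fails,error is 0x%x\n", status));
        return NULL;
    }

    KdPrint(("begin to enum the ndisProtocolList.\n"));
    if (NdisProtocolHandle == NULL)
    {
        /* Success with no handle: nothing to walk and nothing to deregister. */
        return NULL;
    }

    cur = NdisProtocolHandle;
    do
    {
        /* %p prints the block address without truncating it through ULONG. */
        PUNICODE_STRING name = (PUNICODE_STRING)((unsigned char *)cur + PROTOCOL_BLOCK_NAME_OFFSET);
        KdPrint(("ProtocolDriverHandle is %p ProtocolName is %wZ\n", cur, name));

        /* Follow the private "next" link. NULL means the list is singly
         * linked and we fell off the tail; the starting handle means it is
         * circular and we are done. */
        cur = *(NDIS_HANDLE *)((unsigned char *)cur + PROTOCOL_BLOCK_NEXT_OFFSET);
        if (cur == NULL)
        {
            KdPrint(("ndisProtocolList is a SingleLinkedList!\n"));
        }

        if (++visited >= MAX_PROTOCOL_WALK)
        {
            /* A cycle that does not pass through our own block, or a node
             * overwritten under us, would otherwise loop forever. */
            KdPrint(("ndisProtocolList walk aborted after %u nodes (cycle or corruption?)\n", visited));
            break;
        }
    } while (cur != NULL && cur != NdisProtocolHandle);

    /* Remove our temporary protocol again. */
    NdisDeregisterProtocol(&status, NdisProtocolHandle);
    return NULL;
}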

 

结果:
