<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
.title {FONT-FAMILY: "黑体", Arial, sans-serif; FONT-SIZE: 21px; FONT-WEIGHT: bold; LINE-HEIGHT: 48px; TEXT-DECORATION: none;}
.author {font-family: "宋体";font-size: 12px;line-height: 16px;}
.content {FONT-SIZE: 14px; LINE-HEIGHT: 20px;}
-->
</style>
<title>Hooking a System Service to Hide Ports</title>
<meta name="keywords" content="jiurl IOCTL_TCP_QUERY_INFORMATION_EX TCPSNMPInfo TCPAddrEntry">
</head>
<body bgcolor="#F7F7F7" topmargin="5">
<div align="center">
<center>
<table border="0" width="96%" cellspacing="0" cellpadding="0" height="29">
<tr>
<td class=title width="100%" height="41">
<p align="center">Hooking a System Service to Hide Ports</p>
</td>
</tr>
<tr>
<td class=author width="100%" height="9">
<p align="center"><font face="宋体">Author: <a href="mailto:jiurl@mail.china.com"> JIURL</a></font></p>
</td>
</tr>
<tr>
<td class=author width="100%" height="6">
<p align="center"><font face="宋体">Home page: <a href="http://jiurl.yeah.net"> http://jiurl.yeah.net</a></font></p>
</td>
</tr>
<tr>
<td class=author width="100%" height="2">
<p align="center"><font face="宋体">Date: 2004-03-30</font></p>
</td>
</tr>
</table>
</center>
</div>
<div align="center">
<center>
<table border="0" width="96%" cellspacing="0" cellpadding="0" height="1">
<tr>
<td width="100%" height="1">
<hr color="#396DA5" size="3">
</td>
</tr>
</table>
</center>
</div>
<div align="center">
<table border="0" width="96%" cellspacing="0" cellpadding="0" class="content" height="200">
<tr>
<td width="131%" height="200" valign="top">
<p> Sometimes writing and debugging programs is really a lot of fun. This time, for instance, I bounced along grinning and, before the fun had worn off, the program was done.<p>
netstat and the other tools that list ports, such as fport or Sysinternals' TCPView, all call the APIs in Iphlpapi.dll to enumerate ports. The Iphlpapi.dll APIs in turn use ZwDeviceIoControlFile to send IOCTL_TCP_QUERY_INFORMATION_EX to the device object Device\Tcp and obtain the various kinds of information from it. So all we have to do is hook the corresponding system service, post-process the result it returns, and remove the port entries we do not want to appear. The real problem is that the structure definitions and parameter meanings that IOCTL_TCP_QUERY_INFORMATION_EX uses for port information are at present (mostly) unpublished and known to nobody, in other words undocumented. Undocumented?? Ring 3 debugging, I know it well. Ring 0 debugging, I know it well. Windows drivers, I know them well. The Windows system, I know it well. Who am I afraid of? Undocumented?? Great, undocumented is exactly what I want.<p>
By debugging in ring 3 I analysed how Iphlpapi.dll uses the various parameters associated with IOCTL_TCP_QUERY_INFORMATION_EX, combined that with some information from MSDN, and so worked out the structures I needed quite easily. Then I created a VC driver project with awx, an AppWizard I wrote myself, and wrote the hook part.<p>
The method this example uses to make the hook run on the various Windows versions has appeared in many, many places, and I am not sure who came up with it first; I first saw it in <span class="BoldText">the source code of the book "Undocumented Windows NT".</span><p><span class="BoldText">
Below is the implementation source. It is simple, so I will not say much about it.</span><p><span class="BoldText">
<pre>
#if 0
//================================================================
Copyright (c) JIURL, All Rights Reserved
========================================================================

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

Module Name:

    Jiurl_tcpioctl.h

About:

    - This driver project was created by an AppWizard I wrote.

    [ HomePage ] http://jiurl.yeah.net
    ~~~~~~~~~~~~~~~~~~~~~
    [ Email ] jiurl@mail.china.com
    ~~~~~~~~~~~~~~~~~~~~
    [ Forum ] http://jiurl.cosoft.org.cn/forum/index.php
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    - Custom AppWizards are available for a fee; contact me by e-mail.

Comments:

    Everything in this file is currently undocumented. I worked it out by
    analysis, and it is the key to hiding ports.
    Undocumented?? Great! Undocumented is exactly what I want.

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
#endif

#include &lt;ntddk.h&gt;   // added: kernel-mode definition of ULONG

// jiurl // The definition of the IPSNMPInfo structure follows RFC 2011,
// jiurl // so, following RFC 2022, I defined the TCPSNMPInfo structure modelled on IPSNMPInfo,
// jiurl // then worked out the definition of the extended part through further analysis.

// TCP MIB statistics as returned for TCP_MIB_STATS_ID (the three trailing
// fields are the extension beyond the MIB counters).
typedef struct TCPSNMPInfo {
    ULONG tcpsi_RtoAlgorithm;
    ULONG tcpsi_RtoMin;
    ULONG tcpsi_RtoMax;
    ULONG tcpsi_MaxConn;
    ULONG tcpsi_ActiveOpens;
    ULONG tcpsi_PassiveOpens;
    ULONG tcpsi_AttemptFails;
    ULONG tcpsi_EstabResets;
    ULONG tcpsi_CurrEstab;
    ULONG tcpsi_InSegs;
    ULONG tcpsi_OutSegs;
    ULONG tcpsi_RetransSegs;
    ULONG tcpsi_unknown1;
    ULONG tcpsi_unknown2;
    ULONG tcpsi_numconn;
} TCPSNMPInfo;

#define tcpRtoAlgorithm_other    1   // none of the following
#define tcpRtoAlgorithm_constant 2   // a constant rto
#define tcpRtoAlgorithm_rsre     3   // MIL-STD-1778, Appendix B
#define tcpRtoAlgorithm_vanj     4   // Van Jacobson's algorithm

// Query ids sent with IOCTL_TCP_QUERY_INFORMATION_EX: the statistics block
// above, the connection table, and the extended connection table with pids.
#define TCP_MIB_STATS_ID              1
#define TCP_MIB_ADDRTABLE_ENTRY_ID    0x101
#define TCP_MIB_ADDRTABLE_ENTRY_EX_ID 0x102

// One row of the TCP connection table; addresses and ports are stored in
// network byte order (hence the ntohs macro in JiurlPortHide.h).
typedef struct TCPAddrEntry {
    ULONG tae_ConnState;
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
} TCPAddrEntry;

#define tcpConnState_closed      1
#define tcpConnState_listen      2
#define tcpConnState_synSent     3
#define tcpConnState_synReceived 4
#define tcpConnState_established 5
#define tcpConnState_finWait1    6
#define tcpConnState_finWait2    7
#define tcpConnState_closeWait   8
#define tcpConnState_lastAck     9
#define tcpConnState_closing     10
#define tcpConnState_timeWait    11
#define tcpConnState_deleteTCB   12

// Extended row (TCP_MIB_ADDRTABLE_ENTRY_EX_ID): the same fields plus the owning process id.
typedef struct TCPAddrExEntry {
    ULONG tae_ConnState;
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
    ULONG pid;
} TCPAddrExEntry;
</pre>
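The following is an added example and is not part of JIURL's page or driver. It is a portable user-mode C program that decodes a TCP_MIB_ADDRTABLE_ENTRY_ID result buffer laid out as an array of the TCPAddrEntry records defined above, prints each row the way netstat would, and then performs the cross-view check a defender uses against this class of hook: comparing two tables of the same connections and reporting records present in one view but absent from the other. All records are constructed sample data rather than captures from Device\Tcp, the host is assumed little-endian (as on the x86 systems the header targets), and the helper names (jiurl_ntohs, PORT_BE, IPV4_BE, find_missing, missing_entries and the rest) are this example's own.

```c
/* Added example, not from the original page or JIURL's driver: decode a
 * TCPAddrEntry table and compare two views of it.  Sample records below are
 * constructed; helper names are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;

/* Same layout the header gives for TCPAddrEntry: five ULONGs.  Address and
 * port fields hold network-byte-order values in the low bytes of each ULONG. */
typedef struct TCPAddrEntry {
    ULONG tae_ConnState;
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
} TCPAddrEntry;

#define tcpConnState_listen      2
#define tcpConnState_established 5

/* The same 16-bit byte swap as the page's ntohs macro. */
#define jiurl_ntohs(s) ((((s) >> 8) & 0x00FF) | (((s) << 8) & 0xFF00))

/* Constant-expression builders for sample records on a little-endian host: a
 * port or dotted address written the way it sits in memory in the buffer. */
#define PORT_BE(p) ((ULONG)((((p) & 0xFF) << 8) | (((p) >> 8) & 0xFF)))
#define IPV4_BE(a, b, c, d) \
    ((ULONG)(a) | ((ULONG)(b) << 8) | ((ULONG)(c) << 16) | ((ULONG)(d) << 24))

static const char *conn_state_name(ULONG state)
{
    static const char *const names[] = { "?", "CLOSED", "LISTEN", "SYN_SENT",
        "SYN_RCVD", "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT",
        "LAST_ACK", "CLOSING", "TIME_WAIT", "DELETE_TCB" };
    return state < sizeof names / sizeof names[0] ? names[state] : "?";
}

/* Number of records in an output buffer of `bytes` bytes. */
static size_t entry_count(size_t bytes) { return bytes / sizeof(TCPAddrEntry); }

/* Host-order port from a raw tae_Conn*Port field. */
static unsigned host_port(ULONG raw) { return (unsigned)jiurl_ntohs(raw & 0xFFFF); }

static void print_entry(const TCPAddrEntry *e)
{
    const unsigned char *l = (const unsigned char *)&e->tae_ConnLocalAddress;
    const unsigned char *r = (const unsigned char *)&e->tae_ConnRemAddress;
    printf("%-11s %u.%u.%u.%u:%-5u -> %u.%u.%u.%u:%u\n", conn_state_name(e->tae_ConnState),
           l[0], l[1], l[2], l[3], host_port(e->tae_ConnLocalPort),
           r[0], r[1], r[2], r[3], host_port(e->tae_ConnRemPort));
}

/* Index of the first record in `full`, at or after `start`, with no
 * byte-identical counterpart in `filtered`; nfull if none remain. */
static size_t find_missing(const TCPAddrEntry *full, size_t nfull,
                           const TCPAddrEntry *filtered, size_t nfilt, size_t start)
{
    for (size_t i = start; i < nfull; i++) {
        size_t j = 0;
        while (j < nfilt && memcmp(&full[i], &filtered[j], sizeof full[i]) != 0)
            j++;
        if (j == nfilt)
            return i;
    }
    return nfull;
}

/* Cross-view check: how many records of `full` are missing from `filtered`. */
static size_t missing_entries(const TCPAddrEntry *full, size_t nfull,
                              const TCPAddrEntry *filtered, size_t nfilt)
{
    size_t n = 0;
    for (size_t i = find_missing(full, nfull, filtered, nfilt, 0); i < nfull;
         i = find_missing(full, nfull, filtered, nfilt, i + 1))
        n++;
    return n;
}

/* Constructed sample: three listeners plus one established connection on local
 * port 139 (the header's PORTHIDE value). */
static const TCPAddrEntry sample_full[] = {
    { tcpConnState_listen,      IPV4_BE(0, 0, 0, 0),      PORT_BE(135), IPV4_BE(0, 0, 0, 0),      PORT_BE(0) },
    { tcpConnState_listen,      IPV4_BE(0, 0, 0, 0),      PORT_BE(139), IPV4_BE(0, 0, 0, 0),      PORT_BE(0) },
    { tcpConnState_established, IPV4_BE(192, 168, 1, 10), PORT_BE(139), IPV4_BE(192, 168, 1, 20), PORT_BE(1045) },
    { tcpConnState_listen,      IPV4_BE(0, 0, 0, 0),      PORT_BE(445), IPV4_BE(0, 0, 0, 0),      PORT_BE(0) },
};
/* The same table as a caller sees it once every local-port-139 record has been stripped. */
static const TCPAddrEntry sample_filtered[] = {
    { tcpConnState_listen, IPV4_BE(0, 0, 0, 0), PORT_BE(135), IPV4_BE(0, 0, 0, 0), PORT_BE(0) },
    { tcpConnState_listen, IPV4_BE(0, 0, 0, 0), PORT_BE(445), IPV4_BE(0, 0, 0, 0), PORT_BE(0) },
};
#define SAMPLE_FULL_COUNT     (sizeof sample_full / sizeof sample_full[0])
#define SAMPLE_FILTERED_COUNT (sizeof sample_filtered / sizeof sample_filtered[0])

int main(void)
{
    printf("-- unfiltered view, %zu records --\n", entry_count(sizeof sample_full));
    for (size_t i = 0; i < SAMPLE_FULL_COUNT; i++)
        print_entry(&sample_full[i]);
    printf("-- filtered view, %zu records --\n", entry_count(sizeof sample_filtered));
    for (size_t i = 0; i < SAMPLE_FILTERED_COUNT; i++)
        print_entry(&sample_filtered[i]);
    printf("records missing from the filtered view: %zu\n",
           missing_entries(sample_full, SAMPLE_FULL_COUNT, sample_filtered, SAMPLE_FILTERED_COUNT));
    return 0;
}
```

Records are compared byte-for-byte with memcmp, which is safe here because every field is a ULONG and the structure has no padding; on a real system the "full" view would come from a source the hook does not sit on (for example the raw TDI query issued from a driver, or the same host scanned from the network), and any record that appears there but not in the Iphlpapi-derived list is the discrepancy worth investigating.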
<pre>
#if 0 //================================================================
Copyright (c) JIURL, All Rights Reserved
========================================================================

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/

Module Name:

    JiurlPortHide.h

About:

    - This driver project was created by an AppWizard I wrote.

    [ HomePage ] http://jiurl.yeah.net
    ~~~~~~~~~~~~~~~~~~~~~
    [ Email ] jiurl@mail.china.com
    ~~~~~~~~~~~~~~~~~~~~
    [ Forum ] http://jiurl.cosoft.org.cn/forum/index.php
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    - Custom AppWizards are available for a fee; contact me by e-mail.

/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
#endif

#include &lt;ntddk.h&gt;           // added: NTSTATUS, HANDLE, PIO_APC_ROUTINE, PDRIVER_OBJECT, PIRP
#include "Jiurl_tcpioctl.h"    // added: TCPAddrEntry and the TCP_MIB_* query ids

// The local TCP port whose entries are removed from query results.
#define PORTHIDE 139

// Layout of a system service descriptor table entry (32-bit x86).
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; // Used only in checked build
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// Exported by the kernel; its first entry describes the native (Zw*) service table.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

NTSYSAPI
NTSTATUS
NTAPI
ZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    );

// Pointer type with the same signature, used to keep the original entry.
typedef NTSTATUS (*ZWDEVICEIOCONTROLFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    );

// The original service routine, saved before its table entry is replaced.
ZWDEVICEIOCONTROLFILE OldZwDeviceIoControlFile;

void DriverUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS
DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

// Replacement routine: calls the original, then post-processes the output buffer.
NTSTATUS NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    );

// jiurl // from addrconv.cpp
// Ports in the Tcp output buffer are in network byte order; swap the two bytes.
#define ntohs(s) \
    ( ( ((s) &gt;&gt; 8) &amp; 0x00FF ) | \
      ( ((s) &lt;&lt; 8) &amp; 0xFF00 ) )
</pre>
<br>