#ifndef _DRIVERDEF_H_
#define _DRIVERDEF_H_
#pragma pack(push)
#pragma pack(1)
///////////////////////////////////////
// SHookProc: one inline-hook trampoline.  Records the original (hooked)
// function pointer and a pointer to the parent structure that owns the hook.
//
// The first fields are *executed* as x86 machine code, which is why this
// struct is packed (#pragma pack(1) above) and why the field order must not
// change.  As laid out, the stub runs:
//     pop  eax            ; caller's return address -> eax
//     push <pThis>        ; push this SHookProc* (the hook context)
//     push eax            ; put the return address back on the stack
//     jmp  rel32          ; uHookProcOffset = target - address after the jmp
// so the common hook procedure sees pThis as its first argument and the
// original arguments behind it.
// NOTE(review): `push imm32` (0x68) requires pThis to be exactly 4 bytes, so
// this layout is x86-32 only; it cannot be used as-is on a 64-bit build.
// NOTE(review): the allocation site (not visible here) must place these in
// executable memory for the stub to run -- confirm where they are created.
typedef struct _HOOK_PROC
{
    //runtime code
    UCHAR code1_0x58; //0x58 | pop eax | pop caller IP from stack to eax
    UCHAR code2_0x68; //0x68 | push IMM | push our hook context address
    struct _HOOK_PROC *pThis; //imm32 operand of the push above: address of this struct
    UCHAR code3_0x50; //0x50 | push eax | push caller IP from eax to stack
    UCHAR code4_0xE9; //0xE9 | jmp HookProc | jump to our hook proc
    ULONG uHookProcOffset; //rel32 operand of the jmp (relative to the byte after it)
    // Saved original function, viewed as whichever handler type this hook
    // replaces.  Only one member is meaningful per SHookProc.
    union
    {
        PVOID pOldProc;
        OPEN_ADAPTER_COMPLETE_HANDLER pOpenAdapterComplete;
        RECEIVE_HANDLER pReceive;
#ifdef _WIN32_WINNT
        WAN_RECEIVE_HANDLER pWanReceive;
        SEND_PACKETS_HANDLER pSendPackets;
        WAN_SEND_HANDLER pWanSend;
        PNP_EVENT_HANDLER pPnPEvent;
        STATUS_HANDLER pStatus;
        STATUS_COMPLETE_HANDLER pStatusComplete;
#endif
        RECEIVE_PACKET_HANDLER pReceivePacket;
        SEND_COMPLETE_HANDLER pSendComplete;
        // WAN_SEND_COMPLETE_HANDLER pWanSendComplete;
        SEND_HANDLER pSend;
    };
    // Owner of this hook: a protocol record or a binding record (see
    // SProtoHandle / SAdapterHandle below), viewed through the same pointer.
    union
    {
        void *pParentHandle;
        struct _PROTO_HANDLE *pProtoHandle;
        struct _ADAPTER_HANDLE *pAdapterHandle;
    };
}SHookProc;
////////////////////////////////////////////////
// SProtoHandle: per-protocol hook record.  Holds the NDIS protocol handle
// plus one SHookProc (trampoline + saved original pointer) for each
// protocol-side callback that is hooked.  Pointed to by SHookProc::pProtoHandle.
//
typedef struct _PROTO_HANDLE
{
    NDIS_HANDLE ProtoHandle; //protocol handle
#define MAX_PROTONAME 32
    // char Name[MAX_PROTONAME];
    SHookProc pOpenAdapterComplete;
    // LAN receive and WAN receive hooks share storage; a protocol uses one
    // or the other (presumably selected by bWan below on NT builds -- confirm
    // against the code that fills this in).
    union
    {
        SHookProc pReceive;
        SHookProc pWanReceive;
    };
    SHookProc pReceivePacket;
    union
    {
        SHookProc pSendComplete;
        // SHookProc pWanSendComplete;
    };
#ifdef _WIN32_WINNT
    SHookProc pPnPEvent;
    SHookProc pStatusComplete;
    SHookProc pStatus;
    BOOLEAN bWan; //WAN-style binding flag
#endif
}SProtoHandle;
////////////////////////////////////////////////
// SAdapterHandle: per-binding hook record.  Holds the NDIS binding handle and
// context plus the SHookProcs for the send-side callbacks hooked on that
// binding.  Pointed to by SHookProc::pAdapterHandle.
//
#define MAX_SEND 2 //send hook slots per binding
typedef struct _ADAPTER_HANDLE
{
    NDIS_HANDLE NdisBindingHandle; //NDIS binding handle
    NDIS_HANDLE ProtocolBindingContext; //NDIS binding context
    PNDIS_HANDLE pNdisBindingHandle; //NOTE(review): role not visible here -- presumably where the binding handle is written back; confirm
    char nIndex; //NOTE(review): presumably the slot (0..MAX_SEND-1) currently in use below; confirm at the writer
    // LAN and WAN send hooks share storage, one entry per slot.
    union
    {
        SHookProc pSendHandler[MAX_SEND];
        SHookProc pWanSendHandler[MAX_SEND];
    };
    SHookProc pSendPackets[MAX_SEND];
}SAdapterHandle;
#pragma pack(pop)
#ifndef NDIS_API
#define NDIS_API __stdcall
#endif
///////////////////////////////////////
// Function-pointer types for the main NDIS entry points that get hooked, so
// the original entry point can be saved and called through.  All use the
// NDIS_API calling convention (__stdcall, see above).
//
// NdisRegisterProtocol signature.
//   Status                  [out] result status
//   NdisProtocolHandle      [out] handle for the registered protocol
//   ProtocolCharacteristics [in]  protocol callback table
//   CharacteristicsLength   [in]  size of that table, in bytes
typedef void
(NDIS_API *NDIS_REGISTER_PROTOCOL)(
    OUT PNDIS_STATUS Status,
    OUT PNDIS_HANDLE NdisProtocolHandle,
    IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,
    IN UINT CharacteristicsLength
);
// NdisDeregisterProtocol signature.
//   Status             [out] result status
//   NdisProtocolHandle [in]  handle returned by the register call
typedef VOID
(NDIS_API *NDIS_DEREGISTER_PROTOCOL)(
    OUT PNDIS_STATUS Status,
    IN NDIS_HANDLE NdisProtocolHandle
);
// NdisOpenAdapter signature.  Opens a binding between a registered protocol
// and an adapter.
//   Status                 [out] result status
//   OpenErrorStatus        [out] additional error detail
//   NdisBindingHandle      [out] handle for the new binding
//   SelectedMediumIndex    [out] index into MediumArray that was chosen
//   MediumArray            [in]  media the protocol supports
//   MediumArraySize        [in]  number of entries in MediumArray
//   NdisProtocolHandle     [in]  the protocol's handle
//   ProtocolBindingContext [in]  caller context attached to the binding
//   AdapterName            [in]  name of the adapter to bind to
//   OpenOptions            [in]  open flags
//   AddressingInformation  [in, optional] media-specific addressing data
typedef VOID
(NDIS_API *NDIS_OPENADAPTER)(
    OUT PNDIS_STATUS Status,
    OUT PNDIS_STATUS OpenErrorStatus,
    OUT PNDIS_HANDLE NdisBindingHandle,
    OUT PUINT SelectedMediumIndex,
    IN PNDIS_MEDIUM MediumArray,
    IN UINT MediumArraySize,
    IN NDIS_HANDLE NdisProtocolHandle,
    IN NDIS_HANDLE ProtocolBindingContext,
    IN PNDIS_STRING AdapterName,
    IN UINT OpenOptions,
    IN PSTRING AddressingInformation OPTIONAL
);
// NdisCloseAdapter signature.
//   Status            [out] result status
//   NdisBindingHandle [in]  binding returned by the open call
typedef VOID
(NDIS_API *NDIS_CLOSEADAPTER)(
    OUT PNDIS_STATUS Status,
    IN NDIS_HANDLE NdisBindingHandle
);
// NdisSend signature.
//   Status            [out] result status
//   NdisBindingHandle [in]  binding to send on
//   Packet            [in]  packet descriptor to transmit
typedef VOID
(NDIS_API *NDIS_SEND)(
    OUT PNDIS_STATUS Status,
    IN NDIS_HANDLE NdisBindingHandle,
    IN PNDIS_PACKET Packet
);
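///////////////////////////////////////////////////////////
// Three transaction codes for the proxy-restriction handshake and one code
// that notifies the AS "infected process" handler.
// With proxy restriction enabled, the handshake lets two machines that come
// online at the same time still reach each other.
#define MAC_REQUEST 0 // ask whether a given MAC is online
#define MAC_REPLY 1 // answer that this MAC is online
#define MAC_DECLINE 2 // tell other MACs that this MAC has gone offline
#define NOTIFY_STOPPROC 3 // notify the AS infected-process handler
#define MAC_PORT 50086 // UDP port used for these transactions
// Liveness tests on an SMac entry.  Every macro argument is parenthesized in
// the expansion so callers may pass expressions (e.g. a ternary or a shifted
// value) for uCurTime without precedence surprises.
// oktime == 0 means "never verified".  The windows (360 and 177) are in the
// same unit as oktime/uCurTime -- NOTE(review): unit not visible here; confirm.
// Both subtractions are unsigned when ULONG is used, so uCurTime < oktime
// wraps to a large value (MAC_OK false, MAC_CHKOK true).
#define MAC_OK(uCurTime,pMac) ((pMac)->oktime && (uCurTime)-(pMac)->oktime<=360)
#define MAC_CHKOK(uCurTime,pMac) ((uCurTime)-(pMac)->oktime>=177)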
// Record of another online MAC.  An entry is kept only for peers this host
// actually needs to talk to.
#define MAX_MAC 128 //maximum number of tracked peers
typedef struct
{
    UCHAR mac[6]; //peer MAC address
    ULONG ip; //peer IP address
    ULONG chktime; //time of the last check (presumably when MAC_REQUEST was last sent -- confirm)
    ULONG oktime; //time of the last successful check; 0 = never verified (see MAC_OK)
}SMac;
// EtherType and IP protocol numbers used when classifying frames.
#define ETH_P_IP 0x0800 //EtherType: IPv4
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17
// Wire-format headers below are packed so they can be overlaid directly on a
// frame buffer.  Multi-byte fields therefore hold network byte order;
// NOTE(review): no byte swapping is visible in this header, so comparisons
// against constants such as ETH_P_IP must convert at the use site.
#pragma pack(1)
//Ethernet header
typedef struct
{
    UCHAR dmac[6]; //destination MAC
    UCHAR smac[6]; //source MAC
    USHORT proto; //EtherType (network byte order)
}SEth;
//IPv4 header
// Bit-field order (ip_hl first, then ip_v) relies on the compiler allocating
// bit-fields from the least-significant bit of the byte; that matches the wire
// format (version in the high nibble) on MSVC/x86 but is not portable.
// NOTE(review): ip_len and ip_off are declared signed although the wire fields
// are 16-bit unsigned; values >= 0x8000 read as negative.  Consumers that
// bounds-check with these fields should cast to USHORT first.
typedef struct
{
    UCHAR ip_hl:4, /* header length, in 32-bit words */
    ip_v:4; /* version */
    UCHAR ip_tos; /* type of service */
    short ip_len; /* total length (network byte order, see note above) */
    USHORT ip_id; /* identification */
    short ip_off; /* flags + fragment offset (network byte order, see note above) */
    UCHAR ip_ttl; /* time to live */
    UCHAR ip_p; /* protocol: IPPROTO_TCP / IPPROTO_UDP / ... */
    USHORT ip_sum; /* header checksum */
    ULONG ip_src; /* source address */
    ULONG ip_dst; /* destination address */
}SIp;
//UDP header
// NOTE(review): len is declared signed although the wire field is 16-bit
// unsigned; cast to USHORT before using it as a size.
typedef struct
{
    USHORT sport; /* source port */
    USHORT dport; /* destination port */
    short len; /* udp length (header + payload, network byte order) */
    USHORT sum; /* udp checksum */
}SUdp;
//Pseudo-header used when computing a checksum.  The field layout
//(src, dst, zero, protocol, length) is the standard TCP/UDP checksum
//pseudo-header, so it is presumably prepended when computing SUdp::sum.
typedef struct
{
    ULONG ip_src; /* source address */
    ULONG ip_dst; /* destination address */
    UCHAR zero; /* always 0 */
    UCHAR ip_p; /* protocol (IPPROTO_UDP / IPPROTO_TCP) */
    USHORT usLen; /* transport segment length, network byte order */
}SPsh;
//Transaction packet: exchanged between online hosts to confirm presence
//(MAC_REQUEST / MAC_REPLY / MAC_DECLINE) and sent to the AS infected-process
//handler (NOTIFY_STOPPROC).  nCode selects which union member is valid.
//NOTE(review): MAX_PNAME_LEN0 is not defined in this header; it must come
//from an earlier include.
typedef struct
{
    long nCode; //MAC_REQUEST, MAC_REPLY, MAC_DECLINE or NOTIFY_STOPPROC
    union
    {
        struct
        {
            UCHAR mac1[6];
            long nCode; //NOTE(review): distinct from the outer nCode; meaning not visible here -- confirm
            UCHAR mac2[6];
        }proxy; //MAC_* transactions
        // Process name for NOTIFY_STOPPROC.  This buffer arrives from the
        // network (UDP port MAC_PORT), so the receiver must not assume it is
        // NUL-terminated: bound every read by MAX_PNAME_LEN0 and terminate a
        // local copy before handing it to anything that expects a C string.
        char szStopProc[MAX_PNAME_LEN0];
    };
}SDrvPkt;
//Information broadcast by the AS on the DHCP port, once every 2 seconds.
//NOTE(review): nothing in this layout authenticates the sender, while the
//flags below switch policy on the receiver.  Confirm that the receiver
//validates the source (at least AsMac against a known value) before acting
//on bAllowProxy / bOpenNetBIOS / uHomepageIp.
typedef struct
{
    USHORT nVer; //version
    ULONG nServTime; //AS time; currently unused
    BOOLEAN bAllowProxy; //whether proxying is allowed
    BOOLEAN bOpenNetBIOS; //whether Network Neighborhood (NetBIOS) is allowed
    ULONG uHomepageIp; //home page IP
    UCHAR AsMac[6]; //AS MAC address
}SMyDhcp;
#pragma pack()
//Three states for the destination IPs of IP packets a process sends
#define PPS_IP_COMMON 0 //normal
#define PPS_IP_CHECK 1 //under observation
#define PPS_IP_STOP 2 //sending stopped
//Two states for the destination IPs of ARP packets a process sends
#define PPS_ARP_COMMON 0 //normal
#define PPS_ARP_STOP 1 //sending stopped
//Two states for the number of packets a process sends
#define PPS_PKT_COMMON 0 //normal
#define PPS_PKT_STOP 1 //sending stopped
//Limits for the per-process counters in SProcessPkt below
#define MAX_TIP 130 //maximum number of distinct destination IPs for IP packets
#define MAX_ARP 30 //maximum number of distinct destination IPs for ARP packets
#define MAX_PKT 8000 //maximum packet count
#define CHECK_TIME 3000 //check interval, 3000 milliseconds
//Per-process record of outbound packet activity used for the PPS_* checks.
//NOTE(review): MAX_PNAME_LEN is not defined in this header; it must come from
//an earlier include (and is distinct from MAX_PNAME_LEN0 used by SDrvPkt).
typedef struct
{
    char szProcess[MAX_PNAME_LEN]; //process name
    //Destination-IP check for IP packets
    char nIpStatus; //state, expected to hold a PPS_IP_* value
    USHORT uIpPktNum; //packet count
    ULONG uIpCheckTime; //time of the last check
    USHORT uIpIpNum; //number of distinct destination IPs recorded (<= MAX_TIP)
    ULONG uIpIps[MAX_TIP]; //distinct destination IPs
    //Destination-IP check for ARP packets
    char nArpStatus; //state, expected to hold a PPS_ARP_* value
    ULONG uArpCheckTime; //time of the last check
    USHORT uArpIpNum; //number of distinct destination IPs recorded (<= MAX_ARP)
    ULONG uArpIps[MAX_ARP]; //distinct destination IPs
    //Packet-count check
    char nPktStatus; //state, expected to hold a PPS_PKT_* value
    ULONG uPktCheckTime; //time of the last check
    USHORT uPktPktNum; //packet count
}SProcessPkt;
//extern ULONG GetSystemTime();
// Helpers implemented elsewhere in the driver.
// NOTE(review): an empty parameter list in C means "unspecified arguments";
// if GetProcessName takes none, declare it as GetProcessName(void).
extern char* GetProcessName();
// szStopProc is presumably consumed as a C string, so the caller must ensure
// it is NUL-terminated (see the note on SDrvPkt::szStopProc).
extern void NotifyStopProc(const char *szStopProc,ULONG uWhy);
//extern int HookProtoProc(SHookProc *pHookProc,void **ppOldProc,void *pNewProc,void *pParentHandle);
//Three constants: DNAT MAC, broadcast MAC and null MAC
// NOTE(review): g_dnatmac and g_brdctmac are *definitions* (neither static nor
// extern) in a header.  Every translation unit that includes this file gets
// its own copy, and linking fails with duplicate symbols if it is included
// from more than one.  Keep the header single-include, or move the
// definitions to a .c file and leave extern declarations here.
UCHAR g_dnatmac[6]={0x03,0x00,0x00,0x00,0x00,0x01};
UCHAR g_brdctmac[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
static UCHAR g_nullmac[6]; //all zeros (static storage is zero-initialized)
#endif //_DRIVERDEF_H_