#include "ntddk.h"
#include "ntddndis.h"
#include "pfhook.h"
#include "filter.h"
/* IANA IP protocol number for TCP (RFC 791 "Protocol" field, byte 9 of the IPv4 header). */
#define PROT_TCP 6
/* Native name of the control device created in DriverEntry. */
#define NT_DEVICE_NAME L"\\Device\\IbanHook"
/* Win32-visible symbolic link to NT_DEVICE_NAME; any user-mode caller can open it. */
#define DOS_DEVICE_NAME L"\\DosDevices\\IbanHookV1"
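/*
 * DriverEntry - load-time initialisation of the IP filter hook driver.
 *
 * Creates the control device (NT_DEVICE_NAME) and its DOS symbolic link,
 * locates the system IP filter driver (DD_IPFLTRDRVR_DEVICE_NAME) and
 * registers DropTcpPackets as its packet-filter extension via
 * IOCTL_PF_SET_EXTENSION_POINTER.
 *
 * Note: the hook is installed here, at load time, not when a user-mode
 * client opens the device; SetFilterHook/CloseFilterHook (IRP_MJ_CREATE /
 * IRP_MJ_CLOSE) only complete the request despite their names.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS with every resource
 * acquired up to that point (device, symbolic link, filter-driver
 * reference) released again.
 */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
PDEVICE_OBJECT deviceObject = NULL;
NTSTATUS status;
PIPFILTER_INFO deviceInfo;
UNICODE_STRING uniNtNameString;
UNICODE_STRING uniWin32NameString;
UNICODE_STRING uniIPFILTERNameString;
PIRP ipFilterIRP = NULL;
KEVENT ioctlEvent;
IO_STATUS_BLOCK ioctlStatus;

UNREFERENCED_PARAMETER(RegistryPath);

RtlInitUnicodeString(&uniNtNameString, NT_DEVICE_NAME);

/* 1. Create the control device.
 * The device extension must hold a whole IPFILTER_INFO record.  The
 * original passed sizeof(deviceInfo) -- the size of a pointer -- so
 * every later write to deviceInfo->ipfilter / filterObject / callback
 * ran past the end of the extension (kernel pool overflow).
 * FILE_DEVICE_SECURE_OPEN makes the device's security descriptor apply
 * to every open of the device, including opens with a trailing name. */
status = IoCreateDevice(DriverObject,
    sizeof(*deviceInfo),
    &uniNtNameString,
    FILE_DEVICE_UNKNOWN,
    FILE_DEVICE_SECURE_OPEN,
    FALSE,
    &deviceObject);
if (!NT_SUCCESS(status)) {
    return status;
}
deviceInfo = (PIPFILTER_INFO)deviceObject->DeviceExtension;
RtlZeroMemory(deviceInfo, sizeof(*deviceInfo));

DriverObject->MajorFunction[IRP_MJ_CREATE] = SetFilterHook;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseFilterHook;
DriverObject->DriverUnload = FilterUnload;

/* 2. Create the DOS symbolic link.  On failure release the device and
 * return: the original deleted the device and then kept using it. */
RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
status = IoCreateSymbolicLink(&uniWin32NameString, &uniNtNameString);
if (!NT_SUCCESS(status)) {
    IoDeleteDevice(deviceObject);
    return status;
}

/* 3. Locate the system IP filter driver.  ipfilter receives the
 * referenced file object (must be released with ObDereferenceObject;
 * FilterUnload does so), filterObject the device object the IOCTL is
 * sent to.  The original never checked this status and dereferenced
 * NULL pointers when the filter driver was not running. */
RtlInitUnicodeString(&uniIPFILTERNameString, DD_IPFLTRDRVR_DEVICE_NAME);
status = IoGetDeviceObjectPointer(&uniIPFILTERNameString,
    FILE_ALL_ACCESS,
    &deviceInfo->ipfilter,
    &deviceInfo->filterObject);
if (!NT_SUCCESS(status)) {
    goto fail_link;
}

/* 4. Register the packet-filter extension.  The IOCTL is issued
 * synchronously: hand the I/O manager an event and a status block and
 * wait if the lower driver returns STATUS_PENDING, so that the result
 * is known before we report success. */
deviceInfo->callback.ExtensionPointer = DropTcpPackets;
KeInitializeEvent(&ioctlEvent, NotificationEvent, FALSE);
ipFilterIRP = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
    deviceInfo->filterObject,
    &deviceInfo->callback,
    sizeof(deviceInfo->callback),
    NULL,
    0,
    FALSE,
    &ioctlEvent,
    &ioctlStatus);
if (ipFilterIRP == NULL) {
    status = STATUS_INSUFFICIENT_RESOURCES;
    goto fail_filter;
}
status = IoCallDriver(deviceInfo->filterObject, ipFilterIRP);
if (status == STATUS_PENDING) {
    KeWaitForSingleObject(&ioctlEvent, Executive, KernelMode, FALSE, NULL);
    status = ioctlStatus.Status;
}
if (!NT_SUCCESS(status)) {
    goto fail_filter;
}
return STATUS_SUCCESS;

fail_filter:
/* Dropping the file-object reference also releases the device reference
 * taken by IoGetDeviceObjectPointer. */
ObDereferenceObject(deviceInfo->ipfilter);
deviceInfo->ipfilter = NULL;
deviceInfo->filterObject = NULL;
fail_link:
IoDeleteSymbolicLink(&uniWin32NameString);
IoDeleteDevice(deviceObject);
return status;
}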
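/*
 * FilterUnload - DriverUnload routine.
 *
 * Clears the packet-filter extension pointer in the IP filter driver,
 * releases the reference DriverEntry took on the filter driver, then
 * removes the symbolic link and the control device.
 *
 * The unhook must succeed before this image disappears: if the filter
 * driver still held DropTcpPackets after unload it would call into freed
 * code on the next packet.  DRIVER_UNLOAD cannot report failure, so a
 * failed unhook is only logged here.  (The return type is kept as NTSTATUS
 * to match the existing declaration in filter.h, although the I/O manager
 * expects a VOID DRIVER_UNLOAD routine and ignores the value.)
 */
NTSTATUS FilterUnload(PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uniWin32NameString;
PDEVICE_OBJECT deviceObject = DriverObject->DeviceObject;
PIPFILTER_INFO deviceInfo = NULL;
PIRP ipFilterIRP = NULL;
KEVENT ioctlEvent;
IO_STATUS_BLOCK ioctlStatus;
NTSTATUS status;

/* The original read deviceInfo uninitialised when no device existed. */
if (deviceObject != NULL) {
    deviceInfo = (PIPFILTER_INFO)deviceObject->DeviceExtension;
}

/* Unhook using the filter-driver objects saved by DriverEntry.  The
 * original called IoGetDeviceObjectPointer a second time, taking another
 * reference that -- like the first -- was never released, and issued the
 * IOCTL without an event or status block, so it never learned whether
 * the pointer was actually cleared. */
if (deviceInfo != NULL && deviceInfo->filterObject != NULL) {
    deviceInfo->callback.ExtensionPointer = NULL;
    KeInitializeEvent(&ioctlEvent, NotificationEvent, FALSE);
    ipFilterIRP = IoBuildDeviceIoControlRequest(IOCTL_PF_SET_EXTENSION_POINTER,
        deviceInfo->filterObject,
        &deviceInfo->callback,
        sizeof(deviceInfo->callback),
        NULL,
        0,
        FALSE,
        &ioctlEvent,
        &ioctlStatus);
    if (ipFilterIRP != NULL) {
        status = IoCallDriver(deviceInfo->filterObject, ipFilterIRP);
        if (status == STATUS_PENDING) {
            KeWaitForSingleObject(&ioctlEvent, Executive, KernelMode, FALSE, NULL);
            status = ioctlStatus.Status;
        }
        if (!NT_SUCCESS(status)) {
            KdPrint(("IbanHook: failed to clear filter extension pointer (0x%08X)\n", status));
        }
    } else {
        KdPrint(("IbanHook: could not build unhook IRP\n"));
    }

    /* Release the file-object reference from IoGetDeviceObjectPointer;
     * this also drops the associated device-object reference. */
    if (deviceInfo->ipfilter != NULL) {
        ObDereferenceObject(deviceInfo->ipfilter);
        deviceInfo->ipfilter = NULL;
    }
    deviceInfo->filterObject = NULL;
}

RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
IoDeleteSymbolicLink(&uniWin32NameString);
if (deviceObject != NULL) {
    IoDeleteDevice(deviceObject);
}
return STATUS_SUCCESS;
}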
// IRP_MJ_CREATE handler (the hook itself is installed in DriverEntry, not here)
/*
 * SetFilterHook - IRP_MJ_CREATE dispatch routine.
 *
 * Completes every open of the control device with STATUS_SUCCESS and no
 * output.  Despite its name it does not touch the packet-filter hook; the
 * hook is registered once in DriverEntry.  Any caller that can open
 * DOS_DEVICE_NAME reaches this routine, which is why it must do nothing
 * privileged.
 */
NTSTATUS SetFilterHook(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
const NTSTATUS completionStatus = STATUS_SUCCESS;

UNREFERENCED_PARAMETER(DeviceObject);
KdPrint(("ooh--create"));

/* Fill the status block before completion; the IRP must not be touched
 * once IoCompleteRequest has been called. */
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = completionStatus;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return completionStatus;
}
// IRP_MJ_CLOSE handler (does not remove the hook; see FilterUnload)
/*
 * CloseFilterHook - IRP_MJ_CLOSE dispatch routine.
 *
 * Completes the close of the control device with STATUS_SUCCESS and no
 * output.  It does not unhook the packet filter; that happens in
 * FilterUnload when the driver is unloaded.
 */
NTSTATUS CloseFilterHook(IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp)
{
const NTSTATUS completionStatus = STATUS_SUCCESS;

UNREFERENCED_PARAMETER(DeviceObject);
KdPrint(("ooh--Close"));

/* Fill the status block before completion; the IRP must not be touched
 * once IoCompleteRequest has been called. */
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = completionStatus;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return completionStatus;
}
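/* Byte offset of the "Protocol" field within an IPv4 header (RFC 791). */
enum { IPV4_HDR_PROTOCOL_OFFSET = 9 };

/*
 * DropTcpPackets - packet-filter extension registered with the IP filter
 * driver.  Drops TCP packets and forwards everything else.
 *
 * The original returned PF_DROP unconditionally (the TCP test was left
 * commented out), which discards every IP packet on every interface and
 * effectively takes the host off the network -- a self-inflicted denial
 * of service rather than the TCP filter the name and header comment
 * describe.
 *
 * PacketHeader points at the IP header the filter driver hands to the
 * hook; the pfhook interface carries 32-bit IPAddr values, so the header
 * is treated as IPv4 and the protocol number is read from byte 9.
 * NOTE(review): assumes the filter driver always supplies a complete
 * (>= 20 byte) IPv4 header -- PacketLength in this callback does not
 * describe the header, so it cannot be bounds-checked here; confirm
 * against the pfhook contract.
 *
 * Returns PF_DROP for TCP, PF_FORWARD otherwise.  Runs on the IP
 * receive/send path; keep it cheap and do not block.
 */
PF_FORWARD_ACTION
DropTcpPackets(
unsigned char *PacketHeader,
unsigned char *Packet,
unsigned int PacketLength,
unsigned int RecvInterfaceIndex,
unsigned int SendInterfaceIndex,
IPAddr RecvLinkNextHop,
IPAddr SendLinkNextHop
)
{
UNREFERENCED_PARAMETER(Packet);
UNREFERENCED_PARAMETER(PacketLength);
UNREFERENCED_PARAMETER(RecvInterfaceIndex);
UNREFERENCED_PARAMETER(SendInterfaceIndex);
UNREFERENCED_PARAMETER(RecvLinkNextHop);
UNREFERENCED_PARAMETER(SendLinkNextHop);

/* A missing header cannot be classified; let the stack handle it. */
if (PacketHeader == NULL) {
    return PF_FORWARD;
}

if (PacketHeader[IPV4_HDR_PROTOCOL_OFFSET] == PROT_TCP) {
    return PF_DROP;
}

return PF_FORWARD;
}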