#include "precomp.h"
#include "stdio.h"
NTSTATUS
PA_Create(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP pIrp
    )
/*
 * IRP_MJ_CREATE dispatch routine.
 *
 * Clears the two per-open context slots on the file object and completes
 * the request with STATUS_SUCCESS and zero bytes of information.
 * DeviceObject is unused.
 */
{
    PIO_STACK_LOCATION irpSp;
    PFILE_OBJECT fileObject;

    (void)DeviceObject;
    KdPrint(("==>PA_Create: \n"));

    irpSp = IoGetCurrentIrpStackLocation(pIrp);
    fileObject = irpSp->FileObject;
    fileObject->FsContext = NULL;
    fileObject->FsContext2 = NULL;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    KdPrint(("<==PA_Create: \n"));
    return STATUS_SUCCESS;
}
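NTSTATUS
PA_Cleanup(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP pIrp
    )
/*
 * IRP_MJ_CLEANUP dispatch routine.
 *
 * Stops capture (clears StartCapFlag) when the global state block exists,
 * then completes the IRP with STATUS_SUCCESS. The log file is opened and
 * closed per record by ThreadPacketLogger, so there is no handle to close
 * here. DeviceObject is unused.
 */
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)DeviceObject;
    DBGPRINT(("==>PA_Cleanup============================================\n"));

    /* The state block may not exist yet when a handle is torn down. */
    if (pGBSYS != NULL) {
        pGBSYS->StartCapFlag = FALSE;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    DBGPRINT(("<==PA_Cleanup============================================\n"));
    return status;
}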
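NTSTATUS
PA_Close(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP pIrp
    )
/*
 * IRP_MJ_CLOSE dispatch routine.
 *
 * Mirrors PA_Create: clears FsContext/FsContext2 on the closing file object
 * and completes the IRP with STATUS_SUCCESS. DeviceObject is unused.
 */
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpSp;

    (void)DeviceObject;
    KdPrint(("==>PA_Close \n"));

    irpSp = IoGetCurrentIrpStackLocation(pIrp);
    irpSp->FileObject->FsContext = NULL;
    irpSp->FileObject->FsContext2 = NULL;

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    /* Exit trace names this routine; it previously said "DevClose", which
     * matches no routine in this file and made the trace pairs hard to read. */
    DBGPRINT(("<==PA_Close \n"));
    return status;
}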
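NTSTATUS
PA_DevIoControl(
    IN PDEVICE_OBJECT Device_Object,
    IN PIRP pIrp
    )
/*
 * IRP_MJ_DEVICE_CONTROL dispatch routine.
 *
 * Supports two control codes that only toggle the capture flag:
 *   IOCTL_START_LOG - set StartCapFlag, complete with STATUS_SUCCESS
 *   IOCTL_STOP_LOG  - clear StartCapFlag, complete with STATUS_SUCCESS
 * Anything else completes with STATUS_INVALID_DEVICE_REQUEST. Neither
 * code carries input or output data, so the buffer lengths are not read
 * and Information is always 0. Device_Object is unused.
 *
 * Which callers may issue these codes is decided by the device object's
 * security descriptor, set where the device is created (not in this file).
 */
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION irpSp;
    ULONG controlCode;
    ULONG transferLen = 0;   /* bytes returned to the caller; always 0 here */

    (void)Device_Object;
    KdPrint(("==>PA_DevIoControl\n"));

    irpSp = IoGetCurrentIrpStackLocation(pIrp);
    controlCode = irpSp->Parameters.DeviceIoControl.IoControlCode;

    /* Both codes dereference the global state block; refuse the request
     * rather than fault if it does not exist (PA_Cleanup makes the same check). */
    if (pGBSYS == NULL) {
        status = STATUS_DEVICE_NOT_READY;
    } else {
        switch (controlCode) {
        case IOCTL_START_LOG:
            KdPrint(("Now Start Log……\n"));
            pGBSYS->StartCapFlag = TRUE;
            status = STATUS_SUCCESS;
            break;
        case IOCTL_STOP_LOG:
            KdPrint(("Now Stop Log……\n"));
            pGBSYS->StartCapFlag = FALSE;
            status = STATUS_SUCCESS;
            break;
        default:
            KdPrint(("Other IOCTLs\n"));
            break;
        }
    }

    pIrp->IoStatus.Information = (status == STATUS_SUCCESS) ? transferLen : 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    KdPrint(("<==PA_DevIoControl\n"));
    return status;
}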
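void
CopyPacket2Buffer(
    IN PNDIS_PACKET pPacket,
    IN OUT PUCHAR pBuff,
    IN OUT PUINT pLength
    )
/*
 * Flattens the NDIS_BUFFER chain of pPacket into the contiguous buffer
 * pBuff and stores the number of bytes copied in *pLength.
 *
 * Caller contract: pBuff must hold at least the packet's total length
 * (NdisQueryPacket's TotalPacketLength); nothing here bounds the copy
 * against the destination, because the destination size is not passed in.
 *
 * NdisQueryBufferSafe is used instead of NdisQueryBuffer so that a buffer
 * whose system address cannot be obtained under memory pressure stops the
 * copy (with *pLength reflecting the bytes copied so far) instead of
 * faulting.
 */
{
    PNDIS_BUFFER mdl = NULL;
    PUCHAR va = NULL;
    UINT chunk = 0;

    *pLength = 0;

    /* Only the first buffer descriptor of the chain is needed here. */
    NdisQueryPacket(pPacket, NULL, NULL, &mdl, NULL);

    for (; mdl != NULL; NdisGetNextBuffer(mdl, &mdl)) {
        NdisQueryBufferSafe(mdl, &va, &chunk, NormalPagePriority);
        if (va == NULL) {
            break;   /* no system address available; partial copy is reported via *pLength */
        }
        NdisMoveMemory(pBuff, va, chunk);
        pBuff += chunk;
        *pLength += chunk;
    }
}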
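/* Capacity of the scratch buffer one formatted log record is built in. */
enum { PA_LOG_RECORD_SIZE = 1024 };

/* NT path of the capture log.
 * NOTE(review): a fixed path in the system drive root is a weak place for a
 * kernel-opened file; if a link or reparse point can be planted at this path,
 * the driver's write follows it. A protected directory, or opening with
 * FILE_OPEN_REPARSE_POINT, would remove that exposure. */
static const CCHAR PA_LOG_FILE_NAME[] = "\\DosDevices\\c:\\ip_packet.txt";

/* Promotes a byte field to unsigned so %02x never prints sign-extended ff's
 * should the packet fields be declared as plain (signed) char. */
#define PA_BYTE(b) ((unsigned int)(unsigned char)(b))

/*
 * Opens (creating if absent) the log file for synchronous append and stores
 * the handle in pGBSYS->hLogFile. On failure hLogFile is NULL and the
 * NTSTATUS of the failing call is returned.
 */
static NTSTATUS
PA_OpenLogFile(void)
{
    STRING ansiName;
    UNICODE_STRING fileName;
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK ioStatus;
    NTSTATUS status;

    RtlInitAnsiString(&ansiName, PA_LOG_FILE_NAME);
    status = RtlAnsiStringToUnicodeString(&fileName, &ansiName, TRUE);
    if (!NT_SUCCESS(status)) {
        pGBSYS->hLogFile = NULL;
        return status;
    }

    /* OBJ_KERNEL_HANDLE keeps the handle out of any user-mode handle table. */
    InitializeObjectAttributes(&attrs, &fileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* FILE_SYNCHRONOUS_IO_NONALERT requires SYNCHRONIZE in the desired access. */
    status = ZwCreateFile(&pGBSYS->hLogFile,
                          FILE_APPEND_DATA | SYNCHRONIZE,
                          &attrs,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          0,
                          FILE_OPEN_IF,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (!NT_SUCCESS(status)) {
        KdPrint(("status: %x\n", status));
        KdPrint(("file_status: %x\n", ioStatus.Status));
        pGBSYS->hLogFile = NULL;
    }

    RtlFreeUnicodeString(&fileName);
    return status;
}

/*
 * Formats one capture record (timestamp, MAC addresses, total length, IP
 * addresses) into buffer (capacity bytes) and appends it to the open log
 * file pGBSYS->hLogFile. Returns the ZwWriteFile status.
 */
static NTSTATUS
PA_WriteLogRecord(PTIME_FIELDS pTime, PIPPacket pkt, PUCHAR buffer, ULONG capacity)
{
    IO_STATUS_BLOCK ioStatus;
    int len;

    /* Bounded format. MSVC's _snprintf returns -1 and may omit the terminator
     * when the output does not fit, so the buffer is terminated explicitly. */
    len = _snprintf((char *)buffer, capacity - 1,
                    "抓包时间: %04d-%02d-%02d %02d-%02d-%02d\r\n 目的MAC地址: %02x:%02x:%02x:%02x:%02x:%02x 源MAC地址: %02x:%02x:%02x:%02x:%02x:%02x\r\n总长度(字节) %d: 源IP地址: %02d.%02d.%02d.%02d 目的IP地址:%02d.%02d.%02d.%02d\r\n\r\n\r\n\0",
                    pTime->Year, pTime->Month, pTime->Day, pTime->Hour, pTime->Minute, pTime->Second,
                    PA_BYTE(pkt->targ_hw_addr[0]), PA_BYTE(pkt->targ_hw_addr[1]), PA_BYTE(pkt->targ_hw_addr[2]),
                    PA_BYTE(pkt->targ_hw_addr[3]), PA_BYTE(pkt->targ_hw_addr[4]), PA_BYTE(pkt->targ_hw_addr[5]),
                    PA_BYTE(pkt->src_hw_addr[0]), PA_BYTE(pkt->src_hw_addr[1]), PA_BYTE(pkt->src_hw_addr[2]),
                    PA_BYTE(pkt->src_hw_addr[3]), PA_BYTE(pkt->src_hw_addr[4]), PA_BYTE(pkt->src_hw_addr[5]),
                    pkt->total_len,
                    pkt->sourceIP[0], pkt->sourceIP[1], pkt->sourceIP[2], pkt->sourceIP[3],
                    pkt->destIP[0], pkt->destIP[1], pkt->destIP[2], pkt->destIP[3]);
    if (len < 0) {
        len = (int)(capacity - 1);
    }
    buffer[len] = '\0';

    KdPrint(("Buffer: %s\n", buffer));

    /* Write the text bytes only; a terminating NUL does not belong in a text log. */
    return ZwWriteFile(pGBSYS->hLogFile, NULL, NULL, NULL, &ioStatus,
                       buffer, (ULONG)len, NULL, NULL);
}

/*
 * System thread body: drains the packet queue, appending one formatted
 * record per packet to the log file. Runs until bThreadTerminate is set and
 * the queue object is signalled.
 *
 * Each dequeued record's three pool blocks (the record, its TIME_FIELDS and
 * its packet copy) are freed on every path, including open/write failures
 * and pool exhaustion. The log file is opened and closed per record, and is
 * closed whether or not the write succeeds.
 */
VOID ThreadPacketLogger()
{
    PLIST_ENTRY entry;
    pPacket_Data record;
    PTIME_FIELDS pTime;
    PIPPacket pkt;
    PUCHAR buffer;
    NTSTATUS status;

    for (;;) {
        KeWaitForSingleObject(&pGBSYS->semQueue, Executive, KernelMode, FALSE, NULL);

        /* Checked before dequeuing so a terminate wake-up does not strand an entry. */
        if (pGBSYS->bThreadTerminate == TRUE) {
            PsTerminateSystemThread(STATUS_SUCCESS);
        }

        entry = ExInterlockedRemoveHeadList(&pGBSYS->QueueListHead, &pGBSYS->lockQueue);
        if (entry == NULL) {
            continue;   /* woken with nothing queued; CONTAINING_RECORD on NULL would not be NULL */
        }
        record = CONTAINING_RECORD(entry, Packet_Data, ListEntry);

        pTime = (PTIME_FIELDS)record->CurCapIPTime;
        pkt = (PIPPacket)record->IPBuffer;
        KdPrint(("Packet Time: %4d-%2d-%2d %2d-%2d-%2d\n", pTime->Year, pTime->Month, pTime->Day, pTime->Hour, pTime->Minute, pTime->Second));
        KdPrint(("Packet: H_frame_type %x L_frame_type %x\n", pkt->H_frame_type, pkt->L_frame_type));
        KdPrint(("Packet: proto %d\n", pkt->proto));

        buffer = (PUCHAR)ExAllocatePoolWithTag(NonPagedPool, PA_LOG_RECORD_SIZE, TAG);
        if (buffer == NULL) {
            KdPrint(("ThreadPacketLogger: no pool for log record, packet dropped\n"));
        } else {
            KdPrint(("Thread!打开文件\n"));
            /* An open failure drops this record and keeps the thread alive;
             * terminating here would leave the producer filling the queue with
             * nobody draining it. */
            status = PA_OpenLogFile();
            if (NT_SUCCESS(status)) {
                KdPrint(("thread!pGBSYS->hLogFile:%p\n", pGBSYS->hLogFile));
                status = PA_WriteLogRecord(pTime, pkt, buffer, PA_LOG_RECORD_SIZE);
                if (status != STATUS_SUCCESS) {
                    KdPrint(("Writing ip Packet to file...status: %x pGBSYS->hLogFile: %p\n\n", status, pGBSYS->hLogFile));
                } else {
                    KdPrint(("successfully written to file.\n\n"));
                }
                /* Closed on both outcomes so a failed write cannot leak the handle. */
                ZwClose(pGBSYS->hLogFile);
                pGBSYS->hLogFile = NULL;
            }
            ExFreePool(buffer);
        }

        ExFreePool(record->CurCapIPTime);
        ExFreePool(record->IPBuffer);
        ExFreePool(record);
    }
}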
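/*
 * Starts the packet logger system thread and takes an object reference on
 * it in pGBSYS->pThreadObj so the thread can be waited on at shutdown.
 *
 * Returns STATUS_DEVICE_NOT_READY if the global state block does not exist,
 * otherwise the status of PsCreateSystemThread / ObReferenceObjectByHandle.
 * The thread handle itself is always closed before returning.
 */
NTSTATUS InitThreadPacketLogger()
{
    HANDLE hThread = NULL;
    NTSTATUS status;

    if (pGBSYS == NULL) {
        return STATUS_DEVICE_NOT_READY;
    }
    pGBSYS->bThreadTerminate = FALSE;
    pGBSYS->pThreadObj = NULL;

    status = PsCreateSystemThread(&hThread, (ACCESS_MASK)0, NULL, NULL, NULL,
                                  (PKSTART_ROUTINE)ThreadPacketLogger, NULL);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    KdPrint(("Log Thread Create successfully!\n"));

    /* Pin the type to a thread object; the result must be checked, otherwise
     * pThreadObj is garbage and any later wait on it faults. */
    status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, *PsThreadType, KernelMode,
                                       (PVOID *)&pGBSYS->pThreadObj, NULL);

    /* The handle is only needed to take the reference; the thread is tracked
     * through pThreadObj from here on. */
    ZwClose(hThread);

    if (!NT_SUCCESS(status)) {
        /* The thread is running but cannot be waited on; request that it exit
         * at its next wake-up so it does not outlive the driver. */
        pGBSYS->pThreadObj = NULL;
        pGBSYS->bThreadTerminate = TRUE;
        KdPrint(("ObReferenceObjectByHandle on logger thread failed: %x\n", status));
        return status;
    }

    KdPrint(("IP Packet logger thread initialized; pThreadObject = %p\n", pGBSYS->pThreadObj));
    return status;
}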
/*
 * Fills *pTime with the current local time split into TIME_FIELDS.
 * System time is read (UTC) and converted to local time before splitting.
 */
VOID CurCapIPTime(PTIME_FIELDS pTime)
{
    LARGE_INTEGER utc;
    LARGE_INTEGER local;

    KeQuerySystemTime(&utc);
    ExSystemTimeToLocalTime(&utc, &local);
    RtlTimeToTimeFields(&local, pTime);
}