Windows网络数据包修改

发布于 2024-08-16 19:48:35 字数 348 浏览 6 评论 0 原文

我正在编写一个小程序,它将拦截网络数据包(在本地计算机上)并在它们进入网络之前对其进行修改。我还需要能够修改标题,而不仅仅是数据。

我已经研究了几种可能性,但不确定最好选择哪一种。那里有开源数据包过滤器,但过滤似乎只能允许或拒绝数据包,除此之外别无其他。

另一个解决方案是编写一个 NDIS 中间驱动程序,但编写驱动程序超出了我的能力范围。即使是 WinDDK 中简单的传递示例也有数千行。我也不希望不断地重新安装驱动程序并重新启动来测试我的代码。

理想情况下,我希望该程序是独立的,而不依赖于第三方驱动程序/软件/其他内容的安装。

因此,如果你们能给我指出正确的方向,向我提供一些有用的链接,无论如何,我将不胜感激。

I'm looking to write a small program which will intercept network packets (on the local machine) and modify them before they go out on the network. I need to be able to modify the headers as well, not just the data.

I've already looked through several possibilities but am unsure which one is best to pursue. There are open source packet filters out there, but filtering only seems to be able to either allow or reject packets, not much else.

The other solution would be to write an NDIS intermediate driver, but writing drivers is a beyond me. Even the simple pass-thru example in the WinDDK is thousands of lines. I'm also not looking forward to having to constantly reinstall a driver and reboot to test my code.

I'd ideally like the program to be self contained, and not rely on the installation of 3rd party drivers/software/whatever.

So if you people could point me in the right direction, throw some helpful links my way, whatever, I'd appreciate it.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

风月客 2024-08-23 19:48:35

取决于您要过滤/修改哪种数据包。

如果您需要应用程序级过滤,并且想要获得 HTTP 或类似的数据包,那么您最好的选择可能是 LSP。但请注意,遵循此路径有某些缺点。首先MS似乎正试图摆脱这项技术,而IIRC Windows 7徽标要求的一部分是“您的产品中没有LSP”,他们似乎正在推广Windows 过滤平台。其次,您会对在第 3 方 LSP 兼容性方面遇到的麻烦感到非常惊讶。第三,非常的虚拟 LSP 仍然在 2 KLOC 左右:)

如果您需要 IP 级别的数据包过滤,则需要寻找驱动程序。

Windows 筛选平台为您提供了这两种情况所需的功能。但是,它仅适用于 Windows Vista 及更高版本的产品,因此 XP 上不支持。另一件需要考虑的事情是,WFP 只能在用户态允许/拒绝数据包,如果您需要修改它们,则需要进入内核模式。 (至少当时的情况是这样的,也许他们现在已经有所改善)。

Depends what kind of packets do you want to filter/modify.

If you're after application-level filtering, and want to get your hands on HTTP or similar packets, your best bet would probably be an LSP. Note however, following this path has certain disadvantages. First MS seems to be trying to get rid of this technology, and IIRC a part of Windows 7 logo requirements is "no LSP in your product", they seem to be promoting the Windows Filtering Platform. Second, you'd be very surprised with how much trouble you're getting into in terms of 3rd party LSP compatibility. Third, a very dummy LSP is still around 2 KLOC :)

If you're after an IP level packet filtering you'd need to go for a driver.

Windows Filtering Platform provides you with functionality needed in either case. However, it's only available on Windows Vista and later products, so no XP there. Another thing to take into consideration, WFP was only capable of allow/reject packets in user-land, and if you need to modify them, you'd need to go kernel-mode. (At least that what the situation was at the time it appeared, maybe they've improved something by now).

掩耳倾听 2024-08-23 19:48:35

恕我直言,如果你想修改数据包,你需要一些东西来与硬件对话,某种驱动程序。如果您不想使用自己的驱动程序,则应该使用第三方驱动程序进行互操作。

对于过滤,有一些库,例如:winpcap 或 libpcap。

另请查看此处:http://www.ntkernel.com/w& p.php?id=7

另一个链接:http://bittwist.sourceforge.net/

希望这有帮助!

IMHO, If you want to modify packets you'll need something to talk to the hardware, a driver of some kind. If you do not want to use your own, you should get a 3rd party driver to inter-operate with.

For filtering there's libraries like: winpcap or libpcap.

Also have a look here: http://www.ntkernel.com/w&p.php?id=7

Another link: http://bittwist.sourceforge.net/

Hope this helps!

梨涡少年 2024-08-23 19:48:35

winpcap 只能过滤具有预编译条件的数据包。你需要的是编写LSP级别的网络驱动程序。您不需要每次重新安装它时都重新启动,但它确实可以在数据包发送到网络之前对其进行修改。
更多信息请参见:http://blogs.msdn.com/ wndp/archive/2006/02/09/529031.aspx 或此处:http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

winpcap is only able to filter packets with precompiled conditions. What you need is to write LSP-level network driver. You won't need to reboot every time you reinstall it, but it can really modify packets before they go out to the network.
More info here: http://blogs.msdn.com/wndp/archive/2006/02/09/529031.aspx or here: http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

归途 2024-08-23 19:48:35

我不是专家,但我希望在我的局域网上做类似的事情。我想拦截来自一个固定 IP 的数据包并在它们进入我的路由器然后进入互联网之前对其进行修改。我还想在允许返回的数据包到达我的主机之前捕获并修改它们。我设想的方法是这样的...

  1. ARP 毒害了主机和路由器,所以我的嗅探机让所有数据包都通过它。
  2. 分析我将来想要修改的数据包,并查找这些数据包的独特特征,以便我可以捕获它们。
  3. 编写一个宏/脚本来实时查找所述特征,然后在发送之前对其进行动态修改。

我知道 Windows 版 Cain&Abel 能够(哈哈)进行 ARP 毒害,但我不确定它是否可以提供数据包内容的原始转储。 Wireshark 能够转储所有内容,但不确定它是否可以 ARP 毒害,以便得到我想要的东西,如果不能,那么我可以轻松地将我想要拦截的主机通过以太网连接到我的嗅探器机器,然后通过共享互联网嗅探器,以便所有数据包无论如何都会通过嗅探器机器。

所以第 1 步可以完成,我不知道所述程序是否有能力根据具体情况进行过滤,但我猜它们有。

据我所知。希望这对某人有帮助,也许其他人可以更进一步?

I'm no expert but I'm looking to do something similar on my LAN. I want to intercept packets form one single fixed IP and modify them before they go to my router then out onto the internet. I also want to capture and modify the returning packets prior to allowing them through to my host. The method I had envisaged was something like this...

  1. ARP poison the host and router so my sniffing machine was having all packets passed through it.
  2. Analyse the packets that I will want to modify in future and look for unique characteristics to those packets so I can catch just them.
  3. Write a macro/script that looked for said characteristic in real-time and then modified it on the fly before sending it on its' way.

I know Cain&Abel for Windows is able (haha) to ARP poison but I'm not sure if it can provide raw dump of packet contents. Wireshark is able to dump all but not sure if it can ARP poison so as just to get what I'm after, if not then I can easily connect the host I want to intercept to my sniffer machine via ethernet and then share the internet via the sniffer so that all packets will go through the sniffer machine anyway.

So step 1 can be accomplished, I don't know if said programs have the ability to filter based on specifics yet but I'm guessing they do.

That's as far as I am with it. Hope this is of help to someone and maybe someone else can take this further?

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文