Windows Filtering Platform - where is my packet payload?
I've been modifying the 'inspect' WFP example (bundled with the WinDDK) with the aim of being able to parse the payload of all incoming TCP packets (from a specified IP address) for certain strings. (I've already modified 'inspect' such that only TCP packets are caught by the filter)
So far my modifications have been on the 'TLInspectTransportClassify' classifyFn, as shown below. My aim is to have access to the payload of each TCP packet that is caught.
    FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
    FWPS_STREAM_DATA* streamData;
    SIZE_T streamLength;
    BYTE* stream = NULL;
    SIZE_T bytesCopied = 0;
    [...]
    if(ioPacket == NULL) {
        DbgPrint("ioPacket == NULL\n");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    streamData = ioPacket->streamData;
    if(!streamData) { // why is this always NULL? shouldn't our payload be here?
        DbgPrint("streamData == NULL: no data\n");
        classifyOut->actionType = FWP_ACTION_PERMIT;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }
    DbgPrint("tcp packet has some data\n");
    streamLength = streamData->dataLength;
    stream = ExAllocatePoolWithTag(NonPagedPool,
                                   streamLength,
                                   'yftN');
    if (!stream)
        return STATUS_INSUFFICIENT_RESOURCES;
    RtlZeroMemory(stream, streamLength);
    FwpsCopyStreamDataToBuffer0(
        streamData,
        stream,
        streamLength,
        &bytesCopied);
    // should now have our tcp payload in 'stream' buffer(?)
    DbgPrint("reached parsing code\n");
    [...]
From my understanding, after declaring ioPacket as above, ioPacket->streamData should contain the packet's payload. However, ioPacket->streamData is ALWAYS NULL for me. How do I get the packet's payload? Am I doing something wrong?
Thanks in advance.
'TLInspectTransportClassify' is on TRANSPORT_LAYER, where layerData should be cast to NET_BUFFER_LIST.
FWPS_STREAM_CALLOUT_IO_PACKET is for FWPM_LAYER_STREAM_V4/FWPM_LAYER_STREAM_V6.
See MSDN classifyFn0:
http://msdn.microsoft.com/en-us/library/ff544890(VS.85).aspx
Management Filtering Layer Identifiers:
http://msdn.microsoft.com/en-us/library/ff557101(VS.85).aspx
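Once the callout sits at the stream layer the answer points to, the bytes copied out by FwpsCopyStreamDataToBuffer0 arrive one segment per classify call, so a string the asker is looking for can straddle two calls. The following is an added example, not code from the question or from the WDK 'inspect' sample: a plain C scanner with no WFP dependencies that carries the tail of the previous segment forward so a split string is still found exactly once. The names SCAN_STATE, ScanSegment and CountAcrossSegments and the sample segments are constructed for this illustration.

```c
#include <string.h>
#define MAX_PATTERN 64  /* longest pattern supported; MAX_PATTERN-1 bytes are carried over */
typedef struct _SCAN_STATE { unsigned char tail[MAX_PATTERN - 1]; size_t tailLen; } SCAN_STATE;

/* Count matches of pat that start in buf[0..maxStart) and fit inside buf[0..len). */
static size_t CountMatches(const unsigned char *buf, size_t len,
                           const unsigned char *pat, size_t patLen, size_t maxStart)
{
    size_t n = 0, i;
    for (i = 0; i < maxStart && i + patLen <= len; i++)
        if (memcmp(buf + i, pat, patLen) == 0) n++;
    return n;
}

/* Scan one stream segment (e.g. the buffer filled by FwpsCopyStreamDataToBuffer0).
   A match that straddles the previous segment boundary is counted exactly once. */
size_t ScanSegment(SCAN_STATE *st, const unsigned char *seg, size_t segLen,
                   const unsigned char *pat, size_t patLen)
{
    unsigned char boundary[2 * (MAX_PATTERN - 1)];
    size_t found, carry, head, keep;
    if (patLen == 0 || patLen > MAX_PATTERN) return 0;
    /* 1. Window of the last patLen-1 carried bytes + first patLen-1 new bytes;
          only matches that start inside the carried bytes are counted here. */
    carry = st->tailLen < patLen - 1 ? st->tailLen : patLen - 1;
    head  = segLen < patLen - 1 ? segLen : patLen - 1;
    memcpy(boundary, st->tail + (st->tailLen - carry), carry);
    memcpy(boundary + carry, seg, head);
    found = CountMatches(boundary, carry + head, pat, patLen, carry);
    found += CountMatches(seg, segLen, pat, patLen, segLen); /* 2. matches entirely inside seg */
    if (segLen >= sizeof st->tail) {                         /* 3. carry last bytes of tail+seg */
        memcpy(st->tail, seg + segLen - sizeof st->tail, sizeof st->tail);
        st->tailLen = sizeof st->tail;
    } else {
        keep = st->tailLen + segLen > sizeof st->tail ? sizeof st->tail - segLen : st->tailLen;
        memmove(st->tail, st->tail + (st->tailLen - keep), keep);
        memcpy(st->tail + keep, seg, segLen);
        st->tailLen = keep + segLen;
    }
    return found;
}

/* Feed constructed segments through one state, as a callout does across classify calls. */
size_t CountAcrossSegments(const char *const *segs, size_t nSegs, const char *pat)
{
    SCAN_STATE st = { {0}, 0 }; size_t i, total = 0;
    for (i = 0; i < nSegs; i++)
        total += ScanSegment(&st, (const unsigned char *)segs[i], strlen(segs[i]),
                             (const unsigned char *)pat, strlen(pat));
    return total;
}
```

In a real callout the SCAN_STATE would live in per-flow context so that each TCP stream carries its own tail between classify calls.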