LSP网络监控

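#include <Ws2spi.h>
#include <Sporder.h>      // WSCWriteProviderOrder
#include <windows.h>
#include <stdio.h>
#include <vector>
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "Rpcrt4.lib")  // UuidCreate

// Fixed GUID of the hidden layered provider. RemoveProvider() finds the installed entry by this
// value, so it must stay constant between the install and the remove run.
GUID ProviderGuid = { 0xd3c21122, 0x85e1, 0x48f3,{ 0x9a, 0xb6, 0x23, 0xd9, 0x0c, 0x73, 0x07, 0xef } };

// Enumerates the Winsock catalog.
// lpnTotalProtocols: receives the entry count; 0 on failure (the original left it unset on its
//                    early-return path and callers then looped over an indeterminate count).
// Returns a GlobalAlloc'd array to release with FreeProvider(), or NULL on failure.
LPWSAPROTOCOL_INFOW GetProvider(LPINT lpnTotalProtocols)
{
    DWORD dwSize = 0;
    int nError = 0;
    *lpnTotalProtocols = 0;

    // With a NULL buffer WSCEnumProtocols reports the required size through WSAENOBUFS.
    if (::WSCEnumProtocols(NULL, NULL, &dwSize, &nError) == SOCKET_ERROR && nError != WSAENOBUFS)
        return NULL;
    if (dwSize == 0)
        return NULL;

    LPWSAPROTOCOL_INFOW pProtoInfo = (LPWSAPROTOCOL_INFOW)::GlobalAlloc(GPTR, dwSize);
    if (pProtoInfo == NULL)
        return NULL;

    int nCount = ::WSCEnumProtocols(NULL, pProtoInfo, &dwSize, &nError);
    if (nCount == SOCKET_ERROR)
    {
        ::GlobalFree(pProtoInfo);
        return NULL;
    }
    *lpnTotalProtocols = nCount;
    return pProtoInfo;
}

// Releases an array returned by GetProvider(). NULL is accepted.
void FreeProvider(LPWSAPROTOCOL_INFOW pProtoInfo)
{
    if (pProtoInfo != NULL)
        ::GlobalFree(pProtoInfo);
}

// Finds the catalog entry whose ProviderId equals *pGuid and stores its catalog id in
// *pdwCatalogId. Returns FALSE when no entry matches.
static BOOL FindCatalogId(const GUID *pGuid, LPWSAPROTOCOL_INFOW pProtoInfo, int nProtocols,
                          DWORD *pdwCatalogId)
{
    for (int i = 0; i < nProtocols; i++)
    {
        if (memcmp(&pProtoInfo[i].ProviderId, pGuid, sizeof(GUID)) == 0)
        {
            *pdwCatalogId = pProtoInfo[i].dwCatalogEntryId;
            return TRUE;
        }
    }
    return FALSE;
}

// Removes every chain whose first entry is the layered provider, then the layered entry itself.
// Returns TRUE when the provider is not installed or was removed completely, FALSE when the
// catalog could not be read or a WSCDeinstallProvider call failed (the original always
// returned TRUE and never freed the enumeration buffer).
BOOL RemoveProvider()
{
    int nProtocols = 0;
    LPWSAPROTOCOL_INFOW pProtoInfo = GetProvider(&nProtocols);
    if (pProtoInfo == NULL)
        return FALSE;

    BOOL bOk = TRUE;
    DWORD dwLayeredCatalogId = 0;
    if (FindCatalogId(&ProviderGuid, pProtoInfo, nProtocols, &dwLayeredCatalogId))
    {
        int nError = 0;
        // Chains reference the layered entry, so they go first.
        for (int i = 0; i < nProtocols; i++)
        {
            if (pProtoInfo[i].ProtocolChain.ChainLen <= 1 ||
                pProtoInfo[i].ProtocolChain.ChainEntries[0] != dwLayeredCatalogId)
                continue;
            // One WSCInstallProvider call creates several entries under the same GUID, and the
            // first deinstall removes all of them; do not report the repeats as failures.
            BOOL bAlreadyRemoved = FALSE;
            for (int k = 0; k < i; k++)
            {
                if (memcmp(&pProtoInfo[k].ProviderId, &pProtoInfo[i].ProviderId, sizeof(GUID)) == 0)
                {
                    bAlreadyRemoved = TRUE;
                    break;
                }
            }
            if (bAlreadyRemoved)
                continue;
            if (::WSCDeinstallProvider(&pProtoInfo[i].ProviderId, &nError) == SOCKET_ERROR)
                bOk = FALSE;
        }
        if (::WSCDeinstallProvider(&ProviderGuid, &nError) == SOCKET_ERROR)
            bOk = FALSE;
    }
    FreeProvider(pProtoInfo);
    return bOk;
}

// Copies the first AF_INET UDP, TCP and raw-IP (IPPROTO_IP) base providers into pOut/pIds.
// pOut and pIds must hold at least three entries. Returns how many were found (0..3).
// XP1_IFS_HANDLES is cleared because the LSP does not return IFS handles of its own.
static int CollectBaseProviders(LPWSAPROTOCOL_INFOW pProtoInfo, int nProtocols,
                                WSAPROTOCOL_INFOW *pOut, DWORD *pIds)
{
    BOOL bFindUdp = FALSE;
    BOOL bFindTcp = FALSE;
    BOOL bFindRaw = FALSE;
    int nArrayCount = 0;

    for (int i = 0; i < nProtocols; i++)
    {
        if (pProtoInfo[i].iAddressFamily != AF_INET)
            continue;

        BOOL *pbSeen = NULL;
        switch (pProtoInfo[i].iProtocol)
        {
        case IPPROTO_UDP: pbSeen = &bFindUdp; break;
        case IPPROTO_TCP: pbSeen = &bFindTcp; break;
        case IPPROTO_IP:  pbSeen = &bFindRaw; break;
        default:          continue;
        }
        if (*pbSeen)
            continue;

        memcpy(&pOut[nArrayCount], &pProtoInfo[i], sizeof(WSAPROTOCOL_INFOW));
        pOut[nArrayCount].dwServiceFlags1 &= ~XP1_IFS_HANDLES;
        pIds[nArrayCount++] = pProtoInfo[i].dwCatalogEntryId;
        *pbSeen = TRUE;
    }
    return nArrayCount;
}

// Rewrites one saved base-provider entry as a "<LSP> over <base>" chain with the layered
// provider in slot 0. Returns FALSE when the chain is already MAX_PROTOCOL_CHAIN long; the
// original shifted entries unconditionally and wrote one past ChainEntries in that case.
static BOOL BuildChainEntry(WSAPROTOCOL_INFOW *pInfo, DWORD dwOrigCatalogId,
                            DWORD dwLayeredCatalogId, const WCHAR *pwszLSPName)
{
    if (pInfo->ProtocolChain.ChainLen >= MAX_PROTOCOL_CHAIN)
        return FALSE;

    // Bounded formatting: szProtocol is WSAPROTOCOL_LEN + 1 wide and the base name alone may
    // already fill it, so the two-argument swprintf used before could overrun the stack buffer.
    WCHAR wszChainName[WSAPROTOCOL_LEN + 1];
    _snwprintf_s(wszChainName, _countof(wszChainName), _TRUNCATE, L"%ws over %ws",
                 pwszLSPName, pInfo->szProtocol);
    wcscpy_s(pInfo->szProtocol, _countof(pInfo->szProtocol), wszChainName);

    if (pInfo->ProtocolChain.ChainLen == 1)
    {
        // Base provider: the chain becomes {layered, base}.
        pInfo->ProtocolChain.ChainEntries[1] = dwOrigCatalogId;
    }
    else
    {
        // Existing chain: open slot 0 by shifting every entry down.
        for (int j = pInfo->ProtocolChain.ChainLen; j > 0; j--)
            pInfo->ProtocolChain.ChainEntries[j] = pInfo->ProtocolChain.ChainEntries[j - 1];
    }
    pInfo->ProtocolChain.ChainLen++;
    pInfo->ProtocolChain.ChainEntries[0] = dwLayeredCatalogId;
    return TRUE;
}

// Writes a new catalog order that puts every chain headed by dwLayeredCatalogId in front of all
// other entries. The id list is sized from the live catalog; the original used a fixed
// DWORD[20], which overflows on catalogs with more entries than that.
static BOOL ReorderCatalog(DWORD dwLayeredCatalogId)
{
    int nProtocols = 0;
    LPWSAPROTOCOL_INFOW pProtoInfo = GetProvider(&nProtocols);
    if (pProtoInfo == NULL)
        return FALSE;

    std::vector<DWORD> ids;
    ids.reserve(nProtocols);
    for (int i = 0; i < nProtocols; i++)
    {
        if (pProtoInfo[i].ProtocolChain.ChainLen > 1 &&
            pProtoInfo[i].ProtocolChain.ChainEntries[0] == dwLayeredCatalogId)
            ids.push_back(pProtoInfo[i].dwCatalogEntryId);
    }
    for (int i = 0; i < nProtocols; i++)
    {
        if (pProtoInfo[i].ProtocolChain.ChainLen <= 1 ||
            pProtoInfo[i].ProtocolChain.ChainEntries[0] != dwLayeredCatalogId)
            ids.push_back(pProtoInfo[i].dwCatalogEntryId);
    }
    FreeProvider(pProtoInfo);

    int nError = ::WSCWriteProviderOrder(ids.data(), (DWORD)ids.size());
    if (nError != ERROR_SUCCESS)
    {
        printf("WSCWriteProviderOrder %d\n", nError);
        return FALSE;
    }
    return TRUE;
}

// Installs the LSP in three steps: a hidden layered entry under ProviderGuid, one
// "PhoenixLSP over X" chain per AF_INET base provider found (UDP/TCP/raw), and a catalog
// reorder that puts those chains first.
// pwszPathName: full path of the LSP DLL. The catalog stores this path and every Winsock
//               process loads it, so the file must sit in a directory ordinary users cannot
//               write to. WSCInstallProvider needs administrator rights.
// Returns TRUE on success. On a failure after the layered entry exists, that entry (and any
// chains already installed) is removed again so no half-installed state is left behind.
BOOL InstallProvider(WCHAR *pwszPathName)
{
    WCHAR wszLSPName[] = L"PhoenixLSP";
    WSAPROTOCOL_INFOW OriginalProtocolInfo[3];
    DWORD dwOrigCatalogId[3];
    int nError = 0;
    int nProtocols = 0;

    // Step 0: remember the base providers we will layer over.
    LPWSAPROTOCOL_INFOW pProtoInfo = GetProvider(&nProtocols);
    if (pProtoInfo == NULL)
    {
        printf("WSCEnumProtocols failed\n");
        return FALSE;
    }
    int nArrayCount = CollectBaseProviders(pProtoInfo, nProtocols, OriginalProtocolInfo, dwOrigCatalogId);
    FreeProvider(pProtoInfo);
    if (nArrayCount == 0)
    {
        // The original copied OriginalProtocolInfo[0] here even when nothing had been found.
        printf("no AF_INET base provider found\n");
        return FALSE;
    }

    // Step 1: the layered entry is a copy of any base entry with a new name,
    // ChainLen == LAYERED_PROTOCOL and PFL_HIDDEN set.
    WSAPROTOCOL_INFOW LayeredProtocolInfo;
    memcpy(&LayeredProtocolInfo, &OriginalProtocolInfo[0], sizeof(WSAPROTOCOL_INFOW));
    wcscpy_s(LayeredProtocolInfo.szProtocol, _countof(LayeredProtocolInfo.szProtocol), wszLSPName);
    LayeredProtocolInfo.ProtocolChain.ChainLen = LAYERED_PROTOCOL;
    LayeredProtocolInfo.dwProviderFlags |= PFL_HIDDEN;

    // WSAEPROVIDERFAILEDINIT (10106) here means the DLL does not export WSPStartup.
    if (::WSCInstallProvider(&ProviderGuid, pwszPathName, &LayeredProtocolInfo, 1, &nError) == SOCKET_ERROR)
    {
        // The failure code is in nError, not GetLastError().
        printf("WSCInstallProvider  %d\n", nError);
        getchar();
        getchar();
        return FALSE;
    }

    // Re-enumerate to learn the catalog id the system assigned to the layered entry.
    DWORD dwLayeredCatalogId = 0;
    pProtoInfo = GetProvider(&nProtocols);
    BOOL bFound = pProtoInfo != NULL &&
                  FindCatalogId(&ProviderGuid, pProtoInfo, nProtocols, &dwLayeredCatalogId);
    FreeProvider(pProtoInfo);
    if (!bFound)
    {
        ::WSCDeinstallProvider(&ProviderGuid, &nError);
        printf("layered provider not found after install\n");
        return FALSE;
    }

    // Step 2: turn each saved base entry into a chain headed by the layered provider.
    for (int i = 0; i < nArrayCount; i++)
    {
        if (!BuildChainEntry(&OriginalProtocolInfo[i], dwOrigCatalogId[i], dwLayeredCatalogId, wszLSPName))
        {
            ::WSCDeinstallProvider(&ProviderGuid, &nError);
            printf("protocol chain too long\n");
            return FALSE;
        }
    }

    // The chains get a fresh GUID per install; RemoveProvider() locates them through
    // dwLayeredCatalogId rather than this value.
    GUID ProviderChainGuid;
    if (::UuidCreate(&ProviderChainGuid) != RPC_S_OK)
    {
        ::WSCDeinstallProvider(&ProviderGuid, &nError);
        printf("UuidCreate failed\n");
        return FALSE;
    }
    if (::WSCInstallProvider(&ProviderChainGuid, pwszPathName, OriginalProtocolInfo, nArrayCount, &nError) == SOCKET_ERROR)
    {
        // The original printed "UuidCreate1" for this failure, which points at the wrong call.
        ::WSCDeinstallProvider(&ProviderGuid, &nError);
        printf("WSCInstallProvider (chain)  %d\n", nError);
        return FALSE;
    }

    // Step 3: move our chains to the front of the catalog.
    if (!ReorderCatalog(dwLayeredCatalogId))
    {
        RemoveProvider();
        return FALSE;
    }
    printf("OK\n");
    return TRUE;
}

// Installs the LSP from LSP.dll in the current directory, waits for input, then removes it.
int main(void)
{
    WCHAR szPathName[MAX_PATH];
    WCHAR *p = NULL;

    // GetFullPathName resolves against the current directory and that path is what the catalog
    // records, so run this from the DLL's final, ACL-protected location rather than a temp dir.
    DWORD dwLen = ::GetFullPathNameW(L"LSP.dll", _countof(szPathName), szPathName, &p);
    if (dwLen != 0 && dwLen < _countof(szPathName))
    {
        if (InstallProvider(szPathName))
            printf(" Install successully. \n");
    }
    getchar();
    getchar();

    if (RemoveProvider())
        printf(" Deinstall successully. \n");
    else
        printf(" Deinstall failed. \n");
    getchar();
    getchar();
    return 0;
}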





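#include <Winsock2.h>
#include <Ws2spi.h>
#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "Ws2_32.lib")

WSPUPCALLTABLE g_pUpCallTable;      // upcall table from ws2_32; kept but unused because this LSP creates no handles of its own
WSPPROC_TABLE  g_NextProcTable;     // dispatch table of the provider directly below us
TCHAR          g_szCurrentApp[MAX_PATH];   // image path of the host process, printed with every trace line

// Records the host process image path once per process; the hooks below print it so a trace
// shows which process the call came from.
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        GetModuleFileName(NULL, g_szCurrentApp, MAX_PATH);
    return TRUE;
}

// Enumerates the Winsock catalog.
// lpnTotalProtocols: receives the entry count; 0 on failure (the original left it unset on its
//                    early-return path).
// Returns a GlobalAlloc'd array to release with FreeProvider(), or NULL on failure.
LPWSAPROTOCOL_INFOW GetProvider(LPINT lpnTotalProtocols)
{
    DWORD dwSize = 0;
    int nError = 0;
    *lpnTotalProtocols = 0;

    // With a NULL buffer WSCEnumProtocols reports the required size through WSAENOBUFS.
    if (WSCEnumProtocols(NULL, NULL, &dwSize, &nError) == SOCKET_ERROR && nError != WSAENOBUFS)
        return NULL;
    if (dwSize == 0)
        return NULL;

    LPWSAPROTOCOL_INFOW pProtoInfo = (LPWSAPROTOCOL_INFOW)::GlobalAlloc(GPTR, dwSize);
    if (pProtoInfo == NULL)
        return NULL;

    int nCount = ::WSCEnumProtocols(NULL, pProtoInfo, &dwSize, &nError);
    if (nCount == SOCKET_ERROR)
    {
        ::GlobalFree(pProtoInfo);
        return NULL;
    }
    *lpnTotalProtocols = nCount;
    return pProtoInfo;
}

// Releases an array returned by GetProvider(). NULL is accepted.
void FreeProvider(LPWSAPROTOCOL_INFOW pProtoInfo)
{
    if (pProtoInfo != NULL)
        GlobalFree(pProtoInfo);
}

// Hook for WSPSendTo: refuses datagrams addressed to UDP port 4567 (as in the original, the
// whole socket is shut down, not just the one send) and forwards everything else.
// Not installed by WSPStartup below (the assignment there is commented out).
int WSPAPI WSPSendTo(SOCKET          s,
                     LPWSABUF        lpBuffers,
                     DWORD           dwBufferCount,
                     LPDWORD         lpNumberOfBytesSent,
                     DWORD           dwFlags,
                     const struct sockaddr FAR * lpTo,
                     int             iTolen,
                     LPWSAOVERLAPPED lpOverlapped,
                     LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                     LPWSATHREADID   lpThreadId,
                     LPINT           lpErrno)
{
    OutputDebugString(g_szCurrentApp);

    // lpTo is NULL on connected sockets and iTolen may be shorter than a sockaddr_in (or a
    // different family); the original dereferenced it as SOCKADDR_IN unconditionally.
    if (lpTo != NULL && iTolen >= (int)sizeof(SOCKADDR_IN))
    {
        SOCKADDR_IN sa;
        memcpy(&sa, lpTo, sizeof(sa));
        if (sa.sin_family == AF_INET && sa.sin_port == htons(4567))
        {
            int iError = 0;
            g_NextProcTable.lpWSPShutdown(s, SD_BOTH, &iError);
            *lpErrno = WSAECONNABORTED;
            return SOCKET_ERROR;
        }
    }
    return g_NextProcTable.lpWSPSendTo(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags,
                                       lpTo, iTolen, lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);
}

// Hook for WSPSend: writes the first buffer to the debugger output, then forwards the call.
// NOTE: this copies raw application payload (which may include credentials) to any attached
// debugger or DbgView listener; it is a debugging aid and should not ship in a release build.
int WSPAPI WSPSend(SOCKET s,
                   LPWSABUF lpBuffers,
                   DWORD dwBufferCount,
                   LPDWORD lpNumberOfBytesSent,
                   DWORD dwFlags,
                   LPWSAOVERLAPPED lpOverlapped,
                   LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                   LPWSATHREADID lpThreadId,
                   LPINT lpErrno)
{
    if (lpBuffers != NULL && lpBuffers->len > 1 && lpBuffers->buf != NULL)
    {
        // buf is not NUL-terminated, so its length is passed explicitly via %.*s; the original
        // %s read past the end of the application's buffer. _TRUNCATE keeps a payload longer
        // than szText from invoking the CRT invalid-parameter handler, which would have
        // terminated the host process. 20 KB of stack is sizeable for a hook that runs on
        // arbitrary application threads; keep that in mind if threads with small stacks appear.
        char szText[20480] = { 0 };
        int nShown = lpBuffers->len < sizeof(szText) ? (int)lpBuffers->len : (int)sizeof(szText);
        _snprintf_s(szText, sizeof(szText), _TRUNCATE, "当前数据:长度%u  数据%.*s\n",
                    lpBuffers->len, nShown, lpBuffers->buf);
        OutputDebugStringA(szText);
    }
    return g_NextProcTable.lpWSPSend(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent, dwFlags,
                                     lpOverlapped, lpCompletionRoutine, lpThreadId, lpErrno);
}

// Hook for WSPConnect. Demonstration from the article: an AF_INET connect to TCP port 80 is
// redirected to 1.1.1.1 before reaching the provider below. The application never sees the
// change, which is why an unexpected chain in the Winsock catalog (WSCEnumProtocols,
// "netsh winsock show catalog") is what a defender checks when connections go astray.
// The caller's sockaddr is const; the original cast that away and overwrote the application's
// own buffer. The rewritten address lives in a local copy instead.
int WSPAPI WSPConnect(SOCKET s,
                      const struct sockaddr FAR* name,
                      int namelen,
                      LPWSABUF lpCallerData,
                      LPWSABUF lpCalleeData,
                      LPQOS lpSQOS,
                      LPQOS lpGQOS,
                      LPINT lpErrno)
{
    if (name != NULL && namelen >= (int)sizeof(SOCKADDR_IN))
    {
        SOCKADDR_IN addr;
        memcpy(&addr, name, sizeof(addr));
        if (addr.sin_family == AF_INET && ntohs(addr.sin_port) == 80)
        {
            OutputDebugString(g_szCurrentApp);
            char szText[MAX_PATH] = { 0 };
            // inet_ntoa returns a per-thread static buffer: fine here, but not re-entrant.
            _snprintf_s(szText, sizeof(szText), _TRUNCATE, ("当前端口%d ---IP地址%s Ip地址%d\n"),
                        ntohs(addr.sin_port), inet_ntoa(addr.sin_addr), addr.sin_addr.S_un.S_addr);
            OutputDebugStringA(szText);

            addr.sin_addr.S_un.S_addr = inet_addr("1.1.1.1");
            _snprintf_s(szText, sizeof(szText), _TRUNCATE, ("修改后端口%d ---IP地址%s Ip地址%d\n"),
                        ntohs(addr.sin_port), inet_ntoa(addr.sin_addr), addr.sin_addr.S_un.S_addr);
            OutputDebugStringA(szText);

            return g_NextProcTable.lpWSPConnect(s, (const struct sockaddr FAR*)&addr, sizeof(addr),
                                                lpCallerData, lpCalleeData, lpSQOS, lpGQOS, lpErrno);
        }
    }
    return g_NextProcTable.lpWSPConnect(s, name, namelen, lpCallerData, lpCalleeData, lpSQOS, lpGQOS, lpErrno);
}

// SPI entry point (must be exported from the DLL; otherwise WSCInstallProvider fails with
// WSAEPROVIDERFAILEDINIT). Locates the provider below us from ChainEntries[1], loads it,
// calls its WSPStartup, then replaces the WSPSend/WSPConnect slots of the returned table with
// the hooks above.
// Returns ERROR_SUCCESS or a Winsock error code; on failure nothing stays loaded or allocated
// (the original leaked the catalog buffer and the loaded module on its error paths).
// NOTE: g_NextProcTable is a single global, but ws2_32 calls WSPStartup once per chain entry
// (UDP, TCP, raw). This only works when every chain sits on the same underlying DLL; with
// different base providers the last one started would receive all forwarded calls.
int WSPAPI WSPStartup(WORD wVersionRequested,
                      LPWSPDATA lpWSPData,
                      LPWSAPROTOCOL_INFOW lpProtocolInfo,
                      WSPUPCALLTABLE UpcallTable,
                      LPWSPPROC_TABLE lpProcTable)
{
    OutputDebugString(g_szCurrentApp);

    // A ChainLen <= 1 entry is a base provider or the hidden layered entry itself; this DLL only
    // starts as part of a chain.
    if (lpProtocolInfo == NULL || lpProtocolInfo->ProtocolChain.ChainLen <= 1)
        return WSAEPROVIDERFAILEDINIT;

    g_pUpCallTable = UpcallTable;   // not used: no pseudo handles are created

    // Find the WSAPROTOCOL_INFOW of the provider directly below us.
    int nTotalProtos = 0;
    LPWSAPROTOCOL_INFOW pProtoInfo = GetProvider(&nTotalProtos);
    if (pProtoInfo == NULL)
    {
        OutputDebugString(TEXT("WSPStartup:  WSCEnumProtocols() failed"));
        return WSAEPROVIDERFAILEDINIT;
    }
    WSAPROTOCOL_INFOW NextProtocolInfo;
    BOOL bFound = FALSE;
    DWORD dwBaseEntryId = lpProtocolInfo->ProtocolChain.ChainEntries[1];
    for (int i = 0; i < nTotalProtos; i++)
    {
        if (pProtoInfo[i].dwCatalogEntryId == dwBaseEntryId)
        {
            memcpy(&NextProtocolInfo, &pProtoInfo[i], sizeof(NextProtocolInfo));
            bFound = TRUE;
            break;
        }
    }
    FreeProvider(pProtoInfo);
    if (!bFound)
    {
        OutputDebugString(TEXT("WSPStartup:  Can not find underlying protocol"));
        return WSAEPROVIDERFAILEDINIT;
    }

    // WSCGetProviderPath is wide-only, so explicit WCHAR buffers are used regardless of UNICODE.
    int nError = 0;
    WCHAR szProviderPath[MAX_PATH];
    int nLen = MAX_PATH;
    if (::WSCGetProviderPath(&NextProtocolInfo.ProviderId, szProviderPath, &nLen, &nError) == SOCKET_ERROR)
    {
        OutputDebugString(TEXT("WSPStartup: WSCGetProviderPath() failed"));
        return WSAEPROVIDERFAILEDINIT;
    }

    // Expand into a separate buffer rather than in place: the original passed the same array as
    // source and destination. A return of 0 is failure; a return above MAX_PATH means the
    // expanded path was cut off.
    WCHAR szBaseProviderDll[MAX_PATH];
    DWORD dwExpanded = ::ExpandEnvironmentStringsW(szProviderPath, szBaseProviderDll, MAX_PATH);
    if (dwExpanded == 0 || dwExpanded > MAX_PATH)
    {
        OutputDebugString(TEXT("WSPStartup:  ExpandEnvironmentStrings() failed"));
        return WSAEPROVIDERFAILEDINIT;
    }

    // Load the provider below. The path comes from the HKLM Winsock catalog, which only
    // administrators can write; a relative path stored there would still go through the normal
    // DLL search order, so catalog entries should always carry full paths.
    HMODULE hModule = ::LoadLibraryW(szBaseProviderDll);
    if (hModule == NULL)
    {
        OutputDebugString(TEXT("WSPStartup:  LoadLibrary() failed"));
        return WSAEPROVIDERFAILEDINIT;
    }

    LPWSPSTARTUP pfnWSPStartup = (LPWSPSTARTUP)::GetProcAddress(hModule, "WSPStartup");
    if (pfnWSPStartup == NULL)
    {
        ::FreeLibrary(hModule);
        OutputDebugString(TEXT("WSPStartup:  GetProcAddress() failed"));
        return WSAEPROVIDERFAILEDINIT;
    }

    // A base provider expects its own WSAPROTOCOL_INFOW; another LSP underneath gets ours passed
    // through so it can find its own lower layer.
    LPWSAPROTOCOL_INFOW pInfo = lpProtocolInfo;
    if (NextProtocolInfo.ProtocolChain.ChainLen == BASE_PROTOCOL)
        pInfo = &NextProtocolInfo;

    int nRet = pfnWSPStartup(wVersionRequested, lpWSPData, pInfo, UpcallTable, lpProcTable);
    if (nRet != ERROR_SUCCESS)
    {
        ::FreeLibrary(hModule);
        OutputDebugString(TEXT(" WSPStartup:  underlying provider's WSPStartup() failed"));
        return nRet;
    }

    // Keep the lower table for forwarding, then hook the entries we care about. hModule stays
    // loaded on purpose: the table points into it.
    g_NextProcTable = *lpProcTable;
    //lpProcTable->lpWSPSendTo = WSPSendTo;
    lpProcTable->lpWSPSend = WSPSend;
    lpProcTable->lpWSPConnect = WSPConnect;
    return nRet;
}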

DLL需要通过.def文件导出WSPStartup,否则安装失败,返回10106(WSAEPROVIDERFAILEDINIT)
LIBRARY
EXPORTS
WSPStartup