| 導購 | 订阅 | 在线投稿
分享
 
 
 

sniffer技術原理及應用,包括編程方法和工具使用(2)

來源:互聯網網民  2006-04-18 05:20:36  評論

sunxufei:

哦,交換機是以MAC地址進行交換的,不是IP那一層的,要IP已經路由器了

現在交換機便宜了,因此以後你想用sniffer抓密碼概率不大了,不過還能多公司仍然是交換機和H

UB一起用的,這樣小範圍內是有效地,至于ADSL CABLE FTTB,我的FTTB是用華爲設計的設備

,呵呵,不僅僅工網IP,只有我和交換機兩個MAC(這次中國人幹的不錯),沒希望找到第三者,很安全,但

不都這樣安全,很多人的網絡還是很糟糕的.

很多加密協議可以用來提高安全性,但老的POP3,SMTP,HTTP,FTP這種協議應用廣泛,不可能在短

時間內完全取代,而且加密也是有待價的,所以對于要求較高的場合,才會加密.

不過sniffer不是給大家偷密碼用的,我當初用來學習網絡,看看包的樣子,後來就用來當作網管工具,

分析網絡的健康與否,其實這樣的話,你知道,很有可能sniffer就是接在我需要探測的網絡上,聽診器

嗎,到處都聽聽,呵呵,因此即使用了交換機,sniffer仍然是有用處的,但不是抓密碼!!

Wincap很簡單,大3的學生不要怕,去他的網站看看,有例子的,VC6編譯,BCB也行的,把lib的格式轉

換一下,不過寫這種程序,你最好先熟悉協議,很多協議在linux裏有現成的源代碼,主要是一些struct

吧,移植時注意VC可不是gcc,有些c的高級語法,編譯選項要注意,否則差一個byte你就得不到正確的

結果.

如果你搞不到sniffer,Win2000 Server也有網絡包查看器的,不比sniffer強大,但簡單的東西入手

也快.

反嗅探和嗅探技術其實很old了,呵呵,不過CSDN經常old的.

注意不要幹壞事,有矛必有盾

sevencat:

網卡的混雜模式好像要通過NDIS設置。

下面是轉貼的。

哪位UP一下,我來貼完。

一、驅動開發網

作者:gjpland

看到很多仁兄提供的數據包的攔截技術,其中最多的是編寫IM DRIVER在NDIS中間層

對MINIPORT(網卡驅動程序)和協議驅動程序之間的數據包進行攔截。這是微軟提供的一種技術

但編寫該過濾程序攔截程序非常的複雜,安裝也很麻煩。

本人簡單的介紹一種更有效的基于NDIS包攔截技術。

大家都知道,NDIS協議驅動程序是通過填寫一張NDIS_PROTOCOL_CHARACTERISTICS的表

,並調用NDIS API

函數NdisRegisterProtocol進行注冊。現在我們來關注一下NDIS_PROTOCOL_CHARACTERI

STICS這張表,

這張表中存有所有協議驅動程序與底層的派發函數的入口。如SendHandler,ReceiveHandler,Bi

ndAdapterHandler等,

當網卡有數據包進入時,會通過表中ReceiveHandle 或ReceivePacketHandler通知協議驅動程

序有一個該協議

的數據包進入,反之協議驅動程序是通過SendHandler或SendPacketsHandler函數向網卡驅動

發送數據包到網絡

上去的,有人會奇怪程序中明明不是調用NdisSend或NdisSendPackets函數發送的嗎?沒錯,

是這樣的,

但是你可以看一下NDIS.H的頭文件裏對這兩個函數的定義就知道了,他們都是一個

宏定義,實際還是通過這表中SendHandler或SendPacketsHandler發送的。

現在我們所要做的事情應該很清楚了,只要我們能夠將每一個協議程序所填寫的NDIS_PROTOCO

L_CHARACTERISTICS

表裏的派發函數指向自己的函數,我們就能成功的對數據包進行攔截。那麽每個協議驅動程序的這張

表到底存放在

那裏呢?太簡單了,看一下下面的我對NdisRegisterProtocol重新給出的原型就很明白了。

struct _NDIS_PROTOCOL_BLOCK

{

PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol

REFERENCE Ref; // contains spinlock for OpenQueue

UINT Length; // of this NDIS_PROTOCOL_BLOCK struct

NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;// handler

addresses

struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next

ULONG MaxPatternSize;

#if defined(NDIS_WRAPPER)

//

// Protocol filters

//

struct _NDIS_PROTOCOL_FILTER * ProtocolFilter[NdisMediumMax+1];

WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to

// notify protocols of existing drivers.

KMUTEX Mutex; // For serialization of Bind/Unbind requests

PKEVENT DeregEvent; // Used by NdisDeregisterProtocol

#endif

};

typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK,

*PNDIS_PROTOCOL_BLOCK;

EXPORT

VOID

NdisRegisterProtocol(

OUT PNDIS_STATUS Status,

OUT PNDIS_PROTOCOL_BLOCK NdisProtocolHandle, /*注意NDIS_HANDLE所指向的

就是PNDIS_PROTOCOL_BLOCK的結構,不要有什麽懷疑。*/

IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,

IN UINT CharacteristicsLength

);

NDIS_PROTOCOL_BLOCK(協議表)

是NDIS維護所有系統中已注冊協義的單向鏈接表。字段NextProtocol指向下一個協議表。

慶幸的是,當我們注冊一新的協議時,NDIS總是會把新注冊的協義放在鏈表的頭並返回這張表,

所以只要我們注冊一個新的協議

通過新協議注冊返回的鏈表頭就可以輕而易舉的遍曆系統中所有協議表.現在我們所希望得到的每個

協議的

NDIS_PROTOCOL_CHARACTERISTICS表就放在我們面前了,如何勾挂表中的派發函數,我

想不必多說了吧。順便說一句

NDISREGISTERPROTOCOL爲NDIS_PROTOCOL_BLOCK所分配的內存是NonPagedPool

類型的。對于核心DRIVER來說,核心區內存

是一個線性的內存區,所有核心DRIVER是可以隨便訪問核心內存區的任意地址。所要注意的是不

同IRQL級別下對分頁

和非分頁內存。

有人會問這樣就行了嗎?真的攔截下來了嗎?如果有那位仁兄心急現在就寫程序的話,

准會失望的,因爲他會發現結果什麽東西都沒攔截到或偶而會攔截到一些數據包。爲什麽?

因爲NDIS網卡驅動和協議驅動在發送和接收到數居時並不是調用PNDIS_OPEN_BLOCK->Proto

colCharacteristics

裏的派發函數。怎麽辦?

有必要先介紹一下NDIS網卡驅動和協議驅動之間是如何BINDING 的吧,

NdisRegisterProtocol在注冊完一個協議後,不久NDIS會通過調用表中

BindAdapterHandler派發函數,通知協議對每一個網卡進行BINDING。或者當系統通PNP找到

一塊新的網卡時

也會調用BindAdapterHandler對協議進行BINDING。協議在BINDING 調用裏,會根據自己的

需要使用NdisOpenAdapter

將自身綁定到適合的網卡。並返回NdisBindingHandle.NdisBindingHandle是什麽?NdisBin

dingHandl其實是

指向NDIS_OPEN_BLOCK表的一根指針,那麽NDIS_OPEN_BLOCK表有什麽用呢?當協議順

利的綁定後,每個綁定的網卡

和每一個協議之間建立了數據傳輸的通道,而NDIS_OPEN_BLOCK就是用來維護這一數據通道的

表。

struct _NDIS_OPEN_BLOCK

{

PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC

NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs

PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter

PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol

NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs

PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue

PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue

PFILE_OBJECT FileObject; // created by operating system

BOOLEAN Closing; // TRUE when removing this struct

BOOLEAN Unloading; // TRUE when processing unload

BOOLEAN NoProtRsvdOnRcvPkt; // Reflect the protocol_options

NDIS_HANDLE CloseRequestHandle; // 0 indicates an internal close

KSPIN_LOCK SpinLock; // guards Closing

PNDIS_OPEN_BLOCK NextGlobalOpen;

//

// These are optimizations for getting to MAC routines. They are not

// necessary, but are here to save a dereference through the MAC block.

//

SEND_HANDLER SendHandler;

TRANSFER_DATA_HANDLER TransferDataHandler;

//

// These are optimizations for getting to PROTOCOL routines. They are not

// necessary, but are here to save a dereference through the PROTOCOL block.

//

SEND_COMPLETE_HANDLER SendCompleteHandler;

TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;

RECEIVE_HANDLER ReceiveHandler;

RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

//

// Extentions to the OPEN_BLOCK since Product 1.

//

RECEIVE_HANDLER PostNt31ReceiveHandler;

RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

//

// NDIS 4.0 extensions

//

RECEIVE_PACKET_HANDLER ReceivePacketHandler;

SEND_PACKETS_HANDLER SendPacketsHandler;

//

// More NDIS 3.0 Cached Handlers

//

RESET_HANDLER ResetHandler;

REQUEST_HANDLER RequestHandler;

//

// Needed for PnP

//

UNICODE_STRING AdapterName; // Upcased name of the adapter we are bound to

};

上面的表結構可以很清楚的看到這張表是一個單向鏈接表,並且存放了和PNDIS_OPEN_BLOCK-

>ProtocolCharacteristics

一樣的數據收發派發函數,當第N塊網卡發送數據包到第N個協議時,就會調用第N個協議與第N個

網卡之間建立的

NDIS_OPEN_BLOCK表裏的SendHandler或SendPacketHandler。所以我們還需要對這張表

裏的派發函數進行處理(勾挂)。

那麽又如何勾挂協議與網卡之間的NDIS_OPEN_BLOCK表呢。我們再回到NDIS_PROTOCOL_

BLOCK這張表中,在

NDIS_PROTOCOL_BLOCK表中字段PNDIS_OPEN_BLOCK OpenQueue;就是所有該協議所

有NDIS_OPEN_BLOCK的表頭。

通過AdapterNextOpen遍曆一下,再勾挂一把。就可以順利攔截了。

值得注意的是。

1。

NDIS_OPEN_BLOCK

NDIS_PROTOCOL_BLOCK

這些結構不同NDIS版本是不同的,

解決方法是在windows 98和windows95下(ndis 3.1)使用windows98ddk 帶的NDIS.H 裏的

定義

在windows me下(ndis 5.0或4。0)請使用WINDOWS 98ddk裏NDIS.H裏的定義

nt(ndis4.0)用NTDDK裏的定議,以此類推,2000(ndis5.0)

2。不要重複勾挂同一個函數。

有問題可以通過

QQ:3955727

mail:gjpland@netease.com

//

//Protocol Wrapper Version 1.05

//Author: gjp

//email: gjpland@netease.com

//

#include "NdisHook.h"

#include "HookRule.h"

#pragma pack(push)

#pragma pack(1)

typedef struct _HOOK_CONTEXT_STRUCT

{

//runtime code

ubyte code1_0x58; //0x58 | pop eax | pop caller IP from stack to

eax

ubyte code2_0x68; //0x68 | push IMM | push our hook context

address

struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this

ubyte code3_0x50; //0x50 | push eax | push caller

IP from eax to stack

ubyte code4_0xE9; //0xE9 | jmp HookProc | jump our hook proc

udword m_pHookProcOffset;

//our context data

PVOID m_pOriginalProc;

PVOID m_pHookProc;

PVOID m_pBindAdaptHandle;

PVOID m_pProtocolContent;

PVOID *m_ppOriginPtr;

struct _HOOK_CONTEXT_STRUCT *m_pHookNext;

}HOOK_CONTEXT_STRUCT;

#pragma pack(pop)

HOOK_CONTEXT_STRUCT *m_pOurAllOfHookContext = NULL;

dword m_IsFilterEnabled = FALSE;

NDIS_HANDLE m_ourPacketPoolHandle = NULL;

NDIS_HANDLE m_ourBufferPoolHandle = NULL;

PNDIS_PACKET m_ourPacketHandle = NULL;

PNDIS_BUFFER m_ourBufferHandle = NULL;

PVOID m_ourBuffer = NULL;

void ReadPacket(PNDIS_PACKET Packet,PVOID pBuffer,udword dwBufSize);

uword wswap(uword value);

void HookUnload(void)

{

ReleaseHookFunc();

if( m_ourBufferHandle )

{

NdisFreeBuffer(m_ourBufferHandle);

m_ourBufferHandle = NULL;

}

if( m_ourBuffer )

{

NdisFreeMemory(m_ourBuffer,MAX_PACKET_SIZE,0);

m_ourBuffer = NULL;

}

if( m_ourPacketHandle )

{

NdisFreePacket(m_ourPacketHandle);

m_ourPacketHandle = NULL;

}

if( m_ourBufferPoolHandle )

{

NdisFreeBufferPool(m_ourBufferPoolHandle);

m_ourBufferPoolHandle = NULL;

}

if( m_ourPacketPoolHandle )

{

NdisFreePacketPool(m_ourPacketPoolHandle);

m_ourPacketPoolHandle = NULL;

}

return;

}

dword HookInit(void)

{

NTSTATUS status;

m_ourPacketPoolHandle = NULL;

NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x10);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBufferPoolHandle = NULL;

NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x10);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBuffer = NULL;

status =

NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW');

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourBufferHandle = NULL;

NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuff

er,MAX_PACKET_SIZE);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

m_ourPacketHandle = NULL;

NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle);

if( status != NDIS_STATUS_SUCCESS )

return FALSE;

NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle);

return TRUE;

}

typedef struct _NDIS41_PROTOCOL_CHARACTERISTICS

{

#ifdef __cplusplus

NDIS40_PROTOCOL_CHARACTERISTICS Ndis40Chars;

#else

NDIS40_PROTOCOL_CHARACTERISTICS;

#endif

//

// Start of NDIS 4.1 extensions.

//

CO_SEND_COMPLETE_HANDLER

CoSendCompleteHandler;

CO_STATUS_HANDLER

CoStatusHandler;

CO_RECEIVE_PACKET_HANDLER

CoReceivePacketHandler;

CO_REQUEST_HANDLER

CoRequestHandler;

CO_REQUEST_COMPLETE_HANDLER

CoRequestCompleteHandler;

} NDIS41_PROTOCOL_CHARACTERISTICS;

dword HookProtocol(void)

{

//Default ndis version is 5.0

NDIS_PROTOCOL_CHARACTERISTICS ourNPC;

NDIS_STRING protoName = NDIS_STRING_CONST("HdFw_Slot");

NDIS_STATUS Status;

NDIS_HANDLE ourProtocolHandle = NULL;

byte *ProtocolChain;

dword offset;

dword len;

// NDIS_PROTOCOL_BLOCK *pNdisBlock = NULL;

// pNdisBlock = pNdisBlock->NextProtocol;

// pNdisBlock->NextProtocol = NULL;

memset(&ourNPC,0,sizeof(NDIS_PROTOCOL_CHARACTERISTICS));

if( m_dwMajorVersion == 0x03 )

{

len = sizeof(NDIS30_PROTOCOL_CHARACTERISTICS);

//We must need at least ndis version 3.10

ourNPC.MajorNdisVersion = 0x03;

ourNPC.MinorNdisVersion = 0x0A;

}

else

if( m_dwMajorVersion == 0x04 )

{

len = sizeof(NDIS40_PROTOCOL_CHARACTERISTICS);

ourNPC.MajorNdisVersion = 0x04;

ourNPC.MinorNdisVersion = 0x00;

}

else

{ //treat as version 5.0

len = sizeof(NDIS50_PROTOCOL_CHARACTERISTICS);

ourNPC.MajorNdisVersion = 0x05;

ourNPC.MinorNdisVersion = 0x00;

}

ourNPC.Name = protoName;

ourNPC.OpenAdapterCompleteHandler = PtOpenAdapterComplete;

ourNPC.CloseAdapterCompleteHandler = PtCloseAdapterComplete;

ourNPC.SendCompleteHandler = PtSendComplete;

ourNPC.TransferDataCompleteHandler = PtTransferDataComplete;

ourNPC.ResetCompleteHandler = PtResetComplete;

ourNPC.RequestCompleteHandler = PtRequestComplete;

ourNPC.ReceiveHandler = PtReceive;

ourNPC.ReceiveCompleteHandler = PtReceiveComplete;

ourNPC.StatusHandler = PtStatus;

ourNPC.StatusCompleteHandler = PtStatusComplete;

ourNPC.BindAdapterHandler = PtBindAdapter;

ourNPC.UnbindAdapterHandler = PtUnbindAdapter;

ourNPC.UnloadHandler = PtUnload;

ourNPC.ReceivePacketHandler = PtReceivePacket;

ourNPC.PnPEventHandler = PtPNPHandler;

NdisRegisterProtocol(&Status,&ourProtocolHandle,&ourNPC,len);

if( !NT_SUCCESS(Status) || ourProtocolHandle == NULL )

return FALSE;

//NdisRegisterProtocol return hand reference of

NDIS_PROTOCOL_BLOCK;

ProtocolChain = (byte *)ourProtocolHandle;

while(1)

{

DebugInfoCount++;

//Obtain pointer to next protocol link.

if( m_dwMajorVersion == 0x03 )

offset = 4;

else

if( m_dwMajorVersion == 0x04 )

{

if( m_dwMinorVersion == 0x01 )

offset = 0x8C;

else

offset = 0x60;

}

else

if( m_dwMajorVersion == 0x05 )

//NDIS_PROTOCOL_BLOCK->NextProtocol

offset = 0x10;

else

//Error

break;

ProtocolChain = ((byte **)(ProtocolChain + offset))[0];

if( ProtocolChain == NULL )

break;

HookFuncBlock(ProtocolChain);

}

if( m_dwMajorVersion != 4 )

NdisDeregisterProtocol(&Status,ourProtocolHandle);

else

{

// ((byte *)ourProtocolHandle)[0x0C] = 0x01;

// NdisDeregisterProtocol(&Status,ourProtocolHandle);

}

return TRUE;

}

// ProtocolContent

// Version NextChain offset NDIS_PROTOCOL_CHARACTERISTICS offset

BindingAdaptHandle offset

// NDIS 3.XX 0x04

0x14

0x08

// NDIS 4.XX 0x60

0x14

0x00

// NDIS 4.01 0x8C

0x14

0x00

// NDIS 5.XX 0x10

0x14

0x00

//-----

VOID HookProtocolSendPackets(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MiniportAdapterContext,

IN PPNDIS_PACKET PacketArray,

IN UINT

NumberOfPackets

);

NDIS_STATUS HookProtocolWanSend(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MacBindingHandle,

IN NDIS_HANDLE LinkHandle,

IN PVOID Packet

);

NDIS_STATUS HookProtocolSend(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

MacBindingHandle,

IN PNDIS_PACKET Packet

);

NDIS_STATUS HookProtocolReceive(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE ProtocolBindingContext,

IN NDIS_HANDLE MacReceiveContext,

IN PVOID HeaderBuffer,

IN UINT HeaderBufferSize,

IN PVOID LookAheadBuffer,

IN UINT LookaheadBufferSize,

IN UINT PacketSize

);

NDIS_STATUS HookWanReceive(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

NdisLinkHandle,

IN PUCHAR

Packet,

IN ULONG

PacketSize

);

INT HookProtocolReceivePacket(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE

ProtocolBindingContext,

IN PNDIS_PACKET Packet

);

VOID HookBindAdapterHandler(

IN

HOOK_CONTEXT_STRUCT *pOurContext,

OUT

PNDIS_STATUS Status,

IN

NDIS_HANDLE BindContext,

IN

PNDIS_STRING DeviceName,

IN PVOID

SystemSpecific1,

IN PVOID

SystemSpecific2);

VOID HookSendComplete(

IN HOOK_CONTEXT_STRUCT *pOurContext,

IN NDIS_HANDLE ProtocolBindingContext,

IN PNDIS_PACKET Packet,

IN NDIS_STATUS Status

);

void ReleaseHookFunc(void)

{

HOOK_CONTEXT_STRUCT *pHookContext,*pNext;

pHookContext = m_pOurAllOfHookContext;

m_pOurAllOfHookContext = NULL;

while(pHookContext)

{

pNext = pHookContext->m_pHookNext;

pHookContext->m_ppOriginPtr[0] =

pHookContext->m_pOriginalProc;

ExFreePool(pHookContext);

pHookContext = pNext;

}

return;

}

HOOK_CONTEXT_STRUCT *IsHookedNdisFunc(PVOID pAddr)

{

HOOK_CONTEXT_STRUCT *pHookContext;

pHookContext = m_pOurAllOfHookContext;

while(pHookContext)

{

if( pHookContext == pAddr )

break;

pHookContext = pHookContext->m_pHookNext;

}

return pHookContext;

}

HOOK_CONTEXT_STRUCT *IsHookedNdisFuncEx(PVOID *pAddr)

{

HOOK_CONTEXT_STRUCT *pHookContext;

pHookContext = m_pOurAllOfHookContext;

while(pHookContext)

{

if( pHookContext->m_ppOriginPtr == pAddr )

break;

pHookContext = pHookContext->m_pHookNext;

}

return pHookContext;

}

HOOK_CONTEXT_STRUCT *HookNdisFunc(PVOID pHookProc,PVOID

*ppOrigProc,PVOID pBindAdaptHandle,PVOID pProtocolContent)

{

HOOK_CONTEXT_STRUCT *pHookContext;

PVOID OrgFunc;

pHookContext = IsHookedNdisFunc(ppOrigProc[0]);

if( pHookContext )

OrgFunc = pHookContext->m_pOriginalProc;

else

OrgFunc = ppOrigProc[0];

if( OrgFunc == NULL )

return NULL;

pHookContext = IsHookedNdisFuncEx(ppOrigProc);

if( pHookContext )

return pHookContext;

pHookContext =

ExAllocatePoolWithTag(NonPagedPool,sizeof(HOOK_CONTEXT_STRUCT),'HCSP');

if( pHookContext == NULL )

return NULL;

memset(pHookContext,0,sizeof(HOOK_CONTEXT_STRUCT));

pHookContext->code1_0x58 = 0x58;

pHookContext->code2_0x68 = 0x68;

pHookContext->code3_0x50 = 0x50;

pHookContext->code4_0xE9 = 0xE9;

pHookContext->m_pHookContext = pHookContext;

pHookContext->m_pHookProcOffset = ((udword)pHookProc) -

(((udword)&pHookContext->m_pHookProcOffset) + sizeof(udword));

pHookContext->m_pBindAdaptHandle = pBindAdaptHandle;

pHookContext->m_pProtocolContent = pProtocolContent;

pHookContext->m_pOriginalProc = OrgFunc;//ppOrigProc[0];

pHookContext->m_ppOriginPtr = ppOrigProc;

pHookContext->m_pHookProc = pHookProc;

pHookContext->m_pHookNext = m_pOurAllOfHookContext;

m_pOurAllOfHookContext = pHookContext;

ppOrigProc[0] = pHookContext;

return pHookContext;

}

typedef

struct _NDIS40_OPEN_BLOCK

{

PNDIS_MAC_BLOCK MacHandle;

// pointer to our MAC

NDIS_HANDLE

MacBindingHandle; // context when calling MacXX funcs

PNDIS_ADAPTER_BLOCK AdapterHandle;

// pointer to our adapter

PNDIS_PROTOCOL_BLOCK ProtocolHandle; //

pointer to our protocol

NDIS_HANDLE

ProtocolBindingContext;// context when calling ProtXX funcs

PNDIS_OPEN_BLOCK AdapterNextOpen; //

used by adapter's OpenQueue

PNDIS_OPEN_BLOCK ProtocolNextOpen; //

used by protocol's OpenQueue

PFILE_OBJECT FileObject;

// created by operating system

BOOLEAN

Closing; // TRUE when removing this struct

BOOLEAN

Unloading; // TRUE when processing unload

NDIS_HANDLE

CloseRequestHandle; // 0 indicates an internal close

KSPIN_LOCK SpinLock;

// guards Closing

PNDIS_OPEN_BLOCK NextGlobalOpen;

//

// These are optimizations for getting to MAC routines. They are not

// necessary, but are here to save a dereference through the MAC block.

//

SEND_HANDLER SendHandler;

TRANSFER_DATA_HANDLER TransferDataHandler;

//

// These are optimizations for getting to PROTOCOL routines. They are

not

// necessary, but are here to save a dereference through the PROTOCOL

block.

//

SEND_COMPLETE_HANDLER SendCompleteHandler;

TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;

RECEIVE_HANDLER

ReceiveHandler;

RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

//

// Extentions to the OPEN_BLOCK since Product 1.

//

RECEIVE_HANDLER

PostNt31ReceiveHandler;

RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

//

// NDIS 4.0 extensions

//

RECEIVE_PACKET_HANDLER ReceivePacketHandler;

SEND_PACKETS_HANDLER SendPacketsHandler;

//

// Needed for PnP

//

UNICODE_STRING AdapterName;

// Upcased name of the adapter we are bound to

}NDIS40_OPEN_BLOCK,*PNDIS40_OPEN_BLOCK;

void HookFuncBlock(byte *ProtocolContent)

{

PNDIS_PROTOCOL_CHARACTERISTICS pProChar;

dword IsWan;

NDIS_STRING WanString = NDIS_STRING_CONST("NDISWAN");

NDIS_STRING DeviceWanString =

NDIS_STRING_CONST("\\DEVICE\\NDISWAN");

NDIS_STRING TcpipString = NDIS_STRING_CONST("Tcpip");

NDIS_STRING TcpArpString = NDIS_STRING_CONST("TCPIP_WANARP");

NDIS_STRING RasArpString = NDIS_STRING_CONST("RASARP");

if( ProtocolContent == NULL )

return;

//Get pointer to NDIS_PROTOCOL_CHARACTERISTICS from protocol

content

pProChar = (PNDIS_PROTOCOL_CHARACTERISTICS)(ProtocolContent +

0x14);

if( KeGetCurrentIrql() == PASSIVE_LEVEL )

{

//Check protocol name whether is Wan Lan protocol so that we

can correctly hook our function

if(

!RtlCompareUnicodeString(&pProChar->Name,&WanString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&DeviceWanString,TRUE) )

{

IsWan = 1;

}

else

IsWan = 0;

//We r only interest in following protocol

if(

!(!RtlCompareUnicodeString(&pProChar->Name,&TcpipString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&TcpArpString,TRUE) ||

!RtlCompareUnicodeString(&pProChar->Name,&RasArpString,TRUE)) )

{

return;

}

}

else

IsWan = 0;

//

if( !IsWan )

{

HookNdisFunc(HookProtocolReceive,(PVOID

*)&pProChar->ReceiveHandler,NULL,ProtocolContent);

//{{added by gjp 6.24

// __asm int 3;

// HookNdisFunc(HookSendComplete,(PVOID

*)&pProChar->SendCompleteHandler,NULL,ProtocolContent);

//}}

}

else

HookNdisFunc(HookWanReceive,(PVOID

*)&pProChar->WanReceiveHandler,NULL,ProtocolContent);

if(pProChar->MajorNdisVersion > 0x03 )

{

HookNdisFunc(HookProtocolReceivePacket,(PVOID

*)&pProChar->ReceivePacketHandler,NULL,ProtocolContent);

HookNdisFunc(HookBindAdapterHandler,(PVOID

*)&pProChar->BindAdapterHandler,NULL,ProtocolContent);

}

zihan:

Guniffer我做過修改,用線程實現,還比較好用.是bcb做的

//---------------------------------------------------------------------------

#include <vcl.h>

#pragma hdrstop

#include "SnifferThread.h"

#include "Main.h"

#pragma package(smart_init)

//---------------------------------------------------------------------------

__fastcall TSniffer::TSniffer(bool CreateSuspended)

: TThread(CreateSuspended)

{

MParamTcp = true; // 關注TCP 報文

MParamUdp = true; // 關注UDP 報文

MParamIcmp = true; // 關注ICMP報文

MParamDecode = true;

FreeOnTerminate = true;

strcpy(TcpFlag, "FSRPAU");

//TcpFlag[6]={'F','S','R','P','A','U'}; //定義TCP標志位

strFromIpFilter = NULL; // 源IP地址過濾

strDestIpFilter = NULL; // 目的地址過濾

strSensitive = NULL; // 敏感字符串

iPortFilter = 0; // 端口過濾

RecvBuf[MAX_PACK_LEN] = NULL;

}

//---------------------------------------------------------------------------

void __fastcall TSniffer::Execute()

{

//---- Place thread code here ----

//偵聽IP報文

SnifferInit();

while(!Terminated)

{

ReceiveData();

}

Form1->ListView1->AddItem("線程結束,停止截獲...", 0);

}

void TSniffer::SnifferInit()

{

//初始化SOCKET

WSADATA wsaData;

iErrorCode = WSAStartup(MAKEWORD(2,1),&wsaData);

CheckSockError(iErrorCode, "WSAStartup");

SockRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);

CheckSockError(SockRaw, "socket");

//獲取本機IP地址

char FAR name[MAX_HOSTNAME_LAN];

iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);

CheckSockError(iErrorCode, "gethostname");

struct hostent FAR * pHostent;

pHostent = (struct hostent * )malloc(sizeof(struct hostent));

pHostent = gethostbyname(name);

SOCKADDR_IN sa;

sa.sin_family = AF_INET;

sa.sin_port = htons(6000);

memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0],

pHostent->h_length);

free(pHostent);

iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));

CheckSockError(iErrorCode, "bind");

//設置SOCK_RAW爲SIO_RCVALL,以便接收所有的IP包

LPVOID dwBufferLen[10] ;

DWORD dwBufferInLen = 1 ;

DWORD dwBytesReturned = 0 ;

iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen,

sizeof(dwBufferInLen),

&dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned , NULL,

NULL);

CheckSockError(iErrorCode, "Ioctl");

}

//IP解包程序

int TSniffer::DecodeIpPack(char *buf, int iBufSize)

{

IP_HEADER *pIpheader;

SOCKADDR_IN saSource, saDest;

pIpheader = (IP_HEADER *)buf;

//協議甄別

iProtocol = pIpheader->proto;

strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN);

if((iProtocol == IPPROTO_TCP) && (!MParamTcp))

return true;

if((iProtocol == IPPROTO_UDP) && (!MParamUdp))

return true;

if((iProtocol == IPPROTO_ICMP) && (!MParamIcmp))

return true;

//源地址

saSource.sin_addr.s_addr = pIpheader->sourceIP;

strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);

if (strFromIpFilter)

if (strcmp(strFromIpFilter,szSourceIP)) return true;

//目的地址

saDest.sin_addr.s_addr = pIpheader->destIP;

strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN);

if (strDestIpFilter)

if (strcmp(strDestIpFilter,szDestIP)) return true;

iTTL = pIpheader->ttl;

//計算IP首部的長度

int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);

//根據協議類型分別調用相應的函數

switch(iProtocol)

{

case IPPROTO_TCP :DecodeTcpPack(buf+iIphLen,

iBufSize);break;

case IPPROTO_UDP :DecodeUdpPack(buf+iIphLen,

iBufSize);break;

case IPPROTO_ICMP :DecodeIcmpPack(buf+iIphLen,

iBufSize);break;

default :break;

}

return true;

}

//協議識別程序

char* TSniffer::CheckProtocol(int iProtocol)

{

for(int i=0; i<MAX_PROTO_NUM; i++)

if(ProtoMap[i].ProtoNum==iProtocol)

return ProtoMap[i].ProtoText;

return "";

}

//TCP解包程序

int TSniffer::DecodeTcpPack(char * TcpBuf, int iBufSize)

{

TCP_HEADER * pTcpHeader;

int i;

int iSourcePort,iDestPort;

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

pTcpHeader = (TCP_HEADER * )TcpBuf;

//計算TCP首部長度

int TcpHeaderLen = pTcpHeader->th_lenres>>4;

TcpHeaderLen *= sizeof(unsigned long);

char * TcpData=TcpBuf+TcpHeaderLen;

//如果過濾敏感字符串則判斷是否包含

if (strSensitive)

if ((strstr(TcpData, strSensitive))==NULL) return true;

//對端口進行過濾

iSourcePort = ntohs(pTcpHeader->th_sport);

iDestPort = ntohs(pTcpHeader->th_dport);

if ((iPortFilter) && (iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))

return true;

//輸出

//sprintf(OtherInfo, "%s ", szProtocol);

//sprintf(OtherInfo, "%15s:%5d ->%15s:%5d ", szSourceIP, iSourcePort,

szDestIP, iDestPort);

//sprintf(OtherInfo, "TTL=%3d ", iTTL);

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iSourcePort = iSourcePort;

ReceiveInfo->iDestPort = iDestPort;

ReceiveInfo->iTTL = iTTL;

//判斷TCP標志位

unsigned char FlagMask = 1;

for( i=0; i<6; i++ )

{

if((pTcpHeader->th_flag) & FlagMask)

{

//sprintf(OtherInfo, "%c",TcpFlag[i]);

ReceiveInfo->TcpFlag[i] = TcpFlag[i];

}

else

{

//sprintf(OtherInfo, "-");

ReceiveInfo->TcpFlag[i] = '-';

}

FlagMask=FlagMask<<1;

}

//sprintf(OtherInfo, " bytes=%4d\n", iBufSize);

ReceiveInfo->iBufSize = iBufSize;

//對于長度大于40字節的包進行數據分析(IP_HEADER+TCP_HEADER=40)

if ((MParamDecode) && (iBufSize>40))

{

//分析TCP數據段

if ((!strSensitive) || (strstr(TcpData,strSensitive)))

{

//sprintf(OtherInfo, "[DATA]\n");

//sprintf(OtherInfo, "%s%s", OtherInfo, TcpData);

//sprintf(OtherInfo, "%s\n [DATA END]\n\n\n",

OtherInfo);

ReceiveInfo->ReceiveData = TcpData;

}

}

//Form1->Memo1->Lines->Add(OtherInfo);

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//UDP解包程序

int TSniffer::DecodeUdpPack(char * UdpBuf, int iBufSize)

{

UDP_HEADER *pUdpHeader;

pUdpHeader = (UDP_HEADER * )UdpBuf;

int iSourcePort = ntohs(pUdpHeader->uh_sport);

int iDestPort = ntohs(pUdpHeader->uh_dport);

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

//對端口進行過濾

if(iPortFilter)

if ((iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))

return true;

//printf("%s ", szProtocol);

//printf("%15s:%5d ->%15s:%5d ", szSourceIP, iSourcePort, szDestIP,

iDestPort);

//printf("TTL=%3d ", iTTL);

//printf("Len=%4d ", ntohs(pUdpHeader->uh_len));

//printf("bytes=%4d", iBufSize);

//printf("\n");

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->iSourcePort = iSourcePort;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iDestPort = iDestPort;

ReceiveInfo->iTTL = iTTL;

ReceiveInfo->Length = ntohs(pUdpHeader->uh_len);

ReceiveInfo->iBufSize = iBufSize;

//對于長度大于28字節的包進行數據分析(IP_HEADER+UDP_HEADER>28)

if ((MParamDecode) && (iBufSize>28))

{

//printf(" [DATA]\n");

//UDP首部長度爲8

char * UdpData=UdpBuf+8;

//分析UDP數據段

ReceiveInfo->ReceiveData = UdpData;

TStringStream *DataStringStream = new TStringStream(NULL);

try{

DataStringStream->Write(UdpData, sizeof(UdpData));

//DataStringStream->CopyFrom(UdpData, sizeof(UdpData))}

ReceiveInfo->ReceiveUdpData = DataStringStream->DataString;}

__finally{

delete DataStringStream;}

for(unsigned int i=0;i<(iBufSize-sizeof(UDP_HEADER));i++)

{

//if (!(i%8)) sprintf(OtherInfo, "%s\n", OtherInfo);

//memset(OtherInfo, 0, strlen(OtherInfo));

if ( (UdpData[i]>33) && (UdpData[i]<122) )

//sprintf(OtherInfo, "%c", UdpData[i]);

;

else

//sprintf(UdpData, "[%3x]", abs(UdpData[i]));

UdpData[i] = '_';

}

//printf("\n [DATA END]\n\n\n");

}

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//ICMP解包程序

int TSniffer::DecodeIcmpPack(char * IcmpBuf, int iBufSize)

{

ICMP_HEADER * pIcmpHeader;

pIcmpHeader = (ICMP_HEADER * )IcmpBuf;

int iIcmpType = pIcmpHeader->i_type;

int iIcmpCode = pIcmpHeader->i_code;

RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

//對類型進行過濾

if ((iPortFilter) && (iIcmpType!=iPortFilter)) return true;

//printf("%s ", szProtocol);

//printf("%15s Type%d ->%15s Code%d ", szSourceIP, iIcmpType,

szDestIP, iIcmpCode);

//printf("%15s ->%15s ", szSourceIP, szDestIP);

//printf("TTL=%3d ", iTTL);

//printf("Type%2d,%d ",iIcmpType,iIcmpCode);

//printf("bytes=%4d", iBufSize);

//printf("\n");

ReceiveInfo->szProtocol = szProtocol;

ReceiveInfo->szSourceIP = szSourceIP;

ReceiveInfo->iIcmpType = iIcmpType;

ReceiveInfo->szDestIP = szDestIP;

ReceiveInfo->iIcmpCode = iIcmpCode;

ReceiveInfo->iTTL = iTTL;

ReceiveInfo->iBufSize = iBufSize;

//對于包含數據段的包進行數據分析

if ((MParamDecode) && (iBufSize>28))

{

char * IcmpData=IcmpBuf+4;

//分析ICMP數據段

//printf(" [DATA]");

//for(unsigned int i=0;i<(iBufSize-sizeof(ICMP_HEADER));i++)

//{

// if (!(i%8)) printf("\n");

// if ( (IcmpData[i]>33) && (IcmpData[i]<122) )

// printf("%3c [%3x]", IcmpData[i],

IcmpData[i]);

// else printf(" [%3x]", abs(IcmpData[i]));

//}

//printf("\n [DATA END]\n\n\n");

ReceiveInfo->ReceiveData = IcmpData;

}

AddReceiveData(ReceiveInfo);

delete ReceiveInfo;

return true;

}

//SOCK錯誤處理程序

void TSniffer::CheckSockError(int iErrorCode, char *pErrorMsg)

{

if(iErrorCode==SOCKET_ERROR)

{

//printf("%s Error:%d\n", pErrorMsg, GetLastError());

Form1->ListView1->AddItem(pErrorMsg,0);

closesocket(SockRaw);

exit(0);

}

}

void TSniffer::AddReceiveData(RECEIVEINFO *ReceiveInfo)

{

TListItem *Item;

Item = Form1->ListView1->Items->Add();

Item->Caption = ReceiveInfo->szProtocol;

Item->SubItems->Add(ReceiveInfo->szSourceIP);

Item->SubItems->Add(IntToStr(ReceiveInfo->iSourcePort));

Item->SubItems->Add(ReceiveInfo->szDestIP);

Item->SubItems->Add(IntToStr(ReceiveInfo->iDestPort));

Item->SubItems->Add(IntToStr(ReceiveInfo->iTTL));

Item->SubItems->Add(IntToStr(ReceiveInfo->iBufSize));

Item->SubItems->Add(ReceiveInfo->TcpFlag);

Item->SubItems->Add(IntToStr(ReceiveInfo->Length));

Item->SubItems->Add(ReceiveInfo->iIcmpType);

Item->SubItems->Add(ReceiveInfo->iIcmpCode);

try{

Item->SubItems->Add(ReceiveInfo->ReceiveData);

Item->SubItems->Add(ReceiveInfo->ReceiveUdpData);

}

catch(...){}

}

void TSniffer::ReceiveData()

{

memset(RecvBuf, 0, sizeof(RecvBuf));

iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0);

CheckSockError(iErrorCode, "recv");

iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);

CheckSockError(iErrorCode, "Decode");

}

頭文件

//---------------------------------------------------------------------------

#ifndef SnifferThreadH

#define SnifferThreadH

//---------------------------------------------------------------------------

#include <Classes.hpp>

#include <ComCtrls.hpp>

//---------------------------------------------------------------------------

#include <Winsock2.h>

#include "MSTcpIP.h"

#define STATUS_FAILED 0xFFFF //定義異常出錯代碼

#define MAX_PACK_LEN 655350 //接收的最大IP報文

#define MAX_ADDR_LEN 16 //點分十進制地址的最大長度

#define MAX_PROTO_TEXT_LEN 16 //子協議名稱(如"TCP")最

大長度

#define MAX_PROTO_NUM 12 //子協議數量

#define MAX_HOSTNAME_LAN 255 //最大主機名長度

#define CMD_PARAM_HELP true

typedef struct _iphdr

{

unsigned char h_lenver; //4位首部長度+4位IP版本號

unsigned char tos; //8位服務類型TOS

unsigned short total_len; //16位總長度(字節)

unsigned short ident; //16位標識

unsigned short frag_and_flags; //3位標志位

unsigned char ttl; //8位生存時間 TTL

unsigned char proto; //8位協議 (TCP, UDP 或

其他)

unsigned short checksum; //16位IP首部校驗和

unsigned int sourceIP; //32位源IP地址

unsigned int destIP; //32位目的IP地址

}IP_HEADER;

typedef struct _tcphdr //定義TCP首部

{

USHORT th_sport; //16位源端口

USHORT th_dport; //16位目的端口

unsigned int th_seq; //32位序列號

unsigned int th_ack; //32位確認號

unsigned char th_lenres; //4位首部長度/6位保留字

unsigned char th_flag; //6位標志位

USHORT th_win; //16位窗口大

USHORT th_sum; //16位校驗和

USHORT th_urp; //16位緊急數

據偏移量

}TCP_HEADER;

typedef struct _udphdr //定義UDP首部

{

unsigned short uh_sport; //16位源端口

unsigned short uh_dport; //16位目的端口

unsigned short uh_len; //16位長度

unsigned short uh_sum; //16位校驗和

} UDP_HEADER;

typedef struct _icmphdr //定義ICMP首部

{

BYTE i_type; //8位類型

BYTE i_code; //8位代碼

USHORT i_cksum; //16位校驗和

USHORT i_id; //識別號(一般

用進程號作爲識別號)

USHORT i_seq; //報文序列號

ULONG timestamp; //時間戳

}ICMP_HEADER;

typedef struct _protomap //定義子協議映射表

{

int ProtoNum;

char ProtoText[MAX_PROTO_TEXT_LEN];

}PROTOMAP;

typedef struct _receiveinfo

{

char* szProtocol;

char* szSourceIP;

int iSourcePort;

char* szDestIP;

int iDestPort;

int iTTL;

int Length;

char TcpFlag[6] ;

int iBufSize;

char iIcmpType;

char iIcmpCode;

char* ReceiveData;

AnsiString ReceiveUdpData;

}RECEIVEINFO;

PROTOMAP ProtoMap[MAX_PROTO_NUM]={ //爲子協議映射表賦值

{ IPPROTO_IP , "IP " },

{ IPPROTO_ICMP , "ICMP" },

{ IPPROTO_IGMP , "IGMP" },

{ IPPROTO_GGP , "GGP " },

{ IPPROTO_TCP , "TCP " },

{ IPPROTO_PUP , "PUP " },

{ IPPROTO_UDP , "UDP " },

{ IPPROTO_IDP , "IDP " },

{ IPPROTO_ND , "NP " },

{ IPPROTO_RAW , "RAW " },

{ IPPROTO_MAX , "MAX " },

{ NULL , "" } };

class TSniffer : public TThread

{

private:

int DecodeIpPack(char *, int); //IP解包函數

int DecodeTcpPack(char *, int); //TCP解包函數

int DecodeUdpPack(char *, int); //UDP解包函數

int DecodeIcmpPack(char *, int); //ICMP解包函數

void CheckSockError(int, char*); //出錯處理函數

char * CheckProtocol(int); //協議檢查

void SnifferInit();

void AddReceiveData(RECEIVEINFO *ReceiveInfo);

void ReceiveData();

protected:

void __fastcall Execute();

public:

SOCKET SockRaw;

bool MParamTcp; // 關注TCP 報文

bool MParamUdp; // 關注UDP 報文

bool MParamIcmp; // 關注ICMP報文

bool MParamDecode; // 對協議進行解碼

char TcpFlag[6]; //定義TCP標志位

char *strFromIpFilter; // 源IP地址過濾

char *strDestIpFilter; // 目的地址過濾

char *strSensitive; // 敏感字符串

int iPortFilter; // 端口過濾

int iProtocol, iTTL;

char szProtocol[MAX_PROTO_TEXT_LEN];

char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN];

char OtherInfo[100];

int iErrorCode;

char RecvBuf[MAX_PACK_LEN];

__fastcall TSniffer(bool CreateSuspended);

};

//---------------------------------------------------------------------------

#endif

lovemaggic:

向大家推薦ethereal 0.9.14,它也是調用winpcap3.0,

它現在版本支持各種抓包軟件的數據文件,包括

tcpdump and Ethereal

snoop (including Shomiti) and atmsnoop

LanAlyzer

Sniffer (compressed or uncompressed)

Microsoft Network Monitor

AIX’s iptrace

NetXray

Sniffer Pro

RADCOM’s WAN/LAN analyzer

Lucent/Ascend router debug output

HP-UX’s nettl

the dump output from Toshiba’s ISDN routers

i4btrace from the ISDN4BSD project

而且它是從Linux下移植過來的,有免費的源代碼。

前幾天整理了一下winpcap的文檔,如果有誰想要的話,請到專題開發版給列留言:
http://expert.csdn.net/Expert/topic/2465/2465797.xml?temp=.4748651

希望大家有空沒空有事沒事常去[專題開發]版討論問題。

專題開發版新開發網絡安全和數據庫版塊,希望各位能人前往交流!!

 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
sunxufei: 哦,交換機是以MAC地址進行交換的,不是IP那一層的,要IP已經路由器了 現在交換機便宜了,因此以後你想用sniffer抓密碼概率不大了,不過還能多公司仍然是交換機和H UB一起用的,這樣小範圍內是有效地,至于ADSL CABLE FTTB,我的FTTB是用華爲設計的設備 ,呵呵,不僅僅工網IP,只有我和交換機兩個MAC(這次中國人幹的不錯),沒希望找到第三者,很安全,但 不都這樣安全,很多人的網絡還是很糟糕的. 很多加密協議可以用來提高安全性,但老的POP3,SMTP,HTTP,FTP這種協議應用廣泛,不可能在短 時間內完全取代,而且加密也是有待價的,所以對于要求較高的場合,才會加密. 不過sniffer不是給大家偷密碼用的,我當初用來學習網絡,看看包的樣子,後來就用來當作網管工具, 分析網絡的健康與否,其實這樣的話,你知道,很有可能sniffer就是接在我需要探測的網絡上,聽診器 嗎,到處都聽聽,呵呵,因此即使用了交換機,sniffer仍然是有用處的,但不是抓密碼!! Wincap很簡單,大3的學生不要怕,去他的網站看看,有例子的,VC6編譯,BCB也行的,把lib的格式轉 換一下,不過寫這種程序,你最好先熟悉協議,很多協議在linux裏有現成的源代碼,主要是一些struct 吧,移植時注意VC可不是gcc,有些c的高級語法,編譯選項要注意,否則差一個byte你就得不到正確的 結果. 如果你搞不到sniffer,Win2000 Server也有網絡包查看器的,不比sniffer強大,但簡單的東西入手 也快. 反嗅探和嗅探技術其實很old了,呵呵,不過CSDN經常old的. 注意不要幹壞事,有矛必有盾 sevencat: 網卡的混雜模式好像要通過NDIS設置。 下面是轉貼的。 哪位UP一下,我來貼完。 一、驅動開發網 作者:gjpland 看到很多仁兄提供的數據包的攔截技術,其中最多的是編寫IM DRIVER在NDIS中間層 對MINIPORT(網卡驅動程序)和協議驅動程序之間的數據包進行攔截。這是微軟提供的一種技術 但編寫該過濾程序攔截程序非常的複雜,安裝也很麻煩。 本人簡單的介紹一種更有效的基于NDIS包攔截技術。 大家都知道,NDIS協議驅動程序是通過填寫一張NDIS_PROTOCOL_CHARACTERISTICS的表 ,並調用NDIS API 函數NdisRegisterProtocol進行注冊。現在我們來關注一下NDIS_PROTOCOL_CHARACTERI STICS這張表, 這張表中存有所有協議驅動程序與底層的派發函數的入口。如SendHandler,ReceiveHandler,Bi ndAdapterHandler等, 當網卡有數據包進入時,會通過表中ReceiveHandle 或ReceivePacketHandler通知協議驅動程 序有一個該協議 的數據包進入,反之協議驅動程序是通過SendHandler或SendPacketsHandler函數向網卡驅動 發送數據包到網絡 上去的,有人會奇怪程序中明明不是調用NdisSend或NdisSendPackets函數發送的嗎?沒錯, 是這樣的, 但是你可以看一下NDIS.H的頭文件裏對這兩個函數的定義就知道了,他們都是一個 宏定義,實際還是通過這表中SendHandler或SendPacketsHandler發送的。 現在我們所要做的事情應該很清楚了,只要我們能夠將每一個協議程序所填寫的NDIS_PROTOCO L_CHARACTERISTICS 表裏的派發函數指向自己的函數,我們就能成功的對數據包進行攔截。那麽每個協議驅動程序的這張 表到底存放在 那裏呢?太簡單了,看一下下面的我對NdisRegisterProtocol重新給出的原型就很明白了。 struct _NDIS_PROTOCOL_BLOCK { PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol REFERENCE Ref; // contains spinlock for OpenQueue UINT Length; // of this NDIS_PROTOCOL_BLOCK struct NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;// handler addresses struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next ULONG MaxPatternSize; #if defined(NDIS_WRAPPER) // // Protocol filters // struct _NDIS_PROTOCOL_FILTER * ProtocolFilter[NdisMediumMax+1]; WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to // notify protocols of existing drivers. KMUTEX Mutex; // For serialization of Bind/Unbind requests PKEVENT DeregEvent; // Used by NdisDeregisterProtocol #endif }; typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK, *PNDIS_PROTOCOL_BLOCK; EXPORT VOID NdisRegisterProtocol( OUT PNDIS_STATUS Status, OUT PNDIS_PROTOCOL_BLOCK NdisProtocolHandle, /*注意NDIS_HANDLE所指向的 就是PNDIS_PROTOCOL_BLOCK的結構,不要有什麽懷疑。*/ IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics, IN UINT CharacteristicsLength ); NDIS_PROTOCOL_BLOCK(協議表) 是NDIS維護所有系統中已注冊協義的單向鏈接表。字段NextProtocol指向下一個協議表。 慶幸的是,當我們注冊一新的協議時,NDIS總是會把新注冊的協義放在鏈表的頭並返回這張表, 所以只要我們注冊一個新的協議 通過新協議注冊返回的鏈表頭就可以輕而易舉的遍曆系統中所有協議表.現在我們所希望得到的每個 協議的 NDIS_PROTOCOL_CHARACTERISTICS表就放在我們面前了,如何勾挂表中的派發函數,我 想不必多說了吧。順便說一句 NDISREGISTERPROTOCOL爲NDIS_PROTOCOL_BLOCK所分配的內存是NonPagedPool 類型的。對于核心DRIVER來說,核心區內存 是一個線性的內存區,所有核心DRIVER是可以隨便訪問核心內存區的任意地址。所要注意的是不 同IRQL級別下對分頁 和非分頁內存。 有人會問這樣就行了嗎?真的攔截下來了嗎?如果有那位仁兄心急現在就寫程序的話, 准會失望的,因爲他會發現結果什麽東西都沒攔截到或偶而會攔截到一些數據包。爲什麽? 因爲NDIS網卡驅動和協議驅動在發送和接收到數居時並不是調用PNDIS_OPEN_BLOCK->Proto colCharacteristics 裏的派發函數。怎麽辦? 有必要先介紹一下NDIS網卡驅動和協議驅動之間是如何BINDING 的吧, NdisRegisterProtocol在注冊完一個協議後,不久NDIS會通過調用表中 BindAdapterHandler派發函數,通知協議對每一個網卡進行BINDING。或者當系統通PNP找到 一塊新的網卡時 也會調用BindAdapterHandler對協議進行BINDING。協議在BINDING 調用裏,會根據自己的 需要使用NdisOpenAdapter 將自身綁定到適合的網卡。並返回NdisBindingHandle.NdisBindingHandle是什麽?NdisBin dingHandl其實是 指向NDIS_OPEN_BLOCK表的一根指針,那麽NDIS_OPEN_BLOCK表有什麽用呢?當協議順 利的綁定後,每個綁定的網卡 和每一個協議之間建立了數據傳輸的通道,而NDIS_OPEN_BLOCK就是用來維護這一數據通道的 表。 struct _NDIS_OPEN_BLOCK { PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue PFILE_OBJECT FileObject; // created by operating system BOOLEAN Closing; // TRUE when removing this struct BOOLEAN Unloading; // TRUE when processing unload BOOLEAN NoProtRsvdOnRcvPkt; // Reflect the protocol_options NDIS_HANDLE CloseRequestHandle; // 0 indicates an internal close KSPIN_LOCK SpinLock; // guards Closing PNDIS_OPEN_BLOCK NextGlobalOpen; // // These are optimizations for getting to MAC routines. They are not // necessary, but are here to save a dereference through the MAC block. // SEND_HANDLER SendHandler; TRANSFER_DATA_HANDLER TransferDataHandler; // // These are optimizations for getting to PROTOCOL routines. They are not // necessary, but are here to save a dereference through the PROTOCOL block. // SEND_COMPLETE_HANDLER SendCompleteHandler; TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler; RECEIVE_HANDLER ReceiveHandler; RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler; // // Extentions to the OPEN_BLOCK since Product 1. // RECEIVE_HANDLER PostNt31ReceiveHandler; RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler; // // NDIS 4.0 extensions // RECEIVE_PACKET_HANDLER ReceivePacketHandler; SEND_PACKETS_HANDLER SendPacketsHandler; // // More NDIS 3.0 Cached Handlers // RESET_HANDLER ResetHandler; REQUEST_HANDLER RequestHandler; // // Needed for PnP // UNICODE_STRING AdapterName; // Upcased name of the adapter we are bound to }; 上面的表結構可以很清楚的看到這張表是一個單向鏈接表,並且存放了和PNDIS_OPEN_BLOCK- >ProtocolCharacteristics 一樣的數據收發派發函數,當第N塊網卡發送數據包到第N個協議時,就會調用第N個協議與第N個 網卡之間建立的 NDIS_OPEN_BLOCK表裏的SendHandler或SendPacketHandler。所以我們還需要對這張表 裏的派發函數進行處理(勾挂)。 那麽又如何勾挂協議與網卡之間的NDIS_OPEN_BLOCK表呢。我們再回到NDIS_PROTOCOL_ BLOCK這張表中,在 NDIS_PROTOCOL_BLOCK表中字段PNDIS_OPEN_BLOCK OpenQueue;就是所有該協議所 有NDIS_OPEN_BLOCK的表頭。 通過AdapterNextOpen遍曆一下,再勾挂一把。就可以順利攔截了。 值得注意的是。 1。 NDIS_OPEN_BLOCK NDIS_PROTOCOL_BLOCK 這些結構不同NDIS版本是不同的, 解決方法是在windows 98和windows95下(ndis 3.1)使用windows98ddk 帶的NDIS.H 裏的 定義 在windows me下(ndis 5.0或4。0)請使用WINDOWS 98ddk裏NDIS.H裏的定義 nt(ndis4.0)用NTDDK裏的定議,以此類推,2000(ndis5.0) 2。不要重複勾挂同一個函數。 有問題可以通過 QQ:3955727 mail:gjpland@netease.com // //Protocol Wrapper Version 1.05 //Author: gjp //email: gjpland@netease.com // #include "NdisHook.h" #include "HookRule.h" #pragma pack(push) #pragma pack(1) typedef struct _HOOK_CONTEXT_STRUCT { //runtime code ubyte code1_0x58; //0x58 | pop eax | pop caller IP from stack to eax ubyte code2_0x68; //0x68 | push IMM | push our hook context address struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this ubyte code3_0x50; //0x50 | push eax | push caller IP from eax to stack ubyte code4_0xE9; //0xE9 | jmp HookProc | jump our hook proc udword m_pHookProcOffset; //our context data PVOID m_pOriginalProc; PVOID m_pHookProc; PVOID m_pBindAdaptHandle; PVOID m_pProtocolContent; PVOID *m_ppOriginPtr; struct _HOOK_CONTEXT_STRUCT *m_pHookNext; }HOOK_CONTEXT_STRUCT; #pragma pack(pop) HOOK_CONTEXT_STRUCT *m_pOurAllOfHookContext = NULL; dword m_IsFilterEnabled = FALSE; NDIS_HANDLE m_ourPacketPoolHandle = NULL; NDIS_HANDLE m_ourBufferPoolHandle = NULL; PNDIS_PACKET m_ourPacketHandle = NULL; PNDIS_BUFFER m_ourBufferHandle = NULL; PVOID m_ourBuffer = NULL; void ReadPacket(PNDIS_PACKET Packet,PVOID pBuffer,udword dwBufSize); uword wswap(uword value); void HookUnload(void) { ReleaseHookFunc(); if( m_ourBufferHandle ) { NdisFreeBuffer(m_ourBufferHandle); m_ourBufferHandle = NULL; } if( m_ourBuffer ) { NdisFreeMemory(m_ourBuffer,MAX_PACKET_SIZE,0); m_ourBuffer = NULL; } if( m_ourPacketHandle ) { NdisFreePacket(m_ourPacketHandle); m_ourPacketHandle = NULL; } if( m_ourBufferPoolHandle ) { NdisFreeBufferPool(m_ourBufferPoolHandle); m_ourBufferPoolHandle = NULL; } if( m_ourPacketPoolHandle ) { NdisFreePacketPool(m_ourPacketPoolHandle); m_ourPacketPoolHandle = NULL; } return; } dword HookInit(void) { NTSTATUS status; m_ourPacketPoolHandle = NULL; NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x10); if( status != NDIS_STATUS_SUCCESS ) return FALSE; m_ourBufferPoolHandle = NULL; NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x10); if( status != NDIS_STATUS_SUCCESS ) return FALSE; m_ourBuffer = NULL; status = NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW'); if( status != NDIS_STATUS_SUCCESS ) return FALSE; m_ourBufferHandle = NULL; NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuff er,MAX_PACKET_SIZE); if( status != NDIS_STATUS_SUCCESS ) return FALSE; m_ourPacketHandle = NULL; NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle); if( status != NDIS_STATUS_SUCCESS ) return FALSE; NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle); return TRUE; } typedef struct _NDIS41_PROTOCOL_CHARACTERISTICS { #ifdef __cplusplus NDIS40_PROTOCOL_CHARACTERISTICS Ndis40Chars; #else NDIS40_PROTOCOL_CHARACTERISTICS; #endif // // Start of NDIS 4.1 extensions. // CO_SEND_COMPLETE_HANDLER CoSendCompleteHandler; CO_STATUS_HANDLER CoStatusHandler; CO_RECEIVE_PACKET_HANDLER CoReceivePacketHandler; CO_REQUEST_HANDLER CoRequestHandler; CO_REQUEST_COMPLETE_HANDLER CoRequestCompleteHandler; } NDIS41_PROTOCOL_CHARACTERISTICS; dword HookProtocol(void) { //Default ndis version is 5.0 NDIS_PROTOCOL_CHARACTERISTICS ourNPC; NDIS_STRING protoName = NDIS_STRING_CONST("HdFw_Slot"); NDIS_STATUS Status; NDIS_HANDLE ourProtocolHandle = NULL; byte *ProtocolChain; dword offset; dword len; // NDIS_PROTOCOL_BLOCK *pNdisBlock = NULL; // pNdisBlock = pNdisBlock->NextProtocol; // pNdisBlock->NextProtocol = NULL; memset(&ourNPC,0,sizeof(NDIS_PROTOCOL_CHARACTERISTICS)); if( m_dwMajorVersion == 0x03 ) { len = sizeof(NDIS30_PROTOCOL_CHARACTERISTICS); //We must need at least ndis version 3.10 ourNPC.MajorNdisVersion = 0x03; ourNPC.MinorNdisVersion = 0x0A; } else if( m_dwMajorVersion == 0x04 ) { len = sizeof(NDIS40_PROTOCOL_CHARACTERISTICS); ourNPC.MajorNdisVersion = 0x04; ourNPC.MinorNdisVersion = 0x00; } else { //treat as version 5.0 len = sizeof(NDIS50_PROTOCOL_CHARACTERISTICS); ourNPC.MajorNdisVersion = 0x05; ourNPC.MinorNdisVersion = 0x00; } ourNPC.Name = protoName; ourNPC.OpenAdapterCompleteHandler = PtOpenAdapterComplete; ourNPC.CloseAdapterCompleteHandler = PtCloseAdapterComplete; ourNPC.SendCompleteHandler = PtSendComplete; ourNPC.TransferDataCompleteHandler = PtTransferDataComplete; ourNPC.ResetCompleteHandler = PtResetComplete; ourNPC.RequestCompleteHandler = PtRequestComplete; ourNPC.ReceiveHandler = PtReceive; ourNPC.ReceiveCompleteHandler = PtReceiveComplete; ourNPC.StatusHandler = PtStatus; ourNPC.StatusCompleteHandler = PtStatusComplete; ourNPC.BindAdapterHandler = PtBindAdapter; ourNPC.UnbindAdapterHandler = PtUnbindAdapter; ourNPC.UnloadHandler = PtUnload; ourNPC.ReceivePacketHandler = PtReceivePacket; ourNPC.PnPEventHandler = PtPNPHandler; NdisRegisterProtocol(&Status,&ourProtocolHandle,&ourNPC,len); if( !NT_SUCCESS(Status) || ourProtocolHandle == NULL ) return FALSE; //NdisRegisterProtocol return hand reference of NDIS_PROTOCOL_BLOCK; ProtocolChain = (byte *)ourProtocolHandle; while(1) { DebugInfoCount++; //Obtain pointer to next protocol link. if( m_dwMajorVersion == 0x03 ) offset = 4; else if( m_dwMajorVersion == 0x04 ) { if( m_dwMinorVersion == 0x01 ) offset = 0x8C; else offset = 0x60; } else if( m_dwMajorVersion == 0x05 ) //NDIS_PROTOCOL_BLOCK->NextProtocol offset = 0x10; else //Error break; ProtocolChain = ((byte **)(ProtocolChain + offset))[0]; if( ProtocolChain == NULL ) break; HookFuncBlock(ProtocolChain); } if( m_dwMajorVersion != 4 ) NdisDeregisterProtocol(&Status,ourProtocolHandle); else { // ((byte *)ourProtocolHandle)[0x0C] = 0x01; // NdisDeregisterProtocol(&Status,ourProtocolHandle); } return TRUE; } // ProtocolContent // Version NextChain offset NDIS_PROTOCOL_CHARACTERISTICS offset BindingAdaptHandle offset // NDIS 3.XX 0x04 0x14 0x08 // NDIS 4.XX 0x60 0x14 0x00 // NDIS 4.01 0x8C 0x14 0x00 // NDIS 5.XX 0x10 0x14 0x00 //----- VOID HookProtocolSendPackets( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE MiniportAdapterContext, IN PPNDIS_PACKET PacketArray, IN UINT NumberOfPackets ); NDIS_STATUS HookProtocolWanSend( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE MacBindingHandle, IN NDIS_HANDLE LinkHandle, IN PVOID Packet ); NDIS_STATUS HookProtocolSend( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE MacBindingHandle, IN PNDIS_PACKET Packet ); NDIS_STATUS HookProtocolReceive( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE ProtocolBindingContext, IN NDIS_HANDLE MacReceiveContext, IN PVOID HeaderBuffer, IN UINT HeaderBufferSize, IN PVOID LookAheadBuffer, IN UINT LookaheadBufferSize, IN UINT PacketSize ); NDIS_STATUS HookWanReceive( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE NdisLinkHandle, IN PUCHAR Packet, IN ULONG PacketSize ); INT HookProtocolReceivePacket( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet ); VOID HookBindAdapterHandler( IN HOOK_CONTEXT_STRUCT *pOurContext, OUT PNDIS_STATUS Status, IN NDIS_HANDLE BindContext, IN PNDIS_STRING DeviceName, IN PVOID SystemSpecific1, IN PVOID SystemSpecific2); VOID HookSendComplete( IN HOOK_CONTEXT_STRUCT *pOurContext, IN NDIS_HANDLE ProtocolBindingContext, IN PNDIS_PACKET Packet, IN NDIS_STATUS Status ); void ReleaseHookFunc(void) { HOOK_CONTEXT_STRUCT *pHookContext,*pNext; pHookContext = m_pOurAllOfHookContext; m_pOurAllOfHookContext = NULL; while(pHookContext) { pNext = pHookContext->m_pHookNext; pHookContext->m_ppOriginPtr[0] = pHookContext->m_pOriginalProc; ExFreePool(pHookContext); pHookContext = pNext; } return; } HOOK_CONTEXT_STRUCT *IsHookedNdisFunc(PVOID pAddr) { HOOK_CONTEXT_STRUCT *pHookContext; pHookContext = m_pOurAllOfHookContext; while(pHookContext) { if( pHookContext == pAddr ) break; pHookContext = pHookContext->m_pHookNext; } return pHookContext; } HOOK_CONTEXT_STRUCT *IsHookedNdisFuncEx(PVOID *pAddr) { HOOK_CONTEXT_STRUCT *pHookContext; pHookContext = m_pOurAllOfHookContext; while(pHookContext) { if( pHookContext->m_ppOriginPtr == pAddr ) break; pHookContext = pHookContext->m_pHookNext; } return pHookContext; } HOOK_CONTEXT_STRUCT *HookNdisFunc(PVOID pHookProc,PVOID *ppOrigProc,PVOID pBindAdaptHandle,PVOID pProtocolContent) { HOOK_CONTEXT_STRUCT *pHookContext; PVOID OrgFunc; pHookContext = IsHookedNdisFunc(ppOrigProc[0]); if( pHookContext ) OrgFunc = pHookContext->m_pOriginalProc; else OrgFunc = ppOrigProc[0]; if( OrgFunc == NULL ) return NULL; pHookContext = IsHookedNdisFuncEx(ppOrigProc); if( pHookContext ) return pHookContext; pHookContext = ExAllocatePoolWithTag(NonPagedPool,sizeof(HOOK_CONTEXT_STRUCT),'HCSP'); if( pHookContext == NULL ) return NULL; memset(pHookContext,0,sizeof(HOOK_CONTEXT_STRUCT)); pHookContext->code1_0x58 = 0x58; pHookContext->code2_0x68 = 0x68; pHookContext->code3_0x50 = 0x50; pHookContext->code4_0xE9 = 0xE9; pHookContext->m_pHookContext = pHookContext; pHookContext->m_pHookProcOffset = ((udword)pHookProc) - (((udword)&pHookContext->m_pHookProcOffset) + sizeof(udword)); pHookContext->m_pBindAdaptHandle = pBindAdaptHandle; pHookContext->m_pProtocolContent = pProtocolContent; pHookContext->m_pOriginalProc = OrgFunc;//ppOrigProc[0]; pHookContext->m_ppOriginPtr = ppOrigProc; pHookContext->m_pHookProc = pHookProc; pHookContext->m_pHookNext = m_pOurAllOfHookContext; m_pOurAllOfHookContext = pHookContext; ppOrigProc[0] = pHookContext; return pHookContext; } typedef struct _NDIS40_OPEN_BLOCK { PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue PFILE_OBJECT FileObject; // created by operating system BOOLEAN Closing; // TRUE when removing this struct BOOLEAN Unloading; // TRUE when processing unload NDIS_HANDLE CloseRequestHandle; // 0 indicates an internal close KSPIN_LOCK SpinLock; // guards Closing PNDIS_OPEN_BLOCK NextGlobalOpen; // // These are optimizations for getting to MAC routines. They are not // necessary, but are here to save a dereference through the MAC block. // SEND_HANDLER SendHandler; TRANSFER_DATA_HANDLER TransferDataHandler; // // These are optimizations for getting to PROTOCOL routines. They are not // necessary, but are here to save a dereference through the PROTOCOL block. // SEND_COMPLETE_HANDLER SendCompleteHandler; TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler; RECEIVE_HANDLER ReceiveHandler; RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler; // // Extentions to the OPEN_BLOCK since Product 1. // RECEIVE_HANDLER PostNt31ReceiveHandler; RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler; // // NDIS 4.0 extensions // RECEIVE_PACKET_HANDLER ReceivePacketHandler; SEND_PACKETS_HANDLER SendPacketsHandler; // // Needed for PnP // UNICODE_STRING AdapterName; // Upcased name of the adapter we are bound to }NDIS40_OPEN_BLOCK,*PNDIS40_OPEN_BLOCK; void HookFuncBlock(byte *ProtocolContent) { PNDIS_PROTOCOL_CHARACTERISTICS pProChar; dword IsWan; NDIS_STRING WanString = NDIS_STRING_CONST("NDISWAN"); NDIS_STRING DeviceWanString = NDIS_STRING_CONST("\\DEVICE\\NDISWAN"); NDIS_STRING TcpipString = NDIS_STRING_CONST("Tcpip"); NDIS_STRING TcpArpString = NDIS_STRING_CONST("TCPIP_WANARP"); NDIS_STRING RasArpString = NDIS_STRING_CONST("RASARP"); if( ProtocolContent == NULL ) return; //Get pointer to NDIS_PROTOCOL_CHARACTERISTICS from protocol content pProChar = (PNDIS_PROTOCOL_CHARACTERISTICS)(ProtocolContent + 0x14); if( KeGetCurrentIrql() == PASSIVE_LEVEL ) { //Check protocol name whether is Wan Lan protocol so that we can correctly hook our function if( !RtlCompareUnicodeString(&pProChar->Name,&WanString,TRUE) || !RtlCompareUnicodeString(&pProChar->Name,&DeviceWanString,TRUE) ) { IsWan = 1; } else IsWan = 0; //We r only interest in following protocol if( !(!RtlCompareUnicodeString(&pProChar->Name,&TcpipString,TRUE) || !RtlCompareUnicodeString(&pProChar->Name,&TcpArpString,TRUE) || !RtlCompareUnicodeString(&pProChar->Name,&RasArpString,TRUE)) ) { return; } } else IsWan = 0; // if( !IsWan ) { HookNdisFunc(HookProtocolReceive,(PVOID *)&pProChar->ReceiveHandler,NULL,ProtocolContent); //{{added by gjp 6.24 // __asm int 3; // HookNdisFunc(HookSendComplete,(PVOID *)&pProChar->SendCompleteHandler,NULL,ProtocolContent); //}} } else HookNdisFunc(HookWanReceive,(PVOID *)&pProChar->WanReceiveHandler,NULL,ProtocolContent); if(pProChar->MajorNdisVersion > 0x03 ) { HookNdisFunc(HookProtocolReceivePacket,(PVOID *)&pProChar->ReceivePacketHandler,NULL,ProtocolContent); HookNdisFunc(HookBindAdapterHandler,(PVOID *)&pProChar->BindAdapterHandler,NULL,ProtocolContent); } zihan: Guniffer我做過修改,用線程實現,還比較好用.是bcb做的 //--------------------------------------------------------------------------- #include <vcl.h> #pragma hdrstop #include "SnifferThread.h" #include "Main.h" #pragma package(smart_init) //--------------------------------------------------------------------------- __fastcall TSniffer::TSniffer(bool CreateSuspended) : TThread(CreateSuspended) { MParamTcp = true; // 關注TCP 報文 MParamUdp = true; // 關注UDP 報文 MParamIcmp = true; // 關注ICMP報文 MParamDecode = true; FreeOnTerminate = true; strcpy(TcpFlag, "FSRPAU"); //TcpFlag[6]={'F','S','R','P','A','U'}; //定義TCP標志位 strFromIpFilter = NULL; // 源IP地址過濾 strDestIpFilter = NULL; // 目的地址過濾 strSensitive = NULL; // 敏感字符串 iPortFilter = 0; // 端口過濾 RecvBuf[MAX_PACK_LEN] = NULL; } //--------------------------------------------------------------------------- void __fastcall TSniffer::Execute() { //---- Place thread code here ---- //偵聽IP報文 SnifferInit(); while(!Terminated) { ReceiveData(); } Form1->ListView1->AddItem("線程結束,停止截獲...", 0); } void TSniffer::SnifferInit() { //初始化SOCKET WSADATA wsaData; iErrorCode = WSAStartup(MAKEWORD(2,1),&wsaData); CheckSockError(iErrorCode, "WSAStartup"); SockRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP); CheckSockError(SockRaw, "socket"); //獲取本機IP地址 char FAR name[MAX_HOSTNAME_LAN]; iErrorCode = gethostname(name, MAX_HOSTNAME_LAN); CheckSockError(iErrorCode, "gethostname"); struct hostent FAR * pHostent; pHostent = (struct hostent * )malloc(sizeof(struct hostent)); pHostent = gethostbyname(name); SOCKADDR_IN sa; sa.sin_family = AF_INET; sa.sin_port = htons(6000); memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0], pHostent->h_length); free(pHostent); iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa)); CheckSockError(iErrorCode, "bind"); //設置SOCK_RAW爲SIO_RCVALL,以便接收所有的IP包 LPVOID dwBufferLen[10] ; DWORD dwBufferInLen = 1 ; DWORD dwBytesReturned = 0 ; iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen, sizeof(dwBufferInLen), &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned , NULL, NULL); CheckSockError(iErrorCode, "Ioctl"); } //IP解包程序 int TSniffer::DecodeIpPack(char *buf, int iBufSize) { IP_HEADER *pIpheader; SOCKADDR_IN saSource, saDest; pIpheader = (IP_HEADER *)buf; //協議甄別 iProtocol = pIpheader->proto; strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN); if((iProtocol == IPPROTO_TCP) && (!MParamTcp)) return true; if((iProtocol == IPPROTO_UDP) && (!MParamUdp)) return true; if((iProtocol == IPPROTO_ICMP) && (!MParamIcmp)) return true; //源地址 saSource.sin_addr.s_addr = pIpheader->sourceIP; strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN); if (strFromIpFilter) if (strcmp(strFromIpFilter,szSourceIP)) return true; //目的地址 saDest.sin_addr.s_addr = pIpheader->destIP; strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN); if (strDestIpFilter) if (strcmp(strDestIpFilter,szDestIP)) return true; iTTL = pIpheader->ttl; //計算IP首部的長度 int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf); //根據協議類型分別調用相應的函數 switch(iProtocol) { case IPPROTO_TCP :DecodeTcpPack(buf+iIphLen, iBufSize);break; case IPPROTO_UDP :DecodeUdpPack(buf+iIphLen, iBufSize);break; case IPPROTO_ICMP :DecodeIcmpPack(buf+iIphLen, iBufSize);break; default :break; } return true; } //協議識別程序 char* TSniffer::CheckProtocol(int iProtocol) { for(int i=0; i<MAX_PROTO_NUM; i++) if(ProtoMap[i].ProtoNum==iProtocol) return ProtoMap[i].ProtoText; return ""; } //TCP解包程序 int TSniffer::DecodeTcpPack(char * TcpBuf, int iBufSize) { TCP_HEADER * pTcpHeader; int i; int iSourcePort,iDestPort; RECEIVEINFO *ReceiveInfo = new RECEIVEINFO; pTcpHeader = (TCP_HEADER * )TcpBuf; //計算TCP首部長度 int TcpHeaderLen = pTcpHeader->th_lenres>>4; TcpHeaderLen *= sizeof(unsigned long); char * TcpData=TcpBuf+TcpHeaderLen; //如果過濾敏感字符串則判斷是否包含 if (strSensitive) if ((strstr(TcpData, strSensitive))==NULL) return true; //對端口進行過濾 iSourcePort = ntohs(pTcpHeader->th_sport); iDestPort = ntohs(pTcpHeader->th_dport); if ((iPortFilter) && (iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter)) return true; //輸出 //sprintf(OtherInfo, "%s ", szProtocol); //sprintf(OtherInfo, "%15s:%5d ->%15s:%5d ", szSourceIP, iSourcePort, szDestIP, iDestPort); //sprintf(OtherInfo, "TTL=%3d ", iTTL); ReceiveInfo->szProtocol = szProtocol; ReceiveInfo->szSourceIP = szSourceIP; ReceiveInfo->szDestIP = szDestIP; ReceiveInfo->iSourcePort = iSourcePort; ReceiveInfo->iDestPort = iDestPort; ReceiveInfo->iTTL = iTTL; //判斷TCP標志位 unsigned char FlagMask = 1; for( i=0; i<6; i++ ) { if((pTcpHeader->th_flag) & FlagMask) { //sprintf(OtherInfo, "%c",TcpFlag[i]); ReceiveInfo->TcpFlag[i] = TcpFlag[i]; } else { //sprintf(OtherInfo, "-"); ReceiveInfo->TcpFlag[i] = '-'; } FlagMask=FlagMask<<1; } //sprintf(OtherInfo, " bytes=%4d\n", iBufSize); ReceiveInfo->iBufSize = iBufSize; //對于長度大于40字節的包進行數據分析(IP_HEADER+TCP_HEADER=40) if ((MParamDecode) && (iBufSize>40)) { //分析TCP數據段 if ((!strSensitive) || (strstr(TcpData,strSensitive))) { //sprintf(OtherInfo, "[DATA]\n"); //sprintf(OtherInfo, "%s%s", OtherInfo, TcpData); //sprintf(OtherInfo, "%s\n [DATA END]\n\n\n", OtherInfo); ReceiveInfo->ReceiveData = TcpData; } } //Form1->Memo1->Lines->Add(OtherInfo); AddReceiveData(ReceiveInfo); delete ReceiveInfo; return true; } //UDP解包程序 int TSniffer::DecodeUdpPack(char * UdpBuf, int iBufSize) { UDP_HEADER *pUdpHeader; pUdpHeader = (UDP_HEADER * )UdpBuf; int iSourcePort = ntohs(pUdpHeader->uh_sport); int iDestPort = ntohs(pUdpHeader->uh_dport); RECEIVEINFO *ReceiveInfo = new RECEIVEINFO; //對端口進行過濾 if(iPortFilter) if ((iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter)) return true; //printf("%s ", szProtocol); //printf("%15s:%5d ->%15s:%5d ", szSourceIP, iSourcePort, szDestIP, iDestPort); //printf("TTL=%3d ", iTTL); //printf("Len=%4d ", ntohs(pUdpHeader->uh_len)); //printf("bytes=%4d", iBufSize); //printf("\n"); ReceiveInfo->szProtocol = szProtocol; ReceiveInfo->szSourceIP = szSourceIP; ReceiveInfo->iSourcePort = iSourcePort; ReceiveInfo->szDestIP = szDestIP; ReceiveInfo->iDestPort = iDestPort; ReceiveInfo->iTTL = iTTL; ReceiveInfo->Length = ntohs(pUdpHeader->uh_len); ReceiveInfo->iBufSize = iBufSize; //對于長度大于28字節的包進行數據分析(IP_HEADER+UDP_HEADER>28) if ((MParamDecode) && (iBufSize>28)) { //printf(" [DATA]\n"); //UDP首部長度爲8 char * UdpData=UdpBuf+8; //分析UDP數據段 ReceiveInfo->ReceiveData = UdpData; TStringStream *DataStringStream = new TStringStream(NULL); try{ DataStringStream->Write(UdpData, sizeof(UdpData)); //DataStringStream->CopyFrom(UdpData, sizeof(UdpData))} ReceiveInfo->ReceiveUdpData = DataStringStream->DataString;} __finally{ delete DataStringStream;} for(unsigned int i=0;i<(iBufSize-sizeof(UDP_HEADER));i++) { //if (!(i%8)) sprintf(OtherInfo, "%s\n", OtherInfo); //memset(OtherInfo, 0, strlen(OtherInfo)); if ( (UdpData[i]>33) && (UdpData[i]<122) ) //sprintf(OtherInfo, "%c", UdpData[i]); ; else //sprintf(UdpData, "[%3x]", abs(UdpData[i])); UdpData[i] = '_'; } //printf("\n [DATA END]\n\n\n"); } AddReceiveData(ReceiveInfo); delete ReceiveInfo; return true; } //ICMP解包程序 int TSniffer::DecodeIcmpPack(char * IcmpBuf, int iBufSize) { ICMP_HEADER * pIcmpHeader; pIcmpHeader = (ICMP_HEADER * )IcmpBuf; int iIcmpType = pIcmpHeader->i_type; int iIcmpCode = pIcmpHeader->i_code; RECEIVEINFO *ReceiveInfo = new RECEIVEINFO; //對類型進行過濾 if ((iPortFilter) && (iIcmpType!=iPortFilter)) return true; //printf("%s ", szProtocol); //printf("%15s Type%d ->%15s Code%d ", szSourceIP, iIcmpType, szDestIP, iIcmpCode); //printf("%15s ->%15s ", szSourceIP, szDestIP); //printf("TTL=%3d ", iTTL); //printf("Type%2d,%d ",iIcmpType,iIcmpCode); //printf("bytes=%4d", iBufSize); //printf("\n"); ReceiveInfo->szProtocol = szProtocol; ReceiveInfo->szSourceIP = szSourceIP; ReceiveInfo->iIcmpType = iIcmpType; ReceiveInfo->szDestIP = szDestIP; ReceiveInfo->iIcmpCode = iIcmpCode; ReceiveInfo->iTTL = iTTL; ReceiveInfo->iBufSize = iBufSize; //對于包含數據段的包進行數據分析 if ((MParamDecode) && (iBufSize>28)) { char * IcmpData=IcmpBuf+4; //分析ICMP數據段 //printf(" [DATA]"); //for(unsigned int i=0;i<(iBufSize-sizeof(ICMP_HEADER));i++) //{ // if (!(i%8)) printf("\n"); // if ( (IcmpData[i]>33) && (IcmpData[i]<122) ) // printf("%3c [%3x]", IcmpData[i], IcmpData[i]); // else printf(" [%3x]", abs(IcmpData[i])); //} //printf("\n [DATA END]\n\n\n"); ReceiveInfo->ReceiveData = IcmpData; } AddReceiveData(ReceiveInfo); delete ReceiveInfo; return true; } //SOCK錯誤處理程序 void TSniffer::CheckSockError(int iErrorCode, char *pErrorMsg) { if(iErrorCode==SOCKET_ERROR) { //printf("%s Error:%d\n", pErrorMsg, GetLastError()); Form1->ListView1->AddItem(pErrorMsg,0); closesocket(SockRaw); exit(0); } } void TSniffer::AddReceiveData(RECEIVEINFO *ReceiveInfo) { TListItem *Item; Item = Form1->ListView1->Items->Add(); Item->Caption = ReceiveInfo->szProtocol; Item->SubItems->Add(ReceiveInfo->szSourceIP); Item->SubItems->Add(IntToStr(ReceiveInfo->iSourcePort)); Item->SubItems->Add(ReceiveInfo->szDestIP); Item->SubItems->Add(IntToStr(ReceiveInfo->iDestPort)); Item->SubItems->Add(IntToStr(ReceiveInfo->iTTL)); Item->SubItems->Add(IntToStr(ReceiveInfo->iBufSize)); Item->SubItems->Add(ReceiveInfo->TcpFlag); Item->SubItems->Add(IntToStr(ReceiveInfo->Length)); Item->SubItems->Add(ReceiveInfo->iIcmpType); Item->SubItems->Add(ReceiveInfo->iIcmpCode); try{ Item->SubItems->Add(ReceiveInfo->ReceiveData); Item->SubItems->Add(ReceiveInfo->ReceiveUdpData); } catch(...){} } void TSniffer::ReceiveData() { memset(RecvBuf, 0, sizeof(RecvBuf)); iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0); CheckSockError(iErrorCode, "recv"); iErrorCode = DecodeIpPack(RecvBuf, iErrorCode); CheckSockError(iErrorCode, "Decode"); } 頭文件 //--------------------------------------------------------------------------- #ifndef SnifferThreadH #define SnifferThreadH //--------------------------------------------------------------------------- #include <Classes.hpp> #include <ComCtrls.hpp> //--------------------------------------------------------------------------- #include <Winsock2.h> #include "MSTcpIP.h" #define STATUS_FAILED 0xFFFF //定義異常出錯代碼 #define MAX_PACK_LEN 655350 //接收的最大IP報文 #define MAX_ADDR_LEN 16 //點分十進制地址的最大長度 #define MAX_PROTO_TEXT_LEN 16 //子協議名稱(如"TCP")最 大長度 #define MAX_PROTO_NUM 12 //子協議數量 #define MAX_HOSTNAME_LAN 255 //最大主機名長度 #define CMD_PARAM_HELP true typedef struct _iphdr { unsigned char h_lenver; //4位首部長度+4位IP版本號 unsigned char tos; //8位服務類型TOS unsigned short total_len; //16位總長度(字節) unsigned short ident; //16位標識 unsigned short frag_and_flags; //3位標志位 unsigned char ttl; //8位生存時間 TTL unsigned char proto; //8位協議 (TCP, UDP 或 其他) unsigned short checksum; //16位IP首部校驗和 unsigned int sourceIP; //32位源IP地址 unsigned int destIP; //32位目的IP地址 }IP_HEADER; typedef struct _tcphdr //定義TCP首部 { USHORT th_sport; //16位源端口 USHORT th_dport; //16位目的端口 unsigned int th_seq; //32位序列號 unsigned int th_ack; //32位確認號 unsigned char th_lenres; //4位首部長度/6位保留字 unsigned char th_flag; //6位標志位 USHORT th_win; //16位窗口大 小 USHORT th_sum; //16位校驗和 USHORT th_urp; //16位緊急數 據偏移量 }TCP_HEADER; typedef struct _udphdr //定義UDP首部 { unsigned short uh_sport; //16位源端口 unsigned short uh_dport; //16位目的端口 unsigned short uh_len; //16位長度 unsigned short uh_sum; //16位校驗和 } UDP_HEADER; typedef struct _icmphdr //定義ICMP首部 { BYTE i_type; //8位類型 BYTE i_code; //8位代碼 USHORT i_cksum; //16位校驗和 USHORT i_id; //識別號(一般 用進程號作爲識別號) USHORT i_seq; //報文序列號 ULONG timestamp; //時間戳 }ICMP_HEADER; typedef struct _protomap //定義子協議映射表 { int ProtoNum; char ProtoText[MAX_PROTO_TEXT_LEN]; }PROTOMAP; typedef struct _receiveinfo { char* szProtocol; char* szSourceIP; int iSourcePort; char* szDestIP; int iDestPort; int iTTL; int Length; char TcpFlag[6] ; int iBufSize; char iIcmpType; char iIcmpCode; char* ReceiveData; AnsiString ReceiveUdpData; }RECEIVEINFO; PROTOMAP ProtoMap[MAX_PROTO_NUM]={ //爲子協議映射表賦值 { IPPROTO_IP , "IP " }, { IPPROTO_ICMP , "ICMP" }, { IPPROTO_IGMP , "IGMP" }, { IPPROTO_GGP , "GGP " }, { IPPROTO_TCP , "TCP " }, { IPPROTO_PUP , "PUP " }, { IPPROTO_UDP , "UDP " }, { IPPROTO_IDP , "IDP " }, { IPPROTO_ND , "NP " }, { IPPROTO_RAW , "RAW " }, { IPPROTO_MAX , "MAX " }, { NULL , "" } }; class TSniffer : public TThread { private: int DecodeIpPack(char *, int); //IP解包函數 int DecodeTcpPack(char *, int); //TCP解包函數 int DecodeUdpPack(char *, int); //UDP解包函數 int DecodeIcmpPack(char *, int); //ICMP解包函數 void CheckSockError(int, char*); //出錯處理函數 char * CheckProtocol(int); //協議檢查 void SnifferInit(); void AddReceiveData(RECEIVEINFO *ReceiveInfo); void ReceiveData(); protected: void __fastcall Execute(); public: SOCKET SockRaw; bool MParamTcp; // 關注TCP 報文 bool MParamUdp; // 關注UDP 報文 bool MParamIcmp; // 關注ICMP報文 bool MParamDecode; // 對協議進行解碼 char TcpFlag[6]; //定義TCP標志位 char *strFromIpFilter; // 源IP地址過濾 char *strDestIpFilter; // 目的地址過濾 char *strSensitive; // 敏感字符串 int iPortFilter; // 端口過濾 int iProtocol, iTTL; char szProtocol[MAX_PROTO_TEXT_LEN]; char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN]; char OtherInfo[100]; int iErrorCode; char RecvBuf[MAX_PACK_LEN]; __fastcall TSniffer(bool CreateSuspended); }; //--------------------------------------------------------------------------- #endif lovemaggic: 向大家推薦ethereal 0.9.14,它也是調用winpcap3.0, 它現在版本支持各種抓包軟件的數據文件,包括 tcpdump and Ethereal snoop (including Shomiti) and atmsnoop LanAlyzer Sniffer (compressed or uncompressed) Microsoft Network Monitor AIX’s iptrace NetXray Sniffer Pro RADCOM’s WAN/LAN analyzer Lucent/Ascend router debug output HP-UX’s nettl the dump output from Toshiba’s ISDN routers i4btrace from the ISDN4BSD project 而且它是從Linux下移植過來的,有免費的源代碼。 前幾天整理了一下winpcap的文檔,如果有誰想要的話,請到專題開發版給列留言: [url=http://expert.csdn.net/Expert/topic/2465/2465797.xml?temp=.4748651]http://expert.csdn.net/Expert/topic/2465/2465797.xml?temp=.4748651[/url] 希望大家有空沒空有事沒事常去[專題開發]版討論問題。 專題開發版新開發網絡安全和數據庫版塊,希望各位能人前往交流!!
󰈣󰈤
王朝萬家燈火計劃
期待原創作者加盟
 
 
 
>>返回首頁<<
 
 
 
 
 
 熱帖排行
 
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有