How do I hook the TCP stack in Windows to sniff and modify packets?


Problem description

I'd like to write a packet sniffer and editor for Windows. I want to be able to see the contents of all packets entering and leaving my system and possibly modify them. Any language is fine, but I'd like it to run fast enough that it won't burden the system.

I've read a little about WinPcap, but the documentation claims that you can't use WinPcap to create a firewall because it can't drop packets. What tools will help me write this software?

Recommended answer

Been there, done that :-) Back in 2000 my first Windows program ever was a filter hook driver.

What I did was implement the filter hook driver and write a userspace application that prepared a filter table on what to allow and what to disallow. When you get past your initial set of blue screens (see below for my debug tip in kernel mode) the filter mode driver is quite easy to use ... it gives each packet to a function you wrote and, depending on the return code, drops it or lets it pass.

Unfortunately, packets at that level are QUITE raw: fragments are not reassembled and it looks more like the "network card" end of things (but with no Ethernet headers anymore). So you'll have quite a bad time decoding the packets to filter with that solution.

There also is the firewall hook driver, as discussed in this codeproject article.

If you are on Vista or Server 2008 you'd better have a look at WFP (Windows Filtering Platform) instead; that seems to be the mandated API of the day for writing firewalls. I don't know about it other than Google turning it up some minutes ago when I googled for the filter hook driver.

Update: Forgot the debug tip:

Sysinternals DbgView shows kernel-mode DbgPrint output and, more importantly, it can also read them from the dump file your last blue screen produced. So sprinkle your code with DbgPrint and if it bluescreens just load the dump into DbgView to see what happened before it died ... VERY useful. Using this I managed without a kernel debugger.
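As an added example (not the answer author's driver and not the real filter-hook API): a user-mode C model of the per-packet decision function the answer describes. In the real driver the extension function declared in the DDK's pfhook.h receives a raw IP packet with no link-layer header and returns an action; the `pf_action` enum, the rule table, the packet builder and the `classify` helper below are all constructed here for illustration, and the real function takes more parameters than this one. The point it demonstrates is the consequence of "fragments are not reassembled": a later fragment carries no TCP/UDP ports, so a port-based drop rule can never match it, and a filter that falls through to its default-allow rule there can be bypassed by fragmenting the connection. The example fails closed for those packets instead.

```c
/* Added example, user-mode only: models the per-packet decision function a
 * filter-hook driver hands raw IP packets to. The action names mirror the
 * PF_FORWARD / PF_DROP values of the real API but are defined locally, so
 * this file builds with any C compiler and does not touch the kernel. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { PF_FORWARD = 0, PF_DROP = 1 } pf_action;

/* One entry of the table a userspace app would push down to the driver.
 * proto 0 means any protocol, dst_port 0 means any port. */
typedef struct {
    uint8_t   proto;
    uint16_t  dst_port;
    pf_action action;
} rule_t;

/* Constructed rule table: drop telnet, allow DNS, allow everything else. */
static const rule_t rules[] = {
    { 6,  23, PF_DROP    },
    { 17, 53, PF_FORWARD },
    { 0,  0,  PF_FORWARD },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Constructed packet whose version nibble is 6, used for the malformed case. */
static const uint8_t not_ipv4[20] = { 0x65, 0x00, 0x00, 0x14 };

/* True if some rule could drop this protocol based on a port. A non-first
 * fragment has no transport header, so such a rule can never match it; the
 * hook gives us no reassembly, so we fail closed for those packets instead
 * of letting a fragmented telnet connection slip past the port-23 rule. */
static int proto_has_port_drop(uint8_t proto) {
    for (size_t i = 0; i < NRULES; i++)
        if (rules[i].action == PF_DROP && rules[i].dst_port != 0 &&
            (rules[i].proto == 0 || rules[i].proto == proto))
            return 1;
    return 0;
}

/* The filter function: pkt points at an IPv4 header, no link-layer header. */
pf_action filter_packet(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return PF_DROP;   /* truncated / not IPv4 */
    size_t   ihl       = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total_len < ihl || total_len > len) return PF_DROP;

    uint8_t  proto       = pkt[9];
    uint16_t frag_offset = (uint16_t)(((pkt[6] & 0x1f) << 8) | pkt[7]);
    int      is_tcp_udp  = (proto == 6 || proto == 17);

    if (frag_offset != 0 && is_tcp_udp && proto_has_port_drop(proto))
        return PF_DROP;                           /* later fragment, ports unknown */

    uint16_t dst_port = 0;
    if (frag_offset == 0 && is_tcp_udp) {
        if (ihl + 4 > total_len) return PF_DROP;  /* "tiny fragment": ports cut off */
        dst_port = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    for (size_t i = 0; i < NRULES; i++) {
        const rule_t *r = &rules[i];
        if (r->proto && r->proto != proto) continue;
        if (r->dst_port) {
            if (frag_offset != 0 || !is_tcp_udp) continue;  /* cannot match a port */
            if (r->dst_port != dst_port) continue;
        }
        return r->action;
    }
    return PF_DROP;                               /* no rule matched: fail closed */
}

/* Builds a minimal constructed IPv4 packet (10.0.0.1 -> 10.0.0.2) in buf and
 * returns its length. Ports are only present on first fragments. */
size_t build_ipv4(uint8_t *buf, uint8_t proto, uint16_t dst_port,
                  uint16_t frag_offset, size_t payload_len) {
    size_t total = 20 + payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                                /* IPv4, IHL = 5 words */
    buf[2] = (uint8_t)(total >> 8);  buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)((frag_offset >> 8) & 0x1f); buf[7] = (uint8_t)frag_offset;
    buf[8] = 64;  buf[9] = proto;
    buf[12] = 10; buf[15] = 1; buf[16] = 10; buf[19] = 2;
    if (frag_offset == 0 && payload_len >= 4) {
        buf[20] = 0x04; buf[21] = 0xd2;           /* src port 1234 */
        buf[22] = (uint8_t)(dst_port >> 8); buf[23] = (uint8_t)dst_port;
    }
    return total;
}

/* Convenience: build a constructed packet, then run it through the filter. */
pf_action classify(uint8_t proto, uint16_t dst_port, uint16_t frag_offset, size_t payload_len) {
    uint8_t buf[128];
    if (payload_len > sizeof buf - 20) return PF_DROP;
    return filter_packet(buf, build_ipv4(buf, proto, dst_port, frag_offset, payload_len));
}

int main(void) {
    printf("telnet first fragment : %s\n", classify(6, 23, 0, 8)  == PF_DROP ? "drop" : "forward");
    printf("tcp/80                : %s\n", classify(6, 80, 0, 8)  == PF_DROP ? "drop" : "forward");
    printf("tcp later fragment    : %s\n", classify(6, 0, 100, 8) == PF_DROP ? "drop" : "forward");
    printf("udp later fragment    : %s\n", classify(17, 0, 100, 8) == PF_DROP ? "drop" : "forward");
    return 0;
}
```

The fail-closed branch is a deliberate trade-off: it also drops legitimate later fragments of TCP, which is what you get when the hook hands you packets one at a time with no reassembly. A real filter either tracks the first fragment's verdict per (src, dst, id) and applies it to the rest, or moves to a layer that reassembles for you, which is part of why the answer points at WFP.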
