How do I hook the TCP stack in Windows to sniff and modify packets?

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must do so under the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/695057/

Date: 2020-09-15 12:13:53  Source: igfitidea

How do I hook the TCP stack in Windows to sniff and modify packets?

Tags: windows, sockets, packet-capture, winpcap, sniffer

Asked by Eyal

I'd like to write a packet sniffer and editor for Windows. I want to able to see the contents of all packets entering and leaving my system and possibly modify them. Any language is fine but I'd like it to run fast enough that it won't burden the system.


I've read a little about WinPcap but the documentation claims that you can't use WinPcap to create a firewall because it can't drop packets. What tools will help me write this software?


Answered by froh42

Been there, done that :-) Back in 2000 my first Windows program ever was a filter hook driver.


What I did was implementing the filter hook driver and writing a userspace application that prepared a filter table on what to allow and what to disallow. When you get around your initial set of blue screens (see below for my debug tip in kernel mode) the filter mode driver is quite easy to use ... it gives each packet to a function you wrote and depending on the return code drops it or lets it pass.


Unfortunately, packets at that level are QUITE raw, fragments are not reassembled and it looks more like the "network card" end of things (but no ethernet headers anymore). So you'll have quite a bad time decoding the packets to filter with that solution.

There also is the firewall hook driver, as discussed in this codeproject article.


If you are on Vista or Server 2008 you'd better have a look at WFP (Windows Filtering Platform) instead, that seems to be the mandated API of the day for writing firewalls. I don't know about it other than google turning it up some minutes ago when I googled for the filter hook driver.

Update: Forgot the debug tip:


Sysinternals DbgView shows kernel-mode DbgPrint output, and more important - it can also read them from the dump file your last blue screen produced. So sprinkle your code with dbgprint and if it bluescreens just load the dump into dbgview to see what happened before it died ... VERY useful. Using this I managed without having a kernel debugger.

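The answer above describes the filter-hook contract (one raw IP packet in, a pass/drop return code out) and warns that the packets arrive without Ethernet headers and without fragment reassembly. The following is an added, user-mode model of that verdict routine, not code from the answer or from the Windows DDK: the real pfhook.h callback has a different signature and runs in kernel mode, but the decision logic is the same. The rule table, the IP addresses, the `build_packet` helper and the `demo_case` scenarios are constructed for this example. It shows the point a practitioner needs to check: a port-based rule table silently drops every non-first fragment, because there is no TCP/UDP header to match against, so either an address-only rule or fragment tracking is needed.

```c
/* Added example: user-mode model of a filter-hook verdict routine.
 * Not the answer's code and not the DDK callback; same PASS/DROP logic. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } verdict_t;

/* One entry of the table the user-space side hands to the driver. 0 = any. */
typedef struct {
    uint32_t src_ip, dst_ip;       /* host byte order */
    uint8_t  proto;                /* 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;
    verdict_t action;
} rule_t;

typedef struct {
    uint32_t src_ip, dst_ip;
    uint8_t  proto;
    int      has_ports;            /* only a first fragment carries the L4 header */
    uint16_t src_port, dst_port;
} pkt_info_t;

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Parse just enough of an IPv4 datagram to filter on. Returns 0 if malformed. */
static int parse_ipv4(const uint8_t *pkt, size_t len, pkt_info_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = rd16(pkt + 2);
    if (ihl < 20 || total < ihl || total > len) return 0;  /* truncated or bogus lengths */
    out->proto  = pkt[9];
    out->src_ip = rd32(pkt + 12);
    out->dst_ip = rd32(pkt + 16);
    int first_fragment = (rd16(pkt + 6) & 0x1fff) == 0;    /* fragment offset field */
    if (first_fragment && (out->proto == 6 || out->proto == 17)) {
        if (total - ihl < 4) return 0;  /* "tiny fragment": ports cut off, treat as malformed */
        out->src_port = rd16(pkt + ihl);
        out->dst_port = rd16(pkt + ihl + 2);
        out->has_ports = 1;
    }
    return 1;
}

static int rule_matches(const rule_t *r, const pkt_info_t *p)
{
    if (r->src_ip && r->src_ip != p->src_ip) return 0;
    if (r->dst_ip && r->dst_ip != p->dst_ip) return 0;
    if (r->proto  && r->proto  != p->proto)  return 0;
    if ((r->src_port || r->dst_port) && !p->has_ports) return 0; /* port rule cannot see a non-first fragment */
    if (r->src_port && r->src_port != p->src_port) return 0;
    if (r->dst_port && r->dst_port != p->dst_port) return 0;
    return 1;
}

/* The verdict routine: first matching rule wins; malformed packets are dropped. */
verdict_t filter_packet(const uint8_t *pkt, size_t len,
                        const rule_t *rules, size_t nrules, verdict_t default_action)
{
    pkt_info_t info;
    if (!parse_ipv4(pkt, len, &info)) return VERDICT_DROP;
    for (size_t i = 0; i < nrules; i++)
        if (rule_matches(&rules[i], &info)) return rules[i].action;
    return default_action;
}

/* Constructed test packet: 20-byte IPv4 header + 20 bytes of payload, no checksum
 * (the verdict does not depend on it). For a first fragment the first four payload
 * bytes are the TCP/UDP ports; for a later fragment they are opaque data. */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto,
                    uint16_t frag_field, uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                 /* IPv4, IHL = 5 */
    wr16(buf + 2, 40);             /* total length */
    wr16(buf + 6, frag_field);     /* flags + fragment offset */
    buf[8] = 64; buf[9] = proto;   /* TTL, protocol */
    wr32(buf + 12, src); wr32(buf + 16, dst);
    wr16(buf + 20, sport); wr16(buf + 22, dport);
    return 40;
}

/* Scenarios to check before trusting a port-based table (addresses are made up). */
verdict_t demo_case(int which)
{
    static const rule_t port_only[] = {           /* allow HTTP to 10.0.0.5, drop the rest */
        { 0, IP4(10,0,0,5), 6, 0, 80, VERDICT_PASS },
    };
    static const rule_t with_addr[] = {           /* same, plus an address-only allow for fragments */
        { 0, IP4(10,0,0,5), 6, 0, 80, VERDICT_PASS },
        { 0, IP4(10,0,0,5), 0, 0, 0,  VERDICT_PASS },
    };
    uint8_t buf[40];
    size_t n;
    switch (which) {
    case 0: n = build_packet(buf, IP4(192,168,1,10), IP4(10,0,0,5), 6, 0x4000, 51000, 80);
            return filter_packet(buf, n, port_only, 1, VERDICT_DROP);   /* PASS */
    case 1: n = build_packet(buf, IP4(192,168,1,10), IP4(10,0,0,5), 6, 0x4000, 51000, 22);
            return filter_packet(buf, n, port_only, 1, VERDICT_DROP);   /* DROP */
    case 2: /* non-first fragment (offset 185): no L4 header, so the port rule never matches */
            n = build_packet(buf, IP4(192,168,1,10), IP4(10,0,0,5), 6, 0x00B9, 51000, 80);
            return filter_packet(buf, n, port_only, 1, VERDICT_DROP);   /* DROP */
    case 3: n = build_packet(buf, IP4(192,168,1,10), IP4(10,0,0,5), 6, 0x00B9, 51000, 80);
            return filter_packet(buf, n, with_addr, 2, VERDICT_DROP);   /* PASS */
    default: /* truncated: only 10 bytes of a 40-byte datagram arrived */
            build_packet(buf, IP4(192,168,1,10), IP4(10,0,0,5), 6, 0x4000, 51000, 80);
            return filter_packet(buf, 10, port_only, 1, VERDICT_DROP);  /* DROP */
    }
}
```

Case 2 is the one that bites in practice: with only port rules and a default-drop policy, the first fragment of a large HTTP response passes and every later fragment is dropped, so the connection stalls. The address-only rule in case 3 is the simplest fix; a real firewall at this level would instead remember the 5-tuple of the first fragment (keyed by source, destination and IP identification) and apply its verdict to the rest.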

Answered by Frank Schwieterman

I'm pretty sure you'd need to write a filter driver. http://en.wikipedia.org/wiki/Filter_driver I don't know much more than that :). It would definitely be a C/C++ Win32 app and you'd likely be doing some kernel side work. Start by downloading the DDK and finding some of the sample filter drivers.

If you just want to monitor what goes in and out of IIS, consider an ISAPI filter. Still C/C++ in Win32, but relatively easier than writing a device driver.


Answered by JoshJordan

C# code to do this is here


Answered by Hyman BeNimble

I actually did this, several years ago. I'm hazy on the details at this point, but I had to develop a filter/pass-thru/intermediate driver using the Windows DDK. I got a lot of good information from pcausa. Here's a URL which points to their product that does this: http://www.pcausa.com/pcasim/Default.htm

Answered by John Saunders

If you're doing this for practical reasons, and not just for fun, then you should take a look at Microsoft Network Monitor. The home page talks about the version 3.3 beta, but you can download version 3.2 from the Downloads page. There is also an SDK for NM, and the ability to write parsers for your own network protocols.


Answered by John Saunders

There's a question you need to ask which you don't know you need to ask: do you want to know which applications sockets belong to? Or are you happy to be restricted to the IP:port quad for a connection?

If you want to know applications, you need to write a TDI filter driver, but that makes handling the receive almost impossible, since you can't block on the receive path.


If you're happy with IP:port, go in at the NDIS level, and I believe you can block on receive to your heart's content.

A word of warning: if you have no prior kernel experience, writing either of these drivers (although TDI is significantly harder) will take about two years, full time.

Answered by dragonfly

This:

TdiFw is a simple TDI-Based Open Source Personal Firewall for Windows NT4/2000/XP/2003

http://tdifw.sourceforge.net/

may help you.