新书推介:《语义网技术体系》
作者:瞿裕忠,胡伟,程龚
   >>中国XML论坛<<     W3CHINA.ORG讨论区     计算机科学论坛     SOAChina论坛     Blog     开放翻译计划     新浪微博  
 
  • 首页
  • 登录
  • 注册
  • 软件下载
  • 资料下载
  • 核心成员
  • 帮助
  •   Add to Google

    >> 讨论密码学、密码协议、入侵检测、访问控制等与安全理论研究有关的主题
    [返回] 中文XML论坛 - 专业的XML技术讨论区计算机理论与工程『 安全理论 』 → [转帖]sniffer技术原理及应用,包括编程方法和工具使用(三) 查看新帖用户列表

      发表一个新主题  发表一个新投票  回复主题  (订阅本版) 您是本帖的第 5832 个阅读者浏览上一篇主题  刷新本主题   树形显示贴子 浏览下一篇主题
     * 贴子主题: [转帖]sniffer技术原理及应用,包括编程方法和工具使用(三) 举报  打印  推荐  IE收藏夹 
       本主题类别:     
     binaryluo 帅哥哟,离线,有人找我吗?
      
      
      威望:6
      等级:研二(Pi-Calculus看得一头雾水)(版主)
      文章:679
      积分:5543
      门派:IEEE.ORG.CN
      注册:2005/2/19

    姓名:(无权查看)
    城市:(无权查看)
    院校:(无权查看)
    给binaryluo发送一个短消息 把binaryluo加入好友 查看binaryluo的个人资料 搜索binaryluo在『 安全理论 』的所有贴子 引用回复这个贴子 回复这个贴子 查看binaryluo的博客楼主
    发贴心情 [转帖]sniffer技术原理及应用,包括编程方法和工具使用(三)

    sunxufei:
    哦,交换机是以MAC地址进行交换的,不是IP那一层的,要IP已经路由器了
    现在交换机便宜了,因此以后你想用sniffer抓密码概率不大了,不过还能多公司仍然是交换机和H

    UB一起用的,这样小范围内是有效地,至于ADSL CABLE FTTB,我的FTTB是用华为设计的设备

    ,呵呵,不仅仅工网IP,只有我和交换机两个MAC(这次中国人干的不错),没希望找到第三者,很安全,但

    不都这样安全,很多人的网络还是很糟糕的.
    很多加密协议可以用来提高安全性,但老的POP3,SMTP,HTTP,FTP这种协议应用广泛,不可能在短

    时间内完全取代,而且加密也是有待价的,所以对于要求较高的场合,才会加密.
    不过sniffer不是给大家偷密码用的,我当初用来学习网络,看看包的样子,后来就用来当作网管工具,

    分析网络的健康与否,其实这样的话,你知道,很有可能sniffer就是接在我需要探测的网络上,听诊器

    吗,到处都听听,呵呵,因此即使用了交换机,sniffer仍然是有用处的,但不是抓密码!!
    Wincap很简单,大3的学生不要怕,去他的网站看看,有例子的,VC6编译,BCB也行的,把lib的格式转

    换一下,不过写这种程序,你最好先熟悉协议,很多协议在linux里有现成的源代码,主要是一些struct

    吧,移植时注意VC可不是gcc,有些c的高级语法,编译选项要注意,否则差一个byte你就得不到正确的

    结果.
    如果你搞不到sniffer,Win2000 Server也有网络包查看器的,不比sniffer强大,但简单的东西入手

    也快.
    反嗅探和嗅探技术其实很old了,呵呵,不过CSDN经常old的.
    注意不要干坏事,有矛必有盾

    sevencat:
    网卡的混杂模式好像要通过NDIS设置。
    下面是转贴的。
    哪位UP一下,我来贴完。
    一、驱动开发网
    作者:gjpland
    看到很多仁兄提供的数据包的拦截技术,其中最多的是编写IM DRIVER在NDIS中间层
    对MINIPORT(网卡驱动程序)和协议驱动程序之间的数据包进行拦截。这是微软提供的一种技术
    但编写该过滤程序拦截程序非常的复杂,安装也很麻烦。

    本人简单的介绍一种更有效的基于NDIS包拦截技术。

    大家都知道,NDIS协议驱动程序是通过填写一张NDIS_PROTOCOL_CHARACTERISTICS的表

    ,并调用NDIS API
    函数NdisRegisterProtocol进行注册。现在我们来关注一下NDIS_PROTOCOL_CHARACTERI

    STICS这张表,
    这张表中存有所有协议驱动程序与底层的派发函数的入口。如SendHandler,ReceiveHandler,Bi

    ndAdapterHandler等,
    当网卡有数据包进入时,会通过表中ReceiveHandle 或ReceivePacketHandler通知协议驱动程

    序有一个该协议
    的数据包进入,反之协议驱动程序是通过SendHandler或SendPacketsHandler函数向网卡驱动

    发送数据包到网络
    上去的,有人会奇怪程序中明明不是调用NdisSend或NdisSendPackets函数发送的吗?没错,

    是这样的,
    但是你可以看一下NDIS.H的头文件里对这两个函数的定义就知道了,他们都是一个
    宏定义,实际还是通过这表中SendHandler或SendPacketsHandler发送的。

    现在我们所要做的事情应该很清楚了,只要我们能够将每一个协议程序所填写的NDIS_PROTOCO

    L_CHARACTERISTICS
    表里的派发函数指向自己的函数,我们就能成功的对数据包进行拦截。那么每个协议驱动程序的这张

    表到底存放在
    那里呢?太简单了,看一下下面的我对NdisRegisterProtocol重新给出的原型就很明白了。

    struct _NDIS_PROTOCOL_BLOCK
    {
    PNDIS_OPEN_BLOCK OpenQueue; // queue of opens for this protocol
    REFERENCE Ref; // contains spinlock for OpenQueue
    UINT Length; // of this NDIS_PROTOCOL_BLOCK struct
    NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics;// handler

    addresses

    struct _NDIS_PROTOCOL_BLOCK * NextProtocol; // Link to next
    ULONG MaxPatternSize;
    #if defined(NDIS_WRAPPER)
    //
    // Protocol filters
    //
    struct _NDIS_PROTOCOL_FILTER * ProtocolFilter[NdisMediumMax+1];
    WORK_QUEUE_ITEM WorkItem; // Used during NdisRegisterProtocol to
    // notify protocols of existing drivers.
    KMUTEX Mutex; // For serialization of Bind/Unbind requests
    PKEVENT DeregEvent; // Used by NdisDeregisterProtocol
    #endif
    };
    typedef struct _NDIS_PROTOCOL_BLOCK NDIS_PROTOCOL_BLOCK,

    *PNDIS_PROTOCOL_BLOCK;

    EXPORT
    VOID
    NdisRegisterProtocol(
    OUT PNDIS_STATUS Status,
    OUT PNDIS_PROTOCOL_BLOCK NdisProtocolHandle, /*注意NDIS_HANDLE所指向的

    就是PNDIS_PROTOCOL_BLOCK的结构,不要有什么怀疑。*/
    IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics,
    IN UINT CharacteristicsLength
    );


    NDIS_PROTOCOL_BLOCK(协议表)

    是NDIS维护所有系统中已注册协义的单向链接表。字段NextProtocol指向下一个协议表。
    庆幸的是,当我们注册一新的协议时,NDIS总是会把新注册的协义放在链表的头并返回这张表,

    所以只要我们注册一个新的协议
    通过新协议注册返回的链表头就可以轻而易举的遍历系统中所有协议表.现在我们所希望得到的每个

    协议的
    NDIS_PROTOCOL_CHARACTERISTICS表就放在我们面前了,如何勾挂表中的派发函数,我

    想不必多说了吧。顺便说一句
    NDISREGISTERPROTOCOL为NDIS_PROTOCOL_BLOCK所分配的内存是NonPagedPool

    类型的。对于核心DRIVER来说,核心区内存
    是一个线性的内存区,所有核心DRIVER是可以随便访问核心内存区的任意地址。所要注意的是不

    同IRQL级别下对分页
    和非分页内存。

    有人会问这样就行了吗?真的拦截下来了吗?如果有那位仁兄心急现在就写程序的话,
    准会失望的,因为他会发现结果什么东西都没拦截到或偶而会拦截到一些数据包。为什么?
    因为NDIS网卡驱动和协议驱动在发送和接收到数居时并不是调用PNDIS_OPEN_BLOCK->Proto

    colCharacteristics
    里的派发函数。怎么办?
    有必要先介绍一下NDIS网卡驱动和协议驱动之间是如何BINDING 的吧,
    NdisRegisterProtocol在注册完一个协议后,不久NDIS会通过调用表中
    BindAdapterHandler派发函数,通知协议对每一个网卡进行BINDING。或者当系统通PNP找到

    一块新的网卡时
    也会调用BindAdapterHandler对协议进行BINDING。协议在BINDING 调用里,会根据自己的

    需要使用NdisOpenAdapter
    将自身绑定到适合的网卡。并返回NdisBindingHandle.NdisBindingHandle是什么?NdisBin

    dingHandl其实是
    指向NDIS_OPEN_BLOCK表的一根指针,那么NDIS_OPEN_BLOCK表有什么用呢?当协议顺

    利的绑定后,每个绑定的网卡
    和每一个协议之间建立了数据传输的通道,而NDIS_OPEN_BLOCK就是用来维护这一数据通道的

    表。
    struct _NDIS_OPEN_BLOCK
    {
    PNDIS_MAC_BLOCK MacHandle; // pointer to our MAC
    NDIS_HANDLE MacBindingHandle; // context when calling MacXX funcs
    PNDIS_ADAPTER_BLOCK AdapterHandle; // pointer to our adapter
    PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol
    NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs
    PNDIS_OPEN_BLOCK AdapterNextOpen; // used by adapter's OpenQueue
    PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue
    PFILE_OBJECT FileObject; // created by operating system
    BOOLEAN Closing; // TRUE when removing this struct
    BOOLEAN Unloading; // TRUE when processing unload
    BOOLEAN NoProtRsvdOnRcvPkt; // Reflect the protocol_options
    NDIS_HANDLE CloseRequestHandle; // 0 indicates an internal close
    KSPIN_LOCK SpinLock; // guards Closing
    PNDIS_OPEN_BLOCK NextGlobalOpen;

    //
    // These are optimizations for getting to MAC routines. They are not
    // necessary, but are here to save a dereference through the MAC block.
    //
    SEND_HANDLER SendHandler;
    TRANSFER_DATA_HANDLER TransferDataHandler;

    //
    // These are optimizations for getting to PROTOCOL routines. They are not
    // necessary, but are here to save a dereference through the PROTOCOL block.
    //
    SEND_COMPLETE_HANDLER SendCompleteHandler;
    TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;
    RECEIVE_HANDLER ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

    //
    // Extentions to the OPEN_BLOCK since Product 1.
    //
    RECEIVE_HANDLER PostNt31ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

    //
    // NDIS 4.0 extensions
    //
    RECEIVE_PACKET_HANDLER ReceivePacketHandler;
    SEND_PACKETS_HANDLER SendPacketsHandler;

    //
    // More NDIS 3.0 Cached Handlers
    //
    RESET_HANDLER ResetHandler;
    REQUEST_HANDLER RequestHandler;

    //
    // Needed for PnP
    //
    UNICODE_STRING AdapterName; // Upcased name of the adapter we are bound to
    };


    上面的表结构可以很清楚的看到这张表是一个单向链接表,并且存放了和PNDIS_OPEN_BLOCK-

    >ProtocolCharacteristics
    一样的数据收发派发函数,当第N块网卡发送数据包到第N个协议时,就会调用第N个协议与第N个

    网卡之间建立的
    NDIS_OPEN_BLOCK表里的SendHandler或SendPacketHandler。所以我们还需要对这张表

    里的派发函数进行处理(勾挂)。
    那么又如何勾挂协议与网卡之间的NDIS_OPEN_BLOCK表呢。我们再回到NDIS_PROTOCOL_

    BLOCK这张表中,在
    NDIS_PROTOCOL_BLOCK表中字段PNDIS_OPEN_BLOCK OpenQueue;就是所有该协议所

    有NDIS_OPEN_BLOCK的表头。
    通过AdapterNextOpen遍历一下,再勾挂一把。就可以顺利拦截了。

    值得注意的是。
    1。
    NDIS_OPEN_BLOCK
    NDIS_PROTOCOL_BLOCK
    这些结构不同NDIS版本是不同的,
    解决方法是在windows 98和windows95下(ndis 3.1)使用windows98ddk 带的NDIS.H 里的

    定义
    在windows me下(ndis 5.0或4。0)请使用WINDOWS 98ddk里NDIS.H里的定义
    nt(ndis4.0)用NTDDK里的定议,以此类推,2000(ndis5.0)
    2。不要重复勾挂同一个函数。

    有问题可以通过
    QQ:3955727
    mail:gjpland@netease.com

    //
    //Protocol Wrapper Version 1.05
    //Author:  gjp
    //email:   gjpland@netease.com
    //


    #include "NdisHook.h"
    #include "HookRule.h"

    #pragma pack(push)
    #pragma pack(1)
    typedef struct _HOOK_CONTEXT_STRUCT
    {
    //runtime code
    ubyte    code1_0x58; //0x58 | pop  eax      | pop caller IP from stack to

    eax
    ubyte    code2_0x68; //0x68 | push IMM      | push our hook context

    address
    struct _HOOK_CONTEXT_STRUCT *m_pHookContext;//point this
    ubyte    code3_0x50; //0x50 | push eax  | push caller

    IP from eax to stack
    ubyte    code4_0xE9; //0xE9 | jmp HookProc  | jump our hook proc
    udword   m_pHookProcOffset;

    //our context data

    PVOID    m_pOriginalProc;
    PVOID    m_pHookProc;
    PVOID    m_pBindAdaptHandle;
    PVOID    m_pProtocolContent;
    PVOID   *m_ppOriginPtr;

    struct _HOOK_CONTEXT_STRUCT *m_pHookNext;

    }HOOK_CONTEXT_STRUCT;
    #pragma pack(pop)

    HOOK_CONTEXT_STRUCT *m_pOurAllOfHookContext = NULL;

    dword     m_IsFilterEnabled     = FALSE;
    NDIS_HANDLE    m_ourPacketPoolHandle = NULL;
    NDIS_HANDLE    m_ourBufferPoolHandle = NULL;
    PNDIS_PACKET   m_ourPacketHandle     = NULL;
    PNDIS_BUFFER   m_ourBufferHandle     = NULL;
    PVOID          m_ourBuffer       = NULL;

    void      ReadPacket(PNDIS_PACKET Packet,PVOID pBuffer,udword dwBufSize);
    uword     wswap(uword value);

    void HookUnload(void)
    {
    ReleaseHookFunc();

    if( m_ourBufferHandle )
    {
      NdisFreeBuffer(m_ourBufferHandle);
      m_ourBufferHandle = NULL;
    }
    if( m_ourBuffer )
    {
      NdisFreeMemory(m_ourBuffer,MAX_PACKET_SIZE,0);
      m_ourBuffer = NULL;
    }
    if( m_ourPacketHandle )
    {
      NdisFreePacket(m_ourPacketHandle);
      m_ourPacketHandle = NULL;
    }
    if( m_ourBufferPoolHandle )
    {
      NdisFreeBufferPool(m_ourBufferPoolHandle);
      m_ourBufferPoolHandle = NULL;
    }
    if( m_ourPacketPoolHandle )
    {
      NdisFreePacketPool(m_ourPacketPoolHandle);
      m_ourPacketPoolHandle = NULL;
    }
    return;
    }
    dword HookInit(void)
    {
    NTSTATUS status;

    m_ourPacketPoolHandle = NULL;
    NdisAllocatePacketPool(&status,&m_ourPacketPoolHandle,0xFFF,0x10);
    if( status != NDIS_STATUS_SUCCESS )
      return FALSE;

    m_ourBufferPoolHandle = NULL;
    NdisAllocateBufferPool(&status,&m_ourBufferPoolHandle,0x10);
    if( status != NDIS_STATUS_SUCCESS )
      return FALSE;

    m_ourBuffer = NULL;
    status =

    NdisAllocateMemoryWithTag(&m_ourBuffer,MAX_PACKET_SIZE,'NAMW');
    if( status != NDIS_STATUS_SUCCESS )
      return FALSE;

    m_ourBufferHandle = NULL;

    NdisAllocateBuffer(&status,&m_ourBufferHandle,m_ourBufferPoolHandle,m_ourBuff

    er,MAX_PACKET_SIZE);
        if( status != NDIS_STATUS_SUCCESS )
      return FALSE;

    m_ourPacketHandle = NULL;

    NdisAllocatePacket(&status,&m_ourPacketHandle,m_ourPacketPoolHandle);
    if( status != NDIS_STATUS_SUCCESS )
      return FALSE;

    NdisChainBufferAtFront(m_ourPacketHandle,m_ourBufferHandle);
    return TRUE;
    }

    typedef struct _NDIS41_PROTOCOL_CHARACTERISTICS
    {
    #ifdef __cplusplus
    NDIS40_PROTOCOL_CHARACTERISTICS Ndis40Chars;
    #else
    NDIS40_PROTOCOL_CHARACTERISTICS;
    #endif

    //
    // Start of NDIS 4.1 extensions.
    //

    CO_SEND_COMPLETE_HANDLER  

    CoSendCompleteHandler;
    CO_STATUS_HANDLER    

    CoStatusHandler;
    CO_RECEIVE_PACKET_HANDLER  

    CoReceivePacketHandler;
    CO_REQUEST_HANDLER    

    CoRequestHandler;
    CO_REQUEST_COMPLETE_HANDLER  

    CoRequestCompleteHandler;

    } NDIS41_PROTOCOL_CHARACTERISTICS;

    dword HookProtocol(void)
    {
    //Default ndis version is 5.0
    NDIS_PROTOCOL_CHARACTERISTICS ourNPC;
    NDIS_STRING protoName = NDIS_STRING_CONST("HdFw_Slot");
    NDIS_STATUS Status;
    NDIS_HANDLE ourProtocolHandle = NULL;
    byte  *ProtocolChain;
    dword  offset;
    dword  len;

    // NDIS_PROTOCOL_BLOCK *pNdisBlock = NULL;

    // pNdisBlock = pNdisBlock->NextProtocol;
    // pNdisBlock->NextProtocol = NULL;

    memset(&ourNPC,0,sizeof(NDIS_PROTOCOL_CHARACTERISTICS));


    if( m_dwMajorVersion == 0x03 )
    {
      len = sizeof(NDIS30_PROTOCOL_CHARACTERISTICS);
      //We must need at least ndis version 3.10
      ourNPC.MajorNdisVersion = 0x03;
      ourNPC.MinorNdisVersion = 0x0A;
    }
    else
    if( m_dwMajorVersion == 0x04 )
    {
      len = sizeof(NDIS40_PROTOCOL_CHARACTERISTICS);

      ourNPC.MajorNdisVersion = 0x04;
      ourNPC.MinorNdisVersion = 0x00;
    }
    else
    { //treat as version 5.0
      len = sizeof(NDIS50_PROTOCOL_CHARACTERISTICS);
      
      ourNPC.MajorNdisVersion = 0x05;
      ourNPC.MinorNdisVersion = 0x00;
    }

        ourNPC.Name                        = protoName;
        ourNPC.OpenAdapterCompleteHandler  = PtOpenAdapterComplete;
        ourNPC.CloseAdapterCompleteHandler = PtCloseAdapterComplete;
        ourNPC.SendCompleteHandler         = PtSendComplete;
        ourNPC.TransferDataCompleteHandler = PtTransferDataComplete;
        ourNPC.ResetCompleteHandler        = PtResetComplete;
        ourNPC.RequestCompleteHandler      = PtRequestComplete;
        ourNPC.ReceiveHandler              = PtReceive;
        ourNPC.ReceiveCompleteHandler      = PtReceiveComplete;
        ourNPC.StatusHandler               = PtStatus;
        ourNPC.StatusCompleteHandler       = PtStatusComplete;
        ourNPC.BindAdapterHandler          = PtBindAdapter;
        ourNPC.UnbindAdapterHandler        = PtUnbindAdapter;
        ourNPC.UnloadHandler               = PtUnload;
        ourNPC.ReceivePacketHandler        = PtReceivePacket;
        ourNPC.PnPEventHandler             = PtPNPHandler;

    NdisRegisterProtocol(&Status,&ourProtocolHandle,&ourNPC,len);
    if( !NT_SUCCESS(Status) || ourProtocolHandle == NULL )
      return FALSE;

    //NdisRegisterProtocol  return hand reference of

    NDIS_PROTOCOL_BLOCK;
    ProtocolChain = (byte *)ourProtocolHandle;
    while(1)
    {
      DebugInfoCount++;

      //Obtain pointer to next protocol link.
      if( m_dwMajorVersion == 0x03 )
       offset = 4;
      else
      if( m_dwMajorVersion == 0x04 )
      {
       if( m_dwMinorVersion == 0x01 )
        offset = 0x8C;
       else
        offset = 0x60;
      }
      else
      if( m_dwMajorVersion == 0x05 )
       //NDIS_PROTOCOL_BLOCK->NextProtocol
       offset = 0x10;
      else
       //Error
       break;

      ProtocolChain = ((byte **)(ProtocolChain + offset))[0];
      if( ProtocolChain == NULL )
       break;

      HookFuncBlock(ProtocolChain);
    }
    if( m_dwMajorVersion != 4 )
      NdisDeregisterProtocol(&Status,ourProtocolHandle);
    else
    {
    //  ((byte *)ourProtocolHandle)[0x0C] = 0x01;
    //  NdisDeregisterProtocol(&Status,ourProtocolHandle);
    }
    return TRUE;
    }
    // ProtocolContent
    // Version      NextChain offset    NDIS_PROTOCOL_CHARACTERISTICS offset  

    BindingAdaptHandle offset
    // NDIS 3.XX    0x04       

    0x14         

    0x08
    // NDIS 4.XX    0x60       

    0x14         

    0x00
    // NDIS 4.01       0x8C       

    0x14         

    0x00
    // NDIS 5.XX       0x10       

    0x14         

    0x00


    //-----
    VOID HookProtocolSendPackets(
        IN  HOOK_CONTEXT_STRUCT    *pOurContext,    
    IN NDIS_HANDLE    

    MiniportAdapterContext,
    IN PPNDIS_PACKET   PacketArray,
    IN UINT      

    NumberOfPackets
    );

    NDIS_STATUS HookProtocolWanSend(
        IN  HOOK_CONTEXT_STRUCT    *pOurContext,    
    IN NDIS_HANDLE    

    MacBindingHandle,
    IN NDIS_HANDLE    LinkHandle,
    IN PVOID     Packet
    );
    NDIS_STATUS HookProtocolSend(
        IN  HOOK_CONTEXT_STRUCT    *pOurContext,    
    IN NDIS_HANDLE    

    MacBindingHandle,
    IN PNDIS_PACKET   Packet
    );

    NDIS_STATUS  HookProtocolReceive(
       IN HOOK_CONTEXT_STRUCT *pOurContext,    
       IN NDIS_HANDLE  ProtocolBindingContext,
          IN NDIS_HANDLE  MacReceiveContext,
          IN PVOID    HeaderBuffer,
          IN UINT    HeaderBufferSize,
          IN PVOID    LookAheadBuffer,
          IN UINT    LookaheadBufferSize,
          IN UINT    PacketSize
          );
    NDIS_STATUS  HookWanReceive(
         IN  HOOK_CONTEXT_STRUCT    *pOurContext,    
      IN NDIS_HANDLE    

    NdisLinkHandle,
      IN PUCHAR     

    Packet,
      IN ULONG     

    PacketSize
      );
    INT HookProtocolReceivePacket(
        IN  HOOK_CONTEXT_STRUCT    *pOurContext,    
    IN NDIS_HANDLE    

    ProtocolBindingContext,
    IN PNDIS_PACKET   Packet
    );


    VOID HookBindAdapterHandler(
              IN

    HOOK_CONTEXT_STRUCT *pOurContext,    
           OUT

    PNDIS_STATUS Status,
           IN

    NDIS_HANDLE  BindContext,
           IN

    PNDIS_STRING DeviceName,
           IN  PVOID

      SystemSpecific1,
           IN  PVOID

      SystemSpecific2);

    VOID  HookSendComplete(
          IN  HOOK_CONTEXT_STRUCT *pOurContext,    
          IN NDIS_HANDLE  ProtocolBindingContext,
          IN PNDIS_PACKET  Packet,
          IN NDIS_STATUS Status
          );


    void   ReleaseHookFunc(void)
    {

    HOOK_CONTEXT_STRUCT *pHookContext,*pNext;

    pHookContext = m_pOurAllOfHookContext;
    m_pOurAllOfHookContext = NULL;
    while(pHookContext)
    {
      pNext = pHookContext->m_pHookNext;
      pHookContext->m_ppOriginPtr[0] =

    pHookContext->m_pOriginalProc;
      ExFreePool(pHookContext);
      pHookContext = pNext;
    }
    return;
    }

    HOOK_CONTEXT_STRUCT *IsHookedNdisFunc(PVOID pAddr)
    {

    HOOK_CONTEXT_STRUCT *pHookContext;

    pHookContext = m_pOurAllOfHookContext;
    while(pHookContext)
    {
      if( pHookContext == pAddr )
       break;
      pHookContext = pHookContext->m_pHookNext;
    }
    return pHookContext;
    }
    HOOK_CONTEXT_STRUCT *IsHookedNdisFuncEx(PVOID *pAddr)
    {

    HOOK_CONTEXT_STRUCT *pHookContext;

    pHookContext = m_pOurAllOfHookContext;
    while(pHookContext)
    {
      if( pHookContext->m_ppOriginPtr == pAddr )
       break;
      pHookContext = pHookContext->m_pHookNext;
    }
    return pHookContext;
    }

    HOOK_CONTEXT_STRUCT *HookNdisFunc(PVOID pHookProc,PVOID

    *ppOrigProc,PVOID pBindAdaptHandle,PVOID pProtocolContent)
    {

    HOOK_CONTEXT_STRUCT *pHookContext;
    PVOID OrgFunc;

    pHookContext = IsHookedNdisFunc(ppOrigProc[0]);
    if( pHookContext )
      OrgFunc = pHookContext->m_pOriginalProc;
    else
      OrgFunc = ppOrigProc[0];
    if( OrgFunc == NULL )
      return NULL;

    pHookContext = IsHookedNdisFuncEx(ppOrigProc);
    if( pHookContext )
      return pHookContext;
    pHookContext =

    ExAllocatePoolWithTag(NonPagedPool,sizeof(HOOK_CONTEXT_STRUCT),'HCSP');
    if( pHookContext == NULL )
      return NULL;
    memset(pHookContext,0,sizeof(HOOK_CONTEXT_STRUCT));

    pHookContext->code1_0x58 = 0x58;
    pHookContext->code2_0x68 = 0x68;
    pHookContext->code3_0x50 = 0x50;
    pHookContext->code4_0xE9 = 0xE9;

    pHookContext->m_pHookContext     = pHookContext;
    pHookContext->m_pHookProcOffset  = ((udword)pHookProc) -

    (((udword)&pHookContext->m_pHookProcOffset) + sizeof(udword));
    pHookContext->m_pBindAdaptHandle = pBindAdaptHandle;
    pHookContext->m_pProtocolContent = pProtocolContent;
    pHookContext->m_pOriginalProc    = OrgFunc;//ppOrigProc[0];
    pHookContext->m_ppOriginPtr      = ppOrigProc;
    pHookContext->m_pHookProc        = pHookProc;
    pHookContext->m_pHookNext        = m_pOurAllOfHookContext;
    m_pOurAllOfHookContext    = pHookContext;

    ppOrigProc[0] = pHookContext;
    return pHookContext;
    }

    typedef
    struct _NDIS40_OPEN_BLOCK
    {
    PNDIS_MAC_BLOCK    MacHandle;

      // pointer to our MAC
    NDIS_HANDLE     

    MacBindingHandle; // context when calling MacXX funcs
    PNDIS_ADAPTER_BLOCK   AdapterHandle;  

    // pointer to our adapter
    PNDIS_PROTOCOL_BLOCK  ProtocolHandle;  //

    pointer to our protocol
    NDIS_HANDLE     

    ProtocolBindingContext;// context when calling ProtXX funcs
    PNDIS_OPEN_BLOCK   AdapterNextOpen; //

    used by adapter's OpenQueue
    PNDIS_OPEN_BLOCK   ProtocolNextOpen; //

    used by protocol's OpenQueue
    PFILE_OBJECT    FileObject;  

    // created by operating system
    BOOLEAN      

    Closing;   // TRUE when removing this struct
    BOOLEAN      

    Unloading;   // TRUE when processing unload
    NDIS_HANDLE     

    CloseRequestHandle; // 0 indicates an internal close
    KSPIN_LOCK     SpinLock;

      // guards Closing
    PNDIS_OPEN_BLOCK   NextGlobalOpen;

    //
    // These are optimizations for getting to MAC routines. They are not
    // necessary, but are here to save a dereference through the MAC block.
    //

    SEND_HANDLER    SendHandler;
    TRANSFER_DATA_HANDLER  TransferDataHandler;

    //
    // These are optimizations for getting to PROTOCOL routines.  They are

    not
    // necessary, but are here to save a dereference through the PROTOCOL

    block.
    //

    SEND_COMPLETE_HANDLER  SendCompleteHandler;
    TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler;
    RECEIVE_HANDLER    

    ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler;

    //
    // Extentions to the OPEN_BLOCK since Product 1.
    //
    RECEIVE_HANDLER    

    PostNt31ReceiveHandler;
    RECEIVE_COMPLETE_HANDLER PostNt31ReceiveCompleteHandler;

    //
    // NDIS 4.0 extensions
    //
    RECEIVE_PACKET_HANDLER  ReceivePacketHandler;
    SEND_PACKETS_HANDLER  SendPacketsHandler;

    //
    // Needed for PnP
    //
    UNICODE_STRING    AdapterName;  

    // Upcased name of the adapter we are bound to
    }NDIS40_OPEN_BLOCK,*PNDIS40_OPEN_BLOCK;

    void HookFuncBlock(byte *ProtocolContent)
    {

    PNDIS_PROTOCOL_CHARACTERISTICS pProChar;
    dword IsWan;
    NDIS_STRING WanString       = NDIS_STRING_CONST("NDISWAN");
    NDIS_STRING DeviceWanString =

    NDIS_STRING_CONST("\\DEVICE\\NDISWAN");

    NDIS_STRING TcpipString     = NDIS_STRING_CONST("Tcpip");
    NDIS_STRING TcpArpString    = NDIS_STRING_CONST("TCPIP_WANARP");
    NDIS_STRING RasArpString    = NDIS_STRING_CONST("RASARP");

    if( ProtocolContent == NULL )
      return;
    //Get pointer to NDIS_PROTOCOL_CHARACTERISTICS from protocol

    content
    pProChar = (PNDIS_PROTOCOL_CHARACTERISTICS)(ProtocolContent +

    0x14);

    if( KeGetCurrentIrql() == PASSIVE_LEVEL )
    {
      //Check protocol name whether is Wan Lan protocol so that we

    can correctly hook our function
      if(

    !RtlCompareUnicodeString(&pProChar->Name,&WanString,TRUE) ||
       

    !RtlCompareUnicodeString(&pProChar->Name,&DeviceWanString,TRUE) )
      {
       IsWan = 1;
      }
      else
       IsWan = 0;

      //We r only interest in following protocol
      if(

    !(!RtlCompareUnicodeString(&pProChar->Name,&TcpipString,TRUE) ||
       

    !RtlCompareUnicodeString(&pProChar->Name,&TcpArpString,TRUE) ||
       

    !RtlCompareUnicodeString(&pProChar->Name,&RasArpString,TRUE)) )
      {
       return;
      }
    }
    else
      IsWan = 0;

    //
    if( !IsWan )
    {
      HookNdisFunc(HookProtocolReceive,(PVOID

    *)&pProChar->ReceiveHandler,NULL,ProtocolContent);

      //{{added by gjp 6.24
    //  __asm int 3;
    //  HookNdisFunc(HookSendComplete,(PVOID

    *)&pProChar->SendCompleteHandler,NULL,ProtocolContent);
      //}}
    }
    else
      HookNdisFunc(HookWanReceive,(PVOID

    *)&pProChar->WanReceiveHandler,NULL,ProtocolContent);

    if(pProChar->MajorNdisVersion > 0x03 )
    {
      HookNdisFunc(HookProtocolReceivePacket,(PVOID

    *)&pProChar->ReceivePacketHandler,NULL,ProtocolContent);
      HookNdisFunc(HookBindAdapterHandler,(PVOID

    *)&pProChar->BindAdapterHandler,NULL,ProtocolContent);
      
    }


    zihan:
    Guniffer我做过修改,用线程实现,还比较好用.是bcb做的
    //---------------------------------------------------------------------------

    #include <vcl.h>
    #pragma hdrstop
    #include "SnifferThread.h"
    #include "Main.h"
    #pragma package(smart_init)

    //---------------------------------------------------------------------------

    __fastcall TSniffer::TSniffer(bool CreateSuspended)
            : TThread(CreateSuspended)
    {
            MParamTcp = true;    // 关注TCP 报文
            MParamUdp  = true;    // 关注UDP 报文
            MParamIcmp = true;    // 关注ICMP报文
            MParamDecode = true;
            FreeOnTerminate = true;
            strcpy(TcpFlag, "FSRPAU");
            //TcpFlag[6]={'F','S','R','P','A','U'}; //定义TCP标志位
            strFromIpFilter = NULL;   // 源IP地址过滤
            strDestIpFilter = NULL;   // 目的地址过滤
            strSensitive = NULL;   // 敏感字符串
            iPortFilter = 0;     // 端口过滤
            RecvBuf[MAX_PACK_LEN] = NULL;
    }
    //---------------------------------------------------------------------------
    void __fastcall TSniffer::Execute()
    {
            //---- Place thread code here ----
             //侦听IP报文
            SnifferInit();
    while(!Terminated)
    {
             ReceiveData();
    }
            Form1->ListView1->AddItem("线程结束,停止截获...", 0);
    }
    void TSniffer::SnifferInit()
    {
    //初始化SOCKET
    WSADATA wsaData;
    iErrorCode = WSAStartup(MAKEWORD(2,1),&wsaData);
    CheckSockError(iErrorCode, "WSAStartup");
    SockRaw = socket(AF_INET , SOCK_RAW , IPPROTO_IP);
    CheckSockError(SockRaw, "socket");

    //获取本机IP地址
    char FAR name[MAX_HOSTNAME_LAN];
    iErrorCode = gethostname(name, MAX_HOSTNAME_LAN);
    CheckSockError(iErrorCode, "gethostname");
    struct hostent FAR * pHostent;
    pHostent = (struct hostent * )malloc(sizeof(struct hostent));
    pHostent = gethostbyname(name);
    SOCKADDR_IN sa;
    sa.sin_family = AF_INET;
      sa.sin_port = htons(6000);
    memcpy(&sa.sin_addr.S_un.S_addr, pHostent->h_addr_list[0],

    pHostent->h_length);
    free(pHostent);
    iErrorCode = bind(SockRaw, (PSOCKADDR)&sa, sizeof(sa));
    CheckSockError(iErrorCode, "bind");

    //设置SOCK_RAW为SIO_RCVALL,以便接收所有的IP包
    LPVOID dwBufferLen[10] ;
    DWORD dwBufferInLen = 1 ;
    DWORD dwBytesReturned = 0 ;
    iErrorCode = WSAIoctl(SockRaw, SIO_RCVALL, &dwBufferInLen,

    sizeof(dwBufferInLen),
                            &dwBufferLen, sizeof(dwBufferLen), &dwBytesReturned , NULL,

    NULL);
    CheckSockError(iErrorCode, "Ioctl");
    }

    //IP解包程序
    int TSniffer::DecodeIpPack(char *buf, int iBufSize)
    {
    IP_HEADER *pIpheader;
    SOCKADDR_IN saSource, saDest;
    pIpheader = (IP_HEADER *)buf;

    //协议甄别
    iProtocol = pIpheader->proto;
    strncpy(szProtocol, CheckProtocol(iProtocol), MAX_PROTO_TEXT_LEN);
            if((iProtocol == IPPROTO_TCP) && (!MParamTcp))
                    return true;
    if((iProtocol == IPPROTO_UDP) && (!MParamUdp))
                    return true;
    if((iProtocol == IPPROTO_ICMP) && (!MParamIcmp))
                    return true;
    //源地址
    saSource.sin_addr.s_addr = pIpheader->sourceIP;
    strncpy(szSourceIP, inet_ntoa(saSource.sin_addr), MAX_ADDR_LEN);
    if (strFromIpFilter)
      if (strcmp(strFromIpFilter,szSourceIP)) return true;
    //目的地址
    saDest.sin_addr.s_addr = pIpheader->destIP;
    strncpy(szDestIP, inet_ntoa(saDest.sin_addr), MAX_ADDR_LEN);
    if (strDestIpFilter)
      if (strcmp(strDestIpFilter,szDestIP)) return true;
    iTTL = pIpheader->ttl;
    //计算IP首部的长度
    int iIphLen = sizeof(unsigned long) * (pIpheader->h_lenver & 0xf);
    //根据协议类型分别调用相应的函数
    switch(iProtocol)
    {
      case IPPROTO_TCP :DecodeTcpPack(buf+iIphLen,

    iBufSize);break;
      case IPPROTO_UDP :DecodeUdpPack(buf+iIphLen,

    iBufSize);break;
      case IPPROTO_ICMP :DecodeIcmpPack(buf+iIphLen,

    iBufSize);break;
      default    :break;
    }
    return true;
    }

    //协议识别程序
    char* TSniffer::CheckProtocol(int iProtocol)
    {
    for(int i=0; i<MAX_PROTO_NUM; i++)
       if(ProtoMap[i].ProtoNum==iProtocol)
        return ProtoMap[i].ProtoText;
    return "";
    }

    //TCP解包程序
    int TSniffer::DecodeTcpPack(char * TcpBuf, int iBufSize)
    {
    TCP_HEADER * pTcpHeader;
    int i;
    int iSourcePort,iDestPort;
            RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;

    pTcpHeader = (TCP_HEADER * )TcpBuf;
    //计算TCP首部长度
    int TcpHeaderLen =  pTcpHeader->th_lenres>>4;
    TcpHeaderLen *= sizeof(unsigned long);
    char * TcpData=TcpBuf+TcpHeaderLen;
    //如果过滤敏感字符串则判断是否包含
    if (strSensitive)
      if ((strstr(TcpData, strSensitive))==NULL) return true;
    //对端口进行过滤
    iSourcePort = ntohs(pTcpHeader->th_sport);
    iDestPort = ntohs(pTcpHeader->th_dport);
    if ((iPortFilter) && (iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))
      return true;
    //输出
    //sprintf(OtherInfo, "%s ", szProtocol);
    //sprintf(OtherInfo, "%15s:%5d ->%15s:%5d  ", szSourceIP, iSourcePort,

    szDestIP, iDestPort);
    //sprintf(OtherInfo, "TTL=%3d  ", iTTL);
            ReceiveInfo->szProtocol = szProtocol;
            ReceiveInfo->szSourceIP = szSourceIP;
            ReceiveInfo->szDestIP = szDestIP;
            ReceiveInfo->iSourcePort = iSourcePort;
            ReceiveInfo->iDestPort = iDestPort;
            ReceiveInfo->iTTL = iTTL;

    //判断TCP标志位
    unsigned char FlagMask = 1;
    for( i=0; i<6; i++ )
    {
      if((pTcpHeader->th_flag) & FlagMask)
                    {
                            //sprintf(OtherInfo, "%c",TcpFlag[i]);
                            ReceiveInfo->TcpFlag[i] = TcpFlag[i];
                    }
      else
                    {
                            //sprintf(OtherInfo, "-");
                            ReceiveInfo->TcpFlag[i] = '-';
                    }
      FlagMask=FlagMask<<1;
    }
    //sprintf(OtherInfo, "  bytes=%4d\n", iBufSize);
            ReceiveInfo->iBufSize = iBufSize;

    //对于长度大于40字节的包进行数据分析(IP_HEADER+TCP_HEADER=40)
    if ((MParamDecode) && (iBufSize>40))
    {
      //分析TCP数据段
      if ((!strSensitive) || (strstr(TcpData,strSensitive)))
      {
       //sprintf(OtherInfo, "[DATA]\n");
       //sprintf(OtherInfo, "%s%s", OtherInfo, TcpData);
       //sprintf(OtherInfo, "%s\n [DATA END]\n\n\n",

    OtherInfo);
                            ReceiveInfo->ReceiveData = TcpData;
      }
    }
            //Form1->Memo1->Lines->Add(OtherInfo);
            AddReceiveData(ReceiveInfo);
            delete ReceiveInfo;
    return true;
    }

    //UDP解包程序
    int TSniffer::DecodeUdpPack(char * UdpBuf, int iBufSize)
    {
    UDP_HEADER *pUdpHeader;
    pUdpHeader = (UDP_HEADER * )UdpBuf;
    int iSourcePort = ntohs(pUdpHeader->uh_sport);
    int iDestPort = ntohs(pUdpHeader->uh_dport);

            RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;
           
    //对端口进行过滤
    if(iPortFilter)
      if ((iSourcePort!=iPortFilter) && (iDestPort!=iPortFilter))
       return true;
    //printf("%s ", szProtocol);
    //printf("%15s:%5d ->%15s:%5d  ", szSourceIP, iSourcePort, szDestIP,

    iDestPort);
    //printf("TTL=%3d ", iTTL);
    //printf("Len=%4d ", ntohs(pUdpHeader->uh_len));
    //printf("bytes=%4d", iBufSize);
    //printf("\n");
            ReceiveInfo->szProtocol = szProtocol;
            ReceiveInfo->szSourceIP = szSourceIP;
            ReceiveInfo->iSourcePort = iSourcePort;
            ReceiveInfo->szDestIP = szDestIP;
            ReceiveInfo->iDestPort = iDestPort;
            ReceiveInfo->iTTL = iTTL;
            ReceiveInfo->Length = ntohs(pUdpHeader->uh_len);
            ReceiveInfo->iBufSize = iBufSize;

    //对于长度大于28字节的包进行数据分析(IP_HEADER+UDP_HEADER>28)
    if ((MParamDecode) && (iBufSize>28))
    {
      //printf(" [DATA]\n");
      //UDP首部长度为8
      char * UdpData=UdpBuf+8;
      //分析UDP数据段
                    ReceiveInfo->ReceiveData = UdpData;
                    TStringStream *DataStringStream = new TStringStream(NULL);
                    try{
                            DataStringStream->Write(UdpData, sizeof(UdpData));
                            //DataStringStream->CopyFrom(UdpData, sizeof(UdpData))}
                            ReceiveInfo->ReceiveUdpData = DataStringStream->DataString;}
                    __finally{
                    delete DataStringStream;}
                    for(unsigned int i=0;i<(iBufSize-sizeof(UDP_HEADER));i++)
      {
       //if (!(i%8)) sprintf(OtherInfo, "%s\n", OtherInfo);
                            //memset(OtherInfo, 0, strlen(OtherInfo));
       if ( (UdpData[i]>33) && (UdpData[i]<122) )
                                    //sprintf(OtherInfo, "%c", UdpData[i]);
                                    ;
       else
                                    //sprintf(UdpData, "[%3x]", abs(UdpData[i]));
                                    UdpData[i] = '_';
      }
      //printf("\n [DATA END]\n\n\n");
    }
            AddReceiveData(ReceiveInfo);
            delete ReceiveInfo;
    return true;
    }

    //ICMP解包程序
    int TSniffer::DecodeIcmpPack(char * IcmpBuf, int iBufSize)
    {
    ICMP_HEADER * pIcmpHeader;
    pIcmpHeader = (ICMP_HEADER * )IcmpBuf;
    int iIcmpType = pIcmpHeader->i_type;
    int iIcmpCode = pIcmpHeader->i_code;

            RECEIVEINFO *ReceiveInfo = new RECEIVEINFO;
    //对类型进行过滤
    if ((iPortFilter) && (iIcmpType!=iPortFilter)) return true;
    //printf("%s ", szProtocol);
    //printf("%15s Type%d ->%15s Code%d  ", szSourceIP, iIcmpType,

    szDestIP, iIcmpCode);
    //printf("%15s       ->%15s        ", szSourceIP, szDestIP);
    //printf("TTL=%3d ", iTTL);
    //printf("Type%2d,%d ",iIcmpType,iIcmpCode);
    //printf("bytes=%4d", iBufSize);
    //printf("\n");
            ReceiveInfo->szProtocol = szProtocol;
            ReceiveInfo->szSourceIP = szSourceIP;
            ReceiveInfo->iIcmpType = iIcmpType;
            ReceiveInfo->szDestIP = szDestIP;
            ReceiveInfo->iIcmpCode = iIcmpCode;
            ReceiveInfo->iTTL = iTTL;
            ReceiveInfo->iBufSize = iBufSize;

    //对于包含数据段的包进行数据分析
    if ((MParamDecode) && (iBufSize>28))
    {
      char * IcmpData=IcmpBuf+4;
      //分析ICMP数据段
      //printf(" [DATA]");
      //for(unsigned int i=0;i<(iBufSize-sizeof(ICMP_HEADER));i++)
      //{
      // if (!(i%8)) printf("\n");
      // if ( (IcmpData[i]>33) && (IcmpData[i]<122) )
      //   printf("%3c [%3x]", IcmpData[i],

    IcmpData[i]);
      // else printf("    [%3x]", abs(IcmpData[i]));
      //}
      //printf("\n [DATA END]\n\n\n");
                    ReceiveInfo->ReceiveData = IcmpData;
    }
            AddReceiveData(ReceiveInfo);
            delete ReceiveInfo;
    return true;
    }
    //SOCK错误处理程序
    void TSniffer::CheckSockError(int iErrorCode, char *pErrorMsg)
    {
    if(iErrorCode==SOCKET_ERROR)
    {
      //printf("%s Error:%d\n", pErrorMsg, GetLastError());
                    Form1->ListView1->AddItem(pErrorMsg,0);
      closesocket(SockRaw);
      exit(0);
    }

    }

    void TSniffer::AddReceiveData(RECEIVEINFO *ReceiveInfo)
    {
            TListItem *Item;
            Item = Form1->ListView1->Items->Add();
            Item->Caption = ReceiveInfo->szProtocol;
            Item->SubItems->Add(ReceiveInfo->szSourceIP);
            Item->SubItems->Add(IntToStr(ReceiveInfo->iSourcePort));
            Item->SubItems->Add(ReceiveInfo->szDestIP);
            Item->SubItems->Add(IntToStr(ReceiveInfo->iDestPort));
            Item->SubItems->Add(IntToStr(ReceiveInfo->iTTL));
            Item->SubItems->Add(IntToStr(ReceiveInfo->iBufSize));
            Item->SubItems->Add(ReceiveInfo->TcpFlag);
            Item->SubItems->Add(IntToStr(ReceiveInfo->Length));
            Item->SubItems->Add(ReceiveInfo->iIcmpType);
            Item->SubItems->Add(ReceiveInfo->iIcmpCode);
            try{
                    Item->SubItems->Add(ReceiveInfo->ReceiveData);
                    Item->SubItems->Add(ReceiveInfo->ReceiveUdpData);
            }
            catch(...){}
    }

    void TSniffer::ReceiveData()
    {
            memset(RecvBuf, 0, sizeof(RecvBuf));
            iErrorCode = recv(SockRaw, RecvBuf, sizeof(RecvBuf), 0);
            CheckSockError(iErrorCode, "recv");
            iErrorCode = DecodeIpPack(RecvBuf, iErrorCode);
            CheckSockError(iErrorCode, "Decode");
    }


    头文件
    //---------------------------------------------------------------------------

    #ifndef SnifferThreadH
    #define SnifferThreadH
    //---------------------------------------------------------------------------
    #include <Classes.hpp>
    #include <ComCtrls.hpp>
    //---------------------------------------------------------------------------
    #include <Winsock2.h>
    #include "MSTcpIP.h"

    #define STATUS_FAILED 0xFFFF  //定义异常出错代码
    #define MAX_PACK_LEN  655350   //接收的最大IP报文
    #define MAX_ADDR_LEN  16   //点分十进制地址的最大长度
    #define MAX_PROTO_TEXT_LEN 16  //子协议名称(如"TCP")最

    大长度
    #define MAX_PROTO_NUM 12   //子协议数量
    #define MAX_HOSTNAME_LAN 255  //最大主机名长度
    #define CMD_PARAM_HELP true


    typedef struct _iphdr
    {
    unsigned char h_lenver;  //4位首部长度+4位IP版本号
    unsigned char tos;   //8位服务类型TOS
    unsigned short total_len;  //16位总长度(字节)
    unsigned short ident;   //16位标识
    unsigned short frag_and_flags; //3位标志位
    unsigned char ttl;   //8位生存时间 TTL
    unsigned char proto;   //8位协议 (TCP, UDP 或

    其他)
    unsigned short checksum;  //16位IP首部校验和
    unsigned int sourceIP;  //32位源IP地址
    unsigned int destIP;   //32位目的IP地址
    }IP_HEADER;

    typedef struct _tcphdr    //定义TCP首部
    {
    USHORT th_sport;    //16位源端口
    USHORT th_dport;    //16位目的端口
    unsigned int  th_seq;   //32位序列号
    unsigned int  th_ack;   //32位确认号
    unsigned char th_lenres;  //4位首部长度/6位保留字
    unsigned char th_flag;   //6位标志位
    USHORT th_win;     //16位窗口大


    USHORT th_sum;     //16位校验和
    USHORT th_urp;     //16位紧急数

    据偏移量
    }TCP_HEADER;

    typedef struct _udphdr    //定义UDP首部
    {
        unsigned short uh_sport;  //16位源端口
        unsigned short uh_dport;  //16位目的端口
        unsigned short uh_len;   //16位长度
        unsigned short uh_sum;   //16位校验和
    } UDP_HEADER;

    typedef struct _icmphdr    //定义ICMP首部
    {
    BYTE   i_type;     //8位类型
    BYTE   i_code;     //8位代码
    USHORT i_cksum;     //16位校验和
    USHORT i_id;     //识别号(一般

    用进程号作为识别号)
    USHORT i_seq;     //报文序列号
    ULONG  timestamp;    //时间戳
    }ICMP_HEADER;

    typedef struct _protomap   //定义子协议映射表
    {
    int  ProtoNum;
    char ProtoText[MAX_PROTO_TEXT_LEN];
    }PROTOMAP;

    typedef struct _receiveinfo
    {
            char* szProtocol;
            char* szSourceIP;
            int iSourcePort;
            char* szDestIP;
            int iDestPort;
            int iTTL;
            int Length;
            char TcpFlag[6] ;
            int iBufSize;
            char iIcmpType;
            char iIcmpCode;
            char* ReceiveData;
            AnsiString ReceiveUdpData;
    }RECEIVEINFO;

    PROTOMAP ProtoMap[MAX_PROTO_NUM]={ //为子协议映射表赋值
      { IPPROTO_IP   , "IP  " },
      { IPPROTO_ICMP , "ICMP" },
      { IPPROTO_IGMP , "IGMP" },
      { IPPROTO_GGP  , "GGP " },
      { IPPROTO_TCP  , "TCP " },
      { IPPROTO_PUP  , "PUP " },
      { IPPROTO_UDP  , "UDP " },
      { IPPROTO_IDP  , "IDP " },
      { IPPROTO_ND   , "NP  " },
      { IPPROTO_RAW  , "RAW " },
      { IPPROTO_MAX  , "MAX " },
      { NULL , "" } };

    class TSniffer : public TThread
    {           
    private:
            int DecodeIpPack(char *, int);  //IP解包函数
            int DecodeTcpPack(char *, int);  //TCP解包函数
            int DecodeUdpPack(char *, int);  //UDP解包函数
            int DecodeIcmpPack(char *, int); //ICMP解包函数
            void CheckSockError(int, char*); //出错处理函数
            char * CheckProtocol(int);   //协议检查
            void SnifferInit();
            void  AddReceiveData(RECEIVEINFO *ReceiveInfo);
            void ReceiveData();
    protected:
            void __fastcall Execute();
    public:
            SOCKET SockRaw;
            bool MParamTcp;    // 关注TCP 报文
            bool MParamUdp;    // 关注UDP 报文
            bool MParamIcmp;    // 关注ICMP报文
            bool MParamDecode;          // 对协议进行解码
            char TcpFlag[6]; //定义TCP标志位
            char *strFromIpFilter;   // 源IP地址过滤
            char *strDestIpFilter;   // 目的地址过滤
            char *strSensitive;   // 敏感字符串
            int  iPortFilter;     // 端口过滤
            int iProtocol, iTTL;    
            char szProtocol[MAX_PROTO_TEXT_LEN];
            char szSourceIP[MAX_ADDR_LEN], szDestIP[MAX_ADDR_LEN];
            char OtherInfo[100];
            int iErrorCode;
            char RecvBuf[MAX_PACK_LEN];
            __fastcall TSniffer(bool CreateSuspended);
    };
    //---------------------------------------------------------------------------
    #endif

    lovemaggic:
    向大家推荐ethereal 0.9.14,它也是调用winpcap3.0,
    它现在版本支持各种抓包软件的数据文件,包括
    tcpdump and Ethereal
    snoop (including Shomiti) and atmsnoop
    LanAlyzer
    Sniffer (compressed or uncompressed)
    Microsoft Network Monitor
    AIX’s iptrace
    NetXray
    Sniffer Pro
    RADCOM’s WAN/LAN analyzer
    Lucent/Ascend router debug output
    HP-UX’s nettl
    the dump output from Toshiba’s ISDN routers
    i4btrace from the ISDN4BSD project
    而且它是从Linux下移植过来的,有免费的源代码。

    前几天整理了一下winpcap的文档,如果有谁想要的话,请到专题开发版给列留言:
    http://expert.csdn.net/Expert/topic/2465/2465797.xml?temp=.4748651

    希望大家有空没空有事没事常去[专题开发]版讨论问题。

    专题开发版新开发网络安全和数据库版块,希望各位能人前往交流!!


       收藏   分享  
    顶(0)
      




    点击查看用户来源及管理<br>发贴IP:*.*.*.* 2005/12/30 23:47:00
     
     GoogleAdSense
      
      
      等级:大一新生
      文章:1
      积分:50
      门派:无门无派
      院校:未填写
      注册:2007-01-01
    给Google AdSense发送一个短消息 把Google AdSense加入好友 查看Google AdSense的个人资料 搜索Google AdSense在『 安全理论 』的所有贴子 访问Google AdSense的主页 引用回复这个贴子 回复这个贴子 查看Google AdSense的博客广告
    2024/11/22 20:39:47

    本主题贴数1,分页: [1]

    管理选项修改tag | 锁定 | 解锁 | 提升 | 删除 | 移动 | 固顶 | 总固顶 | 奖励 | 惩罚 | 发布公告
    W3C Contributing Supporter! W 3 C h i n a ( since 2003 ) 旗 下 站 点
    苏ICP备05006046号《全国人大常委会关于维护互联网安全的决定》《计算机信息网络国际联网安全保护管理办法》
    171.875ms