Windows Filtering Platform - where is my packet payload?

Time: 2011-02-22 10:53:45

Tags: windows filtering platform wfp

I have been modifying the 'inspect' WFP sample (bundled with the WinDDK), with the aim of parsing the payload of every incoming TCP packet (from a specified IP address) for certain strings. (I have already modified 'inspect' so that the filter only captures TCP packets.)

So far my modifications are in the 'TLInspectTransportClassify' classifyFn, as shown below. My goal is to access the payload of every captured TCP packet.

FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
FWPS_STREAM_DATA* streamData;
SIZE_T streamLength;
BYTE* stream = NULL;
SIZE_T bytesCopied = 0;

[...]

if (ioPacket == NULL) {
    DbgPrint("ioPacket == NULL\n");
    return STATUS_INSUFFICIENT_RESOURCES;
}
streamData = ioPacket->streamData;

if (!streamData) {     // why is this always NULL?  shouldn't our payload be here?
    DbgPrint("streamData == NULL: no data\n");
    classifyOut->actionType = FWP_ACTION_PERMIT;
    classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    goto Exit;
}

DbgPrint("tcp packet has some data\n");

streamLength = streamData->dataLength;

stream = ExAllocatePoolWithTag(NonPagedPool,
                               streamLength,
                               'yftN');

if (!stream)
    return STATUS_INSUFFICIENT_RESOURCES;

RtlZeroMemory(stream, streamLength);
FwpsCopyStreamDataToBuffer0(
    streamData,
    stream,
    streamLength,
    &bytesCopied);

// should now have our tcp payload in 'stream' buffer(?)

DbgPrint("reached parsing code\n");

[...]

As I understand it, after declaring ioPacket as above, ioPacket->streamData should contain the packet's payload. However, ioPacket->streamData is always NULL for me. How do I get at the packet's payload? What am I doing wrong?

Thanks in advance.

1 answer:

Answer 0: (score: 3)

'TLInspectTransportClassify' sits at the TRANSPORT_LAYER, where layerData should be cast to a NET_BUFFER_LIST.

FWPS_STREAM_CALLOUT_IO_PACKET applies to FWPM_LAYER_STREAM_V4 / FWPM_LAYER_STREAM_V6.

See MSDN classifyFn0: http://msdn.microsoft.com/en-us/library/ff544890(VS.85).aspx

Management Filtering Layer Identifiers: http://msdn.microsoft.com/en-us/library/ff557101(VS.85).aspx
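The answer's point is that a transport-layer callout is handed raw segment bytes in a NET_BUFFER_LIST, not a reassembled stream: there is no streamData to read, and the payload boundary has to be worked out from the TCP header itself. The following is an added example, not code from the question, the answer, or the WDK 'inspect' sample. It assumes the driver has already copied the NET_BUFFER contents that begin at the TCP header into a flat buffer (the NDIS copy is kernel-only and is not shown here), and it demonstrates the part that can run offline: validating the TCP Data Offset field, locating the payload after any options, and doing a bounded string search on the payload only. The segment bytes are constructed for the example; all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A TCP header is 20..60 bytes; the Data Offset nibble (upper half of
 * byte 12) gives the header length in 32-bit words (5..15). */
#define TCP_MIN_HDR 20
#define TCP_MAX_HDR 60

/* Locate the payload in a buffer that starts at the TCP header (a model
 * of what an inbound transport-layer callout sees once the NET_BUFFER
 * data has been flattened). Returns 1 on success, 0 if the header is
 * truncated or its Data Offset is out of range. Never trust the nibble
 * without checking it against the bytes actually available. */
int tcp_payload(const uint8_t *seg, size_t seg_len,
                const uint8_t **payload, size_t *payload_len)
{
    if (seg == NULL || seg_len < TCP_MIN_HDR)
        return 0;
    size_t hdr_len = (size_t)(seg[12] >> 4) * 4;
    if (hdr_len < TCP_MIN_HDR || hdr_len > TCP_MAX_HDR || hdr_len > seg_len)
        return 0;
    *payload = seg + hdr_len;
    *payload_len = seg_len - hdr_len;
    return 1;
}

/* Bounded search for a byte pattern in the payload only, so that header
 * and option bytes cannot produce a false match. */
int payload_contains(const uint8_t *seg, size_t seg_len, const char *needle)
{
    const uint8_t *p;
    size_t n, k = strlen(needle);
    if (!tcp_payload(seg, seg_len, &p, &n) || k == 0 || n < k)
        return 0;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(p + i, needle, k) == 0)
            return 1;
    return 0;
}

/* Constructed sample segment: Data Offset = 8 (32-byte header, i.e. 12
 * bytes of options) followed by a short HTTP request line as payload. */
size_t build_sample_segment(uint8_t *out, size_t cap)
{
    static const uint8_t hdr[32] = {
        0x1f, 0x90, 0xc0, 0x00,             /* src port 8080, dst port 49152 */
        0x00, 0x00, 0x00, 0x01,             /* sequence number */
        0x00, 0x00, 0x00, 0x00,             /* acknowledgement number */
        0x80, 0x18,                         /* data offset 8, flags PSH|ACK */
        0xff, 0xff, 0x00, 0x00, 0x00, 0x00, /* window, checksum (unset), urgent */
        0x01, 0x01, 0x08, 0x0a,             /* NOP, NOP, timestamp option (kind 8, len 10) */
        0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x07
    };
    static const char body[] = "GET / HTTP/1.0\r\n";
    size_t body_len = sizeof body - 1;
    if (cap < sizeof hdr + body_len)
        return 0;
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + sizeof hdr, body, body_len);
    return sizeof hdr + body_len;           /* 48 bytes */
}

/* Wrappers over the sample so results can be checked by return value.
 * truncate_to > 0 simulates a short read of the segment. */
long sample_payload_len(size_t truncate_to)
{
    uint8_t buf[128];
    const uint8_t *p;
    size_t n = build_sample_segment(buf, sizeof buf), pl;
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    return tcp_payload(buf, n, &p, &pl) ? (long)pl : -1L;
}

int sample_contains(const char *needle)
{
    uint8_t buf[128];
    size_t n = build_sample_segment(buf, sizeof buf);
    return payload_contains(buf, n, needle);
}

int main(void)
{
    printf("payload length: %ld bytes\n", sample_payload_len(0));
    printf("contains \"GET /\": %d\n", sample_contains("GET /"));
    printf("truncated segment rejected: %d\n", sample_payload_len(25) == -1);
    return 0;
}
```

In the driver the same logic runs over the bytes obtained from the NET_BUFFER_LIST that layerData points to at the transport layer; the only difference is where the flat buffer comes from. The truncation check matters there too: a callout that reads past the bytes NDIS actually handed it is a kernel memory-safety bug, not just a parsing error.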