18,356
社区成员
发帖
与我相关
我的任务
分享关于利用windows提供的filtler接口来实现包过滤编程中的问题(30分)
在msdn中搜到一个关于在用户层下就能实现对网络数据包进行拦截的一系列函数,他们分别如下:
HRESULT CreateInterface(
LPGUID pguidInterface,
BSTR bstrName,
LONG* pUserData,
LPUNKNOWN* ppInterface
);
DWORD PfBindInterfaceToIPAddress(
INTERFACE_HANDLE pInterface,
PFADDRESSTYPE pfatType,
PBYTE IPAddress
);
DWORD PfAddFiltersToInterface(
INTERFACE_HANDLE ih,
DWORD cInFilters,
PPF_FILTER_DESCRIPTOR pfiltIn,
DWORD cOutFilters,
PPF_FILTER_DESCRIPTOR pfiltOut,
PFILTER_HANDLE pfHandle
);
还有一个重要的结构体用来填充访问规则的,类似于ip安全策略中的设置源ip源端口掩码以及各种要拦截的协议等.其具体如下:
typedef struct _PF_FILTER_DESCRIPTOR {
DWORD dwFilterFlags;
DWORD dwRule;
PFADDRESSTYPE pfatType;
PBYTE SrcAddr;
PBYTE SrcMask;
PBYTE DstAddr;
PBYTE DstMask;
DWORD dwProtocol;
DWORD fLateBound;
WORD wSrcPort;
WORD wDstPort;
WORD wSrcPortHighRange;
WORD wDstPortHighRange;
} PF_FILTER_DESCRIPTOR, *PPF_FILTER_DESCRIPTOR;
以及对应的资源释放api如下:
PfRemoveFilterHandles(hInterface, 1, &fHandle);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
思路是这样的:首先安装一个接口;
然后把该接口绑定到一个ip地址;
接着定义一个PF_FILTER_DESCRIPTOR结构,并在其中设置访问规则;
然后把过滤器添加到前面的接口;
实施拦截 (这里会有严重问题);
移除过滤器;
取消绑定接口;
删除接口;
小弟自己写了段小程序,想拦截http协议(tcp 80),代码如下,但是有一个严重的问题是:无论我怎么设置访问规则,也就是对该结构体PF_FILTER_DESCRIPTOR无论怎么填充,程序都会拦截网络所有包,包括其他的一些icmp,udp包等.小弟百试不得其解,望论坛的高人指教,小弟感激不尽!
代码:
--------------------------------------------
#include <stdio.h>
#include <windows.h>
#include "Fltdefs.h"
#pragma comment(lib,"iphlpapi.lib")
int main(int argc, char* argv[])
{
DWORD dwErrorLook = NO_ERROR;
// 一个创建网络包过滤接口
INTERFACE_HANDLE hInterface;
PfCreateInterface(0,
PF_ACTION_DROP,//PF_ACTION_FORWARD,
PF_ACTION_DROP,//PF_ACTION_FORWARD,
FALSE,
TRUE,
&hInterface);
// 绑定需要网络包过滤的IP地址
BYTE LocalIp[] = {10 , 43 , 125, 41 };
//这里来设置对应的规则:包括起始ip,目标端口,源端口,掩码等等,无论怎么设置都不行
BYTE ScrIp[] = {202, 181, 29 , 154};
BYTE ScrMask[] = {255, 255, 255, 0 };
WORD ScrPort = 80;
WORD ScrPortHighRange = 0;
BYTE TarIp[] = {10 , 43 , 125, 41 };
BYTE TarMask[] = {255, 0 , 0 , 0 };
WORD TarPort = 1;
WORD TarPortHighRange = 5000;
dwErrorLook = PfBindInterfaceToIPAddress(hInterface, PF_IPV4, LocalIp);
if( dwErrorLook != NO_ERROR)
{
printf("PfBindInterfaceToIPAddress error: %d\n", dwErrorLook);
PfDeleteInterface(hInterface);
return -1;
}
FILTER_HANDLE fHandle;
// 填充过滤包的规则结构
PF_FILTER_DESCRIPTOR inFilter;
inFilter.dwFilterFlags = FD_FLAGS_NOSYN; //一直添这个值
inFilter.dwRule = 0; //一直添这个值
inFilter.pfatType = PF_IPV4; //用 ipV4 地址
inFilter.SrcAddr = ScrIp; //设置来源IP地址
inFilter.SrcMask = ScrMask; //设置来源子网掩码
inFilter.wSrcPort = ScrPort; //任意来源端口
inFilter.wSrcPortHighRange = ScrPortHighRange;
inFilter.DstAddr = TarIp; //目标ip地址
inFilter.DstMask = TarMask;//目标子网掩码
inFilter.wDstPort = TarPort; //目标端口
inFilter.wDstPortHighRange = TarPortHighRange;
inFilter.dwProtocol = FILTER_PROTO_TCP; // 过滤的协议
// 加入一个过滤接口
dwErrorLook = PfAddFiltersToInterface(hInterface, 1, &inFilter, 0, NULL, &fHandle);
if( dwErrorLook != NO_ERROR)
{
printf("PfAddFiltersToInterface error: %d\n", dwErrorLook);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
return -1;
}
getchar();
// 移除过滤接口
PfRemoveFilterHandles(hInterface, 1, &fHandle);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
return 0;
}
HRESULT CreateInterface(
LPGUID pguidInterface,
BSTR bstrName,
LONG* pUserData,
LPUNKNOWN* ppInterface
);
DWORD PfBindInterfaceToIPAddress(
INTERFACE_HANDLE pInterface,
PFADDRESSTYPE pfatType,
PBYTE IPAddress
);
DWORD PfAddFiltersToInterface(
INTERFACE_HANDLE ih,
DWORD cInFilters,
PPF_FILTER_DESCRIPTOR pfiltIn,
DWORD cOutFilters,
PPF_FILTER_DESCRIPTOR pfiltOut,
PFILTER_HANDLE pfHandle
);
还有一个重要的结构体用来填充访问规则的,类似于ip安全策略中的设置源ip源端口掩码以及各种要拦截的协议等.其具体如下:
typedef struct _PF_FILTER_DESCRIPTOR {
DWORD dwFilterFlags;
DWORD dwRule;
PFADDRESSTYPE pfatType;
PBYTE SrcAddr;
PBYTE SrcMask;
PBYTE DstAddr;
PBYTE DstMask;
DWORD dwProtocol;
DWORD fLateBound;
WORD wSrcPort;
WORD wDstPort;
WORD wSrcPortHighRange;
WORD wDstPortHighRange;
} PF_FILTER_DESCRIPTOR, *PPF_FILTER_DESCRIPTOR;
以及对应的资源释放api如下:
PfRemoveFilterHandles(hInterface, 1, &fHandle);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
思路是这样的:首先安装一个接口;
然后把该接口绑定到一个ip地址;
接着定义一个PF_FILTER_DESCRIPTOR结构,并在其中设置访问规则;
然后把过滤器添加到前面的接口;
实施拦截 (这里会有严重问题);
移除过滤器;
取消绑定接口;
删除接口;
小弟自己写了段小程序,想拦截http协议(tcp 80),代码如下,但是有一个严重的问题是:无论我怎么设置访问规则,也就是对该结构体PF_FILTER_DESCRIPTOR无论怎么填充,程序都会拦截网络所有包,包括其他的一些icmp,udp包等.小弟百试不得其解,望论坛的高人指教,小弟感激不尽!
代码:
--------------------------------------------
#include <stdio.h>
#include <windows.h>
#include "Fltdefs.h"
#pragma comment(lib,"iphlpapi.lib")
int main(int argc, char* argv[])
{
DWORD dwErrorLook = NO_ERROR;
// 一个创建网络包过滤接口
INTERFACE_HANDLE hInterface;
PfCreateInterface(0,
PF_ACTION_DROP,//PF_ACTION_FORWARD,
PF_ACTION_DROP,//PF_ACTION_FORWARD,
FALSE,
TRUE,
&hInterface);
// 绑定需要网络包过滤的IP地址
BYTE LocalIp[] = {10 , 43 , 125, 41 };
//这里来设置对应的规则:包括起始ip,目标端口,源端口,掩码等等,无论怎么设置都不行
BYTE ScrIp[] = {202, 181, 29 , 154};
BYTE ScrMask[] = {255, 255, 255, 0 };
WORD ScrPort = 80;
WORD ScrPortHighRange = 0;
BYTE TarIp[] = {10 , 43 , 125, 41 };
BYTE TarMask[] = {255, 0 , 0 , 0 };
WORD TarPort = 1;
WORD TarPortHighRange = 5000;
dwErrorLook = PfBindInterfaceToIPAddress(hInterface, PF_IPV4, LocalIp);
if( dwErrorLook != NO_ERROR)
{
printf("PfBindInterfaceToIPAddress error: %d\n", dwErrorLook);
PfDeleteInterface(hInterface);
return -1;
}
FILTER_HANDLE fHandle;
// 填充过滤包的规则结构
PF_FILTER_DESCRIPTOR inFilter;
inFilter.dwFilterFlags = FD_FLAGS_NOSYN; //一直添这个值
inFilter.dwRule = 0; //一直添这个值
inFilter.pfatType = PF_IPV4; //用 ipV4 地址
inFilter.SrcAddr = ScrIp; //设置来源IP地址
inFilter.SrcMask = ScrMask; //设置来源子网掩码
inFilter.wSrcPort = ScrPort; //任意来源端口
inFilter.wSrcPortHighRange = ScrPortHighRange;
inFilter.DstAddr = TarIp; //目标ip地址
inFilter.DstMask = TarMask;//目标子网掩码
inFilter.wDstPort = TarPort; //目标端口
inFilter.wDstPortHighRange = TarPortHighRange;
inFilter.dwProtocol = FILTER_PROTO_TCP; // 过滤的协议
// 加入一个过滤接口
dwErrorLook = PfAddFiltersToInterface(hInterface, 1, &inFilter, 0, NULL, &fHandle);
if( dwErrorLook != NO_ERROR)
{
printf("PfAddFiltersToInterface error: %d\n", dwErrorLook);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
return -1;
}
getchar();
// 移除过滤接口
PfRemoveFilterHandles(hInterface, 1, &fHandle);
PfUnBindInterface(hInterface);
PfDeleteInterface(hInterface);
return 0;
}
...全文
请发表友善的回复…
发表回复
