Modifying the 'inspect' sample - where is the payload?

Problem description

I've been modifying the 'inspect' WFP example with the aim of being able to parse the payload of all incoming TCP packets (from a specified IP address) for certain strings. (I've already modified 'inspect' such that only TCP packets are caught by the filter.)

So far my modifications have been on the 'TLInspectTransportClassify' classifyFn, as shown below. My aim is to have access to the payload of each TCP packet that is caught.
    FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
    FWPS_STREAM_DATA* streamData;
    SIZE_T streamLength;
    BYTE* stream = NULL;
    SIZE_T bytesCopied = 0;
    [...]

    if (ioPacket == NULL) {
        DbgPrint("ioPacket == NULL\n");
        // A classifyFn returns void, so failure is reported through classifyOut
        // (fail closed) rather than by returning a status code.
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }
    streamData = ioPacket->streamData;
    if (!streamData) { // why is this always NULL? shouldn't our payload be here?
        DbgPrint("streamData == NULL: no data\n");
        classifyOut->actionType = FWP_ACTION_PERMIT;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }

    DbgPrint("tcp packet has some data\n");
    streamLength = streamData->dataLength;

    // Non-paged pool: the callout may be running at DISPATCH_LEVEL.
    stream = ExAllocatePoolWithTag(NonPagedPool,
                                   streamLength,
                                   'yftN');
    if (!stream) {
        // A classifyFn returns void, so failure is reported through classifyOut
        // (fail closed) rather than by returning a status code.
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }
    RtlZeroMemory(stream, streamLength);

    FwpsCopyStreamDataToBuffer0(
        streamData,
        stream,
        streamLength,
        &bytesCopied);
    // Only the first bytesCopied bytes of 'stream' are valid, and the data is
    // not NUL-terminated: any string search must be bounded by bytesCopied,
    // never by strlen(). Release the buffer with ExFreePoolWithTag(stream, 'yftN')
    // once parsing is finished.

    // should now have our tcp payload in 'stream' buffer(?)
    DbgPrint("reached parsing code\n");
[...]
From my understanding, after declaring ioPacket as above, ioPacket->streamData should contain the packet's payload. However, ioPacket->streamData is ALWAYS NULL for me. How do I get the packet's payload? Am I doing something wrong?

Thanks.
Recommended answer
Did you find a solution for your problem yet? What is your e-mail address?

Regards,
Ellay K.