2004年12月的时候,www.rootkit.com上面的一名黑客发表了一篇著名的文章:“Hooking into NDIS and TDI, part 1。这篇文章本意是为rootkit作者们提供一种挂接底层驱动实现端口重用的方法,但是这篇文章揭示了一个全新的技术:通过动态的注册ndis假协议,可以获得ndis protocol的链表地址。得到这个地址之后就能不通过重起,就能替换并监控每个ndis protocol的send(packets)handler和receive(packet)handler,并且可以动态的卸载监控模块不需要重起。在这篇文章出现之后,很多防火墙厂商都悄悄地对自己的产品进行了升级。目前的ZoneAlarm等产品就是使用这种技术,可以在安装后即时发挥作用。这个例子更充分的体现了,黑客和反黑技术本来就是相辅相成的,本源同一的。
// // The stuff below is for CO drivers/protocols. This part is not allocated for CL drivers. // struct _NDIS_OPEN_CO { .... }; #endif };
typedef struct _NDIS_COMMON_OPEN_BLOCK { PVOID MacHandle; // needed for backward compatibility NDIS_HANDLE BindingHandle; // Miniport's open context PNDIS_MINIPORT_BLOCK MiniportHandle; // pointer to the miniport PNDIS_PROTOCOL_BLOCK ProtocolHandle; // pointer to our protocol NDIS_HANDLE ProtocolBindingContext;// context when calling ProtXX funcs PNDIS_OPEN_BLOCK MiniportNextOpen; // used by adapter's OpenQueue PNDIS_OPEN_BLOCK ProtocolNextOpen; // used by protocol's OpenQueue NDIS_HANDLE MiniportAdapterContext; // context for miniport BOOLEAN Reserved1; BOOLEAN Reserved2; BOOLEAN Reserved3; BOOLEAN Reserved4; PNDIS_STRING BindDeviceName; KSPIN_LOCK Reserved5; PNDIS_STRING RootDeviceName;
// // These are referenced by the macros used by protocols to call. // All of the ones referenced by the macros are internal NDIS handlers for the miniports // union { SEND_HANDLER SendHandler; WAN_SEND_HANDLER WanSendHandler; }; TRANSFER_DATA_HANDLER TransferDataHandler;
// // These are referenced internally by NDIS // SEND_COMPLETE_HANDLER SendCompleteHandler; TRANSFER_DATA_COMPLETE_HANDLER TransferDataCompleteHandler; RECEIVE_HANDLER ReceiveHandler; RECEIVE_COMPLETE_HANDLER ReceiveCompleteHandler; WAN_RECEIVE_HANDLER WanReceiveHandler; REQUEST_COMPLETE_HANDLER RequestCompleteHandler;