在世界粮食计划署的DATAGRAM_DATA层重写数据包时出现蓝屏

Question

我一直试图通过世界粮食计划署的DATAGRAM_DATA层修改传出的DNS数据包，但是在重写传出数据包中的目标ip时，我得到了蓝屏错误。我做错了什么？

我承认我发现FwpsInjectTransportSendAsync的参数有点混乱，也不确定sendParams参数到底要放入什么--尽管我认为我的参数看起来是对的。

RtlIpv4StringToAddressExW(
L"1.1.1.1", // hard-coding the new (rewritten) dns server for now
FALSE,
&sin4.sin_addr,
&sin4.sin_port);

RtlIpv4StringToAddressExW(
    L"8.8.8.8",        // hard-coding the original dns server for now
    FALSE,
    &origSin4.sin_addr,
    &origSin4.sin_port);

if ((Direction == FWP_DIRECTION_OUTBOUND) && (PacketInjectionState == FWPS_PACKET_NOT_INJECTED) && (RemotePort == 53) && (RemoteAddress == origSin4.sin_addr.S_un.S_addr))
{

    UINT32 IpHeaderSize = inMetaValues->ipHeaderSize;
    UINT32 TransportHeaderSize = inMetaValues->transportHeaderSize;
    UINT64 endpointHandle = inMetaValues->transportEndpointHandle;

    PNET_BUFFER NetBuffer = NET_BUFFER_LIST_FIRST_NB((PNET_BUFFER_LIST)layerData);
    NdisRetreatNetBufferDataStart(NetBuffer, IpHeaderSize + TransportHeaderSize, 0, NULL);

    PNET_BUFFER_LIST NetBufferList = NULL;
    NTSTATUS Status = FwpsAllocateCloneNetBufferList(layerData, NULL, NULL, 0, &NetBufferList);
    if (!NT_SUCCESS(Status))
    {
        return;
    }

    NdisAdvanceNetBufferDataStart(NetBuffer, IpHeaderSize + TransportHeaderSize, FALSE, NULL);

    if (!NetBufferList)
    {
        return;
    }

    NetBuffer = NET_BUFFER_LIST_FIRST_NB(NetBufferList);

    PIPV4_HEADER IpHeader = NdisGetDataBuffer(NetBuffer, sizeof(IPV4_HEADER), NULL, 1, 0);

    // Rewriting the dest ip
    IpHeader->DestinationAddress = sin4.sin_addr.S_un.S_addr;

    // Updating the IP checksum
    UpdateIpv4HeaderChecksum(IpHeader, sizeof(IPV4_HEADER));

    // not 100% sure the sendParams argument is setup correctly, the docs are slightly unclear
    FWPS_TRANSPORT_SEND_PARAMS sendParams = {
        .remoteAddress = (UCHAR*)IpHeader->DestinationAddress,
        .remoteScopeId = inMetaValues->remoteScopeId,
        .controlData = inMetaValues->controlData,
        .controlDataLength = inMetaValues->controlDataLength,
        .headerIncludeHeader = inMetaValues->headerIncludeHeader,
        .headerIncludeHeaderLength = inMetaValues->headerIncludeHeaderLength
    };

    Status = FwpsInjectTransportSendAsync(g_InjectionHandle, NULL, endpointHandle, 0, &sendParams, AF_INET, inMetaValues->compartmentId, NetBufferList, DriverDatagramDataInjectComplete, NULL);
    if (!NT_SUCCESS(Status))
    {
        FwpsFreeCloneNetBufferList(NetBufferList, 0);
    }

    classifyOut->actionType = FWP_ACTION_BLOCK;
    classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}

Answer 1

有两件事对我来说很突出，这两件事都是在sendParams中。

首先，remoteAddress是错误的。它需要一个指向地址的指针，所以它应该是(UCHAR*)&IpHeader->DestinationAddress。

其次，FwpsInjectTransportSendAsync()是异步的，所以您传递给它的任何参数都需要保持有效，直到它完成，这可能是在调用函数返回之后。通常，您会分配一些上下文结构，其中包含sendParams和相关成员(remoteAddress和controlData)的深层副本。将它作为上下文传递给完成例程，在那里释放它。