C# 从所选进程读取传出数据包
是否可以在C#中从所选进程读取传出数据包?如果是,我应该使用什么api?C# 从所选进程读取传出数据包,c#,tcp,packet-capture,C#,Tcp,Packet Capture,是否可以在C#中从所选进程读取传出数据包?如果是,我应该使用什么api? 提前感谢。您可以使用第三方物流数据流来做到这一点。当然您可以。。。但前提是该进程对其侦听器具有“公共挂钩”。否则,您将不得不创建一个嗅探器:调试可执行文件,查找套接字发送缓冲区的偏移量,并将读取器挂接到它。通过类似防火墙的应用程序更容易做到这一点。我假设您正在尝试执行类似WireShark或Winsock数据包编辑器的操作 简而言之,答案是否定的。绝对没有内置功能的命名空间或程序集 P> >长的答案是是的,但是你必须让你的
提前感谢。您可以使用第三方物流数据流来做到这一点。当然您可以。。。但前提是该进程对其侦听器具有“公共挂钩”。否则,您将不得不创建一个嗅探器:调试可执行文件,查找套接字发送缓冲区的偏移量,并将读取器挂接到它。通过类似防火墙的应用程序更容易做到这一点。我假设您正在尝试执行类似WireShark或Winsock数据包编辑器的操作 简而言之,答案是否定的。绝对没有内置功能的命名空间或程序集 P> >长的答案是<强>是的,但是你必须让你的手有点脏。< /强>你将很可能不得不制作一个C++ DLL,以将其注入到“间谍”的进程中。但是,您可以通过C#与此DLL进行接口,并使您的接口全部位于.NET中
你的第一步是创建C++ DLL,只需要几个出口:
bool InitialzeHook()
{
// TODO: Patch the Import Address Table (IAT) to overwrite
// the address of Winsock's send/recv functions
// with your SpySend/SpyRecv ones instead.
}
bool UninitializeHook()
{
// TODO: Restore the Import Address Table (IAT) to the way you found it.
}
// This function will be called instead of Winsock's recv function once hooked.
int SpySend(SOCKET s, const char *buf, int len, int flags)
{
// TODO: Do something with the data to be sent, like logging it.
// Call the real Winsock send function.
int numberOfBytesSent = send(s, buf, len, flags);
// Return back to the calling process.
return numberOfBytesSent;
}
// This function will be called instead of Winsock's recv function once hooked.
int SpyRecv(SOCKET s, char *buf, int len, int flags)
{
// Call the real Winsock recv function to get the data.
int numberOfBytesReceived = recv(s, buf, len, flags);
// TODO: Do something with the received data, like logging it.
// Return back to the calling process.
return numberOfBytesReceived;
}
其中最困难的部分是修补导入地址表(IAT)的函数。关于如何遍历它并在其中查找函数导入,有各种资源提示:您必须按顺序而不是名称修补Winsock导入
退房并离开
完成所有这些之后,必须将所创建的DLL注入目标进程。下面是C++的pSueDO代码(从我的头顶上):
不过,你也可以通过C#平台调用(pInvoke)来做同样的事情。如何记录数据并将数据传输回C#监控程序取决于您。您可以在C#中使用一些进程间通信,如,NamedPipeClientStream
然而,这将做到这一点,最美妙的部分是,它将适用于几乎任何程序。同样的技术可以应用于任何类型的嗅探,而不仅仅是Winsock。请阅读并重复几次。检查一下
// Get the target window handle (if you don't have the process ID handy).
HWND hWnd = FindWindowA(NULL, "Your Target Window Name");
// Get the process ID from the target window handle.
DWORD processId = 0;
DWORD threadId = GetWindowThreadProcessId(hWnd, &processId);
// Open the process for reading/writing memory.
DWORD accessFlags = PROCESS_VM_OPERATION |
PROCESS_VM_READ |
PROCESS_VM_WRITE |
PROCESS_QUERY_INFORMATION;
HANDLE hProcess = OpenProcess(accessFlags, false, processId);
// Get the base address for Kernel32.dll (always the same for each process).
HMODULE hKernel32 = GetModuleHandleA("kernel32");
// Get the address of LoadLibraryA (always the same for each process).
DWORD loadLibraryAddr = GetProcAddress(hKernel32, "LoadLibraryA");
// Allocate some space in the remote process and write the library string to it.
LPVOID libraryNameBuffer = VirtualAllocEx(hProcess, NULL, 256,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
LPCSTR libraryName = L"MySpyLibrary.dll\0";
DWORD numberOfBytesWritten = 0;
BOOL writeResult = WriteProcessMemory(hProcess, libraryNameBuffer,
(LPCVOID)libraryName,
strlen(libraryName) + 1,
&numberOfBytesWritten);
// Create a thread in the remote process, using LoadLibraryA as the procedure,
// and the parameter is the library name we just wrote to the remote process.
DWORD remoteThreadId = 0;
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)loadLibraryAddr,
libraryNameBuffer,
0, &remotThreadId);
// Wait for our thread to complete and get the exit code (which is the return value).
DWORD loadedLibraryAddr = 0;
BOOL waitResult = WaitForSingleObject(hRemoteThread, INFINITE);
BOOL exitResult = GetExitCodeThread(hRemoteThread, &loadedLibraryAddr);
// TODO: Check that it was loaded properly
// if(lodadedLibraryAddr == NULL) { ... }
// Cleanup our loose ends here.
VirtualFreeEx(hProcess, libraryNameBuffer, 256, MEM_RELEASE);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);