
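Bypassing Telecom, Netcom and Tietong access-provider restrictions on shared Internet access, Part 3: a driver that rewrites the TTL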

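2012-07-19 14:28

Bypassing Telecom, Netcom and Tietong access-provider restrictions on shared Internet access, Part 1: /article/8302673.html

Bypassing Telecom, Netcom and Tietong access-provider restrictions on shared Internet access, Part 2: the TTL of IP packets arriving over PPPoE is set to 0

The access provider restricts shared Internet access by setting the TTL of IP packets to 0. Here we change the TTL of incoming IP packets to a value greater than 0.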

Multi-platform (x86, ia64, amd64), builds cleanly under DDK 3790:

Prebuilt driver download: http://download.csdn.net/detail/kl222/6648507

Source download: http://download.csdn.net/detail/kl222/6650033

Windows XP:

Source download: http://download.csdn.net/detail/kl222/4449266

Driver download: http://download.csdn.net/detail/kl222/4449316

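I. Categories of NDIS drivers

NDIS (Network Driver Interface Specification) is the Windows interface standard for network drivers. NDIS drivers fall into three categories:

1. NDIS Miniport NIC Driver: the low-level miniport NIC driver, that is, the driver for the physical network device.

2. NDIS Protocol Driver: the upper-level protocol driver, which implements a specific protocol stack such as TCP/IP and exports the TDI interface to the layers above it.

3. NDIS Intermediate Driver: the intermediate driver, which sits between the Miniport Driver and the Protocol Driver.

II. Overview of the NDIS driver structure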

            TDI(Transport Driver Interface)
_______________________________________________________
                |                     |
        ________|__________    _______|_______
       |                   |  |               |
_____  |  LAN Protocols    |  |               |
|    | |___________________|  |               |
|    |_____________________   |    Native     |
|                          |  |    Media      |
| N       LAN Media Type   |  |    Aware      |
| D   _____________________|  |    Protocol   |
| I  |   __________________   |               |
| S  |  |                  |  |               |
|    |  |NDIS Intermediate |  |               |
| I  |  |__________________|  |_______________|
| N  |_________________________________________
| T                                            |
| E             Native Media Type              |
| R  __________________________________________|
| F  |  _________________    __________________
| A  | |                 |  |                  |
| C  | | NDIS Miniport   |  |  NDIS Miniport   |
| E  | |_________________|  |__________________|
|    |_________________________________________
|                                              |
|                NDIS Interface                |
|______________________________________________|
       ________________    ______________
      |                |  |              |
      |    NetCard     |  |   NetCard    |
      |________________|  |______________|
Figure 1


III. Data flow through NDIS drivers

 ________________________    _____
|                        |  |     |
|    Transport Driver    |  |     |
|________________________|  |     |
| Protocol Xxx - Media X |  |     |
+------------------------+  |     |
 ___________________________|     |
|___________________________      |
                            |     |
 ________________________   |     |
| Miniport Xxx - Media X |  |     |
+------------------------|  |     |
|                        |  |     |
|  Intermediate Driver   |  |     |
|________________________|  |     |
| Protocol Xxx - Media Y |  |     |
+------------------------+  |     |
                            |     |
 ___________________________|     |
|___________________________      |
                            |     |
 ________________________   |     |
| Miniport Xxx - Media Y |  |     |
+------------------------|  |     |
|                        |  |     |
|      NIC Driver        |  |     |
|________________________|  |     |
                            |     |
 ___________________________|     |
|_________________________________|
         _________________
        |                 |
        |       NIC       |
        |_________________|
Figure 2


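Code walkthrough:

passthru is a sample NDIS intermediate network driver that ships with the DDK.

PtReceivePacket is the function that gets called once the lower layer has received a packet, so that is where we set the IP TTL to a value greater than 0. OnProcessMyPacket in ip.c is the function that rewrites the TTL.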

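INT OnProcessMyPacket(PNDIS_PACKET Packet)
{
    int nRet = 0;
    UINT nPhysicalBufferCount = 0, nBufferCount = 0, nTotalPacketLength = 0;
    PNDIS_BUFFER pFirstBuffer = NULL;
    char * pBuf = NULL;
    UINT nLen = 0;
    UINT nIpOffset = 0, nIpHdrLen = 0;
    struct ip_hdr * ipHdr = NULL;
    struct ethhdr * pEthHdr = NULL;
    struct ppp_hdr *pPppHdr = NULL;

    if(!Packet)
    {
        return 0;
    }

    NdisQueryPacket(Packet, &nPhysicalBufferCount, &nBufferCount, &pFirstBuffer, &nTotalPacketLength);
    DbgPrint("PtReceivePacket:nPhysicalBufferCount:%d;nBufferCount:%d;nTotalPacketLength:%d\n",
        nPhysicalBufferCount, nBufferCount, nTotalPacketLength);

    // Check that the packet is at least as long as the PPPoE header
    if(nTotalPacketLength < PPPOE_HEAD_LENGTH || pFirstBuffer == NULL)
    {
        return 0;
    } // end if(nTotalPacketLength < PPPOE_HEAD_LENGTH)

    // My machine has large buffers, so the whole packet sits in one BUFFER.
    // If that is not the case on your machine, you need to walk all the BUFFERs.
    NdisQueryBufferSafe(pFirstBuffer, &pBuf, &nLen, HighPagePriority);

    // Offset of the IP header: Ethernet header, 6-byte PPPoE header, 2-byte PPP protocol field
    nIpOffset = (UINT)sizeof(struct ethhdr) + 8;

    // NdisQueryBufferSafe returns NULL when the buffer cannot be mapped, and
    // every header parsed below must lie inside this first buffer
    if(pBuf == NULL || nLen < nIpOffset + IP_HDR_LEN)
    {
        return nRet;
    }

    pEthHdr = (struct ethhdr * )pBuf;

    // Is this a PPPoE payload frame?
    if(pEthHdr->h_proto != htons(ETH_TYPE_PPPOE))
    {
        return nRet;
    } // end if(pEthHdr->h_proto != htons(ETH_TYPE_PPPOE))

    pPppHdr = (struct ppp_hdr * )(pBuf + sizeof(struct ethhdr));
    //dump((char*)pBuf,  nLen, "pppoe");
    // Is the encapsulated protocol IP?
    if(htons(PPPOE_TYPE_IP) != pPppHdr->protol)
    {
        return nRet;
    } // end if(htons(PPPOE_TYPE_IP) != pPppHdr->protol)

    DbgPrint("PtReceivePacket is ip over pppoe packet \n");
    ipHdr = (struct ip_hdr * )(pBuf + nIpOffset);

    // ip_hl comes off the wire: reject a header shorter than the minimum
    // or one that runs past the end of the buffer
    nIpHdrLen = ipHdr->ip_hl << 2;
    if(nIpHdrLen < IP_HDR_LEN || nLen < nIpOffset + nIpHdrLen)
    {
        return nRet;
    }

    ipHdr->ip_ttl = 30; // set the TTL

    // Recompute the header checksum
    ip_checksum(ipHdr);

    return nRet;
}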


Checksum:

/* Compute the checksum */
UINT16 checksum(void *buf, int len)
{
    UINT32 sum = 0;
    UINT16 * cbuf;

    dump((char*)buf, len, NULL);
    DbgPrint("checksum:head len:%d\n", len);
    if(len < IP_HDR_LEN)
    {
        DbgPrint("ip head len < %d\n", IP_HDR_LEN);
        return 0;
    } // end if(len < IP_HDR_LEN)

    cbuf = (UINT16 * )buf;

    // Sum the data as 16-bit words
    while(len > 1){
        sum += *cbuf++;
        len -= 2;
    }

    // Add the trailing odd byte, if there is one
    if(len)
        sum += *(UINT8 * )cbuf;

    // Fold the carries back into the low 16 bits
    while(sum >> 16)
    {
        sum = (sum & 0xffff) + (sum >> 16);
    } // end while(sum >> 16)

    return (UINT16)~sum;
}

void ip_checksum(struct ip_hdr * ipHdr)
{
    // The checksum field must be zero while the sum is computed
    ipHdr->ip_sum = 0;
    DbgPrint("checksum:ip->ip_hl:%02X\n", ipHdr->ip_hl);
    // ip_hl is the header length in 32-bit words
    ipHdr->ip_sum = checksum(ipHdr, ipHdr->ip_hl << 2);
}
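The same TTL rewrite and checksum refresh as a user-space C program, with the length checks a parser of wire data needs. This is an added example, not code from the driver: `set_ttl`, `ip_hdr_checksum` and the `SAMPLE` frame are constructed here, and the byte offsets assume an untagged Ethernet frame carrying a PPPoE session packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14  /* dst MAC, src MAC, EtherType */
#define PPPOE_HLEN  8  /* 6-byte PPPoE header + 2-byte PPP protocol ID */

/* Constructed sample: IPv4 header (TTL 0) in a PPPoE session frame, no payload. */
static const uint8_t SAMPLE[42] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x88,0x64,     /* Ethernet, type 0x8864 */
    0x11,0x00, 0x00,0x01, 0x00,0x16, 0x00,0x21,          /* PPPoE, PPP proto IPv4 */
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x00,0x01,0xa6,0xe7,   /* TTL 0, ICMP, checksum */
    10,0,0,1, 10,0,0,2 };                                /* 10.0.0.1 -> 10.0.0.2 */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 sum over the header, read byte-wise so it is endian-independent. */
uint16_t ip_hdr_checksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(h + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Set the TTL and refresh the checksum. Returns 0, or -1 if the frame is not
   a well-formed IPv4-over-PPPoE frame lying entirely inside buf[0..len). */
int set_ttl(uint8_t *buf, size_t len, uint8_t ttl)
{
    size_t off = ETH_HLEN + PPPOE_HLEN, hl;
    if (len < off + 20) return -1;                       /* minimum IPv4 header */
    if (rd16(buf + 12) != 0x8864) return -1;             /* PPPoE session stage */
    if (rd16(buf + ETH_HLEN + 6) != 0x0021) return -1;   /* PPP protocol: IPv4 */
    if ((buf[off] >> 4) != 4) return -1;                 /* IP version */
    hl = (size_t)(buf[off] & 0x0f) * 4;                  /* IHL comes off the wire */
    if (hl < 20 || len < off + hl) return -1;
    buf[off + 8] = ttl;
    buf[off + 10] = buf[off + 11] = 0;                   /* zero before summing */
    uint16_t c = ip_hdr_checksum(buf + off, hl);
    buf[off + 10] = (uint8_t)(c >> 8); buf[off + 11] = (uint8_t)c;
    return 0;
}

int main(void)
{
    uint8_t f[sizeof SAMPLE];
    memcpy(f, SAMPLE, sizeof f);
    int rc = set_ttl(f, sizeof f, 30);
    printf("rc=%d ttl=%u cksum=%02x%02x\n", rc, f[30], f[32], f[33]);
    return 0;
}
```

Summing a header that already contains a correct checksum yields 0, which gives a quick check that the rewritten header is still valid.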


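Building the driver:

This driver is built with Windows DDK version 3790.

Install Windows DDK 3790.

In the Start menu, find the DDK group and click the build-environment entry for the target platform; a command-line build environment opens.

In that command prompt, change to the driver's source directory and run:

build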