
WinPcap: NPF驱动核心指南


模块

NPF 结构与定义
NPF 函数

数据结构

struct binary_stream
A stream of X86 binary code. More...
struct JIT_BPF_Filter
Structure describing a x86 filtering program created by the jitter. More...

定义

#define EAX 0
#define ECX 1
#define EDX 2
#define EBX 3
#define ESP 4
#define EBP 5
#define ESI 6
#define EDI 7
#define AX 0
#define CX 1
#define DX 2
#define BX 3
#define SP 4
#define BP 5
#define SI 6
#define DI 7
#define AL 0
#define CL 1
#define DL 2
#define BL 3
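#define MOVid(r32, i32) emitm(&stream, 11 << 4 | 1 << 3 | r32 & 0x7, 1); emitm(&stream, i32, 4);
mov r32,i32 (the macro expands to two emitm() statements, so under an unbraced if/else only the opcode byte would be emitted conditionally; use it inside braces)
#define MOVrd(dr32, sr32) emitm(&stream, 8 << 4 | 3 | 1 << 3, 1); emitm(&stream, 3 << 6 | (dr32 & 0x7) << 3 | sr32 & 0x7, 1);
mov dr32,sr32 (the macro expands to two emitm() statements, so under an unbraced if/else only the opcode byte would be emitted conditionally; use it inside braces)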
#define MOVodd(dr32, sr32, off)
mov dr32,sr32[off]
#define MOVobd(dr32, sr32, or32)
mov dr32,sr32[or32]
#define MOVobw(dr32, sr32, or32)
mov dr16,sr32[or32]
#define MOVobb(dr8, sr32, or32)
mov dr8,sr32[or32]
#define MOVomd(dr32, or32, sr32)
mov [dr32][or32],sr32
#define BSWAP(dr32)
bswap dr32
#define SWAP_AX()
xchg al,ah
#define PUSH(r32) emitm(&stream, 5 << 4 | 0 << 3 | r32 & 0x7, 1);
push r32
#define POP(r32) emitm(&stream, 5 << 4 | 1 << 3 | r32 & 0x7, 1);
pop r32
#define RET() emitm(&stream, 12 << 4 | 0 << 3 | 3, 1);
ret
#define ADDrd(dr32, sr32)
add dr32,sr32
#define ADD_EAXi(i32)
add eax,i32
#define ADDid(r32, i32)
add r32,i32
#define ADDib(r32, i8)
add r32,i8
#define SUBrd(dr32, sr32)
sub dr32,sr32
#define SUB_EAXi(i32)
sub eax,i32
#define MULrd(r32)
mul r32
#define DIVrd(r32)
div r32
#define ANDib(r8, i8)
and r8,i8
#define ANDid(r32, i32)
and r32,i32
#define ANDrd(dr32, sr32)
and dr32,sr32
#define ORrd(dr32, sr32)
or dr32,sr32
#define ORid(r32, i32)
or r32,i32
#define SHLib(r32, i8)
shl r32,i8
#define SHL_CLrb(dr32)
shl dr32,cl
#define SHRib(r32, i8)
shr r32,i8
#define SHR_CLrb(dr32)
shr dr32,cl
#define NEGd(r32)
neg r32
#define CMPodd(dr32, sr32, off)
cmp dr32,sr32[off]
#define CMPrd(dr32, sr32)
cmp dr32,sr32
#define CMPid(dr32, i32)
cmp dr32,i32
#define JNEb(off8)
jne off8
#define JE(off32)
je off32
#define JLE(off32)
jle off32
#define JLEb(off8)
jle off8
#define JA(off32)
ja off32
#define JAE(off32)
jae off32
#define JG(off32)
jg off32
#define JGE(off32)
jge off32
#define JMP(off32)
jmp off32

自定义类型

typedef UINT(__cdecl *)BPF_filter_function (PVOID *, ULONG, UINT)
Prototype of a filtering function created by the jitter.
typedef void(*)emit_func (binary_stream *stream, ULONG value, UINT n)
Prototype of the emit functions.