Many of the other Windows Filtering Platform functions that are available to user-mode management applications are also available to callout drivers. This enables a callout driver to perform management tasks, such as adding filters to the filter engine. The only difference between the user-mode and kernel-mode versions of these functions is the data type that is returned. The user-mode functions return Win32 error codes, whereas the kernel-mode functions return the equivalent NTSTATUS codes.
Many of the WFP functions used in user mode are also available to callout drivers, which lets a callout driver perform operations such as adding filters to the filter engine. The only difference between the user-mode and kernel-mode versions of these functions is the return type: user mode returns Win32 error codes, while the kernel returns NTSTATUS values.
Most of the Windows Filtering Platform management functions require a handle to an open session to the filter engine as a parameter. The following topics discuss how a callout driver can open and close a session to the filter engine.
Most WFP management functions require a handle to an open session to the filter engine.
A callout driver must open a session to the filter engine to perform management tasks such as adding filters to the filter engine. A callout driver opens a session to the filter engine by calling the FwpmEngineOpen0 function. For example:
A callout driver can call the FwpmEngineOpen0 function to open a session and then go on to perform operations such as adding filters.
#include <fwpmk.h>   // kernel-mode WFP management API (WDK)

HANDLE engineHandle;
NTSTATUS status;

// Open a session to the filter engine (must be called at PASSIVE_LEVEL)
status =
   FwpmEngineOpen0(
      NULL,                // The filter engine on the local system
      RPC_C_AUTHN_WINNT,   // Use the Windows authentication service
      NULL,                // Use the calling thread's credentials
      NULL,                // There are no session-specific parameters
      &engineHandle        // Pointer to a variable to receive the handle
      );
if (!NT_SUCCESS(status)) {
   // engineHandle is not valid; do not use it and report the error
}
After a callout driver has successfully opened a session to the filter engine, it can use the returned handle to call the other Windows Filtering Platform management functions.
After a callout driver has performed the desired management tasks, it should close the session to the filter engine. A callout driver does this by calling the FwpmEngineClose0 function. For example:
After the required operations are completed, the session should be closed. Call FwpmEngineClose0 to close the session.
// Close the session; in a dynamic session this also removes the objects it added
status =
   FwpmEngineClose0(
      engineHandle         // A handle to the open session
      );