Windows Filtering Platform 结构和简介

Windows Filtering Platform 结构和简介[转]

  (2011-05-10 11:00:33)

转载▼

标签：  杂谈

vista中的替代方案Windows Filtering Platform。

         下面这张图是Windows Filtering Platform的结构图：

         按照微软的说法,图中Filter Engine是 Windows Filter Platform的核心。它来执行网络数据的过滤操作，它处于网络堆栈的过滤层(filter layer）。而真正值得 我们关注的是图中的"Callout",Windows中有内置的"Callout”，而第三方也可以开 发"Callout Driver"，"Callout Driver“向Filter Engine注册一个"Callout",并标明这 个"Callout"感兴趣的数据类型，那么Filter Engine收到这一类的数据时就会传给对应的"Callout”处理。

     

        我看了一下Windows vista中内置的callout,太多了就不在这里列举了，给个链接吧:http://msdn2.microsoft.com/en-us/library/aa504917.aspx 

        

       "Callout Driver"有如下的用途:

      1.深度检查:对网络数据做复杂的检查，比如杀毒软件可以用它扫描病毒特征码。

      2.修改网络消息包,比如可以修改IP包的包头。

      3.修改网络流数据:比如保护少年儿童上网的产品可以过滤网络数据流中的成人内容。

      4.数据日志:记录网络交互的数据到日志中去。

This information applies for the following operating systems:
Microsoft Windows Vista
Microsoft Windows Server 2008

Introducing the Windows Filtering Platform

This paper provides information about the Windows Filtering Platform (WFP) for Microsoft Windows Vista.

WFP is a new architecture in Windows Vista that allows unprecedented access to the TCP/IP packet processing path, wherein outgoing and incoming packets can be examined or changed before allowing them to be processed further. By tapping into the TCP/IP processing path, ISVs can create firewalls, antivirus software, diagnostic software, and other types of applications and services.

WFP provides APIs so that third-party ISVs can participate in the filtering decisions that take place at several layers in the TCP/IP protocol stack and throughout the operating system. The platform also integrates and provides support for next-generation firewall features such as authenticated communication and dynamic firewall configuration based on applications’ use of the Windows Sockets API (application-based policy).  

WFP is not a firewall. It is a set of system services and APIs to enable firewalls to be developed by Microsoft and third parties. The Windows Firewall, the successor to the Internet Connection Firewall and Windows Firewall in Windows XP, will be built using WFP.

Why Should You Convert Your Applications and Services to WFP?

Windows Vista includes a completely new architecture for the TCP/IP protocol stack, which now is an integrated implementation of both IPv4 and IPv6, known as a dual Internet layer stack.

This means that the methods of accessing the TCP/IP protocol stack for packet processing have changed significantly. These methods include the firewall hook, the filter hook, and other methods that involve custom solutions based on reverse engineering the current Windows TCP/IP protocol stack. For correct operation and to perform the equivalent function in Windows Vista, you must change your application, service, or driver.

The specific methods for changing your existing code are described in the "Converting Applications to Use WFP" section of this paper. In most cases, it is a matter of mapping the current method of hooking into the TCP/IP packet processing path for the equivalent way for Windows Vista. For reverse-engineered solutions, you must either substantially revise the way in which your code works or take advantage of WFP to provide the equivalent functionality.

Although it might be inconvenient for you to have to revise your component, the new TCP/IP protocol and WFP architecture offer new opportunities for value-added components and applications that rely on the TCP/IP packet processing path, opportunities that might not have existed prior to Windows Vista.

The benefits of using WFP are the following:

•	You have a fine level of access control to the TCP/IP packet processing path.
•	Because WFP already provides a filtering engine, you do not have to build the filtering logic. You can just tap into the WFP filtering engine and concentrate on the value added by your component.
•	In previous and current versions of Windows, existing hooks into TCP/IP packet processing path are poorly documented and supported. Microsoft is committed to supporting WFP in Windows Vista.
•	When you use WFP instead of unconventional hooks into existing TCP/IP stack, there is much less risk of breaking your component with a service pack release.
•	It is much easier to implement a firewall or packet filtering value-added solution because the filtering logic and hooks into the various layers of the TCP/IP protocol are already in place.
•	Depending on your component, it might be possible to move it out of kernel mode and into user mode, in which a component crash does not affect the entire Windows system.
•	Because all the applications and services use the same filtering engine, it is easier to determine if there are other applications or services performing the same function. WFP Architecture Figure 1 shows the WFP architecture and where third-party applications, services, and drivers can plug in. Figure 1. Architecture of the WFP for Third-Party Components The WFP architecture consists of the following components: • Vista API Within the Vista API, there are filtering APIs that a third-party firewall or other application that performs packet filtering or processing can use to create filters within the Base Filtering Engine. An example of a WFP application is the proposed Windows Firewall, which replaces the Internet Connection Firewall in Windows XP prior to Service Pack 2 (SP2) and the Windows Firewall in Windows XP SP2 and later. • Base Filtering Engine This user-mode component implements the filter requests made by filtering applications by plumbing filters into the Generic Filter Engine. • Generic Filter Engine This kernel mode component within the new TCP/IP protocol stack stores the filters created by filtering applications via the Base Filtering Engine and interacts with the various layers of the new TCP/IP stack and the set of installed callout drivers. For example, as a packet is being processed up the new TCP/IP stack, each layer encountered contacts the Generic Filter Engine to see whether the packet is to be permitted or dropped. The Generic Filter Engine checks the configured filters and the installed callout modules to verify whether the packet is permitted or should be dropped. • Callout Modules Callout modules are used when just filtering the packet—checking the packet against filtering criteria to see whether the packet should be permitted or dropped—is not enough. Callout modules are needed when you need to perform deep inspection of packet contents or data modification. An example is antivirus software, which must inspect application layer data to ensure that no viruses or worms are present in the incoming data stream. There are two main ways that third-party ISVs can use the WFP architecture to build applications or service: • For applications and services that only perform filtering functions, all that is required is a user mode application or service that uses the Vista APIs to set filters at the appropriate layers in the new TCP/IP stack. No kernel mode callout drivers are needed. • For applications and services that perform deep packet content inspection or modification, you must create a user-mode application or service and one or more callout drivers. The user mode application or service uses the Vista APIs to set filters at the appropriate layers in the new TCP/IP stack, subject to further inspection by a specified callout driver. When incoming or outgoing traffic matches these filters, the Generic Filtering Engine hands the packet to the callout driver, which performs inspection or modification functions before handing the packet back to the Generic Filter Engine. Converting Applications to Use WFP The following table lists the ways in which existing third-party TCP/IP packet processing components written for the Windows XP or Windows Server 2003 TCP/IP protocol must be modified to work with the new WFP architecture. Changes to Existing Stack Interfaces Existing method New method NDIS intermediate driver NDIS layer in the new TCP/IP protocol stack (see Figure 1) Firewall hook or filter hook IP Transport or Forwarding layers TDI Application Layer Enforcement (ALE) Windows Sockets Layered Service Provider (one that is providing firewall functionality) ALE or Stream layer

Using WFP benefits you in the following situations:

•	Your component needs to examine TCP/IP traffic at a specific layer of the new TCP/IP protocol stack.
•	Your component works with encrypted traffic. A significant portion of the network traffic for Windows Vista will be encrypted. For example, all RPC traffic is encrypted by default in Windows Vista.
•	You want to perform packet processing after decryption.
•	You want to do IPv6 packet filtering, and want to take advantage of a built-in IPv6 filtering engine, rather than building one yourself. References Call to Action • For firewall and filtering developers: Convert your existing filtering or packet inspection drivers to use the new callout APIs in Windows Vista.

我下载的微软的WDK 8.1 和Visual Studio Professional 2013，在vs2012以后，微软已经把驱动编译器移植到vs中了，所以我只能安装新版本的wdk和vs。其实还有msbuild.exe方式来编译驱动，微软有路径：http://msdn.microsoft.com/en-us/library/windows/hardware/ff554644。

使用2013编译驱动还是很简单的。1、只要先选择编译方式

2、设置使用的目标操作系统：选择编译属性=》项目右键属性=》driver model setting=》

  

3、编译时候会有警告，我是先把警告不视为错误，就忽略过去了。可以载项目的属性里设置：

4、编译生成。

5、成功后，需要安装驱动，点击inspect.inf右键选择安装，安装后会遇见问题。

6、按照说明中的启动驱动的方式，命令行中输入：net start inspect 遇见错误提示。

原因是没有使用管理员启动命令行。启动方式昨天已经写了一个快捷方式，就是在运行中输入cmd然后按shift+ctrl+enter。

7、这次启动驱动时候会提示另外一个错误：

经过分析，原来是在安装的时候，有两个注册表项没有添加上去，一个是 是否允许通信permitTraffic，一个是禁止目标的ip地址remoteAddressToInspect。可以设置如下：

这次在输入启动驱动net start inspect 启动成功。

PS：问题分析，为什么会返回参数错误。

代码中，在驱动DriverEntry入口函数中，函数TLInspectLoadConfig对从注册表中取ip地址进行了判断，如果没有取得成功，则返回

status为失败。并会向外抛出STATUS_DEVICE_CONFIGURATION_ERROR错误。错误的意思是：输入输出设备配置错误或者驱动配置参数错误。如下：

所以，驱动最后会返回错误87。