第一个WFP驱动

最新推荐文章于 2024-04-16 11:12:11 发布
最新推荐文章于 2024-04-16 11:12:11 发布
阅读量586 收藏 1
点赞数 1
分类专栏: 驱动编程
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_41490873/article/details/108656845
版权

转载于原文地址

main.h

#ifndef __MAIN_H__
#define __MAIN_H__
 
#include <ntifs.h>
#include <ip2string.h>
 
#pragma warning(push)
#pragma warning(disable: 4201)
#pragma warning(disable: 4324)
#include <fwpsk.h>
#include <fwpmk.h>
#pragma warning(pop)
 
#define INITGUID
#include <guiddef.h>
 
// 
// Callout and sublayer GUIDs
//
 
DEFINE_GUID(
    SF_ALE_CONNECT_CALLOUT_V4,
    0x76b743d4,
    0x1249,
    0x4610,
    0xa6, 0x32, 0x6f, 0x9c, 0x4d, 0x08, 0xd2, 0x5a
    );
 
DEFINE_GUID(
    SF_ALE_RECV_ACCEPT_CALLOUT_V4,
    0x7ec7f7f5,
    0x1249,
    0x4614,
    0xa6, 0x32, 0x6f, 0x9c, 0x4d, 0x08, 0xd2, 0x5a
    );
    
DEFINE_GUID(
    SF_ALE_ESTABLISHED_CALLOUT_V4,
    0x7ec7f7f5,
    0x1249,
    0x4618,
    0xa6, 0x32, 0x6f, 0x9c, 0x4d, 0x08, 0xd2, 0x5a
    );
 
DEFINE_GUID(
    SF_SUBLAYER,
    0x7ec7f7f5,
    0x1249,
    0x4620,
    0xa6, 0x32, 0x6f, 0x9c, 0x4d, 0x08, 0xd2, 0x5a
    );
    
typedef enum _OP_TYPE
{
    OP_NONE = 0,
    OP_CONNECT = 1,
    OP_ACCEPT = 2,
    OP_ESTABLISHED = 3,
}OP_TYPE;
 
typedef struct _CALLOUT_INFO
{
    LIST_ENTRY    List;
    LARGE_INTEGER Time;
    OP_TYPE       Type;
    ULONG         ProcessId; 
    //UINT64        calloutId;       
    ULONG         localAddressV4;
    USHORT        localPort;
    ULONG         remoteAddressV4;
    USHORT        remotePort;
    USHORT        ipProto;    
    WCHAR         ProcessPath[1];
} CALLOUT_INFO, *PCALLOUT_INFO;
 
NTSTATUS
DriverEntry(
    __in PDRIVER_OBJECT DriverObject,
    __in PUNICODE_STRING RegistryPath
    );
 
VOID 
DriverUnload(
    __in PDRIVER_OBJECT DriverObject
    );
 
NTSTATUS
DeviceDispatch(
    __in PDEVICE_OBJECT DeviceObject,
    __in PIRP Irp
    );
 
NTSTATUS
SFRegistryCallouts(
    __in PDEVICE_OBJECT DeviceObject
    );
 
void
SFDeregistryCallouts(
    __in PDEVICE_OBJECT DeviceObject
    );
 
NTSTATUS
SFRegisterALEClassifyCallouts(
    __in const GUID* layerKey,
    __in const GUID* calloutKey,
    __in void* DeviceObject,
    __out UINT32* calloutId
    );
    
NTSTATUS
SFAddFilter(
    __in const wchar_t* filterName,
    __in const wchar_t* filterDesc,
    __in const GUID* layerKey,
    __in const GUID* calloutKey
    );
 
NTSTATUS
SFALEConnectNotify(
    __in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    __in const GUID* filterKey,
    __in const FWPS_FILTER0* filter
    );
 
NTSTATUS
SFALERecvAcceptNotify(
    __in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    __in const GUID* filterKey,
    __in const FWPS_FILTER0* filter
    );
 
NTSTATUS
SFALEEstablishedNotify(
    __in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    __in const GUID* filterKey,
    __in const FWPS_FILTER0* filter
    );
    
void
SFALEConnectClassify(
    __in const FWPS_INCOMING_VALUES0* inFixedValues,
    __in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
    __inout void* layerData,
    __in const FWPS_FILTER0* filter,
    __in UINT64 flowContext,
    __in FWPS_CLASSIFY_OUT0* classifyOut
    );
    
void
SFALERecvAcceptClassify(
    __in const FWPS_INCOMING_VALUES0* inFixedValues,
    __in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
    __inout void* layerData,
    __in const FWPS_FILTER0* filter,
    __in UINT64 flowContext,
    __inout FWPS_CLASSIFY_OUT0* classifyOut
    );
    
void
SFALEEstablishedClassify(
    __in const FWPS_INCOMING_VALUES0* inFixedValues,
    __in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
    __inout void* layerData,
    __in const FWPS_FILTER0* filter,
    __in UINT64 flowContext,
    __inout FWPS_CLASSIFY_OUT0* classifyOut
    );
    
VOID
ThreadStart(
   IN PVOID StartContext
   );
    
#endif//__MAIN_H__

main.c

#include "main.h"

HANDLE     gInjectionHandle;
HANDLE     gEngineHandle;
UINT32     gAleConnectCalloutIdV4;
UINT32     gAleRecvAcceptCalloutIdV4;
UINT32     gAleEstablishedCalloutIdV4;

LIST_ENTRY gCalloutInfoList;
KSPIN_LOCK gCalloutInfoLock;
KEVENT     gWorkerEvent;

NTSTATUS
DriverEntry(
__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegistryPath
)
{
	PDEVICE_OBJECT  DeviceObject = NULL;
	NTSTATUS        Status;
	HANDLE          ThreadHandle;
	UNICODE_STRING  DeviceName;

	//
	// Initialize the driver object with this driver's entry points.
	//

	DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceDispatch;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceDispatch;
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceDispatch;

	DriverObject->DriverUnload = DriverUnload;

	//
	//  Create control device object
	//

	RtlInitUnicodeString(&DeviceName, L"\\Device\\NetFlow");

	Status = IoCreateDevice(DriverObject,
		sizeof(HANDLE)+sizeof(LONG),
		&DeviceName,
		FILE_DEVICE_UNKNOWN,
		FILE_DEVICE_SECURE_OPEN,
		FALSE,
		&DeviceObject);

	if (NT_SUCCESS(Status))
	{
		InitializeListHead(&gCalloutInfoList);
		KeInitializeSpinLock(&gCalloutInfoLock);
		KeInitializeEvent(&gWorkerEvent, NotificationEvent, FALSE); //KdBreakPoint();

		Status = SFRegistryCallouts(DeviceObject);

		if (NT_SUCCESS(Status))
		{
			*(PLONG)((PCH)DeviceObject->DeviceExtension + sizeof(HANDLE)) = FALSE;

			Status = PsCreateSystemThread(&ThreadHandle,
				THREAD_ALL_ACCESS,
				NULL,
				NULL,
				NULL,
				ThreadStart,
				(PVOID)((PCH)DeviceObject->DeviceExtension + sizeof(HANDLE)));
			if (!NT_SUCCESS(Status))
			{
				SFDeregistryCallouts(DeviceObject);
			}
			else
			{
				*(PHANDLE)DeviceObject->DeviceExtension = ThreadHandle;
			}
		}

		if (!NT_SUCCESS(Status))
		{
			IoDeleteDevice(DeviceObject);
		}
	}

	return Status;
}

VOID
DriverUnload(
__in PDRIVER_OBJECT DriverObject
)
{
	KIRQL          OldIrql;
	PLIST_ENTRY    lpEntry;
	PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
	HANDLE         ThreadHandle = *(PHANDLE)DeviceObject->DeviceExtension;
	PLONG          pbUnloading = (PLONG)((PCH)DeviceObject->DeviceExtension + sizeof(HANDLE));

	SFDeregistryCallouts(DeviceObject);

	InterlockedExchange(pbUnloading, TRUE);
	KeSetEvent(&gWorkerEvent, IO_NO_INCREMENT, FALSE);

	ZwWaitForSingleObject(ThreadHandle, FALSE, NULL);
	ZwClose(ThreadHandle);

	KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
	while (!IsListEmpty(&gCalloutInfoList))
	{
		lpEntry = RemoveHeadList(&gCalloutInfoList);

		KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

		ExFreePoolWithTag(lpEntry, ' lT ');

		KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
	}
	KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

	IoDeleteDevice(DeviceObject);
}

NTSTATUS
DeviceDispatch(
__in PDEVICE_OBJECT DeviceObject,
__in PIRP Irp
)
{
	PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(Irp);
	NTSTATUS Status = STATUS_NOT_SUPPORTED;

	Irp->IoStatus.Information = 0;

	switch (irpsp->MajorFunction)
	{
	case IRP_MJ_CREATE:
	case IRP_MJ_CLOSE:
		Status = STATUS_SUCCESS;
		break;
	case IRP_MJ_DEVICE_CONTROL:
		Status = STATUS_INVALID_DEVICE_REQUEST;
		break;
	}

	Irp->IoStatus.Status = Status;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);
	return Status;
}

NTSTATUS
SFRegistryCallouts(
__in PDEVICE_OBJECT DeviceObject
)
{
	NTSTATUS        Status = STATUS_SUCCESS;
	BOOLEAN         EngineOpened = FALSE;
	BOOLEAN         InTransaction = FALSE;
	FWPM_SESSION0   Session = { 0 };
	FWPM_SUBLAYER0  FirewallSubLayer;

	Session.flags = FWPM_SESSION_FLAG_DYNAMIC;

	Status = FwpmEngineOpen0(NULL,
		RPC_C_AUTHN_WINNT,
		NULL,
		&Session,
		&gEngineHandle);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	EngineOpened = TRUE;

	Status = FwpmTransactionBegin0(gEngineHandle, 0);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	InTransaction = TRUE;

	RtlZeroMemory(&FirewallSubLayer, sizeof(FWPM_SUBLAYER0));

	FirewallSubLayer.subLayerKey = SF_SUBLAYER;
	FirewallSubLayer.displayData.name = L"Transport SimpleFirewall Sub-Layer";
	FirewallSubLayer.displayData.description = L"Sub-Layer for use by Transport SimpleFirewall callouts";
	FirewallSubLayer.flags = 0;
	FirewallSubLayer.weight = 0;

	Status = FwpmSubLayerAdd0(gEngineHandle, &FirewallSubLayer, NULL);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	Status = SFRegisterALEClassifyCallouts(&FWPM_LAYER_ALE_AUTH_CONNECT_V4,
		&SF_ALE_CONNECT_CALLOUT_V4,
		DeviceObject,
		&gAleConnectCalloutIdV4);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	Status = SFRegisterALEClassifyCallouts(&FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
		&SF_ALE_RECV_ACCEPT_CALLOUT_V4,
		DeviceObject,
		&gAleRecvAcceptCalloutIdV4);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	Status = SFRegisterALEClassifyCallouts(&FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4,
		&SF_ALE_ESTABLISHED_CALLOUT_V4,
		DeviceObject,
		&gAleEstablishedCalloutIdV4);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	Status = FwpmTransactionCommit0(gEngineHandle);

	if (!NT_SUCCESS(Status))
	{
		goto Exit;
	}

	InTransaction = FALSE;

Exit:

	if (!NT_SUCCESS(Status))
	{
		if (InTransaction)
		{
			FwpmTransactionAbort0(gEngineHandle);
		}

		if (EngineOpened)
		{
			FwpmEngineClose0(gEngineHandle);
			gEngineHandle = NULL;
		}
	}

	return Status;
}

void
SFDeregistryCallouts(
__in PDEVICE_OBJECT DeviceObject
)
{
	UNREFERENCED_PARAMETER(DeviceObject);

	FwpmEngineClose0(gEngineHandle);
	gEngineHandle = NULL;

	FwpsCalloutUnregisterById0(gAleConnectCalloutIdV4);
	FwpsCalloutUnregisterById0(gAleRecvAcceptCalloutIdV4);
	FwpsCalloutUnregisterById0(gAleEstablishedCalloutIdV4);
}

NTSTATUS
SFRegisterALEClassifyCallouts(
__in const GUID* layerKey,
__in const GUID* calloutKey,
__in void* DeviceObject,
__out UINT32* calloutId
)
{
	NTSTATUS Status = STATUS_SUCCESS;

	FWPS_CALLOUT0 sCallout = { 0 };
	FWPM_CALLOUT0 mCallout = { 0 };

	FWPM_DISPLAY_DATA0 DisplayData = { 0 };

	BOOLEAN calloutRegistered = FALSE;

	sCallout.calloutKey = *calloutKey;

	if (IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4))
	{
		sCallout.classifyFn = SFALEConnectClassify;
		sCallout.notifyFn = SFALEConnectNotify;
	}
	else if (IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4))
	{
		sCallout.classifyFn = SFALERecvAcceptClassify;
		sCallout.notifyFn = SFALERecvAcceptNotify;
	}
	else
	{
		sCallout.classifyFn = SFALEEstablishedClassify;
		sCallout.notifyFn = SFALEEstablishedNotify;
	}

	Status = FwpsCalloutRegister0(DeviceObject,
		&sCallout,
		calloutId);

	if (NT_SUCCESS(Status))
	{
		DisplayData.name = L"Transport SimpleFirewall ALE Classify Callout";
		DisplayData.description = L"Intercepts inbound or outbound connect attempts";

		mCallout.calloutKey = *calloutKey;
		mCallout.displayData = DisplayData;
		mCallout.applicableLayer = *layerKey;

		Status = FwpmCalloutAdd0(gEngineHandle,
			&mCallout,
			NULL,
			NULL);

		if (NT_SUCCESS(Status))
		{
			//没有Filter(FwpmFilterAdd0), ClassifyFn/NotifyFn就处于未激活状态

			Status = SFAddFilter(L"Transport SimpleFirewall ALE Classify",
				L"Intercepts inbound or outbound connect attempts",
				layerKey,
				calloutKey);
		}

		if (!NT_SUCCESS(Status))
		{
			FwpsCalloutUnregisterById0(*calloutId);
			*calloutId = 0;
		}
	}

	return Status;
}

NTSTATUS
SFAddFilter(
__in const wchar_t* filterName,
__in const wchar_t* filterDesc,
__in const GUID* layerKey,
__in const GUID* calloutKey
)
{
	FWPM_FILTER0 Filter = { 0 };

	Filter.layerKey = *layerKey;
	Filter.displayData.name = (wchar_t*)filterName;
	Filter.displayData.description = (wchar_t*)filterDesc;

	Filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
	Filter.action.calloutKey = *calloutKey;
	Filter.subLayerKey = SF_SUBLAYER;
	Filter.weight.type = FWP_EMPTY;
	Filter.rawContext = 0;

	return FwpmFilterAdd0(gEngineHandle, &Filter, NULL, NULL);
}

NTSTATUS
SFALERecvAcceptNotify(
__in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
__in const GUID* filterKey,
__in const FWPS_FILTER0* filter
)
{
	UNREFERENCED_PARAMETER(notifyType);
	UNREFERENCED_PARAMETER(filterKey);
	UNREFERENCED_PARAMETER(filter);

	return STATUS_SUCCESS;
}

NTSTATUS
SFALEConnectNotify(
__in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
__in const GUID* filterKey,
__in const FWPS_FILTER0* filter
)
{
	UNREFERENCED_PARAMETER(notifyType);
	UNREFERENCED_PARAMETER(filterKey);
	UNREFERENCED_PARAMETER(filter);

	return STATUS_SUCCESS;
}

NTSTATUS
SFALEEstablishedNotify(
__in FWPS_CALLOUT_NOTIFY_TYPE notifyType,
__in const GUID* filterKey,
__in const FWPS_FILTER0* filter
)
{
	UNREFERENCED_PARAMETER(notifyType);
	UNREFERENCED_PARAMETER(filterKey);
	UNREFERENCED_PARAMETER(filter);

	return STATUS_SUCCESS;
}

void
SFALEConnectClassify(
__in const FWPS_INCOMING_VALUES0* inFixedValues,
__in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
__inout void* layerData,
__in const FWPS_FILTER0* filter,
__in UINT64 flowContext,
__in FWPS_CLASSIFY_OUT0* classifyOut
)
{
	NTSTATUS status = STATUS_SUCCESS;
	KIRQL    OldIrql;
	UINT32   index;
	ULONG    Length;
	PCALLOUT_INFO Info;


	//classifyOut->actionType = FWP_ACTION_CONTINUE;
	classifyOut->actionType = FWP_ACTION_PERMIT;

	//
	// We don't have the necessary right to alter the classify, exit.
	//
	if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
	{
		return;
	}

	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
	{
		return;
	}
	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH))
	{
		return;
	}

	Length = sizeof(CALLOUT_INFO)+inMetaValues->processPath->size;
	Info = ExAllocatePoolWithTag(NonPagedPool, Length, ' lT ');

	if (Info == NULL)
	{
		return;
	}

	RtlZeroMemory(Info, Length);
	RtlCopyMemory(Info->ProcessPath, inMetaValues->processPath->data, inMetaValues->processPath->size);

	Info->Type = OP_CONNECT;
	Info->ProcessId = (ULONG)inMetaValues->processId;

	index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS;
	Info->localAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT;
	Info->localPort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS;
	Info->remoteAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT;
	Info->remotePort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL;
	Info->ipProto = inFixedValues->incomingValue[index].value.uint8;

	KeQuerySystemTime(&Info->Time);
	InitializeListHead(&Info->List);

	KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
	InsertTailList(&gCalloutInfoList, &Info->List);
	KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

	//if ( KeGetCurrentIrql() <= APC_LEVEL )
	{
		KeSetEvent(&gWorkerEvent, IO_NO_INCREMENT, FALSE);
	}
}

void
SFALERecvAcceptClassify(
__in const FWPS_INCOMING_VALUES0* inFixedValues,
__in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
__inout void* layerData,
__in const FWPS_FILTER0* filter,
__in UINT64 flowContext,
__inout FWPS_CLASSIFY_OUT0* classifyOut
)
{
	NTSTATUS status = STATUS_SUCCESS;
	KIRQL    OldIrql;
	UINT32   index;
	ULONG    Length;
	PCALLOUT_INFO Info;


	//classifyOut->actionType = FWP_ACTION_CONTINUE;
	classifyOut->actionType = FWP_ACTION_PERMIT;

	//
	// We don't have the necessary right to alter the classify, exit.
	//
	if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
	{
		return;
	}

	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
	{
		return;
	}
	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH))
	{
		return;
	}

	Length = sizeof(CALLOUT_INFO)+inMetaValues->processPath->size;
	Info = ExAllocatePoolWithTag(NonPagedPool, Length, ' lT ');

	if (Info == NULL)
	{
		return;
	}

	RtlZeroMemory(Info, Length);
	RtlCopyMemory(Info->ProcessPath, inMetaValues->processPath->data, inMetaValues->processPath->size);

	Info->Type = OP_ACCEPT;
	Info->ProcessId = (ULONG)inMetaValues->processId;

	index = FWPS_FIELD_ALE_AUTH_RECV_ACCEPT_V4_IP_LOCAL_ADDRESS;
	Info->localAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_AUTH_RECV_ACCEPT_V4_IP_LOCAL_PORT;
	Info->localPort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_AUTH_RECV_ACCEPT_V4_IP_REMOTE_ADDRESS;
	Info->remoteAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_AUTH_RECV_ACCEPT_V4_IP_REMOTE_PORT;
	Info->remotePort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_AUTH_RECV_ACCEPT_V4_IP_PROTOCOL;
	Info->ipProto = inFixedValues->incomingValue[index].value.uint8;

	KeQuerySystemTime(&Info->Time);
	InitializeListHead(&Info->List);

	KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
	InsertTailList(&gCalloutInfoList, &Info->List);
	KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

	//if ( KeGetCurrentIrql() <= APC_LEVEL )
	{
		KeSetEvent(&gWorkerEvent, IO_NO_INCREMENT, FALSE);
	}
}

void
SFALEEstablishedClassify(
__in const FWPS_INCOMING_VALUES0* inFixedValues,
__in const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
__inout void* layerData,
__in const FWPS_FILTER0* filter,
__in UINT64 flowContext,
__inout FWPS_CLASSIFY_OUT0* classifyOut
)
{
	NTSTATUS status = STATUS_SUCCESS;
	KIRQL    OldIrql;
	UINT32   index;
	ULONG    Length;
	PCALLOUT_INFO Info;

	//classifyOut->actionType = FWP_ACTION_CONTINUE;
	classifyOut->actionType = FWP_ACTION_PERMIT;

	//
	// We don't have the necessary right to alter the classify, exit.
	//
	if ((classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) == 0)
	{
		return;
	}

	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
	{
		return;
	}
	if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH))
	{
		return;
	}

	Length = sizeof(CALLOUT_INFO)+inMetaValues->processPath->size;
	Info = ExAllocatePoolWithTag(NonPagedPool, Length, ' lT ');

	if (Info == NULL)
	{
		return;
	}

	RtlZeroMemory(Info, Length);
	RtlCopyMemory(Info->ProcessPath, inMetaValues->processPath->data, inMetaValues->processPath->size);

	Info->Type = OP_ESTABLISHED;
	Info->ProcessId = (ULONG)inMetaValues->processId;

	index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_ADDRESS;
	Info->localAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_PORT;
	Info->localPort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_ADDRESS;
	Info->remoteAddressV4 = RtlUlongByteSwap(inFixedValues->incomingValue[index].value.uint32);

	index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_PORT;
	Info->remotePort = inFixedValues->incomingValue[index].value.uint16;

	index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_PROTOCOL;
	Info->ipProto = inFixedValues->incomingValue[index].value.uint8;

	KeQuerySystemTime(&Info->Time);
	InitializeListHead(&Info->List);

	KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
	InsertTailList(&gCalloutInfoList, &Info->List);
	KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

	//if ( KeGetCurrentIrql() <= APC_LEVEL )
	{
		KeSetEvent(&gWorkerEvent, IO_NO_INCREMENT, FALSE);
	}
}

VOID
HandleCalloutInfo(
IN PVOID Context
)
{
	PCWSTR OpType[4] = { L"N/A", L"Connect", L"Accept", L"Established" };
	PCALLOUT_INFO Info = Context;

	WCHAR szlocalAddressV4[24] = { 0 };
	WCHAR szremoteAddressV4[24] = { 0 };

	RtlIpv4AddressToStringW((PIN_ADDR)&Info->localAddressV4, szlocalAddressV4);
	RtlIpv4AddressToStringW((PIN_ADDR)&Info->remoteAddressV4, szremoteAddressV4);

	DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[@] %ws(%d) <-%d-> %ws(%d), %ws : %d, %ws\r\n",
		szlocalAddressV4,
		Info->localPort,
		Info->ipProto,
		szremoteAddressV4,
		Info->remotePort,
		OpType[Info->Type],
		Info->ProcessId,
		Info->ProcessPath);
}

VOID
ThreadStart(
IN PVOID StartContext
)
{
	PLONG         pbUnloading = StartContext;
	LARGE_INTEGER Interval = { (ULONG)(-5 * 1000 * 1000 * 10), -1 };
	KIRQL         OldIrql;
	PLIST_ENTRY   lpEntry;

	while (TRUE)
	{
		KeWaitForSingleObject(&gWorkerEvent, Executive, KernelMode, FALSE, &Interval);

		if (InterlockedCompareExchange(pbUnloading, TRUE, TRUE))
		{
			break;
		}

		KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
		while (!IsListEmpty(&gCalloutInfoList))
		{
			lpEntry = RemoveHeadList(&gCalloutInfoList);

			KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);

			HandleCalloutInfo(lpEntry);

			ExFreePoolWithTag(lpEntry, ' lT ');

			KeAcquireSpinLock(&gCalloutInfoLock, &OldIrql);
		}
		KeReleaseSpinLock(&gCalloutInfoLock, OldIrql);
	}
}

sources文件

TARGETNAME=netflow
TARGETTYPE=DRIVER
TARGETPATH=..
 
INCLUDES=\
   $(DDK_INC_PATH);
 
TARGETLIBS=\
    $(DDK_LIB_PATH)\ntoskrnl.lib \
    $(DDK_LIB_PATH)\ndis.lib \
    $(DDK_LIB_PATH)\fwpkclnt.lib \
    $(SDK_LIB_PATH)\uuid.lib
 
C_DEFINES=$(C_DEFINES) -DBINARY_COMPATIBLE=0 -DNT -DUNICODE -D_UNICODE -DNDIS60 -DNDIS_SUPPORT_NDIS6
 
SOURCES = main.c

使用WDK7600 checked 64编译通过,win7 64正常运行
有多个源文件的情况下sources需要像下面这么编写

SOURCES = TL_drv.c\
inspect.c\
utils.c
qq_857305819
关注
  • 1
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
NetFilter SDK 1.4.0.0 + ProtocolFilters 1.0.8.1 - Full Sources.7z
06-22
NetFilter SDK 1.4.0.0 + ProtocolFilters 1.0.8.1 - Full Sources.7z
基于WFP等网络驱动实现局域网内所有设备通过代理上网
fanxiushu的专栏
10-15 3141
by fanxiushu 2020-10-13 转载或引用请注明原始作者 开始之前,我们先来理解标题是什么意思。 这里所说的局域网内的所有设备通过代理上网,并不是在每台设备上安装某个代理软件然后再通过代理服务端来上网。 而是所有这些设备的网关IP设置到某个主机上,这样所有设备的网络数据都会转发到这个主机上。 而这个主机的软件再通过代理服务端转发所有这些设备的网络数据...
WFP学习记录
weixin_34315189的博客
03-26 604
为什么80%的码农都做不了架构师?>>> ...
VS驱动开发错误解决
jmhIcoding
03-07 876
1. NET_BUFFER_LIST未定义 方法:在内核的入口处,所有include 之前添加如下代码: #define NDIS620 例如在DriverEntry 函数定义的文件最开始添加。 #define NDIS620 #include &lt;ntddk.h&gt; #include &lt;fwpsk.h&gt; #include &lt;fwpmk.h&gt; #include &...
wfp 驱动编译报错 解决方案.
苦逼码农
11-08 4372
C:\Program Files (x86)\Windows Kits\8.0\Include\KM\fwpsk.h(2075): error C2065: “NET_BUFFER_LIST”: 未声明的标识符 1>C:\Program Files (x86)\Windows Kits\8.0\Include\KM\fwpsk.h(2075): error C2065: “packetList”
WFP驱动--进程规则拦截
03-20
1. **注册提供者**: 开发者首先需要编写一个WFP驱动,注册为WFP提供者,这样驱动就可以接收来自WFP的事件通知。 2. **定义过滤条件**: 过滤条件是拦截操作的基础,可以基于进程ID、文件名、网络地址等多种因素设置...
WinPcap-NDIS-WFP-Drivers-master_NDISWFP_ndis_wfp_wfp驱动_WFPNDIS_源
10-03
总之,这个源代码包为那些希望深入理解Windows网络驱动开发的开发者提供了一个宝贵的实践平台,可以帮助他们掌握WinPcap、NDIS和WFP的精髓,从而在网络安全、监控和性能优化等领域发挥出更大的创造力。通过学习和...
wfp驱动网络防火墙监控参考
06-13
wfp驱动网络防火墙监控参考,详细代码涉及到了防火墙,网络过滤等,只做参考使用。
WFP-Traffic-Redirection-Driver:WFP流量重定向驱动程序用于基于Windows筛选平台(WFP)重定向网络层和成帧层上的NIC流量
05-09
WFP流量重定向驱动程序WFP流量重定向驱动程序用于基于Windows筛选平台(WFP)重定向网络层和成帧层上的NIC流量。 该项目是从派生的。特征灵活且可配置反流量嗅探(WinPcap / Npcap / Rawsock嗅探)如何建立/部署要求...
wfp_wfp_
09-29
【标题】:“wfp_wfp_” 指的可能是 Windows Filtering Platform (WFP) 的相关文档,这是一个在Windows操作系统中用于网络数据包过滤和网络安全的重要组件。 【描述】:“wfp使用文档,包含创建和使用,中文ppt” ...
SuperDriver_防火墙_windowsdriver_firewall_wfp
09-11
WFP网络驱动防火墙源码,可以拿去参考
一个完整的WFP驱动(详细注释)
qq_41490873的博客
11-14 3266
#include <ntddk.h> #pragma warning(push) #pragma warning(disable:4201) // unnamed struct/union #pragma warning(disable:4995) #include <fwpsk.h> #pragma warning(pop) #include <ndis.h> #include <fwpmk.h> #include <limits.h&gt
驱动开发】Windows过滤平台(WFP,Windows Filtering Platform)
qq_42814021的博客
04-13 2787
TDI:Transport Driver Interface,传输层接口。TDI在Windows Vista之后就不再支持了,之后的版本中被WFP取代。socket可以指定某种方式开始传输用户的数据(比如TCP或UDP),这就是传输层。传输层的特点是:用户只需要关心实际需要传输的用户数据,而不用担心数据实际的发送次数、如何封装、如何确定发送正确性、出错何重发等。Windows过滤平台(Windows Filter Platform),是从Vista系统后新增的一套系统API和服务,为网络数据包过滤。
WFP 驱动翻译第一章-关于Windows网络流量处理平台
weixin_42133300的博客
10-26 362
WFP过滤驱动的学习。MSDN的翻译比较生硬,其他的博客可能又没有形成体系,所以,我来了。
驱动开发:内核封装WFP防火墙入门
CSDN
06-08 9471
注册了一个过滤点,此处我们必须要注意三个回调函数,classifyFn, notifyFn, flowDeleteFn 他们分别的功能时,事前回调,事后回调,事后回调,而WFP框架中我们最需要注意的也就是对这三个函数进行重定义,也就是需要重写函数来实现我们特定的功能。事前更重要一些,如果需要监控网络流量则需要在事前函数中做处理,而如果是监视则可以在事后做处理,既然要在事前进行处理,那么我们就来看看事前是如何处理的流量。当有新的网络数据包路由到事前函数时,程序中会通过如下案例直接得到我们所需要的数据包头,
windows网络驱动开发
最新发布
wwpp的博客
04-16 630
Windows过滤平台(Windows Filtering Platform, WFP),是从Vista系统后新增的一套系统API和服务。开发者可以在WFP框架已划分的不同分层中进行网络数据包,以实现防火墙、入侵检测系统、网络监控等软件。(Windows内核安全与驱动开发)
Windows驱动_WFP之四WFP代码基本流程的剖析
Z18_28_19的专栏
10-23 1万+
总说程序员是孤独的,因为,大部分的时间都在和机器打交道。大部分的时间都在自言自语。我的内心需要足够的强大。这种强大时建立的自信的基础上的。而自信又是建立在实力基础上的。实力又是建立在积累的基础上。积累又是建立在时间的基础上。所以归根结底,就是,需要花费更多的时间。第二,需要有足够的兴趣爱好。这两点对于现在的我来说,都有。既然,自己选择了这条路,就应该义无反顾的走下去,坚持的走下去。孤独,我不怕,困
Windows过滤驱动 WFP代码基本流程的剖析 bypass前期准备
sway913的博客
05-12 2148
今天实际看一下,WFP的Callout驱动的代码。先从DriverEntry开始: 1,在DriverEntry需要创建驱动对象和设备对象, 1.1 由于不是PNP设备,需要设置创建驱动对象的标志为config.DriverInitFlags |= WdfDriverInitNonPnpDriver. 1.2 调用WdfDriverCreate创建驱动对象。 1.3 调用WdfControlDeviceInitAllocate通过驱动对象创建 WDFDEVICE_IN...
Windows驱动_WFP之一WFP是什么
热门推荐
Z18_28_19的专栏
10-10 2万+
每天进步一点点,一步一步来,慢慢的就会有从量变到质变的过程。我应该勇于去接受挑战,这个世界,没有人会同情弱者,只会去赞美强者,羡慕强者。适者生存。如果你不想被世界淘汰。那就赶紧去淘汰别人,淘汰你身边的人。克服你的困难。做坚强的自己。                 现在的网络安全问题,越来越受到重视,微软在VISTA以后,使用了WFP平台来代替之前XP和03中的基于包过滤的技术,比如Tran
写一个WFP驱动,拦截网络
02-07
要写一个 WFP 驱动,需要先学习 Windows 驱动开发的相关知识,了解 WFP 的工作原理和使用方法。 简单地说,WFP 驱动的开发步骤如下: 1. 实现 WFP 驱动的核心功能 2. 在 Windows 中注册驱动 3. 在 WFP 中注册过滤器...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值