基于WDF驱动模型使用WFP框架进行网络层数据修改

已于 2022-07-20 15:52:09 修改
阅读量2.7k 收藏 15
点赞数 7
分类专栏: Windows开发 驱动开发 文章标签: c语言 驱动开发 网络
于 2022-07-20 15:41:51 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/sunkaijie123/article/details/125892261
版权

一、WDF驱动模型介绍:

        WDF驱动模型是微软推出的驱动程序开发环境,是Vista及其以后OS的驱动模型。在visia之前win2000之后用的是WDM驱动模型。WDF是以WDM为基础进行了建模和封装,降低了开发难度。WDF将驱动程序与操作系统内核之间进行了分离,驱动程序与操作系统交互工作交给框架内封装的方法(函数)完成,这样驱动开发者只需专注处理硬件的行为即可。

二、WFP网络过滤平台介绍:

        WFP网络过滤平台是一组 API 和系统服务,提供用于创建网络筛选应用程序的平台。 WFP API 允许开发人员编写与操作系统网络堆栈中多个层发生的数据包处理交互的代码。 可以在网络数据到达目标之前对其进行筛选和修改。WFP 旨在取代以前的数据包筛选技术,例如LSP、TDI(不能对包内容进行查看,只能对已知协议进行过滤)、NDIS Filter(需要与TDI配合才能查看进程信息)。 

        WFP有一个内置的过滤引擎(Filter Engine)提供支持。该框架包括用户层API和内核层API,应用层可以使用该框架完成简单过滤,涉及包内容修改等需要在内核完成。(例如开源项目windivert,本文代码主要借鉴该项目过滤思想)。

        WFP在TCP/IP栈各个位置添加了垫片(Shim),使得整个网络数据从应用层生成到发送至网卡,或者从网卡接收数据到应用层收到数据,WFP都能够通过Shim拿到关于数据的信息以及相关数据。即在不同的分层(Layer)能够获取不同的数据那么,我们可以在感兴趣的位置,注册callout,进行过滤。

三、常见分层标识 

数据层:
FWPM_LAYER_STREAM_V4
FWPM_LAYER_DATAGRAM_DATA_V4
ALE
FWPM_LAYER_ALE_AUTH_CONNECT_V4
FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
传输层
FWPM_LAYER_INBOUND_TRANSPORT_V4
FWPM_LAYER_ OUT BOUND_TRANSPORT_V4
网络层
FWPM_LAYER_INBOUND_IPPACKET_V4

                FWPM_LAYER_OUTBOUND_IPPACKET_V4

四、示意图     

          

 五、开发流程

        主要针对网络层的子层FWPM_LAYER_INBOUND_IPPACKET_V4和FWPM_LAYER_OUTBOUND_IPPACKET_V4进行数据拦截、修改和注入。主要流程为:

  • WDF驱动模型初始化
  • 注册WFP子层
  • 打开过滤引擎
  • 注册呼出函数
  • 在呼出函数中对拦截到的数据进行解析,修改
  • 将修改后的数据重新注入到原始路径

下面是各模块主要代码:

        1、WDF驱动模型初始化

WDF_DRIVER_CONFIG_INIT(&config,
                           WDF_NO_EVENT_CALLBACK
                           );

    config.DriverInitFlags |= WdfDriverInitNonPnpDriver;
    config.EvtDriverUnload = DrEnc_unload;
    // 创建驱动对象
    status = WdfDriverCreate(DriverObject,
                             RegistryPath,
                             WDF_NO_OBJECT_ATTRIBUTES,
                             &config,
                             &driver
                             );

    if (!NT_SUCCESS(status)) 
    {
        goto driver_entry_exit;
    }

    // 分配一个WDFDEVICE_INIT结构,驱动程序在创建一个新的控制设备对象时使用这个结构。
    device_init = WdfControlDeviceInitAllocate(driver,
        &SDDL_DEVOBJ_SYS_ALL_ADM_ALL);
    if (device_init == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("[DrEnc] failed to allocate WDF control device init structure\n"));
        goto driver_entry_exit;
    }
    // 为指定的设备设置设备类型。
    WdfDeviceInitSetDeviceType(device_init, FILE_DEVICE_NETWORK);
    // 设置驱动程序如何访问包含在指定设备的读写请求中的数据缓冲区的方法或首选项。WdfDeviceIoDirect:直接I/O将用于访问数据缓冲区。
    WdfDeviceInitSetIoType(device_init, WdfDeviceIoDirect);
    // 将设备名称分配给设备的设备对象。
    status = WdfDeviceInitAssignName(device_init, &device_name);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WDF device name\n"));
        WdfDeviceInitFree(device_init);
        goto driver_entry_exit;
    }

    WDF_OBJECT_ATTRIBUTES_INIT(&obj_attrs);
    // 创建一个框架设备对象。
    status = WdfDeviceCreate(&device_init, &obj_attrs, &device);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WDF control device\n"));
        WdfDeviceInitFree(device_init);
        goto driver_entry_exit;
    }

    WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE(&queue_config,
        WdfIoQueueDispatchParallel);
    queue_config.EvtIoRead = NULL;
    queue_config.EvtIoWrite = NULL;
    queue_config.EvtIoDeviceControl = DrEnc_ioctl;
    WDF_OBJECT_ATTRIBUTES_INIT(&obj_attrs);
    obj_attrs.ExecutionLevel = WdfExecutionLevelPassive;
    obj_attrs.SynchronizationScope = WdfSynchronizationScopeNone;
    // 为指定设备创建和配置I/O队列
    status = WdfIoQueueCreate(device, &queue_config, &obj_attrs, &queue);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create default WDF queue\n"));
        goto driver_entry_exit;
    }
    // 创建到指定设备的符号链接
    status = WdfDeviceCreateSymbolicLink(device, &dos_device_name);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create device symbolic link\n"));
        goto driver_entry_exit;
    }
    // 通知框架驱动程序已经完成了指定控制设备对象的初始化
    WdfControlFinishInitializing(device);

        2、注册WFP子层

// 创建一个句柄,该句柄可用于报文注入函数将报文或流数据注入到TCP/IP网络栈中,
    // 也可用于FwpsQueryPacketInjectionState函数查询报文注入状态。
    status = FwpsInjectionHandleCreate(AF_INET,
        FWPS_INJECTION_TYPE_NETWORK | FWPS_INJECTION_TYPE_FORWARD,
        &inject_handle_forward);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WFP forward packet injection handle, %ld\n", status));
        goto driver_entry_exit;
    }
    status = FwpsInjectionHandleCreate(AF_INET,
        FWPS_INJECTION_TYPE_NETWORK | FWPS_INJECTION_TYPE_FORWARD,
        &inject_handle_in);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WFP inbound packet injection handle, %ld\n", status));
        goto driver_entry_exit;
    }
    status = FwpsInjectionHandleCreate(AF_INET,
        FWPS_INJECTION_TYPE_NETWORK | FWPS_INJECTION_TYPE_FORWARD,
        &inject_handle_out);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WFP outbound packet injection handle, %ld\n", status));
        goto driver_entry_exit;
    }

    // Create a NET_BUFFER_LIST pool handle.
    RtlZeroMemory(&nbl_pool_params, sizeof(nbl_pool_params));
    nbl_pool_params.Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
    nbl_pool_params.Header.Revision =
        NET_BUFFER_LIST_POOL_PARAMETERS_REVISION_1;
    nbl_pool_params.Header.Size = sizeof(nbl_pool_params);
    nbl_pool_params.fAllocateNetBuffer = TRUE;
    nbl_pool_params.PoolTag = WINDIVERT_TAG;
    nbl_pool_params.DataSize = 0;
    nbl_pool_handle = NdisAllocateNetBufferListPool(NULL, &nbl_pool_params);
    if (nbl_pool_handle == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("[DrEnc] failed to allocate net buffer list pool, %ld\n", status));
        goto driver_entry_exit;
    }

    // Create a NET_BUFFER pool handle.
    RtlZeroMemory(&nb_pool_params, sizeof(nb_pool_params));
    nb_pool_params.Header.Type = NDIS_OBJECT_TYPE_DEFAULT;
    nb_pool_params.Header.Revision = NET_BUFFER_POOL_PARAMETERS_REVISION_1;
    nb_pool_params.Header.Size =
        NDIS_SIZEOF_NET_BUFFER_POOL_PARAMETERS_REVISION_1;
    nb_pool_params.PoolTag = WINDIVERT_TAG;
    nb_pool_params.DataSize = 0;
    nb_pool_handle = NdisAllocateNetBufferPool(NULL, &nb_pool_params);
    if (nb_pool_handle == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("[DrEnc] failed to allocate net buffer pool, %ld\n", status));
        goto driver_entry_exit;
    }

    // Open a handle to the filter engine:
    status = FwpmEngineOpen(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL,
        &engine_handle);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WFP engine handle, %ld\n", status));
        goto driver_entry_exit;
    }

    // Register WFP sub-layers:
    status = FwpmTransactionBegin(engine_handle, 0);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to begin WFP transaction, %ld\n", status));
        FwpmTransactionAbort(engine_handle);
        goto driver_entry_exit;
    }

    status = DrEnc_install_provider();
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to install provider, %ld\n", status));
        FwpmTransactionAbort(engine_handle);
        goto driver_entry_exit;
    }

    status = DrEnc_install_sublayer(WINDIVERT_LAYER_INBOUND_NETWORK_IPV4);
    if (!NT_SUCCESS(status))
    {
    driver_entry_sublayer_error:
        KdPrint(("[DrEnc] failed to install WFP sub-layer, %ld\n", status));
        FwpmTransactionAbort(engine_handle);
        goto driver_entry_exit;
    }
    status = DrEnc_install_sublayer(WINDIVERT_LAYER_OUTBOUND_NETWORK_IPV4);
    if (!NT_SUCCESS(status))
    {
        goto driver_entry_sublayer_error;
    }

    // 提交当前会话中的当前事务
    status = FwpmTransactionCommit(engine_handle);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to commit WFP transaction, %ld\n", status));
        FwpmTransactionAbort(engine_handle);
        goto driver_entry_exit;
    }

        3、打开过滤引擎    

    RtlZeroMemory(&session, sizeof(session));
    session.flags |= FWPM_SESSION_FLAG_DYNAMIC;
    status = FwpmEngineOpen(NULL, RPC_C_AUTHN_DEFAULT, NULL, &session,
        &g_engine_handle);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create WFP engine handle, %ld\n", status));
        goto windivert_create_exit;
    }

        4、注册呼出函数

    HANDLE engine;
    FWPS_CALLOUT scallout;
    FWPM_CALLOUT mcallout;
    UINT32 callout_id;
    GUID callout_guid, filter_guid;
    FWPM_FILTER filter;
    UINT32 priority;
    UINT64 weight;
    NTSTATUS status = STATUS_SUCCESS;

    engine = g_engine_handle;
    priority = 1;
    weight = (UINT64)priority;

    callout_guid = g_callout_guid[idx];
    filter_guid = g_filter_guid[idx];
    RtlZeroMemory(&scallout, sizeof(scallout));
    scallout.calloutKey = callout_guid;
    scallout.classifyFn = layer->classify;
    scallout.notifyFn = windivert_notify;
    scallout.flowDeleteFn = layer->flow_delete;
    RtlZeroMemory(&mcallout, sizeof(mcallout));
    mcallout.calloutKey = callout_guid;
    mcallout.displayData.name = layer->callout_name;
    mcallout.displayData.description = layer->callout_desc;
    mcallout.applicableLayer = *(layer->layer_guid);
    RtlZeroMemory(&filter, sizeof(filter));
    filter.filterKey = filter_guid;
    filter.layerKey = *(layer->layer_guid);
    filter.displayData.name = layer->filter_name;
    filter.displayData.description = layer->filter_desc;
    filter.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
    filter.action.calloutKey = callout_guid;
    filter.subLayerKey = *(layer->sublayer_guid);
    filter.weight.type = FWP_UINT64;
    filter.weight.uint64 = &weight;
    //filter.rawContext = (UINT64)context;

    status = FwpsCalloutRegister(WdfDeviceWdmGetDeviceObject(g_device),
        &scallout, &callout_id);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to install WFP callout, %ld\n", status));
        return status;
    }

    status = FwpmTransactionBegin(engine, 0);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to begin WFP transaction, %ld\n", status));
        goto windivert_install_callout_error;
    }

    status = FwpmCalloutAdd(engine, &mcallout, NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to add WFP callout, %ld\n", status));
        goto windivert_install_callout_error;
    }

    status = FwpmFilterAdd(engine, &filter, NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to add WFP filter, %ld\n", status));
        goto windivert_install_callout_error;
    }

    status = FwpmTransactionCommit(engine);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to commit WFP transaction, %ld\n", status));
        goto windivert_install_callout_error;
    }

    g_nCalloutNum++;
    return STATUS_SUCCESS;

windivert_install_callout_error:

    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to DrEnc_install_callouts, %ld\n", status));
    }

    FwpmTransactionAbort(engine);
    FwpsCalloutUnregisterByKey(&callout_guid);
    return status;

        5、在呼出函数中对拦截到的数据进行解析,修改

    PNET_BUFFER_LIST buffers;
    PNET_BUFFER buffer, buffer_itr;
    ULONG packet_len;
    ULONG packet_size;
    packet_t work;
    UINT8* work_data;
    WINDIVERT_PACKET info;
    NTSTATUS status;
    FWPS_PACKET_INJECTION_STATE packet_state;
    HANDLE packet_context;
    LONGLONG timestamp;
    BOOL match;
    INT32 packet_priority;
    BOOL impostor;
    UINT64 flags;
    NDIS_TCP_IP_CHECKSUM_NET_BUFFER_LIST_INFO checksums;
    BOOL sniffed, ip_checksum, tcp_checksum, udp_checksum;

    result->actionType = FWP_ACTION_CONTINUE;
    flags = 0;
    buffers = (PNET_BUFFER_LIST)data;
    buffer = NET_BUFFER_LIST_FIRST_NB(buffers);
    if (NET_BUFFER_LIST_NEXT_NBL(buffers) != NULL)
    {
        // This is a fragment group.  This can be ignored since each fragment
        // should have already been indicated.
        return;
    }

    if (outbound)
    {
        packet_state = FwpsQueryPacketInjectionState(inject_handle_out,
            buffers, &packet_context);
    }
    else
    {
        packet_state = FwpsQueryPacketInjectionState(inject_handle_in,
            buffers, &packet_context);
    }

    impostor = FALSE;
    if (packet_state == FWPS_PACKET_INJECTED_BY_SELF ||
        packet_state == FWPS_PACKET_PREVIOUSLY_INJECTED_BY_SELF)
    {
        packet_priority = (UINT32)(ULONG_PTR)packet_context;
        if (packet_priority <= priority)
        {
            //WdfObjectDereference(object);
            return;
        }
    }
    else if (packet_state == FWPS_PACKET_INJECTED_BY_OTHER)
    {
        // This is a packet injected by another driver, possibly an older
        // version of WinDivert.  To prevent block-clone-reinject infinite
        // loops, we mark this packet as an "impostor".
        impostor = TRUE;
    }

    // Get the timestamp.
    timestamp = KeQueryPerformanceCounter(NULL).QuadPart;

    // Retreat the NET_BUFFER to the IP header, if necessary.
    // If (advance != 0) then this must be in the inbound path, and the
    // NET_BUFFER_LIST must contain exactly one NET_BUFFER.
    if (advance != 0)
    {
        status = NdisRetreatNetBufferDataStart(buffer, advance, 0, NULL);
        if (!NT_SUCCESS(status))
        {
            //WdfObjectDereference(object);
            return;
        }
    }


    sniffed = ((flags & WINDIVERT_FLAG_SNIFF) != 0);

    buffer_itr = buffer;
    while (buffer_itr != NULL)
    {
        match = FALSE;
        packet_len = NET_BUFFER_DATA_LENGTH(buffer_itr);
        if (packet_len > WINDIVERT_MTU_MAX)
        {
            // Cannot handle oversized packet
            break;
        }
        packet_size = WINDIVERT_PACKET_SIZE(WINDIVERT_DATA_NETWORK,
            packet_len);
        work = (packet_t)windivert_malloc(packet_size, FALSE);
        if (work == NULL)
        {
            goto next_buffer;
        }
        work->packet_len = (UINT32)packet_len;
        work_data = WINDIVERT_LAYER_DATA_PTR(work);
        RtlCopyMemory(work_data, network_data, sizeof(WINDIVERT_DATA_NETWORK));
        work_data = WINDIVERT_PACKET_DATA_PTR(WINDIVERT_DATA_NETWORK, work);
        if (!windivert_copy_data(buffer_itr, work_data, packet_len))
        {
            windivert_free(work);
            goto next_buffer;
        }

        if (WinDivertHelperParsePacketEx(work_data, packet_len, &info) == FALSE)
        {
            KdPrint(("[DrEnc] WinDivertHelperParsePacketEx failed\n"));
            windivert_free(work);
            goto next_buffer;
        }

        if (info.PayloadLength <= 0)
        {
            //KdPrint(("[DrEnc] WinDivertHelperParsePacketEx failed\n"));
            windivert_free(work);
            goto next_buffer;
        }

        if (info.Protocol == IPPROTO_TCP || info.Protocol == IPPROTO_UDP)
        {
            if (outbound && MatchPolicy(&info))
            {
                //KdPrint(("[DrEnc] outbound\n"));
                match = ChangeMatchData(&info);
            }
            else if (!outbound && MatchPolicy(&info))
            {
                //KdPrint(("[DrEnc] inbound\n"));
                match = ChangeMatchData(&info);
            }
        }

        if (match)
        {
            checksums.Value = NET_BUFFER_LIST_INFO(buffers,
                TcpIpChecksumNetBufferListInfo);
            if (outbound)
            {
                ip_checksum = (checksums.Transmit.IpHeaderChecksum == 0);
                tcp_checksum = (checksums.Transmit.TcpChecksum == 0);
                udp_checksum = (checksums.Transmit.UdpChecksum == 0);
            }
            else
            {
                ip_checksum = (checksums.Receive.IpChecksumSucceeded == 0);
                tcp_checksum = (checksums.Receive.TcpChecksumSucceeded == 0);
                udp_checksum = (checksums.Receive.UdpChecksumSucceeded == 0);
            }

            work->sniffed = (sniffed ? 1 : 0);
            work->outbound = (outbound ? 1 : 0);
            work->loopback = (loopback ? 1 : 0);
            work->impostor = (impostor ? 1 : 0);
            work->ipv6 = 0;
            work->ip_checksum = (ip_checksum ? 1 : 0);
            work->tcp_checksum = (tcp_checksum ? 1 : 0);
            work->udp_checksum = (udp_checksum ? 1 : 0);
            work->icmp_checksum = 1;
            work->match = match;
            work->packet_size = packet_size;
            work->priority = priority;
            work->timestamp = timestamp;

            WinDivertHelperCalcChecksums(work_data, packet_len, NULL, 0);
            windivert_inject_packet(work);
        }
        else
        {
            //WdfWorkItemEnqueue(work);

            windivert_free(work);
        }

 next_buffer:
        buffer_itr = NET_BUFFER_NEXT_NB(buffer_itr);
    }

    if (advance != 0)
    {
        // Advance the NET_BUFFER to its original position.  Note that we can
        // do this here, since if (advance != 0) then there is only one
        // NET_BUFFER in the NET_BUFFER_LIST, meaning that STEPS (1) and (3)
        // will be empty.
        NdisAdvanceNetBufferDataStart(buffer, advance, FALSE, NULL);
    }

    if (match)
    {
        result->actionType = FWP_ACTION_BLOCK;
        result->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
        result->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    }

       6、将修改后的数据重新注入到原始路径

    NTSTATUS status = 0;
    UINT8* packet_data;
    UINT32 packet_len;
    UINT64 checksums;
    PWINDIVERT_DATA_NETWORK network_data;
    PMDL mdl;
    PNET_BUFFER_LIST buffers;
    HANDLE handle;
    UINT32 priority;

    //if (packet->layer != WINDIVERT_LAYER_NETWORK &&
    //    packet->layer != WINDIVERT_LAYER_NETWORK_FORWARD)
    //{
    //    KdPrint(("[DrEnc] packet->layer != WINDIVERT_LAYER_NETWORK\n"));
    //    windivert_free_packet(packet);
    //    return STATUS_INVALID_PARAMETER;
    //}

    network_data = (PWINDIVERT_DATA_NETWORK)WINDIVERT_LAYER_DATA_PTR(packet);
    packet_data = WINDIVERT_PACKET_DATA_PTR(WINDIVERT_DATA_NETWORK, packet);
    packet_len = packet->packet_len;

    // Fix checksums:
    checksums =
        (packet->ip_checksum == 0 ? 0 : WINDIVERT_HELPER_NO_IP_CHECKSUM) |
        (packet->tcp_checksum == 0 ? 0 : WINDIVERT_HELPER_NO_TCP_CHECKSUM) |
        (packet->udp_checksum == 0 ? 0 : WINDIVERT_HELPER_NO_UDP_CHECKSUM) |
        (packet->icmp_checksum == 0 ? 0 : WINDIVERT_HELPER_NO_ICMP_CHECKSUM |
            WINDIVERT_HELPER_NO_ICMPV6_CHECKSUM);
    //WinDivertHelperCalcChecksums(packet_data, packet_len, NULL, checksums);
    if (WinDivertHelperCalcChecksums(packet_data, packet_len, NULL, checksums) == FALSE)
    {
        KdPrint(("[DrEnc] CalcChecksums failed\n"));
        return STATUS_INVALID_PARAMETER;
    }

    // Decrement TTL for impostor packets:
    if (packet->impostor != 0 &&
        !WinDivertHelperDecrementTTL(packet_data, packet_len))
    {
        status = STATUS_HOPLIMIT_EXCEEDED;
        KdPrint(("[DrEnc] failed to inject ttl-exceeded impostor packet , %ld\n", status));
        windivert_free_packet(packet);
        return status;
    }

    // Inject packet:
    mdl = IoAllocateMdl(packet_data, packet_len, FALSE, FALSE, NULL);
    if (mdl == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("[DrEnc] failed to allocate MDL for injected packet , %ld\n", status));
        windivert_free_packet(packet);
        return status;
    }
    MmBuildMdlForNonPagedPool(mdl);
    status = FwpsAllocateNetBufferAndNetBufferList(nbl_pool_handle, 0, 0,
        mdl, 0, packet_len, &buffers);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to create NET_BUFFER_LIST for injected packet , %ld\n", status));
        IoFreeMdl(mdl);
        windivert_free_packet(packet);
        return status;
    }
    priority = packet->priority;
    if (packet->layer == WINDIVERT_LAYER_NETWORK_FORWARD)
    {
        handle = inject_handle_forward;
        status = FwpsInjectForwardAsync(handle, (HANDLE)priority, 0,
            (packet->ipv6 ? AF_INET6 : AF_INET), UNSPECIFIED_COMPARTMENT_ID,
            network_data->IfIdx, buffers, windivert_inject_complete,
            (HANDLE)packet);
    }
    else if (packet->outbound)
    {
        handle = inject_handle_out;
        status = FwpsInjectNetworkSendAsync(handle, (HANDLE)priority, 0,
            UNSPECIFIED_COMPARTMENT_ID, buffers, windivert_inject_complete,
            (HANDLE)packet);
    }
    else
    {
        handle = inject_handle_in;
        status = FwpsInjectNetworkReceiveAsync(handle, (HANDLE)priority, 0,
            UNSPECIFIED_COMPARTMENT_ID, network_data->IfIdx,
            network_data->SubIfIdx, buffers, windivert_inject_complete,
            (HANDLE)packet);
    }

    if (!NT_SUCCESS(status))
    {
        KdPrint(("[DrEnc] failed to inject (packet=%p) , %ld\n", packet, status));
        FwpsFreeNetBufferList(buffers);
        IoFreeMdl(mdl);
        windivert_free_packet(packet);
    }
    //KdPrint(("[DrEnc] windivert_inject_packet success\n"));
    return status;

        以上代码仅为作此开发的同仁提供思路及方向,作者开发的实现也是将windivert开源项目下大功夫研究之后,取其精华部分从零开始重构得来。希望能为致力于此道者提供帮助。

古道青阳
关注
专栏目录
window filter platform (wfp修改TCP数据包的方法
lxf20054658的专栏
12-28 1万+
问题描述:使用WFP重定向了TCP链接到本地localhost后,为了能够告诉应用层原始链接的地址和端口,需要修改数据包,即在三次握手后插入一个自定义包。在实现这个小小功能时,遇到了不少问题,走了很多弯路,希望在此记录一下,以备不时之需,也希望能够对有需要的朋友有所帮忙,因为WFP驱动,基本没有中文资料,所有的资料和问题都需要亲自到MSDN找,也是大费周折。 很显然,TCP的重定向,参考了MSDN
基于WFP的windows驱动对TCP数据的抓取,修改以及注意事项
Mr_oOo_的博客
12-24 6388
这里讲了很多干货:checksum offload的问题; WFP过滤驱动;修改tcp报头;
Windows过滤平台(WFP)
最新发布
zhangyihu321的专栏
08-16 1417
wfp windows 驱动
精选_基于 WFP 实现的网络监控_源码打包
03-09
基于 WFP 实现的网络监控
wfp框架解析
要把所有那些负面的信息当做对自身行为的评价,而不是对自身价值的评判。
08-31 781
与此函数相对的是FwpmEngineClose,关闭引擎。此函数参数为FWPM_CALLOUT0,而FwpsCalloutRegister0的参数为FWPS_CALLOUT0。我一直对wfp框架含混不清,搞驱动开发有一段时间了,拿着老板的钱,到对自己手头工作的一些基础概念都弄不明白,实在是说不过去,寝食难安,特此加深一下记忆和理解。FwpsCalloutRegister0:注册回调函数。此函数参数比较复杂,主要是用来注册实现网络过滤功能操作的回调函数。这6个API参数比较复杂,详细的参数可自行MSDN。
WPF数据修改demo
wanglei_smartfish的专栏
07-28 752
今天晚上研究了下wpf,现在把代码贴出来供大家学习参考 sql语句: create table userinfos (  ContactID  int primary key identity(1,1), FirstName varchar(100), LastName varchar(100), EmailAddress varchar(100) ) go insert in
驱动开发】Windows过滤平台(WFP,Windows Filtering Platform)
qq_42814021的博客
04-13 3584
TDI:Transport Driver Interface,传输层接口。TDI在Windows Vista之后就不再支持了,之后的版本中被WFP取代。socket可以指定某种方式开始传输用户的数据(比如TCP或UDP),这就是传输层。传输层的特点是:用户只需要关心实际需要传输的用户数据,而不用担心数据实际的发送次数、如何封装、如何确定发送正确性、出错何重发等。Windows过滤平台(Windows Filter Platform),是从Vista系统后新增的一套系统API和服务,为网络数据包过滤。
WFP过滤框架
qq_41490873的博客
09-18 2433
WFP框架图 垫片 垫片是一种特殊的内核模块,被安插在系统的网络协议栈(如TCP/IP)的不同层(栈)中, 主要作用是获取网络协议栈的数据。如垫片被安插在传输层,可以获取TCP/UDP等协议数据: 垫片被安插在网络层,可以获取IP协议等数据。安插在不同协议层的垫片,获取到的数据不同, 垫片获取到数据后,会通过内核态过滤引擎提供的分类API,把数据传递到相应的WFP分层中。 垫片除了能获取网络数据传递给内核态过滤引擎外,还有更重要的一个作用是把内核态过 滤引擎的过滤结果反馈给网络协议栈。比如,内核态过滤引擎
Windows驱动开发框架WDF源码,来自微软Github
12-18
Windows驱动开发框架(Windows Driver Framework,简称WDF)是微软推出的一种现代化的驱动程序开发模型,旨在简化驱动程序的编写,提高驱动程序的稳定性和安全性。这个框架建立在Windows Driver Model(WDM)的基础...
基于WDF的PCIe接口高速数据传输卡的驱动程序开发
04-03
WDF 设备驱动程序的开发技术进行了分析和论述,深入剖析了 WDF 驱动程序模型的基本框架和运行机理,从驱动程序的初始化、IRP 的处理、中断响应、DMA 操作以及应用程序接口等方面详细讨论了高速数据传输卡驱动程序的...
基于WDF的PCIe驱动程序开发.docx
07-24
### 基于WDF的PCIe驱动程序开发 #### WDF与WDM对比 - **WDM(Windows Driver Model)**:自Windows 2000以来的标准驱动程序模型,要求开发者同时处理硬件交互与操作系统内核的操作,增加了驱动程序开发的复杂度和...
微软WDF驱动模型开源代码
03-21
此外,源代码还揭示了如何使用WDF进行并发控制、内存管理和错误处理,这些都是构建稳定驱动的关键。 总之,微软的WDF驱动模型开源代码是一个宝贵的资源,它使开发者能够更深入地理解和利用这个框架,从而提高驱动...
WFP体系结构
nuvage的专栏
02-20 1724
WFP体系结构     上图显示了WFP的基本体系结构。 过滤引擎 过滤引擎包含用户模式组件和内核模式组件,共同执行网络数据的所有过滤操作。过滤引擎包含多个过滤层,较为松散地映射到操作系统的网络栈层。按照所属的过滤引擎组件,过滤引擎层分为用户模式层和内核模式层。   用户模式组件执行远程过程调用和IPsec过滤,过滤引擎大约包含10个用户模式过滤层。 内核模式组件在TCP/IP栈的
wfp网络过滤框架总结(一)
zhangge3663的博客
09-18 4091
一、基本术语定义 callout为扩展wfp性能提供的一个功能,由一系列call function和一个guid key组成,wfp内置了几个callouts。用户可以通过callout drivers自己添加callout。 callout driver实现一个或者多个callouts的内核驱动,这个驱动通过向filter engine注册callouts,来通知filter engine当...
wpf和wdf的区别
Welcome to here !
06-25 2286
wpf&&wdf是两个不同产品,一个是webphere portlet factory,后者则是Workplace Dashboard Framework。他们的前身是bowstreet(Gartner Group评估的六家Web服务领域最领先的企业之一)的产品,原名是bowstreet portlet factory。后bowstreet被IBM收购,于是portlet factory也...
Windows驱动_WFP之四WFP代码基本流程的剖析
热门推荐
Z18_28_19的专栏
10-23 1万+
总说程序员是孤独的,因为,大部分的时间都在和机器打交道。大部分的时间都在自言自语。我的内心需要足够的强大。这种强大时建立的自信的基础上的。而自信又是建立在实力基础上的。实力又是建立在积累的基础上。积累又是建立在时间的基础上。所以归根结底,就是,需要花费更多的时间。第二,需要有足够的兴趣爱好。这两点对于现在的我来说,都有。既然,自己选择了这条路,就应该义无反顾的走下去,坚持的走下去。孤独,我不怕,困
Windows过滤驱动 WFP代码基本流程的剖析 bypass前期准备
sway913的博客
05-12 2304
今天实际看一下,WFP的Callout驱动的代码。先从DriverEntry开始: 1,在DriverEntry需要创建驱动对象和设备对象, 1.1 由于不是PNP设备,需要设置创建驱动对象的标志为config.DriverInitFlags |= WdfDriverInitNonPnpDriver. 1.2 调用WdfDriverCreate创建驱动对象。 1.3 调用WdfControlDeviceInitAllocate通过驱动对象创建 WDFDEVICE_IN...
WDF驱动技术:面向对象的USB开发框架详解
本文主要探讨了Windows Driver Framework (WDF) 的USB驱动程序设计,该框架是由微软推出的一种先进的驱动程序开发模型WDF在Windows操作系统中扮演着核心角色,特别是对于内核模式驱动程序的开发,提供了面向对象和...
评论 9
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

古道青阳

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值