Callout problems on discard layers

Time: 2019-04-29 13:27:20

Tags: c windows kernel driver wfp

I create my sublayer and assign it zero weight. Then I create filters with callouts on the following layers:

  • FWPM_LAYER_IPFORWARD_V4_DISCARD,
  • FWPM_LAYER_INBOUND_IPPACKET_V4_DISCARD,
  • FWPM_LAYER_OUTBOUND_IPPACKET_V4_DISCARD,
  • FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD,
  • FWPM_LAYER_INBOUND_TRANSPORT_V4_DISCARD,
  • FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD,
  • FWPM_LAYER_STREAM_V4_DISCARD,
  • FWPM_LAYER_DATAGRAM_DATA_V4_DISCARD
  • and the DISCARD layers on ALE

All these filters are assigned to my sublayer. I did not assign any conditions to the filters because I want to capture all discarded packets.

To test the project, I use a "program" that blocks all outgoing traffic and works only on the following layers:

  • FWPM_LAYER_INBOUND_IPPACKET_V4,
  • FWPM_LAYER_OUTBOUND_IPPACKET_V4,
  • FWPM_LAYER_IPFORWARD_V4
  • and the corresponding discard layers.

The way I see it, it has to work like this: the "program" blocks a packet, the packet goes on to the other sublayers, and finally the packet passes through the inspection filter into my sublayer. I use DbgPrint() in the classify function to tell whether the callout is called. When I send some packets, the "program" drops them, but my classify function is never invoked.

I also have a few questions:

  1. Am I right that all discarded packets go through the discard layers on all sublayers?

  2. If not, how can I check whether a packet was discarded by another filter on another sublayer?

  3. Can I attach my own filters to other sublayers?

Here are my functions for adding and registering callouts:

/* Kernel-mode WFP headers. g_hEngine, GUIDprovider, GUIDsublayer and the
 * PRINT_ERR macro are defined elsewhere in the driver. */
#include <ntddk.h>
#include <fwpsk.h>
#include <fwpmk.h>

NTSTATUS AddDefault(
    LPCWSTR calloutName,
    LPCWSTR calloutDescription,
    const GUID calloutKey,
    const GUID layerKey,
    LPCWSTR filterName,
    LPCWSTR filterDescription,
    const GUID filterKey
)
{
    NTSTATUS status;
    FWPM_CALLOUT0 callout = { 0 };
    FWPM_FILTER0 filter;

    RtlZeroMemory(&filter, sizeof(FWPM_FILTER0));

    /* Management-side callout object: binds the callout key to one layer.
     * FWPM_DISPLAY_DATA0 uses non-const wchar_t pointers, hence the casts. */
    callout.calloutKey = calloutKey;
    callout.displayData.name = (wchar_t *)calloutName;
    callout.displayData.description = (wchar_t *)calloutDescription;
    callout.applicableLayer = layerKey;
    callout.providerKey = (GUID *)&GUIDprovider;

    status = FwpmCalloutAdd0(g_hEngine, &callout, NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        PRINT_ERR("FwpmCalloutAdd0 failed", status);
        goto Exit;
    }

    /* Filter with no conditions in our sublayer: matches everything that
     * reaches this layer and hands it to the callout for inspection only
     * (FWP_ACTION_CALLOUT_INSPECTION never changes the verdict). */
    filter.providerKey = (GUID *)&GUIDprovider;
    filter.displayData.name = (wchar_t *)filterName;
    filter.displayData.description = (wchar_t *)filterDescription;
    filter.layerKey = layerKey;
    filter.subLayerKey = GUIDsublayer;
    filter.numFilterConditions = 0;
    filter.filterCondition = NULL;
    filter.action.type = FWP_ACTION_CALLOUT_INSPECTION;
    filter.action.calloutKey = calloutKey;
    filter.filterKey = filterKey;
    filter.weight.type = FWP_EMPTY;   /* let the engine pick the weight */
    filter.flags = FWPM_FILTER_FLAG_NONE;

    status = FwpmFilterAdd0(g_hEngine, &filter, NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        PRINT_ERR("FwpmFilterAdd0 failed", status);
        goto Exit;
    }

Exit:
    return status;
}

/* Runtime-side registration: associates the callout key with the classify,
 * notify and flow-delete callbacks the filter engine will invoke. */
NTSTATUS RegisterDefault(
    PDEVICE_OBJECT pDevice,
    const GUID calloutKey,
    FWPS_CALLOUT_CLASSIFY_FN0 classifyFn,
    FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN0 flowDeleteFn,
    FWPS_CALLOUT_NOTIFY_FN0 notifyFn
)
{
    FWPS_CALLOUT0 calloutInitData = { 0 };
    calloutInitData.calloutKey = calloutKey;
    calloutInitData.classifyFn = classifyFn;
    calloutInitData.flowDeleteFn = flowDeleteFn;
    calloutInitData.notifyFn = notifyFn;

    return FwpsCalloutRegister0(pDevice, &calloutInitData, NULL);
}
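As an added example (not code from the question), the classify function below for a *_DISCARD layer reads FWPS_DISCARD_METADATA0 from the incoming metadata to attribute a drop to a module, reason and filter id, which is what a discard-layer callout can see about who dropped the packet. The names DecodeDiscard and DiscardClassifyFn are mine, and the user-mode branch supplies constructed stand-ins for the fwpsk.h types so the decode helper can be exercised outside the kernel.

```c
/* With the WDK (_KERNEL_MODE) the real fwpsk.h types are used; otherwise
 * constructed stand-ins mirror the fields of FWPS_DISCARD_METADATA0 and
 * FWPS_INCOMING_METADATA_VALUES0 that this example touches. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <fwpsk.h>
#else
#include <stdint.h>
#include <string.h>
typedef uint32_t UINT32;
typedef uint64_t UINT64;
typedef enum { FWPS_DISCARD_MODULE_NETWORK = 0, FWPS_DISCARD_MODULE_TRANSPORT = 1,
               FWPS_DISCARD_MODULE_GENERAL = 2 } FWPS_DISCARD_MODULE0;
typedef struct { FWPS_DISCARD_MODULE0 discardModule; UINT32 discardReason;
                 UINT64 filterId; } FWPS_DISCARD_METADATA0;
typedef struct { UINT32 currentMetadataValues;
                 FWPS_DISCARD_METADATA0 discardMetadata; } FWPS_INCOMING_METADATA_VALUES0;
#define FWPS_METADATA_FIELD_DISCARD_REASON 0x00000001
#define FWPS_IS_METADATA_FIELD_PRESENT(m, f) (((m)->currentMetadataValues & (f)) == (f))
#endif

/* Returns the id of the filter that caused the discard and names the module
 * that dropped it; returns 0 when the engine supplied no discard metadata. */
UINT64 DecodeDiscard(const FWPS_INCOMING_METADATA_VALUES0 *meta, const char **module)
{
    if (!FWPS_IS_METADATA_FIELD_PRESENT(meta, FWPS_METADATA_FIELD_DISCARD_REASON)) {
        *module = "none";
        return 0;
    }
    switch (meta->discardMetadata.discardModule) {
    case FWPS_DISCARD_MODULE_NETWORK:   *module = "network";   break;
    case FWPS_DISCARD_MODULE_TRANSPORT: *module = "transport"; break;
    case FWPS_DISCARD_MODULE_GENERAL:   *module = "general";   break;
    default:                            *module = "unknown";   break;
    }
    return meta->discardMetadata.filterId;
}

#ifdef _KERNEL_MODE
/* classifyFn for a *_DISCARD layer: log the attribution, never change the verdict. */
VOID NTAPI DiscardClassifyFn(const FWPS_INCOMING_VALUES0 *inValues,
    const FWPS_INCOMING_METADATA_VALUES0 *inMeta, VOID *layerData,
    const FWPS_FILTER0 *filter, UINT64 flowContext, FWPS_CLASSIFY_OUT0 *out)
{
    const char *module;
    UINT64 byFilter = DecodeDiscard(inMeta, &module);
    UNREFERENCED_PARAMETER(layerData); UNREFERENCED_PARAMETER(flowContext);
    DbgPrint("layer %u: dropped by %s module, reason %u, filterId %I64u (our filter %I64u)\n",
        inValues->layerId, module, inMeta->discardMetadata.discardReason, byFilter, filter->filterId);
    out->actionType = FWP_ACTION_CONTINUE;   /* inspection-only callout */
}
#endif
```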

0 answers