Windows Network Packet Filtering Technology


(Original: http://www.ndis.com/papers/winpktfilter.htm)
// This appears to be a translation. # Note by the forwarder :)
// Prepared by: sevencat (seven cats) // original author unknown # Forwarder's note

I. User-mode network packet filtering
1. Winsock Layered Service Provider (LSP)
Refer to the documentation and examples in the Microsoft Platform SDK
(http://www.microsoft.com/msdownload/platformsdk/sdkupdate).
Microsoft ships several LSP examples there; the latest version is usually the one with the fewest bugs.
Be aware that the core TCPIP driver can be reached directly through TDI, which bypasses Winsock completely. In most cases this
is not a problem; QoS, for example, can be implemented in a Winsock LSP.
However, a program that must see and act on every packet cannot rely on a Winsock LSP and needs a
method that sits closer to kernel mode.
2. Win2000 Packet Filtering Interface
The Win2000 packet filtering interface lets a user-mode program or service specify a set of
"filter rules" that the low-level TCPIP stack then applies to packets. These filters match mainly on source IP
address, destination address, and port number (or port number range).
Windows Developer's Journal
"Packet Filtering with iphlpapi.dll", Author: Ton Plooy, October 2000, Volume 11, Number 10.
Win2000 provides better programmable control over TCPIP, including packet filtering. Unfortunately,
documentation for this new API is not easy to find. The article shows how to program the blocking of packets for a specific IP address or a specific
TCP port.
Link: www.wdj.com
Download the article's example: ftp://ftp.wdj.com/pub/webzip/1110/plooy.zip
Hollis solution:
The HTS w2k iphook example demonstrates IP filtering and its hook API. It includes the source files and is free of charge, but
requires the htscpp runtime library (also free): http://www.hollistech.com/
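As an added example (not code from the original page, the Plooy article, or the Hollis sample), the following portable C models the rule semantics this section describes: each rule names a source and destination address with mask, a protocol, and a destination port or port range, and the first matching rule decides whether a packet is forwarded or dropped. The structure and function names are hypothetical, and the parser handles a raw IPv4 header rather than calling the Win2000 iphlpapi interface itself.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example: a portable model of the filter rules described above
   (source/destination address + mask, protocol, destination port range).
   Names are hypothetical; this is not the iphlpapi API itself. */
enum pf_action { PF_FORWARD = 0, PF_DROP = 1 };

struct pf_rule {
    uint32_t src, src_mask;       /* host byte order; mask 0 matches any */
    uint32_t dst, dst_mask;
    uint8_t  proto;               /* 0 = any, 6 = TCP, 17 = UDP */
    uint16_t dport_lo, dport_hi;  /* hi 0 = any destination port */
    enum pf_action action;
};
struct pkt_info { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; };

/* Parse an IPv4 header plus the first 4 bytes of the TCP/UDP header
   (source and destination port). Returns 0 on truncated or non-IPv4 input. */
int parse_ipv4(const uint8_t *buf, size_t len, struct pkt_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;  /* header length incl. options */
    if (ihl < 20 || len < ihl) return 0;
    out->proto = buf[9];
    out->src = (uint32_t)buf[12] << 24 | (uint32_t)buf[13] << 16 | buf[14] << 8 | buf[15];
    out->dst = (uint32_t)buf[16] << 24 | (uint32_t)buf[17] << 16 | buf[18] << 8 | buf[19];
    out->sport = out->dport = 0;
    if ((out->proto == 6 || out->proto == 17) && len >= ihl + 4) {
        out->sport = (uint16_t)(buf[ihl] << 8 | buf[ihl + 1]);
        out->dport = (uint16_t)(buf[ihl + 2] << 8 | buf[ihl + 3]);
    }
    return 1;
}

static int rule_matches(const struct pf_rule *r, const struct pkt_info *p)
{
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dport_hi && (p->dport < r->dport_lo || p->dport > r->dport_hi)) return 0;
    return 1;
}

/* First matching rule wins; with no match the interface default applies. */
enum pf_action pf_evaluate(const struct pf_rule *rules, size_t n,
                           const struct pkt_info *p, enum pf_action dflt)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p)) return rules[i].action;
    return dflt;
}
```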
3. Winsock replacement DLL
Before Winsock LSPs existed, the only way was to replace Microsoft's Winsock DLL with your own DLL.
If the replacement succeeds, your DLL receives the user's Winsock calls and can then forward them to the original Winsock
DLL.
However, this is quite laborious to implement. One difficulty is that Microsoft's Winsock DLL contains
some undocumented internal functions, and a replacement Winsock DLL must at least handle those undocumented functions as well.

As the Windows system structure has changed, some aspects have been hardened, such as System File Protection, which makes this
technique increasingly infeasible. In general, replacing the Winsock DLL is not a bad idea. (Xfilter used
this approach; its source code may be circulating on the Internet. I have seen it before.)
II. Kernel-mode network packet filtering
1. Transport Data Interface (TDI)
This is a filter driver layered directly above the core TCPIP driver. On Windows XP, the TDI driver is a data-transport
driver in the NT style that uses an IRP-based API. There are two ways to implement the filter:
A. Use the IoAttachDeviceXxx family of kernel-mode functions to attach a filter device to TDI.
B. Hook the TDI driver's IRP dispatch table.
The IoAttachDeviceXxx functions are covered in many Windows NT driver development books. Both techniques require
solid familiarity with NT driver development and with the TDI functions.
2. NDIS intermediate (IM) driver
Please refer to the NDIS IM FAQ: http://www.pcausa.com/resources/ndisimfaq.htm
3. Win2000 filter-hook
See the DDK documentation. Only one active filter-hook driver can exist in the system, so
its use is severely restricted. (The commonly seen drvipflt uses this mechanism.)
4. Win2000 firewall-hook
Firewall-hook driver functions are rarely described in the documentation and are unavailable in some Win2000 versions.
Refer to the Microsoft documentation: http://msdn.microsoft.com/library/default.asp?Url=/Library/En-US/Network/hh/Network/firewall_3wfb.asp
5. NDIS-hooking (as far as I know, the ferer firewall uses this technology, although I have not seen its source code.)
An NDIS-hooking driver intercepts, or "hooks", a number of the functions exported by the NDIS wrapper. Although the implementation
is somewhat informal, a systematically built NDIS-hooking filter is very effective.
In addition, an NDIS-hooking filter driver has the following benefits:
A. It is easy to install (it can be loaded and unloaded dynamically, although problems occasionally occur, some of which are still unexplained).
B. It supports dial-up PPP adapters.
NDIS-hooking is very effective and practical on Windows 98 and Me. On those platforms, the DDK documentation and the
services it provides help you hook the functions exported by the NDIS wrapper.
NDIS-hooking is equally effective and practical on NT, 2000, and XP. The technique is similar to kernel-mode debugging.
There is little documentation for it, and it basically cannot be WHQL certified.
PCAUSA provides a set of NDIS PIM driver samples that run on the existing Windows platforms (from 95
through XP). Address: http://www.pcausa.com/ndispim/Default.htm

Others:
Network operations and process information:
Many people want to know how network operations relate to Windows processes (that is, applications).
You may want to know which process sends or receives data on a specific IP port.
Leaving aside whether this is useful or reliable, we believe that a filter above the kernel-mode TCPIP driver
can handle this problem. A filter below the TCPIP driver cannot see process information at all. Note in particular
that some network service operations run in a new process attached to the system process. In that case the process information
cannot tell us which process originally generated the traffic. This applies especially to kernel-mode Windows services (TDI clients).