A brief introduction to the implementation technology of Windows software firewall

From the birth of Windows software firewall, this kind of security protection products are following the continuous deepening of hacker and anti-black anti-drug fight, evolving and upgrading. From the earliest analysis only source address, port number and the original message of the packet filtering firewall, and then there are different applications can set different access to network permissions technology; In recent years by ZoneAlarm and other foreign well-known brands led, Also began to popular with unknown attack interception capability of intelligent behavior Monitoring firewall; Finally, due to the recent prevalence of spam plug-ins and rogue software, many firewalls are considering the ability to block their own rogue software. In summary, Windows software firewall from the beginning of a simple packet packet loss, interception of IP and port tools, developed into today's powerful overall security suite.

Next, this article gives a brief technical introduction to these components that a Windows software firewall should have.

Packet Filtration Technology

Packet-filtering technology is the first feature owned by the most primitive firewalls. But the feature is simple and powerful, and until now it is an essential feature of any firewall.

To intercept a network packet before it reaches the application, install a filter hook on the system's network protocol stack. For the Windows NT family kernel, it is possible to install a filter hook that is roughly the number of places from top to bottom: SPI layer (early Skynet firewall), AfD layer (lack of data, no examples), TDI layer (many domestic walls), NDIS layer (ZoneAlarm, Outpost, etc.). The more at the top, the lower the difficulty of product development, but the weaker the function, the easier it is to be traversed by attackers. Because the NDIS firewall has powerful, not easy to penetrate and other advantages, the recent trend of the major firewall manufacturers are to choose the NDIS layer to do packet filtering.

At present, there are two kinds of NDIS hook technology which are more popular. One is to hook up the Ndis.sys module's export function, thereby replacing its send (packets) handler and receive (packet) handler by intercepting the registration process for each NDIS protocol registration. The disadvantage of this method is that it cannot take effect immediately after the first security, it must be repeated, and must be reset if it is to be disabled.

In December 2004, a hacker above Www.rootkit.com published a famous article: "Hooking into NDIS and TDI, Part 1." This article was meant to provide a way for rootkit authors to hook up the underlying driver to implement port reuse, but this article reveals a new technology: by dynamically registering the NDIS fake protocol, you can get the list address of NDIS protocol. With this address, you can replace and monitor the Send (packets) handler and receive (packet) handler for each NDIS protocol without a reboot, and you can uninstall the monitoring module dynamically without needing to reboot. After this article appeared, many firewall manufacturers have quietly upgraded their products. The current ZoneAlarm and other products are the use of this technology, can be installed immediately after the role. This example is more fully reflected that hackers and anti-black technology is inherently complementary, the same origin.

Here's a code example that looks for the header of the list:

The ndis_handle returned by this function is the list header address.

Ndis_handle Registerbogusndisprotocol (void)
{
NTSTATUS Status = status_success;
Ndis_handle hbogusprotocol = NULL;
Ndis_protocol_characteristics Bogusprotocol;
Ndis_string ProtocolName;
Ndiszeromemory (&bogusprotocol,sizeof (ndis_protocol_characteristics));
Bogusprotocol.majorndisversion = 0x04;
Bogusprotocol.minorndisversion = 0x0;
Ndisinitunicodestring (&protocolname,l "Bogusprotocol");
Bogusprotocol.name = ProtocolName;
Bogusprotocol.receivehandler = dummyndisprotocolreceive;
Bogusprotocol.bindadapterhandler = dummyptbindadapt;
Bogusprotocol.unbindadapterhandler = dummyptunbindadapt;
Ndisregisterprotocol (&status,&hbogusprotocol,&bogusprotocol,
sizeof (ndis_protocol_characteristics));
if (Status = = status_success) {return hbogusprotocol;}
else {
#ifdef bydbg
Dbgprint ("Ndishook:cannot register bogus Protocol:%x
", Status);
DbgBreakPoint ();
#endif
return NULL;
}
}