Drive layer complete get Process network traffic Module (summary)

Using the Tdi,win 7 platform is the WFP model under the XP platform

Ideas under the WFP framework

Gets the process ID gets the upload data size and download data size of the process and then stores it in the linked list

The node structure in the linked list is as follows:

typedef struct TAGFLOWINFOITEM
{
/** Linked list structure
*/
List_entry M_listentry;

/** Process ID
*/
HANDLE M_processid;

/** uploaded traffic, byte units
*/
UINT64 M_uploadflow;

/** downloaded traffic, in bytes
*/
UINT64 M_downloadflow;

/** upload speed, in bytes
*/
ULONG M_uploadspeed;

/** download speed, in bytes
*/
ULONG M_downloadspeed;

/** limit upload speed, in bytes
*/
ULONG M_limituploadspeed;

/** Limited download speed, in bytes
*/
ULONG M_limitdownloadspeed;
} Flowinfoitem;

WFP is required to register the callout function, the process ID is obtained at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer, while UDP and TCP stream data information (such as size, content) is in the FWPM_LAYER_DATAGRAM_ Data_v4 and FWPM_LAYER_STREAM_V4 layers to get the

, the problem comes, we can get the size of the data in the callout function of the stream registration, but the problem is, how to correspond the process ID and the corresponding process data???

//////////////////////////////////////////////////////////////////////////////////////////////////////

Constantly looking for data, research WDK documentation, WDK examples, various search and QQ groups to consult, (*^__^*) hehe ...

//////////////////////////////////////////////////////////////////////////////////////////////////////

Finally, the example of the WDK is found with the relevant code to refer to,

The catalogue is as follows: C:\WinDDK\7600.16385.1\src\network\trans\msnmntr

The main use of a FwpsFlowAssociateContext0 function, the specific usage of the MSDN or the sample code used, very simple

Must be very careful to see Oh, this function has a very important place to pay attention to, otherwise, blue and blue more healthy Oh, (about the DELETEFN function registration and notation)

The purpose of this FwpsFlowAssociateContext0 function is to pass the process ID from the fwpm_layer_ale_flow_established_v4 layer to the fwpm_layer_ Datagram_data_v4 and FWPM_LAYER_STREAM_V4 layers, then we can use the linked list structure to correlate process IDs with process data.

So how do you identify whether you're uploading data or downloading data? Good question.

There is a flag bit in the Streamdata,streamdata in the parse Layerdata,

Upload data to judge:

and system-defined macros Fwps_stream_flag_send and fwps_stream_flag_send_expedited and (&) operation, can you get the upload?

Download the data to judge:

and upload data in a similar way.

Finally, in the operation of the linked list, remember to add locks.

XP is much simpler than Win7, and TDI has much more information. It's easier to realize.

VOID analyzenetworkirp (pirp Irp)
{
Peprocess Process;
Pio_stack_location iostacklocation;
Network_usage_information networkusageinformation;
memset (&networkusageinformation,0,sizeof (network_usage_information));

Iostacklocation = Iogetcurrentirpstacklocation (IRP);

ASSERT (iostacklocation->majorfunction = = Irp_mj_internal_device_control);

Process = Psgetcurrentprocess ();


if (Queryprocessnetworkusage (Process, &networkusageinformation) = = FALSE)
{
networkusageinformation.bytesreceived = 0;
networkusageinformation.bytessent = 0;
}

if (iostacklocation->minorfunction = = tdi_receive)//Tdi_receive
{
Dbgprint ("Enter TCP receive!\n");
Ptdi_request_kernel_receive Parameters;
Parameters = (ptdi_request_kernel_receive) &IoStackLocation->Parameters;
networkusageinformation.bytesreceived + = parameters->receivelength;
}
else if (iostacklocation->minorfunction = = tdi_send)//tdi_send
{
Dbgprint ("Enter TCP send!\n");
Ptdi_request_kernel_send Parameters;
Parameters = (ptdi_request_kernel_send) &IoStackLocation->Parameters;
Networkusageinformation.bytessent + = parameters->sendlength;
}
else if (iostacklocation->minorfunction = = Tdi_receive_datagram)//tdi_receive_datagram
{
Dbgprint ("Enter UDP receive!\n");
PTDI_REQUEST_KERNEL_RECEIVEDG Parameters;
Parameters = (PTDI_REQUEST_KERNEL_RECEIVEDG) &IoStackLocation->Parameters;
networkusageinformation.bytesreceived + = parameters->receivelength;
}
else if (iostacklocation->minorfunction = = Tdi_send_datagram)//tdi_send_datagram
{
Dbgprint ("Enter UDP send!\n");
PTDI_REQUEST_KERNEL_SENDDG Parameters;
Parameters = (PTDI_REQUEST_KERNEL_SENDDG) &IoStackLocation->Parameters;
Networkusageinformation.bytessent + = parameters->sendlength;
}
else if (iostacklocation->minorfunction = = tdi_connect)//Natively initiate connection request to the outside world
{
Dbgprint ("Enter connect!\n");
PTDI_REQUEST_KERNEL_SENDDG Parameters;
Parameters = (PTDI_REQUEST_KERNEL_SENDDG) &IoStackLocation->Parameters;
Networkusageinformation.bytessent + = parameters->sendlength;
}
else if (iostacklocation->minorfunction = = tdi_accept)//external Shanben initiate connection request
{
Dbgprint ("Enter accept!\n");
PTDI_REQUEST_KERNEL_RECEIVEDG Parameters;
Parameters = (PTDI_REQUEST_KERNEL_RECEIVEDG) &IoStackLocation->Parameters;
networkusageinformation.bytesreceived + = parameters->receivelength;
}

Network usage of the update process
Updateprocessnetworkusage (Process, &networkusageinformation);

Return
}

VOID Updateprocessnetworkusage (
__in peprocess Process,
__in pnetwork_usage_information networkusageinformation
)
{
Klock_queue_handle Lockhandle;

Keacquireinstackqueuedspinlock (&networkusagegenerictable.tablelock,&lockhandle);

Updateprocessnetworkusageunsafe (Process, networkusageinformation);

Kereleaseinstackqueuedspinlock (&lockhandle);
Return
}

VOID Updateprocessnetworkusageunsafe (
__in peprocess Process,
__in pnetwork_usage_information networkusageinformation
)
{
Network_usage_generic_table_node Tablenode;
PVOID Entryfound;

tablenode.process = Process;
Tablenode.networkusageinformation = *networkusageinformation;

Entryfound = rtllookupelementgenerictable (&networkusagegenerictable.table,
(PVOID) &tablenode);

if (Entryfound)
{
BOOLEAN Status;

Status = rtldeleteelementgenerictable (&networkusagegenerictable.table, Entryfound);

ASSERT (Status = = TRUE);
}

(VOID) Rtlinsertelementgenerictable (&networkusagegenerictable.table,
(PVOID) &tablenode, sizeof (Network_usage_generic_table_node), NULL);

Return
}

Network usage Structure definition
typedef struct _NETWORK_USAGE_INFORMATION {

ULONGLONG BytesSent;
ULONGLONG bytesreceived;
} network_usage_information, *pnetwork_usage_information;


typedef struct _NETWORK_USAGE_GENERIC_TABLE_NODE {
Peprocess Process;
UINT32 Uprocessid;
Network_usage_information networkusageinformation;
} Network_usage_generic_table_node, *pnetwork_usage_generic_table_node;


typedef struct _NETWORK_USAGE_GENERIC_TABLE {
Rtl_generic_table TABLE;

Kspin_lock Tablelock;
Kspin_lock Trafficlock;
} network_usage_generic_table, *pnetwork_usage_generic_table;

Network_usage_generic_table networkusagegenerictable;

Thinking so, the realization of the TDI is not difficult, I will not say more, it seems very nagging annoying, hey

Drive layer complete get Process network traffic Module (summary)