Phoenix Fire Wall (Phoenix firewall) Principle Analysis

Phoenix firewall principles

 

 

Application Layer Principle

WinSock 2 Service Provider Interface (SPI) provides services for applications.
The architecture of SPI is:
(Protocol level)
WinSock 2 API-> ws2_32.dll-> SPI-> transport, layered protocol, SPI-> baseprotocol

 

(WinSock 2 structure)
WinSock 2 Application-> WinSock 2 API-> WinSock 2 DLL-> WinSock 2 transport function SPI-> transport service provider

The layered service provider installs itself on the basic provider in the Winsock directory and intercepts Winsock API calls from the application.
When a user creates a socket, the socket creation function searches for the appropriate protocol in the Winsock directory, and then calls the function exported by the provider of this Protocol to complete various functions.

 

The LSP installation process is as follows:
1. Install a layer-based protocol, and then install the Protocol chain. wscinstallprovider
2. Sort the wscwriteproviderorder directory again.

Remove LSP use wscdeinstallprovider

 

The specific LSP compilation process is to export the wspstartup function. In this function, modify the address of the WinSock 2 API function pointed to by wspproc_table and point to your own function.

 

 

 

Driver layer Principle

The NDIS Network Driver abstracts the network hardware for the network driver and the underlying driver for the management hardware.

Transport Driver Interface (TDI)
|
NDIS Interface
|
Netcard

The middle layer driver is located between the micro-port driver and the transmission driver. It is based on the driver between the link layer and the network layer.
One of the main purposes of the middle layer driver is to filter network packets, which can intercept all network packets.

 

Passthru is the intermediate layer of DDK,
In passthru, four packets can be intercepted.
Mpsend
Mpsendpackets
Ptreceive
Ptreceivepacket

 

The function for obtaining network data packets is ndisquerybuffersafe. The network data packets are stored in the ndis_buffer type linked list in the system. After the data packets are retrieved, the system checks the data packets according to the filter rules and pushes the data packets to the next layer, disallow directly discarding.

-----------------------------------------------

Code Analysis:

Phoenixfw has three modules:
Phoenixfw.exe phoenixlsp. dll Passthru. sys

Phoenixlsp. dll exports wspstartup, wspstartup saves the function table of the lower-level provider, and modifies the address of the Winsock API Function

G_nextproctable = * lpproctable;
Lpproctable-> lpwspsocket = wspsocket;
Lpproctable-> lpwspclosesocket = wspclosesocket;
Lpproctable-> lpwspbind = wspbind;
Lpproctable-> lpwspaccept = wspaccept;
Lpproctable-> lpwspconnect = wspconnect;
Lpproctable-> lpwspsendto = wspsendto;
Lpproctable-> lpwsprecvfrom = wsprecvfrom;

 

TCP uses the connect function to initiate external connections, and connect uses wspconnect,
Wspconnect
{
// Check whether the remote host can be connected according to the rules
// If pass is allowed, the original lower-level function is called directly; otherwise, socket_error is directly returned.
Return g_nextproctable.lpwspconnect
}
Accept the connection and use accept to call wspaccept;

 

Sendto is used for UDP outbound packet sending, and sendto is used to call wspsendto
The recvfrom function that receives UDP packets calls wsprecvfrom.

 

Phoenixlsp. dll uses the # pragma command to set the shared memory to communicate with the main module phoenixfw.exe.

# Pragma data_seg (". initdata ")
Hwnd g_hphoenixwnd = NULL; // Main Window handle
Int g_nworkmode = pf_pass_all; // Working Mode
# Pragma data_seg ()

# Pragma bss_seg (". uinitdata ")
Rule_item g_rule [max_rule_count]; // application layer rules
Ulong g_rulecount;
Query_session g_querysession [max_query_session]; // used to send a session query to the main program
Session g_sessionbuffer [max_session_buffer]; // used to send session information to the main program
Tchar g_szphoenixfw [max_path]; // record the main program path
# Pragma bss_seg ()

Extern tchar g_szcurrentapp [max_path];

Every time an application calls the WinSock 2 API, it automatically loads phoenixlsp. dll and records the path of the process.
Case dll_process_attach:
{
// Obtain the name of the main module
: Getmodulefilename (null, g_szcurrentapp, max_path );
}

The data_seg and bss_seg segments have only one copy regardless of how many processes load the DLL. That is to say, as long as one module modifies the content, other modules will change.

Phoenixlsp. dll exports a function to modify the data_seg and bss_seg segments.
_ Declspec (dllexport) int _ stdcall plspiocontrol (struct lsp_io_control * piocontrol, int ntype );
Int _ stdcall plspiocontrol (struct lsp_io_control * piocontrol, int ntype)
{
Switch (ntype)
{
Case io_control_set_rule_file: // you can specify rules for the application layer.
Break;
Case io_control_set_work_mode: // sets the working mode.
Break;
Case io_control_get_work_mode: // get the Working Mode
Break;
Case io_control_set_phoenix_instance: // sets the master module information.
Break;
Case io_control_get_session: // get a session
Break;
Case io_control_set_query_session: // return the DLL Query Result
Break;
Case io_control_get_query_session: // gets the query session
Break;
}
Return 0;
}
Phoenixlsp. dll checks the application's permissions. Based on the rules, if the rules are found, they are processed according to the rules. Otherwise, the postmessage is sent to phoenixfw.exe to ask how to perform the operation;

Phoenixfw.exe uses class cpiocontrol to communicate with phoenixlsp. dll, which is used to change the data_seg and bss_seg segments.

 

Passthru. sys uses a linked list to save the rule content.

// Filter rules
Typedef struct _ passthrufilter
{
Ushort protocol; // protocol used

// It is inconvenient to operate tchar strings in the driver, so it is changed to ulong type.
Ulong sourceipfrom;
Ulong sourceipto;
Ulong destipfrom;
Ulong destipto;

Ushort sourceport; // source port number
Ushort destinationport; // destination port number
 
Boolean bdrop; // whether to discard the packet

} Passthrufilter, * ppassthrufilter;

// Filter the rule list
Typedef struct _ passthrufilterlist
{
Passthrufilter filter;
Struct _ passthrufilterlist * pnext;

} Passthrufilterlist, * ppassthrufilterlist;

 

Phoenixfw.exe uses createfile to open the handle of the device controlled by the driver, enumerate all the adapters, open the handle of each control device object, and use the deviceiocontrol function to add filter rules.
Passthru add our own dispatch function entry
Dispatchtable [irp_mj_device_control] = devicontrol;

Devicontrol
{
Switch (uiocontrolcode)
{
Case ioctl_ptuserio_enumerate: // enumeration Adapter
Break;
Case ioctl_ptuserio_open_adapter: // open the adapter
Break;
Case ioctl_ptuserio_query_oid: // obtain the oId
Case ioctl_ptuserio_set_oid: // sets the oId
Break;
Default:
Return fltdevicontrol (pdeviceobject, pirp); // process other control commands
}
}

Fltdevicontrol
{
Switch (uiocontrolcode)
{
Case ioctl_ptuserio_query_statistics: // obtain the network activity status
Break;
Case ioctl_ptuserio_reset_statistics: // reset the network activity status
Break;
Case ioctl_ptuserio_add_filter: // Add a filter rule
Break;
Case ioctl_ptuserio_clear_filter: // clear the filter rule
Break;
}
}

Function for sending a single packet
Mpsend
{
If (! Fltfiltersendpacket (padapt, packet, true ))
{
//
// If the message is rejected, the upper layer will be spoofed to say that the message has been successfully sent (although it is not actually sent)
//
Return ndis_status_success;
}
}

Fltfiltersendpacket
{
Fltreadpacketdata
Bpass = fltcheckfilterrules
Return bpass;
}

Fltreadpacketdata
{
// Use ndisquerybuffersafe to obtain the data ethheader + ipheader + TCP/UDP header + net in the network packet linked list
}

Fltcheckfilterrules
{
// Check the source IP address, destination IP address, source port, and destination port of the network packet according to the filter rule.
// Because the IP addresses obtained here are in the network byte order, we need to convert the cost to the machine byte order to determine whether the IP address is within the specified IP address range, for example, 192.168.1.2-192.168.1.254.
# Define ntohl (Val, X, Y, m, n) (VAL) & (x) <24) |/
(VAL) & (y)> 8) <16) |/
(VAL) & (M)> 16) <8) |/
(VAL) & (N)> 24)

Int X, Y, M, N;
X = 0xff;
Y = 0xff <8;
M = 0xff <16;
N = 0xff <24;
Ipsource = piphdr-> ipsource;
Ipsource = ntohl (ipsource, X, Y, m, n );
// Because the destination IP address of the source IP address set in phoenixfw.exe is the order in which packets are sent by default, when receiving packets, compare the source IP address in the rule with the destination IP address in the packet.
 
Return! Pfilterlist-> filter. bdrop;
}
Mpsendpackets
Ptreceive
{
Bpass = fltfilterreceive
If (! Bpass)
{
// Reject this packet
Status = ndis_status_success;
Break;
}
}

Fltfilterreceive
{
Bpass = fltcheckfilterrules
Return bpass;
}