Personal Firewall in Windows-Overview of network packet interception technology

As network security problems become increasingly serious, network security products have also been paid attention. As the first network security product and the most popular security product, firewall is also favored by users and R & D institutions. From the perspective of firewall applications, there are basically two types: Network-level firewalls and personal firewalls. Windows is the most widely used PC operating system, so there are countless personal firewall products developed under Windows operating system. Some well-known overseas products include atguard, outpost firewall, Zonealarm, Tiny Personal Firewall, Norton Personal firewall, and Sygate Personal Firewall. Many domestic products include Skynet firewall. The core technologies of all Windows-based personal firewalls are network packet interception technology in windows. This article mainly describes the network packet interception technology in the Windows operating system. First, you should have a certain understanding of the Windows Network Architecture and have a certain understanding of the development of Windows drivers. Windows Network Driver Structure Figure 1 shows the network driver structure in Windows 2000. In 1989, Microsoft and 3Com developed a set of Network Driver standards for Windows development, known as NDIS (Network Driver Interface Specification ). NDIS provides a set of standard interfaces for network-driven development, making the network driver more cross-platform. NDIS provides the following APIs: ? 1. NDIS miniport driver ). This is what we often call the NIC Driver. ? 2. NDIS protocol driver ). For example, the TCPIP protocol driver. ? 3. the NDIS intermediate layer driver (intermediate driver ). This is based on the driver between the link layer and the IP layer. From figure 1, we can clearly see the layered structure of the network driver, which provides us with the basic idea of intercepting network packets. In general, to intercept network data packets in Windows, you can perform the following operations at two levels: User-mode and kernel-mode) Network packet interception in user mode There are several methods to intercept network data packets in user mode: 1) Winsock Layered Service Provider (LSP ). This method has a detailed document in msdn and provides an example (SPI. cpp ). The advantage of this method is that you can obtain detailed information about the process that calls Winsock. This can be used for QoS and data stream encryption. However, if the application directly uses the Transport Driver inface (TDI) to call TCPIP to send data packets, this method will be powerless. For some Trojans and viruses, it is easy to directly call TCPIP through TDI. Therefore, most personal firewalls do not use this method. There are also personal firewalls implemented using this method in China, such as xfilter (www.xfilter.com ). 2) Windows 2000 package filtering interface. Windows 2000 iphlp API provides the installation package filter function. However, packet filtering rules have many restrictions, which are far from enough for the personal firewall. 3) Replace the Winsock dynamic connection library that comes with the system. The detailed implementation details can be found in many articles. Obviously, the most critical disadvantage of packet interception in user mode is that it can only be performed at the Winsock level, but cannot be processed for packets of the underlying protocol in the network protocol stack. For some Trojans and viruses, it is easy to avoid this layer of firewall. Use the driver to intercept network packets Most personal firewalls are implemented using network drivers. From figure 1, we can think of the following aspects: ? 1. TDI filter driver) ? 2. NDIS intermediate layer driver (NDIS intermediate driver) ? 3. Win2k filter-hook driver ? 4. NDIS Hook driver The following describes these methods. For detailed implementation, see the Win2k DDK document. TDI filter driver. When an application wants to send or receive network data packets, it uses the interface provided by the protocol driver. The Protocol Driver provides a set of predefined standard interfaces to interact with applications. In Windows 2000/NT, IP, TCP, and UDP are implemented in a driver called TCP. sys, this driver creates several devices: devicerawip, deviceudp, devicetcp, deviceip, and devicemulticast. All network data operations of applications are performed through these devices. Therefore, we only need to develop a filter driver to intercept these interactive interfaces to intercept network data packets. The network data interception at the TDI layer can also obtain detailed information about processes that operate on network data packets, which is also an important feature of the personal firewall. NDIS middle layer driver. The middle layer driver is between the protocol layer driver and the small port driver. It can intercept all network packets (if it is Ethernet, It is Ethernet frame ). The NDIS middle layer driver is widely used, not only for personal firewalls, but also for VPN, Nat, pppoverethernet, and VLAN. The middle-layer driver concept is available only after window NT SP4, so Windows 9x cannot directly use the Middle-layer driver function. Windows DDK provides two well-known intermediate-layer driver examples: passthru and MUX. Developers can develop on the basis of passthru, while MUX implements VLAN functions. Currently, this technology is rarely used in Personal Firewall Products, mainly because the installation of the middle layer driver is too complex, especially in Windows NT. In Windows 2000, you can use a program to automatically install the driver. However, if the driver does not undergo a digital signature, the system will prompt you to continue the installation. The powerful driver of the middle layer should be the trend of personal firewall technology in the future, especially the implementation of some additional functions. Win2k filter-hook driver. This is a kind of driver provided by the system starting from Windows2000. The driver mainly intercepts network data packets by using the functions provided by ipfiltdrv. sys. The filter-hook driver has a simple structure and is easy to implement. However, microsfot does not recommend filter-hook driver because its structure is too simple and dependent on ipfiltdrv. sys. NDIS Hook driver. This is currently the method used by most personal firewalls. The concept of Hook is very popular in Windows 9x and easy to implement. In Windows 9x, the driver (VxD) can use hook_device_service to mount all the services provided by NDIS. In Windows NT/2000, how does one implement hook? There are two different ideas: 1) modify the export table of NDIS. sys. In Windows NT/2000, executable files (including DLL and sys) comply with the PE (portable executable) format. All drivers that provide interfaces to other operating system components have export tables. Therefore, you only need to modify the export table of NDIS. sys to mount the key NDIS APIs. Since the Protocol Driver calls ndisregisterprotocol to register with the system when the system starts, the key to this method is to modify the NDIS. start address of the ndisregisterprotocol/ndisderegisterprotocol/ndisopenadapter/ndiscloseadapter/ndissend function provided by sys. We know that you can use some APIs to modify the PE file format in user mode, while NDIS. sys is located in the core memory area of the system, so you need to modify NDIS. sys has to write the driver to implement it, which requires us to have a deep understanding of the PE file format. When using this method, pay attention to the loading sequence of the driver. Obviously, the hook driver must be loaded after NDIS. sys, before the Protocol Driver such as tcpip. sys is loaded. In addition, Windows2000 also provides a system file protection mechanism. Therefore, you must modify the Registry to shield the system file protection mechanism when modifying NDIS. sys. 2) register a false protocol with the system ). In the Windows Kernel, all registered protocols are maintained through a one-way Protocol linked list. This one-way linked list stores the addresses of all the ndis_protocol_block structures of the registered protocols, and stores the addresses of the corresponding dispatch functions specified by the Protocol Driver, such as receive_handler. In addition, each protocol driver corresponds to a one-way linked list of ndis_open_block to maintain the information of the network card it is bound. After the protocol driver calls ndisregisterprotocol, NDIS always puts the newly registered protocol in the header of the Protocol linked list and returns this table, so as long as we register a new protocol and register the returned chain table header through the new protocol, we can easily traverse all the Protocol tables in the system. However, to successfully mount the dispatch function, you also need to mount the dispatch function in the ndis_open_block structure corresponding to the Protocol, because NDIS does not directly call the dispatch function address registered by the protocol driver in ndis_protocol_characteristics, rather it calls the dispatch function in ndis_open_block. It is worth noting that in DDK of Windows9x/ME/NT, the definition of ndis_protocol_block is clear, while in DDK of Windows 2000/XP, there is no detailed definition of this structure. That is to say, this structure is not public under Windows2000/xp. Therefore, developers need to use various debugging tools to explore the detailed definition of this structure. This is precisely because this method is highly reliant on the platform and requires different structural definitions to be used to determine different operating system versions in the program. Summary This article focuses on the core technology of Personal Firewall under WindowsNT/2000/XP-network packet interception technology, and analyzes the advantages and disadvantages of various methods and methods, in fact, many personal firewalls use several different technologies to intercept network packets at different layers. It is worth noting that the network packet interception technology can be used not only to develop a personal firewall, but also to develop other products.