Filter-Hook driver in Windows

zhaozj  2021-02-16

In Windows 2000 and Windows XP, IPFLTDRV.sys in the System32\Drivers directory is the IP protocol filter driver supplied by Microsoft. It lets users register their own IP datagram handlers. MSDN gives a short description of this in the Filter-Hook Driver Reference chapter. That reference covers the callback function of the Filter-Hook driver and the I/O control code with which the driver registers the callback. The callback function is the main part of such a driver: the IP filter driver supplied by the operating system calls this filter hook to decide how each IP packet is to be handled.

The registered filter hook is defined by the PacketFilterExtensionPtr data type. Because the hook's entry point is registered by the address of the function rather than by its name, the hook function may be given any name. The data structure of the hook and the I/O control code that registers it are described below.

PacketFilterExtensionPtr

Its definition is:

    typedef PF_FORWARD_ACTION (*PacketFilterExtensionPtr)(
        unsigned char *PacketHeader,
        unsigned char *Packet,
        unsigned int   PacketLength,
        unsigned int   RecvInterfaceIndex,
        unsigned int   SendInterfaceIndex,
        IPAddr         RecvLinkNextHop,
        IPAddr         SendLinkNextHop
    );

This type is the hook callback function. It decides the fate of every IP packet passed to it: forward it, drop it, or let the IP filter driver continue processing it.

1. Parameters

PacketHeader

Pointer to the IP header of the packet. The Filter-Hook driver can cast it to a pointer to the IPHeader structure.

Packet

Pointer to the buffer that holds the packet data received by the Filter-Hook driver. The buffer does not include the IP header pointed to by PacketHeader.

PacketLength

The length of the Packet buffer in bytes. This length does not include the size of the IP header.

RecvInterfaceIndex

The index of the interface adapter on which the packet arrived. The Filter-Hook driver uses this index to identify the adapter that received the packet.

For a transmitted packet this parameter is INVALID_PF_IF_INDEX, and the value of the RecvLinkNextHop parameter is meaningless.

SendInterfaceIndex

The index of the interface adapter on which the packet is sent. If the packet is being routed through the adapter, the routing table can be queried with the Simple Network Management Protocol (SNMP).

For a received packet this parameter is INVALID_PF_IF_INDEX, and the value of the SendLinkNextHop parameter is meaningless.

RecvLinkNextHop

If the interface adapter is a multipoint interface (one bound to several IP addresses?), this parameter is the link IP address on which the adapter received the packet. Otherwise this parameter is ZERO_PF_IP_ADDR.

SendLinkNextHop

If the interface adapter is a multipoint interface (one bound to several IP addresses?), this parameter is the link IP address on which the adapter sends the packet. Otherwise this parameter is ZERO_PF_IP_ADDR.

2. Return value

Returns a value of the PF_FORWARD_ACTION enumeration type:

PF_FORWARD

This return value tells the IP filter driver to forward the packet to the IP protocol stack immediately. If the packet is destined for this machine, IP hands it to the upper-layer protocol for processing; if it is not addressed to this machine, IP routes it (if routing is enabled).

PF_DROP

This return value tells the IP filter driver to have the IP protocol stack drop the packet immediately. The IP protocol then discards the packet.

PF_PASS

This return value tells the IP filter driver to process the packet itself and return the resulting action to the IP protocol stack. Return this value when the Filter-Hook driver does not need to handle the packet.

3. Notes

If the Filter-Hook driver returns PF_PASS, the IP filter driver processes the packet. In that case a user-mode application can control the packet filtering action through the Packet Filtering API (iphlpapi.lib). With these API functions you can create and manage filters for inbound and outbound IP packets. Each IP adapter interface can have one or more filters associated with it, and a filter can include an IP address, an address mask, a port number and a protocol identifier. See the Platform SDK for details.

The IP filter driver passes the packet's IP header information to the hook as an IPHeader structure.

4. IPHeader

The buffer pointed to by the PacketHeader parameter is usually interpreted as the IPHeader structure, which exposes the packet's header fields. It is defined as follows:

    typedef struct IPHeader {
        UCHAR  iph_verlen;    // version and header length
        UCHAR  iph_tos;       // type of service
        USHORT iph_length;    // total datagram length
        USHORT iph_id;        // identification
        USHORT iph_offset;    // flags and fragment offset
        UCHAR  iph_ttl;       // time to live
        UCHAR  iph_protocol;  // protocol
        USHORT iph_xsum;      // header checksum
        ULONG  iph_src;       // source address
        ULONG  iph_dest;      // destination address
    } IPHeader;

The meaning of each member is given by the comment beside it; detailed descriptions can be found in the Linux source or in any book explaining the TCP/IP protocols.
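As an added example (not code from the article or from Microsoft), here is a user-mode model of a hook callback that applies the parameter and return-value semantics described above and reads the header through the IPHeader layout. The DDK types and constants are re-declared as assumed stand-ins so the file builds without the WDK; ExampleFilterHook, RunHook, HookStats and the 192.0.2.0/24 blocklist are hypothetical names and constructed data. Two caveats it encodes: the header fields are in network byte order and PacketHeader need not be aligned, so they are read byte-wise rather than through a cast IPHeader pointer, and a hook that has nothing to decide returns PF_PASS so that the IP filter driver's own rules still apply.

```c
/* Added example (not from the article): a user-mode model of a Filter-Hook
 * callback.  The DDK definitions below (PF_FORWARD_ACTION, IPAddr, IPHeader,
 * PacketFilterExtensionPtr, INVALID_PF_IF_INDEX, ZERO_PF_IP_ADDR,
 * PF_SET_EXTENSION_HOOK_INFO) are assumed stand-ins so this builds without the
 * WDK; a real driver takes them from pfhook.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum _PF_FORWARD_ACTION { PF_FORWARD = 0, PF_DROP = 1, PF_PASS = 2 } PF_FORWARD_ACTION;
typedef uint32_t IPAddr;                     /* IPv4 address, network byte order */
#define INVALID_PF_IF_INDEX 0xFFFFFFFFu
#define ZERO_PF_IP_ADDR     0u

typedef struct IPHeader {                    /* same layout as the article's IPHeader */
    uint8_t  iph_verlen;                     /* version (high nibble), header length in dwords (low nibble) */
    uint8_t  iph_tos;
    uint16_t iph_length;                     /* total datagram length, network byte order */
    uint16_t iph_id;
    uint16_t iph_offset;                     /* flags (3 bits) + fragment offset (13 bits) */
    uint8_t  iph_ttl;
    uint8_t  iph_protocol;
    uint16_t iph_xsum;
    uint32_t iph_src;                        /* network byte order */
    uint32_t iph_dest;
} IPHeader;

typedef PF_FORWARD_ACTION (*PacketFilterExtensionPtr)(
    unsigned char *PacketHeader, unsigned char *Packet, unsigned int PacketLength,
    unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex,
    IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop);

typedef struct _PF_SET_EXTENSION_HOOK_INFO {
    PacketFilterExtensionPtr ExtensionPointer;
} PF_SET_EXTENSION_HOOK_INFO;

/* Hypothetical policy state: inbound packets from the constructed blocklist
 * 192.0.2.0/24 (TEST-NET-1) are dropped; counters record every decision. */
typedef struct { unsigned long malformed, blocked_inbound, passed; } HookStats;
static HookStats g_stats;                    /* a driver would guard this with a spin lock */
static const uint32_t BLOCKED_NET  = 0xC0000200u;
static const uint32_t BLOCKED_MASK = 0xFFFFFF00u;

/* Read big-endian fields byte-wise: the header is network byte order and may
 * be unaligned, so casting PacketHeader to IPHeader* and dereferencing is unsafe. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* The hook itself; the name is arbitrary because it is registered by address. */
static PF_FORWARD_ACTION ExampleFilterHook(
    unsigned char *PacketHeader, unsigned char *Packet, unsigned int PacketLength,
    unsigned int RecvInterfaceIndex, unsigned int SendInterfaceIndex,
    IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop)
{
    (void)Packet; (void)SendInterfaceIndex; (void)RecvLinkNextHop; (void)SendLinkNextHop;

    /* 1. Header sanity before trusting any field: IPv4, header of at least 20
     *    bytes, and the header must not claim more payload than was delivered. */
    unsigned version = PacketHeader[offsetof(IPHeader, iph_verlen)] >> 4;
    unsigned hdr_len = (PacketHeader[offsetof(IPHeader, iph_verlen)] & 0x0Fu) * 4u;
    unsigned total   = rd16(PacketHeader + offsetof(IPHeader, iph_length));
    if (version != 4 || hdr_len < sizeof(IPHeader) || total < hdr_len ||
        total - hdr_len > PacketLength) {
        g_stats.malformed++;
        return PF_DROP;
    }

    /* 2. Direction: on the receive path SendInterfaceIndex is INVALID_PF_IF_INDEX,
     *    on the send path RecvInterfaceIndex is. */
    int inbound = (RecvInterfaceIndex != INVALID_PF_IF_INDEX);

    /* 3. Policy: drop inbound packets whose source lies in the blocked network. */
    uint32_t src = rd32(PacketHeader + offsetof(IPHeader, iph_src));
    if (inbound && (src & BLOCKED_MASK) == BLOCKED_NET) {
        g_stats.blocked_inbound++;
        return PF_DROP;
    }

    /* 4. Otherwise PF_PASS: the IP filter driver applies its own filters (the
     *    ones managed from user mode via iphlpapi); PF_FORWARD would skip them. */
    g_stats.passed++;
    return PF_PASS;
}

/* What registration would place in the IOCTL_PF_SET_EXTENSION_POINTER input buffer. */
static PF_SET_EXTENSION_HOOK_INFO g_hook_info = { ExampleFilterHook };

static HookStats GetStats(void) { return g_stats; }

/* Test helper: build a constructed 20-byte IPv4/UDP header and run the hook on it.
 * verlen lets a caller supply a malformed first byte; inbound selects the receive path. */
static PF_FORWARD_ACTION RunHook(uint32_t src, uint32_t dst, int inbound, unsigned verlen)
{
    unsigned char hdr[sizeof(IPHeader)], payload[8] = {0};
    uint16_t total = (uint16_t)(sizeof hdr + sizeof payload);
    memset(hdr, 0, sizeof hdr);
    hdr[0] = (unsigned char)verlen;
    hdr[2] = (unsigned char)(total >> 8); hdr[3] = (unsigned char)total;
    hdr[8] = 64;                             /* TTL */
    hdr[9] = 17;                             /* UDP; checksum left zero */
    for (int i = 0; i < 4; i++) {
        hdr[12 + i] = (unsigned char)(src >> (24 - 8 * i));
        hdr[16 + i] = (unsigned char)(dst >> (24 - 8 * i));
    }
    return g_hook_info.ExtensionPointer(hdr, payload, sizeof payload,
        inbound ? 1u : INVALID_PF_IF_INDEX, inbound ? INVALID_PF_IF_INDEX : 1u,
        ZERO_PF_IP_ADDR, ZERO_PF_IP_ADDR);
}

int main(void)
{
    static const char *names[] = { "PF_FORWARD", "PF_DROP", "PF_PASS" };
    printf("inbound  from 192.0.2.5 -> %s\n", names[RunHook(0xC0000205u, 0x0A000001u, 1, 0x45)]);
    printf("outbound from 192.0.2.5 -> %s\n", names[RunHook(0xC0000205u, 0x0A000001u, 0, 0x45)]);
    printf("inbound  IPv6 version   -> %s\n", names[RunHook(0x0A000002u, 0x0A000001u, 1, 0x65)]);
    return 0;
}
```

In a driver the same function would be stored in PF_SET_EXTENSION_HOOK_INFO.ExtensionPointer and sent to the IP filter driver with IOCTL_PF_SET_EXTENSION_POINTER; the main() here only exercises it on constructed packets. Note that the blocklist check runs only for the receive direction, which is why the same source address is passed through untouched when the packet is being sent.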

IOCTL_PF_SET_EXTENSION_POINTER

The Filter-Hook driver builds an IRP with this I/O control code and submits it to the IP filter driver. Usually the Filter-Hook driver builds the required IRP with the IoBuildDeviceIoControlRequest function.

This control code registers the filter hook callback with the IP filter driver; the IP filter driver then calls the callback whenever a packet is sent or received. The same control code is also used to remove the callback from the IP filter driver.

For comparison, the prototype of the IoBuildDeviceIoControlRequest function is:

    PIRP IoBuildDeviceIoControlRequest(
        IN  ULONG            IoControlCode,
        IN  PDEVICE_OBJECT   DeviceObject,
        IN  PVOID            InputBuffer OPTIONAL,
        IN  ULONG            InputBufferLength,
        OUT PVOID            OutputBuffer OPTIONAL,
        IN  ULONG            OutputBufferLength,
        IN  BOOLEAN          InternalDeviceIoControl,
        IN  PKEVENT          Event,
        OUT PIO_STATUS_BLOCK IoStatusBlock
    );

When IoBuildDeviceIoControlRequest is used here, its parameters are as follows:

    pIrp = IoBuildDeviceIoControlRequest(
        IOCTL_PF_SET_EXTENSION_POINTER,
        pTargetDeviceObject,
        &HookInfo, sizeof(PF_SET_EXTENSION_HOOK_INFO),
        NULL, 0,
        FALSE,
        NULL,
        &IoStatusBlock);

Here pTargetDeviceObject points to the device object of the IP filter driver, and HookInfo is a PF_SET_EXTENSION_HOOK_INFO structure containing the address of the callback function. To remove the callback, the function pointer in this structure is set to NULL.

The Filter-Hook driver builds the IRP by calling IoBuildDeviceIoControlRequest with the required parameters. To obtain the device object of the IP filter driver, the Filter-Hook driver can use the IoGetDeviceObjectPointer function, passing the name of the IP filter driver's device object together with SYNCHRONIZE, GENERIC_READ and GENERIC_WRITE, which indicate that these three access rights are required. If the call succeeds, IoGetDeviceObjectPointer returns the target device object and its file object. The device name of the IP filter driver must be given as the Unicode string \Device\IPFILTERDRIVER.

The IRP is then submitted with the IoCallDriver function.

The PF_SET_EXTENSION_HOOK_INFO structure, which holds the pointer to the callback function, is defined as follows:

    typedef struct _PF_SET_EXTENSION_HOOK_INFO {
        PacketFilterExtensionPtr ExtensionPointer;
    } PF_SET_EXTENSION_HOOK_INFO, *PPF_SET_EXTENSION_HOOK_INFO;

The ExtensionPointer member is a pointer to the hook callback function; the hook is registered with the IP filter driver through this structure. If ExtensionPointer is NULL, the callback is removed from the IP filter driver.

Please credit the original address when reposting: https://www.9cbs.com/read-24082.html
