A simple analysis of implementing a firewall with SPI
Author: snsins
If you reproduce this, please credit the source and keep the article complete.
2002.12.5
----------------------------------------------------------------------
I originally wrote a simple SPI firewall program (it only did IP filtering; the packet-filtering function was never finished) and had since given up studying SPI, but recently friends asked about how an SPI firewall is implemented, so I am now analyzing and summarizing SPI again.
First, let's look at the general ways a firewall can be implemented.
The starting point is the structure of TCP/IP (the seven-layer OSI model):

    ----------------------
    | Application layer  |  ------ EXE programs, such as IE
    ----------------------
    | Presentation layer |  ------ WS2_32.dll
    ----------------------
    | Session layer      |  ------ SPI
    ----------------------
    | Transport layer    |  ------ TDI (cannot intercept the data of ICMP and other protocols)
    ----------------------
    | Network layer      |  ------ NDIS (can intercept all network data)
    ----------------------
    | Link layer         |  ------ device driver
    ----------------------
    | Physical layer     |  ------ NIC
    ----------------------

From the diagram we can clearly see how many ways there are to implement a firewall. For example, at the application layer one can hook the Winsock API functions (the Hook API approach). At the session layer there is the standard SPI method provided by Windows; compared with the Hook API approach, SPI is more standardized and more powerful, but it still runs in user mode. At the transport layer a firewall can also be written with TDI; although this has already reached kernel mode, like the two approaches above it cannot filter ICMP and other protocols, because the data of ICMP and similar protocols is not transmitted through it. From this we can see that the most standardized and most powerful way to implement a firewall on Windows should be NDIS (that is, implementing it at the network layer), because NDIS provides a set of rules: we only need to call some functions and organize the data, and that's it. Not only is it powerful, it is also simpler than the device driver of the link layer below. It should be said that a firewall could also be implemented at the link layer, but that feels unnecessary and too complicated.
Now let's go back and look at the structure of the SPI:

    --------------------
    |    WS2_32.dll    |
    --------------------
    |       SPI        |
    --------------------
    |       SPI        |   <-- there can be many such layers: the so-called layered service providers
    --------------------
         ..........
There are two kinds of service providers: the layered service provider and the base service provider. The picture above is not very accurate; treat it as a rough aid to understanding. A layered service provider must call the base service provider, or the layered service provider in the layer below it, and then hand the result back up to the layer above (which may be another layered service provider, or may be WS2_32.dll). A base service provider that we write must call the system base service provider and then return the result to WS2_32.dll. Note that the system may contain not only our base service provider but also base service providers written by others. When multiple layered service providers and multiple base service providers are installed, they are organized as shown below.
    -----------------------------------------------------------------------
    |                             WS2_32.dll                              |
    -----------------------------------------------------------------------
          |                          |                          |
          |        ------------------------------------          |
          |        | Others' layered service provider |          |
          |        ------------------------------------          |
          |                          |                          |
          |        ------------------------------------          |
          |        | Others' layered service provider |          |
          |        ------------------------------------          |
          |                          |                          |
          |        ------------------------------------          |
          |        | Our layered service provider     |          |
          |        ------------------------------------          |
          |                          |                          |
    -----------------------------------------------------------------------
    | Other base service  | Others' base service     | Our base service     |
    | provider            | provider                 | provider             |
    -----------------------------------------------------------------------
                                       |
    -----------------------------------------------------------------------
    |                    System base service provider                     |
    -----------------------------------------------------------------------

If it still isn't clear after this, I don't know what else to say.
From the above it can be seen that the organizing idea of the SPI is hierarchical. However, the base service provider has fewer layers than the layered service provider; in theory, layered service providers can have N layers (I don't know whether N is unlimited).
So how are these layers connected to each other? Through one function, WSPStartup. Here is its prototype:

    int WSPStartup(
        WORD                wVersionRequested,
        LPWSPDATA           lpWSPData,
        LPWSAPROTOCOL_INFOW lpProtocolInfo,
        WSPUPCALLTABLE      UpcallTable,
        LPWSPPROC_TABLE     lpProcTable
    );

The more important parameters here are the third and the last: lpProtocolInfo and lpProcTable. lpProtocolInfo is left for later, since it relates to installing the provider.
Now let's look at the API in WS2_32.dll. When called, the API functions in WS2_32.dll are eventually mapped onto 30 functions in the SPI, all of which start with WSP. Note that these 30 SPI functions cannot be called directly by an application; they are called by WS2_32.dll. LPWSPPROC_TABLE is a table that holds these 30 function pointers. We obtain the 30 function pointers of the next service provider by calling the next provider's WSPStartup, and we must also export this function ourselves (an SPI is a DLL), so that the service provider above us can in turn obtain our 30 function pointers.
For example:

    #include <ws2spi.h>

    HMODULE        LibHandle;   // handle from LoadLibrary of the next layer's provider DLL
    WSPPROC_TABLE  systemProc;  // the next layer's original function table, kept for later

    int WSPAPI WSPSend(SOCKET, LPWSABUF, DWORD, LPDWORD, DWORD, LPWSAOVERLAPPED,
                       LPWSAOVERLAPPED_COMPLETION_ROUTINE, LPWSATHREADID, LPINT); // below

    int WSPAPI WSPStartup(WORD wVersionRequested, LPWSPDATA lpWSPData,
                          LPWSAPROTOCOL_INFOW lpProtocolInfo,
                          WSPUPCALLTABLE UpcallTable, LPWSPPROC_TABLE lpProcTable)
    {
        // Get the WSPStartup function pointer of the next-layer service provider;
        // remember to LoadLibrary the next layer's DLL first.
        LPWSPSTARTUP WSPStartProc = (LPWSPSTARTUP)GetProcAddress(LibHandle, "WSPStartup");
        if (WSPStartProc == NULL)
            return WSAEPROVIDERFAILEDINIT;

        int ret = WSPStartProc(wVersionRequested, lpWSPData, lpProtocolInfo,
                               UpcallTable, lpProcTable);
        if (ret != 0)
            return ret;              // the layer below failed; pass its error up

        // Remember to keep the next layer's original function pointers. Friends who
        // have hooked APIs will know this: it is just like saving the original
        // address when you hook an API.
        systemProc = *lpProcTable;

        // Then set your own handler functions, almost like Hook API, e.g.:
        lpProcTable->lpWSPSend = WSPSend;

        return 0;                    // WSPStartup returns 0 on success
    }
Then we implement our own WSPSend:
    int WSPAPI WSPSend(SOCKET s, LPWSABUF lpBuffers, DWORD dwBufferCount,
                       LPDWORD lpNumberOfBytesSent, DWORD dwFlags,
                       LPWSAOVERLAPPED lpOverlapped,
                       LPWSAOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine,
                       LPWSATHREADID lpThreadId, LPINT lpErrno)
    {
        /* Here, using the parameter s with functions such as getsockname, we can get
           the socket's port and IP; those and the buffer can be processed right here,
           which is where IP filtering and packet filtering are implemented. Then call
           the corresponding function of the next service provider and return its result. */
        return systemProc.lpWSPSend(s, lpBuffers, dwBufferCount, lpNumberOfBytesSent,
                                    dwFlags, lpOverlapped, lpCompletionRoutine,
                                    lpThreadId, lpErrno);
    }

As for how to write the callback functions and so on, I won't discuss those issues here; those who are interested can look up the material.
This can also be used to implement a sniffer function, analyzing whatever network protocol you are interested in, such as POP3 or Telnet.
The data is in lpBuffers, the LPWSABUF parameter. Here is its structure; with it you know what to look at when analyzing the packet:

    typedef struct __WSABUF {
        u_long     len;   // length of the buffer, in bytes
        char FAR * buf;   // pointer to the buffer
    } WSABUF, FAR * LPWSABUF;
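As an added example, not code from the original article, the following portable C model ties together the WSPStartup chaining, the filtering WSPSend and the WSABUF array described above: it re-declares the ws2spi.h types it needs (reduced to the fields used) so it compiles without the Windows SDK, and the peers table, set_peer(), base_WSPSend() and the deny policy are constructed stand-ins for getsockname/getpeername, the system base provider and a real rule set.

```c
/* Added example (not the article's code): a portable model of the LSP chaining the
 * article describes; ws2spi.h types are re-declared, reduced to the fields used. */
#include <stdint.h>
typedef struct { unsigned long len; char *buf; } WSABUF;   /* as in the article */
typedef int (*LPWSPSEND)(int s, WSABUF *bufs, unsigned long count,
                         unsigned long *sent, int *lpErrno);
typedef struct { LPWSPSEND lpWSPSend; } WSPPROC_TABLE;      /* only the hooked entry */
#define WSAEACCES 10013
#define SOCKET_ERROR (-1)
/* Constructed stand-in for getsockname/getpeername: socket number -> peer. */
static struct { uint32_t ip; uint16_t port; } peers[8];
void set_peer(int s, uint32_t ip, uint16_t port) { peers[s].ip = ip; peers[s].port = port; }
/* Stand-in for the system base provider's WSPSend: "sends" every buffer. */
static int base_WSPSend(int s, WSABUF *bufs, unsigned long count,
                        unsigned long *sent, int *lpErrno) {
    unsigned long total = 0;
    (void)s; (void)lpErrno;
    for (unsigned long i = 0; i < count; i++) total += bufs[i].len;
    *sent = total;
    return 0;
}

static WSPPROC_TABLE systemProc;  /* next layer's table, saved like a Hook API original */
/* Constructed policy: deny outbound Telnet and anything into 10.0.0.0/8. */
static int denied(uint32_t ip, uint16_t port) {
    return port == 23 || (ip & 0xFF000000u) == 0x0A000000u;
}

/* Our WSPSend: decide first, then pass the call down the chain unchanged. */
int WSPSend(int s, WSABUF *bufs, unsigned long count, unsigned long *sent, int *lpErrno) {
    if (denied(peers[s].ip, peers[s].port)) {
        *sent = 0; *lpErrno = WSAEACCES;   /* clean failure reported to the app */
        return SOCKET_ERROR;
    }
    return systemProc.lpWSPSend(s, bufs, count, sent, lpErrno);
}
/* Our WSPStartup: the layer below has filled lpProcTable; keep a copy, then
 * overwrite the entries we intercept. Returns 0 (success) like the real one. */
int WSPStartup(WSPPROC_TABLE *lpProcTable) {
    systemProc = *lpProcTable;
    lpProcTable->lpWSPSend = WSPSend;
    return 0;
}
/* What ws2_32 ends up holding once our layer sits on top of the base one. */
WSPPROC_TABLE make_chain(void) {
    WSPPROC_TABLE t = { base_WSPSend };
    WSPStartup(&t);
    return t;
}
```

A denied send never reaches the base provider, while an allowed one is passed down with the WSABUF array untouched and the byte count the lower layer reports is returned as-is.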
-----------------to be continued.....