A personal understanding of SPI technology

xiaoxiao, 2021-03-06

I) Overview of personal firewall technology

With network security incidents on the rise, ordinary users pay more and more attention to network security products, and the firewall has become the favourite among them. Personal firewalls running on the PC have largely become the security guards of ordinary netizens. Personal firewalls under Windows are all based on packet interception, although the concrete implementations differ greatly. Broadly they fall into two categories, user-level and kernel-level packet filtering. Kernel-level filtering means TDI filter drivers, NDIS intermediate drivers, NDIS filter-hook drivers and the like, all of which are network drivers; user-level filtering includes the SPI interface and the Windows 2000 packet filtering interface. This article covers packet filtering based on SPI, a new feature of Winsock 2.

II) Introduction to the Winsock 2 SPI

Winsock 2 is an interface, not a protocol, so it can be used to discover and use the communication capabilities of any number of underlying transport protocols. The original Winsock was built around TCP/IP, but Winsock 2 added support for further transport protocols. Winsock 2 not only provides the Windows Sockets application programming interface (API) through which applications obtain network services; it also defines the Winsock service provider interface (SPI), implemented by transport service providers and name-resolution (name-space) service providers, and WS2_32.DLL, which sits between the two. This article only discusses transport service providers and their applications; name-resolution providers are not analysed. A Winsock 2 transport service provider exists as a dynamic link library (DLL) that exposes a single function, WSPStartup, as its entry point for the upper layer; the other transport provider functions are reached through the dispatch table that WSPStartup fills in and hands back to WS2_32.DLL.

The transport provider DLL is loaded into memory only when an application needs it and is unloaded automatically when it is no longer needed. The position of the transport service provider in WOSA (Windows Open Services Architecture) is:

    +-----------------------------------+
    |   Windows Sockets 2 Application   |
    +-----------------------------------+
               Windows Sockets 2 API
    +-----------------------------------+
    |            WS2_32.DLL             |
    +-----------------------------------+
          Windows Sockets 2 Transport SPI
    +-----------------------------------+
    |  Transport Service Provider (DLL) |
    +-----------------------------------+

The Windows Sockets SPI uses the following function prefixes in a service provider: WSP (Windows Sockets Service Provider) for the provider's own functions and WSC (Windows Sockets Configuration) for the catalog configuration functions. Every transport service provider has its own transport protocol, described by a WSAPROTOCOL_INFOW structure: the provider stores all the relevant information about the protocol in this structure, and an application uses its contents to associate itself with that protocol. The Windows Sockets SPI distinguishes three kinds of protocol: layered protocols, base protocols and protocol chains. A layered protocol sits above an underlying protocol and relies on the base protocol beneath it to deliver more advanced communication services. A base protocol, by contrast, is one that can by itself carry out data communication with a remote endpoint, securely and independently.

A protocol chain is a chain structure that links a number of base and layered protocols together in an order determined by their characteristics, for example:

    API
    +-----------------------+
    |      WS2_32.DLL       |
    +-----------------------+
    SPI
    +-----------------------+
    |   Layered protocol    |
    +-----------------------+
    SPI
    +-----------------------+
    |   Layered protocol    |
    +-----------------------+
    SPI
    +-----------------------+
    |     Base protocol     |
    +-----------------------+

The main job of the data transport part is to provide traffic management between service providers and applications. Each application socket is strictly bound by WS2_32.DLL to one corresponding service provider. WS2_32.DLL selects a particular service provider according to the parameters the application supplies when it creates the socket, and from then on forwards the application's calls to the service provider that created that socket. In other words, WS2_32.DLL is only an intermediary and the API is only an interface; the actual data communication is done by the service provider. As already said, WS2_32.DLL decides which service provider to use from the parameters of the socket creation functions WSASocket / socket. Those parameters, the address family, the socket type and the protocol, together determine which provider creates the socket. WS2_32.DLL looks among the installed providers for the WSAPROTOCOL_INFOW structure matching these three values, then calls the WSPStartup function belonging to that structure (every data transport service provider is a DLL whose only exported interface is WSPStartup; the other provider functions are reached through the table WSPStartup returns), and through that table calls WSPSocket to create the socket, WSPConnect to establish a connection, and so on.

Besides traffic management, WS2_32.DLL also provides other services, such as protocol enumeration, management of thread-based blocking hooks, and version negotiation between WS2_32.DLL and the service providers. The functions a transport service provider implements include connecting, transferring data, flow control and error control. WS2_32.DLL does not know how a service provider carries out a request; it is simply the intermediary between applications and providers. Transport service providers fall into two categories: those whose socket descriptors are installable file system (IFS) handles, and the remaining non-IFS providers. Our program uses a non-IFS provider. So the service provider implements the underlying, network-related protocol, while WS2_32.DLL provides the intermediate traffic management and the information on how network-related operations are to be carried out; together they implement the function the user wants.

When implementing a transport service provider, the installation step is very important. Not only must the provider be installed correctly, it must also be registered with Windows Sockets, which saves the relevant information in the system catalog so that WS2_32.DLL can easily obtain the provider's information the next time. WS2_32.DLL exports WSCInstallProvider for installing a service provider; it takes the provider's data, such as the name and path of the DLL. WS2_32.DLL also exports WSCDeinstallProvider for uninstalling a provider, which removes it from the system when it is no longer needed. Why does the installation order matter so much?
WSCEnumProtocols, one of the service provider configuration functions, enumerates all the service providers installed in the system and lists them in their installation order.

As mentioned earlier, WS2_32.DLL searches the installed providers for the one matching the three parameters given to WSASocket / socket, so the installation order determines, to a considerable extent, whether our provider gets called at all; this is the key to being called correctly. Windows Sockets 2 also provides a dynamic link library, sporder.dll, for rearranging the order of all the installed service providers (Windows itself does not ship this DLL; it comes with the Platform SDK, and a copy is kept in the Common directory of the accompanying code). The T-sporder.exe in the appendix is a tool that queries the properties of all currently installed data transport service providers.

The system distinguishes base protocols, layered protocols and protocol chains by the ChainLen value of the ProtocolChain member of WSAPROTOCOL_INFOW: a layered protocol has ChainLen 0 (LAYERED_PROTOCOL), a base protocol has ChainLen 1 (BASE_PROTOCOL), and a protocol chain has a ChainLen greater than 1. A layered protocol and a base protocol are almost identical in how the transport service provider DLL is implemented; they differ in how they are installed. In Windows, the existing (built-in) system service providers already supply almost all the base services, so the provider we write can let the packet pass to the system provider and only "touch it up" afterwards, leaving the remaining work to the system provider; both base and layered providers can use this technique to avoid unnecessary labour. Implementing it as a base provider mainly means replacing the installation path of the current system provider with the installation path of our own provider. We must of course save the system provider's data beforehand, such as the name and path of its DLL, because it is needed to restore the system provider when our own provider is uninstalled. A protocol chain is different: first all the base and layered protocols involved must be installed, then the WSAPROTOCOL_INFOW structure of the chain is built, with every protocol making up the chain listed in the chain's ProtocolChain.ChainEntries array; the first entry in that array should be the layered service provider at the top of the chain. When installing a layered protocol or a protocol chain we do not modify the system providers, we only change their installation order.

Here we take the installation of a data transport provider as a layered service provider as the example. WS2_32.DLL loads the service provider DLL into the process with the standard dynamic link library mechanism and calls WSPStartup to initialise it. WSPStartup is the initialisation function, that is, the entry function, that a Windows Sockets 2 application's call causes to be invoked in the SPI program. Its LPWSAPROTOCOL_INFOW parameter points to the protocol information the application expects; through this structure pointer we can obtain the saved DLL name and path of the system service provider (for a protocol chain, the next catalog entry in ProtocolChain.ChainEntries identifies it, and WSCGetProviderPath returns its DLL path), load the system provider, and locate its WSPStartup function. With that function pointer we can link our own provider's WSPStartup to the system SPI program's WSPStartup, and afterwards call each of the system provider's functions. Implementing a data transport service provider therefore needs two programs: an executable that installs the transport service provider, and the transport service provider itself in DLL form.
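The catalog order, the ChainLen classification and the provider DLL path described in the preceding paragraphs can all be inspected from outside any provider, and the same installation mechanism that lets a firewall insert a layered provider in front of every socket lets any other code do so, which is why a defender wants to audit the catalog. The following PowerShell script is an added example, not code from the original article or its appendix tools: it parses the output of `netsh winsock show catalog` (the same catalog WSCEnumProtocols walks, printed in installation order) into objects, classifies each entry by its Protocol Chain Length exactly as the article does, and flags entries whose DLL sits outside the Windows system directories, is missing from disk, or lacks a valid Authenticode signature. The $SampleCatalog text is constructed to mimic the netsh output format (its LSP entries are fictitious), and the field names the parser relies on are assumed from that format.

```powershell
# Added example (not from the original article): audit the Winsock 2 provider
# catalog that WS2_32.DLL consults, using the output of `netsh winsock show catalog`.
# Assumption: netsh prints one "Winsock Catalog Provider Entry" block per provider,
# in catalog (installation) order, as "Key:   Value" lines. $SampleCatalog is
# constructed to mimic that format so the parser can be exercised offline; the
# second and third entries are a fictitious layered provider and its chain.

$SampleCatalog = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP (constructed)
Provider Path:                      C:\Users\Public\lsp.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over MSAFD Tcpip [TCP/IP]
Provider Path:                      C:\Users\Public\lsp.dll
Catalog Entry ID:                   1031
Address Family:                     2
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
'@

# Turn the netsh text into one object per catalog entry, preserving catalog order.
function ConvertFrom-WinsockCatalog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($null -ne $current) { [void]$entries.Add([pscustomobject]$current) }
            $current = [ordered]@{}
        }
        elseif ($null -ne $current -and $line -match '^([^:]+):\s+(.*)$') {
            # The key is everything before the first colon, so "C:\..." paths survive.
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($null -ne $current) { [void]$entries.Add([pscustomobject]$current) }
    return $entries.ToArray()
}

# Map WSAPROTOCOL_INFOW.ProtocolChain.ChainLen to the three provider kinds.
function Get-ProviderKind {
    param([int]$ChainLength)
    switch ($ChainLength) {
        0       { return 'layered protocol (LAYERED_PROTOCOL)' }
        1       { return 'base protocol (BASE_PROTOCOL)' }
        default { return "protocol chain ($ChainLength entries)" }
    }
}

# Flag an entry whose DLL lives outside the system directories, is missing,
# or does not carry a valid Authenticode signature.
function Test-WinsockProvider {
    param([Parameter(Mandatory)][pscustomobject]$Entry)
    $reasons = @()
    $path = [Environment]::ExpandEnvironmentVariables($Entry.'Provider Path')
    $allowed = @('%SystemRoot%\system32', '%SystemRoot%\SysWOW64') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    $inSystemDir = $false
    foreach ($dir in $allowed) { if ($path -like "$dir\*") { $inSystemDir = $true } }
    if (-not $inSystemDir) { $reasons += 'DLL outside the Windows system directories' }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    } else {
        $reasons += 'DLL not present on disk'
    }
    [pscustomobject]@{
        CatalogEntryId = $Entry.'Catalog Entry ID'
        Kind           = Get-ProviderKind ([int]$Entry.'Protocol Chain Length')
        Description    = $Entry.'Description'
        Path           = $path
        Suspicious     = ($reasons.Count -gt 0)
        Reasons        = ($reasons -join '; ')
    }
}

# Run against the constructed sample (works wherever PowerShell runs)...
ConvertFrom-WinsockCatalog -Lines ($SampleCatalog -split "`r?`n") |
    ForEach-Object { Test-WinsockProvider $_ } | Format-Table -AutoSize

# ...and, on Windows, against the live catalog in installation order.
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    ConvertFrom-WinsockCatalog -Lines (netsh winsock show catalog) |
        ForEach-Object { Test-WinsockProvider $_ } | Format-Table -AutoSize
}
```

On the constructed sample the two entries pointing at C:\Users\Public\lsp.dll are reported as suspicious (outside the system directories and absent from disk), while the MSAFD base provider passes on a Windows machine where mswsock.dll is present and signed. If a live audit turns up a provider you did not install, `netsh winsock reset` restores the default catalog (a reboot is required), which is the quickest way to remove a layered provider without trusting its own uninstaller.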

III) Advantages of SPI

SPI technology is much less difficult than TDI or NDIS, because compiling and debugging TDI and NDIS drivers is very painful, whereas SPI works in the application layer, which is an advantage when network packets need high-level processing. For example, when I wrote a filter for outgoing mail I found SPI very good: because it sits in the application layer the data is immediately intelligible, whereas NDIS works at the network layer, its packets are hard to interpret, and because of IP fragmentation it is very painful to reassemble the whole mail message. Using SPI for this kind of task is intuitive and convenient.

IV) Shortcomings of SPI

Compared with the lower-level packet technologies (TDI, NDIS and so on), SPI is a high-level technique and is easy to bypass: anything that talks to the stack below Winsock never passes through it. Because it works in the application layer it cannot parse network packets: it cannot know what the packet looks like at the link layer, the network layer or the transport layer, and can only make simple judgements at the level of the socket calls send / sendto, such as whether the data goes out as UDP or TCP. SPI filtering is also very limited: since it is a function of the socket service provider it can only filter on what the socket layer handles, such as IP address, port number and buffer contents; filtering on a TCP flag, for instance, is impossible. Furthermore, SPI does not take effect on programs that are already running. For example, if I want to monitor the content an SMTP server sends, then after the SPI program is installed the SMTP service must be restarted so that it recreates its sockets; otherwise it keeps using the sockets it already opened, which our SPI program has never processed. So whichever network program you want to process, you must first stop it, then install your SPI program, then start the network program again, which is hard to bear.
A filter that needs the mail server restarted? (gosh)

Please credit the original source when reposting: https://www.9cbs.com/read-48303.html
