Windows network packet filtering technology

xiaoxiao, 2021-03-06

(Original: http://www.ndis.com/papers/winpktfilter.htm)

// This appears to be a translation (translator's note :)

// Author: sevencat (seven cats) // The original author is not specified (translator's note)

I. User-mode network packet filters

1. Winsock Layered Service Provider (LSP)

Refer to the documentation and examples in the Microsoft Platform SDK (http://www.microsoft.com/msdownload/platformsdk/sdkupdate/).

Several Microsoft LSP examples are found there, and the latest (probably least buggy) versions can usually be obtained from the same place. Note that the core TCP/IP driver can also be called directly through TDI, bypassing Winsock completely; in most cases this is not a problem. For example, QoS can be implemented in a Winsock LSP. However, if a program must inspect and act on every packet, it cannot rely on a Winsock LSP; it has to take a kernel-mode approach.

2. Win2000 packet filter interface

The Win2000 packet filter interface provides a mechanism that lets user programs or services specify a set of "filter rules", which are then enforced by the low-level TCP/IP stack. The filters mainly perform pass or drop decisions based on the IP source address, destination address and port number (or port range).

Windows Developer's Journal, "Packet Filtering with iphlpapi.dll", by Ton Plooy, October 2000, Volume 11, Number 10.

Win2000 provides better programmatic control over TCP/IP, including packet filtering. Unfortunately, documentation for this new API is not easy to find. The article demonstrates how to program the filtering of packets for specific IP addresses or specific TCP ports.

Link: www.wdj.com

Download of the above example: ftp://ftp.wdj.com/pub/webzip/1110/plooy.zip

Hollis's solution:

The HTS W2K iphook example demonstrates IP filtering and its hook API, includes the source files, and is free; it requires the HTSCPP runtime library (also free). Download address: http://www.hollistech.com/
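The rule semantics this section describes (source/destination address, port range, pass or drop) as an added illustrative model in plain C; this is not the iphlpapi.dll Pf* API nor code from Plooy's article, and it assumes that rules act as exceptions to a per-direction default action, which the text above does not spell out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Pack four octets into a host-order IPv4 address; a constant expression,
 * so it is usable in static initialisers. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef enum { ACTION_PASS, ACTION_DROP } action_t;

/* One filter rule (a model, not the real PF_FILTER_DESCRIPTOR): source and
 * destination address with mask, protocol and a destination port range.
 * Mask 0 matches any address, protocol 0 any protocol, 0/0 any port. */
typedef struct {
    uint32_t src_addr, src_mask, dst_addr, dst_mask;
    uint8_t  protocol;
    uint16_t dst_port_lo, dst_port_hi;
} filter_rule_t;

/* The header fields a rule looks at. */
typedef struct { uint32_t src, dst; uint8_t protocol; uint16_t dst_port; } packet_t;

static bool rule_matches(const filter_rule_t *r, const packet_t *p) {
    if ((p->src & r->src_mask) != (r->src_addr & r->src_mask)) return false;
    if ((p->dst & r->dst_mask) != (r->dst_addr & r->dst_mask)) return false;
    if (r->protocol != 0 && r->protocol != p->protocol) return false;
    if (r->dst_port_hi != 0 &&
        (p->dst_port < r->dst_port_lo || p->dst_port > r->dst_port_hi)) return false;
    return true;
}

/* Assumed semantics: rules are exceptions to the direction's default action.
 * The first matching rule yields the opposite action, else the default applies. */
static action_t filter_packet(action_t default_action, const filter_rule_t *rules,
                              size_t n, const packet_t *p) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return default_action == ACTION_DROP ? ACTION_PASS : ACTION_DROP;
    return default_action;
}

/* Constructed inbound policy: drop everything by default, but pass TCP (6)
 * from 192.168.1.0/24 to the single host 10.0.0.5 on ports 80-443. */
static action_t demo_inbound(const packet_t *p) {
    static const filter_rule_t allow[] = {
        { IP4(192,168,1,0), 0xFFFFFF00u, IP4(10,0,0,5), 0xFFFFFFFFu, 6, 80, 443 },
    };
    return filter_packet(ACTION_DROP, allow, sizeof allow / sizeof allow[0], p);
}
```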

3. Winsock replacement DLL

Before Winsock LSPs existed, the only way was to replace Microsoft's Winsock DLL with one of your own. If done successfully, your own DLL receives the user's Winsock call requests and then calls the original Winsock DLL to process them. However, this is fairly laborious, and one difficulty is that Microsoft's Winsock DLL usually has some undocumented internal functions; a Winsock replacement has to handle at least some of these undisclosed functions. As the Windows system architecture has changed, some aspects have been hardened, such as system file protection, which makes this technique less feasible. In general, replacing the Winsock DLL is not a good idea. (Xfilter uses this technique; its source code may be circulating online, I have seen it before.)

II. Kernel-mode network packet filters

1. Transport Driver Interface (TDI)

This is a filter layered directly on top of the core TCP/IP driver. On WinXP the TDI driver is an NT-style transport driver that uses IRP-based APIs, and there are two methods here:

A. Use the kernel-mode IoAttachDeviceXxx function family to implement a filter on top of TDI.

B. Hook the TDI driver's IRP dispatch table.

The IoAttachDeviceXxx functions are mentioned in many WinNT driver development texts. Both techniques require a very good understanding of WinNT driver development programming and a solid understanding of the TDI functions.

2. NDIS Intermediate (IM) driver

See the NDIS IM FAQ for details: http://www.pcausa.com/resources/ndisimfaq.htm

3. Win2000 Filter-Hook

Refer to the DDK documentation. Only one active filter-hook driver can exist in the system at a time, which seriously limits the use of this technique. (DRVIPFLT typically uses this.)

4. Win2000 Firewall-Hook

The Firewall-Hook driver is very sparsely documented and is not available in some Win2000 versions. Refer to Microsoft's documentation: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/network/hh/network/firewall_3wfb.asp

5. NDIS-Hooking (the Fair firewall uses this technique, as far as I know, although I have never seen its source code.)

An NDIS-hooking driver intercepts, or "hooks", some of the functions exported by the NDIS wrapper. Although this is a somewhat unorthodox means of implementation, a systematically designed NDIS-hooking filter can be very effective.

In addition, NDIS-hooking filter drivers have the following benefits:

A. Easy to install (can be loaded dynamically, although problems sometimes occur, some of them still unexplained).

B. Support for dial-up PPP adapters.

NDIS-hooking is very effective and practical on Windows 98 and ME. On these platforms, the DDK documentation and the services it provides help you hook the functions exported by the NDIS wrapper.

NDIS-hooking is equally effective and practical on NT, 2000 and XP. The technique is very similar to kernel-mode debugging: it is poorly documented and will basically never pass WHQL certification.

PCAUSA provides an NDIS PIM example driver that runs successfully on existing Windows platforms (from 95 to XP). Address: http://www.pcausa.com/ndispim/default.htm

Other: network activity and process information

Many people want to know how to relate network connections to Windows processes (that is, applications); for example, you may want to know which process sends or receives data on a specific IP port. Leaving aside whether this technique is useful or reliable, we believe that a filter driver above the kernel-mode TCP/IP driver can handle this problem. A filter driver below TCP/IP does not see process information at all. Note in particular that some network service operations spawn a new process attached to the system process; in this case the process information cannot tell us which process originally initiated the operation. In particular, Windows services that run separately in kernel mode (TDI clients)

Please cite the original address when reposting: https://www.9cbs.com/read-63395.html