WFP网络过滤

最新推荐文章于 2025-05-11 01:26:20 发布
最新推荐文章于 2025-05-11 01:26:20 发布
阅读量596 收藏 10
点赞数 4
CC 4.0 BY-SA版权
分类专栏: windows内核 文章标签: 网络 驱动开发 windows 安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_45844442/article/details/145118940

文章目录

简介

WFP框架整体代码比较死板,直接使用其封装好的API调用,此项目代码整体框架源于WFP网络过滤驱动——限制网站访问,利用WFP框架和IRP通信框架由应用层发送指定的目标IP到驱动层进行封禁访问,也可以对端口、源IP等进行封禁,其中对其代码框架做了初步修改,修改内容如下:

修改内容

增加了封禁和解除封禁目标网站功能,应用层代码从MFC窗口程序转换为普通C项目程序

代码

驱动层Rule.h

#pragma once

#define WFP_TAG	'wfpT'

#pragma pack(push)
#pragma pack(1)
typedef struct _tagWfp_NetInfo
{
	USHORT      m_uSrcPort;	//源端口
	USHORT      m_uRemotePort;	//目标端口
	ULONG       m_ulSrcIPAddr; //源地址
	ULONG       m_ulRemoteIPAddr; //目标地址
	ULONG       m_ulNetWorkType; //协议
	USHORT		m_uDirection;//数据包的方向,0表示发送,1表示接收
	BOOLEAN     m_Open;//开启过滤
} ST_WFP_NETINFO, *PST_WFP_NETINFO;

typedef struct _tagWfp_NetInfoList
{
	LIST_ENTRY		m_linkPointer;
	ST_WFP_NETINFO	m_stWfpNetInfo;

}ST_WFP_NETINFOLIST,*PST_WFP_NETINFOLIST;

#pragma pack(pop)


BOOLEAN InitRuleInfo();

BOOLEAN UninitRuleInfo();

BOOLEAN AddNetRuleInfo(PVOID pRuleInfo,ULONG uLen);

BOOLEAN IsHitRule(ULONG uRemotePort);

驱动层WfpSample.h

#pragma once


#define FILTER_MAJOR_NDIS_VERSION   6

#if defined(NDIS60)
#define FILTER_MINOR_NDIS_VERSION   0
#elseif defined(NDIS620)
#define FILTER_MINOR_NDIS_VERSION   20
#elseif defined(NDIS630)
#define FILTER_MINOR_NDIS_VERSION   30
#endif
#ifndef MAX_PATH
#define MAX_PATH	(260)
#endif

#define WFP_DEVICE_NAME				L"\\Device\\wfp_sample_device"

#define WFP_SYM_LINK_NAME			L"\\DosDevices\\wfp_sample_device"

#define WFP_SAMPLE_ESTABLISHED_CALLOUT_DISPLAY_NAME	L"WfpSampleEstablishedCalloutName"

#define WFP_SAMPLE_SUB_LAYER_DISPLAY_NAME	L"WfpSampleSubLayerName"

#define WFP_SAMPLE_FILTER_ESTABLISH_DISPLAY_NAME	L"WfpSampleFilterEstablishName"

#define HTTP_DEFAULT_PORT	55485
#define HTTP_DEFAULT_PORT2	60210
#define IOCTL_WFP_SAMPLE_ADD_RULE CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_READ_ACCESS | FILE_WRITE_ACCESS)

// {D969FC67-6FB2-4504-91CE-A97C3C32AD36}
DEFINE_GUID(WFP_SAMPLE_ESTABLITSHE_CALLOUT_V4_GUID, 0xd969fc67, 0x6fb2, 0x4504, 0x91, 0xce, 0xa9, 0x7c, 0x3c, 0x32, 0xad, 0x36);

// {ED6A516A-36D1-4881-BCF0-ACEB4C04C21C}
DEFINE_GUID(WFP_SAMPLE_SUBLAYER_GUID, 
			0xed6a516a, 0x36d1, 0x4881, 0xbc, 0xf0, 0xac, 0xeb, 0x4c, 0x4, 0xc2, 0x1c);



/*函数原型声明*/
void  DriverUnload(__in struct _DRIVER_OBJECT  *DriverObject);

PDEVICE_OBJECT	CreateDevice( __in struct _DRIVER_OBJECT* DriverObject );

NTSTATUS WfpSampleIRPDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

NTSTATUS WfpRegisterCalloutImple(
								  IN OUT void* deviceObject,
								  IN  FWPS_CALLOUT_CLASSIFY_FN ClassifyFunction,
								  IN  FWPS_CALLOUT_NOTIFY_FN NotifyFunction,
								  IN  FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN FlowDeleteFunction,
								  IN  const GUID* calloutKey,
								  IN  UINT32 flags,
								  OUT UINT32* calloutId
								  );

NTSTATUS WfpRegisterCallouts( IN OUT void* deviceObject );

VOID NTAPI Wfp_Sample_Established_ClassifyFn_V4(
	IN const FWPS_INCOMING_VALUES0  *inFixedValues,
	IN const FWPS_INCOMING_METADATA_VALUES0  *inMetaValues,
	IN OUT VOID  *layerData,
	IN OPTIONAL const void  *classifyContext,
	IN const FWPS_FILTER1  *filter,
	IN UINT64  flowContext,
	OUT FWPS_CLASSIFY_OUT0  *classifyOut
	);


NTSTATUS NTAPI Wfp_Sample_Established_NotifyFn_V4( IN FWPS_CALLOUT_NOTIFY_TYPE notifyType, IN const GUID* filterKey, IN const FWPS_FILTER* filter);

VOID NTAPI Wfp_Sample_Established_FlowDeleteFn_V4( IN UINT16 layerId, IN UINT32 calloutId, IN UINT64 flowContext );


NTSTATUS WfpAddCallouts();

NTSTATUS WfpRegisterCallouts(IN OUT void* deviceObject);

NTSTATUS WfpAddSubLayer();

NTSTATUS WfpAddFilters();


VOID WfpUnRegisterCallouts();

VOID WfpRemoveCallouts();

VOID WfpRemoveSubLayer();

VOID WfpRemoveFilters();

HANDLE OpenEngine();

void CloseEngine();

NTSTATUS InitWfp();

VOID UninitWfp();

VOID DeleteDevice();

驱动层Rule.c

#include "fltkernel.h"
#include "Rule.h"


LIST_ENTRY	g_WfpRuleList = {0};

KSPIN_LOCK  g_RuleLock = 0;


BOOLEAN InitRuleInfo()
{
	InitializeListHead(&g_WfpRuleList);
	KeInitializeSpinLock(&g_RuleLock);
	return TRUE;
}

BOOLEAN UninitRuleInfo()
{
	do 
	{
		KIRQL	OldIRQL = 0;
		PLIST_ENTRY pInfo = NULL;
		PST_WFP_NETINFOLIST pRule = NULL;
		if( g_WfpRuleList.Blink == NULL || 
			g_WfpRuleList.Flink == NULL )
		{
			break;
		}
		KeAcquireSpinLock(&g_RuleLock,&OldIRQL);
		while( !IsListEmpty(&g_WfpRuleList) )
		{
			pInfo = RemoveHeadList(&g_WfpRuleList);
			if( pInfo == NULL )
			{
				break;
			}
			pRule = CONTAINING_RECORD(pInfo,ST_WFP_NETINFOLIST,m_linkPointer);
			ExFreePoolWithTag(pRule,WFP_TAG);
			pRule = NULL;
			pInfo = NULL;
		}
		KeReleaseSpinLock(&g_RuleLock,OldIRQL);
	} 
	while (FALSE);
	return TRUE;
}

BOOLEAN AddNetRuleInfo(PVOID pBuf,ULONG uLen)
{
	BOOLEAN bSucc = FALSE;
	PST_WFP_NETINFO	pRuleInfo = NULL;
	do 
	{
		PST_WFP_NETINFOLIST pRuleNode = NULL;
		KIRQL	OldIRQL = 0;
		pRuleInfo = (PST_WFP_NETINFO)pBuf;
		if( pRuleInfo == NULL )
		{
			break;
		}
		if( uLen < sizeof(ST_WFP_NETINFO) )
		{
			break;
		}
		//代表准备决定是否插入的链表
		pRuleNode = (PST_WFP_NETINFOLIST)ExAllocatePoolWithTag(NonPagedPool,sizeof(ST_WFP_NETINFOLIST),WFP_TAG);
		if( pRuleNode == NULL )
		{
			break;
		}
		memset(pRuleNode,0,sizeof(ST_WFP_NETINFOLIST));
		pRuleNode->m_stWfpNetInfo.m_uSrcPort = pRuleInfo->m_uSrcPort;
		pRuleNode->m_stWfpNetInfo.m_uRemotePort = pRuleInfo->m_uRemotePort;
		pRuleNode->m_stWfpNetInfo.m_ulSrcIPAddr = pRuleInfo->m_ulSrcIPAddr;
		pRuleNode->m_stWfpNetInfo.m_ulRemoteIPAddr = pRuleInfo->m_ulRemoteIPAddr;
		pRuleNode->m_stWfpNetInfo.m_ulNetWorkType = pRuleInfo->m_ulNetWorkType;
		pRuleNode->m_stWfpNetInfo.m_uDirection = pRuleInfo->m_uDirection;
		pRuleNode->m_stWfpNetInfo.m_Open = pRuleInfo->m_Open;
		KeAcquireSpinLock(&g_RuleLock,&OldIRQL);
		BOOLEAN exit = FALSE;
		//searchValueInList(&g_WfpRuleList,)
		do
		{
			if (g_WfpRuleList.Blink == NULL ||
				g_WfpRuleList.Flink == NULL)
			{
				DbgPrint("q");
				break;
			}

			PLIST_ENTRY	pEntry = NULL;
			pEntry = g_WfpRuleList.Flink;
			while (pEntry != &g_WfpRuleList)
			{
				//pInfo代表当前存在的链表
				PST_WFP_NETINFOLIST pInfo = CONTAINING_RECORD(pEntry, ST_WFP_NETINFOLIST, m_linkPointer);
				//判断链表是否存在,存在就进入里面
				if (pRuleNode->m_stWfpNetInfo.m_ulRemoteIPAddr == pInfo->m_stWfpNetInfo.m_ulRemoteIPAddr)
				{
					pInfo->m_stWfpNetInfo.m_Open = pRuleNode->m_stWfpNetInfo.m_Open;
					exit = TRUE;
					break;
				}
				pEntry = pEntry->Flink;
			}
		} while (FALSE);
		if (exit == FALSE)
		{
			InsertHeadList(&g_WfpRuleList, &pRuleNode->m_linkPointer);
		}
		exit = FALSE;
		KeReleaseSpinLock(&g_RuleLock,OldIRQL);
		bSucc = TRUE;
		break;
	}
	while (FALSE);
	return bSucc;
}

BOOLEAN IsHitRule(ULONG ulRemoteIPAddress)
{
	BOOLEAN bIsHit = FALSE;
	do 
	{
		
		KIRQL	OldIRQL = 0;
		PLIST_ENTRY	pEntry = NULL;
		if( g_WfpRuleList.Blink == NULL || 
			g_WfpRuleList.Flink == NULL )
		{
			DbgPrint("q");
			break;
		}
		
		KeAcquireSpinLock(&g_RuleLock,&OldIRQL);
		pEntry = g_WfpRuleList.Flink;
		while( pEntry != &g_WfpRuleList )
		{
			PST_WFP_NETINFOLIST pInfo = CONTAINING_RECORD(pEntry,ST_WFP_NETINFOLIST,m_linkPointer);
		
			if ((ulRemoteIPAddress == pInfo->m_stWfpNetInfo.m_ulRemoteIPAddr) && pInfo->m_stWfpNetInfo.m_Open == TRUE)
			{
				bIsHit = TRUE;
				break;
			}
			pEntry = pEntry->Flink;
		}
		KeReleaseSpinLock(&g_RuleLock,OldIRQL);
	} 
	while (FALSE);
	return bIsHit;

}

驱动层WfpSample.c

#define NDIS620
#include<ntifs.h>
#include <fwpmk.h>
#include<fwpmk.h>
#include <fwpsk.h>
#define INITGUID
#include <guiddef.h>
#include "WfpSample.h"
//#include "Fwpmu.h"
#include "Rule.h"
#include<fwpmu.h>

/*
本例子只是为了介绍WFP的用法,在实际应用中,如果只是根据简单的规则拦截数据包的话,
可以通过添加过滤器的方法实现。
*/
PDEVICE_OBJECT g_pDeviceObj = NULL;

UINT32	g_uFwpsEstablishedCallOutId = 0;

UINT32	g_uFwpmEstablishedCallOutId = 0;

UINT64 g_uEstablishedFilterId = 0;

HANDLE	g_hEngine = NULL;

NTSTATUS DriverEntry( __in struct _DRIVER_OBJECT* DriverObject, __in PUNICODE_STRING RegistryPath )
{
	NTSTATUS nStatus = STATUS_UNSUCCESSFUL;
	UNREFERENCED_PARAMETER(RegistryPath);
	do 
	{
		if( DriverObject == NULL )
		{
			break;
		}
		DriverObject->MajorFunction[IRP_MJ_CREATE] = WfpSampleIRPDispatch;
		DriverObject->MajorFunction[IRP_MJ_CLOSE] =  WfpSampleIRPDispatch;
		DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = WfpSampleIRPDispatch;
		if( FALSE == InitRuleInfo() )
		{
			break;
		}
		g_pDeviceObj = CreateDevice(DriverObject);
		if( g_pDeviceObj == NULL )
		{
			break;
		}
		if( InitWfp() != STATUS_SUCCESS )
		{
			break;
		}
		DriverObject->DriverUnload = DriverUnload;
		nStatus = STATUS_SUCCESS;
	} 
	while (FALSE);
	if( nStatus != STATUS_SUCCESS )
	{
		UninitWfp();
		DeleteDevice();
		UninitRuleInfo();
	}
	return nStatus;
}

NTSTATUS WfpSampleIRPDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
	NTSTATUS nStatus = STATUS_SUCCESS;
	ULONG	ulInformation = 0;
	UNREFERENCED_PARAMETER(DeviceObject);
	do 
	{
		PIO_STACK_LOCATION	IrpStack = NULL;
		PVOID pSystemBuffer = NULL;
		ULONG uInLen = 0;
		if( Irp == NULL )
		{
			break;
		}
		pSystemBuffer = Irp->AssociatedIrp.SystemBuffer;
		IrpStack = IoGetCurrentIrpStackLocation( Irp );
		if( IrpStack == NULL )
		{
			break;
		}
		uInLen = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
		if( IrpStack->MajorFunction != IRP_MJ_DEVICE_CONTROL )
		{
			break;
		}
		// 开始处理DeivceIoControl的情况
		switch( IrpStack->Parameters.DeviceIoControl.IoControlCode )
		{
		case IOCTL_WFP_SAMPLE_ADD_RULE:
			{
				BOOLEAN bSucc = FALSE;
				bSucc = AddNetRuleInfo(	pSystemBuffer ,uInLen );
				if( bSucc == FALSE )
				{
					nStatus = STATUS_UNSUCCESSFUL;
				}
				break;
			}
		default:
			{
				ulInformation = 0;
				nStatus = STATUS_UNSUCCESSFUL;
			}
		}
	} 
	while (FALSE);
	if( Irp != NULL )
	{
		Irp->IoStatus.Information = ulInformation;
		Irp->IoStatus.Status = nStatus;
		IoCompleteRequest(Irp, IO_NO_INCREMENT);
	}
	return nStatus;
}

PDEVICE_OBJECT	CreateDevice( __in struct _DRIVER_OBJECT* DriverObject )
{
	UNICODE_STRING	uDeviceName = {0};
	UNICODE_STRING	uSymbolName = {0};
	PDEVICE_OBJECT	pDeviceObj = NULL;
	NTSTATUS nStatsus = STATUS_UNSUCCESSFUL;
	RtlInitUnicodeString(&uDeviceName,WFP_DEVICE_NAME);
	RtlInitUnicodeString(&uSymbolName,WFP_SYM_LINK_NAME);
	nStatsus = IoCreateDevice(DriverObject,0,&uDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObj);
	if( pDeviceObj != NULL )
	{
		pDeviceObj->Flags |= DO_BUFFERED_IO;
	}
	IoCreateSymbolicLink(&uSymbolName,&uDeviceName);
	return pDeviceObj;
}

VOID DeleteDevice()
{
	UNICODE_STRING uSymbolName = {0};
	RtlInitUnicodeString(&uSymbolName,WFP_SYM_LINK_NAME);
	IoDeleteSymbolicLink(&uSymbolName);
	if( g_pDeviceObj != NULL )
	{
		IoDeleteDevice(g_pDeviceObj);
	}
	g_pDeviceObj = NULL;
}

NTSTATUS InitWfp()
{
	NTSTATUS nStatus = STATUS_UNSUCCESSFUL;
	do 
	{
		g_hEngine = OpenEngine();
		if( g_hEngine == NULL )
		{
			break;
		}
		//注册呼出接口
		if (STATUS_SUCCESS  != WfpRegisterCallouts(g_pDeviceObj) )
		{
			break;
		}
		//添加呼出接口
		if( STATUS_SUCCESS != WfpAddCallouts() )
		{
			break;
		}
		//添加子层
		if( STATUS_SUCCESS != WfpAddSubLayer() )
		{
			break;
		}
		//添加过滤引擎
		if( STATUS_SUCCESS != WfpAddFilters() )
		{
			break;
		}
		nStatus = STATUS_SUCCESS;
	} 
	while (FALSE);
	return nStatus;
}

VOID UninitWfp()
{
	WfpRemoveFilters();
	WfpRemoveSubLayer();
	WfpRemoveCallouts();
	WfpUnRegisterCallouts();
	CloseEngine();
}

void  DriverUnload(__in struct _DRIVER_OBJECT  *DriverObject)
{
	UninitWfp();
	DeleteDevice();
	UninitRuleInfo();
	return;
}


HANDLE OpenEngine()
{
	FWPM_SESSION0 Session = {0};
	HANDLE hEngine = NULL;
	FwpmEngineOpen(NULL,RPC_C_AUTHN_WINNT,NULL,&Session,&hEngine);
	return hEngine;
}

void CloseEngine()
{
	if( g_hEngine != NULL )
	{
		FwpmEngineClose(g_hEngine);
	}
	g_hEngine = NULL;
}


NTSTATUS WfpRegisterCalloutImple(
	IN OUT void* deviceObject,
	IN  FWPS_CALLOUT_CLASSIFY_FN ClassifyFunction,
	IN  FWPS_CALLOUT_NOTIFY_FN NotifyFunction,
	IN  FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN FlowDeleteFunction,
	IN  const GUID* calloutKey,
	IN  UINT32 flags,
	OUT UINT32* calloutId
)
{
	FWPS_CALLOUT sCallout;
	NTSTATUS status = STATUS_SUCCESS;

	memset(&sCallout, 0, sizeof(FWPS_CALLOUT));

	sCallout.calloutKey = *calloutKey;
	sCallout.flags = flags;
	sCallout.classifyFn = ClassifyFunction;
	sCallout.notifyFn = NotifyFunction;
	sCallout.flowDeleteFn = FlowDeleteFunction;

	status = FwpsCalloutRegister(deviceObject, &sCallout, calloutId);

	return status;
 }

NTSTATUS WfpRegisterCallouts(IN OUT void* deviceObject)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	do 
	{
		if( deviceObject == NULL )
		{
			break;
		}
		
		//注册呼出接口
		status = WfpRegisterCalloutImple(deviceObject,
			Wfp_Sample_Established_ClassifyFn_V4,
			Wfp_Sample_Established_NotifyFn_V4,
			Wfp_Sample_Established_FlowDeleteFn_V4,
			&WFP_SAMPLE_ESTABLITSHE_CALLOUT_V4_GUID,
			0,
			&g_uFwpsEstablishedCallOutId);
		if( status != STATUS_SUCCESS )
		{
			break;
		}
		status = STATUS_SUCCESS;
	} 
	while (FALSE);
	return status;
}

VOID WfpUnRegisterCallouts()
{
	FwpsCalloutUnregisterById(g_uFwpsEstablishedCallOutId);
	g_uFwpsEstablishedCallOutId = 0;
}


NTSTATUS WfpAddCallouts()
{
	NTSTATUS status = STATUS_SUCCESS;
	FWPM_CALLOUT fwpmCallout = {0};
	fwpmCallout.flags = 0;
	do 
	{
		if( g_hEngine == NULL )
		{
			break;
		}
		fwpmCallout.displayData.name = (wchar_t * )WFP_SAMPLE_ESTABLISHED_CALLOUT_DISPLAY_NAME;
		fwpmCallout.displayData.description = (wchar_t * )WFP_SAMPLE_ESTABLISHED_CALLOUT_DISPLAY_NAME;
		fwpmCallout.calloutKey = WFP_SAMPLE_ESTABLITSHE_CALLOUT_V4_GUID;
		fwpmCallout.applicableLayer = FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4;
		status = FwpmCalloutAdd(g_hEngine, &fwpmCallout, NULL, &g_uFwpmEstablishedCallOutId);
		if( !NT_SUCCESS(status) && (status != STATUS_FWP_ALREADY_EXISTS) )
		{
			break;
		}
		status = STATUS_SUCCESS;
	} 
	while (FALSE);
	return status;
}

VOID WfpRemoveCallouts()
{
	if( g_hEngine != NULL )
	{
		FwpmCalloutDeleteById(g_hEngine,g_uFwpmEstablishedCallOutId);
		g_uFwpmEstablishedCallOutId = 0;
	}
	
}

NTSTATUS WfpAddSubLayer()
{
	NTSTATUS nStatus = STATUS_UNSUCCESSFUL;
	FWPM_SUBLAYER SubLayer = {0};
	SubLayer.flags = 0;
	SubLayer.displayData.description = WFP_SAMPLE_SUB_LAYER_DISPLAY_NAME;
	SubLayer.displayData.name = WFP_SAMPLE_SUB_LAYER_DISPLAY_NAME;
	SubLayer.subLayerKey = WFP_SAMPLE_SUBLAYER_GUID;
	SubLayer.weight = 65535;
	if( g_hEngine != NULL )
	{
		nStatus = FwpmSubLayerAdd(g_hEngine,&SubLayer,NULL);
	}
	return nStatus;

}

VOID WfpRemoveSubLayer()
{
	if( g_hEngine != NULL )
	{
		FwpmSubLayerDeleteByKey(g_hEngine,&WFP_SAMPLE_SUBLAYER_GUID);
	}
}


NTSTATUS WfpAddFilters()
{
	NTSTATUS nStatus = STATUS_UNSUCCESSFUL;
	do 
	{
		FWPM_FILTER0 Filter = {0};
		FWPM_FILTER_CONDITION FilterCondition[1] = {0};
		FWP_V4_ADDR_AND_MASK AddrAndMask = {0};
		if( g_hEngine == NULL )
		{
			break;
		}
		Filter.displayData.description = WFP_SAMPLE_FILTER_ESTABLISH_DISPLAY_NAME;
		Filter.displayData.name = WFP_SAMPLE_FILTER_ESTABLISH_DISPLAY_NAME;
		Filter.flags = 0;
		Filter.layerKey = FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4;
		Filter.subLayerKey = WFP_SAMPLE_SUBLAYER_GUID;
		Filter.weight.type = FWP_EMPTY;
		Filter.numFilterConditions = 1;
		Filter.filterCondition = FilterCondition;
		Filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
		Filter.action.calloutKey = WFP_SAMPLE_ESTABLITSHE_CALLOUT_V4_GUID;
		
		FilterCondition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
		FilterCondition[0].matchType = FWP_MATCH_EQUAL;
		FilterCondition[0].conditionValue.type = FWP_V4_ADDR_MASK;//要检测的类型
		FilterCondition[0].conditionValue.v4AddrMask = &AddrAndMask;//要检测的值
		nStatus = FwpmFilterAdd(g_hEngine,&Filter,NULL,&g_uEstablishedFilterId);
		if( STATUS_SUCCESS  !=  nStatus )
		{
			break;
		}
		nStatus = STATUS_SUCCESS;
	} 
	while (FALSE);
	return nStatus;
}

VOID WfpRemoveFilters()
{
	if( g_hEngine != NULL )
	{
		FwpmFilterDeleteById(g_hEngine,g_uEstablishedFilterId);
	}
}

VOID NTAPI Wfp_Sample_Established_ClassifyFn_V4(
	IN const FWPS_INCOMING_VALUES0* inFixedValues,
	IN const FWPS_INCOMING_METADATA_VALUES0* inMetaValues,
	IN OUT VOID* layerData,
	IN OPTIONAL const void* classifyContext,
	IN const FWPS_FILTER1* filter,
	IN UINT64  flowContext,
	OUT FWPS_CLASSIFY_OUT0* classifyOut
)

{
	WORD	wDirection	= 0;
	WORD	wRemotePort	= 0;
	WORD	wSrcPort = 0;
	WORD	wProtocol   = 0;
	ULONG	ulSrcIPAddress = 0;
	ULONG	ulRemoteIPAddress = 0;
	if (!(classifyOut->rights & FWPS_RIGHT_ACTION_WRITE))
	{
		return;
	}
	//wDirection表示数据包的方向,取值为	//FWP_DIRECTION_INBOUND/FWP_DIRECTION_OUTBOUND
	wDirection  = 	inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_DIRECTION].value.int8;

	//wSrcPort表示本地端口,主机序
	wSrcPort	=	inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_PORT].value.uint16;

	//wRemotePort表示远端端口,主机序
	wRemotePort = 	inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_PORT].value.uint16;

	//ulSrcIPAddress 表示源IP
	ulSrcIPAddress = inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_ADDRESS].value.uint32;

	//ulRemoteIPAddress 表示远端IP
	ulRemoteIPAddress = inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_ADDRESS].value.uint32;
	DbgPrint("remote ip is %x\n", ulRemoteIPAddress);
	
	//wProtocol表示网络协议,可以取值是IPPROTO_ICMP/IPPROTO_UDP/IPPROTO_TCP
	wProtocol = 	inFixedValues->incomingValue[FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_PROTOCOL].value.uint8;
	
	//默认"允许"(PERMIT)
	classifyOut->actionType = FWP_ACTION_PERMIT;


	if (IsHitRule(ulRemoteIPAddress))
	{
		classifyOut->actionType = FWP_ACTION_BLOCK;
	}

	
	//清除FWPS_RIGHT_ACTION_WRITE标记
	if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
	{
		classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
	}
	return ;	
}



NTSTATUS NTAPI Wfp_Sample_Established_NotifyFn_V4(
	IN  FWPS_CALLOUT_NOTIFY_TYPE        notifyType,
	IN  const GUID*             filterKey,
	IN  const FWPS_FILTER*     filter)
{
	return STATUS_SUCCESS;
}

VOID NTAPI Wfp_Sample_Established_FlowDeleteFn_V4(
			 IN UINT16  layerId,
			 IN UINT32  calloutId,
			 IN UINT64  flowContext
			 )
{

}

应用层代码

#include<stdio.h>
#include<ws2tcpip.h>
#include<windows.h>
#pragma comment(lib,"ws2_32.lib")
typedef struct _tagWfp_NetInfo
{
	USHORT      m_uSrcPort;	//源端口
	USHORT      m_uRemotePort;	//目标端口
	ULONG       m_ulSrcIPAddr; //源地址
	ULONG       m_ulRemoteIPAddr; //目标地址
	ULONG       m_ulNetWorkType; //协议
	USHORT		m_uDirection;//数据包的方向,0表示发送,1表示接收
	BOOLEAN     m_Open;//开启过滤
} ST_WFP_NETINFO, * PST_WFP_NETINFO;
#define IOCTL_WFP_SAMPLE_ADD_RULE CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_READ_ACCESS | FILE_WRITE_ACCESS)

int main()
{
	// TODO: Add your control notification handler code here
	//获取端口号
	char** pptr;
	char temp[100] = {0};
	char	str[INET_ADDRSTRLEN];

	printf("请输入你要禁用的网站地址:");
	scanf("%s", temp);
	printf("\r\n");

	WORD wVersionRequested;
	WSADATA wsaData;
	int err;
	wVersionRequested = MAKEWORD(1, 1);

	err = WSAStartup(wVersionRequested, &wsaData);
	if (err != 0) {
		printf_s("初始化网络库错误\n");
		system("pause");
		return -1;
	}
	
	hostent * host = gethostbyname(temp);

	switch (host->h_addrtype) {
	case AF_INET:
		for (pptr = host->h_addr_list; *pptr != NULL; pptr++) {
			printf("\taddress: %s\n",
				inet_ntop(host->h_addrtype, *pptr, str, sizeof(str)));
		}
		break;
	default:
		printf("unknown address type\n");
		break;
	}

	ULONG a[10] = { 0 };
	int x = 0;
	for (x;; x++)
	{

		ULONG c1 = inet_addr(inet_ntoa(*((in_addr*)host->h_addr_list[x])));


		a[x] = htonl(c1);


		if (host->h_addr_list[x] + host->h_length >= host->h_name)
		{
			break;
		}
	}
	printf("解除禁用过滤请输入0,开启禁用过滤请输入1\r\n");
	int open = 1;
	scanf("%d", &open);

	HANDLE hFile = CreateFile(L"\\\\.\\wfp_sample_device", GENERIC_ALL, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (hFile == INVALID_HANDLE_VALUE)
	{
		printf_s("打开文件wfp_sample_device失败\r\n");
		system("pause");
		return -1;
	}

	// 读者可以在此基础上增加其他域的过滤,如IP,协议类型、数据包方向等
	// Info.m_uRemotePort = uPort;
	for (x; x >= 0; x--)
	{
		ST_WFP_NETINFO Info = { 0 };
		Info.m_ulRemoteIPAddr = a[x];
		DWORD dwNeedSize = 0;
		if (open == 0)
		{
			Info.m_Open = FALSE;
		}
		else
		{
			Info.m_Open = TRUE;
		}
		BOOL rValue = DeviceIoControl(hFile, IOCTL_WFP_SAMPLE_ADD_RULE, (LPVOID)&Info, sizeof(Info), NULL, 0, &dwNeedSize, NULL);
		if (rValue == 0)
		{
			printf_s("failed in x:%d\r\n", x);
			system("pause");
			return -1;
		}
		else
		{
			char* str[] = { "解除禁用","禁用"};
			printf_s("目标主机 %x %s成功\r\n", a[x], str[open]);
		}
	}

	CloseHandle(hFile);
	hFile = INVALID_HANDLE_VALUE;
	system("pause");
	return 0;
}

参考资料

VS驱动开发错误解决
WFP网络过滤驱动——限制网站访问

Windows过滤平台(WFP)
zhangyihu321的专栏
08-16 2691
wfp windows 驱动
windows网络驱动开发
wwpp的博客
04-16 1030
Windows过滤平台(Windows Filtering Platform, WFP),是从Vista系统后新增的一套系统API和服务。开发者可以在WFP框架已划分的不同分层中进行网络数据包,以实现防火墙、入侵检测系统、网络监控等软件。(Windows内核安全驱动开发
wfp网络过滤框架总结(一)
zhangge3663的博客
09-18 4623
一、基本术语定义 callout为扩展wfp性能提供的一个功能,由一系列call function和一个guid key组成,wfp内置了几个callouts。用户可以通过callout drivers自己添加callout。 callout driver实现一个或者多个callouts的内核驱动,这个驱动通过向filter engine注册callouts,来通知filter engine当...
WFP驱动--进程规则拦截资源文件:守护系统安全的关键一步
gitblog_06713的博客
05-11 348
WFP驱动--进程规则拦截资源文件:守护系统安全的关键一步 【下载地址】WFP驱动--进程规则拦截资源文件介绍 “WFP驱动--进程规则拦截”是一款基于Windows Filtering Platform (WFP) 技术开发的开源工具,专注于系统进程的管理与控制。它能够高效获取系统中运行的进程详细信息,包括进程名称、进...
驱动开发Windows过滤平台(WFPWindows Filtering Platform)
qq_42814021的博客
04-13 4926
TDI:Transport Driver Interface,传输层接口。TDI在Windows Vista之后就不再支持了,之后的版本中被WFP取代。socket可以指定某种方式开始传输用户的数据(比如TCP或UDP),这就是传输层。传输层的特点是:用户只需要关心实际需要传输的用户数据,而不用担心数据实际的发送次数、如何封装、如何确定发送正确性、出错何重发等。Windows过滤平台(Windows Filter Platform),是从Vista系统后新增的一套系统API和服务,为网络数据包过滤
WFP过滤框架
qq_41490873的博客
09-18 2676
WFP框架图 垫片 垫片是一种特殊的内核模块,被安插在系统的网络协议栈(如TCP/IP)的不同层(栈)中, 主要作用是获取网络协议栈的数据。如垫片被安插在传输层,可以获取TCP/UDP等协议数据: 垫片被安插在网络层,可以获取IP协议等数据。安插在不同协议层的垫片,获取到的数据不同, 垫片获取到数据后,会通过内核态过滤引擎提供的分类API,把数据传递到相应的WFP分层中。 垫片除了能获取网络数据传递给内核态过滤引擎外,还有更重要的一个作用是把内核态过 滤引擎的过滤结果反馈给网络协议栈。比如,内核态过滤引擎
WFP网络过滤驱动-限制网站访问
大草的博客
02-23 2552
WFP网络过滤驱动-限制网站访问
wfp驱动网络防火墙监控参考
06-13
wfp驱动网络防火墙监控参考,详细代码涉及到了防火墙,网络过滤等,只做参考使用。
WFP驱动--进程规则拦截
03-20
Windows Filtering Platform(WFP)是微软从Windows Vista开始引入的一种强大的系统级过滤框架,它允许开发者创建内核驱动程序来拦截和控制网络、文件系统以及系统级别的各种事件。在"进程规则拦截"的场景中,WFP...
精选_基于 WFP 实现的网络监控_源码打包
03-09
WFP是Microsoft从Windows Vista开始引入的一种底层网络过滤框架。它为开发者提供了创建网络策略和控制网络数据包的能力,涵盖了入站、出站、本地以及远程通信的各个层面。WFP的主要特点包括: 1. **深度包检测 ...
WFP防火墙在应用层的增删过滤器操作
阶乘的闲庭信步
04-25 3153
WFP防火墙的作用 WFP防火墙是在Vista/Win2008之后的操作系统中才引入的一套流量管控平台。提供一套API接口供开发人员调用。应用层和驱动层都有不同的模块可以调用。用于取代之前的LSP过滤器、TDI过滤器、NDIS过滤器等。通过WFP API,可以实现防火墙、网络管控工具等流量管控服务。 使用WFP防火墙时注意的事项 WFP防火墙仅在Vista/Win 2008以后的系统中方可生效。 在Vista/Win 2008中,过滤器的添加不支持"或"策略。如果需求中包含对个IP段、多个端口号、多个协议
wfp 禁用ip_wfp过滤驱动程序阻塞数据包由某个端口和ip
weixin_39614561的博客
12-20 302
hi alli register a callout in wfp filter driverby FWPM_LAYER_ALE_AUTH_CONNECT_V4 i register a callout ALEConnectClassifyin ALEConnectClassify i want to block a packet by some rules of firewallALEConn...
Windows7以上使用WFP驱动框架实现IP数据包截取(二)
热门推荐
fanxiushu的专栏
10-25 1万+
by fanxiushu 2017-10-23 转载或引用请注明原是作者。 接上文。 上文所说只要挂载其中的6个WFP过滤点,就可以截获IP层的所有数据包。 再把截获的数据包转发到应用层,应用层处理之后,再发给内核驱动,经过这样的过程,就完成一个数据包的处理过程。 IP数据包到达应用层之后,我们就可以随心所欲的实现某些功能。比如做流量分析,可以细化到端口和具体IP等, 可以做NAT转发,
一个完整的WFP驱动(详细注释)
qq_41490873的博客
11-14 3921
#include <ntddk.h> #pragma warning(push) #pragma warning(disable:4201) // unnamed struct/union #pragma warning(disable:4995) #include <fwpsk.h> #pragma warning(pop) #include <ndis.h> #include <fwpmk.h> #include <limits.h&gt
WFP 驱动翻译第一章-关于Windows网络流量处理平台
weixin_42133300的博客
10-26 1300
WFP过滤驱动的学习。MSDN的翻译比较生硬,其他的博客可能又没有形成体系,所以,我来了。
wfp 禁用ip_Win64 驱动内核编程-16.WFP网络监控驱动(防火墙)
weixin_39898550的博客
12-20 747
WFP驱动监控网络WFP是微软推出来替代TDIHOOK、NDISHOOK等拦截网络通信的方案,WFP框架非常庞大,在RING3和RING0各有一套类似的函数,令人兴奋的是,即使在R3使用WFP,也可以做到全局拦截访问网络。由于WFP的范围太广,实在难以一言概括,感兴趣的朋友可以自行到MSDN上查看微软对它的官方概述。本文的目的,是给大家理顺WFP框架,并利用WFP拦截指定进程访问网络,或...
WFP开发学习笔记
zhangge3663的博客
09-18 1447
自己在开发学习过程中得到的经验,供新手参考,老鸟请指点不足之处: 1.如何关联数据(路径、进程ID等)到其他层? 答:使用函数FwpsFlowAssociateContext。 2.FlowContext关联的数据是否可以关联到FWPS_LAYER_*任意层? 答:经过实践测试,发现数据可以关联到TRANSPORT以上层,但不能关联到IPPACKET层(原因未知,微软没有给出明确说明)。 ...
wfp过滤
最新发布
05-18
### WFP过滤实现方式及相关教程 Windows Filtering Platform (WFP) 是一种由 Microsoft 提供的强大网络过滤框架,能够支持开发者在网络协议栈的不同层次上执行复杂的过滤逻辑。以下是关于 WFP 过滤机制的实现方式以及一些常见的示例。 #### 1. **基本概念** WFP 提供了一种分层架构来处理网络流量。这些层包括传输层、网络层和应用层等[^1]。每一层都可以注册回调函数(Callout),以便在特定事件发生时触发自定义行为。例如,当一个数据包进入或离开系统时,可以通过 Callout 函数对其进行分析并决定是否放行。 #### 2. **核心组件** - **Filter Conditions**: 定义哪些类型的流量应该被拦截或者检查。 - **Actions**: 对匹配条件的数据流采取的操作,比如允许通行、丢弃或是进一步加工。 - **Callouts**: 用户编写的代码片段,用来扩展默认的功能集;每当符合条件的新连接建立起来的时候就会调用相应的 Callout 方法[^3]。 #### 3. **具体实现步骤** ##### 注册一个新的 Filter 和关联的 Callout 下面是一个简单的例子展示如何设置基础的 IP 地址过滤器: ```c++ // 创建 filter 条件对象 FWPM_FILTER_CONDITION0 condition; condition.fieldKey = FWPM_FIELD_IP_REMOTE_ADDRESS; // 设置字段关键字为目标地址 condition.matchType = FWP_MATCH_EQUAL; // 使用等于比较运算符 condition.conditionValue.type = FWP_UINT32_TYPE; condition.conditionValue.uint32 = inet_addr("192.168.1.1"); // 构建完整的 filters 结构体数组 FWP_VALUE0 values[] = { ... }; // 初始化其他必要参数... UINT32 numFilters = sizeof(values)/sizeof(FWP_VALUE0); FWPM_FILTER0* pFilter = new FWPM_FILTER0[numFilters]; for(UINT i=0;i<numFilters;++i){ memset(&pFilter[i], 0, sizeof(FWPM_FILTER0)); ... } // 调用 API 将其加入到系统中生效 HRESULT hr = FwpmFilterAdd(engineHandle,&filter,NULL,&id); if(SUCCEEDED(hr)){ printf("Successfully added filter with ID %llu\n", id.QuadPart); } else{ fprintf(stderr,"Failed adding filter! Error code:%X\n",hr); } ``` 此段伪代码展示了怎样构建基于远程IP地址的具体规则,并将其提交给操作系统以实际运用。注意这里省略了许多细节部分如错误检测等等[^5]。 另外还有一种情况涉及到长时间决策过程的情况,则可能需要用到异步完成模型即所谓的ALE Pend/Complete Mechanism[^4]。在这种模式下,初始阶段仅做初步判定并将请求挂起等待最终裁定结果出来后再继续后续动作。 #### 4. **参考资料链接** 虽然提到过几个项目资源但并未详细介绍,如果想更深入了解实践案例的话可以从官方文档入手学习更多高级特性[^2]。 ---
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值