Windows软件防火墙实现技术简述
给出一段detour的tdi的dispatch routine的代码:
// Dispatch-routine detour installed in front of the TDI transport driver
// (excerpt reproduced from the article; "...." marks lines the author left
// out, so this is not a compilable unit). For IRP_MJ_INTERNAL_DEVICE_CONTROL
// requests it dispatches on the minor function, resolves the local TCP port of
// the requesting file object via gettcpportbyfile(), and for ports flagged in
// denyport[] completes the IRP here instead of passing it down; everything
// else falls through to the elided tail of the routine.
//
// Names this excerpt uses but does not declare (presumably set up in the
// elided prologue — confirm against the full driver): `irpsp` (current stack
// location of `irp`), `stat` (reused both as the port number returned by
// gettcpportbyfile() and as the NTSTATUS written back to the IRP),
// `denyport[]` (per-port table where 1 means "block") and `tmpstrptr`
// (debug-only event name).
//
// NOTE(review): the DbgPrint format strings below contain raw line breaks
// inside the quotes; this looks like a "\n" escape lost in the page rendering
// rather than the original source, which would not compile as shown.
NTSTATUS hook_disp(IN PDEVICE_OBJECT parampdrvob, IN PIRP irp)
{
....
case IRP_MJ_INTERNAL_DEVICE_CONTROL:
switch(irpsp->MinorFunction)
{
/// The minor functions originally intended for monitoring (TDI_LISTEN,
/// TDI_RECEIVE) do not appear to be issued by AFD; AFD registers event
/// handlers through TDI_SET_EVENT_HANDLER instead, which is handled below.
case TDI_LISTEN:
#ifdef bydbg
DbgPrint("bytdiflt:TDI_LISTEN traped.should caused by kmd other than AFD.
");
#endif
// Look up the local TCP port bound to this file object. 0 and -1 are the
// helper's "not TCP" / "lookup failed" results and are passed through
// unfiltered (fail-open for anything the helper cannot classify).
stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
DbgPrint("bytdiflt:**********TDI_EVENT_CONNECT port:%d.***********
",stat);
#endif
if(stat==0 || stat==-1){break;}//non-tcp or internal error
// The cast keeps the index in 0..65535; whether denyport[] really has
// 65536 entries is not visible here — confirm in the declaring file.
if(denyport[(unsigned short)stat]==1)// fail the request outright
{
#ifdef bydbg
DbgPrint("bytdiflt:*********port %d blocked!!*********
",stat);
//DbgBreakPoint();
#endif
// Completed at this layer with a failure status, so the transport never
// sees the listen. NOTE(review): STATUS_ACCESS_VIOLATION is an unusual
// code for a policy decision; an access-denied style status is what a
// caller would normally expect for "blocked by filter" — confirm intent.
stat=STATUS_ACCESS_VIOLATION;
irp->IoStatus.Status=stat;
irp->IoStatus.Information=0;
IoCompleteRequest(irp, IO_NO_INCREMENT);
return stat;
}
break;
case TDI_RECEIVE:
// Observe only: no filtering decision is made for TDI_RECEIVE.
#ifdef bydbg
DbgPrint("bytdiflt:TDI_RECEIVE traped.should caused by kmd other than AFD.
");
//DbgBreakPoint();
#endif
break;
case TDI_SET_EVENT_HANDLER:
// The path AFD actually takes: Parameters is reinterpreted as a
// TDI_REQUEST_KERNEL_SET_EVENT and EventType says which callback the
// client is registering on this transport address / connection.
#ifdef bydbg
DbgPrint("bytdiflt:TDI_SET_EVENT_HANDLER traped.req local_node:%x
",irpsp->FileObject);
// NOTE(review): %x with pointer arguments assumes 32-bit pointers; a
// 64-bit build would need %p to avoid truncating the printed values.
DbgPrint("TDI_SET_EVENT_HANDLER EventType:%d EventHandler:%x EventContext:%x
",
((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventType,
((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventHandler,
((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventContext
);
#endif
switch(((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventType){
case TDI_EVENT_CONNECT:
// Registering a connect handler is what makes an inbound listener
// reachable, so inbound blocking is enforced here rather than on
// TDI_LISTEN.
tmpstrptr="TDI_EVENT_CONNECT";
stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
DbgPrint("bytdiflt:**********TDI_EVENT_CONNECT port:%d.***********
",stat);
#endif
if(stat==0 || stat==-1){break;}//non-tcp or internal error
if(denyport[(unsigned short)stat]==1)// complete the request without doing the work
{
#ifdef bydbg
DbgPrint("bytdiflt:*********port %d blocked!!*********
",stat);
//DbgBreakPoint();
#endif
// Reported to the caller as success but never forwarded, so the
// transport never installs the connect handler: the socket looks
// open to its owner yet accepts nothing, and the owner is not told it
// was blocked. Note the asymmetry with TDI_LISTEN above, which
// returns a failure status for the same port table hit.
stat=STATUS_SUCCESS;
irp->IoStatus.Status=stat;
irp->IoStatus.Information=0;
IoCompleteRequest(irp, IO_NO_INCREMENT);
return stat;
}
break;
// The remaining event types are only named for the debug trace.
case TDI_EVENT_RECEIVE:
tmpstrptr="TDI_EVENT_RECEIVE";
break;
case TDI_EVENT_CHAINED_RECEIVE:
tmpstrptr="TDI_EVENT_CHAINED_RECEIVE";
break;
case TDI_EVENT_RECEIVE_EXPEDITED:
tmpstrptr="TDI_EVENT_RECEIVE_EXPEDITED";
break;
case TDI_EVENT_CHAINED_RECEIVE_EXPEDITED:
tmpstrptr="TDI_EVENT_CHAINED_RECEIVE_EXPEDITED";
break;
case TDI_EVENT_RECEIVE_DATAGRAM:
tmpstrptr="TDI_EVENT_RECEIVE_DATAGRAM";
break;
default:
tmpstrptr="Other TDI_EVENT";
break;
}
#ifdef bydbg
DbgPrint("EventType is:%s
",tmpstrptr);
#endif
break;
case TDI_CONNECT:// handle outbound (actively initiated) connections
// In this excerpt the outbound path only logs the local port; nothing is
// blocked here. The elided tail (PsGetCurrentProcessId) suggests the
// outbound decision is made per process rather than per port — confirm
// against the full driver.
stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
if(stat==0 || stat==-1)//non-tcp or internal error
{DbgPrint("bytdiflt:**********TDI_CONNECT local port UNKNOWN.***********
");}
else
{DbgPrint("bytdiflt:**********TDI_CONNECT local port:%d.************
",stat);}
//DbgBreakPoint();
#endif
break;
....
PsGetCurrentProcessId....// determine the id of the requesting process
....
}