
Windows软件防火墙实现技术简述

 2007-07-21 12:46:26 来源:WEB开发网   

下面给出一段对 TDI 驱动做 detour（挂钩）后的 dispatch routine 代码片段:

/*
 * hook_disp -- dispatch routine installed in place of the TDI transport's own
 * one (a "detour").  Only the IRP_MJ_INTERNAL_DEVICE_CONTROL branch is shown;
 * the "...." markers stand for elided code.  irpsp, stat, tmpstrptr and the
 * denyport table are declared in the elided parts -- TODO confirm their types
 * (denyport is indexed with an unsigned short, so it presumably has 65536 entries).
 *
 * Returns an NTSTATUS.  Whenever a request is blocked, the IRP is completed
 * right here and never reaches the underlying transport driver.
 */
NTSTATUS hook_disp(IN PDEVICE_OBJECT parampdrvob, IN PIRP irp)
{
   ....
   case IRP_MJ_INTERNAL_DEVICE_CONTROL:
     switch(irpsp->MinorFunction)
   {
       /* These were the requests originally meant to be monitored, but AFD
          does not seem to issue them; it registers event handlers instead
          (handled under TDI_SET_EVENT_HANDLER below). */
     case TDI_LISTEN:
#ifdef bydbg
       DbgPrint("bytdiflt:TDI_LISTEN traped.should caused by kmd other than AFD.
");
#endif
       /* Local TCP port bound to the file object; 0 and -1 are in-band
          sentinels ("not TCP" / "lookup failed"). */
       stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
       /* NOTE(review): message says TDI_EVENT_CONNECT but this is the TDI_LISTEN path. */
       DbgPrint("bytdiflt:**********TDI_EVENT_CONNECT port:%d.***********
",stat);
#endif
       if(stat==0 || stat==-1){break;}//non-tcp or internal error
       /* Fail the request outright.  The cast bounds the index to 0..65535;
          this is only safe if denyport really has that many entries -- TODO confirm. */
       if(denyport[(unsigned short)stat]==1)
       {
#ifdef bydbg
         DbgPrint("bytdiflt:*********port %d blocked!!*********
",stat);
         //DbgBreakPoint();
#endif
         /* NOTE(review): STATUS_ACCESS_VIOLATION is a memory-fault code; a
            policy denial would conventionally use STATUS_ACCESS_DENIED. */
         stat=STATUS_ACCESS_VIOLATION;
         irp->IoStatus.Status=stat;
         irp->IoStatus.Information=0;
         /* Completed here: the lower driver never sees the listen request. */
         IoCompleteRequest(irp, IO_NO_INCREMENT);
         return stat;
       }
       break;
     case TDI_RECEIVE:
#ifdef bydbg
       DbgPrint("bytdiflt:TDI_RECEIVE traped.should caused by kmd other than AFD.
");
       //DbgBreakPoint();
#endif
       break;
     case TDI_SET_EVENT_HANDLER:
#ifdef bydbg
       /* NOTE(review): %x prints a kernel pointer and truncates it on 64-bit
          builds; %p would be the portable form.  Debug builds only. */
       DbgPrint("bytdiflt:TDI_SET_EVENT_HANDLER traped.req local_node:%x
",irpsp->FileObject);
       DbgPrint("TDI_SET_EVENT_HANDLER EventType:%d EventHandler:%x EventContext:%x
",
         ((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventType,
         ((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventHandler,
         ((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventContext
         );
#endif
       /* The stack location's Parameters union is viewed as a set-event request. */
       switch(((TDI_REQUEST_KERNEL_SET_EVENT*)&(irpsp->Parameters))->EventType){
       case TDI_EVENT_CONNECT:
         tmpstrptr="TDI_EVENT_CONNECT";
         /* Inbound-connection path: AFD registering its connect handler. */
         stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
         DbgPrint("bytdiflt:**********TDI_EVENT_CONNECT port:%d.***********
",stat);
#endif
         if(stat==0 || stat==-1){break;}//non-tcp or internal error
         /* Complete the request without doing anything: the caller is told
            STATUS_SUCCESS although the handler is never installed in the
            transport, so incoming connections on a denied port are silently
            dropped rather than refused. */
         if(denyport[(unsigned short)stat]==1)
         {
#ifdef bydbg
           DbgPrint("bytdiflt:*********port %d blocked!!*********
",stat);
           //DbgBreakPoint();
#endif
           stat=STATUS_SUCCESS;
           irp->IoStatus.Status=stat;
           irp->IoStatus.Information=0;
           IoCompleteRequest(irp, IO_NO_INCREMENT);
           return stat;
         }
         break;
       /* The remaining event types are only named for the debug trace. */
       case TDI_EVENT_RECEIVE:
         tmpstrptr="TDI_EVENT_RECEIVE";
         break;
       case TDI_EVENT_CHAINED_RECEIVE:
         tmpstrptr="TDI_EVENT_CHAINED_RECEIVE";
         break;
       case TDI_EVENT_RECEIVE_EXPEDITED:
         tmpstrptr="TDI_EVENT_RECEIVE_EXPEDITED";
         break;
       case TDI_EVENT_CHAINED_RECEIVE_EXPEDITED:
         tmpstrptr="TDI_EVENT_CHAINED_RECEIVE_EXPEDITED";
         break;
       case TDI_EVENT_RECEIVE_DATAGRAM:
         tmpstrptr="TDI_EVENT_RECEIVE_DATAGRAM";
         break;
       default:
         tmpstrptr="Other TDI_EVENT";
         break;
       }
#ifdef bydbg
       DbgPrint("EventType is:%s
",tmpstrptr);
#endif
       break;
     case TDI_CONNECT: /* active outbound connection */
       /* NOTE(review): this branch only logs the local port; outbound
          connects are not filtered here.  Any egress policy must live in the
          elided parts of the routine. */
       stat=gettcpportbyfile(irpsp->FileObject);
#ifdef bydbg
       if(stat==0 || stat==-1)//non-tcp or internal error
       {DbgPrint("bytdiflt:**********TDI_CONNECT local port UNKNOWN.***********
");}
       else
       {DbgPrint("bytdiflt:**********TDI_CONNECT local port:%d.************
",stat);}
       //DbgBreakPoint();
#endif
       break;
   ....
   /* Determine the calling process id.  NOTE(review): presumably the IRP
      arrives in the context of the process that issued it -- confirm before
      using this id for per-process policy. */
   PsGetCurrentProcessId....
   ....
}

