WFP (Windows Filtering Platform) is the framework Microsoft introduced to replace TDI hooking (hooking the Transport Driver Interface) as the way to intercept network communication. It is layered by design and exposes equivalent API functions in user mode and in kernel mode, so a firewall product can be developed in either. The code below implements a simple filtering firewall as a kernel driver.

WFP has two main modules: the user-mode Base Filtering Engine (BFE) and the kernel-mode filtering engine (KMFE). The BFE exposes a C API and an RPC interface; the user-mode entry points are packaged in FWPUCLNT.dll, and a program calls that module's exports. The kernel-mode equivalents used by the driver below are exported by fwpkclnt.sys and linked through fwpkclnt.lib.

  • WFP program workflow:
  • Open the filter engine with FwpmEngineOpen() and obtain the engine handle.
  • Start a transaction with FwpmTransactionBegin(); the flags argument selects a read-only (FWPM_TXN_READ_ONLY) or read/write (0) transaction on the engine's configuration, so that the callout and filter added next appear atomically.
  • Register the callout with FwpsCalloutRegister(), add it to the engine with FwpmCalloutAdd(), and add a filter that references it with FwpmFilterAdd(); the filter's layer selects which traffic is classified.
  • Commit with FwpmTransactionCommit(); from this point on the callout's classifyFn is invoked.
  • Tear down with FwpmFilterDeleteById(), FwpmCalloutDeleteById() and FwpsCalloutUnregisterById(), which remove the filter and callout objects and the callback registration.
  • Close the engine handle with FwpmEngineClose().

A callout registers three callbacks. Only classifyFn runs before the decision: it is the one that sees the connection and returns the verdict. The other two are after-the-fact notifications: notifyFn is called when a filter that references the callout is added or deleted, and flowDeleteFn when a data flow to which the callout attached a context is torn down. Usually only classifyFn matters. WFP can filter at many layers, so a layer has to be chosen to select the data we want.

  • The layer is usually FWPM_LAYER_ALE_AUTH_CONNECT_V4, the ALE layer at which outbound IPv4 connection attempts are authorized (TCP connects and the first packet of an outbound datagram flow), rather than "IPv4 filtering" in general.
  • A GUID is also required as the callout key; any value will do as long as it is unique. Here it is the variable GUID_ALE_AUTH_CONNECT_CALLOUT_V4.

Following the workflow above we first build a simple network-control driver. Once loaded it controls which addresses and ports the local machine can reach: for example it can cut off a given application's network access or stop a given site from being opened. To set up the WFP development environment, add fwpkclnt.lib and uuid.lib to Additional Dependencies in the Linker tab and use the WDM driver template; otherwise the build fails. After the driver is loaded, `netsh wfp show state` and `netsh wfp show filters` write XML dumps (wfpstate.xml and filters.xml) in which the callout and the filter appear under the display name used below, which is a quick way to confirm that the objects were actually added to the engine.

// Attribution
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com

#define NDIS_SUPPORT_NDIS6 1
#define DEV_NAME L"\\Device\\MY_WFP_DEV_NAME"
#define SYM_NAME L"\\DosDevices\\MY_WFP_SYM_NAME"

#include <ntifs.h>
#include <fwpsk.h>
#include <fwpmk.h>

// This listing targets Windows 7 and later: from Windows 7 on the classifyFn prototype
// carries a classifyContext argument, and fwpsk.h maps the version-independent names
// FWPS_FILTER, FWPS_CALLOUT and FWPS_CALLOUT_CLASSIFY_FN to the structures that match
// NTDDI_VERSION, so no per-version #if is needed here
#if (NTDDI_VERSION < NTDDI_WIN7)
#error "Build with NTDDI_VERSION >= NTDDI_WIN7"
#endif

// Filter engine handle
HANDLE g_hEngine = NULL;
// Runtime identifier of the callout inside the filter engine
ULONG32 g_AleConnectCalloutId = 0;
// Runtime identifier of the filter
ULONG64 g_AleConnectFilterId = 0;
// Callout key: any GUID is fine as long as it does not collide with another callout
GUID GUID_ALE_AUTH_CONNECT_CALLOUT_V4 = { 0x6812fc83, 0x7d3e, 0x499a, { 0xa0, 0x12, 0x55, 0xe0, 0xd8, 0x5f, 0x34, 0x8b } };

// ------------------------------------------------------------------------------
// Forward declarations
// ------------------------------------------------------------------------------

// Register the callout and install the filter point
NTSTATUS RegisterCalloutForLayer(IN PDEVICE_OBJECT pDevObj, IN const GUID *layerKey, IN const GUID *calloutKey, IN FWPS_CALLOUT_CLASSIFY_FN classifyFn, IN FWPS_CALLOUT_NOTIFY_FN notifyFn, IN FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN flowDeleteNotifyFn, OUT ULONG32 *calloutId, OUT ULONG64 *filterId, OUT HANDLE *engine);
// Register the callout
NTSTATUS RegisterCallout(IN PDEVICE_OBJECT pDevObj, IN const GUID *calloutKey, IN FWPS_CALLOUT_CLASSIFY_FN classifyFn, IN FWPS_CALLOUT_NOTIFY_FN notifyFn, IN FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN flowDeleteNotifyFn, OUT ULONG32 *calloutId);
// Install the filter point
NTSTATUS SetFilter(IN const GUID *layerKey, IN const GUID *calloutKey, OUT ULONG64 *filterId, OUT HANDLE *engine);
// Callout function flowDeleteFn
VOID NTAPI flowDeleteFn(_In_ UINT16 layerId, _In_ UINT32 calloutId, _In_ UINT64 flowContext);
// Callout function classifyFn
VOID NTAPI classifyFn(_In_ const FWPS_INCOMING_VALUES0* inFixedValues, _In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, _Inout_opt_ void* layerData, _In_opt_ const void* classifyContext, _In_ const FWPS_FILTER* filter, _In_ UINT64 flowContext, _Inout_ FWPS_CLASSIFY_OUT0* classifyOut);
// Callout function notifyFn
NTSTATUS NTAPI notifyFn(_In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType, _In_ const GUID* filterKey, _Inout_ FWPS_FILTER* filter);

// ------------------------------------------------------------------------------
// Implementation
// ------------------------------------------------------------------------------

// Map an IP protocol number to a name (IANA numbers; 27 is RDP, the Reliable Data
// Protocol, not Remote Desktop). The output buffer must hold at least 8 bytes
NTSTATUS ProtocalIdToName(UINT16 protocalId, PCHAR lpszProtocalName)
{
    switch (protocalId)
    {
    case 1:  RtlCopyMemory(lpszProtocalName, "ICMP", sizeof("ICMP")); break;
    case 2:  RtlCopyMemory(lpszProtocalName, "IGMP", sizeof("IGMP")); break;
    case 6:  RtlCopyMemory(lpszProtocalName, "TCP", sizeof("TCP")); break;
    case 17: RtlCopyMemory(lpszProtocalName, "UDP", sizeof("UDP")); break;
    case 27: RtlCopyMemory(lpszProtocalName, "RDP", sizeof("RDP")); break;
    default: RtlCopyMemory(lpszProtocalName, "UNKNOWN", sizeof("UNKNOWN")); break;
    }
    return STATUS_SUCCESS;
}

// Start WFP
NTSTATUS WfpLoad(PDEVICE_OBJECT pDevObj)
{
    NTSTATUS status;

    // Register the callout and install the filter point. classifyFn is the pre-decision
    // callback; notifyFn and flowDeleteFn only receive after-the-fact notifications
    status = RegisterCalloutForLayer(pDevObj, &FWPM_LAYER_ALE_AUTH_CONNECT_V4, &GUID_ALE_AUTH_CONNECT_CALLOUT_V4,
        classifyFn, notifyFn, flowDeleteFn, &g_AleConnectCalloutId, &g_AleConnectFilterId, &g_hEngine);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[LyShark.com] Callout registration failed: 0x%08X\n", status);
    }
    return status;
}

// Stop WFP
NTSTATUS WfpUnload(void)
{
    if (NULL != g_hEngine)
    {
        // Delete the filter, then the callout object, then the callout registration
        FwpmFilterDeleteById(g_hEngine, g_AleConnectFilterId);
        FwpmCalloutDeleteById(g_hEngine, g_AleConnectCalloutId);
        g_AleConnectFilterId = 0;
        FwpsCalloutUnregisterById(g_AleConnectCalloutId);
        g_AleConnectCalloutId = 0;
        // Close the engine; the session is dynamic, so anything left is removed with it
        FwpmEngineClose(g_hEngine);
        g_hEngine = NULL;
    }
    return STATUS_SUCCESS;
}

// Register the callout and install the filter point
NTSTATUS RegisterCalloutForLayer(IN PDEVICE_OBJECT pDevObj, IN const GUID *layerKey, IN const GUID *calloutKey, IN FWPS_CALLOUT_CLASSIFY_FN classifyFn, IN FWPS_CALLOUT_NOTIFY_FN notifyFn, IN FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN flowDeleteNotifyFn, OUT ULONG32 *calloutId, OUT ULONG64 *filterId, OUT HANDLE *engine)
{
    NTSTATUS status;

    // Register the callout with the kernel-mode engine
    status = RegisterCallout(pDevObj, calloutKey, classifyFn, notifyFn, flowDeleteNotifyFn, calloutId);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    // Install the filter point; undo the registration if that fails
    status = SetFilter(layerKey, calloutKey, filterId, engine);
    if (!NT_SUCCESS(status))
    {
        FwpsCalloutUnregisterById(*calloutId);
        *calloutId = 0;
        return status;
    }
    return status;
}

// Register the callout
NTSTATUS RegisterCallout(IN PDEVICE_OBJECT pDevObj, IN const GUID *calloutKey, IN FWPS_CALLOUT_CLASSIFY_FN classifyFn, IN FWPS_CALLOUT_NOTIFY_FN notifyFn, IN FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN flowDeleteNotifyFn, OUT ULONG32 *calloutId)
{
    NTSTATUS status;
    FWPS_CALLOUT sCallout = { 0 };

    // Describe the callout
    sCallout.calloutKey = *calloutKey;
    sCallout.classifyFn = classifyFn;
    sCallout.flowDeleteFn = flowDeleteNotifyFn;
    sCallout.notifyFn = notifyFn;

    // Register it
    status = FwpsCalloutRegister(pDevObj, &sCallout, calloutId);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("[LyShark.com] FwpsCalloutRegister failed: 0x%08X\n", status);
        return status;
    }
    return status;
}

// Install the filter point
NTSTATUS SetFilter(IN const GUID *layerKey, IN const GUID *calloutKey, OUT ULONG64 *filterId, OUT HANDLE *engine)
{
    HANDLE hEngine = NULL;
    NTSTATUS status;
    BOOLEAN bInTransaction = FALSE;
    FWPM_SESSION session = { 0 };
    FWPM_FILTER mFilter = { 0 };
    FWPM_CALLOUT mCallout = { 0 };
    FWPM_DISPLAY_DATA mDispData = { 0 };

    // Open a dynamic session: every object added through it is removed automatically
    // when the engine handle is closed (or the driver goes away)
    session.flags = FWPM_SESSION_FLAG_DYNAMIC;
    status = FwpmEngineOpen(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &hEngine);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    // Begin a read/write transaction (flags 0); the callout and filter are committed together
    status = FwpmTransactionBegin(hEngine, 0);
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }
    bInTransaction = TRUE;

    // Callout parameters
    mDispData.name = L"MY WFP LyShark";
    mDispData.description = L"WORLD OF DEMON";
    mCallout.applicableLayer = *layerKey;
    mCallout.calloutKey = *calloutKey;
    mCallout.displayData = mDispData;

    // Add the callout object to the engine
    status = FwpmCalloutAdd(hEngine, &mCallout, NULL, NULL);
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }

    // Filter parameters: a terminating callout action, so classifyFn must return PERMIT or BLOCK
    mFilter.action.calloutKey = *calloutKey;
    mFilter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
    mFilter.displayData.name = L"MY WFP LyShark";
    mFilter.displayData.description = L"WORLD OF DEMON";
    mFilter.layerKey = *layerKey;
    mFilter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
    mFilter.weight.type = FWP_EMPTY;   // let the engine pick the weight

    // Add the filter
    status = FwpmFilterAdd(hEngine, &mFilter, NULL, filterId);
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }

    // Commit; from here on classifyFn is invoked
    status = FwpmTransactionCommit(hEngine);
    if (!NT_SUCCESS(status))
    {
        goto Cleanup;
    }
    bInTransaction = FALSE;

    *engine = hEngine;
    return STATUS_SUCCESS;

Cleanup:
    if (bInTransaction)
    {
        FwpmTransactionAbort(hEngine);
    }
    FwpmEngineClose(hEngine);
    return status;
}

// Callout function classifyFn: the pre-decision callback, invoked for each outbound IPv4 connection attempt
VOID NTAPI classifyFn(_In_ const FWPS_INCOMING_VALUES0* inFixedValues, _In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, _Inout_opt_ void* layerData, _In_opt_ const void* classifyContext, _In_ const FWPS_FILTER* filter, _In_ UINT64 flowContext, _Inout_ FWPS_CLASSIFY_OUT0* classifyOut)
{
    UNREFERENCED_PARAMETER(layerData);
    UNREFERENCED_PARAMETER(classifyContext);
    UNREFERENCED_PARAMETER(filter);
    UNREFERENCED_PARAMETER(flowContext);

    // A callout may only write classifyOut while it still holds the write right; if a
    // higher-weight filter has already made a final decision it must be left alone
    if (!(classifyOut->rights & FWPS_RIGHT_ACTION_WRITE))
    {
        return;
    }

    // FWPM_LAYER_ALE_AUTH_CONNECT_V4 only sees outbound connection attempts, so the direction
    // is always FWP_DIRECTION_OUTBOUND (this layer has no DIRECTION field of its own)
    WORD wDirection = FWP_DIRECTION_OUTBOUND;

    // Local address and port (WFP delivers IPv4 addresses in host byte order)
    ULONG ulLocalIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS].value.uint32;
    UINT16 uLocalPort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT].value.uint16;
    // Remote address and port
    ULONG ulRemoteIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32;
    UINT16 uRemotePort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16;
    // IP protocol number (delivered as FWP_UINT8)
    UINT8 uProtocol = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL].value.uint8;
    // Current IRQL (classifyFn may run at DISPATCH_LEVEL, so only nonpaged data may be touched here)
    KIRQL kCurrentIrql = KeGetCurrentIrql();

    // Process id and image path come from the metadata block and are only valid when their presence bit is set
    ULONG64 processId = 0;
    UCHAR szProcessPath[256] = { 0 };
    CHAR szProtocalName[16] = { 0 };
    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
    {
        processId = inMetaValues->processId;
    }
    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH) && inMetaValues->processPath != NULL)
    {
        // processPath->data holds the NT image path as UTF-16 bytes; copy whole code units only
        // and keep room for a two-byte terminator so the buffer can be used as a wide string
        ULONG cb = inMetaValues->processPath->size;
        if (cb > sizeof(szProcessPath) - sizeof(WCHAR))
        {
            cb = sizeof(szProcessPath) - sizeof(WCHAR);
        }
        cb &= ~1UL;
        RtlCopyMemory(szProcessPath, inMetaValues->processPath->data, cb);
    }

    // Protocol name
    ProtocalIdToName(uProtocol, szProtocalName);

    // Default rule: permit the connection
    classifyOut->actionType = FWP_ACTION_PERMIT;

    // Block network access for a specific process
    if (NULL != wcsstr((PWCHAR)szProcessPath, L"iexplore.exe"))
    {
        // Deny the connection, drop the write right so lower-weight filters cannot overturn
        // the block, and mark the data as absorbed
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
        DbgPrint("[LyShark.com] Blocked IE connection request...\n");
    }

    // 8.141.58.64 as a host-order ULONG, the byte order WFP uses for the address fields
    const ULONG ulBlockedIp = (8u << 24) | (141u << 16) | (58u << 8) | 64u;

    // Remote address 8.141.58.64 on remote port 443: deny the connection
    if (ulRemoteIp == ulBlockedIp && uRemotePort == 443)
    {
        DbgPrint("[LyShark.com] Blocked web access --> %u.%u.%u.%u:%u\n",
            (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF, uRemotePort);
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    }
    // ICMP echo request: at the ALE layers the ICMP type is delivered in the local-port field
    // and the code in the remote-port field, so ping is protocol 1, type 8, code 0
    else if (uProtocol == 1 && uLocalPort == 8 && uRemotePort == 0)
    {
        DbgPrint("[LyShark.com] Blocked ping --> %u.%u.%u.%u\n",
            (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF);
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    }

    // Log the attempt. DbgPrint formats the octets itself, so no CRT sprintf is needed in kernel mode
    DbgPrint("[LyShark.com] direction: %d -> protocol: %s -> local: %u.%u.%u.%u:%u -> remote: %u.%u.%u.%u:%u -> IRQL: %d -> PID: %I64u -> path: %S\n",
        wDirection,
        szProtocalName,
        (ulLocalIp >> 24) & 0xFF, (ulLocalIp >> 16) & 0xFF, (ulLocalIp >> 8) & 0xFF, ulLocalIp & 0xFF,
        uLocalPort,
        (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF,
        uRemotePort,
        kCurrentIrql,
        processId,
        (PWCHAR)szProcessPath);
}

// Callout function notifyFn: called when a filter that references this callout is added or deleted
NTSTATUS NTAPI notifyFn(_In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType, _In_ const GUID* filterKey, _Inout_ FWPS_FILTER* filter)
{
    UNREFERENCED_PARAMETER(notifyType);
    UNREFERENCED_PARAMETER(filterKey);
    UNREFERENCED_PARAMETER(filter);
    return STATUS_SUCCESS;
}

// Callout function flowDeleteFn: called when a flow that carries a context from this callout ends (unused here)
VOID NTAPI flowDeleteFn(_In_ UINT16 layerId, _In_ UINT32 calloutId, _In_ UINT64 flowContext)
{
    UNREFERENCED_PARAMETER(layerId);
    UNREFERENCED_PARAMETER(calloutId);
    UNREFERENCED_PARAMETER(flowContext);
    return;
}

// Default dispatch routine
NTSTATUS DriverDefaultHandle(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// Create the device object
NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj = NULL;
    UNICODE_STRING ustrDevName, ustrSymName;

    RtlInitUnicodeString(&ustrDevName, DEV_NAME);
    RtlInitUnicodeString(&ustrSymName, SYM_NAME);

    status = IoCreateDevice(pDriverObject, 0, &ustrDevName, FILE_DEVICE_NETWORK, 0, FALSE, &pDevObj);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    status = IoCreateSymbolicLink(&ustrSymName, &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDevObj);
        return status;
    }
    return status;
}

// Driver unload
VOID UnDriver(PDRIVER_OBJECT driver)
{
    UNICODE_STRING ustrSymName;

    // Remove the filter and callout and close the engine
    WfpUnload();

    RtlInitUnicodeString(&ustrSymName, SYM_NAME);
    IoDeleteSymbolicLink(&ustrSymName);
    if (driver->DeviceObject)
    {
        IoDeleteDevice(driver->DeviceObject);
    }
}

// Driver entry point
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNREFERENCED_PARAMETER(RegistryPath);

    Driver->DriverUnload = UnDriver;
    for (ULONG i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        Driver->MajorFunction[i] = DriverDefaultHandle;
    }

    // Create the device
    status = CreateDevice(Driver);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    // Start WFP; if that fails, undo the device creation so the driver does not stay loaded half-initialized
    status = WfpLoad(Driver->DeviceObject);
    if (!NT_SUCCESS(status))
    {
        UnDriver(Driver);
        return status;
    }
    return STATUS_SUCCESS;
}

The code above is a minimal WFP filtering framework. The prototype declarations follow Microsoft's definitions and are not explained here. Note that GUID_ALE_AUTH_CONNECT_CALLOUT_V4 is an arbitrary UUID that may be chosen freely as long as it is unique. When the driver starts, DriverEntry creates a device and calls WfpLoad(), which registers a filter point through RegisterCalloutForLayer(). The three callbacks passed to it, classifyFn, notifyFn and flowDeleteFn, are respectively the pre-decision callback and the two after-the-fact notification callbacks. What matters most in WFP is defining these three functions, that is, implementing them to carry out our specific behaviour.

NTSTATUS RegisterCalloutForLayer(
    IN PDEVICE_OBJECT pDevObj,
    IN const GUID* layerKey,
    IN const GUID* calloutKey,
    IN FWPS_CALLOUT_CLASSIFY_FN classifyFn,
    IN FWPS_CALLOUT_NOTIFY_FN notifyFn,
    IN FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN flowDeleteNotifyFn,
    OUT ULONG32* calloutId,
    OUT ULONG64* filterId,
    OUT HANDLE* engine
);

Since this is a firewall, classifyFn, the pre-decision callback, is the important one: enforcing a policy on traffic has to happen there, because it is the only callback that sees the connection and can set the verdict. notifyFn and flowDeleteFn only receive lifecycle notifications and are enough when all you need is to know when filters or flows come and go. Since the work happens before the decision, let's look at how classifyFn handles the traffic.

// Callout function classifyFn: the pre-decision callback (here blocking qq.exe; logging commented out)
VOID NTAPI classifyFn(_In_ const FWPS_INCOMING_VALUES0* inFixedValues, _In_ const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, _Inout_opt_ void* layerData, _In_opt_ const void* classifyContext, _In_ const FWPS_FILTER* filter, _In_ UINT64 flowContext, _Inout_ FWPS_CLASSIFY_OUT0* classifyOut)
{
    UNREFERENCED_PARAMETER(layerData);
    UNREFERENCED_PARAMETER(classifyContext);
    UNREFERENCED_PARAMETER(filter);
    UNREFERENCED_PARAMETER(flowContext);

    // Only touch classifyOut while the callout still holds the write right
    if (!(classifyOut->rights & FWPS_RIGHT_ACTION_WRITE))
    {
        return;
    }

    // This layer only sees outbound connection attempts, so the direction is fixed
    WORD wDirection = FWP_DIRECTION_OUTBOUND;

    // Local address and port (host byte order)
    ULONG ulLocalIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS].value.uint32;
    UINT16 uLocalPort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT].value.uint16;
    // Remote address and port
    ULONG ulRemoteIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32;
    UINT16 uRemotePort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16;
    // IP protocol number (FWP_UINT8)
    UINT8 uProtocol = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL].value.uint8;
    // Current IRQL
    KIRQL kCurrentIrql = KeGetCurrentIrql();

    // Process id and image path, guarded by their metadata presence bits
    ULONG64 processId = 0;
    UCHAR szProcessPath[256] = { 0 };
    CHAR szProtocalName[16] = { 0 };
    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
    {
        processId = inMetaValues->processId;
    }
    if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH) && inMetaValues->processPath != NULL)
    {
        // UTF-16 bytes; copy whole code units and keep a two-byte terminator
        ULONG cb = inMetaValues->processPath->size;
        if (cb > sizeof(szProcessPath) - sizeof(WCHAR))
        {
            cb = sizeof(szProcessPath) - sizeof(WCHAR);
        }
        cb &= ~1UL;
        RtlCopyMemory(szProcessPath, inMetaValues->processPath->data, cb);
    }

    // Protocol name
    ProtocalIdToName(uProtocol, szProtocalName);

    // Default rule: permit the connection
    classifyOut->actionType = FWP_ACTION_PERMIT;

    // Block network access for a specific process
    if (NULL != wcsstr((PWCHAR)szProcessPath, L"qq.exe"))
    {
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    }

    // 8.141.58.64 in host byte order
    const ULONG ulBlockedIp = (8u << 24) | (141u << 16) | (58u << 8) | 64u;

    // Remote address 8.141.58.64 on port 443: deny the connection
    if (ulRemoteIp == ulBlockedIp && uRemotePort == 443)
    {
        DbgPrint("Blocked web access --> %u.%u.%u.%u:%u\n",
            (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF, uRemotePort);
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    }
    // ICMP echo request (type 8 in the local-port field, code 0 in the remote-port field)
    else if (uProtocol == 1 && uLocalPort == 8 && uRemotePort == 0)
    {
        DbgPrint("Blocked ping --> %u.%u.%u.%u\n",
            (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF);
        classifyOut->actionType = FWP_ACTION_BLOCK;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        classifyOut->flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    }

    /*
    // Log the attempt
    DbgPrint("direction: %d -> protocol: %s -> local: %u.%u.%u.%u:%u -> remote: %u.%u.%u.%u:%u -> IRQL: %d -> PID: %I64u -> path: %S\n",
        wDirection,
        szProtocalName,
        (ulLocalIp >> 24) & 0xFF, (ulLocalIp >> 16) & 0xFF, (ulLocalIp >> 8) & 0xFF, ulLocalIp & 0xFF,
        uLocalPort,
        (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF,
        uRemotePort,
        kCurrentIrql,
        processId,
        (PWCHAR)szProcessPath);
    */
    UNREFERENCED_PARAMETER(wDirection);
    UNREFERENCED_PARAMETER(ulLocalIp);
    UNREFERENCED_PARAMETER(kCurrentIrql);
    UNREFERENCED_PARAMETER(processId);
}

When a new connection attempt is routed to the pre-decision callback, the fields we need are read directly from inFixedValues (indexed with the FWPS_FIELD_ALE_AUTH_CONNECT_V4_* enumerators of this layer) and from inMetaValues, as shown below. ProtocalIdToName is a helper that converts the numeric protocol into a string.

// FWPM_LAYER_ALE_AUTH_CONNECT_V4 only sees outbound connection attempts, so the direction is
// always FWP_DIRECTION_OUTBOUND; this layer has no DIRECTION field of its own (the
// FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_DIRECTION index belongs to a different layer)
WORD wDirection = FWP_DIRECTION_OUTBOUND;

// Local address and port (WFP delivers IPv4 addresses in host byte order)
ULONG ulLocalIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_ADDRESS].value.uint32;
UINT16 uLocalPort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_LOCAL_PORT].value.uint16;

// Remote address and port
ULONG ulRemoteIp = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_ADDRESS].value.uint32;
UINT16 uRemotePort = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_REMOTE_PORT].value.uint16;

// IP protocol number (delivered as FWP_UINT8, so read the uint8 member of the union)
UINT8 uProtocol = inFixedValues->incomingValue[FWPS_FIELD_ALE_AUTH_CONNECT_V4_IP_PROTOCOL].value.uint8;

// Current IRQL (classifyFn may run at DISPATCH_LEVEL)
KIRQL kCurrentIrql = KeGetCurrentIrql();

// Process id and image path come from the metadata block and are only valid when the
// matching presence bit is set
ULONG64 processId = 0;
UCHAR szProcessPath[256] = { 0 };
CHAR szProtocalName[16] = { 0 };
if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_ID))
{
    processId = inMetaValues->processId;
}
if (FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH) && inMetaValues->processPath != NULL)
{
    // processPath->data holds the NT image path as UTF-16 bytes; bound the copy by the buffer,
    // copy whole code units only, and keep a two-byte terminator so it can be used as a wide string
    ULONG cb = inMetaValues->processPath->size;
    if (cb > sizeof(szProcessPath) - sizeof(WCHAR))
    {
        cb = sizeof(szProcessPath) - sizeof(WCHAR);
    }
    cb &= ~1UL;
    RtlCopyMemory(szProcessPath, inMetaValues->processPath->data, cb);
}

// Protocol name
ProtocalIdToName(uProtocol, szProtocalName);

Blocking a browser: the firewall's default rule is changed to permit everything (classifyOut->actionType = FWP_ACTION_PERMIT;). To block a particular process from using the network, check the caller's image path; if it is the target process, deny the connection. A callout must only write classifyOut while it still holds FWPS_RIGHT_ACTION_WRITE, so that check comes before any of the rules.

// Default rule: permit the connection
classifyOut->actionType = FWP_ACTION_PERMIT;

// Block network access for a specific process
if (NULL != wcsstr((PWCHAR)szProcessPath, L"iexplore.exe"))
{
    // Deny the connection
    classifyOut->actionType = FWP_ACTION_BLOCK;
    // Drop the write right so lower-weight filters cannot overturn the block
    classifyOut->rights = classifyOut->rights & (~FWPS_RIGHT_ACTION_WRITE);
    // Tell the engine the callout has absorbed the data
    classifyOut->flags = classifyOut->flags | FWPS_CLASSIFY_OUT_FLAG_ABSORB;
    DbgPrint("[LyShark.com] Blocked IE connection request...\n");
}

Once this driver is loaded, any page the user opens in IE reports that it cannot be reached. Matching on the image name is a weak identity, though: renaming the executable bypasses the rule, and a substring match on the whole path (wcsstr) also hits any unrelated image whose path happens to contain the name.

Blocking a specific IP address: another core firewall feature is to stop the host itself from reaching a particular address or network range, which only needs one more condition. Below, a connection to 8.141.58.64 on port 443 is blocked, and so is a ping (ICMP echo request). At the ALE layers the port fields of an ICMP connection carry the ICMP type (local port) and code (remote port), which is why an echo request shows up as type 8 with remote port 0.

// 8.141.58.64 as a host-order ULONG, the byte order WFP uses for the address fields
const ULONG ulBlockedIp = (8u << 24) | (141u << 16) | (58u << 8) | 64u;

// Remote address 8.141.58.64 on remote port 443: deny the connection
if (ulRemoteIp == ulBlockedIp && uRemotePort == 443)
{
    DbgPrint("Blocked web access --> %u.%u.%u.%u:%u\n",
        (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF, uRemotePort);
    // Deny the connection and keep lower-weight filters from overturning it
    classifyOut->actionType = FWP_ACTION_BLOCK;
    classifyOut->rights = classifyOut->rights & (~FWPS_RIGHT_ACTION_WRITE);
    classifyOut->flags = classifyOut->flags | FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}
// ICMP echo request: protocol 1, ICMP type 8 in the local-port field, code 0 in the remote-port field.
// Checking the protocol avoids blocking every non-ICMP connection that happens to carry remote port 0
else if (uProtocol == 1 && uLocalPort == 8 && uRemotePort == 0)
{
    DbgPrint("Blocked ping --> %u.%u.%u.%u\n",
        (ulRemoteIp >> 24) & 0xFF, (ulRemoteIp >> 16) & 0xFF, (ulRemoteIp >> 8) & 0xFF, ulRemoteIp & 0xFF);
    classifyOut->actionType = FWP_ACTION_BLOCK;
    classifyOut->rights = classifyOut->rights & (~FWPS_RIGHT_ACTION_WRITE);
    classifyOut->flags = classifyOut->flags | FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}

Once this driver is loaded, the host can no longer reach 8.141.58.64 over port 443 and the ping command no longer works.

Logging connection attempts: if you only want to record the traffic leaving the host, decode the fields and print them. At this layer that is one line per outbound IPv4 connection attempt, not per packet; per-packet inspection requires a callout at a packet layer such as FWPM_LAYER_OUTBOUND_TRANSPORT_V4.

// Print one line per outbound connection attempt. DbgPrint formats the octets itself, so no CRT
// sprintf is needed in kernel mode; the address is in host byte order, so the first octet is the top byte
DbgPrint("[LyShark.com] direction: %d -> protocol: %s -> local: %u.%u.%u.%u:%u -> remote: %u.%u.%u.%u:%u -> IRQL: %d -> PID: %I64u -> path: %S\n",
    wDirection,
    szProtocalName,
    (ulLocalIp >> 24) & 0xFF,
    (ulLocalIp >> 16) & 0xFF,
    (ulLocalIp >> 8) & 0xFF,
    ulLocalIp & 0xFF,
    uLocalPort,
    (ulRemoteIp >> 24) & 0xFF,
    (ulRemoteIp >> 16) & 0xFF,
    (ulRemoteIp >> 8) & 0xFF,
    ulRemoteIp & 0xFF,
    uRemotePort,
    kCurrentIrql,
    processId,
    (PWCHAR)szProcessPath);

Once this driver is loaded, the user can see every outbound IPv4 connection attempt made from the host in the debugger output.

http://m.risenshineclean.com/news/65928.html
