├── .gitignore ├── Driver ├── exe │ ├── monitor.cpp │ ├── monitor.vcxproj │ ├── monitor.vcxproj.Filters │ └── mtrace.cmd ├── inc │ ├── ioctl.h │ └── mntrguid.h ├── msnmntr.sln └── sys │ ├── ctl.c │ ├── ctl.h │ ├── init.c │ ├── msnmntr.c │ ├── msnmntr.h │ ├── msnmntr.inf │ ├── msnmntr.vcxproj │ ├── msnmntr.vcxproj.Filters │ ├── notify.c │ └── notify.h ├── ImageFolder ├── filter.png ├── main.png ├── r1.png └── r2.png ├── PFirewall.sln ├── PFirewall ├── Alert.cpp ├── Alert.h ├── IPFilter.cpp ├── IPFilter.h ├── PFirewall.aps ├── PFirewall.cpp ├── PFirewall.h ├── PFirewall.rc ├── PFirewall.vcxproj ├── PFirewall.vcxproj.filters ├── PFirewall.vcxproj.user ├── PFirewallDlg.cpp ├── PFirewallDlg.h ├── PortFilter.cpp ├── PortFilter.h ├── ProcessMonitor.cpp ├── ProcessMonitor.h ├── Process_Monitor.cpp ├── Process_Monitor.h ├── ReadMe.txt ├── common.h ├── res │ ├── PFirewall.ico │ └── PFirewall.rc2 ├── resource.h ├── stdafx.cpp ├── stdafx.h └── targetver.h └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | */ 2 | !.gitignore 3 | !Driver/ 4 | !Driver/inc/ 5 | !Driver/sys/ 6 | !Driver/exe/ 7 | !PFirewall/ 8 | !PFirewall/res 9 | !.sln 10 | !.inf 11 | !README.md -------------------------------------------------------------------------------- /Driver/exe/monitor.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/Driver/exe/monitor.cpp -------------------------------------------------------------------------------- /Driver/exe/monitor.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {A775BC8D-48D4-4332-B731-6135FDD0C94A} 23 | $(MSBuildProjectName) 24 | Debug 25 | Win32 26 | 
{2142A4F7-2EDA-43A2-AA9B-237435A8B04E} 27 | 10.0.14393.0 28 | 29 | 30 | 31 | Windows10 32 | False 33 | Desktop 34 | 35 | WindowsApplicationForDrivers10.0 36 | Application 37 | 38 | 39 | Windows10 40 | True 41 | Desktop 42 | 43 | WindowsApplicationForDrivers10.0 44 | Application 45 | 46 | 47 | Windows10 48 | False 49 | Desktop 50 | 51 | WindowsApplicationForDrivers10.0 52 | Application 53 | 54 | 55 | Windows10 56 | True 57 | Desktop 58 | 59 | WindowsApplicationForDrivers10.0 60 | Application 61 | 62 | 63 | 64 | $(IntDir) 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | monitor 81 | 82 | 83 | monitor 84 | 85 | 86 | monitor 87 | 88 | 89 | monitor 90 | 91 | 92 | 93 | %(PreprocessorDefinitions);WIN32 94 | 95 | 96 | %(PreprocessorDefinitions);WIN32 97 | 98 | 99 | %(PreprocessorDefinitions);WIN32 100 | %(AdditionalOptions) -N 101 | 102 | 103 | 104 | 105 | %(PreprocessorDefinitions);WIN32 106 | 107 | 108 | %(PreprocessorDefinitions);WIN32 109 | 110 | 111 | %(PreprocessorDefinitions);WIN32 112 | %(AdditionalOptions) -N 113 | 114 | 115 | 116 | 117 | %(PreprocessorDefinitions);WIN32 118 | 119 | 120 | %(PreprocessorDefinitions);WIN32 121 | 122 | 123 | %(PreprocessorDefinitions);WIN32 124 | %(AdditionalOptions) -N 125 | 126 | 127 | 128 | 129 | %(PreprocessorDefinitions);WIN32 130 | 131 | 132 | %(PreprocessorDefinitions);WIN32 133 | 134 | 135 | %(PreprocessorDefinitions);WIN32 136 | %(AdditionalOptions) -N 137 | 138 | 139 | 140 | 141 | Sync 142 | true 143 | 144 | 145 | 146 | 147 | Sync 148 | true 149 | 150 | 151 | 152 | 153 | Sync 154 | true 155 | 156 | 157 | 158 | 159 | Sync 160 | true 161 | 162 | 163 | 164 | Static 165 | NTDDI_WIN7 166 | 167 | 168 | Static 169 | NTDDI_WIN7 170 | 171 | 172 | Static 173 | NTDDI_WIN7 174 | 175 | 176 | Static 177 | NTDDI_WIN7 178 | 179 | 180 | 181 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 182 | 183 | 184 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 185 | 186 
| 187 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 188 | 189 | 190 | %(AdditionalDependencies);advapi32.lib;comctl32.lib;kernel32.lib;netapi32.lib;ole32.lib;oleaut32.lib;user32.lib;uuid.lib;ntdll.lib;kernel32.lib;setupapi.lib;rpcrt4.lib;fwpuclnt.lib 191 | 192 | 193 | 194 | 195 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 196 | 197 | 198 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 199 | 200 | 201 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 202 | 203 | 204 | %(AdditionalDependencies);advapi32.lib;comctl32.lib;kernel32.lib;netapi32.lib;ole32.lib;oleaut32.lib;user32.lib;uuid.lib;ntdll.lib;kernel32.lib;setupapi.lib;rpcrt4.lib;fwpuclnt.lib 205 | 206 | 207 | 208 | 209 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 210 | 211 | 212 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 213 | 214 | 215 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 216 | 217 | 218 | %(AdditionalDependencies);advapi32.lib;comctl32.lib;kernel32.lib;netapi32.lib;ole32.lib;oleaut32.lib;user32.lib;uuid.lib;ntdll.lib;kernel32.lib;setupapi.lib;rpcrt4.lib;fwpuclnt.lib 219 | 220 | 221 | 222 | 223 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 224 | 225 | 226 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 227 | 228 | 229 | %(AdditionalIncludeDirectories);$(SDK_INC_PATH);$(DDK_INC_PATH);..\inc 230 | 231 | 232 | %(AdditionalDependencies);advapi32.lib;comctl32.lib;kernel32.lib;netapi32.lib;ole32.lib;oleaut32.lib;user32.lib;uuid.lib;ntdll.lib;kernel32.lib;setupapi.lib;rpcrt4.lib;fwpuclnt.lib 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | -------------------------------------------------------------------------------- /Driver/exe/monitor.vcxproj.Filters: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx;* 6 | {23749ED7-3361-4C55-BC65-7FEB41F22410} 7 | 8 | 9 | h;hpp;hxx;hm;inl;inc;xsd 10 | {514D9180-B3CA-48A3-A0A1-6E1693F852C4} 11 | 12 | 13 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms;man;xml 14 | {DB4C51F6-0F6E-404E-9F69-06769044B4B1} 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | -------------------------------------------------------------------------------- /Driver/exe/mtrace.cmd: -------------------------------------------------------------------------------- 1 | @echo off 2 | @setlocal 3 | 4 | @rem ------------------------------------------------------------------------- 5 | @rem OBTAIN INPUT 6 | @rem ------------------------------------------------------------------------- 7 | 8 | set TR_MODULE=%1 9 | shift 10 | set TR_LEVEL=%1 11 | shift 12 | set TR_VERB=%1 13 | 14 | @rem ------------------------------------------------------------------------- 15 | @rem VALIDATE COMPONENT & TRACING LEVEL 16 | @rem ------------------------------------------------------------------------- 17 | 18 | if /i "%TR_MODULE%"=="MONITOR" ( 19 | set TR_GUID={dd65554d-9925-49d1-83b6-46125feb4207} 20 | set TR_MODULE=MsnMntrMonitor 21 | 22 | if "%TR_LEVEL%"=="0" ( 23 | set TR_BITS= 24 | set TR_LEVEL=0 25 | ) else if "%TR_LEVEL%"=="1" ( 26 | set TR_BITS= 27 | set TR_LEVEL=1 28 | ) else if /i "%TR_LEVEL%"=="2" ( 29 | set TR_BITS= 30 | set TR_LEVEL=2 31 | ) else if /i "%TR_LEVEL%"=="9" ( 32 | set TR_BITS= 33 | set TR_LEVEL=9 34 | ) else ( 35 | echo. 36 | echo Error: Monitor component does not support this trace detail. 
37 | goto :show_usage_MsnMntrMonitor 38 | ) 39 | ) else if /i "%TR_MODULE%"=="NOTIFY" ( 40 | set TR_GUID={aca2f74a-7a0d-4f47-be4b-66900813b8e5} 41 | set TR_MODULE=MsnMntrNotify 42 | 43 | if "%TR_LEVEL%"=="0" ( 44 | set TR_BITS= 45 | set TR_LEVEL=0 46 | ) else if "%TR_LEVEL%"=="1" ( 47 | set TR_BITS= 48 | set TR_LEVEL=1 49 | ) else if /i "%TR_LEVEL%"=="2" ( 50 | set TR_BITS= 51 | set TR_LEVEL=2 52 | ) else if /i "%TR_LEVEL%"=="3" ( 53 | set TR_BITS= 54 | set TR_LEVEL=3 55 | ) else if /i "%TR_LEVEL%"=="9" ( 56 | set TR_BITS= 57 | set TR_LEVEL=9 58 | ) else ( 59 | echo. 60 | echo Error: Notify component does not support this trace detail. 61 | goto :show_usage_MsnMntrNotify 62 | ) 63 | 64 | ) else if /i "%TR_MODULE%"=="CONTROL" ( 65 | set TR_GUID={eab718af-52de-477c-874d-cb49746bb131} 66 | set TR_MODULE=MsnMntrCtl 67 | 68 | if "%TR_LEVEL%"=="0" ( 69 | set TR_BITS= 70 | set TR_LEVEL=0 71 | ) else if "%TR_LEVEL%"=="1" ( 72 | set TR_BITS= 73 | set TR_LEVEL=1 74 | ) else if /i "%TR_LEVEL%"=="2" ( 75 | set TR_BITS= 76 | set TR_LEVEL=2 77 | ) else if /i "%TR_LEVEL%"=="9" ( 78 | set TR_BITS= 79 | set TR_LEVEL=9 80 | ) else ( 81 | echo. 82 | echo Error: Control component does not support this trace detail. 83 | goto :show_usage_MsnMntrCtl 84 | ) 85 | 86 | ) else if /i "%TR_MODULE%"=="INIT" ( 87 | set TR_GUID={e7db16bb-41be-4c05-b73e-5feca06f8207} 88 | set TR_MODULE=MsnMntrInit 89 | 90 | if "%TR_LEVEL%"=="0" ( 91 | set TR_BITS= 92 | set TR_LEVEL=0 93 | ) else if "%TR_LEVEL%"=="1" ( 94 | set TR_BITS= 95 | set TR_LEVEL=1 96 | ) else if /i "%TR_LEVEL%"=="9" ( 97 | set TR_BITS= 98 | set TR_LEVEL=9 99 | ) else ( 100 | echo. 101 | echo Error: Init component does not support this trace detail. 102 | goto :show_usage_MsnMntrInit 103 | ) 104 | 105 | ) else ( 106 | echo. 107 | echo Error: No module was selected. 
108 | goto :show_usage 109 | ) 110 | 111 | set TR_NAME=%TR_MODULE% 112 | set TR_DIR=%SystemRoot%\Tracing\%TR_NAME% 113 | set TR_LOG=%TR_DIR%\%TR_NAME%.etl 114 | set TR_BITS=0xFFFFFFFF 115 | set TR_OPTS= 116 | set TR_RT_OPTS=-rt -ft 1 117 | 118 | set TRACE_FORMAT_PREFIX=%%9!d!:%%3!04X! %%!FUNC!: 119 | set TRACE_FORMAT_SEARCH_PATH=%TR_DIR% 120 | 121 | @rem ------------------------------------------------------------------------- 122 | @rem VALIDATE VERB 123 | @rem ------------------------------------------------------------------------- 124 | 125 | if /i "%TR_VERB%"=="start" ( 126 | call :start_trace 127 | ) else if /i "%TR_VERB%"=="stop" ( 128 | call :stop_trace 129 | ) else if /i "%TR_VERB%"=="pdb" ( 130 | call :extract_format_info %1 131 | ) else if /i "%TR_VERB%"=="rt" ( 132 | call :format_realtime 133 | ) else if /i "%TR_VERB%"=="fmt" ( 134 | call :format_offline 135 | ) else ( 136 | echo. 137 | echo Error: A supported verb has not been specified. 138 | goto :show_usage 139 | ) 140 | 141 | goto :eof 142 | 143 | :ShowSummary 144 | echo. 145 | echo Trace name : %TR_NAME% 146 | echo Trace directory : %TR_DIR% 147 | echo Trace log : %TR_LOG% 148 | echo Trace level : %TR_LEVEL% 149 | 150 | @rem ------------------------------------------------------------------------- 151 | @rem START TRACING 152 | @rem ------------------------------------------------------------------------- 153 | :start_trace 154 | if not exist %TR_DIR% mkdir %TR_DIR% 155 | logman query %TR_NAME% -ets 1 > NUL 156 | if errorlevel 1 ( 157 | logman start %TR_NAME% %TR_OPTS% -p %TR_GUID% %TR_BITS% %TR_LEVEL% -o %TR_LOG% -ets 158 | ) else ( 159 | echo Collection is already started. 
160 | ) 161 | goto :eof 162 | 163 | @rem ------------------------------------------------------------------------- 164 | @rem STOP TRACING 165 | @rem ------------------------------------------------------------------------- 166 | :stop_trace 167 | logman query %TR_NAME% -ets 1>NUL 168 | if NOT errorlevel 1 ( 169 | logman stop %TR_NAME% -ets 170 | ) 171 | goto :eof 172 | 173 | @rem ------------------------------------------------------------------------- 174 | @rem EXTRACT FORMAT INFO 175 | @rem ------------------------------------------------------------------------- 176 | :extract_format_info 177 | if "%1" == "" ( 178 | set TR_PDB=.\%TR_MODULE%.pdb 179 | )else ( 180 | set TR_PDB=%1 181 | ) 182 | tracepdb -f %TR_PDB% -p %TR_DIR% 183 | goto :eof 184 | 185 | @rem ------------------------------------------------------------------------- 186 | @rem FORMAT REALTIME 187 | @rem ------------------------------------------------------------------------- 188 | :format_realtime 189 | call :stop_trace 190 | set TR_OPTS=%TR_RT_OPTS% 191 | call :start_trace 192 | start "%TR_NAME% Tracing" /low tracefmt -displayonly -rt %TR_NAME% 193 | goto :eof 194 | 195 | @rem ------------------------------------------------------------------------- 196 | @rem FORMAT OFFLINE 197 | @rem ------------------------------------------------------------------------- 198 | :format_offline 199 | tracefmt -o %TR_NAME%.txt %TR_LOG% -display 200 | goto :eof 201 | 202 | goto :eof 203 | 204 | @rem ------------------------------------------------------------------------- 205 | @rem CONTEXT SENSITIVE HELP 206 | @rem ------------------------------------------------------------------------- 207 | :show_usage 208 | call :show_usage_header 209 | echo 9 Display all trace events 210 | echo Select a component to see individual supported tracing levels. 
211 | call :show_usage_footer 212 | 213 | goto :eof 214 | 215 | :show_usage_MsnMntrMonitor 216 | call :show_usage_header 217 | echo 0 Established flow 218 | echo 1 Change of state information 219 | echo 2 Layer notifications 220 | echo 9 Display all trace events 221 | call :show_usage_footer 222 | 223 | goto :eof 224 | 225 | :show_usage_MsnMntrNotify 226 | call :show_usage_header 227 | echo 0 Client to server 228 | echo 1 Peer to peer 229 | echo 2 Unknown 230 | echo 3 All traffic 231 | echo 9 Display all trace events 232 | call :show_usage_footer 233 | 234 | goto :eof 235 | 236 | :show_usage_MsnMntrCtl 237 | call :show_usage_header 238 | echo 0 Initialization 239 | echo 1 Device control 240 | echo 2 State 241 | echo 9 Display all trace events 242 | call :show_usage_footer 243 | 244 | goto :eof 245 | 246 | :show_usage_MsnMntrInit 247 | call :show_usage_header 248 | echo 0 Initialization 249 | echo 1 Shutdown 250 | echo 9 Display all trace events 251 | call :show_usage_footer 252 | 253 | goto :eof 254 | 255 | :show_usage_header 256 | echo. 257 | echo Usage: monitor_trace COMPONENT LEVEL VERB 258 | echo. 259 | echo Components: 260 | echo MONITOR, NOTIFY, CONTROL and INIT 261 | echo. 262 | echo Trace detail: 263 | goto :eof 264 | 265 | :show_usage_footer 266 | echo. 267 | echo Verbs: 268 | echo start Start collection. 269 | echo stop Stop collection. 270 | echo pdb Extract format information from the pdb in the current 271 | echo directory. 272 | echo pdb [file] Like the above, but allows the full path to the pdb 273 | echo to be specified. 274 | echo rt Displays the trace output in real-time. This 275 | echo automatically stops any existing collection and begins 276 | echo a new one with appropriate parameters for real-time. 277 | echo fmt Format the trace logfile to the console. 278 | echo. 279 | echo Note: 280 | echo The most common scenario is to extract the format information from 281 | echo the pdb, and then display the output in real-time. 282 | echo. 
283 | echo Example: 284 | echo cd /d MySymbolDir 285 | echo monitor_trace init 0 pdb 286 | echo monitor_trace init 0 rt 287 | 288 | goto :eof -------------------------------------------------------------------------------- /Driver/inc/ioctl.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample callout driver IOCTL header 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #pragma once 16 | 17 | #define MONITOR_DEVICE_NAME L"\\Device\\MonitorSample" 18 | #define MONITOR_SYMBOLIC_NAME L"\\DosDevices\\Global\\MonitorSample" 19 | #define MONITOR_DOS_NAME L"\\\\.\\MonitorSample" 20 | 21 | typedef enum _MONITOR_OPERATION_MODE 22 | { 23 | invalidOperation = 0, 24 | monitorTraffic = 1, 25 | monitorOperationMax 26 | } MONITOR_OPERATION_MODE; 27 | 28 | typedef struct _MONITOR_SETTINGS 29 | { 30 | MONITOR_OPERATION_MODE monitorOperation; 31 | UINT32 flags; 32 | } MONITOR_SETTINGS; 33 | 34 | #define MONITOR_IOCTL_ENABLE_MONITOR CTL_CODE(FILE_DEVICE_NETWORK, 0x1, METHOD_BUFFERED, FILE_ANY_ACCESS) 35 | #define MONITOR_IOCTL_DISABLE_MONITOR CTL_CODE(FILE_DEVICE_NETWORK, 0x2, METHOD_BUFFERED, FILE_ANY_ACCESS) 36 | 37 | -------------------------------------------------------------------------------- /Driver/inc/mntrguid.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. 
All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample callout driver IOCTL header 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #pragma once 16 | 17 | // b3241f1d-7cd2-4e7a-8721-2e97d07702e5 18 | DEFINE_GUID( 19 | MONITOR_SAMPLE_SUBLAYER, 20 | 0xb3241f1d, 21 | 0x7cd2, 22 | 0x4e7a, 23 | 0x87, 0x21, 0x2e, 0x97, 0xd0, 0x77, 0x02, 0xe5 24 | ); 25 | 26 | // 3aaccbc0-2c29-455f-bb91-0e801c8994a4 27 | DEFINE_GUID( 28 | MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4, 29 | 0x3aaccbc0, 30 | 0x2c29, 31 | 0x455f, 32 | 0xbb, 0x91, 0x0e, 0x80, 0x1c, 0x89, 0x94, 0xa4 33 | ); 34 | 35 | // cea0131a-6ed3-4ed6-b40c-8a8fe8434b0a 36 | DEFINE_GUID( 37 | MONITOR_SAMPLE_STREAM_CALLOUT_V4, 38 | 0xcea0131a, 39 | 0x6ed3, 40 | 0x4ed6, 41 | 0xb4, 0x0c, 0x8a, 0x8f, 0xe8, 0x43, 0x4b, 0x0a 42 | ); 43 | 44 | 45 | -------------------------------------------------------------------------------- /Driver/msnmntr.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0 5 | MinimumVisualStudioVersion = 12.0 6 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Exe", "Exe", "{60E53BA1-BED0-47E5-9907-8CEA2995D3A4}" 7 | EndProject 8 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Sys", "Sys", "{AD377DD1-7334-4B0B-BDDA-3BF2E96C8247}" 9 | EndProject 10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "monitor", "exe\monitor.vcxproj", "{A775BC8D-48D4-4332-B731-6135FDD0C94A}" 11 | EndProject 12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msnmntr", "sys\msnmntr.vcxproj", "{0334D910-32A8-48D1-945A-A58B9F2FAD22}" 13 | EndProject 14 | Global 15 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 16 | Debug|Win32 = Debug|Win32 17 | Release|Win32 = Release|Win32 18 | Debug|x64 = Debug|x64 19 | Release|x64 = Release|x64 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 
22 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Debug|Win32.ActiveCfg = Debug|Win32 23 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Debug|Win32.Build.0 = Debug|Win32 24 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Release|Win32.ActiveCfg = Release|Win32 25 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Release|Win32.Build.0 = Release|Win32 26 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Debug|x64.ActiveCfg = Debug|x64 27 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Debug|x64.Build.0 = Debug|x64 28 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Release|x64.ActiveCfg = Release|x64 29 | {A775BC8D-48D4-4332-B731-6135FDD0C94A}.Release|x64.Build.0 = Release|x64 30 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|Win32.ActiveCfg = Debug|Win32 31 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|Win32.Build.0 = Debug|Win32 32 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|Win32.ActiveCfg = Release|Win32 33 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|Win32.Build.0 = Release|Win32 34 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x64.ActiveCfg = Debug|x64 35 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x64.Build.0 = Debug|x64 36 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x64.ActiveCfg = Release|x64 37 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x64.Build.0 = Release|x64 38 | EndGlobalSection 39 | GlobalSection(SolutionProperties) = preSolution 40 | HideSolutionNode = FALSE 41 | EndGlobalSection 42 | GlobalSection(NestedProjects) = preSolution 43 | {A775BC8D-48D4-4332-B731-6135FDD0C94A} = {60E53BA1-BED0-47E5-9907-8CEA2995D3A4} 44 | {0334D910-32A8-48D1-945A-A58B9F2FAD22} = {AD377DD1-7334-4B0B-BDDA-3BF2E96C8247} 45 | EndGlobalSection 46 | EndGlobal 47 | -------------------------------------------------------------------------------- /Driver/sys/ctl.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. 
All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver IO control routines 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #include 16 | #include 17 | 18 | #include 19 | 20 | #pragma warning(push) 21 | #pragma warning(disable:4201) // unnamed struct/union 22 | 23 | #include 24 | 25 | #pragma warning(pop) 26 | 27 | 28 | #include "ioctl.h" 29 | 30 | #include "msnmntr.h" 31 | #include "ctl.h" 32 | 33 | #include "notify.h" 34 | 35 | // 36 | // Software Tracing Definitions 37 | // 38 | #define WPP_CONTROL_GUIDS \ 39 | WPP_DEFINE_CONTROL_GUID(MsnMntrCtl,(eab718af, 52de, 477c, 874d, cb49746bb131), \ 40 | WPP_DEFINE_BIT(TRACE_INIT) \ 41 | WPP_DEFINE_BIT(TRACE_DEVICE_CONTROL) \ 42 | WPP_DEFINE_BIT(TRACE_STATE) ) 43 | 44 | #include "ctl.tmh" 45 | 46 | EVT_WDF_IO_QUEUE_IO_DEVICE_CONTROL MonitorEvtDeviceControl; 47 | 48 | NTSTATUS 49 | MonitorCtlDriverInit( 50 | _In_ WDFDEVICE* pDevice 51 | ) 52 | /*++ 53 | 54 | Routine Description: 55 | 56 | Initializes the request queue for our driver. This is how 57 | DeviceIoControl requests are sent to KMDF drivers. 58 | 59 | Arguments: 60 | 61 | [in] WDFDEVICE* pDevice - Our device. 62 | 63 | --*/ 64 | { 65 | NTSTATUS status; 66 | WDF_IO_QUEUE_CONFIG queueConfig; 67 | 68 | DoTraceMessage(TRACE_INIT, "MonitorSample Control Initialization in progress."); 69 | 70 | WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE( 71 | &queueConfig, 72 | WdfIoQueueDispatchSequential 73 | ); 74 | 75 | queueConfig.EvtIoDeviceControl = MonitorEvtDeviceControl; 76 | 77 | status = WdfIoQueueCreate( 78 | *pDevice, 79 | &queueConfig, 80 | WDF_NO_OBJECT_ATTRIBUTES, 81 | NULL 82 | ); 83 | 84 | return status; 85 | } 86 | 87 | VOID 88 | MonitorEvtDeviceControl ( 89 | _In_ WDFQUEUE Queue, 90 | _In_ WDFREQUEST Request, 91 | _In_ size_t OutputBufferLength, 92 | _In_ size_t InputBufferLength, 93 | _In_ ULONG IoControlCode 94 | ) 95 | /*++ 96 | 97 | Handles device IO control requests. 
This callback drives all communication 98 | between the usermode exe and this driver. 99 | 100 | --*/ 101 | { 102 | NTSTATUS status = STATUS_SUCCESS; 103 | 104 | UNREFERENCED_PARAMETER(Queue); 105 | UNREFERENCED_PARAMETER(OutputBufferLength); 106 | 107 | DoTraceMessage(TRACE_DEVICE_CONTROL, "MonitorSample Dispatch Device Control: 0x%x", IoControlCode); 108 | 109 | switch (IoControlCode) 110 | { 111 | case MONITOR_IOCTL_ENABLE_MONITOR: 112 | { 113 | WDFMEMORY pMemory; 114 | void* pBuffer; 115 | 116 | if (InputBufferLength < sizeof(MONITOR_SETTINGS)) 117 | { 118 | status = STATUS_INVALID_PARAMETER; 119 | } 120 | else 121 | { 122 | status = WdfRequestRetrieveInputMemory(Request, &pMemory); 123 | 124 | if (NT_SUCCESS(status)) 125 | { 126 | pBuffer = WdfMemoryGetBuffer(pMemory, NULL); 127 | status = MonitorCoEnableMonitoring((MONITOR_SETTINGS*) pBuffer); 128 | } 129 | } 130 | break; 131 | } 132 | 133 | case MONITOR_IOCTL_DISABLE_MONITOR: 134 | { 135 | status = STATUS_SUCCESS; 136 | 137 | MonitorCoDisableMonitoring(); 138 | 139 | break; 140 | } 141 | 142 | default: 143 | { 144 | status = STATUS_INVALID_PARAMETER; 145 | } 146 | } 147 | 148 | WdfRequestComplete(Request, status); 149 | } 150 | -------------------------------------------------------------------------------- /Driver/sys/ctl.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver IO control header 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | NTSTATUS 16 | MonitorCtlDriverInit( 17 | _In_ WDFDEVICE* pDevice 18 | ); 19 | 20 | -------------------------------------------------------------------------------- /Driver/sys/init.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. 
All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver initialization routines 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | 21 | #pragma warning(push) 22 | #pragma warning(disable:4201) // unnamed struct/union 23 | 24 | #include 25 | 26 | #pragma warning(pop) 27 | 28 | #include "ioctl.h" 29 | 30 | #include "msnmntr.h" 31 | #include "ctl.h" 32 | 33 | #include "notify.h" 34 | 35 | // 36 | // Software Tracing Definitions 37 | // 38 | #define WPP_CONTROL_GUIDS \ 39 | WPP_DEFINE_CONTROL_GUID(MsnMntrInit,(e7db16bb, 41be, 4c05, b73e, 5feca06f8207), \ 40 | WPP_DEFINE_BIT(TRACE_INIT) \ 41 | WPP_DEFINE_BIT(TRACE_SHUTDOWN) ) 42 | 43 | #include "init.tmh" 44 | 45 | DEVICE_OBJECT* gWdmDevice; 46 | 47 | // =========================================================================== 48 | // 49 | // LOCAL PROTOTYPES 50 | // 51 | // =========================================================================== 52 | 53 | DRIVER_INITIALIZE DriverEntry; 54 | EVT_WDF_DRIVER_UNLOAD MonitorEvtDriverUnload; 55 | 56 | // We're using what looks like a EVT_WDF_DRIVER_DEVICE_ADD callback, to keep 57 | // this looking like a normal KMDF driver. However, since this is a non-pnp 58 | // driver, it will not be used as a callback; we will call it ourselves at the 59 | // end of DriverEntry. So, do not declare it as a callback. 60 | // The NONPNP sample demonstrates this as well. 61 | NTSTATUS 62 | MonitorEvtDeviceAdd( 63 | _In_ PWDFDEVICE_INIT pInit 64 | ); 65 | 66 | // =========================================================================== 67 | // 68 | // PUBLIC FUNCTIONS 69 | // 70 | // =========================================================================== 71 | 72 | NTSTATUS 73 | DriverEntry( 74 | _In_ DRIVER_OBJECT* driverObject, 75 | _In_ UNICODE_STRING* registryPath 76 | ) 77 | /*++ 78 | 79 | Routine Description: 80 | 81 | Main driver entry point. 
Called at driver load time 82 | 83 | Arguments: 84 | 85 | driverObject Our driver 86 | registryPath A reg key where we can keep parameters 87 | 88 | Return Value: 89 | 90 | status of our initialization. A status != STATUS_SUCCESS aborts the 91 | driver load and we don't get called again. 92 | 93 | Each component is responsible for logging any error that causes the 94 | driver load to fail. 95 | 96 | --*/ 97 | { 98 | NTSTATUS status; 99 | WDF_DRIVER_CONFIG config; 100 | WDFDRIVER driver; 101 | PWDFDEVICE_INIT pInit = NULL; 102 | 103 | // Request NX Non-Paged Pool when available 104 | ExInitializeDriverRuntime(DrvRtPoolNxOptIn); 105 | 106 | // 107 | // This macro is required to initialize software tracing on XP and beyond 108 | // For XP and beyond use the DriverObject as the first argument. 109 | // 110 | 111 | WPP_INIT_TRACING(driverObject,registryPath); 112 | 113 | DoTraceMessage(TRACE_INIT, "Initializing MonitorSample Driver"); 114 | 115 | WDF_DRIVER_CONFIG_INIT(&config, WDF_NO_EVENT_CALLBACK); 116 | config.DriverInitFlags |= WdfDriverInitNonPnpDriver; 117 | config.EvtDriverUnload = MonitorEvtDriverUnload; 118 | 119 | status = WdfDriverCreate( 120 | driverObject, 121 | registryPath, 122 | WDF_NO_OBJECT_ATTRIBUTES, 123 | &config, 124 | &driver 125 | ); 126 | 127 | if (!NT_SUCCESS(status)) 128 | { 129 | goto cleanup; 130 | } 131 | 132 | pInit = WdfControlDeviceInitAllocate(driver, &SDDL_DEVOBJ_SYS_ALL_ADM_ALL); 133 | 134 | if (!pInit) 135 | { 136 | status = STATUS_INSUFFICIENT_RESOURCES; 137 | goto cleanup; 138 | } 139 | 140 | status = MonitorEvtDeviceAdd(pInit); 141 | 142 | cleanup: 143 | if (!NT_SUCCESS(status)) 144 | { 145 | DoTraceMessage(TRACE_INIT, "MonitorSample Initialization Failed."); 146 | 147 | WPP_CLEANUP(driverObject); 148 | } 149 | 150 | return status; 151 | } 152 | 153 | NTSTATUS 154 | MonitorEvtDeviceAdd( 155 | _In_ PWDFDEVICE_INIT pInit 156 | ) 157 | { 158 | NTSTATUS status; 159 | WDFDEVICE device; 160 | DECLARE_CONST_UNICODE_STRING(ntDeviceName, 
MONITOR_DEVICE_NAME); 161 | DECLARE_CONST_UNICODE_STRING(symbolicName, MONITOR_SYMBOLIC_NAME); 162 | 163 | WdfDeviceInitSetDeviceType(pInit, FILE_DEVICE_NETWORK); 164 | WdfDeviceInitSetCharacteristics(pInit, FILE_DEVICE_SECURE_OPEN, FALSE); 165 | status = WdfDeviceInitAssignName(pInit, &ntDeviceName); 166 | if (!NT_SUCCESS(status)) 167 | { 168 | goto cleanup; 169 | } 170 | 171 | status = WdfDeviceCreate(&pInit, WDF_NO_OBJECT_ATTRIBUTES, &device); 172 | if (!NT_SUCCESS(status)) 173 | { 174 | goto cleanup; 175 | } 176 | 177 | status = WdfDeviceCreateSymbolicLink(device, &symbolicName); 178 | if (!NT_SUCCESS(status)) 179 | { 180 | goto cleanup; 181 | } 182 | 183 | status = MonitorCtlDriverInit(&device); 184 | if (!NT_SUCCESS(status)) 185 | { 186 | goto cleanup; 187 | } 188 | 189 | gWdmDevice = WdfDeviceWdmGetDeviceObject(device); 190 | status = MonitorCoInitialize(gWdmDevice); 191 | if (!NT_SUCCESS(status)) 192 | { 193 | goto cleanup; 194 | } 195 | 196 | status = MonitorNfInitialize(gWdmDevice); 197 | if (!NT_SUCCESS(status)) 198 | { 199 | goto cleanup; 200 | } 201 | 202 | WdfControlFinishInitializing(device); 203 | 204 | cleanup: 205 | // If WdfDeviceCreate was successful, it will set pInit to NULL. 
206 | if (pInit) 207 | { 208 | WdfDeviceInitFree(pInit); 209 | } 210 | 211 | return status; 212 | } 213 | 214 | void 215 | MonitorEvtDriverUnload( 216 | _In_ WDFDRIVER Driver 217 | ) 218 | /*++ 219 | 220 | Routine Description: 221 | 222 | Called to indicate that we are being unloaded and to cause an orderly 223 | shutdown 224 | 225 | Arguments: 226 | 227 | driverObject Our driver 228 | 229 | Return Value: 230 | 231 | None 232 | 233 | --*/ 234 | { 235 | DRIVER_OBJECT* driverObject; 236 | 237 | MonitorCoUninitialize(); 238 | MonitorNfUninitialize(); 239 | 240 | DoTraceMessage(TRACE_SHUTDOWN, "MonitorSample Driver Shutting Down"); 241 | 242 | driverObject = WdfDriverWdmGetDriverObject(Driver); 243 | WPP_CLEANUP(driverObject); 244 | } 245 | -------------------------------------------------------------------------------- /Driver/sys/msnmntr.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | Copyright (c) Microsoft Corporation. All rights reserved 3 | 4 | Abstract: 5 | 6 | Monitor Sample driver callout routines 7 | 8 | Environment: 9 | 10 | Kernel mode 11 | --*/ 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | 18 | #pragma warning(push) 19 | #pragma warning(disable:4201) // unnamed struct/union 20 | 21 | #include 22 | 23 | #pragma warning(pop) 24 | 25 | #include "ioctl.h" 26 | 27 | #include "msnmntr.h" 28 | #include "notify.h" 29 | #include "intsafe.h" 30 | 31 | #define INITGUID 32 | #include 33 | #include "mntrguid.h" 34 | 35 | // 36 | // Software Tracing Definitions 37 | // 38 | #define WPP_CONTROL_GUIDS \ 39 | WPP_DEFINE_CONTROL_GUID(MsnMntrMonitor,(dd65554d, 9925, 49d1, 83b6, 46125feb4207), \ 40 | WPP_DEFINE_BIT(TRACE_FLOW_ESTABLISHED) \ 41 | WPP_DEFINE_BIT(TRACE_STATE_CHANGE) \ 42 | WPP_DEFINE_BIT(TRACE_LAYER_NOTIFY) ) 43 | 44 | #include "msnmntr.tmh" 45 | 46 | #define TAG_NAME_CALLOUT 'CnoM' 47 | 48 | UINT32 flowEstablishedId = 0; 49 | UINT32 streamId = 0; 50 | long monitoringEnabled = 0; 51 | LIST_ENTRY 
flowContextList; 52 | KSPIN_LOCK flowContextListLock; 53 | 54 | NTSTATUS MonitorCoFlowEstablishedNotifyV4( 55 | _In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType, 56 | _In_ const GUID* filterKey, 57 | _Inout_ const FWPS_FILTER* filter); 58 | 59 | NTSTATUS MonitorCoStreamNotifyV4( 60 | _In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType, 61 | _In_ const GUID* filterKey, 62 | _Inout_ const FWPS_FILTER* filter); 63 | 64 | void MonitorCoStreamFlowDeletion( 65 | _In_ UINT16 layerId, 66 | _In_ UINT32 calloutId, 67 | _In_ UINT64 flowContext); 68 | 69 | #if(NTDDI_VERSION >= NTDDI_WIN7) 70 | 71 | NTSTATUS MonitorCoFlowEstablishedCalloutV4( 72 | _In_ const FWPS_INCOMING_VALUES* inFixedValues, 73 | _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues, 74 | _Inout_opt_ void* packet, 75 | _In_opt_ const void* classifyContext, 76 | _In_ const FWPS_FILTER* filter, 77 | _In_ UINT64 flowContext, 78 | _Inout_ FWPS_CLASSIFY_OUT* classifyOut); 79 | 80 | NTSTATUS MonitorCoStreamCalloutV4( 81 | _In_ const FWPS_INCOMING_VALUES* inFixedValues, 82 | _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues, 83 | _Inout_opt_ void* packet, 84 | _In_opt_ const void* classifyContext, 85 | _In_ const FWPS_FILTER* filter, 86 | _In_ UINT64 flowContext, 87 | _Inout_ FWPS_CLASSIFY_OUT* classifyOut); 88 | 89 | #else 90 | 91 | NTSTATUS MonitorCoFlowEstablishedCalloutV4( 92 | _In_ const FWPS_INCOMING_VALUES* inFixedValues, 93 | _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues, 94 | _Inout_opt_ void* packet, 95 | _In_ const FWPS_FILTER* filter, 96 | _In_ UINT64 flowContext, 97 | _Inout_ FWPS_CLASSIFY_OUT* classifyOut); 98 | 99 | NTSTATUS MonitorCoStreamCalloutV4( 100 | _In_ const FWPS_INCOMING_VALUES* inFixedValues, 101 | _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues, 102 | _Inout_opt_ void* packet, 103 | _In_ const FWPS_FILTER* filter, 104 | _In_ UINT64 flowContext, 105 | _Inout_ FWPS_CLASSIFY_OUT* classifyOut); 106 | 107 | #endif /// (NTDDI_VERSION >= NTDDI_WIN7) 108 | 109 | NTSTATUS 110 | 
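MonitorCoRegisterCallout(
    _Inout_ void* deviceObject,
    _In_ FWPS_CALLOUT_CLASSIFY_FN ClassifyFunction,
    _In_ FWPS_CALLOUT_NOTIFY_FN NotifyFunction,
    _In_opt_ FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN FlowDeleteFunction,
    _In_ const GUID* calloutKey,
    _In_ UINT32 flags,
    _Out_ UINT32* calloutId
    )
/*
Routine Description

    Registers one callout with the filter engine.

Arguments
    [IN] void* deviceObject - Device object the callout is registered against.
    [IN] FWPS_CALLOUT_CLASSIFY_FN ClassifyFunction - Classify entry point.
    [IN] FWPS_CALLOUT_NOTIFY_FN NotifyFunction - Filter add/delete notification
                                                entry point.
    [IN, OPTIONAL] FWPS_CALLOUT_FLOW_DELETE_NOTIFY_FN FlowDeleteFunction - Flow
                                                deletion entry point; NULL when
                                                the callout never associates a
                                                flow context.
    [IN] const GUID* calloutKey - Key identifying the callout.
    [IN] UINT32 flags - FWP_CALLOUT_FLAG_* values.
    [OUT] UINT32* calloutId - Runtime id assigned by the engine.

Return values

    STATUS_SUCCESS or the error returned by FwpsCalloutRegister.
*/
{
    FWPS_CALLOUT sCallout;

    memset(&sCallout, 0, sizeof(FWPS_CALLOUT));

    sCallout.calloutKey = *calloutKey;
    sCallout.flags = flags;
    sCallout.classifyFn = ClassifyFunction;
    sCallout.notifyFn = NotifyFunction;
    sCallout.flowDeleteFn = FlowDeleteFunction;

    return FwpsCalloutRegister(deviceObject, &sCallout, calloutId);
}

NTSTATUS
MonitorCoRegisterCallouts(
    _Inout_ void* deviceObject
    )
/*
Routine Description

    Registers the flow-established and stream callouts. If the second
    registration fails the first one is rolled back, so a failed
    initialization never leaves a live callout pointing at this driver.

Arguments
    [IN] void* deviceObject - Device object the callouts are registered against.

Return values

    STATUS_SUCCESS or the first registration error.
*/
{
    NTSTATUS status;

    //
    // We won't be called for flow deletion for the flow established layer
    // since we only establish a flow for the stream layer, so we don't
    // specify a flow deletion function.
    //
    status = MonitorCoRegisterCallout(deviceObject,
                                      MonitorCoFlowEstablishedCalloutV4,
                                      MonitorCoFlowEstablishedNotifyV4,
                                      NULL, // We don't need a flow delete function at this layer.
                                      &MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4,
                                      0, // No flags.
                                      &flowEstablishedId);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    status = MonitorCoRegisterCallout(deviceObject,
                                      MonitorCoStreamCalloutV4,
                                      MonitorCoStreamNotifyV4,
                                      MonitorCoStreamFlowDeletion,
                                      &MONITOR_SAMPLE_STREAM_CALLOUT_V4,
                                      FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW,
                                      &streamId);
    if (!NT_SUCCESS(status))
    {
        // Roll back the first registration: the caller only sees a single
        // failure status and would otherwise not know that the
        // flow-established callout is still registered.
        (void) FwpsCalloutUnregisterByKey(&MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4);
        flowEstablishedId = 0;
    }

    return status;
}

NTSTATUS
MonitorCoUnregisterCallout(
    _In_ const GUID* calloutKey
    )
/*
Routine Description

    Unregisters one callout by key. Thin wrapper kept for symmetry with
    MonitorCoRegisterCallout.

Arguments
    [IN] const GUID* calloutKey - Key the callout was registered under.

Return values

    The status returned by FwpsCalloutUnregisterByKey.
*/
{
    return FwpsCalloutUnregisterByKey(calloutKey);
}

NTSTATUS
MonitorCoUnregisterCallouts(void)
/*
Routine Description

    Unregisters both callouts. Both unregistrations are always attempted:
    skipping the stream callout because the first call failed would leave the
    engine able to call into this driver after it has unloaded.

Arguments

    None.

Return values

    STATUS_SUCCESS, or the first failure encountered.
*/
{
    NTSTATUS status;
    NTSTATUS streamStatus;

    status = MonitorCoUnregisterCallout(&MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4);
    streamStatus = MonitorCoUnregisterCallout(&MONITOR_SAMPLE_STREAM_CALLOUT_V4);

    return NT_SUCCESS(status) ? streamStatus : status;
}


NTSTATUS
MonitorCoInsertFlowContext(
    _Inout_ FLOW_DATA* flowContext)
/*
Routine Description

    Links a freshly created flow context into flowContextList under
    flowContextListLock. Refuses once monitoring has been disabled so nothing
    is added behind MonitorCoUninitialize's back.

Arguments
    [IN] FLOW_DATA* flowContext - Context to track; stays owned by the caller
                                 on failure.

Return values

    STATUS_SUCCESS, or STATUS_SHUTDOWN_IN_PROGRESS when monitoring is off.
*/
{
    KLOCK_QUEUE_HANDLE lockHandle;
    NTSTATUS status;

    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    // Catch the case where we disabled monitoring after we had intended to
    // associate the context to the flow so that we don't bugcheck due to
    // our driver being unloaded and then receiving a call for a particular
    // flow or leak the memory because we unloaded without freeing it.
    if (monitoringEnabled)
    {
        DoTraceMessage(TRACE_FLOW_ESTABLISHED, "Creating flow for traffic.\r\n");

        InsertTailList(&flowContextList, &flowContext->listEntry);
        status = STATUS_SUCCESS;
    }
    else
    {
        DoTraceMessage(TRACE_FLOW_ESTABLISHED, "Unable to create flow, driver shutting down.\r\n");

        // Our driver is shutting down.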
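status = STATUS_SHUTDOWN_IN_PROGRESS;
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);
    return status;
}

void
MonitorCoCleanupFlowContext(
    _In_ __drv_freesMem(Mem) FLOW_DATA* flowContext
    )
/*
Routine Description

    Releases a flow context and the process path buffer it owns. Called from
    the flow-deletion callback, from MonitorCoAllocFlowContext on a partial
    allocation failure, and from MonitorCoCreateFlowContext when the context
    could not be linked into the tracking list.

Arguments
    [IN] FLOW_DATA* flowContext - Context to free; processPath may be NULL.

Return values

    None.
*/
{
    if (flowContext->processPath)
    {
        ExFreePoolWithTag(flowContext->processPath, TAG_NAME_CALLOUT);
    }
    ExFreePoolWithTag(flowContext, TAG_NAME_CALLOUT);
}

NTSTATUS
MonitorCoAllocFlowContext(
    _In_ SIZE_T processPathSize,
    _Out_ FLOW_DATA** flowContextOut
    )
/*
Routine Description

    Allocates a zeroed FLOW_DATA plus a processPathSize-byte buffer for the
    process path, both from non-paged pool.

Arguments
    [IN] SIZE_T processPathSize - Bytes to reserve for the process path; must
                                  be non-zero.
    [OUT] FLOW_DATA** flowContextOut - Receives the context, or NULL on failure.

Return values

    STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a zero-length path, or
    STATUS_NO_MEMORY.
*/
{
    NTSTATUS status = STATUS_SUCCESS;
    FLOW_DATA* flowContext = NULL;

    *flowContextOut = NULL;

    // A flow without a process path gives the monitor nothing to key on.
    if (processPathSize == 0)
    {
        return STATUS_INVALID_PARAMETER;
    }

    flowContext = ExAllocatePoolWithTag(NonPagedPool,
                                        sizeof(FLOW_DATA),
                                        TAG_NAME_CALLOUT);
    if (!flowContext)
    {
        status = STATUS_NO_MEMORY;
        goto cleanup;
    }

    RtlZeroMemory(flowContext, sizeof(FLOW_DATA));

    flowContext->processPath = ExAllocatePoolWithTag(NonPagedPool,
                                                     processPathSize,
                                                     TAG_NAME_CALLOUT);
    if (!flowContext->processPath)
    {
        status = STATUS_NO_MEMORY;
        goto cleanup;
    }

    *flowContextOut = flowContext;

cleanup:
    if (!NT_SUCCESS(status) && flowContext)
    {
        // Frees processPath as well when it was allocated.
        MonitorCoCleanupFlowContext(flowContext);
    }

    return status;
}


UINT64
MonitorCoCreateFlowContext(
    _In_ const FWPS_INCOMING_VALUES* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
    _Out_ UINT64* flowHandle)
/*
Routine Description

    Creates a flow context that is associated with the current flow and
    links it into the tracking list.

Arguments
    [IN] const FWPS_INCOMING_VALUES* inFixedValues - Fixed values of the
                                    ALE flow-established V4 layer (addresses,
                                    ports, protocol).

    [IN] const FWPS_INCOMING_METADATA_VALUES* inMetaValues - Metadata; the
                                    process path and flow handle are read.

    [OUT] UINT64* flowHandle - Receives the flow handle the context belongs
                               to, or 0 when no context was created.

Return values

    The new FLOW_DATA pointer as a UINT64 (the value handed to
    FwpsFlowAssociateContext), or 0 when the flow is not tracked.

Notes

    On any failure after allocation the context is freed here; the caller
    only ever owns a non-zero return value.

*/
{
    FLOW_DATA* flowContext = NULL;
    NTSTATUS status;
    FWP_BYTE_BLOB* processPath;
    UINT32 index;

    *flowHandle = 0;

    if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_PROCESS_PATH))
    {
        status = STATUS_NOT_FOUND;
        goto cleanup;
    }

    // The handle is what the context is later associated with and removed
    // from; do not read it unless the engine supplied it.
    if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_FLOW_HANDLE))
    {
        status = STATUS_NOT_FOUND;
        goto cleanup;
    }

    processPath = inMetaValues->processPath;

    status = MonitorCoAllocFlowContext(processPath->size, &flowContext);
    if (!NT_SUCCESS(status))
    {
        goto cleanup;
    }

    // Flow context is always created at the Flow established layer.

    // flowContext gets deleted in MonitorCoCleanupFlowContext

    flowContext->deleting = FALSE;
    flowContext->flowHandle = inMetaValues->flowHandle;
    *flowHandle = flowContext->flowHandle;

    index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_ADDRESS;
    flowContext->localAddressV4 = inFixedValues->incomingValue[index].value.uint32;

    index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_LOCAL_PORT;
    flowContext->localPort = inFixedValues->incomingValue[index].value.uint16;

    index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_ADDRESS;
    flowContext->remoteAddressV4 = inFixedValues->incomingValue[index].value.uint32;

    index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_REMOTE_PORT;
    flowContext->remotePort = inFixedValues->incomingValue[index].value.uint16;

    // The IP protocol condition at the ALE layers is an FWP_UINT8; reading
    // it through the uint16 member picked up an undefined upper byte.
    index = FWPS_FIELD_ALE_FLOW_ESTABLISHED_V4_IP_PROTOCOL;
    flowContext->ipProto = inFixedValues->incomingValue[index].value.uint8;

    // flowContext->processPath gets deleted in MonitorCoCleanupFlowContext
    memcpy(flowContext->processPath, processPath->data, processPath->size);

    status = MonitorCoInsertFlowContext(flowContext);

cleanup:

    if (!NT_SUCCESS(status))
    {
        // Only the insert path can fail with a live allocation: the context
        // was never linked, so nobody else will free it.
        if (flowContext)
        {
            MonitorCoCleanupFlowContext(flowContext);
            flowContext = NULL;
        }
        *flowHandle = 0;
    }

    return (UINT64)(ULONG_PTR) flowContext;
}

NTSTATUS MonitorCoInitialize(_Inout_ DEVICE_OBJECT* deviceObject)
/*
Routine Description

    Initializes our flow tracking so that we can handle the case where
    the driver is shutdown with flows that are still active, then registers
    the callouts.

Arguments
    [IN] DEVICE_OBJECT* deviceObject - Device object the callouts are
                                      registered against.

Return values

    STATUS_SUCCESS or a specific error code.

Notes


*/
{
    NTSTATUS status;

    // Initialize the flow context list and lock.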
// We need this to be able
    // to handle the case where our driver is stopped while we still have
    // contexts associated with flows.
    InitializeListHead(&flowContextList);
    KeInitializeSpinLock(&flowContextListLock);

    status = MonitorCoRegisterCallouts(deviceObject);

    return status;
}

void MonitorCoUninitialize(void)
/*
Routine Description

    Uninitializes the callouts module (this module) by ensuring that all
    flow contexts are no longer associated with a flow to ensure that
    our driver is not called after it is unloaded.

Arguments

    None.

Return values

    None.

Notes

    Three steps: stop accepting new contexts, move every tracked context to a
    private list under the lock (marking it deleting so the flow-deletion
    callback leaves the list alone), then ask the engine to drop each
    context's association and finally unregister the callouts.

*/
{
    LIST_ENTRY list;
    KLOCK_QUEUE_HANDLE lockHandle;

    // Make sure we don't associate any more contexts to flows.
    MonitorCoDisableMonitoring();

    InitializeListHead(&list);

    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    while (!IsListEmpty(&flowContextList))
    {
        FLOW_DATA* flowContext;
        LIST_ENTRY* entry;

        entry = RemoveHeadList(&flowContextList);

        flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);
        flowContext->deleting = TRUE; // We don't want our flow deletion function
                                      // to try to remove this from the list.

        InsertHeadList(&list, entry);
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    // Done outside the spin lock: the engine call below is expected to run
    // MonitorCoStreamFlowDeletion, which frees the context.
    while (!IsListEmpty(&list))
    {
        FLOW_DATA* flowContext;
        LIST_ENTRY* entry;
        NTSTATUS status;

        entry = RemoveHeadList(&list);

        flowContext = CONTAINING_RECORD(entry, FLOW_DATA, listEntry);

        status = FwpsFlowRemoveContext(flowContext->flowHandle,
                                       FWPS_LAYER_STREAM_V4,
                                       streamId);
        NT_ASSERT(NT_SUCCESS(status));
        _Analysis_assume_(NT_SUCCESS(status));
    }

    MonitorCoUnregisterCallouts();
}

NTSTATUS MonitorCoEnableMonitoring(
    _In_ MONITOR_SETTINGS* monitorSettings)
/*
Routine Description

    Enables monitoring of traffic. Before this is called the driver will not
    associate any context to flows and will therefore not do any inspection.
    Once this is called we will start to track flows for the applications that
    we are interested in.

Arguments
    [IN] MONITOR_SETTINGS* monitorSettings - Settings that govern our behavior.
                                             Nothing is specified at this time;
                                             only checked for NULL.

Return values

    STATUS_SUCCESS, or STATUS_INVALID_PARAMETER for a NULL settings pointer.

Notes


*/
{
    KLOCK_QUEUE_HANDLE lockHandle;

    if (!monitorSettings)
    {
        return STATUS_INVALID_PARAMETER;
    }

    DoTraceMessage(TRACE_STATE_CHANGE, "Enabling monitoring.\r\n");

    // Written under the list lock so the enable/disable transition is
    // ordered against MonitorCoInsertFlowContext's check of the flag.
    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    monitoringEnabled = 1;

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    return STATUS_SUCCESS;
}

void
MonitorCoDisableMonitoring(void)
/*
Routine Description

    Disables monitoring of new connections so that we can safely shutdown.
    Existing contexts are left alone; MonitorCoUninitialize deals with them.

Arguments

    None.

Return values

    None.

Notes


*/
{
    KLOCK_QUEUE_HANDLE lockHandle;

    DoTraceMessage(TRACE_STATE_CHANGE, "Disabling monitoring.\r\n");

    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    monitoringEnabled = 0;

    KeReleaseInStackQueuedSpinLock(&lockHandle);
}

#if(NTDDI_VERSION >= NTDDI_WIN7)

NTSTATUS MonitorCoFlowEstablishedCalloutV4(
    _In_ const FWPS_INCOMING_VALUES* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
    _Inout_opt_ void* packet,
    _In_opt_ const void* classifyContext,
    _In_ const FWPS_FILTER* filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT* classifyOut)

#else

NTSTATUS MonitorCoFlowEstablishedCalloutV4(
    _In_ const FWPS_INCOMING_VALUES* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
    _Inout_opt_ void* packet,
    _In_ const FWPS_FILTER* filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT* classifyOut)


#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
/*
Routine Description

    Our flow established callout for Ipv4 traffic. Creates a FLOW_DATA for
    the new flow and associates it with the stream layer so that
    MonitorCoStreamCalloutV4 is invoked for the flow's data.

Arguments
    [IN] const FWPS_INCOMING_VALUES* inFixedValues - The fixed values passed in
                                                    based on the traffic.
    [IN] const FWPS_INCOMING_METADATA_VALUES* inMetaValues - Metadata that
                                                            provides additional
                                                            information about the
                                                            connection.
    [IN] void* packet - Depending on the layer and protocol this can be NULL or a
                        layer specific type.
    [IN, OPTIONAL] const VOID* classifyContext - context data associated with the callout driver
    [IN] const FWPS_FILTER* filter - The filter that has specified this callout.
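[IN] UINT64 flowContext - Flow context associated with a flow
    [OUT] FWPS_CLASSIFY_OUT* classifyOut - Out parameter that is used to inform
                                          the filter engine of our decision

Return values

    STATUS_SUCCESS or a specific error code.

Notes

    Observe-only: the action is PERMIT when a context was attached (or
    monitoring is off) and CONTINUE when the flow could not be tracked, so a
    monitoring failure never blocks traffic. A context that the engine
    refused to take is unlinked and freed here, because the flow-deletion
    callback only runs for contexts the engine actually holds.

*/
{

    NTSTATUS status = STATUS_SUCCESS;
    UINT64 flowHandle;
    UINT64 flowContextLocal;
    FLOW_DATA* flowData;
    BOOLEAN ownedHere;
    KLOCK_QUEUE_HANDLE lockHandle;

    UNREFERENCED_PARAMETER(packet);
#if(NTDDI_VERSION >= NTDDI_WIN7)
    UNREFERENCED_PARAMETER(classifyContext);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
    UNREFERENCED_PARAMETER(flowContext);

    if (monitoringEnabled)
    {
        flowContextLocal = MonitorCoCreateFlowContext(inFixedValues, inMetaValues, &flowHandle);

        if (!flowContextLocal)
        {
            classifyOut->actionType = FWP_ACTION_CONTINUE;
            goto cleanup;
        }

        status = FwpsFlowAssociateContext(flowHandle,
                                          FWPS_LAYER_STREAM_V4,
                                          streamId,
                                          flowContextLocal);
        if (!NT_SUCCESS(status))
        {
            // The engine never took ownership, so MonitorCoStreamFlowDeletion
            // will not run for this context. Take it back out of the list and
            // free it. If MonitorCoUninitialize already moved it to its private
            // shutdown list (deleting == TRUE) that path still holds the entry
            // and must not have it freed underneath it.
            flowData = (FLOW_DATA*)(ULONG_PTR) flowContextLocal;

            KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);
            ownedHere = !flowData->deleting;
            if (ownedHere)
            {
                RemoveEntryList(&flowData->listEntry);
            }
            KeReleaseInStackQueuedSpinLock(&lockHandle);

            if (ownedHere)
            {
                MonitorCoCleanupFlowContext(flowData);
            }

            classifyOut->actionType = FWP_ACTION_CONTINUE;
            goto cleanup;
        }
    }

    classifyOut->actionType = FWP_ACTION_PERMIT;

    if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
    {
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    }

cleanup:

    return status;
}

#if(NTDDI_VERSION >= NTDDI_WIN7)

NTSTATUS MonitorCoStreamCalloutV4(
    _In_ const FWPS_INCOMING_VALUES* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
    _Inout_opt_ void* packet,
    _In_opt_ const void* classifyContext,
    _In_ const FWPS_FILTER* filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT* classifyOut)

#else

NTSTATUS MonitorCoStreamCalloutV4(
    _In_ const FWPS_INCOMING_VALUES* inFixedValues,
    _In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
    _Inout_opt_ void* packet,
    _In_ const FWPS_FILTER* filter,
    _In_ UINT64 flowContext,
    _Inout_ FWPS_CLASSIFY_OUT* classifyOut)

#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
/*
Routine Description

    Our stream layer callout for traffic to/from the application we're
    interested in. Since we specified the filter that matches this callout
    as conditional on flow, we only get called if we've associated a flow with
    the traffic.

Arguments
    [IN] const FWPS_INCOMING_VALUES* inFixedValues - The fixed values passed in
                                                    based on the traffic.
    [IN] const FWPS_INCOMING_METADATA_VALUES* inMetaValues - Metadata that
                                                            provides additional
                                                            information about the
                                                            connection.
    [IN] void* packet - FWPS_STREAM_CALLOUT_IO_PACKET for this layer.
    [IN] const FWPS_FILTER* filter - The filter that has specified this callout.
    [IN, OPTIONAL] const VOID* classifyContext - context data associated with the callout driver
    [IN] UINT64 flowContext - The FLOW_DATA attached in
                              MonitorCoFlowEstablishedCalloutV4.
    [OUT] FWPS_CLASSIFY_OUT* classifyOut - Out parameter that is used to inform
                                          the filter engine of our decision

Return values

    STATUS_SUCCESS or the status of MonitorNfNotifyMessage.

Notes

    Always answers CONTINUE; the data is only handed to the notification
    module, never modified or blocked.

*/
{
    FLOW_DATA* flowData;
    FWPS_STREAM_CALLOUT_IO_PACKET* streamPacket;
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN inbound;

    UNREFERENCED_PARAMETER(inFixedValues);
    UNREFERENCED_PARAMETER(inMetaValues);
#if(NTDDI_VERSION >= NTDDI_WIN7)
    UNREFERENCED_PARAMETER(classifyContext);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
    UNREFERENCED_PARAMETER(filter);

    _Analysis_assume_(packet != NULL);

    if (!monitoringEnabled)
    {
        goto cleanup;
    }

    // The stream filter is FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW, so a context
    // should always be attached; treat a missing one as "nothing to inspect"
    // rather than dereferencing NULL.
    flowData = (FLOW_DATA*)(ULONG_PTR) flowContext;
    if (flowData == NULL)
    {
        goto cleanup;
    }

    streamPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*) packet;

    if (streamPacket->streamData != NULL &&
        streamPacket->streamData->dataLength != 0)
    {
        inbound = (BOOLEAN) ((streamPacket->streamData->flags & FWPS_STREAM_FLAG_RECEIVE) == FWPS_STREAM_FLAG_RECEIVE);

        status = MonitorNfNotifyMessage(streamPacket->streamData,
                                        inbound,
                                        flowData->localPort,
                                        flowData->remotePort);
    }

cleanup:

    // Return CONTINUE to the filter engine, we're just monitoring.

    classifyOut->actionType = FWP_ACTION_CONTINUE;

    return status;
}

NTSTATUS MonitorCoFlowEstablishedNotifyV4(
    _In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    _In_ const GUID* filterKey,
    _Inout_ const FWPS_FILTER* filter)
/*
Routine Description

    Notification routine that is called whenever a filter is added, deleted or
    modified on the layer that our callout is registered against.

Arguments
    [IN] FWPS_CALLOUT_NOTIFY_TYPE notifyType - Type of notification

    [IN] GUID* filterKey - Key of the filter that was
                           added/deleted/modified.

    [IN] struct FWPS_FILTER_* filter - pointer to the Filter itself.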
Return values

    STATUS_SUCCESS or a specific error code.

Notes

    Purely informational: add and delete are traced, every other notification
    type is ignored.

*/
{
    UNREFERENCED_PARAMETER(filterKey);
    UNREFERENCED_PARAMETER(filter);

    switch (notifyType)
    {
    case FWPS_CALLOUT_NOTIFY_ADD_FILTER:
        DoTraceMessage(TRACE_LAYER_NOTIFY,
                       "Filter Added to Flow Established layer.\r\n");

        break;
    case FWPS_CALLOUT_NOTIFY_DELETE_FILTER:
        DoTraceMessage(TRACE_LAYER_NOTIFY,
                       "Filter Deleted from Flow Established layer.\r\n");
        break;
    }

    return STATUS_SUCCESS;
}

void MonitorCoStreamFlowDeletion(
    _In_ UINT16 layerId,
    _In_ UINT32 calloutId,
    _In_ UINT64 flowContext)
/*
Routine Description

    Flow-deletion callback registered for the stream callout. Unlinks the
    FLOW_DATA from flowContextList (unless MonitorCoUninitialize has already
    taken it off the list and flagged it with deleting) and frees it.

Arguments
    [IN] UINT16 layerId - Unused.
    [IN] UINT32 calloutId - Unused.
    [IN] UINT64 flowContext - The FLOW_DATA pointer handed to
                              FwpsFlowAssociateContext.

Return values

    None.
*/
{
    KLOCK_QUEUE_HANDLE lockHandle;
    FLOW_DATA* flowData;
    HRESULT result;
    ULONG_PTR flowPtr;


    UNREFERENCED_PARAMETER(layerId);
    UNREFERENCED_PARAMETER(calloutId);

    // Checked narrowing for 32-bit builds; the value started life as a
    // pointer, so it must fit.
    result = ULongLongToULongPtr(flowContext, &flowPtr);
    ASSERT(result == S_OK);
    _Analysis_assume_(result == S_OK);


    flowData = ((FLOW_DATA*)flowPtr);

    //
    // If we're already being deleted from the list then we mustn't try to
    // remove ourselves here.
    //
    KeAcquireInStackQueuedSpinLock(&flowContextListLock, &lockHandle);

    if (!flowData->deleting)
    {
        RemoveEntryList(&flowData->listEntry);
    }

    KeReleaseInStackQueuedSpinLock(&lockHandle);

    MonitorCoCleanupFlowContext(flowData);
}

NTSTATUS MonitorCoStreamNotifyV4(
    _In_ FWPS_CALLOUT_NOTIFY_TYPE notifyType,
    _In_ const GUID* filterKey,
    _Inout_ const FWPS_FILTER* filter)
/*
Routine Description

    Notification routine that is called whenever a filter is added, deleted or
    modified on the layer that our callout is registered against.

Arguments
    [IN] FWPS_CALLOUT_NOTIFY_TYPE notifyType - Type of notification

    [IN] GUID* filterKey - Key of the filter that was
                           added/deleted/modified.

    [IN] struct FWPS_FILTER_* filter - pointer to the Filter itself.

Return values

    STATUS_SUCCESS or a specific error code.

Notes

    Purely informational: add and delete are traced, every other notification
    type is ignored.

*/
{
    UNREFERENCED_PARAMETER(notifyType); // Redundant: notifyType is used by the switch below.
    UNREFERENCED_PARAMETER(filterKey);
    UNREFERENCED_PARAMETER(filter);

    switch (notifyType)
    {
    case FWPS_CALLOUT_NOTIFY_ADD_FILTER:
        DoTraceMessage(TRACE_LAYER_NOTIFY,
                       "Filter Added to Stream layer.\r\n");

        break;
    case FWPS_CALLOUT_NOTIFY_DELETE_FILTER:
        DoTraceMessage(TRACE_LAYER_NOTIFY,
                       "Filter Deleted from Stream layer.\r\n");
        break;
    }
    return STATUS_SUCCESS;
}
-------------------------------------------------------------------------------- /Driver/sys/msnmntr.h: --------------------------------------------------------------------------------
/*++

Copyright (c) Microsoft Corporation.
All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver callout header 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #pragma once 16 | 17 | typedef struct _FLOW_DATA 18 | { 19 | UINT64 flowHandle; 20 | UINT64 flowContext; 21 | UINT64 calloutId; 22 | ULONG localAddressV4; 23 | USHORT localPort; 24 | USHORT ipProto; 25 | ULONG remoteAddressV4; 26 | USHORT remotePort; 27 | WCHAR* processPath; 28 | LIST_ENTRY listEntry; 29 | BOOLEAN deleting; 30 | } FLOW_DATA; 31 | 32 | NTSTATUS 33 | MonitorCoInitialize(_Inout_ DEVICE_OBJECT* deviceObject); 34 | 35 | void 36 | MonitorCoUninitialize(void); 37 | 38 | NTSTATUS 39 | MonitorCoRegisterCallouts(_Inout_ void* deviceObject); 40 | 41 | NTSTATUS 42 | MonitorCoUnregisterCallouts(void); 43 | 44 | NTSTATUS 45 | MonitorCoSetApplication( 46 | _In_reads_(size) wchar_t* fileName, 47 | _In_ ULONG size); 48 | 49 | NTSTATUS 50 | MonitorCoEnableMonitoring( 51 | _In_ MONITOR_SETTINGS* monitorSettings); 52 | 53 | void 54 | MonitorCoDisableMonitoring(void); 55 | 56 | -------------------------------------------------------------------------------- /Driver/sys/msnmntr.inf: -------------------------------------------------------------------------------- 1 | ;;; 2 | ;;; Copyright (c) Microsoft Corporation. All rights reserved 3 | ;;; 4 | ;;; Abstract: 5 | ;;; Monitor Callout sample driver install configuration. 
6 | ;;; 7 | 8 | [Version] 9 | Signature = "$Windows NT$" 10 | Class = WFPCALLOUTS 11 | ClassGuid = {57465043-616C-6C6F-7574-5F636C617373} 12 | Provider = %ProviderString% 13 | CatalogFile = MSNMntr.cat 14 | DriverVer = 11/24/2014,14.24.55.836 15 | 16 | [SourceDisksNames] 17 | 1 = %MSNMntrDisk%,,,"" 18 | 19 | [SourceDisksFiles] 20 | MSNMntr.sys = 1,, 21 | 22 | [DestinationDirs] 23 | DefaultDestDir = 12 ; %WinDir%\System32\Drivers 24 | MSNMntr.DriverFiles = 12 ; %WinDir%\System32\Drivers 25 | 26 | [DefaultInstall] 27 | OptionDesc = %MSNMntrServiceDesc% 28 | CopyFiles = MSNMntr.DriverFiles 29 | 30 | [DefaultInstall.Services] 31 | AddService = %MSNMntrServiceName%,,MSNMntr.Service 32 | 33 | [DefaultUninstall] 34 | DelFiles = MSNMntr.DriverFiles 35 | 36 | [DefaultUninstall.Services] 37 | DelService = %MSNMntrServiceName%,0x200 ; SPSVCINST_STOPSERVICE 38 | 39 | [MSNMntr.DriverFiles] 40 | MSNMntr.sys,,,0x00000040 ; COPYFLG_OVERWRITE_OLDER_ONLY 41 | 42 | [MSNMntr.Service] 43 | DisplayName = %MSNMntrServiceName% 44 | Description = %MSNMntrServiceDesc% 45 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 46 | StartType = 3 ; SERVICE_DEMAND_START 47 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 48 | ServiceBinary = %12%\MSNMntr.sys ; %WinDir%\System32\Drivers\MSNMntr.sys 49 | 50 | [Strings] 51 | ProviderString = "TODO-Set-Provider" 52 | MSNMntrDisk = "Monitor Installation Disk" 53 | MSNMntrServiceDesc = "Monitor Callout Driver" 54 | MSNMntrServiceName = "MSNMntr" -------------------------------------------------------------------------------- /Driver/sys/msnmntr.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {0334D910-32A8-48D1-945A-A58B9F2FAD22} 23 | $(MSBuildProjectName) 24 | 1 25 | Debug 26 | Win32 27 | {E5A95292-DFAE-41E4-A0B2-62D97EC6575F} 28 | 29 | 30 | 31 | Windows10 32 | False 33 | Desktop 
34 | KMDF 35 | WindowsKernelModeDriver10.0 36 | Driver 37 | 38 | 39 | Windows10 40 | True 41 | Desktop 42 | KMDF 43 | WindowsKernelModeDriver10.0 44 | Driver 45 | 46 | 47 | Windows10 48 | False 49 | Desktop 50 | KMDF 51 | WindowsKernelModeDriver10.0 52 | Driver 53 | 54 | 55 | Windows10 56 | True 57 | Desktop 58 | KMDF 59 | WindowsKernelModeDriver10.0 60 | Driver 61 | 62 | 63 | 64 | $(IntDir) 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | true 81 | true 82 | 83 | 84 | 85 | msnmntr 86 | 87 | 88 | msnmntr 89 | 90 | 91 | msnmntr 92 | 93 | 94 | msnmntr 95 | 96 | 97 | 98 | true 99 | Level4 100 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 101 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 102 | 103 | 104 | 105 | 106 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 107 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 108 | 109 | 110 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 111 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 112 | 113 | 114 | %(AdditionalDependencies);$(DDK_LIB_PATH)\ntoskrnl.lib;$(DDK_LIB_PATH)\wdmsec.lib;$(DDK_LIB_PATH)\fwpkclnt.lib;$(SDK_LIB_PATH)\uuid.lib 115 | 116 | 117 | 118 | 119 | true 120 | Level4 121 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 122 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 123 | 124 | 125 | 126 | 127 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 128 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 129 | 130 | 131 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 132 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 133 | 134 | 135 | 
%(AdditionalDependencies);$(DDK_LIB_PATH)\ntoskrnl.lib;$(DDK_LIB_PATH)\wdmsec.lib;$(DDK_LIB_PATH)\fwpkclnt.lib;$(SDK_LIB_PATH)\uuid.lib 136 | 137 | 138 | 139 | 140 | true 141 | Level4 142 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 143 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 144 | 145 | 146 | 147 | 148 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 149 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 150 | 151 | 152 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 153 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 154 | 155 | 156 | %(AdditionalDependencies);$(DDK_LIB_PATH)\ntoskrnl.lib;$(DDK_LIB_PATH)\wdmsec.lib;$(DDK_LIB_PATH)\fwpkclnt.lib;$(SDK_LIB_PATH)\uuid.lib 157 | 158 | 159 | 160 | 161 | true 162 | Level4 163 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 164 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 165 | 166 | 167 | 168 | 169 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 170 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 171 | 172 | 173 | %(AdditionalIncludeDirectories);$(DDK_INC_PATH);..\inc 174 | %(PreprocessorDefinitions);BINARY_COMPATIBLE=0;NT;UNICODE;_UNICODE;NDIS60;NDIS_SUPPORT_NDIS6;POOL_NX_OPTIN_AUTO 175 | 176 | 177 | %(AdditionalDependencies);$(DDK_LIB_PATH)\ntoskrnl.lib;$(DDK_LIB_PATH)\wdmsec.lib;$(DDK_LIB_PATH)\fwpkclnt.lib;$(SDK_LIB_PATH)\uuid.lib 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | -------------------------------------------------------------------------------- /Driver/sys/msnmntr.vcxproj.Filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 
| cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx;* 6 | {57260C1A-8BC8-4BFB-8443-187F6386E3CD} 7 | 8 | 9 | h;hpp;hxx;hm;inl;inc;xsd 10 | {E379C1F3-41C5-407E-A95E-087A8732A4CE} 11 | 12 | 13 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms;man;xml 14 | {552405F1-D8E0-402D-85DD-0B8E345F0634} 15 | 16 | 17 | inf;inv;inx;mof;mc; 18 | {F56EC5D2-6494-433C-9F61-D4F039E15BE3} 19 | 20 | 21 | 22 | 23 | Source Files 24 | 25 | 26 | Source Files 27 | 28 | 29 | Source Files 30 | 31 | 32 | Source Files 33 | 34 | 35 | -------------------------------------------------------------------------------- /Driver/sys/notify.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver notification routines 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #include 16 | 17 | #include 18 | 19 | #pragma warning(push) 20 | #pragma warning(disable:4201) // unnamed struct/union 21 | 22 | #include 23 | 24 | #pragma warning(pop) 25 | 26 | 27 | #include "ioctl.h" 28 | 29 | #include "msnmntr.h" 30 | 31 | #include "notify.h" 32 | 33 | // 34 | // Software Tracing Definitions 35 | // 36 | #define WPP_CONTROL_GUIDS \ 37 | WPP_DEFINE_CONTROL_GUID(MsnMntrNotify,(aca2f74a, 7a0d, 4f47, be4b, 66900813b8e5), \ 38 | WPP_DEFINE_BIT(TRACE_CLIENT_SERVER) \ 39 | WPP_DEFINE_BIT(TRACE_PEER_TO_PEER) \ 40 | WPP_DEFINE_BIT(TRACE_UNKNOWN) \ 41 | WPP_DEFINE_BIT(TRACE_ALL_TRAFFIC) ) 42 | 43 | #include "notify.tmh" // This file will be auto generated 44 | 45 | 46 | #define TAG_NAME_NOTIFY 'oNnM' 47 | 48 | NTSTATUS 49 | MonitorNfInitialize( 50 | _In_ DEVICE_OBJECT* deviceObject) 51 | { 52 | UNREFERENCED_PARAMETER(deviceObject); 53 | 54 | return STATUS_SUCCESS; 55 | } 56 | 57 | NTSTATUS 58 | MonitorNfUninitialize(void) 59 | { 60 | return STATUS_SUCCESS; 61 | } 62 | 63 | __forceinline 64 | void* 65 | MonitorNfpFindCharacters( 66 | 
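_In_reads_bytes_(streamLength) const char* stream,
    _In_ size_t streamLength,
    _In_reads_bytes_(subStreamLength) const char* subStream,
    _In_ size_t subStreamLength,
    _Out_ size_t* bytesLeft)
/*
Routine Description

    Finds the first occurrence of subStream inside stream. Plain byte
    comparison; neither buffer is assumed to be NUL terminated.

Arguments
    [IN] const char* stream - Bytes to search.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [IN] const char* subStream - Bytes to look for.
    [IN] size_t subStreamLength - Length of subStream; zero never matches.
    [OUT] size_t* bytesLeft - Bytes remaining after the match; streamLength
                              when there is no match.

Return values

    Pointer to the match inside stream, or NULL.
*/
{
    size_t currentOffset = 0;
    void* subStreamPtr = NULL;

    *bytesLeft = streamLength;

    if (subStreamLength == 0 || subStreamLength > streamLength)
    {
        return NULL;
    }

    while (currentOffset+subStreamLength <= streamLength)
    {
        if (0 == memcmp((void*)(stream+currentOffset), subStream, subStreamLength))
        {
            subStreamPtr = (void*)(char*)(stream+currentOffset);
            *bytesLeft = streamLength - currentOffset - subStreamLength;
            break;
        }
        // Advance one byte at a time. Stepping by subStreamLength (the
        // previous behavior) only tested offsets that are multiples of the
        // needle length, so most "\r\n\r\n" header terminators were missed.
        currentOffset++;
    }

    return subStreamPtr;
}

static
BOOLEAN
MonitorNfpSkipHttpHeader(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _Out_ BYTE** body,
    _Out_ size_t* bodyLength)
/*
Routine Description

    Locates the end of an HTTP header ("\r\n\r\n") and returns the body
    bytes that follow it in this segment.

Arguments
    [IN] BYTE* stream - Segment data.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [OUT] BYTE** body - First byte after the header terminator, or NULL.
    [OUT] size_t* bodyLength - Number of body bytes in this segment, or 0.

Return values

    TRUE when a terminator was found and at least one body byte follows it.
*/
{
    size_t bytesLeft;
    BYTE* terminator;

    *body = NULL;
    *bodyLength = 0;

    terminator = (BYTE*) MonitorNfpFindCharacters((const char*)stream,
                                                  streamLength,
                                                  "\r\n\r\n",
                                                  strlen("\r\n\r\n"),
                                                  &bytesLeft);
    if (terminator == NULL || bytesLeft == 0)
    {
        return FALSE;
    }

    *body = terminator + strlen("\r\n\r\n"); // step past \r\n\r\n.
    *bodyLength = bytesLeft;                  // exactly what follows the terminator.
    return TRUE;
}

NTSTATUS
MonitorNfParseMessageInbound(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _In_ USHORT localPort,
    _In_ USHORT remotePort)
/*
Routine Description

    Traces the size of an inbound payload. The bytes themselves are not
    inspected.

Arguments
    [IN] BYTE* stream - Payload (unused).
    [IN] size_t streamLength - Payload length.
    [IN] USHORT localPort / remotePort - Flow endpoints, for the trace.

Return values

    STATUS_SUCCESS.
*/
{
    UNREFERENCED_PARAMETER(stream);

    DoTraceMessage(TRACE_CLIENT_SERVER,
                   "%Id bytes received. Local Port: %d Remote Port: %d.",
                   streamLength,
                   localPort,
                   remotePort);
    return STATUS_SUCCESS;
}

NTSTATUS
MonitorNfParseMessageInboundHttpHeader(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _In_ USHORT localPort,
    _In_ USHORT remotePort)
/*
Routine Description

    Skips the HTTP response header and traces the body that follows it.

Arguments
    [IN] BYTE* stream - Segment data starting with the status line.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [IN] USHORT localPort / remotePort - Flow endpoints, for the trace.

Return values

    STATUS_SUCCESS. A segment that does not (yet) contain the end of the
    header carries nothing to report; for a monitor-only callout that is not
    an error, and the outbound twin already treated it that way. Previously
    this path returned STATUS_INVALID_PARAMETER, which the caller turned into
    a failure status for the filter engine.
*/
{
    BYTE* msgStart;
    size_t msgLength;

    // Walk past the HTTP header.
    if (!MonitorNfpSkipHttpHeader(stream, streamLength, &msgStart, &msgLength))
    {
        return STATUS_SUCCESS;
    }

    // Do the final inbound message processing.
    return MonitorNfParseMessageInbound(msgStart,
                                        msgLength,
                                        localPort,
                                        remotePort);
}

NTSTATUS
MonitorNfParseMessageOutbound(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _In_ USHORT localPort,
    _In_ USHORT remotePort)
/*
Routine Description

    Traces the size of an outbound payload. The bytes themselves are not
    inspected.

Arguments
    [IN] BYTE* stream - Payload (unused).
    [IN] size_t streamLength - Payload length.
    [IN] USHORT localPort / remotePort - Flow endpoints, for the trace.

Return values

    STATUS_SUCCESS.
*/
{
    UNREFERENCED_PARAMETER(stream);

    DoTraceMessage(TRACE_CLIENT_SERVER,
                   "%Id bytes sent. Local Port: %d Remote Port: %d.",
                   streamLength,
                   localPort,
                   remotePort);
    return STATUS_SUCCESS;
}

NTSTATUS
MonitorNfParseMessageOutboundHttpHeader(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _In_ USHORT localPort,
    _In_ USHORT remotePort)
/*
Routine Description

    Skips the HTTP request header and traces the body that follows it.

Arguments
    [IN] BYTE* stream - Segment data starting with the request line.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [IN] USHORT localPort / remotePort - Flow endpoints, for the trace.

Return values

    STATUS_SUCCESS; a segment without a complete header is simply skipped.
*/
{
    BYTE* msgStart;
    size_t msgLength;

    // Walk past the HTTP header.
    if (!MonitorNfpSkipHttpHeader(stream, streamLength, &msgStart, &msgLength))
    {
        return STATUS_SUCCESS;
    }

    return MonitorNfParseMessageOutbound(msgStart,
                                         msgLength,
                                         localPort,
                                         remotePort);
}

static
BOOLEAN
MonitorNfpStartsWith(
    _In_reads_bytes_(streamLength) const BYTE* stream,
    _In_ size_t streamLength,
    _In_z_ const char* token)
/*
Routine Description

    Case-insensitive prefix test bounded by the token length. The stream is
    not NUL terminated, so the comparison must never run past either buffer.

Arguments
    [IN] const BYTE* stream - Segment data.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [IN] const char* token - NUL-terminated prefix to test for.

Return values

    TRUE when stream begins with token.
*/
{
    size_t tokenLength = strlen(token);

    return (BOOLEAN) (streamLength >= tokenLength &&
                      _strnicmp((const char*)stream, token, tokenLength) == 0);
}

NTSTATUS
MonitorNfParseStreamAndTraceMessage(
    _In_reads_bytes_(streamLength) BYTE* stream,
    _In_ size_t streamLength,
    _In_ BOOLEAN inbound,
    _In_ USHORT localPort,
    _In_ USHORT remotePort)
/*
Routine Description

    Classifies a stream segment as an HTTP request/response or raw data and
    dispatches it to the matching trace routine.

Arguments
    [IN] BYTE* stream - Segment data.
    [IN] size_t streamLength - Number of valid bytes in stream.
    [IN] BOOLEAN inbound - TRUE for data received, FALSE for data sent.
    [IN] USHORT localPort / remotePort - Flow endpoints, for the trace.

Return values

    STATUS_SUCCESS, or STATUS_INSUFFICIENT_RESOURCES when the trace routine
    failed (the historical mapping; callers only distinguish success from
    failure).

Notes

    The previous prefix tests compared streamLength characters, so "GET /..."
    never matched "GET" and every request took the non-HTTP path. The compare
    is now bounded by the token length.
*/
{
    NTSTATUS status;

    if (!inbound)
    {
        if (MonitorNfpStartsWith(stream, streamLength, "POST") ||
            MonitorNfpStartsWith(stream, streamLength, "GET"))
        {
            status = MonitorNfParseMessageOutboundHttpHeader(stream,
                                                             streamLength,
                                                             localPort,
                                                             remotePort);
        }
        else
        {
            status = MonitorNfParseMessageOutbound(stream,
                                                   streamLength,
                                                   localPort,
                                                   remotePort);
        }
    }
    else
    {
        if (MonitorNfpStartsWith(stream, streamLength, "HTTP"))
        {
            status = MonitorNfParseMessageInboundHttpHeader(stream,
                                                            streamLength,
                                                            localPort,
                                                            remotePort);
        }
        else
        {
            status = MonitorNfParseMessageInbound(stream,
                                                  streamLength,
                                                  localPort,
                                                  remotePort);
        }
    }

    return NT_SUCCESS(status) ? STATUS_SUCCESS : STATUS_INSUFFICIENT_RESOURCES;
}


NTSTATUS MonitorNfNotifyMessage(
    _In_ const FWPS_STREAM_DATA* streamBuffer,
    _In_ BOOLEAN inbound,
    _In_ USHORT localPort,
    _In_ USHORT remotePort
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    BYTE* stream = NULL;
    SIZE_T streamLength = streamBuffer->dataLength;
    SIZE_T bytesCopied = 0;
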
if(streamLength == 0) 271 | return status; 272 | 273 | stream = ExAllocatePoolWithTag(NonPagedPool, 274 | streamLength, 275 | TAG_NAME_NOTIFY); 276 | if (!stream) 277 | return STATUS_INSUFFICIENT_RESOURCES; 278 | 279 | RtlZeroMemory(stream,streamLength); 280 | 281 | FwpsCopyStreamDataToBuffer( 282 | streamBuffer, 283 | stream, 284 | streamLength, 285 | &bytesCopied); 286 | 287 | NT_ASSERT(bytesCopied == streamLength); 288 | 289 | status = MonitorNfParseStreamAndTraceMessage(stream, streamLength, inbound, localPort, remotePort); 290 | 291 | ExFreePoolWithTag(stream, TAG_NAME_NOTIFY); 292 | 293 | return status; 294 | } 295 | -------------------------------------------------------------------------------- /Driver/sys/notify.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved 4 | 5 | Abstract: 6 | 7 | Monitor Sample driver notification header 8 | 9 | Environment: 10 | 11 | Kernel mode 12 | 13 | --*/ 14 | 15 | #pragma once 16 | 17 | #define TAG_NOTIFY 'yftN' 18 | 19 | NTSTATUS 20 | MonitorNfInitialize( 21 | _In_ DEVICE_OBJECT* deviceObject); 22 | 23 | NTSTATUS 24 | MonitorNfUninitialize(void); 25 | 26 | NTSTATUS MonitorNfNotifyMessage( 27 | _In_ const FWPS_STREAM_DATA* streamBuffer, 28 | _In_ BOOLEAN inbound, 29 | _In_ USHORT localPort, 30 | _In_ USHORT remotePort); 31 | 32 | 33 | -------------------------------------------------------------------------------- /ImageFolder/filter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/ImageFolder/filter.png -------------------------------------------------------------------------------- /ImageFolder/main.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/ImageFolder/main.png -------------------------------------------------------------------------------- /ImageFolder/r1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/ImageFolder/r1.png -------------------------------------------------------------------------------- /ImageFolder/r2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/ImageFolder/r2.png -------------------------------------------------------------------------------- /PFirewall.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.25420.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PFirewall", "PFirewall\PFirewall.vcxproj", "{0C970333-0CA1-40EB-9916-A2B5E474ABF9}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "msnmntr", "Driver\sys\msnmntr.vcxproj", "{0334D910-32A8-48D1-945A-A58B9F2FAD22}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Debug|x64.ActiveCfg = Debug|x64 19 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Debug|x64.Build.0 = Debug|x64 20 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Debug|x86.ActiveCfg = Debug|Win32 21 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Debug|x86.Build.0 = Debug|Win32 22 | 
{0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Release|x64.ActiveCfg = Release|x64 23 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Release|x64.Build.0 = Release|x64 24 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Release|x86.ActiveCfg = Release|Win32 25 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9}.Release|x86.Build.0 = Release|Win32 26 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x64.ActiveCfg = Debug|x64 27 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x64.Build.0 = Debug|x64 28 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x64.Deploy.0 = Debug|x64 29 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x86.ActiveCfg = Debug|Win32 30 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x86.Build.0 = Debug|Win32 31 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Debug|x86.Deploy.0 = Debug|Win32 32 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x64.ActiveCfg = Release|x64 33 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x64.Build.0 = Release|x64 34 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x64.Deploy.0 = Release|x64 35 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x86.ActiveCfg = Release|Win32 36 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x86.Build.0 = Release|Win32 37 | {0334D910-32A8-48D1-945A-A58B9F2FAD22}.Release|x86.Deploy.0 = Release|Win32 38 | EndGlobalSection 39 | GlobalSection(SolutionProperties) = preSolution 40 | HideSolutionNode = FALSE 41 | EndGlobalSection 42 | EndGlobal 43 | -------------------------------------------------------------------------------- /PFirewall/Alert.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/Alert.cpp -------------------------------------------------------------------------------- /PFirewall/Alert.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/Alert.h 
-------------------------------------------------------------------------------- /PFirewall/IPFilter.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/IPFilter.cpp -------------------------------------------------------------------------------- /PFirewall/IPFilter.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/IPFilter.h -------------------------------------------------------------------------------- /PFirewall/PFirewall.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewall.aps -------------------------------------------------------------------------------- /PFirewall/PFirewall.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewall.cpp -------------------------------------------------------------------------------- /PFirewall/PFirewall.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewall.h -------------------------------------------------------------------------------- /PFirewall/PFirewall.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewall.rc -------------------------------------------------------------------------------- /PFirewall/PFirewall.vcxproj: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {0C970333-0CA1-40EB-9916-A2B5E474ABF9} 23 | PFirewall 24 | 8.1 25 | MFCProj 26 | 27 | 28 | 29 | Application 30 | true 31 | v140 32 | Unicode 33 | Dynamic 34 | 35 | 36 | Application 37 | false 38 | v140 39 | true 40 | Unicode 41 | Dynamic 42 | 43 | 44 | Application 45 | true 46 | v140 47 | Unicode 48 | Dynamic 49 | 50 | 51 | Application 52 | false 53 | v140 54 | true 55 | Unicode 56 | Dynamic 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | true 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | false 87 | 88 | 89 | 90 | Use 91 | Level3 92 | Disabled 93 | WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions) 94 | true 95 | 96 | 97 | Windows 98 | true 99 | 100 | 101 | false 102 | true 103 | _DEBUG;%(PreprocessorDefinitions) 104 | 105 | 106 | 0x0804 107 | _DEBUG;%(PreprocessorDefinitions) 108 | $(IntDir);%(AdditionalIncludeDirectories) 109 | 110 | 111 | 112 | 113 | Use 114 | Level3 115 | Disabled 116 | _WINDOWS;_DEBUG;%(PreprocessorDefinitions) 117 | true 118 | 119 | 120 | Windows 121 | true 122 | 123 | 124 | false 125 | true 126 | _DEBUG;%(PreprocessorDefinitions) 127 | 128 | 129 | 0x0804 130 | _DEBUG;%(PreprocessorDefinitions) 131 | $(IntDir);%(AdditionalIncludeDirectories) 132 | 133 | 134 | 135 | 136 | Level3 137 | Use 138 | MaxSpeed 139 | true 140 | true 141 | WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions) 142 | true 143 | 144 | 145 | Windows 146 | true 147 | true 148 | true 149 | 150 | 151 | false 152 | true 153 | NDEBUG;%(PreprocessorDefinitions) 154 | 155 | 156 | 0x0804 157 | NDEBUG;%(PreprocessorDefinitions) 158 | $(IntDir);%(AdditionalIncludeDirectories) 159 | 160 | 161 | 162 | 163 | Level3 164 | Use 165 | MaxSpeed 166 | true 167 | true 168 | 
_WINDOWS;NDEBUG;%(PreprocessorDefinitions) 169 | true 170 | 171 | 172 | Windows 173 | true 174 | true 175 | true 176 | 177 | 178 | false 179 | true 180 | NDEBUG;%(PreprocessorDefinitions) 181 | 182 | 183 | 0x0804 184 | NDEBUG;%(PreprocessorDefinitions) 185 | $(IntDir);%(AdditionalIncludeDirectories) 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | Create 210 | Create 211 | Create 212 | Create 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | -------------------------------------------------------------------------------- /PFirewall/PFirewall.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 头文件 23 | 24 | 25 | 头文件 26 | 27 | 28 | 头文件 29 | 30 | 31 | 头文件 32 | 33 | 34 | 头文件 35 | 36 | 37 | 头文件 38 | 39 | 40 | 头文件 41 | 42 | 43 | 头文件 44 | 45 | 46 | 头文件 47 | 48 | 49 | 50 | 51 | 源文件 52 | 53 | 54 | 源文件 55 | 56 | 57 | 源文件 58 | 59 | 60 | 源文件 61 | 62 | 63 | 源文件 64 | 65 | 66 | 源文件 67 | 68 | 69 | 70 | 71 | 资源文件 72 | 73 | 74 | 75 | 76 | 资源文件 77 | 78 | 79 | 80 | 81 | 82 | 资源文件 83 | 84 | 85 | -------------------------------------------------------------------------------- /PFirewall/PFirewall.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | false 5 | 6 | -------------------------------------------------------------------------------- /PFirewall/PFirewallDlg.cpp: 
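--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewallDlg.cpp
--------------------------------------------------------------------------------
/PFirewall/PFirewallDlg.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PFirewallDlg.h
--------------------------------------------------------------------------------
/PFirewall/PortFilter.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PortFilter.cpp
--------------------------------------------------------------------------------
/PFirewall/PortFilter.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/PortFilter.h
--------------------------------------------------------------------------------
/PFirewall/ProcessMonitor.cpp:
--------------------------------------------------------------------------------
// ProcessMonitor.cpp : implementation file
//

#include "stdafx.h"
#include "PFirewall.h"
#include "ProcessMonitor.h"
#include "afxdialogex.h"
#include "windows.h"
#include "winioctl.h"
#include "strsafe.h"

#ifndef _CTYPE_DISABLE_MACROS
#define _CTYPE_DISABLE_MACROS
#endif

#include "fwpmu.h"
#include "winsock2.h"
#include "ws2def.h"
// NOTE(review): the two system header names here were lost when this listing
// was extracted; <stdio.h>/<stdlib.h> follow the WDK monitor sample -- confirm.
#include <stdio.h>
#include <stdlib.h>
//#include "ioctl.h"
#define INITGUID
// NOTE(review): header name lost in extraction; DEFINE_GUID below needs the
// GUID definitions with INITGUID set -- confirm the original include.
#include <guiddef.h>
//#include "mntrguid.h"

// Copied from Driver/inc/ioctl.h (the include above is commented out).
#define MONITOR_FLOW_ESTABLISHED_CALLOUT_DESCRIPTION L"Monitor Sample - Flow Established Callout"
#define MONITOR_FLOW_ESTABLISHED_CALLOUT_NAME L"Flow Established Callout"

#define MONITOR_STREAM_CALLOUT_DESCRIPTION L"Monitor Sample - Stream Callout"
#define MONITOR_STREAM_CALLOUT_NAME L"Stream Callout"

#define MONITOR_DEVICE_NAME L"\\Device\\MonitorSample"
#define MONITOR_SYMBOLIC_NAME L"\\DosDevices\\Global\\MonitorSample"
#define MONITOR_DOS_NAME L"\\\\.\\MonitorSample"

typedef enum _MONITOR_OPERATION_MODE
{
   invalidOperation = 0,
   monitorTraffic = 1,
   monitorOperationMax
} MONITOR_OPERATION_MODE;

// Input buffer of MONITOR_IOCTL_ENABLE_MONITOR; must match the driver's copy.
typedef struct _MONITOR_SETTINGS
{
   MONITOR_OPERATION_MODE monitorOperation;
   UINT32 flags;
} MONITOR_SETTINGS;

#define MONITOR_IOCTL_ENABLE_MONITOR CTL_CODE(FILE_DEVICE_NETWORK, 0x1, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define MONITOR_IOCTL_DISABLE_MONITOR CTL_CODE(FILE_DEVICE_NETWORK, 0x2, METHOD_BUFFERED, FILE_ANY_ACCESS)

// Copied from Driver/inc/mntrguid.h (the include above is commented out).
// b3241f1d-7cd2-4e7a-8721-2e97d07702e5
DEFINE_GUID(
   MONITOR_SAMPLE_SUBLAYER,
   0xb3241f1d,
   0x7cd2,
   0x4e7a,
   0x87, 0x21, 0x2e, 0x97, 0xd0, 0x77, 0x02, 0xe5
);

// 3aaccbc0-2c29-455f-bb91-0e801c8994a4
DEFINE_GUID(
   MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4,
   0x3aaccbc0,
   0x2c29,
   0x455f,
   0xbb, 0x91, 0x0e, 0x80, 0x1c, 0x89, 0x94, 0xa4
);

// cea0131a-6ed3-4ed6-b40c-8a8fe8434b0a
DEFINE_GUID(
   MONITOR_SAMPLE_STREAM_CALLOUT_V4,
   0xcea0131a,
   0x6ed3,
   0x4ed6,
   0xb4, 0x0c, 0x8a, 0x8f, 0xe8, 0x43, 0x4b, 0x0a
);

HANDLE quitEvent;

// ProcessMonitor dialog

IMPLEMENT_DYNAMIC(ProcessMonitor, CDialogEx)

ProcessMonitor::ProcessMonitor(CWnd* pParent /*=NULL*/)
   : CDialogEx(IDD_ProcessMonitor, pParent)
{

}

ProcessMonitor::~ProcessMonitor()
{
}

// Standard MFC DDX hook; this dialog has no mapped controls of its own.
void ProcessMonitor::DoDataExchange(CDataExchange* pDX)
{
   CDialogEx::DoDataExchange(pDX);
}


BEGIN_MESSAGE_MAP(ProcessMonitor, CDialogEx)
   ON_BN_CLICKED(IDC_Btngetfolder, &ProcessMonitor::OnBnClickedBtngetfolder)
   ON_BN_CLICKED(IDC_BtnStart, &ProcessMonitor::OnBnClickedBtnstart)
   ON_BN_CLICKED(IDC_BtnStop, &ProcessMonitor::OnBnClickedBtnstop)
   ON_BN_CLICKED(IDC_BtnAddcallouts, &ProcessMonitor::OnBnClickedBtnaddcallouts)
   ON_BN_CLICKED(IDC_BtnDelcallouts, &ProcessMonitor::OnBnClickedBtndelcallouts)
END_MESSAGE_MAP()


// ProcessMonitor message handlers

DWORD MonitorAppOpenMonitorDevice(_Out_ HANDLE* monitorDevice)
/*++

Routine Description:

    Opens the Monitor Sample device (MONITOR_DOS_NAME) for read/write.

Arguments:

    [out] HANDLE* monitorDevice - receives the device handle; holds
                                  INVALID_HANDLE_VALUE on failure.

Return Value:

    NO_ERROR, ERROR_INVALID_PARAMETER or a CreateFile specific result.

--*/
{
   if (!monitorDevice)
   {
      return ERROR_INVALID_PARAMETER;
   }
   *monitorDevice = CreateFileW(MONITOR_DOS_NAME,
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                NULL,
                                OPEN_EXISTING,
                                0,
                                NULL);

   if (*monitorDevice == INVALID_HANDLE_VALUE)
   {
      return GetLastError();
   }

   return NO_ERROR;
}

BOOL MonitorAppCloseMonitorDevice(_In_ HANDLE monitorDevice)
/*++

Routine Description:

    Closes a handle obtained from MonitorAppOpenMonitorDevice.

Arguments:

    [in] HANDLE monitorDevice - handle to close.

Return Value:

    The CloseHandle result (nonzero on success).

--*/
{
   return CloseHandle(monitorDevice);
}

DWORD MonitorAppAddCallouts()
/*++

Routine Description:

    Registers the Flow Established and Stream callouts with the filtering
    engine as persistent objects, inside a single transaction.

Arguments:

    None.

Return Value:

    NO_ERROR or a specific FWP result. When an add fails, the add's error is
    returned even if the transaction abort itself succeeds.

--*/
{
   FWPM_CALLOUT callout;
   DWORD result;
   DWORD abortResult;
   FWPM_DISPLAY_DATA displayData;
   HANDLE engineHandle = NULL;
   FWPM_SESSION session;
   RtlZeroMemory(&session, sizeof(FWPM_SESSION));

   session.displayData.name = L"Monitor Sample Non-Dynamic Session";
   session.displayData.description = L"For Adding callouts";

   //MessageBox("Opening Filtering Engine");
   ::MessageBox(NULL, _T("Opening Filtering Engine"), _T("demo"), MB_OK);
   result = FwpmEngineOpen(
      NULL,
      RPC_C_AUTHN_WINNT,
      NULL,
      &session,
      &engineHandle
   );

   if (NO_ERROR != result)
   {
      goto cleanup;
   }

   //printf("Starting Transaction for adding callouts\n");
   ::MessageBox(NULL, _T("Starting Transaction for adding callouts"), _T("demo"), MB_OK);
   result = FwpmTransactionBegin(engineHandle, 0);
   if (NO_ERROR != result)
   {
      goto abort;
   }

   // NOTE(review): every MessageBox from here to the commit blocks on the
   // user while the engine transaction is open, so other BFE sessions wait
   // for it meanwhile; consider moving the progress messages after commit.
   ::MessageBox(NULL, _T("Successfully started the Transaction"), _T("demo"), MB_OK);

   RtlZeroMemory(&callout, sizeof(FWPM_CALLOUT));
   displayData.description = MONITOR_FLOW_ESTABLISHED_CALLOUT_DESCRIPTION;
   displayData.name = MONITOR_FLOW_ESTABLISHED_CALLOUT_NAME;

   callout.calloutKey = MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4;
   callout.displayData = displayData;
   callout.applicableLayer = FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4;
   callout.flags = FWPM_CALLOUT_FLAG_PERSISTENT; // Make this a persistent callout.

   //printf("Adding Persistent Flow Established callout through the Filtering Engine\n");
   ::MessageBox(NULL, _T("Adding Persistent Flow Established callout through the Filtering Engine"), _T("demo"), MB_OK);

   result = FwpmCalloutAdd(engineHandle, &callout, NULL, NULL);
   if (NO_ERROR != result)
   {
      goto abort;
   }

   //printf("Successfully Added Persistent Flow Established callout.\n");
   ::MessageBox(NULL, _T("Successfully Added Persistent Flow Established callout."), _T("demo"), MB_OK);

   RtlZeroMemory(&callout, sizeof(FWPM_CALLOUT));

   displayData.description = MONITOR_STREAM_CALLOUT_DESCRIPTION;
   // The original assigned the description macro to the name as well.
   displayData.name = MONITOR_STREAM_CALLOUT_NAME;

   callout.calloutKey = MONITOR_SAMPLE_STREAM_CALLOUT_V4;
   callout.displayData = displayData;
   callout.applicableLayer = FWPM_LAYER_STREAM_V4;
   callout.flags = FWPM_CALLOUT_FLAG_PERSISTENT; // Make this a persistent callout.

   //printf("Adding Persistent Stream callout through the Filtering Engine\n");
   ::MessageBox(NULL, _T("Adding Persistent Stream callout through the Filtering Engine"), _T("demo"), MB_OK);

   result = FwpmCalloutAdd(engineHandle, &callout, NULL, NULL);
   if (NO_ERROR != result)
   {
      goto abort;
   }

   //printf("Successfully Added Persistent Stream callout.\n");
   ::MessageBox(NULL, _T("Successfully Added Persistent Stream callout."), _T("demo"), MB_OK);

   //printf("Committing Transaction\n");
   ::MessageBox(NULL, _T("Committing Transaction��"), _T("demo"), MB_OK);

   result = FwpmTransactionCommit(engineHandle);
   if (NO_ERROR == result)
   {
      //printf("Successfully Committed Transaction.\n");
      ::MessageBox(NULL, _T("Successfully Committed Transaction."), _T("demo"), MB_OK);
   }
   goto cleanup;

abort:
   //printf("Aborting Transaction\n");
   ::MessageBox(NULL, _T("Aborting Transaction"), _T("demo"), MB_OK);
   // Keep the error that brought us here: the original stored the abort
   // result in `result`, so a successful abort reported NO_ERROR to the
   // caller even though no callout had been added.
   abortResult = FwpmTransactionAbort(engineHandle);
   if (NO_ERROR == abortResult)
   {
      //printf("Successfully Aborted Transaction.\n");
      ::MessageBox(NULL, _T("Successfully Aborted Transaction."), _T("demo"), MB_OK);
   }

cleanup:

   if (engineHandle)
   {
      FwpmEngineClose(engineHandle);
   }
   return result;
}

DWORD MonitorAppRemoveCallouts()
/*++

Routine Description:

    Deletes the Flow Established and Stream callouts from the filtering
    engine by key, inside a single transaction.

Arguments:

    None.

Return Value:

    NO_ERROR or a specific FWP result. When a delete fails, the delete's
    error is returned even if the transaction abort itself succeeds.

--*/
{
   DWORD result;
   DWORD abortResult;
   HANDLE engineHandle = NULL;
   FWPM_SESSION session;

   RtlZeroMemory(&session, sizeof(FWPM_SESSION));

   session.displayData.name = L"Monitor Sample Non-Dynamic Session";
   session.displayData.description = L"For Adding callouts";

   //printf("Opening Filtering Engine\n");
   result = FwpmEngineOpen(
      NULL,
      RPC_C_AUTHN_WINNT,
      NULL,
      &session,
      &engineHandle
   );

   if (NO_ERROR != result)
   {
      goto cleanup;
   }

   //printf("Starting Transaction for Removing callouts\n");

   result = FwpmTransactionBegin(engineHandle, 0);
   if (NO_ERROR != result)
   {
      goto abort;
   }
   //printf("Successfully started the Transaction\n");

   //printf("Deleting Flow Established callout\n");
   result = FwpmCalloutDeleteByKey(engineHandle,
                                   &MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4);
   if (NO_ERROR != result)
   {
      goto abort;
   }

   //printf("Successfully Deleted Flow Established callout\n");

   //printf("Deleting Stream callout\n");

   result = FwpmCalloutDeleteByKey(engineHandle,
                                   &MONITOR_SAMPLE_STREAM_CALLOUT_V4);
   if (NO_ERROR != result)
   {
      goto abort;
   }
   //printf("Successfully Deleted Stream callout\n");

   //printf("Committing Transaction\n");
   result = FwpmTransactionCommit(engineHandle);
   if (NO_ERROR == result)
   {
      //printf("Successfully Committed Transaction.\n");
   }
   goto cleanup;

abort:
   //printf("Aborting Transaction\n");
   // Preserve the failing call's error; see MonitorAppAddCallouts.
   abortResult = FwpmTransactionAbort(engineHandle);
   if (NO_ERROR == abortResult)
   {
      //printf("Successfully Aborted Transaction.\n");
   }

cleanup:

   if (engineHandle)
   {
      FwpmEngineClose(engineHandle);
   }

   return result;
}

DWORD MonitorAppEnableMonitoring(
   _In_ HANDLE monitorDevice,
   _In_ MONITOR_SETTINGS* monitorSettings)
/*++

Routine Description:

    Enables monitoring on new connections.

Arguments:

    [in] HANDLE monitorDevice - Monitor Sample device
    [in] MONITOR_SETTINGS* monitorSettings - Settings for the Monitor Sample driver.

Return Value:

    NO_ERROR, ERROR_INVALID_PARAMETER for a NULL settings pointer, or a
    specific DeviceIoControl result.

--*/
{
   DWORD bytesReturned = 0;

   // sizeof(MONITOR_SETTINGS) bytes are read from this pointer below.
   if (!monitorSettings)
   {
      return ERROR_INVALID_PARAMETER;
   }

   if (!DeviceIoControl(monitorDevice,
                        MONITOR_IOCTL_ENABLE_MONITOR,
                        monitorSettings,
                        sizeof(MONITOR_SETTINGS),
                        NULL,
                        0,
                        &bytesReturned,
                        NULL))
   {
      return GetLastError();
   }

   return NO_ERROR;
}

DWORD MonitorAppDisableMonitoring(_In_ HANDLE monitorDevice)
/*++

Routine Description:

    Disables monitoring of new flows (existing flows will continue to be
    monitored until the driver is stopped or the flows end).

Arguments:

    [in] HANDLE monitorDevice - Monitor Sample device handle.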
439 | 440 | Return Value: 441 | 442 | NO_ERROR or DeviceIoControl specific code. 443 | 444 | --*/ 445 | { 446 | DWORD bytesReturned; 447 | 448 | if (!DeviceIoControl(monitorDevice, 449 | MONITOR_IOCTL_DISABLE_MONITOR, 450 | NULL, 451 | 0, 452 | NULL, 453 | 0, 454 | &bytesReturned, 455 | NULL)) 456 | { 457 | return GetLastError(); 458 | } 459 | 460 | return NO_ERROR; 461 | } 462 | 463 | DWORD MonitorAppAddFilters( 464 | _In_ HANDLE engineHandle, 465 | _In_ FWP_BYTE_BLOB* applicationPath) 466 | /*++ 467 | 468 | Routine Description: 469 | 470 | Adds the required sublayer, filters and callouts to the Windows 471 | Filtering Platform (WFP). 472 | 473 | Arguments: 474 | 475 | [in] HANDLE engineHandle - Handle to the base Filtering engine 476 | [in] FWP_BYTE_BLOB* applicationPath - full path to the application including 477 | the NULL terminator and size also 478 | including the NULL the terminator 479 | [in] CALLOUTS* callouts - The callouts that need to be added. 480 | 481 | Return Value: 482 | 483 | NO_ERROR or a specific result 484 | 485 | --*/ 486 | { 487 | DWORD result = NO_ERROR; 488 | FWPM_SUBLAYER monitorSubLayer; 489 | FWPM_FILTER filter; 490 | FWPM_FILTER_CONDITION filterConditions[2]; // We only need two for this call. 491 | 492 | RtlZeroMemory(&monitorSubLayer, sizeof(FWPM_SUBLAYER)); 493 | 494 | monitorSubLayer.subLayerKey = MONITOR_SAMPLE_SUBLAYER; 495 | monitorSubLayer.displayData.name = L"Monitor Sample Sub layer"; 496 | monitorSubLayer.displayData.description = L"Monitor Sample Sub layer"; 497 | monitorSubLayer.flags = 0; 498 | // We don't really mind what the order of invocation is. 
499 | monitorSubLayer.weight = 0; 500 | 501 | //printf("Starting Transaction\n"); 502 | ::MessageBox(NULL, _T("Starting Transaction"), _T("demo"), MB_OK); 503 | 504 | result = FwpmTransactionBegin(engineHandle, 0); 505 | if (NO_ERROR != result) 506 | { 507 | goto abort; 508 | } 509 | //printf("Successfully Started Transaction\n"); 510 | ::MessageBox(NULL, _T("Successfully Started Transaction"), _T("demo"), MB_OK); 511 | //printf("Adding Sublayer\n"); 512 | ::MessageBox(NULL, _T("Adding Sublayer"), _T("demo"), MB_OK); 513 | 514 | result = FwpmSubLayerAdd(engineHandle, &monitorSubLayer, NULL); 515 | if (NO_ERROR != result) 516 | { 517 | goto abort; 518 | } 519 | 520 | //printf("Sucessfully added Sublayer\n"); 521 | ::MessageBox(NULL, _T("Sucessfully added Sublayer"), _T("demo"), MB_OK); 522 | 523 | RtlZeroMemory(&filter, sizeof(FWPM_FILTER)); 524 | 525 | filter.layerKey = FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4; 526 | filter.displayData.name = L"Flow established filter."; 527 | filter.displayData.description = L"Sets up flow for traffic that we are interested in."; 528 | filter.action.type = FWP_ACTION_CALLOUT_INSPECTION; // We're only doing inspection. 529 | filter.action.calloutKey = MONITOR_SAMPLE_FLOW_ESTABLISHED_CALLOUT_V4; 530 | filter.filterCondition = filterConditions; 531 | filter.subLayerKey = monitorSubLayer.subLayerKey; 532 | filter.weight.type = FWP_EMPTY; // auto-weight. 533 | 534 | filter.numFilterConditions = 2; 535 | 536 | RtlZeroMemory(filterConditions, sizeof(filterConditions)); 537 | 538 | // 539 | // Add the application path to the filter conditions. 540 | // 541 | filterConditions[0].fieldKey = FWPM_CONDITION_ALE_APP_ID; 542 | filterConditions[0].matchType = FWP_MATCH_EQUAL; 543 | filterConditions[0].conditionValue.type = FWP_BYTE_BLOB_TYPE; 544 | filterConditions[0].conditionValue.byteBlob = applicationPath; 545 | 546 | // 547 | // For the purposes of this sample, we will monitor TCP traffic only. 
548 | // 549 | filterConditions[1].fieldKey = FWPM_CONDITION_IP_PROTOCOL; 550 | filterConditions[1].matchType = FWP_MATCH_EQUAL; 551 | filterConditions[1].conditionValue.type = FWP_UINT8; 552 | filterConditions[1].conditionValue.uint8 = IPPROTO_TCP; 553 | 554 | //printf("Adding Flow Established Filter\n"); 555 | ::MessageBox(NULL, _T("Adding Flow Established Filter"), _T("demo"), MB_OK); 556 | result = FwpmFilterAdd(engineHandle, 557 | &filter, 558 | NULL, 559 | NULL); 560 | 561 | if (NO_ERROR != result) 562 | { 563 | goto abort; 564 | } 565 | 566 | //printf("Successfully added Flow Established filter\n"); 567 | ::MessageBox(NULL, _T("Successfully added Flow Established filter"), _T("demo"), MB_OK); 568 | RtlZeroMemory(&filter, sizeof(FWPM_FILTER)); 569 | 570 | filter.layerKey = FWPM_LAYER_STREAM_V4; 571 | filter.action.type = FWP_ACTION_CALLOUT_INSPECTION; // We're only doing inspection. 572 | filter.action.calloutKey = MONITOR_SAMPLE_STREAM_CALLOUT_V4; 573 | filter.subLayerKey = monitorSubLayer.subLayerKey; 574 | filter.weight.type = FWP_EMPTY; // auto-weight. 
575 | 576 | filter.numFilterConditions = 0; 577 | 578 | RtlZeroMemory(filterConditions, sizeof(filterConditions)); 579 | 580 | filter.filterCondition = filterConditions; 581 | 582 | filter.displayData.name = L"Stream Layer Filter"; 583 | filter.displayData.description = L"Monitors TCP traffic."; 584 | 585 | //printf("Adding Stream Filter\n"); 586 | ::MessageBox(NULL, _T("Adding Stream Filter"), _T("demo"), MB_OK); 587 | result = FwpmFilterAdd(engineHandle, 588 | &filter, 589 | NULL, 590 | NULL); 591 | 592 | if (NO_ERROR != result) 593 | { 594 | goto abort; 595 | } 596 | 597 | //printf("Successfully added Stream filter\n"); 598 | ::MessageBox(NULL, _T("Successfully added Stream filter"), _T("demo"), MB_OK); 599 | //printf("Committing Transaction\n"); 600 | ::MessageBox(NULL, _T("Committing Transaction"), _T("demo"), MB_OK); 601 | 602 | result = FwpmTransactionCommit(engineHandle); 603 | if (NO_ERROR == result) 604 | { 605 | //printf("Successfully Committed Transaction\n"); 606 | ::MessageBox(NULL, _T("Successfully Committed Transaction"), _T("demo"), MB_OK); 607 | } 608 | goto cleanup; 609 | 610 | abort: 611 | //printf("Aborting Transaction\n"); 612 | ::MessageBox(NULL, _T("Aborting Transaction"), _T("demo"), MB_OK); 613 | result = FwpmTransactionAbort(engineHandle); 614 | if (NO_ERROR == result) 615 | { 616 | //printf("Successfully Aborted Transaction\n"); 617 | ::MessageBox(NULL, _T("Successfully Aborted Transaction"), _T("demo"), MB_OK); 618 | } 619 | 620 | cleanup: 621 | 622 | return result; 623 | } 624 | 625 | /*����·����ȡappId*/ 626 | DWORD MonitorAppIDFromPath( 627 | _In_ PCWSTR fileName, 628 | _Out_ FWP_BYTE_BLOB** appId) 629 | { 630 | DWORD result = NO_ERROR; 631 | 632 | result = FwpmGetAppIdFromFileName(fileName, appId); 633 | 634 | return result; 635 | } 636 | 637 | /*���һ��Ӧ��*/ 638 | DWORD MonitorAppDoMonitoring(PCWSTR AppPath) 639 | { 640 | HANDLE monitorDevice = NULL; 641 | HANDLE engineHandle = NULL; 642 | DWORD result; 643 | MONITOR_SETTINGS 
monitorSettings; 644 | FWPM_SESSION session; 645 | FWP_BYTE_BLOB* applicationId = NULL; 646 | 647 | RtlZeroMemory(&monitorSettings, sizeof(MONITOR_SETTINGS)); 648 | RtlZeroMemory(&session, sizeof(FWPM_SESSION)); 649 | 650 | session.displayData.name = L"Monitor Sample Session"; 651 | session.displayData.description = L"Monitors traffic at the Stream layer."; 652 | 653 | // Let the Base Filtering Engine cleanup after us. 654 | session.flags = FWPM_SESSION_FLAG_DYNAMIC; 655 | 656 | //printf("Opening Filtering Engine\n"); 657 | ::MessageBox(NULL, _T("Opening Filtering Engine"), _T("demo"), MB_OK); 658 | result = FwpmEngineOpen( 659 | NULL, 660 | RPC_C_AUTHN_WINNT, 661 | NULL, 662 | &session, 663 | &engineHandle 664 | ); 665 | 666 | if (NO_ERROR != result) 667 | { 668 | goto cleanup; 669 | } 670 | 671 | //printf("Successfully opened Filtering Engine\n"); 672 | ::MessageBox(NULL, _T("Successfully opened Filtering Engine"), _T("demo"), MB_OK); 673 | 674 | //printf("Looking up Application ID from BFE\n"); 675 | ::MessageBox(NULL, _T("Looking up Application ID from BFE"), _T("demo"), MB_OK); 676 | result = MonitorAppIDFromPath(AppPath, &applicationId); 677 | 678 | if (NO_ERROR != result) 679 | { 680 | goto cleanup; 681 | } 682 | 683 | //printf("Successfully retrieved Application ID\n"); 684 | ::MessageBox(NULL, _T("Successfully retrieved Application ID"), _T("demo"), MB_OK); 685 | //printf("Opening Monitor Sample Device\n"); 686 | ::MessageBox(NULL, _T("Opening Monitor Sample Device"), _T("demo"), MB_OK); 687 | //���ļ����߶��󣬻������ #define MONITOR_DOS_NAME L"\\\\.\\MonitorSample" 688 | result = MonitorAppOpenMonitorDevice(&monitorDevice); 689 | if (NO_ERROR != result) 690 | { 691 | goto cleanup; 692 | } 693 | 694 | //printf("Successfully opened Monitor Device\n"); 695 | ::MessageBox(NULL, _T("Successfully opened Monitor Device"), _T("demo"), MB_OK); 696 | //printf("Adding Filters through the Filtering Engine\n"); 697 | ::MessageBox(NULL, _T("Adding Filters through the 
Filtering Engine"), _T("demo"), MB_OK); 698 | result = MonitorAppAddFilters(engineHandle, 699 | applicationId); 700 | 701 | if (NO_ERROR != result) 702 | { 703 | goto cleanup; 704 | } 705 | 706 | //printf("Successfully added Filters through the Filtering Engine\n"); 707 | ::MessageBox(NULL, _T("Successfully added Filters through the Filtering Engine"), _T("demo"), MB_OK); 708 | //printf("Enabling monitoring through the Monitor Sample Device\n"); 709 | ::MessageBox(NULL, _T("Enabling monitoring through the Monitor Sample Device"), _T("demo"), MB_OK); 710 | monitorSettings.monitorOperation = monitorTraffic; 711 | 712 | result = MonitorAppEnableMonitoring(monitorDevice, 713 | &monitorSettings); 714 | if (NO_ERROR != result) 715 | { 716 | goto cleanup; 717 | } 718 | 719 | //printf("Successfully enabled monitoring.\n"); 720 | ::MessageBox(NULL, _T("Successfully enabled monitoring."), _T("demo"), MB_OK); 721 | //printf("Events will be traced through WMI. Please press any key to exit and cleanup filters.\n"); 722 | ::MessageBox(NULL, _T("Events will be traced through WMI. Please press any key to exit and cleanup filters."), _T("demo"), MB_OK); 723 | 724 | #pragma prefast(push) 725 | #pragma prefast(disable:6031, "by design the return value of _getch() is ignored here") 726 | _getch(); 727 | #pragma prefast(pop) 728 | 729 | cleanup: 730 | 731 | if (NO_ERROR != result) 732 | { 733 | //printf("Monitor.\tError 0x%x occurred during execution\n", result); 734 | ::MessageBox(NULL, _T("Error occurred during execution"), _T("demo"), MB_OK); 735 | } 736 | 737 | if (monitorDevice) 738 | { 739 | MonitorAppCloseMonitorDevice(monitorDevice); 740 | } 741 | 742 | // 743 | // Free the application Id that we retrieved. 
744 | // 745 | if (applicationId) 746 | { 747 | FwpmFreeMemory((void**)&applicationId); 748 | } 749 | 750 | if (engineHandle) 751 | { 752 | result = FwpmEngineClose(engineHandle); 753 | engineHandle = NULL; 754 | } 755 | 756 | return result; 757 | } 758 | 759 | CString path; 760 | /*�����ť ��ȡ���̵�·��*/ 761 | void ProcessMonitor::OnBnClickedBtngetfolder() 762 | { 763 | CFileDialog dlg(TRUE, NULL, NULL, NULL, NULL); 764 | CEdit* FilePath; 765 | FilePath = (CEdit*)GetDlgItem(IDC_EDIT1); 766 | dlg.DoModal(); 767 | path = dlg.GetPathName(); 768 | FilePath->SetWindowText(path); 769 | } 770 | 771 | void ProcessMonitor::OnBnClickedBtnstart() 772 | { 773 | GetDlgItem(IDC_EDIT1)->GetWindowText(path); 774 | if (path == "") 775 | MessageBox(_T("选择路径为空,请选择路径")); 776 | else 777 | MonitorAppDoMonitoring(path); 778 | //"C:\Users\11401\AppData\Local\Google\Chrome\Application\chrome.exe" 779 | } 780 | 781 | 782 | void ProcessMonitor::OnBnClickedBtnstop() 783 | { 784 | 785 | } 786 | 787 | 788 | void ProcessMonitor::OnBnClickedBtnaddcallouts() 789 | { 790 | MonitorAppAddCallouts(); 791 | } 792 | 793 | 794 | void ProcessMonitor::OnBnClickedBtndelcallouts() 795 | { 796 | MonitorAppRemoveCallouts(); 797 | } 798 | -------------------------------------------------------------------------------- /PFirewall/ProcessMonitor.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/ProcessMonitor.h -------------------------------------------------------------------------------- /PFirewall/Process_Monitor.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/Process_Monitor.cpp -------------------------------------------------------------------------------- /PFirewall/Process_Monitor.h: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/Process_Monitor.h -------------------------------------------------------------------------------- /PFirewall/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ================================================================================ 2 | MICROSOFT 基础类库 : PFirewall 项目概述 3 | =============================================================================== 4 | 5 | 应用程序向导已为您创建了此 PFirewall 应用程序。此应用程序不仅演示 Microsoft 基础类的基本使用方法,还可作为您编写应用程序的起点。 6 | 7 | 本文件概要介绍组成 PFirewall 应用程序的每个文件的内容。 8 | 9 | PFirewall.vcxproj 10 | 这是使用应用程序向导生成的 VC++ 项目的主项目文件,其中包含生成该文件的 Visual C++ 的版本信息,以及有关使用应用程序向导选择的平台、配置和项目功能的信息。 11 | 12 | PFirewall.vcxproj.filters 13 | 这是使用“应用程序向导”生成的 VC++ 项目筛选器文件。它包含有关项目文件与筛选器之间的关联信息。在 IDE 中,通过这种关联,在特定节点下以分组形式显示具有相似扩展名的文件。例如,“.cpp”文件与“源文件”筛选器关联。 14 | 15 | PFirewall.h 16 | 这是应用程序的主头文件。 17 | 其中包括其他项目特定的标头(包括 Resource.h),并声明 CPFirewallApp 应用程序类。 18 | 19 | PFirewall.cpp 20 | 这是包含应用程序类 CPFirewallApp 的主应用程序源文件。 21 | 22 | PFirewall.rc 23 | 这是程序使用的所有 Microsoft Windows 资源的列表。它包括 RES 子目录中存储的图标、位图和光标。此文件可以直接在 Microsoft Visual C++ 中进行编辑。项目资源包含在 2052 中。 24 | 25 | res\PFirewall.ico 26 | 这是用作应用程序图标的图标文件。此图标包括在主资源文件 PFirewall.rc 中。 27 | 28 | res\PFirewall.rc2 29 | 此文件包含不在 Microsoft Visual C++ 中进行编辑的资源。您应该将不可由资源编辑器编辑的所有资源放在此文件中。 30 | 31 | 32 | ///////////////////////////////////////////////////////////////////////////// 33 | 34 | 应用程序向导创建一个对话框类: 35 | 36 | PFirewallDlg.h、PFirewallDlg.cpp - 对话框 37 | 这些文件包含 CPFirewallDlg 类。此类定义应用程序的主对话框的行为。对话框模板包含在 PFirewall.rc 中,该文件可以在 Microsoft Visual C++ 中编辑。 38 | 39 | ///////////////////////////////////////////////////////////////////////////// 40 | 41 | 其他功能: 42 | 43 | Windows 套接字 44 | 应用程序包含对通过 TCP/IP 网络建立通信的支持。 45 | 46 | ///////////////////////////////////////////////////////////////////////////// 47 | 48 | 
其他标准文件: 49 | 50 | StdAfx.h, StdAfx.cpp 51 | 这些文件用于生成名为 PFirewall.pch 的预编译头 (PCH) 文件和名为 StdAfx.obj 的预编译类型文件。 52 | 53 | Resource.h 54 | 这是标准头文件,可用于定义新的资源 ID。Microsoft Visual C++ 将读取并更新此文件。 55 | 56 | PFirewall.manifest 57 | Windows XP 使用应用程序清单文件来描述特定版本的并行程序集的应用程序依赖项。加载程序使用这些信息来从程序集缓存中加载相应的程序集,并保护其不被应用程序访问。应用程序清单可能会包含在内,以作为与应用程序可执行文件安装在同一文件夹中的外部 .manifest 文件进行重新分发,它还可能以资源的形式包含在可执行文件中。 58 | ///////////////////////////////////////////////////////////////////////////// 59 | 60 | 其他注释: 61 | 62 | 应用程序向导使用“TODO:”来指示应添加或自定义的源代码部分。 63 | 64 | 如果应用程序使用共享 DLL 中的 MFC,您将需要重新分发 MFC DLL。如果应用程序所使用的语言与操作系统的区域设置不同,则还需要重新分发相应的本地化资源 mfc110XXX.DLL。 65 | 有关上述话题的更多信息,请参见 MSDN 文档中有关重新分发 Visual C++ 应用程序的部分。 66 | 67 | ///////////////////////////////////////////////////////////////////////////// 68 | -------------------------------------------------------------------------------- /PFirewall/common.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | #pragma comment(lib, "Fwpuclnt.lib") 9 | #pragma comment(lib, "Rpcrt4.lib") 10 | #pragma comment(lib, "Ws2_32.lib") 11 | 12 | -------------------------------------------------------------------------------- /PFirewall/res/PFirewall.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/res/PFirewall.ico -------------------------------------------------------------------------------- /PFirewall/res/PFirewall.rc2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/res/PFirewall.rc2 -------------------------------------------------------------------------------- /PFirewall/resource.h: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/resource.h -------------------------------------------------------------------------------- /PFirewall/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/stdafx.cpp -------------------------------------------------------------------------------- /PFirewall/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/stdafx.h -------------------------------------------------------------------------------- /PFirewall/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/raymon-tian/WFPFirewall/14ef82f9ffb39f473a5681067dba2abae6826f8f/PFirewall/targetver.h -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WFPFirewall 2 | 基于WFP(Windows Filter Platform)的个人防火墙系统 3 | 4 | # 摘要 5 | 该工程为专业综合实验课程设计,用以实现一个基于WFP(Windows Filter Platform)的个人防火墙系统,主要分为基于规则的过滤模块以及进程网络访问的监控模块(另外还有一些简易的功能模块)。 6 | 其中,进程网络访问的监控模块 使用 Microsoft的msnmntr样例,详情请见[msnmntr](https://github.com/Microsoft/Windows-driver-samples/tree/master/network/trans/msnmntr),对于msnmntr中的EXE项目,本工程进行了代码嵌入,已实现其功能;对于msnmntr中的驱动项目sys,本工程直接将其加入使用,编译生成.sys文件,再安装驱动即可。 7 | 8 | # 流程 9 | * 生成项目msnmntr,获得msnmntr的驱动安装包(.sys,.inf,.cat等文件),安装驱动。
10 | * 生成项目PFirewall,获得PFirewall.exe
11 | 对于进程网络访问的监控模块,详见[msnmntr](https://github.com/Microsoft/Windows-driver-samples/tree/master/network/trans/msnmntr),本工程对其只是实现了一个GUI接口。 12 | 13 | # 程序主界面 14 | ![Image text](https://github.com/raymon-tian/WFPFirewall/blob/master/ImageFolder/main.png) 15 | # 过滤功能演示 16 | * 过滤出防火墙的源IP分别为 [180.97.33.108](http://180.97.33.108/) 和 [115.159.241.25](http://115.159.241.95/)的IP数据包和TCP数据包
17 | ![Image text](https://github.com/raymon-tian/WFPFirewall/blob/master/ImageFolder/filter.png)
18 | ![Image text](https://github.com/raymon-tian/WFPFirewall/blob/master/ImageFolder/r1.png)
19 | ![Image text](https://github.com/raymon-tian/WFPFirewall/blob/master/ImageFolder/r2.png)
20 | --------------------------------------------------------------------------------