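NTSTATUS
DDProxyRegisterDatagramDataCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   This function registers the callout and filters that intercept datagram
   (UDP/ICMP) traffic at the WFP FWPM_LAYER_DATAGRAM_DATA_V4 or
   FWPM_LAYER_DATAGRAM_DATA_V6 layer. (The datagram-data layer does not
   carry TCP; the earlier comment saying "TCP traffic" was a copy-paste
   error.)

   Arguments:

      layerKey     - FWPM_LAYER_DATAGRAM_DATA_V4 or FWPM_LAYER_DATAGRAM_DATA_V6.
                     Decides whether the v4 or the v6 configured addresses
                     are used for the filters.
      calloutKey   - GUID the callout is registered and added under.
      deviceObject - passed through to FwpsCalloutRegister0.
      calloutId    - receives the run-time callout id from
                     FwpsCalloutRegister0; reset to 0 if a later step fails
                     and the registration is rolled back.

   Return Value:

      STATUS_SUCCESS, or the first failing NTSTATUS from
      FwpsCalloutRegister0, FwpmCalloutAdd0 or DDProxyAddFilter.

-- */
{
   NTSTATUS status = STATUS_SUCCESS;

   FWPS_CALLOUT0 sCallout = {0};
   FWPM_CALLOUT0 mCallout = {0};

   FWPM_DISPLAY_DATA0 displayData = {0};

   BOOLEAN calloutRegistered = FALSE;

   // Evaluated once; both filters below pick their address family from it.
   BOOLEAN isV4Layer =
      IsEqualGUID(layerKey, &FWPM_LAYER_DATAGRAM_DATA_V4) ? TRUE : FALSE;

   sCallout.calloutKey = *calloutKey;
   sCallout.classifyFn = DDProxyClassify;
   sCallout.notifyFn = DDProxyNotify;
   sCallout.flowDeleteFn = DDProxyFlowDelete;
   // Only flows that carry a flow context are delivered to classifyFn.
   sCallout.flags = FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW;

   status = FwpsCalloutRegister0(
               deviceObject,
               &sCallout,
               calloutId
               );
   if (!NT_SUCCESS(status))
   {
      goto Exit;
   }
   calloutRegistered = TRUE;

   displayData.name = L"Datagram-Data Proxy Callout";
   displayData.description = L"Proxies destination address/port for UDP/ICMP";

   mCallout.calloutKey = *calloutKey;
   mCallout.displayData = displayData;
   mCallout.applicableLayer = *layerKey;

   // NOTE(review): the management callout added here is not removed again
   // (e.g. with FwpmCalloutDeleteByKey0) if a later filter add fails. That
   // is only harmless if gEngineHandle was opened as a dynamic session --
   // confirm against the engine-open code.
   status = FwpmCalloutAdd0(
               gEngineHandle,
               &mCallout,
               NULL,
               NULL
               );
   if (!NT_SUCCESS(status))
   {
      goto Exit;
   }

   // Outbound filter, keyed on the configured "inspect" destination.
   status = DDProxyAddFilter(
               L"Datagram-Data Proxy Filter (Outbound)",
               L"Proxies destination address/port for UDP/ICMP",
               isV4Layer ? configInspectDestAddrV4 : configInspectDestAddrV6,
               configInspectDestPort,
               FWP_DIRECTION_OUTBOUND,
               0,
               layerKey,
               calloutKey
               );
   if (!NT_SUCCESS(status))
   {
      goto Exit;
   }

   // Inbound filter, keyed on the configured "new" destination. A failure
   // here falls straight through to Exit, so no extra check is needed.
   status = DDProxyAddFilter(
               L"Datagram-Data Proxy Filter (Inbound)",
               L"Proxies destination address/port for UDP/ICMP",
               isV4Layer ? configNewDestAddrV4 : configNewDestAddrV6,
               configNewDestPort,
               FWP_DIRECTION_INBOUND,
               0,
               layerKey,
               calloutKey
               );

Exit:

   if (!NT_SUCCESS(status) && calloutRegistered)
   {
      // Roll back the run-time registration so the caller is not left
      // holding a stale callout id.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}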
NTSTATUS
TLInspectRegisterTransportCallouts(
    IN const GUID* layerKey,
    IN const GUID* calloutKey,
    IN void* deviceObject,
    OUT UINT32* calloutId
)
/* ++

   Registers the transport inspection callout with the filter engine, adds
   it at the layer named by layerKey and installs one filter that hands the
   matching transport traffic to it. Meant for

      FWPM_LAYER_OUTBOUND_TRANSPORT_V4
      FWPM_LAYER_OUTBOUND_TRANSPORT_V6
      FWPM_LAYER_INBOUND_TRANSPORT_V4
      FWPM_LAYER_INBOUND_TRANSPORT_V6

   On success *calloutId holds the run-time callout id. If FwpmCalloutAdd0
   or TLInspectAddFilter fails, the callout is unregistered again,
   *calloutId is reset to 0 and the failing NTSTATUS is returned. If
   FwpsCalloutRegister0 itself fails, *calloutId is left as that call set it.

-- */
{
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN isV4Layer;
    FWPS_CALLOUT0 sCallout = {0};
    FWPM_CALLOUT0 mCallout = {0};

    // Run-time callout: the classify/notify entry points the engine invokes.
    sCallout.calloutKey = *calloutKey;
    sCallout.classifyFn = TLInspectTransportClassify;
    sCallout.notifyFn = TLInspectTransportNotify;

    status = FwpsCalloutRegister0(deviceObject, &sCallout, calloutId);
    if (!NT_SUCCESS(status))
    {
        // Nothing has been registered yet, so there is nothing to undo.
        return status;
    }

    // Management callout: makes the registered callout known at this layer.
    mCallout.calloutKey = *calloutKey;
    mCallout.displayData.name = L"Transport Inspect Callout";
    mCallout.displayData.description = L"Inspect inbound/outbound transport traffic";
    mCallout.applicableLayer = *layerKey;

    status = FwpmCalloutAdd0(gEngineHandle, &mCallout, NULL, NULL);

    if (NT_SUCCESS(status))
    {
        // The two v4 layers use the configured v4 remote address, the v6
        // layers the v6 one.
        isV4Layer = (IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4) ||
                     IsEqualGUID(layerKey, &FWPM_LAYER_INBOUND_TRANSPORT_V4)) ? TRUE : FALSE;

        status = TLInspectAddFilter(
                     L"Transport Inspect Filter (Outbound)",
                     L"Inspect inbound/outbound transport traffic",
                     isV4Layer ? configInspectRemoteAddrV4 : configInspectRemoteAddrV6,
                     0,
                     layerKey,
                     calloutKey
                 );
    }

    if (!NT_SUCCESS(status))
    {
        // Roll back the run-time registration so the caller does not keep
        // a stale callout id.
        FwpsCalloutUnregisterById0(*calloutId);
        *calloutId = 0;
    }

    return status;
}
NTSTATUS
DDProxyRegisterFlowEstablishedCallouts(
   IN const GUID* layerKey,
   IN const GUID* calloutKey,
   IN void* deviceObject,
   OUT UINT32* calloutId
   )
/* ++

   Registers the flow-established callout and adds it, together with two
   filters, at

      FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4
      FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6

   so that flow creations for both the original flow and the proxy flow are
   intercepted. The first filter is keyed on the configured "inspect"
   destination (tagged DD_PROXY_FLOW_ORIGINAL), the second on the configured
   "new" destination (tagged DD_PROXY_FLOW_PROXY); both are outbound.

   On success *calloutId holds the run-time callout id. If FwpmCalloutAdd0
   or either DDProxyAddFilter call fails, the callout is unregistered again,
   *calloutId is reset to 0 and the failing NTSTATUS is returned.

-- */
{
   NTSTATUS status = STATUS_SUCCESS;
   BOOLEAN isV4Layer;
   FWPS_CALLOUT0 sCallout = {0};
   FWPM_CALLOUT0 mCallout = {0};

   sCallout.calloutKey = *calloutKey;
   sCallout.classifyFn = DDProxyFlowEstablishedClassify;
   sCallout.notifyFn = DDProxyFlowEstablishedNotify;

   status = FwpsCalloutRegister0(deviceObject, &sCallout, calloutId);
   if (!NT_SUCCESS(status))
   {
      // Nothing registered yet; *calloutId stays as FwpsCalloutRegister0 left it.
      return status;
   }

   mCallout.calloutKey = *calloutKey;
   mCallout.displayData.name = L"Datagram-Data Proxy Flow-Established Callout";
   mCallout.displayData.description =
      L"Intercepts flow creations for the original and the proxy flows";
   mCallout.applicableLayer = *layerKey;

   status = FwpmCalloutAdd0(gEngineHandle, &mCallout, NULL, NULL);

   // Pure comparison, shared by both filters below.
   isV4Layer =
      IsEqualGUID(layerKey, &FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4) ? TRUE : FALSE;

   if (NT_SUCCESS(status))
   {
      // Original flow: keyed on the configured "inspect" destination.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Flow-Established Filter (Original Flow)",
                  L"Intercepts flow creations for the original flow",
                  isV4Layer ? configInspectDestAddrV4 : configInspectDestAddrV6,
                  configInspectDestPort,
                  FWP_DIRECTION_OUTBOUND,
                  DD_PROXY_FLOW_ORIGINAL,
                  layerKey,
                  calloutKey
                  );
   }

   if (NT_SUCCESS(status))
   {
      // Proxy flow: keyed on the configured "new" destination.
      status = DDProxyAddFilter(
                  L"Datagram-Data Proxy Flow-Established Filter (Proxy Flow)",
                  L"Intercepts flow creations for the proxy flow",
                  isV4Layer ? configNewDestAddrV4 : configNewDestAddrV6,
                  configNewDestPort,
                  FWP_DIRECTION_OUTBOUND,
                  DD_PROXY_FLOW_PROXY,
                  layerKey,
                  calloutKey
                  );
   }

   if (!NT_SUCCESS(status))
   {
      // Undo the run-time registration so no stale callout id escapes.
      FwpsCalloutUnregisterById0(*calloutId);
      *calloutId = 0;
   }

   return status;
}
NTSTATUS
TLInspectRegisterALEClassifyCallouts(
    IN const GUID* layerKey,
    IN const GUID* calloutKey,
    IN void* deviceObject,
    OUT UINT32* calloutId
)
/* ++

   Registers the ALE classify callout and adds it, with one filter, at one of

      FWPM_LAYER_ALE_AUTH_CONNECT_V4
      FWPM_LAYER_ALE_AUTH_CONNECT_V6
      FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4
      FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6

   to intercept inbound or outbound connect attempts. The connect layers get
   the TLInspectALEConnect* classify/notify pair, every other layer the
   TLInspectALERecvAccept* pair. The filter matches the configured v4 remote
   address on the v4 layers and the v6 one otherwise.

   On success *calloutId holds the run-time callout id. If FwpmCalloutAdd0
   or TLInspectAddFilter fails, the callout is unregistered again,
   *calloutId is reset to 0 and the failing NTSTATUS is returned.

-- */
{
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN isConnectLayer;
    BOOLEAN isV4Layer;
    FWPS_CALLOUT0 sCallout = {0};
    FWPM_CALLOUT0 mCallout = {0};

    // Layer -> entry points. Anything that is not a connect layer is
    // treated as recv/accept, exactly as the original if/else did.
    isConnectLayer = (IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4) ||
                      IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V6)) ? TRUE : FALSE;

    sCallout.calloutKey = *calloutKey;
    sCallout.classifyFn = isConnectLayer ? TLInspectALEConnectClassify
                                         : TLInspectALERecvAcceptClassify;
    sCallout.notifyFn = isConnectLayer ? TLInspectALEConnectNotify
                                       : TLInspectALERecvAcceptNotify;

    status = FwpsCalloutRegister0(deviceObject, &sCallout, calloutId);
    if (!NT_SUCCESS(status))
    {
        // Nothing has been registered yet, so there is nothing to undo.
        return status;
    }

    mCallout.calloutKey = *calloutKey;
    mCallout.displayData.name = L"Transport Inspect ALE Classify Callout";
    mCallout.displayData.description =
        L"Intercepts inbound or outbound connect attempts";
    mCallout.applicableLayer = *layerKey;

    status = FwpmCalloutAdd0(gEngineHandle, &mCallout, NULL, NULL);

    if (NT_SUCCESS(status))
    {
        isV4Layer = (IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4) ||
                     IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4)) ? TRUE : FALSE;

        status = TLInspectAddFilter(
                     L"Transport Inspect ALE Classify",
                     L"Intercepts inbound or outbound connect attempts",
                     isV4Layer ? configInspectRemoteAddrV4 : configInspectRemoteAddrV6,
                     0,
                     layerKey,
                     calloutKey
                 );
    }

    if (!NT_SUCCESS(status))
    {
        // Roll back the run-time registration so the caller does not keep
        // a stale callout id.
        FwpsCalloutUnregisterById0(*calloutId);
        *calloutId = 0;
    }

    return status;
}