NTSTATUS KrnlHlprThreadedDPCQueue(_In_ KDEFERRED_ROUTINE* pDPCFn) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprThreadedDPCQueue()\n"); #endif /// DBG NT_ASSERT(pDPCFn); NTSTATUS status = STATUS_SUCCESS; DPC_DATA* pDPCData = 0; #pragma warning(push) #pragma warning(disable: 6014) /// pDPCData will be freed by caller HLPR_NEW(pDPCData, DPC_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pDPCData, status); #pragma warning(pop) KeInitializeThreadedDpc(&(pDPCData->kdpc), pDPCFn, 0); KeInsertQueueDpc(&(pDPCData->kdpc), pDPCData, 0); HLPR_BAIL_LABEL: #pragma warning(push) #pragma warning(disable: 6001) /// pDPCData initialized with call to HLPR_NEW if(status != STATUS_SUCCESS && pDPCData) KrnlHlprDPCDataDestroy(&pDPCData); #pragma warning(pop) #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprThreadedDPCQueue() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS NotifyPendAuthorizationNotification(_In_ FWPS_CALLOUT_NOTIFY_TYPE notificationType, _In_ const GUID* pFilterKey, _Inout_ FWPS_FILTER* pFilter) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> NotifyPendAuthorizationNotification()\n"); #endif /// DBG NT_ASSERT(pFilter); NTSTATUS status = STATUS_SUCCESS; NOTIFY_DATA* pNotifyData = 0; #pragma warning(push) #pragma warning(disable: 6014) /// pNotifyData is expected to be cleaned up by caller using PrvPendAuthorizationNotificationWorkItemRoutine HLPR_NEW(pNotifyData, NOTIFY_DATA, WFPSAMPLER_CALLOUT_DRIVER_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pNotifyData, status); #pragma warning(pop) pNotifyData->notificationType = notificationType; pNotifyData->calloutID = pFilter ? pFilter->action.calloutId : 0; pNotifyData->pFilterKey = pFilterKey; status = KrnlHlprWorkItemQueue(g_pWDMDevice, PrvPendAuthorizationNotificationWorkItemRoutine, pNotifyData); HLPR_BAIL_LABEL: if(status != STATUS_SUCCESS) { HLPR_DELETE(pNotifyData, WFPSAMPLER_CALLOUT_DRIVER_TAG); } #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- NotifyPendAuthorizationNotification() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS KrnlHlprRedirectDataCreate(_Outptr_ REDIRECT_DATA** ppRedirectData, _In_ const VOID* pClassifyContext, _In_ const FWPS_FILTER* pFilter, _In_ FWPS_CLASSIFY_OUT* pClassifyOut) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprRedirectDataCreate()\n"); #endif /// DBG NT_ASSERT(ppRedirectData); NT_ASSERT(pClassifyContext); NT_ASSERT(pFilter); NT_ASSERT(pClassifyOut); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppRedirectData, REDIRECT_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppRedirectData, status); status = KrnlHlprRedirectDataPopulate(*ppRedirectData, pClassifyContext, pFilter, pClassifyOut); HLPR_BAIL_LABEL: #pragma warning(push) #pragma warning(disable: 6001) /// *ppRedirectData initialized with call to HLPR_NEW & KrnlHlprRedirectDataPopulate if(status != STATUS_SUCCESS && *ppRedirectData) KrnlHlprRedirectDataDestroy(ppRedirectData); #pragma warning(pop) #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprRedirectDataCreate() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS KrnlHlprWorkItemDataCreate(_Outptr_ WORKITEM_DATA** ppWorkItemData, _In_ CLASSIFY_DATA* pClassifyData, _In_ REDIRECT_DATA* pRedirectData, _In_opt_ PIO_WORKITEM pIOWorkItem, /* 0 */ _In_opt_ VOID* pContext) /* 0 */ { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprWorkItemDataCreate()\n"); #endif /// DBG NT_ASSERT(ppWorkItemData); NT_ASSERT(pClassifyData); NT_ASSERT(pRedirectData); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppWorkItemData, WORKITEM_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppWorkItemData, status); KrnlHlprWorkItemDataPopulate(*ppWorkItemData, pClassifyData, pRedirectData, pIOWorkItem, pContext); HLPR_BAIL_LABEL: if(status != STATUS_SUCCESS) KrnlHlprWorkItemDataDestroy(ppWorkItemData); #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprWorkItemDataCreate() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS KrnlHlprDPCDataCreate(_Outptr_ DPC_DATA** ppDPCData, _In_ CLASSIFY_DATA* pClassifyData, _In_ PEND_DATA* pPendData, _In_opt_ VOID* pContext) /* 0 */ { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprDPCDataCreate()\n"); #endif /// DBG NT_ASSERT(ppDPCData); NT_ASSERT(pClassifyData); NT_ASSERT(pPendData); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppDPCData, DPC_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppDPCData, status); KrnlHlprDPCDataPopulate(*ppDPCData, pClassifyData, pPendData, pContext); HLPR_BAIL_LABEL: if(status != STATUS_SUCCESS) KrnlHlprDPCDataDestroy(ppDPCData); #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprDPCDataCreate() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS KrnlHlprNDISPoolDataCreate(_Outptr_ NDIS_POOL_DATA** ppNDISPoolData, _In_opt_ UINT32 memoryTag) /* WFPSAMPLER_NDIS_POOL_TAG */ { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprNDISPoolDataCreate()\n"); #endif /// DBG NT_ASSERT(ppNDISPoolData); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppNDISPoolData, NDIS_POOL_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppNDISPoolData, status); status = KrnlHlprNDISPoolDataPopulate(*ppNDISPoolData, memoryTag); HLPR_BAIL_LABEL: #pragma warning(push) #pragma warning(disable: 6001) /// *ppNDISPoolData initialized with calls to HLPR_NEW & KrnlHlprNDISPoolDataPopulate if(status != STATUS_SUCCESS && *ppNDISPoolData) KrnlHlprNDISPoolDataDestroy(ppNDISPoolData); #pragma warning(pop) #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprNDISPoolDataCreate() [status: %#x]\n", status); #endif /// DBG return status; }
UINT32 HlprThreadPoolDataCreate(_Outptr_ THREADPOOL_DATA** ppThreadPoolData, _In_ const PTP_CLEANUP_GROUP_CANCEL_CALLBACK pGroupCancelFn) { ASSERT(ppThreadPoolData); UINT32 status = NO_ERROR; HLPR_NEW(*ppThreadPoolData, THREADPOOL_DATA); HLPR_BAIL_ON_ALLOC_FAILURE(*ppThreadPoolData, status); status = HlprThreadPoolDataPopulate(*ppThreadPoolData, pGroupCancelFn); HLPR_BAIL_LABEL: if(status != NO_ERROR) HlprThreadPoolDataDestroy(ppThreadPoolData); return status; }
NTSTATUS PrvCloneAuthorizedNBLAndInject(_Inout_ CLASSIFY_DATA** ppClassifyData, _Inout_ INJECTION_DATA** ppInjectionData) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> PrvCloneAuthorizedNBLAndInject()\n"); #endif /// DBG NT_ASSERT(ppClassifyData); NT_ASSERT(ppInjectionData); NT_ASSERT(*ppClassifyData); NT_ASSERT(*ppInjectionData); NTSTATUS status = STATUS_SUCCESS; FWPS_INCOMING_VALUES* pClassifyValues = (FWPS_INCOMING_VALUES*)(*ppClassifyData)->pClassifyValues; FWPS_INCOMING_METADATA_VALUES* pMetadata = (FWPS_INCOMING_METADATA_VALUES*)(*ppClassifyData)->pMetadataValues; UINT32 bytesRetreated = 0; COMPARTMENT_ID compartmentID = UNSPECIFIED_COMPARTMENT_ID; BOOLEAN isInbound = FALSE; NET_BUFFER_LIST* pNetBufferList = 0; PEND_AUTHORIZATION_COMPLETION_DATA* pCompletionData = 0; FWPS_TRANSPORT_SEND_PARAMS* pSendParams = 0; BYTE* pRemoteAddress = 0; #pragma warning(push) #pragma warning(disable: 6014) /// pCompletionData will be freed in completionFn using PendAuthorizationCompletionDataDestroy HLPR_NEW(pCompletionData, PEND_AUTHORIZATION_COMPLETION_DATA, WFPSAMPLER_CALLOUT_DRIVER_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pCompletionData, status); HLPR_NEW(pSendParams, FWPS_TRANSPORT_SEND_PARAMS, WFPSAMPLER_CALLOUT_DRIVER_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pSendParams, status); #pragma warning(pop) KeInitializeSpinLock(&(pCompletionData->spinLock)); pCompletionData->performedInline = FALSE; pCompletionData->pClassifyData = *ppClassifyData; pCompletionData->pInjectionData = *ppInjectionData; pCompletionData->pSendParams = pSendParams; /// Responsibility for freeing this memory has been transferred to the pCompletionData *ppClassifyData = 0; *ppInjectionData = 0; pSendParams = 0; if(pCompletionData->pInjectionData->direction == FWP_DIRECTION_INBOUND) isInbound = TRUE; if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata, FWPS_METADATA_FIELD_COMPARTMENT_ID)) compartmentID = (COMPARTMENT_ID)pMetadata->compartmentId; if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata, FWPS_METADATA_FIELD_IP_HEADER_SIZE)) bytesRetreated = pMetadata->ipHeaderSize; if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata, FWPS_METADATA_FIELD_TRANSPORT_HEADER_SIZE)) bytesRetreated += pMetadata->transportHeaderSize; if(pClassifyValues->layerId == FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V4 || pClassifyValues->layerId == FWPS_LAYER_ALE_AUTH_RECV_ACCEPT_V6) { if(isInbound) /// NBL offset is at the start of the transport header ... { if(bytesRetreated) { /// so retreat (size of IP Header) to clone the whole NBL status = NdisRetreatNetBufferDataStart(NET_BUFFER_LIST_FIRST_NB((NET_BUFFER_LIST*)pCompletionData->pClassifyData->pPacket), bytesRetreated, 0, 0); if(status != STATUS_SUCCESS) { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " !!!! PrvCloneAuthorizedNBLAndInject: NdisRetreatNetBufferDataStart() [status: %#x]\n", status); HLPR_BAIL; } } } } else if(pClassifyValues->layerId == FWPS_LAYER_ALE_AUTH_CONNECT_V4 || pClassifyValues->layerId == FWPS_LAYER_ALE_AUTH_CONNECT_V6) { /// NBL offset is at the Transport Header, and no IP Header is present yet bytesRetreated = 0; isInbound = FALSE; } else { status = STATUS_FWP_INCOMPATIBLE_LAYER; HLPR_BAIL; } status = FwpsAllocateCloneNetBufferList((NET_BUFFER_LIST*)(pCompletionData->pClassifyData->pPacket), g_pNDISPoolData->nblPoolHandle, g_pNDISPoolData->nbPoolHandle, 0, &pNetBufferList); if(bytesRetreated) { /// Advance the NBL offset so we are back at the expected position in the NET_BUFFER_LIST NdisAdvanceNetBufferDataStart(NET_BUFFER_LIST_FIRST_NB((NET_BUFFER_LIST*)pCompletionData->pClassifyData->pPacket), bytesRetreated, FALSE, 0); } if(status != STATUS_SUCCESS) { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " !!!! PrvCloneAuthorizedNBLAndInject : FwpsAllocateCloneNetBufferList() [status: %#x]\n", status); HLPR_BAIL; } if(isInbound) { FWP_VALUE* pInterfaceIndex = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyValues, &FWPM_CONDITION_INTERFACE_INDEX); FWP_VALUE* pSubInterfaceIndex = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyValues, &FWPM_CONDITION_SUB_INTERFACE_INDEX); IF_INDEX interfaceIndex = 0; IF_INDEX subInterfaceIndex = 0; if(pInterfaceIndex && pInterfaceIndex->type == FWP_UINT32) interfaceIndex = (IF_INDEX)pInterfaceIndex->uint32; if(pSubInterfaceIndex && pSubInterfaceIndex->type == FWP_UINT32) subInterfaceIndex = (IF_INDEX)pSubInterfaceIndex->uint32; status = FwpsInjectTransportReceiveAsync(pCompletionData->pInjectionData->injectionHandle, pCompletionData->pInjectionData->injectionContext, 0, 0, pCompletionData->pInjectionData->addressFamily, compartmentID, interfaceIndex, subInterfaceIndex, pNetBufferList, CompletePendAuthorization, pCompletionData); } else { UINT64 endpointHandle = 0; FWP_VALUE* pAddressValue = 0; if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata, FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE)) endpointHandle = pMetadata->transportEndpointHandle; pAddressValue = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyValues, &FWPM_CONDITION_IP_REMOTE_ADDRESS); if(pAddressValue) { if(pCompletionData->pInjectionData->addressFamily == AF_INET) { UINT32 tempAddress = htonl(pAddressValue->uint32); #pragma warning(push) #pragma warning(disable: 6014) /// pRemoteAddress will be freed in completionFn using PendAuthorizationCompletionDataDestroy HLPR_NEW_ARRAY(pRemoteAddress, BYTE, IPV4_ADDRESS_SIZE, WFPSAMPLER_CALLOUT_DRIVER_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pRemoteAddress, status); #pragma warning(pop) RtlCopyMemory(pRemoteAddress, &tempAddress, IPV4_ADDRESS_SIZE); } else { #pragma warning(push) #pragma warning(disable: 6014) /// pRemoteAddress will be freed in completionFn using PendAuthorizationCompletionDataDestroy HLPR_NEW_ARRAY(pRemoteAddress, BYTE, IPV6_ADDRESS_SIZE, WFPSAMPLER_CALLOUT_DRIVER_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(pRemoteAddress, status); #pragma warning(pop) RtlCopyMemory(pRemoteAddress, pAddressValue->byteArray16->byteArray16, IPV6_ADDRESS_SIZE); if(FWPS_IS_METADATA_FIELD_PRESENT(pMetadata, FWPS_METADATA_FIELD_REMOTE_SCOPE_ID)) pCompletionData->pSendParams->remoteScopeId = pMetadata->remoteScopeId; } pCompletionData->pSendParams->remoteAddress = pRemoteAddress; } pCompletionData->refCount = KrnlHlprNBLGetRequiredRefCount(pNetBufferList); status = FwpsInjectTransportSendAsync(pCompletionData->pInjectionData->injectionHandle, pCompletionData->pInjectionData->injectionContext, endpointHandle, 0, pCompletionData->pSendParams, pCompletionData->pInjectionData->addressFamily, compartmentID, pNetBufferList, CompletePendAuthorization, pCompletionData); } HLPR_BAIL_LABEL: if(status != STATUS_SUCCESS) { if(pNetBufferList) { FwpsFreeCloneNetBufferList(pNetBufferList, 0); pNetBufferList = 0; } if(pCompletionData) PendAuthorizationCompletionDataDestroy(&pCompletionData, TRUE); } #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- PrvCloneAuthorizedNBLAndInject() [status: %#x]\n", status); #endif /// DBG return status; }
NTSTATUS KrnlHlprClassifyDataCreateLocalCopy(_Outptr_ CLASSIFY_DATA** ppClassifyData, _In_ const FWPS_INCOMING_VALUES* pClassifyValues, _In_ const FWPS_INCOMING_METADATA_VALUES* pMetadata, _In_opt_ VOID* pPacket, _In_opt_ const VOID* pClassifyContext, _In_ const FWPS_FILTER* pFilter, _In_ const UINT64 flowContext, _In_ FWPS_CLASSIFY_OUT* pClassifyOut) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprClassifyDataCreateLocalCopy()\n"); #endif /// DBG NT_ASSERT(ppClassifyData); NT_ASSERT(pClassifyValues); NT_ASSERT(pMetadata); NT_ASSERT(pFilter); NT_ASSERT(pClassifyOut); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppClassifyData, CLASSIFY_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppClassifyData, status); status = KrnlHlprClassifyDataAcquireLocalCopy(*ppClassifyData, pClassifyValues, pMetadata, pPacket, pClassifyContext, pFilter, flowContext, pClassifyOut); HLPR_BAIL_LABEL: #pragma warning(push) #pragma warning(disable: 6001) /// *ppClassifyData initialized with call to HLPR_NEW & KrnlHlprClassifyDataAcquireLocalCopy if(status != STATUS_SUCCESS && *ppClassifyData) KrnlHlprClassifyDataDestroyLocalCopy(ppClassifyData); #pragma warning(pop) #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprClassifyDataCreateLocalCopy() [status: %#x]\n", status); #endif /// DBG return status; }
UINT32 WindowsFirewallAcquireFirewallCategory() { UINT32 status = NO_ERROR; if(HlprServiceQueryState(L"MPSSvc") == SERVICE_RUNNING) { BSTR pProductName = SysAllocString(g_pServiceName); INetFwProduct* pNetFwProduct = 0; INetFwProducts* pNetFwProducts = 0; SAFEARRAY* pFirewallCategory = 0; SAFEARRAY* pBootTimeCategory = 0; SAFEARRAYBOUND boundary = {0}; VARIANT firewallCategory = {0}; VARIANT boottimeCategory = {0}; if(pProductName == 0) { status = ERROR_GEN_FAILURE; ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : SysAllocString()", status); HLPR_BAIL; } boundary.lLbound = 0; boundary.cElements = 1; pBootTimeCategory = SafeArrayCreate(VT_VARIANT, 1, &boundary); if(pBootTimeCategory == 0) { status = ERROR_GEN_FAILURE; ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : SafeArrayCreate()", status); HLPR_BAIL; } V_VT((VARIANT*)pBootTimeCategory->pvData) = VT_I4; V_I4((VARIANT*)pBootTimeCategory->pvData) = NET_FW_RULE_CATEGORY_BOOT; VariantInit(&firewallCategory); V_VT(&boottimeCategory) = VT_ARRAY | VT_VARIANT; V_ARRAY(&boottimeCategory) = pBootTimeCategory; pFirewallCategory = SafeArrayCreate(VT_VARIANT, 1, &boundary); if(pFirewallCategory == 0) { status = ERROR_GEN_FAILURE; ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : SafeArrayCreate()", status); HLPR_BAIL; } V_VT((VARIANT*)pFirewallCategory->pvData) = VT_I4; V_I4((VARIANT*)pFirewallCategory->pvData) = NET_FW_RULE_CATEGORY_FIREWALL; VariantInit(&firewallCategory); V_VT(&firewallCategory) = VT_ARRAY | VT_VARIANT; V_ARRAY(&firewallCategory) = pFirewallCategory; /// Initialize the COM library if(!g_isCOMInitialized) { status = CoInitializeEx(0, COINIT_MULTITHREADED); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : CoInitializeEx()", status); HLPR_BAIL; } g_isCOMInitialized = TRUE; } /// Create an instance of the NetFwProduct class status = CoCreateInstance(__uuidof(NetFwProduct), 0, CLSCTX_INPROC_SERVER, __uuidof(INetFwProduct), (LPVOID*)&pNetFwProduct); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : CoCreateInstance()", status); HLPR_BAIL; } /// Set the DisplayName status = pNetFwProduct->put_DisplayName(pProductName); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : INetFwProduct::put_DisplayName()", status); HLPR_BAIL; } /// Take the category status = pNetFwProduct->put_RuleCategories(boottimeCategory); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : INetFwProduct::put_RuleCategories()", status); HLPR_BAIL; } status = pNetFwProduct->put_RuleCategories(firewallCategory); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : INetFwProduct::put_RuleCategories()", status); HLPR_BAIL; } /// Create an instance of the NetFwProducts class status = CoCreateInstance(__uuidof(NetFwProducts), 0, CLSCTX_INPROC_SERVER, __uuidof(INetFwProducts), (LPVOID*)&pNetFwProducts); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : CoCreateInstance()", status); HLPR_BAIL; } /// Register as a Firewall Product if(pFirewallRegistrationHandle == 0) { status = pNetFwProducts->Register(pNetFwProduct, &pFirewallRegistrationHandle); if(FAILED(status)) { ServiceEventLogError(L"WindowsFirewallAcquireFirewallCategory : INetFwProducts::Register()", status); HLPR_BAIL; } } status = NO_ERROR; HLPR_BAIL_LABEL: if(FAILED(status)) WindowsFirewallReleaseFirewallCategory(); if(pNetFwProducts) pNetFwProducts->Release(); if(pNetFwProduct) pNetFwProduct->Release(); if(pProductName) SysFreeString(pProductName); } else { HLPR_NEW(pWFNotifyThread, THREAD_DATA); if(pWFNotifyThread) { pWFNotifyThread->threadStartRoutine = (LPTHREAD_START_ROUTINE)WindowsFirewallNotifyThreadStartRoutine; status = HlprThreadStart(pWFNotifyThread); } else status = ERROR_OUTOFMEMORY; } if(HlprServiceQueryState(L"WFPSampler") == SERVICE_START_PENDING) ServiceStatusReportToSCM(SERVICE_START_PENDING, status, 2500); return status; }
NTSTATUS KrnlHlprPendDataCreate(_Outptr_ PEND_DATA** ppPendData, _In_ const FWPS_INCOMING_VALUES* pClassifyValues, _In_ const FWPS_INCOMING_METADATA_VALUES* pMetadata, _In_opt_ NET_BUFFER_LIST* pNBL, _In_ const FWPS_FILTER* pFilter, _In_opt_ VOID* pClassifyContext, /* 0 */ _In_opt_ FWPS_CLASSIFY_OUT* pClassifyOut) /* 0 */ { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> KrnlHlprPendDataCreate()\n"); #endif /// DBG NT_ASSERT(ppPendData); NT_ASSERT(pClassifyValues); NT_ASSERT(pMetadata); NT_ASSERT(pFilter); NTSTATUS status = STATUS_SUCCESS; HLPR_NEW(*ppPendData, PEND_DATA, WFPSAMPLER_SYSLIB_TAG); HLPR_BAIL_ON_ALLOC_FAILURE(*ppPendData, status); status = KrnlHlprPendDataPopulate(*ppPendData, pClassifyValues, pMetadata, pNBL, pFilter, pClassifyContext, pClassifyOut); HLPR_BAIL_LABEL: #pragma warning(push) #pragma warning(disable: 6001) /// *ppPendData initialized with calls to HLPR_NEW & KrnlHlprPendDataPopulate if(status != STATUS_SUCCESS && *ppPendData) KrnlHlprPendDataDestroy(ppPendData); #pragma warning(pop) #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- KrnlHlprPendDataCreate() [status: %#x]\n", status); #endif /// DBG return status; }
/** @framework_function="RPCClientInterfaceInitialize" Purpose: Initialize the RPC client interface by creating a fast binding handle. <br> <br> Notes: <br> <br> MSDN_Ref: HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA378651.aspx <br> HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375587.aspx <br> HTTP://MSDN.Microsoft.com/En-US/Library/Windows/Desktop/AA375583.aspx <br> */ UINT32 RPCClientInterfaceInitialize() { RPC_STATUS status = RPC_S_OK; SID* pLocalSystemSID = 0; SIZE_T sidSize = 0; RPC_SECURITY_QOS_V4 securityQoS = {0}; RPC_BINDING_HANDLE_TEMPLATE_V1 bindingHandleTemplate = {0}; RPC_BINDING_HANDLE_SECURITY_V1 bindingHandleSecurity = {0}; RPC_BINDING_HANDLE_OPTIONS_V1 bindingHandleOptions = {0}; HLPR_NEW(pRPCData, RPC_DATA); HLPR_BAIL_ON_ALLOC_FAILURE(pRPCData, status); status = HlprSIDCreate(&pLocalSystemSID, &sidSize, 0, WinLocalSystemSid); HLPR_BAIL_ON_FAILURE(status); wfpSamplerBindingHandle = 0; pRPCData->rpcClientInterfaceHandle = IWFPSampler_v1_0_c_ifspec; /// MIDL generated Client Interface Handle pRPCData->protocolSequence = RPC_PROTSEQ_LRPC; /// Use Local RPC securityQoS.Version = 4; /// Use RPC_SECURITY_QOS_V4 structure securityQoS.Capabilities = RPC_C_QOS_CAPABILITIES_MUTUAL_AUTH; /// Request mutual authentication from the security provider securityQoS.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC; /// Security context is created only once securityQoS.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY; /// Allow server to get client's identity and allow it's impersonation securityQoS.Sid = pLocalSystemSID; /// Security identifier used by Local RPC securityQoS.EffectiveOnly = TRUE; /// only see enabled privileges bindingHandleTemplate.Version = 1; /// Use BINDING_HANDLE_TEMPLATE_V1 structure bindingHandleTemplate.ProtocolSequence = pRPCData->protocolSequence; /// Use Local RPC bindingHandleTemplate.StringEndpoint = (PWSTR)g_pEndpoint; /// String representation of our endpoint bindingHandleSecurity.Version = 1; /// Use BINDING_HANDLE_SECURITY_V1 structure bindingHandleSecurity.AuthnLevel = RPC_C_AUTHN_LEVEL_PKT_PRIVACY; /// Authentication level which causes Local RPC to use a secure channel bindingHandleSecurity.AuthnSvc = RPC_C_AUTHN_WINNT; /// Autherntication service to use bindingHandleSecurity.SecurityQos = (RPC_SECURITY_QOS*)&securityQoS; /// Security Qos Settings to Use bindingHandleOptions.Version = 1; /// Use BINDING_HANDLE_OPTIONS_V1 structure bindingHandleOptions.Flags = RPC_BHO_NONCAUSAL; /// Execute calls in any order bindingHandleOptions.ComTimeout = RPC_C_BINDING_DEFAULT_TIMEOUT; /// Use default communication timeout value status = RpcBindingCreate(&bindingHandleTemplate, /// Core structure of the binding handle &bindingHandleSecurity, /// Security options for the binding handle &bindingHandleOptions, /// Additional options to set on the binding handle &wfpSamplerBindingHandle); /// Created binding handle if(status != RPC_S_OK) { HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingCreate() [status: %#x]", status); HLPR_BAIL; } pRPCData->bindingHandle = wfpSamplerBindingHandle; status = RpcBindingBind(0, /// These RPC calls will be synchronous pRPCData->bindingHandle, /// Binding handle that will be used to make the RPC call pRPCData->rpcClientInterfaceHandle); /// Interface handle that will be used to make the RPC call if(status != RPC_S_OK) { HlprLogError(L"RPCClientInterfaceInitialize : RpcBindingBind() [status: %#x]", status); HLPR_BAIL; } HLPR_BAIL_LABEL: if(status != RPC_S_OK) { HlprLogError(L"[status: %#x]", status); PrvRPCTroubleshootError(); RPCClientInterfaceTerminate(); } if(pLocalSystemSID) HlprSIDDestroy(&pLocalSystemSID); return status; }