UINT32 PrvScenarioProxyDeleteFwpmObjects(_In_ const FWPM_FILTER* pFilter)
{
ASSERT(pFilter);
UINT32 status = NO_ERROR;
HANDLE engineHandle = 0;
HANDLE enumHandle = 0;
UINT32 entryCount = 0;
FWPM_FILTER** ppFilters = 0;
FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0};
FWPM_PROVIDER_CONTEXT_ENUM_TEMPLATE providerContextEnumTemplate = {0};
GUID calloutKey = {0};
#if(NTDDI_VERSION >= NTDDI_WIN7)
if(pFilter->layerKey == FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 ||
pFilter->layerKey == FWPM_LAYER_ALE_CONNECT_REDIRECT_V6 ||
pFilter->layerKey == FWPM_LAYER_ALE_BIND_REDIRECT_V4 ||
pFilter->layerKey == FWPM_LAYER_ALE_BIND_REDIRECT_V6)
calloutKey = WFPSAMPLER_CALLOUT_PROXY_BY_ALE_REDIRECT;
else
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
calloutKey = WFPSAMPLER_CALLOUT_PROXY_BY_INJECTION;
calloutKey.Data4[7] = HlprFwpmLayerGetIDByKey(&(pFilter->layerKey)); /// Uniquely identifies the callout used
providerContextEnumTemplate.providerContextType = FWPM_GENERAL_CONTEXT;
filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
filterEnumTemplate.layerKey = pFilter->layerKey;
filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED;
filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME |
FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED;
filterEnumTemplate.numFilterConditions = pFilter->numFilterConditions;
filterEnumTemplate.filterCondition = pFilter->filterCondition;
filterEnumTemplate.providerContextTemplate = &providerContextEnumTemplate;
filterEnumTemplate.actionMask = FWP_ACTION_FLAG_CALLOUT;
filterEnumTemplate.calloutKey = &calloutKey;
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
status = HlprFwpmFilterCreateEnumHandle(engineHandle,
&filterEnumTemplate,
&enumHandle);
HLPR_BAIL_ON_FAILURE(status);
status = HlprFwpmFilterEnum(engineHandle,
enumHandle,
0xFFFFFFFF,
&ppFilters,
&entryCount);
HLPR_BAIL_ON_FAILURE(status);
if(ppFilters)
{
for(UINT32 filterIndex = 0;
filterIndex < entryCount;
filterIndex++)
{
HlprFwpmFilterDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->filterKey));
HlprFwpmCalloutDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->action.calloutKey));
if(ppFilters[filterIndex]->flags & FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT)
HlprFwpmProviderContextDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->providerContextKey));
}
FwpmFreeMemory((void**)&ppFilters);
}
HLPR_BAIL_LABEL:
if(engineHandle)
{
if(enumHandle)
HlprFwpmFilterDestroyEnumHandle(engineHandle,
&enumHandle);
HlprFwpmEngineClose(&engineHandle);
}
return status;
}
UINT32 PrvScenarioFastStreamInjectionDeleteFwpmObjects(_In_ const FWPM_FILTER* pFilter)
{
ASSERT(pFilter);
UINT32 status = NO_ERROR;
HANDLE engineHandle = 0;
HANDLE enumHandle = 0;
UINT32 entryCount = 0;
FWPM_FILTER** ppFilters = 0;
FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0};
GUID calloutKey = {0};
calloutKey = WFPSAMPLER_CALLOUT_FAST_STREAM_INJECTION;
calloutKey.Data4[7] = HlprFwpmLayerGetIDByKey(&(pFilter->layerKey)); /// Uniquely identifies the callout used
filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
filterEnumTemplate.layerKey = pFilter->layerKey;
filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED;
filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME |
FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED;
filterEnumTemplate.numFilterConditions = pFilter->numFilterConditions;
filterEnumTemplate.filterCondition = pFilter->filterCondition;
filterEnumTemplate.actionMask = FWP_ACTION_FLAG_CALLOUT;
filterEnumTemplate.calloutKey = &calloutKey;
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
status = HlprFwpmFilterCreateEnumHandle(engineHandle,
&filterEnumTemplate,
&enumHandle);
HLPR_BAIL_ON_FAILURE(status);
status = HlprFwpmFilterEnum(engineHandle,
enumHandle,
0xFFFFFFFF,
&ppFilters,
&entryCount);
HLPR_BAIL_ON_FAILURE(status);
if(ppFilters)
{
for(UINT32 filterIndex = 0;
filterIndex < entryCount;
filterIndex++)
{
HlprFwpmFilterDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->filterKey));
HlprFwpmCalloutDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->action.calloutKey));
}
FwpmFreeMemory((void**)&ppFilters);
}
HLPR_BAIL_LABEL:
if(engineHandle)
{
if(enumHandle)
HlprFwpmFilterDestroyEnumHandle(engineHandle,
&enumHandle);
HlprFwpmEngineClose(&engineHandle);
}
return status;
}
VOID PrvPendAuthorizationNotificationWorkItemRoutine(_In_ PDEVICE_OBJECT pDeviceObject,
_Inout_opt_ PVOID pContext)
{
#if DBG
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" ---> PrvPendAuthorizationNotificationWorkItemRoutine()\n");
#endif /// DBG
UNREFERENCED_PARAMETER(pDeviceObject);
NT_ASSERT(pContext);
NT_ASSERT(((WORKITEM_DATA*)pContext)->pNotifyData);
WORKITEM_DATA* pWorkItemData = (WORKITEM_DATA*)pContext;
if(pWorkItemData)
{
NTSTATUS status = STATUS_SUCCESS;
FWPM_CALLOUT* pCallout = 0;
PWSTR pCalloutName = L"";
status = FwpmCalloutGetById(g_EngineHandle,
pWorkItemData->pNotifyData->calloutID,
&pCallout);
if(status != STATUS_SUCCESS)
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! PrvPendAuthorizationNotificationWorkItemRoutine : FwpmCalloutGetById() [status: %#x]\n",
status);
else
{
pCalloutName = pCallout->displayData.name;
if(pCallout->applicableLayer != FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_LISTEN_V4 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_LISTEN_V6 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_CONNECT_V4 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_CONNECT_V6 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 &&
pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6)
{
status = STATUS_FWP_INCOMPATIBLE_LAYER;
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_ERROR_LEVEL,
" !!!! PrvPendAuthorizationNotificationWorkItemRoutine() [status: %#x]\n",
status);
}
}
switch(pWorkItemData->pNotifyData->notificationType)
{
case FWPS_CALLOUT_NOTIFY_ADD_FILTER:
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" -- A filter referencing %S callout was added\n",
pCalloutName);
break;
}
case FWPS_CALLOUT_NOTIFY_DELETE_FILTER:
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" -- A filter referencing %S callout was deleted\n",
pCalloutName);
break;
}
case FWPS_CALLOUT_NOTIFY_ADD_FILTER_POST_COMMIT:
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" -- A filter referencing %S callout was committed\n",
pCalloutName);
break;
}
default:
{
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" -- Invalid Notification Type. Please Contact [email protected]\n");
break;
}
}
FwpmFreeMemory((VOID**)&pCallout);
HLPR_DELETE(pWorkItemData->pNotifyData,
WFPSAMPLER_CALLOUT_DRIVER_TAG);
KrnlHlprWorkItemDataDestroy(&pWorkItemData);
}
#if DBG
DbgPrintEx(DPFLTR_IHVNETWORK_ID,
DPFLTR_INFO_LEVEL,
" <--- PrvPendAuthorizationNotificationWorkItemRoutine()\n");
#endif /// DBG
return;
}
UINT32 PrvScenarioAppContainerDeleteFwpmObjects(_In_ const SID* pPackageID,
_In_ const SID* pUserID)
{
UNREFERENCED_PARAMETER(pUserID);
ASSERT(pPackageID);
ASSERT(pUserID);
UINT32 status = NO_ERROR;
/// UINT32 sidSize = 0;
HANDLE engineHandle = 0;
const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
FWPM_LAYER_ALE_AUTH_CONNECT_V6};
const UINT8 NUM_CONDITIONS = 1; /// 2
const UINT8 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys);
FWPM_FILTER_CONDITION pFilterConditions[NUM_CONDITIONS] = {0};
pFilterConditions[0].fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID;
pFilterConditions[0].matchType = FWP_MATCH_EQUAL;
pFilterConditions[0].conditionValue.type = FWP_SID;
pFilterConditions[0].conditionValue.sid = (SID*)pPackageID;
/// pFilterConditions[1].fieldKey = FWPM_CONDITION_ALE_USER_ID;
/// pFilterConditions[1].matchType = FWP_MATCH_EQUAL;
/// pFilterConditions[1].conditionValue.type = FWP_SECURITY_DESCRIPTOR_TYPE;
/// pFilterConditions[1].conditionValue.sd = ;
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
for(UINT32 objectIndex = 0;
objectIndex < NUM_OBJECTS;
objectIndex++)
{
UINT32 entryCount = 0;
FWPM_FILTER** ppFilters = 0;
HANDLE enumHandle = 0;
FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0};
filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
filterEnumTemplate.layerKey = pLayerKeys[objectIndex];
filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED;
filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME |
FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED;
filterEnumTemplate.numFilterConditions = NUM_CONDITIONS;
filterEnumTemplate.filterCondition = pFilterConditions;
filterEnumTemplate.actionMask = 0xFFFFFFFF;
status = HlprFwpmFilterCreateEnumHandle(engineHandle,
&filterEnumTemplate,
&enumHandle);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
status = HlprFwpmFilterEnum(engineHandle,
enumHandle,
0xFFFFFFFF,
&ppFilters,
&entryCount);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
if(ppFilters)
{
for(UINT32 filterIndex = 0;
filterIndex < entryCount;
filterIndex++)
{
HlprFwpmFilterDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->filterKey));
}
FwpmFreeMemory((void**)&ppFilters);
}
HLPR_BAIL_LABEL_2:
if(enumHandle)
HlprFwpmFilterDestroyEnumHandle(engineHandle,
&enumHandle);
}
HLPR_BAIL_LABEL:
HlprFwpmEngineClose(&engineHandle);
return status;
}
UINT32 PrvScenarioAppContainerDeleteFwpmObjects()
{
UINT32 status = NO_ERROR;
UINT32 sidSize = 0;
HANDLE engineHandle = 0;
const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4,
FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6,
FWPM_LAYER_ALE_AUTH_CONNECT_V4,
FWPM_LAYER_ALE_AUTH_CONNECT_V6};
const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys);
FWPM_FILTER_CONDITION filterCondition = {0};
/// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID
filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID;
filterCondition.matchType = FWP_MATCH_NOT_EQUAL;
filterCondition.conditionValue.type = FWP_SID;
#pragma warning(push)
#pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call
status = HlprSIDGetWellKnown(WinNullSid,
&(filterCondition.conditionValue.sid),
&sidSize);
HLPR_BAIL_ON_FAILURE(status);
#pragma warning(pop)
status = HlprFwpmEngineOpen(&engineHandle);
HLPR_BAIL_ON_FAILURE(status);
for(UINT32 objectIndex = 0;
objectIndex < NUM_OBJECTS;
objectIndex++)
{
HANDLE enumHandle = 0;
UINT32 entryCount = 0;
FWPM_FILTER** ppFilters = 0;
FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0};
filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER;
filterEnumTemplate.layerKey = pLayerKeys[objectIndex];
filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED;
filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME |
FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED;
filterEnumTemplate.numFilterConditions = 1;
filterEnumTemplate.filterCondition = &filterCondition;
filterEnumTemplate.actionMask = 0xFFFFFFFF;
status = HlprFwpmFilterCreateEnumHandle(engineHandle,
&filterEnumTemplate,
&enumHandle);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
status = HlprFwpmFilterEnum(engineHandle,
enumHandle,
0xFFFFFFFF,
&ppFilters,
&entryCount);
HLPR_BAIL_ON_FAILURE_WITH_LABEL(status,
HLPR_BAIL_LABEL_2);
if(ppFilters)
{
for(UINT32 filterIndex = 0;
filterIndex < entryCount;
filterIndex++)
{
HlprFwpmFilterDeleteByKey(engineHandle,
&(ppFilters[filterIndex]->filterKey));
}
FwpmFreeMemory((void**)&ppFilters);
}
HLPR_BAIL_LABEL_2:
if(enumHandle)
HlprFwpmFilterDestroyEnumHandle(engineHandle,
&enumHandle);
}
HLPR_BAIL_LABEL:
HlprSIDDestroy(&(filterCondition.conditionValue.sid));
HlprFwpmEngineClose(&engineHandle);
return status;
}
DWORD
MonitorAppDoMonitoring(PCWSTR AppPath)
{
HANDLE monitorDevice = NULL;
HANDLE engineHandle = NULL;
DWORD result;
MONITOR_SETTINGS monitorSettings;
FWPM_SESSION session;
FWP_BYTE_BLOB* applicationId = NULL;
RtlZeroMemory(&monitorSettings, sizeof(MONITOR_SETTINGS));
RtlZeroMemory(&session, sizeof(FWPM_SESSION));
session.displayData.name = L"Monitor Sample Session";
session.displayData.description = L"Monitors traffic at the Stream layer.";
// Let the Base Filtering Engine cleanup after us.
session.flags = FWPM_SESSION_FLAG_DYNAMIC;
printf("Opening Filtering Engine\n");
result = FwpmEngineOpen(
NULL,
RPC_C_AUTHN_WINNT,
NULL,
&session,
&engineHandle
);
if (NO_ERROR != result)
{
goto cleanup;
}
printf("Successfully opened Filtering Engine\n");
printf("Looking up Application ID from BFE\n");
result = MonitorAppIDFromPath(AppPath, &applicationId);
if (NO_ERROR != result)
{
goto cleanup;
}
printf("Successfully retrieved Application ID\n");
printf("Opening Monitor Sample Device\n");
result = MonitorAppOpenMonitorDevice(&monitorDevice);
if (NO_ERROR != result)
{
goto cleanup;
}
printf("Successfully opened Monitor Device\n");
printf("Adding Filters through the Filtering Engine\n");
result = MonitorAppAddFilters(engineHandle,
applicationId);
if (NO_ERROR != result)
{
goto cleanup;
}
printf("Successfully added Filters through the Filtering Engine\n");
printf("Enabling monitoring through the Monitor Sample Device\n");
monitorSettings.monitorOperation = monitorTraffic;
result = MonitorAppEnableMonitoring(monitorDevice,
&monitorSettings);
if (NO_ERROR != result)
{
goto cleanup;
}
printf("Successfully enabled monitoring.\n");
printf("Events will be traced through WMI. Please press any key to exit and cleanup filters.\n");
#pragma prefast(push)
#pragma prefast(disable:6031, "by design the return value of _getch() is ignored here")
_getch();
#pragma prefast(pop)
cleanup:
if (NO_ERROR != result)
{
printf("Monitor.\tError 0x%x occurred during execution\n", result);
}
if (monitorDevice)
{
MonitorAppCloseMonitorDevice(monitorDevice);
}
//
// Free the application Id that we retrieved.
//
if (applicationId)
{
FwpmFreeMemory((void**)&applicationId);
}
if (engineHandle)
{
result = FwpmEngineClose(engineHandle);
engineHandle = NULL;
}
return result;
}
