UINT32 PrvScenarioProxyDeleteFwpmObjects(_In_ const FWPM_FILTER* pFilter) { ASSERT(pFilter); UINT32 status = NO_ERROR; HANDLE engineHandle = 0; HANDLE enumHandle = 0; UINT32 entryCount = 0; FWPM_FILTER** ppFilters = 0; FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0}; FWPM_PROVIDER_CONTEXT_ENUM_TEMPLATE providerContextEnumTemplate = {0}; GUID calloutKey = {0}; #if(NTDDI_VERSION >= NTDDI_WIN7) if(pFilter->layerKey == FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 || pFilter->layerKey == FWPM_LAYER_ALE_CONNECT_REDIRECT_V6 || pFilter->layerKey == FWPM_LAYER_ALE_BIND_REDIRECT_V4 || pFilter->layerKey == FWPM_LAYER_ALE_BIND_REDIRECT_V6) calloutKey = WFPSAMPLER_CALLOUT_PROXY_BY_ALE_REDIRECT; else #endif /// (NTDDI_VERSION >= NTDDI_WIN7) calloutKey = WFPSAMPLER_CALLOUT_PROXY_BY_INJECTION; calloutKey.Data4[7] = HlprFwpmLayerGetIDByKey(&(pFilter->layerKey)); /// Uniquely identifies the callout used providerContextEnumTemplate.providerContextType = FWPM_GENERAL_CONTEXT; filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; filterEnumTemplate.layerKey = pFilter->layerKey; filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED; filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME | FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED; filterEnumTemplate.numFilterConditions = pFilter->numFilterConditions; filterEnumTemplate.filterCondition = pFilter->filterCondition; filterEnumTemplate.providerContextTemplate = &providerContextEnumTemplate; filterEnumTemplate.actionMask = FWP_ACTION_FLAG_CALLOUT; filterEnumTemplate.calloutKey = &calloutKey; status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); status = HlprFwpmFilterCreateEnumHandle(engineHandle, &filterEnumTemplate, &enumHandle); HLPR_BAIL_ON_FAILURE(status); status = HlprFwpmFilterEnum(engineHandle, enumHandle, 0xFFFFFFFF, &ppFilters, &entryCount); HLPR_BAIL_ON_FAILURE(status); if(ppFilters) { for(UINT32 filterIndex = 0; filterIndex < entryCount; filterIndex++) { HlprFwpmFilterDeleteByKey(engineHandle, &(ppFilters[filterIndex]->filterKey)); HlprFwpmCalloutDeleteByKey(engineHandle, &(ppFilters[filterIndex]->action.calloutKey)); if(ppFilters[filterIndex]->flags & FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT) HlprFwpmProviderContextDeleteByKey(engineHandle, &(ppFilters[filterIndex]->providerContextKey)); } FwpmFreeMemory((void**)&ppFilters); } HLPR_BAIL_LABEL: if(engineHandle) { if(enumHandle) HlprFwpmFilterDestroyEnumHandle(engineHandle, &enumHandle); HlprFwpmEngineClose(&engineHandle); } return status; }
UINT32 PrvScenarioFastStreamInjectionDeleteFwpmObjects(_In_ const FWPM_FILTER* pFilter) { ASSERT(pFilter); UINT32 status = NO_ERROR; HANDLE engineHandle = 0; HANDLE enumHandle = 0; UINT32 entryCount = 0; FWPM_FILTER** ppFilters = 0; FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0}; GUID calloutKey = {0}; calloutKey = WFPSAMPLER_CALLOUT_FAST_STREAM_INJECTION; calloutKey.Data4[7] = HlprFwpmLayerGetIDByKey(&(pFilter->layerKey)); /// Uniquely identifies the callout used filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; filterEnumTemplate.layerKey = pFilter->layerKey; filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED; filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME | FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED; filterEnumTemplate.numFilterConditions = pFilter->numFilterConditions; filterEnumTemplate.filterCondition = pFilter->filterCondition; filterEnumTemplate.actionMask = FWP_ACTION_FLAG_CALLOUT; filterEnumTemplate.calloutKey = &calloutKey; status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); status = HlprFwpmFilterCreateEnumHandle(engineHandle, &filterEnumTemplate, &enumHandle); HLPR_BAIL_ON_FAILURE(status); status = HlprFwpmFilterEnum(engineHandle, enumHandle, 0xFFFFFFFF, &ppFilters, &entryCount); HLPR_BAIL_ON_FAILURE(status); if(ppFilters) { for(UINT32 filterIndex = 0; filterIndex < entryCount; filterIndex++) { HlprFwpmFilterDeleteByKey(engineHandle, &(ppFilters[filterIndex]->filterKey)); HlprFwpmCalloutDeleteByKey(engineHandle, &(ppFilters[filterIndex]->action.calloutKey)); } FwpmFreeMemory((void**)&ppFilters); } HLPR_BAIL_LABEL: if(engineHandle) { if(enumHandle) HlprFwpmFilterDestroyEnumHandle(engineHandle, &enumHandle); HlprFwpmEngineClose(&engineHandle); } return status; }
VOID PrvPendAuthorizationNotificationWorkItemRoutine(_In_ PDEVICE_OBJECT pDeviceObject, _Inout_opt_ PVOID pContext) { #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " ---> PrvPendAuthorizationNotificationWorkItemRoutine()\n"); #endif /// DBG UNREFERENCED_PARAMETER(pDeviceObject); NT_ASSERT(pContext); NT_ASSERT(((WORKITEM_DATA*)pContext)->pNotifyData); WORKITEM_DATA* pWorkItemData = (WORKITEM_DATA*)pContext; if(pWorkItemData) { NTSTATUS status = STATUS_SUCCESS; FWPM_CALLOUT* pCallout = 0; PWSTR pCalloutName = L""; status = FwpmCalloutGetById(g_EngineHandle, pWorkItemData->pNotifyData->calloutID, &pCallout); if(status != STATUS_SUCCESS) DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " !!!! PrvPendAuthorizationNotificationWorkItemRoutine : FwpmCalloutGetById() [status: %#x]\n", status); else { pCalloutName = pCallout->displayData.name; if(pCallout->applicableLayer != FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4 && pCallout->applicableLayer != FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V6 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_LISTEN_V4 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_LISTEN_V6 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_CONNECT_V4 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_CONNECT_V6 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 && pCallout->applicableLayer != FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6) { status = STATUS_FWP_INCOMPATIBLE_LAYER; DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_ERROR_LEVEL, " !!!! PrvPendAuthorizationNotificationWorkItemRoutine() [status: %#x]\n", status); } } switch(pWorkItemData->pNotifyData->notificationType) { case FWPS_CALLOUT_NOTIFY_ADD_FILTER: { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " -- A filter referencing %S callout was added\n", pCalloutName); break; } case FWPS_CALLOUT_NOTIFY_DELETE_FILTER: { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " -- A filter referencing %S callout was deleted\n", pCalloutName); break; } case FWPS_CALLOUT_NOTIFY_ADD_FILTER_POST_COMMIT: { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " -- A filter referencing %S callout was committed\n", pCalloutName); break; } default: { DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " -- Invalid Notification Type. Please Contact [email protected]\n"); break; } } FwpmFreeMemory((VOID**)&pCallout); HLPR_DELETE(pWorkItemData->pNotifyData, WFPSAMPLER_CALLOUT_DRIVER_TAG); KrnlHlprWorkItemDataDestroy(&pWorkItemData); } #if DBG DbgPrintEx(DPFLTR_IHVNETWORK_ID, DPFLTR_INFO_LEVEL, " <--- PrvPendAuthorizationNotificationWorkItemRoutine()\n"); #endif /// DBG return; }
UINT32 PrvScenarioAppContainerDeleteFwpmObjects(_In_ const SID* pPackageID, _In_ const SID* pUserID) { UNREFERENCED_PARAMETER(pUserID); ASSERT(pPackageID); ASSERT(pUserID); UINT32 status = NO_ERROR; /// UINT32 sidSize = 0; HANDLE engineHandle = 0; const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_CONNECT_V6}; const UINT8 NUM_CONDITIONS = 1; /// 2 const UINT8 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys); FWPM_FILTER_CONDITION pFilterConditions[NUM_CONDITIONS] = {0}; pFilterConditions[0].fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID; pFilterConditions[0].matchType = FWP_MATCH_EQUAL; pFilterConditions[0].conditionValue.type = FWP_SID; pFilterConditions[0].conditionValue.sid = (SID*)pPackageID; /// pFilterConditions[1].fieldKey = FWPM_CONDITION_ALE_USER_ID; /// pFilterConditions[1].matchType = FWP_MATCH_EQUAL; /// pFilterConditions[1].conditionValue.type = FWP_SECURITY_DESCRIPTOR_TYPE; /// pFilterConditions[1].conditionValue.sd = ; status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); for(UINT32 objectIndex = 0; objectIndex < NUM_OBJECTS; objectIndex++) { UINT32 entryCount = 0; FWPM_FILTER** ppFilters = 0; HANDLE enumHandle = 0; FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0}; filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; filterEnumTemplate.layerKey = pLayerKeys[objectIndex]; filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED; filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME | FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED; filterEnumTemplate.numFilterConditions = NUM_CONDITIONS; filterEnumTemplate.filterCondition = pFilterConditions; filterEnumTemplate.actionMask = 0xFFFFFFFF; status = HlprFwpmFilterCreateEnumHandle(engineHandle, &filterEnumTemplate, &enumHandle); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); status = HlprFwpmFilterEnum(engineHandle, enumHandle, 0xFFFFFFFF, &ppFilters, &entryCount); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); if(ppFilters) { for(UINT32 filterIndex = 0; filterIndex < entryCount; filterIndex++) { HlprFwpmFilterDeleteByKey(engineHandle, &(ppFilters[filterIndex]->filterKey)); } FwpmFreeMemory((void**)&ppFilters); } HLPR_BAIL_LABEL_2: if(enumHandle) HlprFwpmFilterDestroyEnumHandle(engineHandle, &enumHandle); } HLPR_BAIL_LABEL: HlprFwpmEngineClose(&engineHandle); return status; }
UINT32 PrvScenarioAppContainerDeleteFwpmObjects() { UINT32 status = NO_ERROR; UINT32 sidSize = 0; HANDLE engineHandle = 0; const GUID pLayerKeys[] = {FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_CONNECT_V6}; const UINT32 NUM_OBJECTS = RTL_NUMBER_OF(pLayerKeys); FWPM_FILTER_CONDITION filterCondition = {0}; /// Only App Containers have a valid (non-NULL) SID for the ALE_PACKAGE_ID filterCondition.fieldKey = FWPM_CONDITION_ALE_PACKAGE_ID; filterCondition.matchType = FWP_MATCH_NOT_EQUAL; filterCondition.conditionValue.type = FWP_SID; #pragma warning(push) #pragma warning(disable: 6388) /// filterCondition.conditionValue.sid guaranteed to be 0 due to ZeroMemory call status = HlprSIDGetWellKnown(WinNullSid, &(filterCondition.conditionValue.sid), &sidSize); HLPR_BAIL_ON_FAILURE(status); #pragma warning(pop) status = HlprFwpmEngineOpen(&engineHandle); HLPR_BAIL_ON_FAILURE(status); for(UINT32 objectIndex = 0; objectIndex < NUM_OBJECTS; objectIndex++) { HANDLE enumHandle = 0; UINT32 entryCount = 0; FWPM_FILTER** ppFilters = 0; FWPM_FILTER_ENUM_TEMPLATE filterEnumTemplate = {0}; filterEnumTemplate.providerKey = (GUID*)&WFPSAMPLER_PROVIDER; filterEnumTemplate.layerKey = pLayerKeys[objectIndex]; filterEnumTemplate.enumType = FWP_FILTER_ENUM_FULLY_CONTAINED; filterEnumTemplate.flags = FWP_FILTER_ENUM_FLAG_INCLUDE_BOOTTIME | FWP_FILTER_ENUM_FLAG_INCLUDE_DISABLED; filterEnumTemplate.numFilterConditions = 1; filterEnumTemplate.filterCondition = &filterCondition; filterEnumTemplate.actionMask = 0xFFFFFFFF; status = HlprFwpmFilterCreateEnumHandle(engineHandle, &filterEnumTemplate, &enumHandle); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); status = HlprFwpmFilterEnum(engineHandle, enumHandle, 0xFFFFFFFF, &ppFilters, &entryCount); HLPR_BAIL_ON_FAILURE_WITH_LABEL(status, HLPR_BAIL_LABEL_2); if(ppFilters) { for(UINT32 filterIndex = 0; filterIndex < entryCount; filterIndex++) { HlprFwpmFilterDeleteByKey(engineHandle, &(ppFilters[filterIndex]->filterKey)); } FwpmFreeMemory((void**)&ppFilters); } HLPR_BAIL_LABEL_2: if(enumHandle) HlprFwpmFilterDestroyEnumHandle(engineHandle, &enumHandle); } HLPR_BAIL_LABEL: HlprSIDDestroy(&(filterCondition.conditionValue.sid)); HlprFwpmEngineClose(&engineHandle); return status; }
DWORD MonitorAppDoMonitoring(PCWSTR AppPath) { HANDLE monitorDevice = NULL; HANDLE engineHandle = NULL; DWORD result; MONITOR_SETTINGS monitorSettings; FWPM_SESSION session; FWP_BYTE_BLOB* applicationId = NULL; RtlZeroMemory(&monitorSettings, sizeof(MONITOR_SETTINGS)); RtlZeroMemory(&session, sizeof(FWPM_SESSION)); session.displayData.name = L"Monitor Sample Session"; session.displayData.description = L"Monitors traffic at the Stream layer."; // Let the Base Filtering Engine cleanup after us. session.flags = FWPM_SESSION_FLAG_DYNAMIC; printf("Opening Filtering Engine\n"); result = FwpmEngineOpen( NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engineHandle ); if (NO_ERROR != result) { goto cleanup; } printf("Successfully opened Filtering Engine\n"); printf("Looking up Application ID from BFE\n"); result = MonitorAppIDFromPath(AppPath, &applicationId); if (NO_ERROR != result) { goto cleanup; } printf("Successfully retrieved Application ID\n"); printf("Opening Monitor Sample Device\n"); result = MonitorAppOpenMonitorDevice(&monitorDevice); if (NO_ERROR != result) { goto cleanup; } printf("Successfully opened Monitor Device\n"); printf("Adding Filters through the Filtering Engine\n"); result = MonitorAppAddFilters(engineHandle, applicationId); if (NO_ERROR != result) { goto cleanup; } printf("Successfully added Filters through the Filtering Engine\n"); printf("Enabling monitoring through the Monitor Sample Device\n"); monitorSettings.monitorOperation = monitorTraffic; result = MonitorAppEnableMonitoring(monitorDevice, &monitorSettings); if (NO_ERROR != result) { goto cleanup; } printf("Successfully enabled monitoring.\n"); printf("Events will be traced through WMI. Please press any key to exit and cleanup filters.\n"); #pragma prefast(push) #pragma prefast(disable:6031, "by design the return value of _getch() is ignored here") _getch(); #pragma prefast(pop) cleanup: if (NO_ERROR != result) { printf("Monitor.\tError 0x%x occurred during execution\n", result); } if (monitorDevice) { MonitorAppCloseMonitorDevice(monitorDevice); } // // Free the application Id that we retrieved. // if (applicationId) { FwpmFreeMemory((void**)&applicationId); } if (engineHandle) { result = FwpmEngineClose(engineHandle); engineHandle = NULL; } return result; }