基于TDI的网络防火墙

//=========================================================== #include "tdi_fw.h" PDEVICE_OBJECT g_tcpoldobj, g_udpoldobj, g_ipoldobj; PDEVICE_OBJECT g_tcpfltobj, g_udpfltobj, g_ipfltobj; PDEVICE_OBJECT g_dev_control, g_dev_nfo; BOOLEAN g_NET_DENY; // 阻止网络 BOOLEAN g_FltEnable; // 过滤开关 BOOLEAN g_LogEnable = TRUE; // 日志开关 /* for IOCTL_TDI_QUERY_DIRECT_SEND_HANDLER */ typedef NTSTATUS TCPSendData_t(IN PIRP Irp, IN PIO_STACK_LOCATION IrpSp); TCPSendData_t *g_old_TCPSendData; TCPSendData_t g_new_TCPSendData; /* global traffic stats */ KSPIN_LOCK g_traffic_lock; unsigned __int64 g_traffic_in; unsigned __int64 g_traffic_out; // request_list LIST_ENTRY request_list_head; KSPIN_LOCK request_list_lock; KEVENT g_request_event; ULONG g_request_count; PVOID g_tdi_ioctls[] = { NULL, /*TDI_ASSOCIATE_ADDRESS,*/ tdi_associate_address, /*TDI_DISASSOCIATE_ADDRESS,*/ tdi_disassociate_address, /*TDI_CONNECT,*/ tdi_connect, /*TDI_LISTEN,*/ tdi_deny_stub, // for now only deny stubs for security reasons /*TDI_ACCEPT,*/ tdi_deny_stub, // for now only deny stubs for security reasons /*TDI_DISCONNECT,*/ tdi_disconnect, /*TDI_SEND,*/ tdi_send, /*TDI_RECEIVE,*/ tdi_receive, /*TDI_SEND_DATAGRAM,*/ tdi_send_datagram, /*TDI_RECEIVE_DATAGRAM,*/ tdi_receive_datagram, /*TDI_SET_EVENT_HANDLER,*/ tdi_set_event_handler }; PVOID tdi_event_handler[] = { /*TDI_EVENT_CONNECT,*/ tdi_event_connect, /*TDI_EVENT_DISCONNECT,*/ tdi_event_disconnect, /*TDI_EVENT_ERROR,*/ NULL, /*TDI_EVENT_RECEIVE,*/ tdi_event_receive, /*TDI_EVENT_RECEIVE_DATAGRAM,*/ tdi_event_receive_datagram, /*TDI_EVENT_RECEIVE_EXPEDITED,*/ tdi_event_receive, /*TDI_EVENT_SEND_POSSIBLE,*/ NULL, /*TDI_EVENT_CHAINED_RECEIVE,*/ tdi_event_chained_receive, /*TDI_EVENT_CHAINED_RECEIVE_DATAGRAM,*/ NULL, /*TDI_EVENT_CHAINED_RECEIVE_EXPEDITED,*/ tdi_event_chained_receive, /*TDI_EVENT_ERROR_EX,*/ NULL }; /* ------------------prototypes--------------------- */ NTSTATUS c_n_a_device(IN PDRIVER_OBJECT DriverObject, OUT PDEVICE_OBJECT *ppFltDevObj, OUT PDEVICE_OBJECT *ppOldDevObj, IN wchar_t *pwch_devname); void d_n_d_device(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT oldobj, PDEVICE_OBJECT fltobj); int tdi_create(PIRP irp, PIO_STACK_LOCATION irps, PDEVICE_OBJECT old_devobj, int ipproto, OUT struct _completion *completion); NTSTATUS tdi_dispatch_complete(PDEVICE_OBJECT fltdevobj, PDEVICE_OBJECT old_devobj, PIRP irp, int filter, PIO_COMPLETION_ROUTINE CompletionRoutine, PVOID context); NTSTATUS process_request(ULONG ctl_code, char *buf, OUT ULONG *out_len, ULONG buf_size); NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath); VOID OnUnload(PDRIVER_OBJECT DriverObject); NTSTATUS DeviceDispatch(PDEVICE_OBJECT DeviceObject, PIRP irp); //=========================================================== PDEVICE_OBJECT get_original_devobj(PDEVICE_OBJECT flt_devobj, OPTIONAL OUT int *proto) { PDEVICE_OBJECT p = NULL; if (flt_devobj == g_tcpfltobj) { p = g_tcpoldobj; if (proto) *proto = IPPROTO_TCP; } else if (flt_devobj == g_udpfltobj) { p = g_udpoldobj; if (proto) *proto = IPPROTO_UDP; } else if (flt_devobj == g_ipfltobj) { p = g_ipoldobj; if (proto) *proto = IPPROTO_IP; } // else // { // KdPrint(("~![tdi_fw] get_original_devobj: Unknown DeviceObject 0x%x!\n", flt_devobj)); // } return p; } /* create & attach device */ NTSTATUS c_n_a_device(IN PDRIVER_OBJECT DriverObject, OUT PDEVICE_OBJECT *ppFltDevObj, OUT PDEVICE_OBJECT *ppOldDevObj, IN WCHAR *pwch_devname) { NTSTATUS status; UNICODE_STRING us_DevName; status = IoCreateDevice(DriverObject, 0, NULL, FILE_DEVICE_UNKNOWN, 0, TRUE, ppFltDevObj); if (status != STATUS_SUCCESS) { KdPrint(("~![tdi_fw] c_n_a_device fail: IoCreateDevice(%S): 0x%x\n", pwch_devname, status)); return status; } (*ppFltDevObj)->Flags |= DO_DIRECT_IO; RtlInitUnicodeString(&us_DevName, pwch_devname); status = IoAttachDevice(*ppFltDevObj, &us_DevName, ppOldDevObj); if (status != STATUS_SUCCESS) { KdPrint(("~![tdi_fw] c_n_a_device fail: IoAttachDevice(%S): 0x%x\n", pwch_devname, status)); return status; } KdPrint(("[tdi_fw] c_n_a_device: %-13S fltdevobj: 0x%x\n", pwch_devname, *ppFltDevObj)); return STATUS_SUCCESS; } /* detach & delete device */ void d_n_d_device(PDRIVER_OBJECT DriverObject, PDEVICE_OBJECT oldobj, PDEVICE_OBJECT fltobj) { if (oldobj != NULL) IoDetachDevice(oldobj); if (fltobj != NULL) { IoDeleteDevice(fltobj); fltobj = NULL; } } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { NTSTATUS status; UNICODE_STRING us_DevName, us_SymbollinkName; int i; KdPrint(("*******************tdi_fw*******************\n")); //__debugbreak(); memtrack_init(); KeInitializeSpinLock(&g_traffic_lock); // 统计总流量用 InitializeListHead(&request_list_head); KeInitializeSpinLock(&request_list_lock); KeInitializeEvent(&g_request_event, NotificationEvent, FALSE); KdPrint(("[tdi_fw] &g_request_event: %x\n", &g_request_event)); status = ot_init(); if (status) { KdPrint(("~![tdi_fw] DriverEntry: ot_init: 0x%x\n", status)); goto done; } status = filter_init(); if (status) { KdPrint(("~![tdi_fw] DriverEntry: filter_init: 0x%x\n", status)); goto done; } for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) DriverObject->MajorFunction[i] = DeviceDispatch; #if DBG DriverObject->DriverUnload = OnUnload; #endif /* create control device and symbolic link */ RtlInitUnicodeString(&us_DevName, L"\\Device\\tdifw"); status = IoCreateDevice(DriverObject, 0, &us_DevName, 0, 0, TRUE, // exclusive! &g_dev_control); if (status) { KdPrint(("~![tdi_fw] DriverEntry: IoCreateDevice(control): 0x%x!\n", status)); goto done; } RtlInitUnicodeString(&us_SymbollinkName, L"\\??\\tdifw"); status = IoCreateSymbolicLink(&us_SymbollinkName, &us_DevName); if (status) { KdPrint(("~![tdi_fw] DriverEntry: IoCreateSymbolicLink: 0x%x!\n", status)); goto done; } RtlInitUnicodeString(&us_DevName, L"\\Device\\tdifw_nfo"); status = IoCreateDevice(DriverObject, 0, &us_DevName, 0, 0, FALSE, // not exclusive! &g_dev_nfo); if (status != STATUS_SUCCESS) { KdPrint(("~![tdi_fw] DriverEntry: IoCreateDevice(nfo): 0x%x!\n", status)); goto done; } RtlInitUnicodeString(&us_SymbollinkName, L"\\??\\tdifw_nfo"); status = IoCreateSymbolicLink(&us_SymbollinkName, &us_DevName); if (status != STATUS_SUCCESS) { KdPrint(("~![tdi_fw] DriverEntry: IoCreateSymbolicLink: 0x%x!\n", status)); goto done; } status |= c_n_a_device(DriverObject, &g_tcpfltobj, &g_tcpoldobj, L"\\Device\\Tcp"); status |= c_n_a_device(DriverObject, &g_udpfltobj, &g_udpoldobj, L"\\Device\\Udp"); status |= c_n_a_device(DriverObject, &g_ipfltobj, &g_ipoldobj, L"\\Device\\RawIp"); KdPrint(("*******************************************************************************\n")); do