暂停一个数据包 [英] Suspend a packet
问题描述
是否可以实现一个可以检查数据包并通知用户空间的调出驱动程序,以便用户空间可以确定是否应该允许此数据包或被封锁?所以在某种意义上,标注驱动程序应该在必要时暂停数据包。
如果这是可行的,我应该怎么做呢? TIA。
您可以使用FwpsPendOperation @ FWPM_LAYER_ALE_AUTH_CONNECT_V { 4 | 6}。
http: //msdn.microsoft.com/en-us/library/windows/hardware/ff551199(v=vs.85).aspx
你会的需要实现一种机制,用于将必要的数据从内核传输到用户模式并返回(例如使用IOCtls和IRP,这两者都超出了本论坛的范围)。
当您做出决定时,请致电FwpsCompleteOperation。
http://msdn.microsoft.com/en-us/library/windows/hardware/ff551152(v = vs.85).aspx
如果数据包是非TCP的,那么你可以注入原始数据包(TCP没有数据包@ ALE_AUTH_CONNECT,因为这是握手)。
有一点需要注意的是如果机器发出信号表明它需要进入电源管理状态,无论您是做出决定,还是需要完成等待不是为了避免错误检查。
希望这会有所帮助,
        
Hi,
Is it possible to implement a callout driver that can inspect a packet and notifies the user space so that the user space can determine if this packet should be allowed or blocked? So in a sense, the callout driver should suspend the packet if necessary.
If this is doable, how should I go about it? TIA.
You can use FwpsPendOperation @ FWPM_LAYER_ALE_AUTH_CONNECT_V{ 4 | 6 }.
http://msdn.microsoft.com/en-us/library/windows/hardware/ff551199(v=vs.85).aspx
You will need to implement a mechanism for transmitting the necessary data from Kernel to User Mode and back (for example using IOCtls & IRPs, both of which are beyond the scope of this forum).
When you have a decision, call FwpsCompleteOperation.
http://msdn.microsoft.com/en-us/library/windows/hardware/ff551152(v=vs.85).aspxIf the packet was non-TCP, then you can inject the original packet (TCP has no packets @ ALE_AUTH_CONNECT as this is the handshake).
One thing to note though is that if the machine signals that it needs to drop into a power managed state, you will need to complete the pend whether you have a decision or not so as to avoid a bugcheck.
Hope this helps,
这篇关于暂停一个数据包的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
