Block and re-inject inbound TCP streams?


Problem description


Is there a way to support this in WFP:

We want to filter inbound TCP streams to replace some strings. Is there a way to block the incoming packets at the kernel level, redirect them to user mode, have a user mode routine that reads and modifies this data, then a kernel driver routine reads the modified data back (which was written by the user mode program) and re-injects the data through the same path it would have gone had it not been redirected?


The stmedit WFP sample can replace the string, but would it be possible to support this scenario?

Thanks for any help.

Recommended answer


Yes, this is all doable. You will need to create the mechanism which marshals the kernel data to user mode and back (IRPs and IOCTLs are the normal methods used). Essentially you will need a callout driver with a classifyFn that gets invoked at FWPM_LAYER_STREAM_V{4 | 6}. You will base your actions off of the indicated direction (FWPM_CONDITION_DIRECTION). In the classifyFn, you will need to clone the original data and block it. You will spin off a worker thread, which will need to perform the marshaling of the clone (kernel memory) to user mode. Once your user mode component has finished with it, you will need to marshal the memory back to kernel, and call FwpsStreamInjectAsync to re-inject the data. (Note that this assumes the most basic of scenarios, and does not account for issues like changes in the data size.)


One question you should ask is why do you need to modify the data from user mode?  If you can eliminate this requirement, then your design will be greatly simplified, and perform faster.

Hope this helps,
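The answer above covers the kernel side (clone, block, marshal out, marshal back, FwpsStreamInjectAsync) but leaves the user mode editing routine to the reader. The following is an added example, not code from the answer, the question, or the stmedit sample. It shows the one property that routine must have for a TCP stream: the bytes arrive in arbitrary chunks, so a target string can be split across two deliveries, and the output length differs from the input length (the data-size caveat the answer mentions). The editor holds back any chunk suffix that could be the start of a match and emits it once the next chunk resolves it. The IOCTL transport that delivers chunks from the driver is assumed and not shown; the chunk contents in the self-check are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NEEDLE 64  /* longest pattern this editor supports (assumption) */

/* Per-stream state: one instance per inbound TCP flow being edited. */
typedef struct {
    const char *needle;      size_t needle_len;
    const char *replacement; size_t repl_len;
    char   pending[MAX_NEEDLE]; /* chunk suffix that may begin a match */
    size_t pending_len;
} stream_editor;

int stream_editor_init(stream_editor *se, const char *needle, const char *replacement)
{
    size_t n = strlen(needle);
    if (n == 0 || n > MAX_NEEDLE) return -1;
    se->needle = needle;           se->needle_len = n;
    se->replacement = replacement; se->repl_len = strlen(replacement);
    se->pending_len = 0;
    return 0;
}

/* Upper bound on the output a chunk can produce: lets the caller size the
   buffer that is marshaled back to the driver before calling feed(). */
size_t stream_editor_max_out(const stream_editor *se, size_t chunk_len)
{
    size_t total = se->pending_len + chunk_len;
    return total + (total / se->needle_len) * se->repl_len;
}

/* Edit one inbound chunk. Returns bytes written to out, or (size_t)-1 if
   out_cap is too small; in that case the editor state is unchanged and the
   same chunk can be fed again with a larger buffer. */
size_t stream_editor_feed(stream_editor *se, const char *chunk, size_t chunk_len,
                          char *out, size_t out_cap)
{
    size_t total = se->pending_len + chunk_len;
    char *work = malloc(total ? total : 1);
    if (!work) return (size_t)-1;
    memcpy(work, se->pending, se->pending_len);          /* carried-over bytes first */
    memcpy(work + se->pending_len, chunk, chunk_len);

    size_t i = 0, o = 0;
    /* A complete match can only start where the whole needle still fits. */
    while (i + se->needle_len <= total) {
        if (memcmp(work + i, se->needle, se->needle_len) == 0) {
            if (o + se->repl_len > out_cap) goto overflow;
            memcpy(out + o, se->replacement, se->repl_len);
            o += se->repl_len;
            i += se->needle_len;
        } else {
            if (o + 1 > out_cap) goto overflow;
            out[o++] = work[i++];
        }
    }
    /* The tail is shorter than the needle. Hold back the longest tail suffix
       that equals a needle prefix; it may complete when the next chunk arrives. */
    size_t tail_len = total - i, keep = 0;
    for (size_t k = tail_len; k >= 1; k--)
        if (memcmp(work + total - k, se->needle, k) == 0) { keep = k; break; }
    size_t emit = tail_len - keep;
    if (o + emit > out_cap) goto overflow;
    memcpy(out + o, work + i, emit);
    o += emit;
    memcpy(se->pending, work + total - keep, keep);      /* keep < needle_len <= MAX_NEEDLE */
    se->pending_len = keep;
    free(work);
    return o;
overflow:
    free(work);
    return (size_t)-1;
}

/* End of stream (peer FIN): release whatever was held back unchanged. */
size_t stream_editor_flush(stream_editor *se, char *out, size_t out_cap)
{
    size_t n = se->pending_len;
    if (n > out_cap) return (size_t)-1;
    memcpy(out, se->pending, n);
    se->pending_len = 0;
    return n;
}

/* Constructed scenario: an HTTP response whose Server header is split across
   two stream chunks. Returns 1 when every step produced the expected bytes. */
int stream_editor_self_check(void)
{
    stream_editor se; char out[256]; size_t n;
    if (stream_editor_init(&se, "Server: Apache", "Server: X") != 0) return 0;
    n = stream_editor_feed(&se, "HTTP/1.1 200 OK\r\nServer: Apa", 28, out, sizeof out);
    if (n != 17 || memcmp(out, "HTTP/1.1 200 OK\r\n", 17) != 0) return 0;  /* "Server: Apa" held back */
    n = stream_editor_feed(&se, "che\r\n\r\n", 7, out, sizeof out);
    if (n != 13 || memcmp(out, "Server: X\r\n\r\n", 13) != 0) return 0;    /* match completed, shorter */
    n = stream_editor_flush(&se, out, sizeof out);
    return n == 0;
}

int main(void)
{
    printf("stream editor self-check: %s\n", stream_editor_self_check() ? "ok" : "FAILED");
    return 0;
}
```

Two consequences of this design matter for the driver side of the answer. First, the re-injected stream lags the original by up to needle_len - 1 bytes, so the driver must call the flush path when the flow closes or those bytes are lost. Second, because the number of bytes handed to FwpsStreamInjectAsync differs from the number that was cloned and blocked, the driver cannot assume a one-to-one relationship between blocked and injected data, which is exactly the size-change issue the answer flags as unhandled in the basic scenario.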

