WFP tcp重定向到用户应用程序 [英] WFP tcp redirect to User app

问题描述

我想将TCP连接重定向到用户应用程序ON WINDOWS 8.以下是分类功能，

I want to redirect TCP connection to user app ON WINDOWS 8. Following is the classify fucntion,

void NTAPI

TCPProxyConnectClassify（

  IN const FWPS_INCOMING_VALUES0 * pInFixedValues，

  IN const FWPS_INCOMING_METADATA_VALUES0 * pInMetaValues，

  IN OUT void * pLayerData，

  IN const void * pClassifyContext，

  IN const FWPS_FILTER1 * pFilter，

  IN UINT64 ui64FlowContext，

  OUT FWPS_CLASSIFY_OUT0 * pClassifyOut

 ）

{

  UINT64 ui64ClassifyHandle;

  NTSTATUS ntStatus = STATUS_SUCCESS;

  FWPS_CONNECT_REQUEST0 * pModifiedLayerData;

  HANDLE hRedirectHandle;

  UINT16 ui16NewLocalPort = 27015;

  DWORD dwProcessID = 1072;

  UNICODE_STRING IPNumber;

  PWSTR终止符;

void NTAPI
TCPProxyConnectClassify(
 IN const FWPS_INCOMING_VALUES0* pInFixedValues,
 IN const FWPS_INCOMING_METADATA_VALUES0* pInMetaValues,
 IN OUT void* pLayerData,
 IN const void *pClassifyContext,
 IN const FWPS_FILTER1* pFilter,
 IN UINT64 ui64FlowContext,
 OUT FWPS_CLASSIFY_OUT0* pClassifyOut
 )
{
 UINT64 ui64ClassifyHandle;
 NTSTATUS ntStatus = STATUS_SUCCESS;
 FWPS_CONNECT_REQUEST0* pModifiedLayerData;
 HANDLE hRedirectHandle;
 UINT16 ui16NewLocalPort = 27015;
 DWORD dwProcessID = 1072;
 UNICODE_STRING IPNumber;
 PWSTR terminator;

  UNREFERENCED_PARAMETER（ui64FlowContext）;

  UNREF ERENCED_PARAMETER（pLayerData）;

  ntStatus = FwpsAcquireClassifyHandle0（（void *）pClassifyContext，（UINT32）0，& ui64ClassifyHandle）;
$
  if（NT_SUCCESS（ntStatus） ））
  {

   ntStatus = FwpsRedirectHandleCreate0（& TCP_PROXY_REDIRECT_CALLOUT_V4,0，& hRedirectHandle）;

    if（！NT_SUCCESS（ntStatus））

   {

    FwpsReleaseClassifyHandle0（ui64ClassifyHandle）;

    return;

  }

 UNREFERENCED_PARAMETER(ui64FlowContext);
 UNREFERENCED_PARAMETER(pLayerData);
 ntStatus = FwpsAcquireClassifyHandle0((void*)pClassifyContext, (UINT32)0, &ui64ClassifyHandle);
 if (NT_SUCCESS(ntStatus))
 {
  ntStatus = FwpsRedirectHandleCreate0(&TCP_PROXY_REDIRECT_CALLOUT_V4, 0, &hRedirectHandle);
  if (!NT_SUCCESS(ntStatus))
  {
   FwpsReleaseClassifyHandle0( ui64ClassifyHandle );
   return;
  }

   ntStatus = FwpsAcquireWritableLayerDataPointer0（ui64ClassifyHandle，pFilter-> filterId，（UINT32） ）0，（PVOID *）& pModifiedLayerData，pClassifyOut）;
$
   if（NT_SUCCESS（ntStatus））

   {

    //我的本地地址

    RtlInitUnicodeString（& IPNumber，L" 10.0.2.15"）;

    ntStatus = RtlIpv4StringToAddressW（（PCWSTR）（IPNumbe） r.Buffer），TRUE，& terminator，&（（SOCKADDR_IN *）& pModifiedLayerData-> remoteAddressAndPort） - > sin_addr）;

  ntStatus = FwpsAcquireWritableLayerDataPointer0(ui64ClassifyHandle, pFilter->filterId, (UINT32)0, (PVOID*)&pModifiedLayerData, pClassifyOut);
  if (NT_SUCCESS(ntStatus))
  {
   //My local address
   RtlInitUnicodeString( &IPNumber, L"10.0.2.15");
   ntStatus = RtlIpv4StringToAddressW((PCWSTR)(IPNumber.Buffer),TRUE,&terminator,&((SOCKADDR_IN*)&pModifiedLayerData->remoteAddressAndPort)->sin_addr);

ui16NewLocalPort = RtlUshortSwapBytes（ui16NewLocalPort）;

ui16NewLocalPort = RtlUshortSwapBytes(ui16NewLocalPort);

（（SOCKADDR_IN *）& pModifiedLayerData-> remoteAddressAndPort） - > sin_port = ui16NewLocalPort;

    pModifiedLayerData-> localRedirectTargetPID = dwProcessID; //本地代理的PID为
    pModifiedLayerData-> localRedirectHandle = hRedirectHandle;

    FwpsApplyModifiedLayerData0（ui64ClassifyHandle，（PVOID）pModifiedLayerData， FWPS_CLASSIFY_FLAG_REAUTHORIZE_IF_MODIFIED_BY_OTHERS）;
$
    FwpsRedirectHandleDestroy0（hRedirectHandle）;

  }

   FwpsReleaseClassifyHandle0（ui64ClassifyHandle ）;;
 }

((SOCKADDR_IN*)&pModifiedLayerData->remoteAddressAndPort)->sin_port = ui16NewLocalPort;
   pModifiedLayerData->localRedirectTargetPID = dwProcessID; // local proxy's PID
   pModifiedLayerData->localRedirectHandle = hRedirectHandle;
   FwpsApplyModifiedLayerData0(ui64ClassifyHandle, (PVOID)pModifiedLayerData, FWPS_CLASSIFY_FLAG_REAUTHORIZE_IF_MODIFIED_BY_OTHERS);
   FwpsRedirectHandleDestroy0(hRedirectHandle);
  }
  FwpsReleaseClassifyHandle0( ui64ClassifyHandle );
 }

  return;

}

 return;
}

我的用户app使用端口27015创建套接字并在accept（）中等待。重定向永远不会发生。

My user app creates socket with port 27015 and is waiting in accept(). The redirection never takes place.

我错过了什么？

在eventviewer日志中

in the eventviewer log is

Windows过滤平台已阻止连接。

The Windows Filtering Platform has blocked a connection.

应用程序信息：

 进程ID：   1164

 应用程序名称：  \ devvice \ drdiskvolume2 \windows \ system32 \svchost.exe

Application Information:
 Process ID:  1164
 Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

网络信息：

 方向：   出境

 来源地址：   10.0.2.15

 来源端口：   57532

  ;目的地地址：  10.0.2.15

 目的地港口：   27015

 协议：   17

Network Information:
 Direction:  Outbound
 Source Address:  10.0.2.15
 Source Port:  57532
 Destination Address: 10.0.2.15
 Destination Port:  27015
 Protocol:  17

过滤信息：

 过滤器运行时ID：  0

 图层名称：   Connect

 图层运行时ID：  48

Filter Information:
 Filter Run-Time ID: 0
 Layer Name:  Connect
 Layer Run-Time ID: 48

推荐答案

您是否尝试过添加明确允许的过滤器？这个流量在FWPM_LAYER_ALE_AUTH_CONNECT_V4？ 您的重定向工作正常，新连接正在被阻止。

Have you tried adding a filter that explicitly allows this traffic at FWPM_LAYER_ALE_AUTH_CONNECT_V4?  Your redirection is working, the new connection is being blocked though.

希望这会有所帮助，

这篇关于WFP tcp重定向到用户应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！