Windows 驱动 WFP 基本流程代码
WFP 驱动程序的基本流程代码如下:
```c
#include <ntddk.h>
#include <wdf.h>
#include <fwpmk.h>
#include <fwpvi.h>
#define WFP_DRIVER_TAG 'wfpd'
/* Function-role declarations: the EVT_WDF_* typedefs and the WDK's SAL
 * annotations type-check the callbacks that DriverEntry registers. */
DRIVER_INITIALIZE DriverEntry;
EVT_WDF_DRIVER_DEVICE_ADD WfpEvtDeviceAdd;
EVT_WDF_OBJECT_CONTEXT_CLEANUP WfpEvtDriverContextCleanup;
/* Per-driver state attached to the WDFDRIVER object.  It only exists if
 * WdfDriverCreate is given object attributes naming this context type
 * (WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE); the accessor generated below
 * returns NULL for an object that carries no such context. */
typedef struct _WFP_DRIVER_CONTEXT {
HANDLE engineHandle; /* filter-engine handle from FwpmEngineOpen0, closed in WfpEvtDriverContextCleanup */
UINT32 calloutId;    /* runtime ID returned by FwpmCalloutAdd0 */
} WFP_DRIVER_CONTEXT, *PWFP_DRIVER_CONTEXT;
/* Generates WfpGetDriverContext(WDFOBJECT) -> PWFP_DRIVER_CONTEXT. */
WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(WFP_DRIVER_CONTEXT, WfpGetDriverContext)
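/*
 * DriverEntry - KMDF driver entry point.
 *
 * Creates the framework driver object, registers WfpEvtDeviceAdd as the
 * device-add callback and WfpEvtDriverContextCleanup as the object cleanup
 * callback, and attaches a WFP_DRIVER_CONTEXT to the driver object so the
 * filter-engine handle opened in WfpEvtDeviceAdd can be released on unload.
 *
 * DriverObject / RegistryPath: forwarded unchanged to WdfDriverCreate.
 * Returns the WdfDriverCreate status; on failure the driver does not load.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;
    WDF_DRIVER_CONFIG config;
    WDF_OBJECT_ATTRIBUTES attributes;

    /* The routine name must match the declared EVT_WDF_DRIVER_DEVICE_ADD
     * callback (WfpEvtDeviceAdd); the original referenced a routine that
     * does not exist in this file. */
    WDF_DRIVER_CONFIG_INIT(&config, WfpEvtDeviceAdd);
    config.DriverPoolTag = WFP_DRIVER_TAG;

    /* Without these attributes no WFP_DRIVER_CONTEXT is allocated (so
     * WfpGetDriverContext returns NULL) and the cleanup routine is never
     * invoked, leaving the engine handle, callout and filter behind on
     * unload. */
    WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&attributes, WFP_DRIVER_CONTEXT);
    attributes.EvtCleanupCallback = WfpEvtDriverContextCleanup;

    status = WdfDriverCreate(DriverObject,
                             RegistryPath,
                             &attributes,
                             &config,
                             WDF_NO_HANDLE);
    if (!NT_SUCCESS(status)) {
        KdPrint(("WdfDriverCreate failed with status 0x%x\n", status));
    }
    return status;
}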
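/*
 * WfpEvtDeviceAdd - creates the framework device and installs the WFP
 * objects: opens a dynamic filter-engine session, adds one callout at
 * FWPM_LAYER_ALE_AUTH_CONNECT_V4 and one filter at the same layer that hands
 * outbound IPv4 connections to remote address 192.168.0.1 to that callout.
 * Connections to any other address are not touched by this filter.  The
 * engine handle and callout ID are stored in the driver context so the
 * cleanup callback can release them.
 *
 * Runs at PASSIVE_LEVEL, which the Fwpm* management API requires.
 *
 * Driver:     WDFDRIVER whose WFP_DRIVER_CONTEXT receives the handles.
 * DeviceInit: framework device-init structure, consumed by WdfDeviceCreate.
 * Returns STATUS_SUCCESS or the failing call's status.  On failure the
 * engine session (and every object added through it) is closed; the
 * framework frees the device when EvtDeviceAdd fails.
 *
 * NOTE(review): GUID_WFP_CALLOUT is not defined anywhere in this listing; it
 * must be declared once (DEFINE_GUID) with a GUID unique to this driver.
 * The callout is also never registered with FwpsCalloutRegister* and no
 * classifyFn exists, so no permit/block decision is made here - until one
 * is added, the filter merely routes matching connections to an
 * unregistered callout.
 */
NTSTATUS
WfpEvtDeviceAdd(
    _In_ WDFDRIVER Driver,
    _Inout_ PWDFDEVICE_INIT DeviceInit
    )
{
    NTSTATUS status;
    WDFDEVICE device;
    PWFP_DRIVER_CONTEXT driverContext;
    HANDLE engineHandle = NULL;
    FWPM_SESSION session;
    FWPM_CALLOUT callout;
    FWPM_FILTER filter;
    FWPM_FILTER_CONDITION filterConditions[1];
    UINT32 calloutId = 0;
    UINT64 filterId = 0;

    KdPrint(("WfpEvtDeviceAdd called\n"));

    status = WdfDeviceCreate(&DeviceInit, WDF_NO_OBJECT_ATTRIBUTES, &device);
    if (!NT_SUCCESS(status)) {
        KdPrint(("WdfDeviceCreate failed with status 0x%x\n", status));
        return status;
    }

    /* Fetch the context before touching the engine so nothing leaks if the
     * driver object was created without a WFP_DRIVER_CONTEXT (the accessor
     * then returns NULL; the original dereferenced it unchecked). */
    driverContext = WfpGetDriverContext(Driver);
    if (driverContext == NULL) {
        KdPrint(("WfpEvtDeviceAdd: driver object has no WFP_DRIVER_CONTEXT\n"));
        return STATUS_INVALID_DEVICE_STATE;
    }

    /* A dynamic session makes the engine delete every object added through
     * this handle when the handle is closed, so an unload (or a failure
     * below) cannot leave a stale callout/filter behind.  The session has to
     * be passed to FwpmEngineOpen0 - the original built it but passed NULL
     * here, and then handed it to FwpmCalloutAdd0/FwpmFilterAdd0 in their
     * PSECURITY_DESCRIPTOR parameter instead. */
    RtlZeroMemory(&session, sizeof(session));
    session.flags = FWPM_SESSION_FLAG_DYNAMIC;

    status = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engineHandle);
    if (!NT_SUCCESS(status)) {
        KdPrint(("FwpmEngineOpen0 failed with status 0x%x\n", status));
        return status;
    }

    RtlZeroMemory(&callout, sizeof(callout));
    callout.calloutKey = GUID_WFP_CALLOUT;
    callout.displayData.name = L"WFP Callout";
    callout.displayData.description = L"Callout for WFP driver";
    callout.applicableLayer = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    /* providerKey stays NULL: the field is a GUID*, not an FWP_BYTE_BLOB as
     * the original assigned, and a provider named here must already have
     * been added with FwpmProviderAdd0 or the callout add fails.  This
     * listing adds no provider.
     * flags stay 0: the original's ALLOW_MID_STREAM_INSPECTION flag belongs
     * to the FWPS_CALLOUT registration flags and concerns stream layers,
     * not an ALE connect-authorization callout. */

    /* Third argument is an optional PSECURITY_DESCRIPTOR; NULL = default. */
    status = FwpmCalloutAdd0(engineHandle, &callout, NULL, &calloutId);
    if (!NT_SUCCESS(status)) {
        KdPrint(("FwpmCalloutAdd0 failed with status 0x%x\n", status));
        goto fail;
    }

    /* Single condition: remote IPv4 address == 192.168.0.1.  At the V4 ALE
     * layers FWPM_CONDITION_IP_REMOTE_ADDRESS is an FWP_UINT32 in host byte
     * order; FWP_BYTE_ARRAY16_TYPE is the IPv6 form, and byteArray16 is a
     * pointer that the original indexed while uninitialised.  The array is
     * zeroed so conditionKey/flags are not left indeterminate. */
    RtlZeroMemory(filterConditions, sizeof(filterConditions));
    filterConditions[0].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
    filterConditions[0].matchType = FWP_MATCH_EQUAL;
    filterConditions[0].conditionValue.type = FWP_UINT32;
    filterConditions[0].conditionValue.uint32 = 0xC0A80001; /* 192.168.0.1 */

    RtlZeroMemory(&filter, sizeof(filter));
    filter.displayData.name = L"WFP Filter"; /* wchar_t*, not a UNICODE_STRING */
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
    filter.action.calloutKey = GUID_WFP_CALLOUT;
    filter.filterCondition = filterConditions;
    filter.numFilterConditions = 1;
    /* weight is left FWP_EMPTY so the engine assigns an automatic weight. */

    status = FwpmFilterAdd0(engineHandle, &filter, NULL, &filterId);
    if (!NT_SUCCESS(status)) {
        KdPrint(("FwpmFilterAdd0 failed with status 0x%x\n", status));
        goto fail;
    }
    KdPrint(("WFP callout %u / filter %llu added\n", calloutId, filterId));

    driverContext->engineHandle = engineHandle;
    driverContext->calloutId = calloutId;
    return STATUS_SUCCESS;

fail:
    /* Closing the dynamic session removes whatever was added through it, so
     * no per-object delete is needed here. */
    FwpmEngineClose0(engineHandle);
    return status;
}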
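/*
 * WfpEvtDriverContextCleanup - EvtCleanupCallback for the WDFDRIVER object.
 *
 * Closes the filter-engine handle stored by WfpEvtDeviceAdd.  This relies on
 * that handle having been opened with FWPM_SESSION_FLAG_DYNAMIC: closing a
 * dynamic session removes the callout and filter added through it, so no
 * per-object deletion is needed.  (The original passed the *callout* ID to
 * FwpmFilterDeleteById0 - a different ID space - and then tried to delete a
 * callout that a still-existing filter may reference.)  If the session is
 * not dynamic the objects persist and must be deleted explicitly, filter
 * first, then callout.
 *
 * Runs at PASSIVE_LEVEL during unload.  Safe when WfpEvtDeviceAdd never ran
 * or failed: the framework zero-fills context memory, so engineHandle is
 * NULL and nothing is closed.
 *
 * DriverObject: the WDFDRIVER that owns the WFP_DRIVER_CONTEXT.
 */
VOID
WfpEvtDriverContextCleanup(
    _In_ WDFOBJECT DriverObject
    )
{
    PWFP_DRIVER_CONTEXT driverContext;

    KdPrint(("WfpEvtDriverContextCleanup called\n"));

    driverContext = WfpGetDriverContext(DriverObject);
    if (driverContext == NULL || driverContext->engineHandle == NULL) {
        return;
    }

    FwpmEngineClose0(driverContext->engineHandle);
    driverContext->engineHandle = NULL;
    driverContext->calloutId = 0;
}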
```
以上代码是一个简化的 WFP 驱动程序骨架:它在 FWPM_LAYER_ALE_AUTH_CONNECT_V4 层添加了一个 callout 和一个按远端 IP 地址匹配的过滤器,把发往该地址的连接交给 callout 处理,其它地址的连接不受影响。需要注意,代码中并没有通过 FwpsCalloutRegister 注册 classifyFn,因此它本身并不会"只允许指定的 IP 地址进行连接"——放行还是拦截取决于你在 classifyFn 中的实现。在 `DriverEntry` 函数中创建了 WDF 驱动程序对象,并指定了设备添加回调函数 `WfpEvtDeviceAdd`(若要让驱动上下文可用并使 `WfpEvtDriverContextCleanup` 被调用,还需在 `WdfDriverCreate` 时传入带上下文类型和 `EvtCleanupCallback` 的对象属性)。在 `WfpEvtDeviceAdd` 函数中创建了 WDF 设备对象,并打开 WFP 引擎会话、添加 callout 与过滤器;引擎会话应以 FWPM_SESSION_FLAG_DYNAMIC 打开,这样驱动卸载(关闭引擎句柄)时引擎会自动删除这些对象。在 `WfpEvtDriverContextCleanup` 函数中关闭 WFP 引擎句柄并清理 WFP 对象。需要注意的是,以上代码仅供参考,代码中引用但未定义的 GUID(如 GUID_WFP_CALLOUT)需要自行用 DEFINE_GUID 声明,具体实现需要根据实际需求进行修改。