stsf

Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • in reply to: Filter setup to redirect everything except one ip/port #7196
    stsf
    Participant

    @SerpentFly wrote:

    Packet is matched against the filters list and first matching filter action is applied. So there is probably something wrong with your first filter.

    Yeah, just came here to say that I found out what was wrong a few minutes ago. In short, I was being stupid.

    I was using the “block ntkernel.com” filter as an example, and I changed its filter action to pass.
    That filter was set up to look at the destination address and destination ports.

    I had to set up another filter to catch source address and source ports; that solved the issue.

    So my new filter setup, for anyone interested in doing the same, is:

    filter 1 – pass tcp ipv4 packets with destination address of 192.168.7.22:80
    filter 2 – pass tcp ipv4 packets with source address of 192.168.7.22:80
    filter 3 – send all tcp ipv4 packets to user mode
    filter 4 – pass all packets
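
The first-match rule from the quoted reply, applied to the four-filter setup above, as an added example that is not part of the original post and does not use the WinpkFilter API. It is a plain Python model; the client and other host addresses are constructed, and the `dest_only` and `redirect_first` tables are variations built here to show the two failure modes (no source filter, and the redirect filter placed first).

```python
from dataclasses import dataclass
from typing import Optional

PASS, REDIRECT = "pass", "redirect"  # model stand-ins for the two filter actions

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)

@dataclass(frozen=True)
class Filter:
    action: str
    proto: Optional[str] = None  # None means the field is not checked
    src: Optional[tuple] = None
    dst: Optional[tuple] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst))

def decide(table, pkt):
    """Return (action, 1-based filter number) of the first filter that matches."""
    for number, f in enumerate(table, 1):
        if f.matches(pkt):
            return f.action, number
    return None, 0  # nothing matched; the model defines no default action

HOST = ("192.168.7.22", 80)        # address and port from the post
CLIENT = ("192.168.7.10", 50000)   # constructed sample endpoint

working = [Filter(PASS, "tcp", dst=HOST),   # filter 1
           Filter(PASS, "tcp", src=HOST),   # filter 2
           Filter(REDIRECT, "tcp"),         # filter 3
           Filter(PASS)]                    # filter 4
dest_only = [working[0], working[2], working[3]]                  # no source filter
redirect_first = [working[2], working[0], working[1], working[3]]  # wrong order

request = Packet("tcp", CLIENT, HOST)                 # client -> 192.168.7.22:80
reply = Packet("tcp", HOST, CLIENT)                   # 192.168.7.22:80 -> client
other = Packet("tcp", CLIENT, ("192.168.7.30", 443))  # unrelated TCP (constructed)
dns = Packet("udp", CLIENT, ("192.168.7.1", 53))      # non-TCP (constructed)

def outcomes(table):
    """Actions applied to request, reply, other and dns, in that order."""
    return [decide(table, p)[0] for p in (request, reply, other, dns)]
```

With `dest_only`, the reply from 192.168.7.22:80 falls through to the redirect filter, which is why the second pass filter on source address and port is needed.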

    in reply to: Implementing filter functionality in C# #7183
    stsf
    Participant

    So I came up with somewhat of a solution to the post above, after heavy experimentation:

    Here is the C# version of the 2nd case in filter.cpp – process port 80, pass everything else:

    var filter1 = new STATIC_FILTER();

    filter1.m_Adapter = 0;
    filter1.m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND;
    filter1.m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT;
    filter1.m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID;

    // Network layer filter
    filter1.m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4;
    filter1.m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL;
    filter1.m_NetworkFilter.m_IPv4.m_Protocol = 6;

    // Transport layer filter
    filter1.m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP;
    filter1.m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT;
    filter1.m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
    filter1.m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;

    var filter2 = new STATIC_FILTER();

    filter2.m_Adapter = 0;
    filter2.m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE;
    filter2.m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT;
    filter2.m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID;

    // Network layer filter
    filter2.m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4;
    filter2.m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL;
    filter2.m_NetworkFilter.m_IPv4.m_Protocol = 6;

    // Transport layer filter
    filter2.m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP;
    filter2.m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_SRC_PORT;
    // TCPUDP_SRC_PORT is the valid field, so the range goes in m_SourcePort
    filter2.m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
    filter2.m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;

    /// IPV6
    ///
    var filter3 = new STATIC_FILTER();

    filter3.m_Adapter = 0;
    filter3.m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND;
    filter3.m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT;
    filter3.m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID;

    // Network layer filter
    filter3.m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV6;
    // The union selector is IPV6, so the IPv6 member of the union is filled in
    filter3.m_NetworkFilter.m_IPv6.m_ValidFields = Ndisapi.IP_V6_FILTER_PROTOCOL;
    filter3.m_NetworkFilter.m_IPv6.m_Protocol = 6;

    // Transport layer filter
    filter3.m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP;
    filter3.m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT;
    filter3.m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP
    filter3.m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80;

    var filter4 = new STATIC_FILTER();

    filter4.m_Adapter = 0;
    filter4.m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE;
    filter4.m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT;
    filter4.m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID;

    // Network layer filter
    filter4.m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV6;
    // The union selector is IPV6, so the IPv6 member of the union is filled in
    filter4.m_NetworkFilter.m_IPv6.m_ValidFields = Ndisapi.IP_V6_FILTER_PROTOCOL;
    filter4.m_NetworkFilter.m_IPv6.m_Protocol = 6;

    // Transport layer filter
    filter4.m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP;
    filter4.m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_SRC_PORT;
    // TCPUDP_SRC_PORT is the valid field, so the range goes in m_SourcePort
    filter4.m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP
    filter4.m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80;

    var filter5 = new STATIC_FILTER();
    //filter5.m_Adapter.QuadPart = 0; // applied to all adapters
    filter5.m_Adapter = 0;
    filter5.m_ValidFields = 0;
    filter5.m_FilterAction = Ndisapi.FILTER_PACKET_PASS;
    filter5.m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND;

    //STATIC_FILTER[] filterarray = new STATIC_FILTER[5];
    //filterarray[0] = filter1;
    //filterarray[1] = filter2;
    //filterarray[2] = filter3;
    //filterarray[3] = filter4;
    //filterarray[4] = filter5;

    var filtertable = new STATIC_FILTER_TABLE();

    filtertable.m_TableSize = 5;
    filtertable.m_StaticFilters = new STATIC_FILTER[256];
    filtertable.m_StaticFilters[0] = filter1;
    filtertable.m_StaticFilters[1] = filter2;
    filtertable.m_StaticFilters[2] = filter3;
    filtertable.m_StaticFilters[3] = filter4;
    filtertable.m_StaticFilters[4] = filter5;

    Ndisapi.SetPacketFilterTable(driverPtr, ref filtertable);

    However – after figuring this out, I discovered a new issue that I cannot solve:

    If my goal was to process every packet EXCEPT port 80, I would assume I would change Ndisapi.FILTER_PACKET_REDIRECT to Ndisapi.FILTER_PACKET_PASS in the filters above and vice versa.

    However, when I do this, the packets to port 80 still end up being processed. I have tried re-arranging the order that I put them into the filter, and that did not yield any results.

    I was wondering – how would it be possible to achieve this scenario – to process all packets EXCEPT a particular port?

    in reply to: Modifying the WinpkFilter C# Packet filter code question #7180
    stsf
    Participant

    Figured the problem out, replying here if anyone encountered the same thing.

    Instead of using the PacketFilter project, I should have used the passthrough project – which looks rather similar – but has some key differences:

    1. The dwFlags loaded in the new adapter mode
    2. The sendPacketToAdapter and sendPacketToMstcp function calls at the end of the loop when processing an individual packet – that’s what I was looking for. I ended up changing “WriteToConsole” to test the packet, and if it failed – I just did not call the functions above.

    Thanks again – you have a great product
