Writing filters and conditions

Good day sir.

Thank you so much for the reference documentation.

I am aware that I need to write conditions and filters to allow certain
DNS queries to pass while blocking others.

I want to know how I write these filters.

Your response is highly needed.

On 8/10/17, xxxxx@hotmail.com wrote:
> Please see this
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/bb451831(v=vs.85).aspx
>
> Clearly FWPM_LAYER_ALE_AUTH_CONNECT_V4 is a correct layer to intercept DNS
> queries.
>
> At this point remote address can be changed and dns query redirected.
>
>
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list online at:
> http:
>
> MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
> drivers!
> Details at http:
>
> To unsubscribe, visit the List Server section of OSR Online at
> http:

Hi

There are 2 types of packet modification.

  1. Changing the 5-tuple (src, dest, srcport, destport, protocol). This is achieved by modifying the IP header and the transport header.

  2. Changing the payload.

You have to get the data from the NET_BUFFER_LIST using NdisGetDataBuffer and then change it.

Packet modification is described in Microsoft's WFP Sampler sample.


From: xxxxx@lists.osr.com on behalf of tope awolowo
Sent: Friday, August 11, 2017 3:17 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Writing filters and conditions


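Added example, not code from this thread, from the WFP Sampler, or from Microsoft: a small C model of how WFP filter conditions combine, written for the "how do I write these filters" question and the 5-tuple discussion above. It does not call the Windows Filtering Platform API; it mirrors the documented semantics of FWPM_FILTER0 and FWPM_FILTER_CONDITION0 (conditions on the same field are ORed, conditions on different fields are ANDed, and within one sub-layer the highest-weight matching filter decides) so it compiles and runs anywhere. The filter names, weights, resolver addresses (10.0.0.53 and 10.0.0.54) and the sample flows are all constructed. In a real driver or service the same table would be expressed as FWPM_FILTER0 structures at FWPM_LAYER_ALE_AUTH_CONNECT_V4, with FWPM_CONDITION_IP_PROTOCOL, FWPM_CONDITION_IP_REMOTE_ADDRESS and FWPM_CONDITION_IP_REMOTE_PORT conditions, and installed with FwpmFilterAdd0.

```c
#include <stdio.h>
#include <stdint.h>

/* Condition fields. Each stands in for a WFP condition GUID valid at
   FWPM_LAYER_ALE_AUTH_CONNECT_V4: FWPM_CONDITION_IP_PROTOCOL,
   FWPM_CONDITION_IP_REMOTE_ADDRESS and FWPM_CONDITION_IP_REMOTE_PORT. */
typedef enum { F_PROTOCOL, F_REMOTE_ADDR, F_REMOTE_PORT } field_t;
typedef enum { M_EQUAL, M_RANGE } match_t;   /* FWP_MATCH_EQUAL, FWP_MATCH_RANGE */
typedef enum { A_PERMIT, A_BLOCK } action_t; /* FWP_ACTION_PERMIT, FWP_ACTION_BLOCK */

/* One FWPM_FILTER_CONDITION0: fieldKey, matchType, conditionValue (hi used for RANGE only). */
typedef struct { field_t field; match_t match; uint32_t lo, hi; } condition_t;

/* One FWPM_FILTER0 in a single sub-layer: weight orders filters, higher first. */
typedef struct {
    const char *name;
    uint32_t weight;
    const condition_t *cond;
    int ncond;
    action_t action;
} filter_t;

/* The part of the classified flow these conditions examine. */
typedef struct { uint8_t proto; uint32_t raddr; uint16_t rport; } flow_t;
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* Host-byte-order IPv4 address, the form FWP_UINT32 condition values use. */
uint32_t ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Constructed policy; 10.0.0.53 and 10.0.0.54 are hypothetical approved resolvers.
   The two F_REMOTE_ADDR conditions in one filter are ORed, exactly as WFP does. */
static const condition_t approved_dns[] = {
    { F_PROTOCOL,    M_EQUAL, PROTO_UDP,  0 },
    { F_REMOTE_ADDR, M_EQUAL, 0x0A000035, 0 }, /* 10.0.0.53 */
    { F_REMOTE_ADDR, M_EQUAL, 0x0A000036, 0 }, /* 10.0.0.54 */
    { F_REMOTE_PORT, M_EQUAL, 53,         0 },
};
static const condition_t any_dns[] = {
    { F_PROTOCOL,    M_EQUAL, PROTO_UDP, 0 },
    { F_PROTOCOL,    M_EQUAL, PROTO_TCP, 0 },
    { F_REMOTE_PORT, M_EQUAL, 53,        0 },
};
static const filter_t policy[] = {
    { "permit DNS to approved resolvers", 30, approved_dns, 4, A_PERMIT },
    { "block all other DNS",              20, any_dns,      3, A_BLOCK  },
    { "default permit",                   10, NULL,         0, A_PERMIT },
};
#define NPOLICY ((int)(sizeof policy / sizeof policy[0]))

static uint32_t field_value(const flow_t *f, field_t field) {
    switch (field) {
    case F_PROTOCOL:    return f->proto;
    case F_REMOTE_ADDR: return f->raddr;
    default:            return f->rport;
    }
}

static int condition_matches(const condition_t *c, const flow_t *f) {
    uint32_t v = field_value(f, c->field);
    return c->match == M_EQUAL ? v == c->lo : (v >= c->lo && v <= c->hi);
}

/* WFP semantics: conditions on the same field are ORed, conditions on
   different fields are ANDed; a filter with no conditions matches everything. */
int filter_matches(const filter_t *flt, const flow_t *f) {
    for (int i = 0; i < flt->ncond; i++) {
        int any = 0;
        for (int j = 0; j < flt->ncond && !any; j++)
            if (flt->cond[j].field == flt->cond[i].field)
                any = condition_matches(&flt->cond[j], f);
        if (!any) return 0;
    }
    return 1;
}

/* Within one sub-layer the highest-weight matching filter decides. */
const filter_t *classify(const flow_t *f) {
    const filter_t *best = NULL;
    for (int i = 0; i < NPOLICY; i++)
        if (filter_matches(&policy[i], f) && (!best || policy[i].weight > best->weight))
            best = &policy[i];
    return best;
}

action_t action_for(const flow_t *f) {
    const filter_t *hit = classify(f);
    return hit ? hit->action : A_BLOCK; /* nothing matched: fail closed */
}

int main(void) {
    /* Constructed sample flows: approved DNS, foreign UDP and TCP DNS, unrelated HTTPS. */
    flow_t flows[] = { { PROTO_UDP, ipv4(10, 0, 0, 53), 53 }, { PROTO_UDP, ipv4(192, 0, 2, 1), 53 },
                       { PROTO_TCP, ipv4(192, 0, 2, 1), 53 }, { PROTO_TCP, ipv4(198, 51, 100, 7), 443 } };
    for (int i = 0; i < 4; i++) {
        const filter_t *hit = classify(&flows[i]);
        printf("proto %u -> %08x:%u : %s (%s)\n", (unsigned)flows[i].proto, (unsigned)flows[i].raddr,
               (unsigned)flows[i].rport, hit->action == A_PERMIT ? "PERMIT" : "BLOCK", hit->name);
    }
    return 0;
}
```

The ordering is the point: the allow-list filter carries the highest weight so it is consulted before the broader block, and the catch-all permit sits lowest so non-DNS traffic is untouched. Keep related permit and block filters in the same sub-layer; across sub-layers the engine's own arbitration (and FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT) governs whether a permit can be overridden, which this model does not cover.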