2014-12-29 23:32:38 chip
Page 1152
📢 PUBLIC
Stream inspection and modification, from WDK samples.
Download as text: [FILE 7033]
oob_edit:
/*++
Copyright (c) Microsoft Corporation. All rights reserved
Abstract:
Stream Edit Callout Driver Sample.
This sample demonstrates Out-of-band (OOB) stream inspection/editing
via the WFP stream API.
Environment:
Kernel mode
--*/
#include <ntddk.h>
#pragma warning(push)
#pragma warning(disable:4201) // unnamed struct/union
#include <fwpsk.h>
#pragma warning(pop)
#include <fwpmk.h>
#include "inline_edit.h"
#include "oob_edit.h"
#include "stream_callout.h"
#define STREAM_EDITOR_OUTGOING_DATA_TAG 'doeS'
#define STREAM_EDITOR_MDL_DATA_TAG 'dmeS'
void* gThreadObj;
KSTART_ROUTINE StreamOobEditWorker;
NTSTATUS
OobEditInit(
_Out_ STREAM_EDITOR* streamEditor
)
{
NTSTATUS status = STATUS_SUCCESS;
HANDLE threadHandle;
streamEditor->editInline = FALSE;
KeInitializeSpinLock(&streamEditor->oobEditInfo.editLock);
KeInitializeEvent(
&streamEditor->oobEditInfo.editEvent,
NotificationEvent,
FALSE
);
streamEditor->oobEditInfo.busyThreshold = 32 * 1024;
streamEditor->oobEditInfo.editState = OOB_EDIT_IDLE;
InitializeListHead(&streamEditor->oobEditInfo.outgoingDataQueue);
status = PsCreateSystemThread(
&threadHandle,
THREAD_ALL_ACCESS,
NULL,
NULL,
NULL,
StreamOobEditWorker,
&gStreamEditor
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
status = ObReferenceObjectByHandle(
threadHandle,
0,
NULL,
KernelMode,
&gThreadObj,
NULL
);
NT_ASSERT(NT_SUCCESS(status));
ZwClose(threadHandle);
Exit:
return status;
}
void
OobEditShutdown(
_Out_ STREAM_EDITOR* streamEditor
)
{
KLOCK_QUEUE_HANDLE editLockHandle;
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
streamEditor->oobEditInfo.shuttingDown = TRUE;
switch (streamEditor->oobEditInfo.editState)
{
case OOB_EDIT_IDLE:
{
streamEditor->oobEditInfo.editState = OOB_EDIT_SHUT_DOWN;
KeSetEvent(
&gStreamEditor.oobEditInfo.editEvent,
IO_NO_INCREMENT,
FALSE
);
break;
}
default:
break;
};
KeReleaseInStackQueuedSpinLock(&editLockHandle);
NT_ASSERT(gThreadObj != NULL);
KeWaitForSingleObject(
gThreadObj,
Executive,
KernelMode,
FALSE,
NULL
);
ObDereferenceObject(gThreadObj);
}
__inline
NET_BUFFER_LIST*
TailOfNetBufferListChain(
_In_ NET_BUFFER_LIST* netBufferListChain
)
{
NT_ASSERT(netBufferListChain != NULL);
while (netBufferListChain->Next != NULL)
{
netBufferListChain = netBufferListChain->Next;
}
return netBufferListChain;
}
void
NTAPI
StreamOobInjectCompletionFn(
_Inout_ void* context,
_Inout_ NET_BUFFER_LIST* netBufferList,
BOOLEAN dispatchLevel
)
/* ++
Injection completion function for injecting an NBL created using
FwpsAllocateNetBufferAndNetBufferList. This function frees up
resources allocated during StreamOobReinjectData().
-- */
{
MDL* mdl = (MDL*)context;
UNREFERENCED_PARAMETER(dispatchLevel);
FwpsFreeNetBufferList(netBufferList);
if (mdl != NULL)
{
IoFreeMdl(mdl);
//
// The MDL mapped over a pool alloc which we need to free here.
//
ExFreePoolWithTag(
mdl->MappedSystemVa,
STREAM_EDITOR_MDL_DATA_TAG
);
}
}
void
NTAPI StreamOobInjectCloneCompletionFn(
_Inout_ void* context,
_Inout_ NET_BUFFER_LIST* netBufferList,
BOOLEAN dispatchLevel
)
/* ++
Injection completion function for injecting one of the NBLs cloned
via FwpsCloneStreamData.
FwpsCloneStreamData can return a chain of cloned NBLs; each NBL will
complete separately.
-- */
{
UNREFERENCED_PARAMETER(context);
UNREFERENCED_PARAMETER(dispatchLevel);
FwpsFreeCloneNetBufferList(netBufferList, 0);
}
NTSTATUS
StreamOobQueueUpIncomingData(
_Inout_ STREAM_EDITOR* streamEditor,
_Inout_ FWPS_STREAM_DATA* streamData
)
/* ++
This function clones the indicated stream data into a NBL chain and
appends the chain at the end of the existing chain (if exists) inside
the streamEditor.
This function assumes that the oobEditInfo lock inside streamEditor is
being held.
-- */
{
NTSTATUS status;
NET_BUFFER_LIST* clonedNetBufferListChain;
status = FwpsCloneStreamData(
streamData,
NULL,
NULL,
0,
&clonedNetBufferListChain
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
//
// TCP Fin (EOF) is indicated by an empty NBL with disconnect flag
// set, since it does not contain any data we queue it up separately.
//
if ((streamData->flags & FWPS_STREAM_FLAG_SEND_DISCONNECT) ||
(streamData->flags & FWPS_STREAM_FLAG_RECEIVE_DISCONNECT))
{
NT_ASSERT(streamEditor->oobEditInfo.noMoreData);
NT_ASSERT(streamEditor->oobEditInfo.nblEof == NULL);
NT_ASSERT(streamData->dataLength == 0);
streamEditor->oobEditInfo.nblEof = clonedNetBufferListChain;
status = STATUS_SUCCESS;
goto Exit;
}
if (streamEditor->oobEditInfo.nblTail != NULL)
{
NT_ASSERT(streamEditor->oobEditInfo.nblHead != NULL);
NT_ASSERT(streamEditor->oobEditInfo.nblTail->Next == NULL);
streamEditor->oobEditInfo.nblTail->Next = clonedNetBufferListChain;
}
else
{
NT_ASSERT(streamEditor->oobEditInfo.nblHead == NULL);
streamEditor->oobEditInfo.nblHead = clonedNetBufferListChain;
}
streamEditor->oobEditInfo.nblTail =
TailOfNetBufferListChain(clonedNetBufferListChain);
streamEditor->oobEditInfo.totalDataLength += streamData->dataLength;
streamEditor->oobEditInfo.streamFlags = streamData->flags;
Exit:
return status;
}
void
StreamOobEdit(
_Inout_ STREAM_EDITOR* streamEditor,
const FWPS_INCOMING_VALUES* inFixedValues,
const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
const FWPS_FILTER* filter,
_Inout_ FWPS_STREAM_DATA* streamData,
_Inout_ FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket,
_Inout_ FWPS_CLASSIFY_OUT* classifyOut
)
/* ++
This function queues up incoming data and notifies the worker thread
to process them. The incoming data is blocked and removed from the
stream while data is pending.
If the editor is shutdown (e.g. during driverUnload) as indicated
by OOB_EDIT_SHUT_DOWN state, it permits the indicated data inline after
flushing all pended data (to be carried out by the caller).
-- */
{
NTSTATUS status;
KLOCK_QUEUE_HANDLE editLockHandle;
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
if (streamEditor->oobEditInfo.nblEof != NULL)
{
//
// A new flow arrives before we finish processing an earlier flow. Production
// code should create 1:1 between streamEditor and flow to handle this
// condition. See the "MSN Monitor sample" for how that can be implemented.
//
ioPacket->streamAction = FWPS_STREAM_ACTION_DROP_CONNECTION;
classifyOut->actionType = FWP_ACTION_NONE;
goto Exit;
}
if (classifyOut->flags & FWPS_CLASSIFY_OUT_FLAG_NO_MORE_DATA)
{
NT_ASSERT(streamEditor->oobEditInfo.nblEof == NULL);
streamEditor->oobEditInfo.noMoreData = TRUE;
}
//
// Record needed flow information etc for data (re-)injection.
//
streamEditor->oobEditInfo.calloutId = filter->action.calloutId;
streamEditor->oobEditInfo.flowId = inMetaValues->flowHandle;
streamEditor->oobEditInfo.layerId = inFixedValues->layerId;
switch (streamEditor->oobEditInfo.editState)
{
case OOB_EDIT_PROCESSING:
{
if ((streamEditor->oobEditInfo.totalDataLength + streamData->dataLength) >
streamEditor->oobEditInfo.busyThreshold)
{
ioPacket->streamAction = FWPS_STREAM_ACTION_DEFER;
classifyOut->actionType = FWP_ACTION_NONE;
streamEditor->oobEditInfo.editState = OOB_EDIT_BUSY;
}
else
{
status = StreamOobQueueUpIncomingData(
streamEditor,
streamData
);
if (!NT_SUCCESS(status))
{
streamEditor->oobEditInfo.editState = OOB_EDIT_ERROR;
ioPacket->streamAction = FWPS_STREAM_ACTION_DROP_CONNECTION;
classifyOut->actionType = FWP_ACTION_NONE;
}
else
{
//
// State remains at OOB_EDIT_PROCESSING state. Since the worker thread
// is active there is no need to set the event (to wake it up)
//
ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;
ioPacket->countBytesEnforced = 0;
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
}
break;
}
case OOB_EDIT_IDLE:
{
status = StreamOobQueueUpIncomingData(
streamEditor,
streamData
);
if (!NT_SUCCESS(status))
{
streamEditor->oobEditInfo.editState = OOB_EDIT_ERROR;
ioPacket->streamAction = FWPS_STREAM_ACTION_DROP_CONNECTION;
classifyOut->actionType = FWP_ACTION_NONE;
}
else
{
streamEditor->oobEditInfo.editState = OOB_EDIT_PROCESSING;
//
// The worker thread is idle waiting for more work, now wake it up.
//
KeSetEvent(
&streamEditor->oobEditInfo.editEvent,
0,
FALSE
);
ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;
ioPacket->countBytesEnforced = 0;
classifyOut->actionType = FWP_ACTION_BLOCK;
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
break;
}
case OOB_EDIT_SHUT_DOWN:
{
ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;
ioPacket->countBytesEnforced = 0;
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
break;
}
case OOB_EDIT_ERROR:
{
ioPacket->streamAction = FWPS_STREAM_ACTION_DROP_CONNECTION;
classifyOut->actionType = FWP_ACTION_NONE;
break;
}
default:
NT_ASSERT(FALSE);
};
Exit:
KeReleaseInStackQueuedSpinLock(&editLockHandle);
}
NTSTATUS
StreamOobQueueUpOutgoingData(
_Inout_ STREAM_EDITOR* streamEditor,
_Inout_ NET_BUFFER_LIST* netBufferList,
BOOLEAN isClone,
size_t dataLength,
DWORD streamFlags,
_In_opt_ MDL* mdl
)
/* ++
This function queues up processed data (either sections of the indicated
data or newly created data) such that they can be (re-)injected back to
the data stream during the following context.
1. Before FWP_ACTION_BLOCK is returned from the ClassifyFn, or
2. After EOF is indicated.
Under the conditions above, the incoming data (which we pend) and the
outgoing data (which we (re-)inject) can be synchronized properly).
-- */
{
NTSTATUS status = STATUS_SUCCESS;
KLOCK_QUEUE_HANDLE editLockHandle;
OUTGOING_STREAM_DATA* outgoingStreamData;
outgoingStreamData = (OUTGOING_STREAM_DATA*) ExAllocatePoolWithTag(
NonPagedPool,
sizeof(OUTGOING_STREAM_DATA),
STREAM_EDITOR_OUTGOING_DATA_TAG
);
if (outgoingStreamData == NULL)
{
status = STATUS_NO_MEMORY;
return status;
}
RtlZeroMemory(outgoingStreamData, sizeof(OUTGOING_STREAM_DATA));
outgoingStreamData->netBufferList = netBufferList;
outgoingStreamData->isClone = isClone;
outgoingStreamData->dataLength = dataLength;
outgoingStreamData->streamFlags = streamFlags;
outgoingStreamData->mdl = mdl;
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
InsertTailList(
&streamEditor->oobEditInfo.outgoingDataQueue,
&outgoingStreamData->listEntry
);
KeReleaseInStackQueuedSpinLock(&editLockHandle);
return status;
}
NTSTATUS
StreamOobFlushOutgoingData(
_Inout_ STREAM_EDITOR* streamEditor
)
{
NTSTATUS status = STATUS_SUCCESS;
KLOCK_QUEUE_HANDLE editLockHandle;
OUTGOING_STREAM_DATA* outgoingStreamData = NULL;
for(;;)
{
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
if (!IsListEmpty(&streamEditor->oobEditInfo.outgoingDataQueue))
{
LIST_ENTRY* listEntry =
RemoveHeadList(&streamEditor->oobEditInfo.outgoingDataQueue);
outgoingStreamData = CONTAINING_RECORD(
listEntry,
OUTGOING_STREAM_DATA,
listEntry
);
}
KeReleaseInStackQueuedSpinLock(&editLockHandle);
if (outgoingStreamData == NULL)
{
break;
}
status = FwpsStreamInjectAsync(
gInjectionHandle,
NULL,
0,
streamEditor->oobEditInfo.flowId,
streamEditor->oobEditInfo.calloutId,
streamEditor->oobEditInfo.layerId,
outgoingStreamData->streamFlags,
outgoingStreamData->netBufferList,
outgoingStreamData->dataLength,
outgoingStreamData->isClone ? StreamOobInjectCloneCompletionFn :
StreamOobInjectCompletionFn,
outgoingStreamData->mdl
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
ExFreePoolWithTag(
outgoingStreamData,
STREAM_EDITOR_OUTGOING_DATA_TAG
);
outgoingStreamData = NULL;
}
Exit:
if (outgoingStreamData != NULL)
{
NT_ASSERT(!NT_SUCCESS(status));
if (outgoingStreamData->isClone)
{
FwpsDiscardClonedStreamData(
outgoingStreamData->netBufferList,
0,
FALSE
);
}
else
{
FwpsFreeNetBufferList(outgoingStreamData->netBufferList);
if (outgoingStreamData->mdl != NULL)
{
IoFreeMdl(outgoingStreamData->mdl);
ExFreePoolWithTag(
outgoingStreamData->mdl->MappedSystemVa,
STREAM_EDITOR_MDL_DATA_TAG
);
}
}
ExFreePoolWithTag(
outgoingStreamData,
STREAM_EDITOR_OUTGOING_DATA_TAG
);
}
return status;
}
NTSTATUS
StreamOobReinjectData(
_Inout_ STREAM_EDITOR* streamEditor,
UINT32 streamFlags,
const void* data,
size_t length
)
/* ++
This function injects a section of the original indicated data back
to the data stream.
An MDL is allocated to describe the data section.
-- */
{
NTSTATUS status;
void* dataCopy = NULL;
MDL* mdl = NULL;
NET_BUFFER_LIST* netBufferList = NULL;
dataCopy = ExAllocatePoolWithTag(
NonPagedPool,
length,
STREAM_EDITOR_MDL_DATA_TAG
);
if (dataCopy == NULL)
{
status = STATUS_NO_MEMORY;
goto Exit;
}
RtlCopyMemory(dataCopy, data, length);
mdl = IoAllocateMdl(
dataCopy,
(ULONG)length,
FALSE,
FALSE,
NULL
);
if (mdl == NULL)
{
status = STATUS_NO_MEMORY;
goto Exit;
}
MmBuildMdlForNonPagedPool(mdl);
status = FwpsAllocateNetBufferAndNetBufferList(
gNetBufferListPool,
0,
0,
mdl,
0,
length,
&netBufferList
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
NT_ASSERT(!(streamFlags & FWPS_STREAM_FLAG_SEND_DISCONNECT) &&
!(streamFlags & FWPS_STREAM_FLAG_RECEIVE_DISCONNECT));
status = StreamOobQueueUpOutgoingData(
streamEditor,
netBufferList,
FALSE,
length,
streamFlags,
mdl
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
dataCopy = NULL;
mdl = NULL;
netBufferList = NULL;
Exit:
if (netBufferList != NULL)
{
FwpsFreeNetBufferList(netBufferList);
}
if (mdl != NULL)
{
IoFreeMdl(mdl);
}
if (dataCopy != NULL)
{
ExFreePoolWithTag(
dataCopy,
STREAM_EDITOR_MDL_DATA_TAG
);
}
return status;
}
NTSTATUS
StreamOobInjectReplacement(
_Inout_ STREAM_EDITOR* streamEditor,
UINT32 streamFlags,
_In_opt_ MDL* data,
size_t length
)
/* ++
This function injects a section of replacement data (in place of data
removed from the stream) into the data stream.
The MDL describes the replacement data is allocated during DriverEntry
and does not need to be freed during injection completion.
-- */
{
NTSTATUS status;
NET_BUFFER_LIST* netBufferList = NULL;
status = FwpsAllocateNetBufferAndNetBufferList(
gNetBufferListPool,
0,
0,
data,
0,
length,
&netBufferList
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
NT_ASSERT(!(streamFlags & FWPS_STREAM_FLAG_SEND_DISCONNECT) &&
!(streamFlags & FWPS_STREAM_FLAG_RECEIVE_DISCONNECT));
status = StreamOobQueueUpOutgoingData(
streamEditor,
netBufferList,
FALSE,
length,
streamFlags,
NULL
);
if (!NT_SUCCESS(status))
{
FwpsFreeNetBufferList(netBufferList);
goto Exit;
}
netBufferList = NULL;
Exit:
if (netBufferList != NULL)
{
FwpsFreeNetBufferList(netBufferList);
}
return status;
}
NTSTATUS
StreamOobCopyDataToFlatBuffer(
_Inout_ STREAM_EDITOR* streamEditor,
_Inout_ NET_BUFFER_LIST* netBufferListChain,
size_t totalDataLength,
DWORD streamFlags
)
/* ++
This function copies the data described by NBL(s) into a flat buffer.
It reuses the FwpsCopyStreamDataToBuffer API (via StreamCopyDataForInspection)
by creating a FWPS_STREAM_DATA struct.
-- */
{
NTSTATUS status = STATUS_SUCCESS;
FWPS_STREAM_DATA streamData = {0};
if (totalDataLength > 0)
{
streamData.netBufferListChain = netBufferListChain;
streamData.dataLength = totalDataLength;
streamData.flags = streamFlags;
streamData.dataOffset.netBufferList = netBufferListChain;
streamData.dataOffset.netBuffer =
NET_BUFFER_LIST_FIRST_NB(streamData.dataOffset.netBufferList);
streamData.dataOffset.mdl =
NET_BUFFER_CURRENT_MDL(streamData.dataOffset.netBuffer);
streamData.dataOffset.mdlOffset =
NET_BUFFER_CURRENT_MDL_OFFSET(streamData.dataOffset.netBuffer);
if (StreamCopyDataForInspection(
streamEditor,
&streamData
) == FALSE)
{
status = STATUS_NO_MEMORY;
}
}
return status;
}
NTSTATUS
StreamOobEditData(
_Inout_ STREAM_EDITOR* streamEditor,
_Inout_ NET_BUFFER_LIST* netBufferListChain,
size_t totalDataLength,
DWORD streamFlags
)
/* ++
This function first copies the stream data into a flat inspection buffer;
it then parses the buffer looking for the matching pattern. For
non-matching sections it re-injects the data back; for a match it skips
over and injects an replacement section.
If a match can not be determined due to lack of data, it injects the
non-matching section back and moves the potential match to the beginning
of the inspection buffer.
When an EOF is reached, it flushes all processed stream sections back
and re-injects the FIN back to end the stream.
-- */
{
NTSTATUS status = STATUS_SUCCESS;
UINT i = 0;
BOOLEAN streamModified = FALSE;
BOOLEAN potentialMatch = FALSE;
BYTE* dataStart;
UINT findLength = (UINT) strlen(configStringToFind);
status = StreamOobCopyDataToFlatBuffer(
streamEditor,
netBufferListChain,
totalDataLength,
streamFlags
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
dataStart = (BYTE*)streamEditor->scratchBuffer + streamEditor->dataOffset;
for (; i < streamEditor->dataLength; ++i)
{
if (i + findLength <= streamEditor->dataLength)
{
if (RtlCompareMemory(
dataStart + i,
configStringToFind,
findLength
) == findLength)
{
if (i != 0)
{
status = StreamOobReinjectData(
streamEditor,
streamFlags,
dataStart,
i
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
streamEditor->dataOffset += i;
streamEditor->dataLength -= i;
i = 0;
}
status = StreamOobInjectReplacement(
streamEditor,
streamFlags,
gStringToReplaceMdl,
strlen(configStringToReplace)
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
streamEditor->dataOffset += findLength;
streamEditor->dataLength -= findLength;
streamModified = TRUE;
if (streamEditor->dataLength > 0)
{
dataStart = (BYTE*)streamEditor->scratchBuffer + streamEditor->dataOffset;
--i;
continue;
}
else
{
streamEditor->dataOffset = 0;
}
}
}
else
{
if (streamEditor->oobEditInfo.noMoreData)
{
break;
}
if (RtlCompareMemory(
dataStart + i,
configStringToFind,
streamEditor->dataLength - i
) == streamEditor->dataLength - i)
{
potentialMatch = TRUE; // this is a partial find
status = StreamOobReinjectData(
streamEditor,
streamFlags,
dataStart,
i
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
RtlMoveMemory(
(BYTE*)streamEditor->scratchBuffer,
dataStart + i,
streamEditor->dataLength - i
);
streamEditor->dataOffset = 0;
streamEditor->dataLength = streamEditor->dataLength - i;
break;
}
}
}
if (streamModified && streamEditor->dataLength > 0)
{
status = StreamOobReinjectData(
streamEditor,
streamFlags,
dataStart,
streamEditor->dataLength
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
streamEditor->dataOffset = 0;
streamEditor->dataLength = 0;
}
if (!streamModified && !potentialMatch)
{
if (totalDataLength > 0)
{
NT_ASSERT(!(streamFlags & FWPS_STREAM_FLAG_SEND_DISCONNECT) &&
!(streamFlags & FWPS_STREAM_FLAG_RECEIVE_DISCONNECT));
status = StreamOobQueueUpOutgoingData(
streamEditor,
netBufferListChain,
TRUE,
totalDataLength,
streamFlags,
NULL
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
netBufferListChain = NULL;
}
else if (streamEditor->dataLength > 0)
{
status = StreamOobReinjectData(
streamEditor,
streamFlags,
dataStart,
streamEditor->dataLength
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
}
streamEditor->dataOffset = 0;
streamEditor->dataLength = 0;
}
if (streamEditor->oobEditInfo.nblEof != NULL)
{
status = StreamOobFlushOutgoingData(streamEditor);
if (!NT_SUCCESS(status))
{
goto Exit;
}
status = FwpsStreamInjectAsync(
gInjectionHandle,
NULL,
0,
streamEditor->oobEditInfo.flowId,
streamEditor->oobEditInfo.calloutId,
streamEditor->oobEditInfo.layerId,
streamFlags | (configInspectionOutbound ? FWPS_STREAM_FLAG_SEND_DISCONNECT :
FWPS_STREAM_FLAG_RECEIVE_DISCONNECT),
streamEditor->oobEditInfo.nblEof,
0,
StreamOobInjectCompletionFn,
NULL
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
streamEditor->oobEditInfo.nblEof = NULL;
streamEditor->oobEditInfo.noMoreData = FALSE;
}
Exit:
if (netBufferListChain != NULL)
{
FwpsDiscardClonedStreamData(
netBufferListChain,
0,
FALSE
);
}
if (streamEditor->oobEditInfo.nblEof != NULL)
{
FwpsDiscardClonedStreamData(
streamEditor->oobEditInfo.nblEof,
0,
FALSE
);
streamEditor->oobEditInfo.nblEof = NULL;
}
return status;
}
_IRQL_requires_same_
_Function_class_(KSTART_ROUTINE)
void
StreamOobEditWorker(
_In_ void* StartContext
)
/* ++
This function waits for an event which gets signalled when there is data
waiting to be inspected.
Once awaken, the worker thread edits the stream until all stream data is
processed (and then it waits for more work again).
When requested to shutdown, it will finish the editing task and enters
"shutdown" state.
-- */
{
NTSTATUS status = STATUS_SUCCESS;
NET_BUFFER_LIST* netBufferListChain = NULL;
size_t totalDataLength;
STREAM_EDITOR* streamEditor = (STREAM_EDITOR*)StartContext;
DWORD streamFlags;
for(;;)
{
KLOCK_QUEUE_HANDLE editLockHandle;
KeWaitForSingleObject(
&streamEditor->oobEditInfo.editEvent,
Executive,
KernelMode,
FALSE,
NULL
);
if (streamEditor->oobEditInfo.editState == OOB_EDIT_ERROR ||
streamEditor->oobEditInfo.editState == OOB_EDIT_SHUT_DOWN)
{
break;
}
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
NT_ASSERT(streamEditor->oobEditInfo.editState == OOB_EDIT_PROCESSING ||
streamEditor->oobEditInfo.editState == OOB_EDIT_BUSY);
netBufferListChain = streamEditor->oobEditInfo.nblHead;
totalDataLength = streamEditor->oobEditInfo.totalDataLength;
streamFlags = streamEditor->oobEditInfo.streamFlags;
streamEditor->oobEditInfo.nblHead = NULL;
streamEditor->oobEditInfo.nblTail = NULL;
streamEditor->oobEditInfo.totalDataLength = 0;
KeReleaseInStackQueuedSpinLock(&editLockHandle);
_Analysis_assume_(netBufferListChain != NULL);
status = StreamOobEditData(
streamEditor,
netBufferListChain,
totalDataLength,
streamFlags
);
if (!NT_SUCCESS(status))
{
streamEditor->oobEditInfo.editState = OOB_EDIT_ERROR;
break;
}
if (streamEditor->oobEditInfo.editState == OOB_EDIT_BUSY)
{
NTSTATUS streamContinueStatus;
streamEditor->oobEditInfo.editState = OOB_EDIT_PROCESSING;
streamContinueStatus = FwpsStreamContinue(
streamEditor->oobEditInfo.flowId,
streamEditor->oobEditInfo.calloutId,
streamEditor->oobEditInfo.layerId,
streamEditor->oobEditInfo.streamFlags
);
if (!NT_SUCCESS(streamContinueStatus))
{
streamEditor->oobEditInfo.editState = OOB_EDIT_ERROR;
break;
}
}
KeAcquireInStackQueuedSpinLock(
&streamEditor->oobEditInfo.editLock,
&editLockHandle
);
if (streamEditor->oobEditInfo.nblHead == NULL)
{
if (!streamEditor->oobEditInfo.shuttingDown)
{
streamEditor->oobEditInfo.editState = OOB_EDIT_IDLE;
KeClearEvent(&streamEditor->oobEditInfo.editEvent);
}
else
{
streamEditor->oobEditInfo.editState = OOB_EDIT_SHUT_DOWN;
}
}
KeReleaseInStackQueuedSpinLock(&editLockHandle);
}
PsTerminateSystemThread(status);
}
#if(NTDDI_VERSION >= NTDDI_WIN7)
void
NTAPI
StreamOobEditClassify(
_In_ const FWPS_INCOMING_VALUES* inFixedValues,
_In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
_Inout_ void* layerData,
_In_ const void* classifyContext,
_In_ const FWPS_FILTER* filter,
_In_ UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT* classifyOut
)
#else
void
NTAPI
StreamOobEditClassify(
_In_ const FWPS_INCOMING_VALUES* inFixedValues,
_In_ const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
_Inout_ void* layerData,
_In_ const FWPS_FILTER* filter,
_In_ UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT* classifyOut
)
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
/* ++
This is the ClassifyFn function registered by the OOB stream edit callout.
An OOB stream modification callout blocks all indicated data after cloning
them for processing by a kernel mode worker thread (or marshalling the data
to user mode for inspection); the resultant/edited data will then be put
back to the stream via the stream injection API.
For such a callout, the processed data must be (re-)injected back to the
stream from within the ClassifyFn.
-- */
{
FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket;
FWPS_STREAM_DATA* streamData;
UINT findLength = (UINT) strlen(configStringToFind);
ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
NT_ASSERT(ioPacket != NULL);
streamData = ioPacket->streamData;
NT_ASSERT(streamData != NULL);
#if(NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(classifyContext);
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
UNREFERENCED_PARAMETER(flowContext);
RtlZeroMemory(classifyOut, sizeof(FWPS_CLASSIFY_OUT));
//
// Let go the traffic that the editor does not care about.
//
if ((configInspectionOutbound && (streamData->flags & FWPS_STREAM_FLAG_RECEIVE)) ||
(!configInspectionOutbound && (streamData->flags & FWPS_STREAM_FLAG_SEND)))
{
ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
goto Exit;
}
//
// In this sample we don't edit TCP urgent data
//
if ((streamData->flags & FWPS_STREAM_FLAG_SEND_EXPEDITED) ||
(streamData->flags & FWPS_STREAM_FLAG_RECEIVE_EXPEDITED))
{
ioPacket->streamAction = FWPS_STREAM_ACTION_NONE;
classifyOut->actionType = FWP_ACTION_PERMIT;
if (filter->flags & FWPS_FILTER_FLAG_CLEAR_ACTION_RIGHT)
{
classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
}
goto Exit;
}
if ((streamData->dataLength < findLength) &&
!(classifyOut->flags & FWPS_CLASSIFY_OUT_FLAG_NO_MORE_DATA))
{
ioPacket->streamAction = FWPS_STREAM_ACTION_NEED_MORE_DATA;
ioPacket->countBytesRequired = findLength;
classifyOut->actionType = FWP_ACTION_NONE;
goto Exit;
}
StreamOobEdit(
&gStreamEditor,
inFixedValues,
inMetaValues,
filter,
streamData,
ioPacket,
classifyOut
);
if (classifyOut->actionType == FWP_ACTION_BLOCK ||
classifyOut->actionType == FWP_ACTION_PERMIT)
{
if (!(streamData->flags & FWPS_STREAM_FLAG_SEND_DISCONNECT) &&
!(streamData->flags & FWPS_STREAM_FLAG_RECEIVE_DISCONNECT))
{
NTSTATUS status = StreamOobFlushOutgoingData( &gStreamEditor);
if (!NT_SUCCESS(status))
{
ioPacket->streamAction = FWPS_STREAM_ACTION_DROP_CONNECTION;
classifyOut->actionType = FWP_ACTION_NONE;
}
}
}
Exit:
return;
}
WebV7 (C)2018 nlited | Rendered by tikope in 36.233ms | 18.224.30.203