/// <summary>
/// </summary>
/// <param name="filter">
/// The packet filter string to be evaluated.
/// </param>
/// <param name="layer">
/// The layer.
/// </param>
/// <param name="packet">
/// The packet.
/// </param>
/// <param name="packetLen">
/// The total length of the packet.
/// </param>
/// <param name="address">
/// The <seealso cref="WinDivertAddress" /> of the packet pPacket.
/// </param>
/// <returns>
/// TRUE if the packet matches the filter string, FALSE otherwise.
/// </returns>
/// <remarks>
/// Evaluates the given packet against the given packet filter string. This function returns
/// TRUE if the packet matches, and returns FALSE otherwise.
///
/// This function also returns FALSE if an error occurs, in which case
/// <seealso cref="Marshal.GetLastWin32Error" /> can be used to get the reason for the
/// error.Otherwise, if no error occurred, GetLastError() will return 0.
///
/// Note that this function is relatively slow since the packet filter string will be (re)
/// compiled for each call. This function is mainly intended for debugging or testing purposes.
/// </remarks>
public static bool WinDivertHelperEvalFilter(string filter, WinDivertLayer layer, WinDivertBuffer packet, uint packetLen, ref WinDivertAddress address)
{
fixed (WinDivertAddress* pAddress = &address)
{
var retVal = WinDivertNative.WinDivertHelperEvalFilter(filter, layer, packet.BufferPointer, packetLen, ref address);
return retVal;
}
}
/// <summary>
/// Checks if the given packet filter string is valid with respect to the filter language. If
/// the filter is invalid, then a human readable description of the error is returned by
/// errorStr (if non-NULL), and the error's position is returned by errorPos (if non-NULL).
/// </summary>
/// <param name="filter">
/// The packet filter string to be checked.
/// </param>
/// <param name="layer">
/// The layer.
/// </param>
/// <param name="errorMessage">
/// The error description.
/// </param>
/// <param name="errorPosition">
/// The error position.
/// </param>
/// <returns>
/// TRUE if the packet filter string is valid, FALSE otherwise.
/// </returns>
public static bool WinDivertHelperCheckFilter(string filter, WinDivertLayer layer, out string errorMessage, ref uint errorPosition)
{
errorMessage = null;
errorPosition = 0;
char* pErrorString = null;
uint errPosTmp = 0;
var retVal = WinDivertNative.WinDivertHelperCheckFilter(filter, layer, &pErrorString, ref errorPosition);
if (pErrorString != null)
{
errorMessage = Marshal.PtrToStringAnsi((IntPtr)pErrorString);
errorPosition = errPosTmp;
}
return retVal;
}
/// <summary>
/// Opens a WinDivert handle for the given filter. Unless otherwise specified by flags, any
/// packet that matches the filter will be diverted to the handle. Diverted packets can be
/// read by the application with <seealso cref="WinDivertRecv(IntPtr, WinDivertBuffer, ref WinDivertAddress, ref uint)" />
/// </summary>
/// <param name="filter">
/// A packet filter string specified in the WinDivert filter language.
/// </param>
/// <param name="layer">
/// The layer.
/// </param>
/// <param name="priority">
/// The priority of the handle.
/// </param>
/// <param name="flags">
/// Additional flags.
/// </param>
/// <returns>
/// A valid WinDivert handle on success, or IntPtr.Zero if an error occurred. Use
/// <see cref="Marshal.GetLastWin32Error" /> to get the reason for the error.
/// </returns>
/// <remarks>
/// A typical application is only interested in a subset of all network traffic. In this case
/// the filter should match as closely as possible to the subset of interest. This avoids
/// unnecessary overheads introduced by diverting packets to the user-mode application. See
/// the filter language section for more information. The layer of the WinDivert handle is
/// determined by the layer parameter.
/// </remarks>
public static IntPtr WinDivertOpen(string filter, WinDivertLayer layer, short priority, WinDivertOpenFlags flags)
{
return WinDivertNative.WinDivertOpen(filter, layer, priority, (ulong)flags);
}
internal static extern IntPtr WinDivertOpen([MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, short priority, ulong flags);
internal static extern bool WinDivertHelperCompileFilter([MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, IntPtr obj, uint objLen, out IntPtr errorStr, out uint errorPos);
public static extern bool WinDivertHelperCheckFilter([In()][MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, char **errorStr, ref uint errorPos);
public static extern bool WinDivertHelperEvalFilter([In()][MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, [In()] IntPtr pPacket, uint packetLen, [In()] ref WinDivertAddress pAddr);
public static extern IntPtr WinDivertOpen(byte[] rule, WinDivertLayer layer, short priority, WinDivertFlag flags);
public static extern bool WinDivertHelperCheckFilter([In][MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, ref IntPtr errorStr, IntPtr errorPos);
public static extern WinDivertSafeHandle WinDivertOpen([In][MarshalAs(UnmanagedType.LPStr)] string filter, WinDivertLayer layer, short priority, ulong flags);
private static WinDivertHandle OpenHandle(byte[] ruleBuffer, FilterDefinition filter, WinDivertLayer layer, short priority, WinDivertFlag flags)
{
LibraryMode mode = GetSafeLibraryMode();
if (filter._stringValue != null)
{
int count = Encoding.ASCII.GetBytes(filter._stringValue, 0, filter._stringValue.Length, ruleBuffer, 0);
}
else
{
DivertFilterStringBuilder.WriteFilter(ruleBuffer, filter._filterExpression);
}
switch (mode)
{
case LibraryMode.Standard:
//var rule=DivertFilterStringBuilder.MakeFilter(filter);
//IntPtr rawHandle = Interop.NativeMethods.WinDivert.WinDivertOpen(rule, layer,priority,flags);
IntPtr rawHandle = Interop.NativeMethods.WinDivert.WinDivertOpen(ruleBuffer, layer, priority, flags);
WinDivertLibHandle wh = rawHandle;
if (wh.IsInvalid)
{
var error = NativeMethods.Kernel32.GetLastError();
switch (error)
{
case 2:
throw new Exception("Driver WinDivert32.sys or WinDivert64.sys is not found");
case 5:
throw new UnauthorizedAccessException("Need Admin");
case 87:
throw new ArgumentException("filter expression is invalid", nameof(filter));
case 577:
throw new UnauthorizedAccessException("Driver signature verification failed");
case 654:
throw new InvalidOperationException("An incompatible version of the WinDivert driver is currently loaded");
case 1060:
throw new InvalidOperationException("The handle was opened with the WINDIVERT_FLAG_NO_INSTALL flag and the WinDivert driver is not already installed.");
case 1275:
throw new UnauthorizedAccessException("Driver is blocked by other software");
case 1753:
throw new InvalidOperationException("Base Filtering Engine service has been disabled");
}
}
return(wh);
case LibraryMode.ManagedOnly:
default:
throw new InvalidOperationException();
}
}
public static WinDivertHandle OpenHandle(FilterDefinition filter, WinDivertLayer layer, short priority, WinDivertFlag flags)
{
byte[] ruleBuffer = new byte[10240];
return(OpenHandle(ruleBuffer, filter, layer, priority, flags));
}
