public unsafe void SendPacket(Packet pkt) { bool worked = false; if (pkt.Outbound) { ETH_REQUEST Request = new ETH_REQUEST(); INTERMEDIATE_BUFFER *ib = pkt.IB; Request.EthPacket.Buffer = (IntPtr)ib; Request.hAdapterHandle = adapterHandle; if (!Ndisapi.SendPacketToAdapter(hNdisapi, ref Request)) { worked = false; } else { worked = true; } } else { ETH_REQUEST Request = new ETH_REQUEST(); INTERMEDIATE_BUFFER *ib = pkt.IB; Request.EthPacket.Buffer = (IntPtr)ib; Request.hAdapterHandle = adapterHandle; worked = Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } if (pkt.CodeGenerated) { pkt.ClearGeneratedPacket(); } }
void lookingForPacket() { while (true) { if (needToStop) { snifferLog("Запуск снифера"); Marshal.FreeHGlobal(bufferPtr); Ndisapi.CloseFilterDriver(driverPtr); if (snifferLogWriter != null) { snifferLogWriter.Close(); } return; } if (Ndisapi.ReadPacket(driverPtr, ref request)) { buffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(bufferPtr, typeof(INTERMEDIATE_BUFFER)); captureDevice_OnPacketArrival(buffer); } else { System.Threading.Thread.Sleep(16); } } }
void SetPacketEvent() { hEvent = new ManualResetEvent(false); // note that SafeWaitHandle exposes user code indirectly; // a fix is, basically, to modify ndisapi, or write our own driver. // todo for now Ndisapi.SetPacketEvent(hNdisapi, adapterHandle, hEvent.SafeWaitHandle); }
public Capture() { GCHandle.Alloc(adapters); if ((Ndisapi.IsDriverLoaded(driverPtr))) { ready = Ndisapi.GetTcpipBoundAdaptersInfo(driverPtr, ref adapters); } threadLookingForPacket = new Thread(lookingForPacket); threadParsePacket = new Thread(parsePacket); tcpClients = new Dictionary <Connection, TcpClient>(); clients = new Dictionary <Connection, Client>(); }
static void Main() { try { var driverPtr = Ndisapi.OpenFilterDriver(); var adapters = new TCP_AdapterList(); GCHandle.Alloc(adapters); if ((Ndisapi.IsDriverLoaded(driverPtr))) { Console.WriteLine("The following network interfaces are available to MSTCP:"); var result = Ndisapi.GetTcpipBoundAdaptersInfo(driverPtr, ref adapters); if (!result) { throw new ApplicationException("Can't get TCP/IP bound adapters info"); } for (var i = 0; i < adapters.m_nAdapterCount; i++) { Console.WriteLine("{0}) {1}", i + 1, adapters.GetName(i)); Console.WriteLine("\tInternal Name:\t {0}", adapters.GetInternalName(i)); Console.WriteLine("\tCurrent MAC:\t {0}", adapters.GetMacAddressStr(i)); Console.WriteLine("\tMedium:\t 0x{0:X8}", adapters.m_nAdapterMediumList[i]); Console.WriteLine("\tCurrent MTU:\t {0}", adapters.m_usMTU[i]); // Set tunnel mode for the selected network iunterface var mode = new ADAPTER_MODE { hAdapterHandle = adapters.m_nAdapterHandle[i] }; Ndisapi.GetAdapterMode(driverPtr, ref mode); Console.WriteLine("\tCurrent adapter mode = 0x{0:X8}", mode.dwFlags); } Console.WriteLine("\n\nCurrent system wide MTU decrement = {0}", Ndisapi.GetMTUDecrement()); Console.WriteLine("Default adapter startup mode = 0x{0:X8}", Ndisapi.GetAdaptersStartupMode()); } else { Console.WriteLine("Helper driver failed to load or was not installed."); } Ndisapi.CloseFilterDriver(driverPtr); } catch (Exception ex) { Console.WriteLine(ex.ToString()); } }
static void OpenNDISDriver() { if (hNdisapi != IntPtr.Zero) { LogCenter.Instance.Push("NetworkAdapter-static", "Bad state was found, attempting to open the NDIS Filter Driver while the IntPtr != IntPtr.Zero, continuing"); } hNdisapi = Ndisapi.OpenFilterDriver(Ndisapi.NDISRD_DRIVER_NAME); TCP_AdapterList adList = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(hNdisapi, ref adList); if (adList.m_nAdapterCount == 0) { LogCenter.WriteErrorLog(new Exception("No adapters found on this driver interface")); return; } isNdisFilterDriverOpen = true; }
public static List <NetworkAdapter> GetNewAdapters() { if (!isNdisFilterDriverOpen) { OpenNDISDriver(); } TCP_AdapterList adList = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(hNdisapi, ref adList); List <NetworkAdapter> tempList = new List <NetworkAdapter>(); for (int x = 0; x < currentAdapters.Count; x++) { for (int y = 0; y < adList.m_nAdapterCount; y++) { if (adList.m_nAdapterHandle[y] == currentAdapters[x].adapterHandle) { currentAdapters[x].UpdateNetworkInterface(Encoding.ASCII.GetString(adList.m_szAdapterNameList, y * 256, 256)); } } } for (int x = 0; x < adList.m_nAdapterCount; x++) { bool found = false; for (int y = 0; y < currentAdapters.Count; y++) { if (adList.m_nAdapterHandle[x] == currentAdapters[y].adapterHandle) { found = true; } } if (!found) { NetworkAdapter newAdapter = new NetworkAdapter(adList.m_nAdapterHandle[x], Encoding.ASCII.GetString(adList.m_szAdapterNameList, x * 256, 256)); if (newAdapter.InterfaceInformation != null) { tempList.Add(newAdapter); currentAdapters.Add(newAdapter); } } } return(tempList); }
static void UpdateAdapterList() { bool succeeded = false; while (!succeeded) { if (!isNdisFilterDriverOpen) { OpenNDISDriver(); } TCP_AdapterList adList = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(hNdisapi, ref adList); List <NetworkAdapter> tempList = new List <NetworkAdapter>(); //Populate with current adapters List <NetworkAdapter> notFound = new List <NetworkAdapter>(); for (int x = 0; x < currentAdapters.Count; x++) { bool found = false; for (int y = 0; y < adList.m_nAdapterCount; y++) { if (adList.m_nAdapterHandle[y] == currentAdapters[x].adapterHandle) { currentAdapters[x].UpdateNetworkInterface(Encoding.ASCII.GetString(adList.m_szAdapterNameList, y * 256, 256)); tempList.Add(currentAdapters[x]); found = true; } } if (!found) { notFound.Add(currentAdapters[x]); } } //Deal with no longer existant adapters for (int x = 0; x < notFound.Count; x++) { notFound[x].SetNoLongerAvailable(); } //Adding any new adapters for (int x = 0; x < adList.m_nAdapterCount; x++) { bool found = false; for (int y = 0; y < currentAdapters.Count; y++) { if (adList.m_nAdapterHandle[x] == currentAdapters[y].adapterHandle) { found = true; } } if (!found) { NetworkAdapter newAdapter = new NetworkAdapter(adList.m_nAdapterHandle[x], Encoding.ASCII.GetString(adList.m_szAdapterNameList, x * 256, 256)); if (newAdapter.InterfaceInformation != null) { tempList.Add(newAdapter); } } } currentAdapters = new List <NetworkAdapter>(tempList); succeeded = true; } }
void SetAdapterMode() { mode.dwFlags = Ndisapi.MSTCP_FLAG_SENT_TUNNEL | Ndisapi.MSTCP_FLAG_RECV_TUNNEL; mode.hAdapterHandle = adapterHandle; Ndisapi.SetAdapterMode(hNdisapi, ref mode); }
static void Main() { try { var ndisHandler = Ndisapi.OpenFilterDriver(); var adapterList = new TCP_AdapterList(); var currentMacRequest = new PACKET_OID_DATA(); var statRequest = new PACKET_OID_DATA(); statRequest.Length = sizeof(int); GCHandle.Alloc(adapterList); if (!(Ndisapi.IsDriverLoaded(ndisHandler))) { throw new Exception("Driver failed to load or was not installed."); } var result = Ndisapi.GetTcpipBoundAdaptersInfo(ndisHandler, ref adapterList); if (!result) { throw new ApplicationException("Cannot get network adapters list."); } for (var i = 0; i < adapterList.m_nAdapterCount; i++) { currentMacRequest.Length = 6; currentMacRequest.Oid = Oid8023CurrentAddress; currentMacRequest.hAdapterHandle = adapterList.m_nAdapterHandle[i]; statRequest.hAdapterHandle = adapterList.m_nAdapterHandle[i]; if (!Ndisapi.NdisrdRequest(ndisHandler, ref currentMacRequest, false)) { continue; } var data = currentMacRequest.GetData(); Console.WriteLine("{0}) Current MAC is {1:X2}-{2:X2}-{3:X2}-{4:X2}-{5:X2}-{6:X2} ", i + 1, data[0], data[1], data[2], data[3], data[4], data[5]); statRequest.Oid = OidGenXmitOk; if (Ndisapi.NdisrdRequest(ndisHandler, ref statRequest, false)) { Console.WriteLine("\tFrames transmitted without errors = {0}", BitConverter.ToUInt32(statRequest.GetData(), 0)); } statRequest.Oid = OidGenRcvOk; Ndisapi.NdisrdRequest(ndisHandler, ref statRequest, false); Console.WriteLine("\tFrames received without errors = {0}", BitConverter.ToUInt32(statRequest.GetData(), 0)); statRequest.Oid = OidGenXmitError; Ndisapi.NdisrdRequest(ndisHandler, ref statRequest, false); Console.WriteLine("\tFrames that a NIC failed to transmit = {0}", BitConverter.ToUInt32(statRequest.GetData(), 0)); statRequest.Oid = OidGenRcvError; Ndisapi.NdisrdRequest(ndisHandler, ref statRequest, false); Console.WriteLine("\tFrames that a NIC have not indicated due to errors = {0}", BitConverter.ToUInt32(statRequest.GetData(), 0)); } Ndisapi.CloseFilterDriver(ndisHandler); } catch (Exception ex) { Console.WriteLine(ex); } }
static void CloseNDISDriver() { Ndisapi.CloseFilterDriver(hNdisapi); }
static void Main(string[] args) { try { if (args.Length < 1) { Console.WriteLine( "Command line syntax:\r\n\tfilterstats.exe [DoReset] \r\n\tDoReset - 1 to reset filters counters / 0 - query counters without reset."); return; } var reset = Convert.ToInt32(args[0]) == 1; var driverPtr = Ndisapi.OpenFilterDriver(); if (!Ndisapi.IsDriverLoaded(driverPtr)) { Console.WriteLine("Driver not installed on this system of failed to load."); return; } // Get number of filters loaded var filtersCount = 0u; Ndisapi.GetPacketFilterTableSize(driverPtr, ref filtersCount); Console.WriteLine("{0} filters loaded into the driver", filtersCount); if (filtersCount == 0) { return; } var filtersTable = new STATIC_FILTER_TABLE { m_TableSize = filtersCount }; // if reset flag is set then query filters table with reset and without reset otherwise if (reset) { Ndisapi.GetPacketFilterTableResetStats(driverPtr, ref filtersTable); } else { Ndisapi.GetPacketFilterTable(driverPtr, ref filtersTable); } Console.WriteLine("Statistics for the loaded filters:"); for (var i = 0; i < filtersTable.m_TableSize; ++i) { Console.WriteLine("Filter {0}: ", i); Console.WriteLine("\tIncoming packets counter = {0}", filtersTable.m_StaticFilters[i].m_PacketsIn); Console.WriteLine("\tIncoming bytes counter = {0}", filtersTable.m_StaticFilters[i].m_BytesIn); Console.WriteLine("\tOutgoing packets counter = {0}", filtersTable.m_StaticFilters[i].m_PacketsOut); Console.WriteLine("\tOutgoing bytes counter = {0}", filtersTable.m_StaticFilters[i].m_BytesOut); Console.WriteLine("\tLast reset = {0}", new DateTime(1980, 1, 1).AddSeconds(filtersTable.m_StaticFilters[i].m_LastReset).ToLocalTime()); } } catch (Exception ex) { Console.WriteLine(ex); } }
static void Main(string[] args) { if (args.Length < 2) { Console.WriteLine(@"Command line syntax: PacketSniffer.exe index num [-promisc] index - network interface index. num - number or packets to capture -promisc - optional parameter. When specified network interface is switched to the promiscuous mode.\n\tYou can use ListAdapters to determine correct index.\n"); return; } var promisciousMode = args.Length == 3 && args[2].Equals("-promisc"); var adapterIndex = uint.Parse(args[0]) - 1; var packetsCount = int.Parse(args[1]); try { var driverPtr = Ndisapi.OpenFilterDriver(); if (!Ndisapi.IsDriverLoaded(driverPtr)) { throw new ApplicationException("Cannot load driver"); } // Retrieve adapter list var adList = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(driverPtr, ref adList); uint dwOldHwFilter = 0; if (promisciousMode) { if (!Ndisapi.GetHwPacketFilter(driverPtr, adList.m_nAdapterHandle[adapterIndex], ref dwOldHwFilter)) { Console.WriteLine("Failed to get current packet filter from the network interface."); } else { Console.WriteLine("Succeded to get current packet filter from the network interface. dwOldHwFilter = {0}", dwOldHwFilter); } if (!Ndisapi.SetHwPacketFilter(driverPtr, adList.m_nAdapterHandle[adapterIndex], 0x00000020 /*NDIS_PACKET_TYPE_PROMISCUOUS*/)) { Console.WriteLine("Failed to set promiscuous mode for the network interface."); } else { Console.WriteLine("Succeded to set promiscuous mode for the network interface."); } } // Set listen mode for the selected network interface var mode = new ADAPTER_MODE { dwFlags = Ndisapi.MSTCP_FLAG_SENT_LISTEN | Ndisapi.MSTCP_FLAG_RECV_LISTEN, hAdapterHandle = adList.m_nAdapterHandle[adapterIndex] }; if (promisciousMode) { mode.dwFlags = mode.dwFlags | Ndisapi.MSTCP_FLAG_FILTER_DIRECT | Ndisapi.MSTCP_FLAG_LOOPBACK_BLOCK; } Ndisapi.SetAdapterMode(driverPtr, ref mode); // Allocate and initialize packet structures var buffer = new INTERMEDIATE_BUFFER(); var bufferPtr = Marshal.AllocHGlobal(Marshal.SizeOf(buffer)); Win32Api.ZeroMemory(bufferPtr, Marshal.SizeOf(buffer)); var request = new ETH_REQUEST { hAdapterHandle = adList.m_nAdapterHandle[adapterIndex], EthPacket = { Buffer = bufferPtr } }; while (packetsCount > 0) { if (Ndisapi.ReadPacket(driverPtr, ref request)) { --packetsCount; buffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(bufferPtr, typeof(INTERMEDIATE_BUFFER)); WriteToConsole(buffer, bufferPtr); } else { Console.Write("."); System.Threading.Thread.Sleep(100); } } Marshal.FreeHGlobal(bufferPtr); if (promisciousMode) { Ndisapi.SetHwPacketFilter(driverPtr, adList.m_nAdapterHandle[adapterIndex], dwOldHwFilter); } Ndisapi.CloseFilterDriver(driverPtr); } catch (Exception ex) { Console.WriteLine(ex.ToString()); } }
public void start(int num) { if (ready) { ADAPTER_MODE mode = new ADAPTER_MODE { dwFlags = Ndisapi.MSTCP_FLAG_SENT_LISTEN | Ndisapi.MSTCP_FLAG_RECV_LISTEN, hAdapterHandle = adapters.m_nAdapterHandle[num] }; Ndisapi.SetAdapterMode(driverPtr, ref mode); IP_ADDRESS_V4[] serversIp = new IP_ADDRESS_V4[serverIps.Length]; for (int i = 0; i < serverIps.Length; i++) { serversIp[i] = new IP_ADDRESS_V4() { m_AddressType = Ndisapi.IP_SUBNET_V4_TYPE, m_IpSubnet = new IP_SUBNET_V4 { m_Ip = BitConverter.ToUInt32(IPAddress.Parse(serverIps[i]).GetAddressBytes(), 0), m_IpMask = 0xFFFFFFFF } } } ; //Filters STATIC_FILTER_TABLE filtersTable = new STATIC_FILTER_TABLE(); filtersTable.m_StaticFilters = new STATIC_FILTER[256]; filtersTable.m_TableSize = (uint)(2 * serverIps.Length + 1); for (int i = 0; i < 2 * serverIps.Length; i += 2) { filtersTable.m_StaticFilters[i].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[i].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID; filtersTable.m_StaticFilters[i].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[i].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND; filtersTable.m_StaticFilters[i].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[i].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_DEST_ADDRESS; filtersTable.m_StaticFilters[i].m_NetworkFilter.m_IPv4.m_DestAddress = serversIp[i / 2]; filtersTable.m_StaticFilters[i + 1].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[i + 1].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID; filtersTable.m_StaticFilters[i + 1].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[i + 1].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE; filtersTable.m_StaticFilters[i + 1].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[i + 1].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_SRC_ADDRESS; filtersTable.m_StaticFilters[i + 1].m_NetworkFilter.m_IPv4.m_SrcAddress = serversIp[i / 2]; } filtersTable.m_StaticFilters[2 * serverIps.Length].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[2 * serverIps.Length].m_ValidFields = 0; filtersTable.m_StaticFilters[2 * serverIps.Length].m_FilterAction = Ndisapi.FILTER_PACKET_PASS; filtersTable.m_StaticFilters[2 * serverIps.Length].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND; Ndisapi.SetPacketFilterTable(driverPtr, ref filtersTable); buffer = new INTERMEDIATE_BUFFER(); bufferPtr = Marshal.AllocHGlobal(Marshal.SizeOf(buffer)); Win32Api.ZeroMemory(bufferPtr, Marshal.SizeOf(buffer)); request = new ETH_REQUEST { hAdapterHandle = adapters.m_nAdapterHandle[num], EthPacket = { Buffer = bufferPtr } }; threadLookingForPacket.Start(); threadParsePacket.Start(); ready = false; if (onStartedSniffer != null) { onStartedSniffer(this, EventArgs.Empty); } } }
static void Main(string[] args) { if (args.Length < 2) { Console.WriteLine(@"Command line syntax: PassThru.exe index num index - network interface index. num - number or packets to filter You can use ListAdapters to determine correct index.\n"); return; } var adapterIndex = uint.Parse(args[0]) - 1; var packetsCount = int.Parse(args[1]); try { var driverPtr = Ndisapi.OpenFilterDriver(); if (!Ndisapi.IsDriverLoaded(driverPtr)) { throw new ApplicationException("Cannot load driver"); } // Retrieve adapter list var adapters = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(driverPtr, ref adapters); // Set tunnel mode for the selected network interface var mode = new ADAPTER_MODE { dwFlags = Ndisapi.MSTCP_FLAG_SENT_TUNNEL | Ndisapi.MSTCP_FLAG_RECV_TUNNEL, hAdapterHandle = adapters.m_nAdapterHandle[adapterIndex] }; Ndisapi.SetAdapterMode(driverPtr, ref mode); // Create and set event for the adapter var manualResetEvent = new ManualResetEvent(false); Ndisapi.SetPacketEvent(driverPtr, adapters.m_nAdapterHandle[adapterIndex], manualResetEvent.SafeWaitHandle); // Allocate and initialize packet structures var request = new ETH_REQUEST(); var buffer = new INTERMEDIATE_BUFFER(); var bufferPtr = Marshal.AllocHGlobal(Marshal.SizeOf(buffer)); Win32Api.ZeroMemory(bufferPtr, Marshal.SizeOf(buffer)); request.hAdapterHandle = adapters.m_nAdapterHandle[adapterIndex]; request.EthPacket.Buffer = bufferPtr; while (packetsCount > 0) { manualResetEvent.WaitOne(); while (Ndisapi.ReadPacket(driverPtr, ref request)) { --packetsCount; buffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(bufferPtr, typeof(INTERMEDIATE_BUFFER)); WriteToConsole(buffer, bufferPtr); if (buffer.m_dwDeviceFlags == Ndisapi.PACKET_FLAG_ON_SEND) { Ndisapi.SendPacketToAdapter(driverPtr, ref request); } else { Ndisapi.SendPacketToMstcp(driverPtr, ref request); } } manualResetEvent.Reset(); } Marshal.FreeHGlobal(bufferPtr); Ndisapi.CloseFilterDriver(driverPtr); } catch (Exception ex) { Console.WriteLine(ex.ToString()); } }
unsafe void ProcessLoop() { // Allocate and initialize packet structures ETH_REQUEST Request = new ETH_REQUEST(); INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER(); IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer)); try { win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer)); Request.hAdapterHandle = adapterHandle; Request.EthPacket.Buffer = PacketBufferIntPtr; modules = new ModuleList(this); modules.LoadExternalModules(); modules.UpdateModuleOrder(); string folder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); folder = folder + System.IO.Path.DirectorySeparatorChar + "firebwall"; if (!System.IO.Directory.Exists(folder)) { System.IO.Directory.CreateDirectory(folder); } folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs"; if (!System.IO.Directory.Exists(folder)) { System.IO.Directory.CreateDirectory(folder); } string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + this.InterfaceInformation.Name + "-" + PcapCreator.Instance.GetNewDate() + ".pcap"; pcaplog = new PcapFileWriter(f); INTERMEDIATE_BUFFER *PacketPointer; while (true) { hEvent.WaitOne(); while (Ndisapi.ReadPacket(hNdisapi, ref Request)) { PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr; //PacketBuffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(PacketBufferIntPtr, typeof(INTERMEDIATE_BUFFER)); Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket(); if (pkt.Outbound) { OutBandwidth.AddBits(pkt.Length()); } else { InBandwidth.AddBits(pkt.Length()); } bool drop = false; bool edit = false; if (enabled) { for (int x = 0; x < modules.Count; x++) { FirewallModule fm = modules.GetModule(x); PacketMainReturn pmr = fm.PacketMain(ref pkt); if (pmr == null) { continue; } if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null) { LogCenter.Instance.Push(pmr); } if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop) { drop = true; break; } if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited) { edit = true; } } } if (!drop) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } else { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } //OM NOM NOM PASTA! while (processQueue.Count != 0) { Packet pkt = processQueue.Dequeue().MakeNextLayerPacket(); if (pkt.Outbound) { OutBandwidth.AddBits(pkt.Length()); } else { InBandwidth.AddBits(pkt.Length()); } bool drop = false; bool edit = false; if (enabled) { for (int x = 0; x < modules.Count; x++) { FirewallModule fm = modules.GetModule(x); PacketMainReturn pmr = fm.PacketMain(ref pkt); if (pmr == null) { continue; } if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null) { LogCenter.Instance.Push(pmr.Module, pmr.logMessage); } if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop) { drop = true; break; } if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited) { edit = true; } } } if (!drop) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } else { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } hEvent.Reset(); } } catch (Exception tae) { Marshal.FreeHGlobal(PacketBufferIntPtr); } }
static void Main(string[] args) { try { if (args.Length < 2) { Console.WriteLine( "Command line syntax:\n\tfilter.exe index scenario \n\tindex - network interface index.\n\tscenario - sample set of filters to load.\n\tYou can use ListAdapters to determine correct index."); Console.WriteLine("Available Scenarios:"); Console.WriteLine("1 - Redirect only IPv4 DNS packets for processing in user mode."); Console.WriteLine("2 - Redirect only HTTP(TCP port 80) packets for processing in user mode. Both IPv4 and IPv6 protocols."); Console.WriteLine("3 - Drop all IPv4 ICMP packets. Redirect all other packets to user mode (default behaviour)."); Console.WriteLine("4 - Block IPv4 access to http://www.ntkernel.com. Pass all other packets without processing in user mode."); Console.WriteLine("5 - Redirect only ARP/RARP packets to user mode. Pass all others."); return; } var adapterIndex = uint.Parse(args[0]) - 1; var scena = uint.Parse(args[1]); var driverPtr = Ndisapi.OpenFilterDriver(); if (!Ndisapi.IsDriverLoaded(driverPtr)) { Console.WriteLine("Driver not installed on this system of failed to load."); return; } // Retrieve adapter list var adapters = new TCP_AdapterList(); Ndisapi.GetTcpipBoundAdaptersInfo(driverPtr, ref adapters); // Set tunnel mode for the selected network interface var mode = new ADAPTER_MODE { dwFlags = Ndisapi.MSTCP_FLAG_SENT_TUNNEL | Ndisapi.MSTCP_FLAG_RECV_TUNNEL, hAdapterHandle = adapters.m_nAdapterHandle[adapterIndex] }; Ndisapi.SetAdapterMode(driverPtr, ref mode); // Create and set event for the adapter var manualResetEvent = new ManualResetEvent(false); Ndisapi.SetPacketEvent(driverPtr, adapters.m_nAdapterHandle[adapterIndex], manualResetEvent.SafeWaitHandle); var filtersTable = new STATIC_FILTER_TABLE(); filtersTable.m_StaticFilters = new STATIC_FILTER[256]; switch (scena) { case 1: filtersTable.m_TableSize = 3; //************************************************************************************** // 1. Outgoing DNS requests filter: REDIRECT OUT UDP packets with destination PORT 53 // Common values filtersTable.m_StaticFilters[0].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[0].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[0].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[0].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND; // Network layer filter filtersTable.m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = 17; //IPPROTO_UDP // Transport layer filter filtersTable.m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 53; // DNS filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 53; //**************************************************************************************** // 2. Incoming DNS responses filter: REDIRECT IN UDP packets with source PORT 53 // Common values filtersTable.m_StaticFilters[1].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[1].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[1].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[1].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE; // Network layer filter filtersTable.m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL; filtersTable.m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = 17; //IPPROTO_UDP // Transport layer filter filtersTable.m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_SRC_PORT; filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 53; // DNS filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 53; //*************************************************************************************** // 3. Pass all packets (skipped by previous filters) without processing in user mode // Common values filtersTable.m_StaticFilters[2].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[2].m_ValidFields = 0; filtersTable.m_StaticFilters[2].m_FilterAction = Ndisapi.FILTER_PACKET_PASS; filtersTable.m_StaticFilters[2].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND; break; case 2: filtersTable.m_TableSize = 5; //************************************************************************************** // 1. Outgoing HTTP requests filter: REDIRECT OUT TCP packets with destination PORT 80 IPv4 // Common values filtersTable.m_StaticFilters[0].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[0].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[0].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[0].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND; // Network layer filter filtersTable.m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = 6; //IPPROTO_TCP // Transport layer filter filtersTable.m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80; //**************************************************************************************** // 2. Incoming HTTP responses filter: REDIRECT IN TCP packets with source PORT 80 IPv4 // Common values filtersTable.m_StaticFilters[1].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[1].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[1].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[1].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE; // Network layer filter filtersTable.m_StaticFilters[1].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL; filtersTable.m_StaticFilters[1].m_NetworkFilter.m_IPv4.m_Protocol = 6; //IPPROTO_TCP // Transport layer filter filtersTable.m_StaticFilters[1].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_SRC_PORT; filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP filtersTable.m_StaticFilters[1].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80; //**************************************************************************************** // 3. Outgoing HTTP requests filter: REDIRECT OUT TCP packets with destination PORT 80 IPv6 // Common values filtersTable.m_StaticFilters[2].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[2].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[2].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[2].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND; // Network layer filter filtersTable.m_StaticFilters[2].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV6; filtersTable.m_StaticFilters[2].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V6_FILTER_PROTOCOL; filtersTable.m_StaticFilters[2].m_NetworkFilter.m_IPv4.m_Protocol = 6; //IPPROTO_TCP // Transport layer filter filtersTable.m_StaticFilters[2].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[2].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT; filtersTable.m_StaticFilters[2].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP filtersTable.m_StaticFilters[2].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 80; //**************************************************************************************** // 4. Incoming HTTP responses filter: REDIRECT IN TCP packets with source PORT 80 IPv6 // Common values filtersTable.m_StaticFilters[3].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[3].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[3].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[3].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE; // Network layer filter filtersTable.m_StaticFilters[3].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV6; filtersTable.m_StaticFilters[3].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V6_FILTER_PROTOCOL; filtersTable.m_StaticFilters[3].m_NetworkFilter.m_IPv4.m_Protocol = 6; // IPPROTO_TCP // Transport layer filter filtersTable.m_StaticFilters[3].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[3].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_SRC_PORT; filtersTable.m_StaticFilters[3].m_TransportFilter.m_TcpUdp.m_SourcePort.m_StartRange = 80; // HTTP filtersTable.m_StaticFilters[3].m_TransportFilter.m_TcpUdp.m_SourcePort.m_EndRange = 80; //*************************************************************************************** // 5. Pass all packets (skipped by previous filters) without processing in user mode // Common values filtersTable.m_StaticFilters[4].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[4].m_ValidFields = 0; filtersTable.m_StaticFilters[4].m_FilterAction = Ndisapi.FILTER_PACKET_PASS; filtersTable.m_StaticFilters[4].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND; break; case 3: filtersTable.m_TableSize = 5; //************************************************************************************** // 1. Block all ICMP packets // Common values filtersTable.m_StaticFilters[0].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[0].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID; filtersTable.m_StaticFilters[0].m_FilterAction = Ndisapi.FILTER_PACKET_DROP; filtersTable.m_StaticFilters[0].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND | Ndisapi.PACKET_FLAG_ON_RECEIVE; // Network layer filter filtersTable.m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = 1; //IPPROTO_ICMP break; case 4: filtersTable.m_TableSize = 2; //************************************************************************************** // 1. Outgoing HTTP requests filter: DROP OUT TCP packets with destination IP 104.196.49.47 PORT 80 - 443 (http://www.ntkernel.com) // Common values filtersTable.m_StaticFilters[0].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[0].m_ValidFields = Ndisapi.NETWORK_LAYER_VALID | Ndisapi.TRANSPORT_LAYER_VALID; filtersTable.m_StaticFilters[0].m_FilterAction = Ndisapi.FILTER_PACKET_DROP; filtersTable.m_StaticFilters[0].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND; // Network layer filter var address = new in_addr(); var mask = new in_addr(); // IP address 104.196.49.47 address.s_b1 = 104; address.s_b2 = 196; address.s_b3 = 49; address.s_b4 = 47; // Network mask 255.255.255.255 mask.s_b1 = 255; mask.s_b2 = 255; mask.s_b3 = 255; mask.s_b4 = 255; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_dwUnionSelector = Ndisapi.IPV4; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_ValidFields = Ndisapi.IP_V4_FILTER_PROTOCOL | Ndisapi.IP_V4_FILTER_DEST_ADDRESS; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_AddressType = Ndisapi.IP_SUBNET_V4_TYPE; filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_Ip = address.s_addr; // IP address filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_DestAddress.m_IpSubnet.m_IpMask = mask.s_addr; // network mask filtersTable.m_StaticFilters[0].m_NetworkFilter.m_IPv4.m_Protocol = 6; //IPPROTO_TCP // Transport layer filter filtersTable.m_StaticFilters[0].m_TransportFilter.m_dwUnionSelector = Ndisapi.TCPUDP; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_ValidFields = Ndisapi.TCPUDP_DEST_PORT; filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_StartRange = 80; // HTTP filtersTable.m_StaticFilters[0].m_TransportFilter.m_TcpUdp.m_DestPort.m_EndRange = 443; //HTTPS //*************************************************************************************** // 2. Pass all packets (skipped by previous filters) without processing in user mode // Common values filtersTable.m_StaticFilters[1].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[1].m_ValidFields = 0; filtersTable.m_StaticFilters[1].m_FilterAction = Ndisapi.FILTER_PACKET_PASS; filtersTable.m_StaticFilters[1].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND; break; case 5: filtersTable.m_TableSize = 3; //************************************************************************************** // 1. Redirects all ARP packets to be processes by user mode application // Common values filtersTable.m_StaticFilters[0].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[0].m_ValidFields = Ndisapi.DATA_LINK_LAYER_VALID; filtersTable.m_StaticFilters[0].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[0].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND | Ndisapi.PACKET_FLAG_ON_RECEIVE; filtersTable.m_StaticFilters[0].m_DataLinkFilter.m_dwUnionSelector = Ndisapi.ETH_802_3; filtersTable.m_StaticFilters[0].m_DataLinkFilter.m_Eth8023Filter.m_ValidFields = Ndisapi.ETH_802_3_PROTOCOL; filtersTable.m_StaticFilters[0].m_DataLinkFilter.m_Eth8023Filter.m_Protocol = 0x0806; // ETH_P_ARP; //************************************************************************************** // 1. Redirects all RARP packets to be processes by user mode application // Common values filtersTable.m_StaticFilters[1].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[1].m_ValidFields = Ndisapi.DATA_LINK_LAYER_VALID; filtersTable.m_StaticFilters[1].m_FilterAction = Ndisapi.FILTER_PACKET_REDIRECT; filtersTable.m_StaticFilters[1].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_SEND | Ndisapi.PACKET_FLAG_ON_RECEIVE; filtersTable.m_StaticFilters[1].m_DataLinkFilter.m_dwUnionSelector = Ndisapi.ETH_802_3; filtersTable.m_StaticFilters[1].m_DataLinkFilter.m_Eth8023Filter.m_ValidFields = Ndisapi.ETH_802_3_PROTOCOL; filtersTable.m_StaticFilters[1].m_DataLinkFilter.m_Eth8023Filter.m_Protocol = 0x0806; // ETH_P_ARP; //*************************************************************************************** // 2. Pass all packets (skipped by previous filters) without processing in user mode // Common values filtersTable.m_StaticFilters[2].m_Adapter = 0; // applied to all adapters filtersTable.m_StaticFilters[2].m_ValidFields = 0; filtersTable.m_StaticFilters[2].m_FilterAction = Ndisapi.FILTER_PACKET_PASS; filtersTable.m_StaticFilters[2].m_dwDirectionFlags = Ndisapi.PACKET_FLAG_ON_RECEIVE | Ndisapi.PACKET_FLAG_ON_SEND; break; default: Console.WriteLine("Unknown test scenario specified. Exiting."); return; } // Load filters into driver Ndisapi.SetPacketFilterTable(driverPtr, ref filtersTable); // Allocate and initialize packet structures var request = new ETH_REQUEST(); var buffer = new INTERMEDIATE_BUFFER(); var bufferPtr = Marshal.AllocHGlobal(Marshal.SizeOf(buffer)); Win32Api.ZeroMemory(bufferPtr, Marshal.SizeOf(buffer)); request.hAdapterHandle = adapters.m_nAdapterHandle[adapterIndex]; request.EthPacket.Buffer = bufferPtr; while (true) { manualResetEvent.WaitOne(); while (Ndisapi.ReadPacket(driverPtr, ref request)) { buffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(bufferPtr, typeof(INTERMEDIATE_BUFFER)); WriteToConsole(buffer, bufferPtr); if (buffer.m_dwDeviceFlags == Ndisapi.PACKET_FLAG_ON_SEND) { Ndisapi.SendPacketToAdapter(driverPtr, ref request); } else { Ndisapi.SendPacketToMstcp(driverPtr, ref request); } } manualResetEvent.Reset(); } } catch (Exception ex) { Console.WriteLine(ex); } }