Reading Windows® Internals, Sixth Edition, Part 1 in full

Using the kernel debugger to look at a live system, you can examine TCP/IP’s device objects. After performing the !drvobj command to see the addresses of each of the driver’s device objects, execute !devobj to view the name and other details about the device object.

lkd> !drvobj tdx
Driver object (861d9478) is for:
 \Driver\tdx
Driver Extension List: (id , addr)

Device Object list:
861db310 861db440 861d8440 861d03e8
861cd440 861d2318 861d9350

lkd> !devobj 861cd440
Device object (861cd440) is for:
 Tcp6 \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861db440
Device object (861db440) is for:
 RawIp \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861db4f8 DevObjExt 861db500
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861d8440
Device object (861d8440) is for:
 Udp6 \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861d84f8 DevObjExt 861d8500
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861d03e8
Device object (861d03e8) is for:
 Udp \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 6 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861d04a0 DevObjExt 861d04a8
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861cd440
Device object (861cd440) is for:
 Tcp6 \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 7 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861cd4f8 DevObjExt 861cd500
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861d2318
Device object (861d2318) is for:
 Tcp \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 167 Type 00000012 Flags 00000050
Dacl 8b1bc54c DevExt 861d23d0 DevObjExt 861d23d8
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

lkd> !devobj 861d9350
Device object (861d9350) is for:
 Tdx \Driver\tdx DriverObject 861d9478
Current Irp 00000000 RefCount 0 Type 00000021 Flags 00000050
Dacl 8b0649a8 DevExt 00000000 DevObjExt 861d9408
ExtensionFlags (0x00000800)  Unknown flags 0x00000800
Device queue is not busy.

Windows Filtering Platform

Windows includes a rich and extensible platform for monitoring, intercepting, and processing network traffic at all levels in the network stack. Other Windows networking services extend the basic networking features of the TCP/IP protocol driver by relying on the Windows Filtering Platform (WFP). These include Network Address Translation (NAT), IP filtering, IP inspection, and Internet Protocol Security (IPsec). Figure 7-36 shows how the different components of the WFP are integrated with the TCP/IP stack. These include the following:

Filter engine. The filter engine is implemented in both user mode and kernel mode and performs all the filtering operations on the network. Each filter engine component consists of filtering layers, one for each component of the network stack. The user-mode engine, responsible for RPC and IPsec keying policy, among other things, contains approximately 10 filters, while the kernel-mode engine, which performs the network and transport layer filtering of the TCP/IP stack, contains around 50.

Shims. Shims are the kernel-mode components that reside between the network stack and the filter engine. They are responsible for making the decision to allow or block network traffic based on their filtering behavior, which is defined by the filter engine. A shim operates in three steps: it parses the incoming data to match incoming values with entries in the filter engine, calls the filter engine to return an action based on the incoming values, and then interprets the action (drop the packet, for example).

Base filtering engine (BFE). The BFE is a user-mode service (%SystemRoot%\System32\Bfe.dll) that manages all WFP operations. It is responsible for adding and removing filters from the WFP stack, managing the filter configuration, and enforcing security on the filter database.

Callout drivers. Callout drivers are kernel-mode components that add custom filtering functionality outside the basic support provided by the WFP. Callout drivers associate callout functions with one or more kernel-mode filtering layers, and the WFP enables callout functions to perform deep packet inspection and modification. Network Address Translation (described next) and IPsec are implemented as callout drivers, for example.
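Because callout drivers can inspect and rewrite packets at any kernel-mode filtering layer, a defender usually wants an inventory of which layers currently have callout-backed filters attached. The following PowerShell script is an added example, not code from the book or from Windows; it reads the XML file that netsh wfp show filters writes and groups callout filters by layer. It assumes an elevated session and that the element names it reads (item, layerKey, action/type, action/calloutKey, displayData/name, providerKey) match that file's layout.

```powershell
# Added example (not from Windows Internals): inventory the callout-backed
# filters registered with the WFP filter engine, grouped by filtering layer.
# Assumptions: the session is elevated, and the XML element names below
# (item, layerKey, action/type, action/calloutKey, displayData/name,
# providerKey) match the file written by "netsh wfp show filters".
param(
    [string]$DumpPath = (Join-Path $env:TEMP 'wfp-filters.xml')
)

# netsh asks the BFE for the complete filter set and writes it as XML.
& netsh.exe wfp show filters file="$DumpPath" | Out-Null
if (-not (Test-Path $DumpPath)) { throw "netsh did not write $DumpPath" }
[xml]$dump = Get-Content -Path $DumpPath -Raw

# Each filter is an <item> with a <layerKey> and an <action>; the extra
# <action> test skips the nested <item> elements used for filter conditions.
$filters = $dump.SelectNodes('//item[layerKey and action]')

# Keep only filters whose action hands the packet to a callout driver.
$calloutFilters = foreach ($f in $filters) {
    $actionType = [string]$f.action.type
    if ($actionType -notlike 'FWP_ACTION_CALLOUT_*') { continue }
    [pscustomobject]@{
        Layer    = [string]$f.layerKey
        Action   = $actionType
        Callout  = [string]$f.action.calloutKey
        Provider = [string]$f.providerKey
        Name     = [string]$f.displayData.name
    }
}

# Per-layer summary: which layers have callouts attached and which ones.
$calloutFilters |
    Group-Object -Property Layer |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        '{0,-48} {1,3} callout filter(s)' -f $_.Name, $_.Count
        $_.Group.Callout | Sort-Object -Unique | ForEach-Object { "    $_" }
    }

# Full detail, suitable for diffing against a baseline from a known-good host.
$calloutFilters | Sort-Object -Property Layer, Name | Format-Table -AutoSize
```

Comparing the detailed listing with a baseline taken on a clean host makes an unexpected callout or provider on a given layer stand out immediately.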
