in network/trans/WFPSampler/sys/ClassifyFunctions_BasicPacketExaminationCallouts.cpp [4351:4971]
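/// Capacity of the scratch buffer that holds one textual IP address.  The longest
/// text produced by AddressValueToString is a fully spelled IPv6 address
/// (39 characters) or the short "unsupported type" marker, plus the terminator.
enum { ADDRESS_STRING_SIZE = 64 };

/**
 @private_function="ProtocolValueToString"

   Purpose:  Names, for debug output, the protocol carried in an IP_PROTOCOL
             condition value.                                                                    <br>
                                                                                                <br>
   Notes:    Returns "Unknown" rather than a null pointer when the value is absent,
             is not a UINT8, or is a protocol this routine does not recognize, so the
             result can always be handed straight to a "%s" conversion.                          <br>
*/
static const CHAR* ProtocolValueToString(const FWP_VALUE* pProtocolValue)
{
   const CHAR* pProtocolString = "Unknown";

   if(pProtocolValue &&
      pProtocolValue->type == FWP_UINT8)
   {
      if(pProtocolValue->uint8 == ICMPV4 ||
         pProtocolValue->uint8 == ICMPV6)
         pProtocolString = "ICMP";
      else if(pProtocolValue->uint8 == TCP)
         pProtocolString = "TCP";
      else if(pProtocolValue->uint8 == UDP)
         pProtocolString = "UDP";
      else if(pProtocolValue->uint8 == IPPROTO_RAW)
         pProtocolString = "Raw IP";
   }

   return pProtocolString;
}

/**
 @private_function="PortValueToUInt16"

   Purpose:  Extracts a port number from an IP_LOCAL_PORT / IP_REMOTE_PORT condition
             value.                                                                              <br>
                                                                                                <br>
   Notes:    A missing value, or one whose type is neither FWP_UINT16 nor FWP_UINT8,
             yields 0.  The union member is only read after its type tag has been
             checked.                                                                            <br>
*/
static UINT16 PortValueToUInt16(const FWP_VALUE* pPortValue)
{
   UINT16 port = 0;

   if(pPortValue)
   {
      if(pPortValue->type == FWP_UINT16)
         port = pPortValue->uint16;
      else if(pPortValue->type == FWP_UINT8)
         port = pPortValue->uint8;
   }

   return port;
}

/**
 @private_function="AddressValueToString"

   Purpose:  Writes the text form of an IP address condition value into pBuffer.                <br>
                                                                                                <br>
   Notes:    An FWP_UINT32 is an IPv4 address in host byte order, so its octets are
             emitted from the high byte down to print in conventional dotted order.
             An FWP_BYTE_ARRAY16_TYPE is an IPv6 address printed as eight hex groups.
             Any other type is reported as such instead of leaving stale buffer
             contents for the caller to print.                                                   <br>
                                                                                                <br>
   Return:   The status of RtlStringCchPrintfA.                                                  <br>
*/
static NTSTATUS AddressValueToString(const FWP_VALUE* pAddressValue,
                                     CHAR* pBuffer,
                                     size_t bufferSize)
{
   NTSTATUS status = STATUS_SUCCESS;

   if(pAddressValue->type == FWP_UINT32)
   {
      const BYTE* pAddress = (const BYTE*)&(pAddressValue->uint32);

      status = RtlStringCchPrintfA(pBuffer,
                                   bufferSize,
                                   "%d.%d.%d.%d",
                                   pAddress[3],
                                   pAddress[2],
                                   pAddress[1],
                                   pAddress[0]);
   }
   else if(pAddressValue->type == FWP_BYTE_ARRAY16_TYPE)
   {
      const BYTE* pAddress = (const BYTE*)pAddressValue->byteArray16;

      status = RtlStringCchPrintfA(pBuffer,
                                   bufferSize,
                                   "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
                                   pAddress[0],  pAddress[1],  pAddress[2],  pAddress[3],
                                   pAddress[4],  pAddress[5],  pAddress[6],  pAddress[7],
                                   pAddress[8],  pAddress[9],  pAddress[10], pAddress[11],
                                   pAddress[12], pAddress[13], pAddress[14], pAddress[15]);
   }
   else
   {
      /// Make an unexpected value type visible in the trace rather than silently
      /// printing whatever the buffer held before.
      status = RtlStringCchPrintfA(pBuffer,
                                   bufferSize,
                                   "<unsupported address type %#x>",
                                   pAddressValue->type);
   }

   return status;
}

/**
 @private_function="FormatEndpointString"

   Purpose:  Formats "<protocol> <local address> : <local port>" into pString, and
             appends " To <remote address> : <remote port>" when a remote address
             value is supplied.                                                                  <br>
                                                                                                <br>
   Notes:    pString must hold MAX_STRING_SIZE characters.  pRemoteAddressValue may be
             null; pLocalAddressValue must not be.  Every write is bounded by
             RtlStringCchPrintfA, and the address text is passed as a "%s" argument,
             never as a format string.                                                           <br>
                                                                                                <br>
   Return:   The first failing RtlStringCchPrintfA status, else STATUS_SUCCESS.                  <br>
*/
static NTSTATUS FormatEndpointString(_In_ PSTR pString,
                                     _In_ const CHAR* pProtocolString,
                                     _In_ const FWP_VALUE* pLocalAddressValue,
                                     UINT16 localPort,
                                     const FWP_VALUE* pRemoteAddressValue,
                                     UINT16 remotePort)
{
   CHAR     localAddressString[ADDRESS_STRING_SIZE]  = {0};
   CHAR     remoteAddressString[ADDRESS_STRING_SIZE] = {0};
   NTSTATUS status                                   = AddressValueToString(pLocalAddressValue,
                                                                            localAddressString,
                                                                            ADDRESS_STRING_SIZE);

   if(status == STATUS_SUCCESS &&
      pRemoteAddressValue)
      status = AddressValueToString(pRemoteAddressValue,
                                    remoteAddressString,
                                    ADDRESS_STRING_SIZE);

   if(status == STATUS_SUCCESS)
   {
      if(pRemoteAddressValue)
         status = RtlStringCchPrintfA(pString,
                                      MAX_STRING_SIZE,
                                      "\n\t\t\t%s %s : %d To %s : %d\n",
                                      pProtocolString,
                                      localAddressString,
                                      localPort,
                                      remoteAddressString,
                                      remotePort);
      else
         status = RtlStringCchPrintfA(pString,
                                      MAX_STRING_SIZE,
                                      "\n\t\t\t%s %s : %d\n",
                                      pProtocolString,
                                      localAddressString,
                                      localPort);
   }

   return status;
}

/**
 @private_function="FormatStreamIOPacketString"

   Purpose:  Formats the fields of a stream-layer callout I/O packet into pString.              <br>
                                                                                                <br>
   Notes:    pIOPacket->streamData may be null; its fields are then reported as 0.
             Every byte count is widened to UINT64 and printed with %I64u so the
             conversion matches the argument width on both 32- and 64-bit builds.               <br>
                                                                                                <br>
   Return:   The status of RtlStringCchPrintfA.                                                  <br>
*/
static NTSTATUS FormatStreamIOPacketString(_In_ PSTR pString,
                                           _In_ const FWPS_STREAM_CALLOUT_IO_PACKET0* pIOPacket)
{
   return RtlStringCchPrintfA(pString,
                              MAX_STRING_SIZE,
                              "\n"
                              "\t\t\tStreamData:\n"
                              "\t\t\t\tFlags: %#x\n"
                              "\t\t\t\tDataLength: %I64u\n"
                              "\t\t\tBytesMissed: %I64u\n"
                              "\t\t\tBytesRequired: %I64u\n"
                              "\t\t\tBytesEnforced: %I64u\n"
                              "\t\t\tStreamAction: %#x\n",
                              pIOPacket->streamData ? pIOPacket->streamData->flags : 0,
                              (UINT64)(pIOPacket->streamData ? pIOPacket->streamData->dataLength : 0),
                              (UINT64)(pIOPacket->missedBytes),
                              (UINT64)(pIOPacket->countBytesRequired),
                              (UINT64)(pIOPacket->countBytesEnforced),
                              pIOPacket->streamAction);
}

/**
 @private_function="PerformBasicPacketExaminationAtOther"

   Purpose:  Traces, for the stream and ALE layers that are not covered by the
             transport / network examination routines, the layer name and either the
             stream I/O packet or the local (and, for connect-redirect, remote)
             endpoint of the classified flow.                                                    <br>
                                                                                                <br>
   Notes:    The condition values are fetched from the incoming values of the layer
             and each union member is read only after its type tag has been checked.
             Output is produced only when the address value is present and the
             formatting succeeded; nothing is printed otherwise.  Every local that
             needs an initializer is declared before HLPR_BAIL_ON_ALLOC_FAILURE, which
             bails to HLPR_BAIL_LABEL and must not jump past an initialized declaration
             (ill-formed in C++).                                                               <br>
                                                                                                <br>
   Params:   pClassifyData - classification context; pClassifyValues must be set.               <br>
*/
VOID PerformBasicPacketExaminationAtOther(_In_ CLASSIFY_DATA* pClassifyData)
{
#if DBG
   DbgPrintEx(DPFLTR_IHVNETWORK_ID,
              DPFLTR_INFO_LEVEL,
              " ---> PerformBasicPacketExaminationAtOther()\n");
#endif /// DBG

   NT_ASSERT(pClassifyData);
   NT_ASSERT(pClassifyData->pClassifyValues);

   NTSTATUS         status            = STATUS_SUCCESS;
   PSTR             pString           = 0;
   const UINT16     layerId           = pClassifyData->pClassifyValues->layerId;
   /// Set by the layer dispatch below; a null label means the layer yields no endpoint line.
   const CHAR*      pLabel            = 0;
   /// Only the connect-redirect layers report a peer; for every other layer these stay null.
   const FWP_VALUE* pPeerAddressValue = 0;
   const FWP_VALUE* pPeerPortValue    = 0;

#pragma warning(push)
#pragma warning(disable: 28193) /// value is checked before use

   FWP_VALUE* pLocalAddressValue = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyData->pClassifyValues,
                                                                             &FWPM_CONDITION_IP_LOCAL_ADDRESS);
   FWP_VALUE* pProtocolValue     = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyData->pClassifyValues,
                                                                             &FWPM_CONDITION_IP_PROTOCOL);
   FWP_VALUE* pLocalPortValue    = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyData->pClassifyValues,
                                                                             &FWPM_CONDITION_IP_LOCAL_PORT);

#pragma warning(pop)

#if(NTDDI_VERSION >= NTDDI_WIN7)

#pragma warning(push)
#pragma warning(disable: 28193) /// value is checked before use

   FWP_VALUE* pRemoteAddressValue = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyData->pClassifyValues,
                                                                              &FWPM_CONDITION_IP_REMOTE_ADDRESS);
   FWP_VALUE* pRemotePortValue    = KrnlHlprFwpValueGetFromFwpsIncomingValues(pClassifyData->pClassifyValues,
                                                                              &FWPM_CONDITION_IP_REMOTE_PORT);

#pragma warning(pop)

#endif /// (NTDDI_VERSION >= NTDDI_WIN7)

   /// Resolved once for all endpoint layers; the listen layers override it with a
   /// fixed "TCP" below (that layer applies to TCP only).
   const CHAR* pProtocolString = ProtocolValueToString(pProtocolValue);

   DbgPrintEx(DPFLTR_IHVNETWORK_ID,
              DPFLTR_INFO_LEVEL,
              "\tLayer:%s\n",
              KrnlHlprFwpsLayerIDToString(layerId));

   HLPR_NEW_ARRAY(pString,
                  CHAR,
                  MAX_STRING_SIZE,
                  WFPSAMPLER_CALLOUT_DRIVER_TAG);
   HLPR_BAIL_ON_ALLOC_FAILURE(pString,
                              status);

   switch(layerId)
   {
      case FWPS_LAYER_STREAM_V4:
      case FWPS_LAYER_STREAM_V6:
      {
         FWPS_STREAM_CALLOUT_IO_PACKET0* pIOPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)(pClassifyData->pPacket);

         if(pIOPacket)
         {
            status = FormatStreamIOPacketString(pString,
                                                pIOPacket);
            if(status == STATUS_SUCCESS)
               DbgPrintEx(DPFLTR_IHVNETWORK_ID,
                          DPFLTR_INFO_LEVEL,
                          "\t\tStreamCalloutIOPacket: %s",
                          pString);
         }

         break;
      }
      case FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V4:
      case FWPS_LAYER_ALE_RESOURCE_ASSIGNMENT_V6:
      {
         pLabel = "Binding";

         break;
      }
      case FWPS_LAYER_ALE_AUTH_LISTEN_V4:
      case FWPS_LAYER_ALE_AUTH_LISTEN_V6:
      {
         pLabel          = "Listening";
         pProtocolString = "TCP";

         break;
      }
#if(NTDDI_VERSION >= NTDDI_WIN7)
      case FWPS_LAYER_ALE_RESOURCE_RELEASE_V4:
      case FWPS_LAYER_ALE_RESOURCE_RELEASE_V6:
      {
         pLabel = "Releasing";

         break;
      }
      case FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V4:
      case FWPS_LAYER_ALE_ENDPOINT_CLOSURE_V6:
      {
         pLabel = "Closing";

         break;
      }
      case FWPS_LAYER_ALE_CONNECT_REDIRECT_V4:
      case FWPS_LAYER_ALE_CONNECT_REDIRECT_V6:
      {
         pLabel            = "Inspecting";
         pPeerAddressValue = pRemoteAddressValue;
         pPeerPortValue    = pRemotePortValue;

         break;
      }
      case FWPS_LAYER_ALE_BIND_REDIRECT_V4:
      case FWPS_LAYER_ALE_BIND_REDIRECT_V6:
      {
         pLabel = "Inspecting";

         break;
      }
#endif /// (NTDDI_VERSION >= NTDDI_WIN7)
      default:
      {
         /// Other layers get only the "Layer:" line printed above.
         break;
      }
   }

   /// A missing remote value degrades to the local-only form rather than suppressing
   /// the line; a missing local address prints nothing, as before.
   if(pLabel &&
      pLocalAddressValue)
   {
      status = FormatEndpointString(pString,
                                    pProtocolString,
                                    pLocalAddressValue,
                                    PortValueToUInt16(pLocalPortValue),
                                    pPeerAddressValue,
                                    PortValueToUInt16(pPeerPortValue));
      if(status == STATUS_SUCCESS)
         DbgPrintEx(DPFLTR_IHVNETWORK_ID,
                    DPFLTR_INFO_LEVEL,
                    "\t\t%s: %s",
                    pLabel,
                    pString);
   }

   HLPR_BAIL_LABEL:

   HLPR_DELETE_ARRAY(pString,
                     WFPSAMPLER_CALLOUT_DRIVER_TAG);

#if DBG
   DbgPrintEx(DPFLTR_IHVNETWORK_ID,
              DPFLTR_INFO_LEVEL,
              " <--- PerformBasicPacketExaminationAtOther()\n");
#endif /// DBG

   return;
}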