Writing a port blocker

Posted on 2002-07-24
Medium Priority
Last Modified: 2013-11-15
What is the best way to write a port blocker on the Windows platform?
Surely if I just opened sockets and left them open it would achieve the result I want.  However, this would use a lot of resources if I wanted to span a range of over a thousand ports plus.

Question by:cwgues

Expert Comment

ID: 7173959
Why don't you be more descriptive about what you mean by "port blocker"?

Author Comment

ID: 7173978
Ok, I meant 'port-blocker' as a daemon process that resides on a server, denying connections to specified ports.

Expert Comment

ID: 7174040
Why don't you be more descriptive about what you mean by "server". Is this Windows of some type, Unix, Linux, BSD?

Accepted Solution

abusimbel earned 400 total points
ID: 7174545

The solution for doing this is to create an NDIS driver that you can apply over your network device and perform the packet drop at the lowest level. It is the same solution we can use for creating a sniffer or a firewall.

You can take a look at the following pages, http://www.tcpdump.org/wpcap.html or http://winpcap.polito.it/, where you can find the sources of a free sniffing driver you can use as an example.

Another, easier option if you have Windows 2000 is to use a filter-hook driver. You will only need a few lines of code and the loading method of the hook:

Take a look at the Windows Platform DDK in the MSDN library, section Hooks [http://msdn.microsoft.com/library/en-us/network/hh/network/fltrhook_6hd3.asp?frame=false]. I will extract some interesting points for you:


The filter hook in this example is a simple filter hook that makes forward and drop decisions, based on certain packet properties. This example shows how the filter hook specifies to drop Transmission Control Protocol (TCP) packets and to forward packets from all other protocols.

If packets with specific IP addresses or TCP/UDP port numbers must be filtered, consider creating a user-mode application that uses the Packet Filtering API instead. The Packet Filtering API optimizes the system-supplied IP filter driver to process packets without the overhead that is associated with a filter-hook driver. For more information about the Packet Filtering API, see the Microsoft Windows Platform SDK documentation.

#include <ntddk.h>
#include <pfhook.h>     // IPHeader, IPAddr, PF_FORWARD_ACTION, hook prototype

#define PROT_TCP   6

// Drop all TCP packets
// (the page dropped the function name, the return type and the cast of
//  PacketHeader; they are restored here following the PacketFilterExtensionPtr
//  prototype in pfhook.h, with cbFilterFunction as the name)
PF_FORWARD_ACTION
cbFilterFunction(
        unsigned char   *PacketHeader,       // IP header of the packet
        unsigned char   *Packet,             // data following the IP header
        unsigned int    PacketLength,        // length of Packet, in bytes
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    // PacketHeader is a raw byte pointer; view it as the DDK's IPHeader
    if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP)
        return PF_DROP;
    return PF_FORWARD;
}

Initializing and Unloading the Filter-Hook Driver
All kernel-mode drivers create and initialize a device object for the driver object. The filter-hook driver's DriverEntry routine can also register the driver's filter hook with the IP filter driver.

If a user-mode application or a higher-level driver sends an I/O control request to the filter-hook driver to set up the filter hook, then the DriverEntry routine must specify and export an entry point that enables device control. This entry point is an IRP_MJ_DEVICE_CONTROL dispatch routine. If DriverEntry enables device control in this way, this device-control routine registers the driver's filter hook rather than DriverEntry.

The DriverEntry routine must specify and export an entry point that unloads the filter-hook driver. This unload routine removes the device that was created in DriverEntry but must not clear the previously registered filter hook when the operating system unloads the filter-hook driver.

Setting and Clearing a Filter Hook
A filter-hook driver sets its filter-hook callback function to the IP filter driver to inform that IP filter driver to call the hook callback for every IP packet that is received or transmitted. A filter-hook driver might also clear a previously registered hook callback. To register or clear a hook callback function, the filter-hook driver must first create an IRP using a pointer to the device object for the IP filter driver and IOCTL_PF_SET_EXTENSION_POINTER. The filter-hook driver then submits this IRP to the IP filter driver.

The filter-hook driver sets or clears hook callback functions as follows:

1. Calls the IoGetDeviceObjectPointer function to retrieve a pointer to the device object for the IP filter driver. The filter-hook driver passes:
   - A pointer to a buffer that contains the string for the name of the IP filter driver
   - Values that specify synchronous, read, and write access to the IP filter driver
   - Pointers to buffers to hold the returned file and device objects

2. Calls the IoBuildDeviceIoControlRequest function to set up an IRP. The filter-hook driver passes parameters that specify:
   - A pointer to the device object for the IP filter driver
   - A buffer that contains a PF_SET_EXTENSION_HOOK_INFO structure. To set the filter hook, this structure holds the address of the filter-hook callback function. To clear the filter hook, this structure contains a NULL value.
   This call returns a pointer to an IRP with the I/O stack location set up from the supplied parameters.

3. Calls the IoCallDriver function to submit the IRP to the IP filter driver. The filter-hook driver passes the pointer to the device object for the IP filter driver and a pointer to the previously created IRP.

The filter-hook driver must clear its filter hook from the same entity to which it registered its filter hook; therefore, the filter-hook driver should store the pointers to the IP filter driver's file and device objects in global variables. Only then can the filter-hook driver call the ObDereferenceObject function to decrement the reference count of the IP filter driver's file and device objects.

Good luck,
Abusimbel, The Apprentice.
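The question asked for a blocker spanning a range of more than a thousand ports, and the DDK sample above only drops all of TCP. The block below is an added example, not code from the page, from abusimbel's answer or from the DDK: it is a port-range check written in the shape of the filter-hook callback, compiled as ordinary user-mode C so the decision logic can be run against constructed packets. The IPHeader, IPAddr and PF_FORWARD_ACTION definitions are local stand-ins assumed to mirror pfhook.h; the blocked range 135-1500, the callback name cbPortBlocker and the decide() helper are assumptions for the example; and the example assumes, as the DDK documents, that Packet points just past the IP header and PacketLength counts only that data (check pfhook.h for the exact contract). In a driver, the same function would be registered through IOCTL_PF_SET_EXTENSION_POINTER exactly as the answer describes.

```c
/* Port-range blocker in the shape of a Windows 2000 IP filter-hook callback.
 * Added example, not from the page, the DDK or the answer above. Builds as
 * user-mode C so the logic can be exercised; in a driver the typedefs come
 * from pfhook.h and the hook is set with IOCTL_PF_SET_EXTENSION_POINTER. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the DDK definitions (assumed to mirror pfhook.h). */
typedef uint32_t IPAddr;
typedef enum { PF_FORWARD = 0, PF_DROP = 1, PF_PASS = 2 } PF_FORWARD_ACTION;

typedef struct {
    uint8_t  iph_verlen;    /* version (high nibble) | header length in dwords */
    uint8_t  iph_tos;
    uint16_t iph_length;    /* total length, network byte order */
    uint16_t iph_id;
    uint16_t iph_offset;    /* flags (3 bits) + fragment offset, network order */
    uint8_t  iph_ttl;
    uint8_t  iph_protocol;
    uint16_t iph_xsum;
    IPAddr   iph_src;
    IPAddr   iph_dest;
} IPHeader;

#define PROT_TCP 6
#define PROT_UDP 17

/* Destination-port range to block, inclusive (assumed for the example). */
#define BLOCK_PORT_LO 135
#define BLOCK_PORT_HI 1500

static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Hook callback. Assumes PacketHeader points at the IP header (options
 * included, so no IHL arithmetic is needed), Packet at the data just past
 * it, and PacketLength is the length of Packet only. */
PF_FORWARD_ACTION cbPortBlocker(unsigned char *PacketHeader,
                                unsigned char *Packet,
                                unsigned int   PacketLength,
                                unsigned int   RecvInterfaceIndex,
                                unsigned int   SendInterfaceIndex,
                                IPAddr         RecvLinkNextHop,
                                IPAddr         SendLinkNextHop)
{
    IPHeader ip;
    (void)RecvInterfaceIndex; (void)SendInterfaceIndex;
    (void)RecvLinkNextHop;    (void)SendLinkNextHop;

    memcpy(&ip, PacketHeader, sizeof ip);   /* no unaligned/aliased access */
    if ((ip.iph_verlen >> 4) != 4)
        return PF_FORWARD;                  /* not IPv4: not our concern */
    if (ip.iph_protocol != PROT_TCP && ip.iph_protocol != PROT_UDP)
        return PF_FORWARD;                  /* only TCP and UDP carry ports */

    /* iph_offset read as bytes to stay byte-order independent. A non-first
     * fragment has no transport header; the first fragment was judged on
     * its own, and without it the stack cannot reassemble the rest. */
    unsigned frag_off = ((PacketHeader[6] & 0x1Fu) << 8) | PacketHeader[7];
    if (frag_off != 0)
        return PF_FORWARD;

    /* Fail closed: TCP and UDP both keep the destination port at bytes 2-3;
     * a first fragment too short to hold it is dropped, not waved through. */
    if (PacketLength < 4)
        return PF_DROP;

    uint16_t dport = read_be16(Packet + 2);
    if (dport >= BLOCK_PORT_LO && dport <= BLOCK_PORT_HI)
        return PF_DROP;
    return PF_FORWARD;
}

/* Constructed input: a minimal IPv4 header plus an 8-byte transport header,
 * handed to the hook the way the IP filter driver would (header and payload
 * as separate pointers). Helper added for the example only. */
PF_FORWARD_ACTION decide(uint8_t proto, uint16_t dport, uint16_t frag_off,
                         unsigned int payload_len)
{
    unsigned char pkt[60];
    memset(pkt, 0, sizeof pkt);
    if (payload_len > sizeof pkt - 20)
        payload_len = (unsigned int)(sizeof pkt - 20);
    pkt[0] = 0x45;                                    /* IPv4, IHL 5 */
    pkt[2] = (unsigned char)((20 + payload_len) >> 8);
    pkt[3] = (unsigned char)((20 + payload_len) & 0xFF);
    pkt[6] = (unsigned char)((frag_off >> 8) & 0x1F);
    pkt[7] = (unsigned char)(frag_off & 0xFF);
    pkt[8] = 64;                                      /* TTL */
    pkt[9] = proto;
    pkt[20] = 0x9C; pkt[21] = 0x40;                   /* source port 40000 */
    pkt[22] = (unsigned char)(dport >> 8);
    pkt[23] = (unsigned char)(dport & 0xFF);
    return cbPortBlocker(pkt, pkt + 20, payload_len, 0, 0, 0, 0);
}

int main(void)
{
    printf("TCP/445  -> %s\n", decide(PROT_TCP, 445, 0, 20) == PF_DROP ? "drop" : "forward");
    printf("TCP/80   -> %s\n", decide(PROT_TCP, 80, 0, 20) == PF_DROP ? "drop" : "forward");
    printf("UDP/1434 non-first fragment -> %s\n",
           decide(PROT_UDP, 1434, 185, 8) == PF_DROP ? "drop" : "forward");
    return 0;
}
```

Two design points matter for a blocker of this kind: the check must fail closed on a packet too short to carry the ports, and it must decide explicitly what to do with non-first fragments, since they carry no port and a fragment-based evasion otherwise slips past a naive port check. Here non-first fragments are forwarded because the first fragment, the only one with a transport header, already received the verdict; on a host that is acceptable, since reassembly fails without it.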

Author Comment

ID: 7187520
Thanks very much abusimbel, your answer was very informative.

jhance I suggest you follow this hyperlink
