Solved

Writing a port blocker

Posted on 2002-07-24
387 Views
Last Modified: 2013-11-15
What is the best way to write a port blocker on the Windows platform?
Surely if I just opened sockets and left them open it would achieve the result I want.  However, this would use a lot of resources if I wanted to span a range of over a thousand ports plus.

TIA
Question by:cwgues
5 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 7173959
Why don't you be more descriptive about what you mean by "port blocker"??
 
LVL 1

Author Comment

by:cwgues
ID: 7173978
Ok, I meant 'port-blocker' as a daemon process that resides on a server denying connections to be made to specified ports.
 
LVL 32

Expert Comment

by:jhance
ID: 7174040
Why don't you be more descriptive about what you mean by "server".  Is this Windows of some type, Unix, Linux, BSD????
 
LVL 3

Accepted Solution

by:abusimbel (earned 100 total points)
ID: 7174545
Hello,

The solution for doing this is creating an NDIS driver you can apply over your network device and perform the packet drop at the lowest level. It is the same solution we can use for creating a sniffer or firewall.

You can take a look at the following page http://www.tcpdump.org/wpcap.html or http://winpcap.polito.it/ where you can find the sources of a free sniffing driver you can use as an example.

Another, easier option if you have Windows 2000 is to use a filter-hook driver. You will only need a few lines of code and the loading method of the hook:

Take a look at the Windows Platform DDK in the MSDN library section Hooks [http://msdn.microsoft.com/library/en-us/network/hh/network/fltrhook_6hd3.asp?frame=false]. I will extract for you some interesting issues:



_______________

The filter hook in this example is a simple filter hook that makes forward and drop decisions, based on certain packet properties. This example shows how the filter hook specifies to drop Transmission Control Protocol (TCP) packets and to forward packets from all other protocols.

If packets with specific IP addresses or TCP/UDP port numbers must be filtered, consider creating a user-mode application that uses the Packet Filtering API instead. The Packet Filtering API optimizes the system-supplied IP filter driver to process packets without the overhead that is associated with a filter-hook driver. For more information about the Packet Filtering API, see the Microsoft Windows Platform SDK documentation.

#include <pfhook.h>    // DDK header that defines PF_FORWARD_ACTION, IPAddr and IPHeader

#define PROT_TCP   6

// Drop all TCP packets

PF_FORWARD_ACTION
DropTcpPackets(
        unsigned char   *PacketHeader,
        unsigned char   *Packet,
        unsigned int    PacketLength,
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    // PacketHeader is a byte pointer; view it as the DDK's IPHeader structure
    // before reading the protocol field
    IPHeader *ipHeader = (IPHeader *)PacketHeader;

    if (ipHeader->iph_protocol == PROT_TCP)
    {
        return PF_DROP;
    }
    return PF_FORWARD;
}
_______________

Initializing and Unloading the Filter-Hook Driver
All kernel-mode drivers create and initialize a device object for the driver object. The filter-hook driver's DriverEntry routine can also register the driver's filter hook with the IP filter driver.

If a user-mode application or a higher-level driver sends an I/O control request to the filter-hook driver to set up the filter hook, then the DriverEntry routine must specify and export an entry point that enables device control. This entry point is an IRP_MJ_DEVICE_CONTROL dispatch routine. If DriverEntry enables device control in this way, this device-control routine registers the driver's filter hook rather than DriverEntry.

The DriverEntry routine must specify and export an entry point that unloads the filter-hook driver. This unload routine removes the device that was created in DriverEntry but must not clear the previously registered filter hook when the operating system unloads the filter-hook driver.
_______________

Setting and Clearing a Filter Hook
A filter-hook driver sets its filter-hook callback function to the IP filter driver to inform that IP filter driver to call the hook callback for every IP packet that is received or transmitted. A filter-hook driver might also clear a previously registered hook callback. To register or clear a hook callback function, the filter-hook driver must first create an IRP using a pointer to the device object for the IP filter driver and IOCTL_PF_SET_EXTENSION_POINTER. The filter-hook driver then submits this IRP to the IP filter driver.

The filter-hook driver sets or clears hook callback functions as follows:

1. Calls the IoGetDeviceObjectPointer function to retrieve a pointer to the device object for the IP filter driver. The filter-hook driver passes:
   - A pointer to a buffer that contains the string for the name of the IP filter driver
   - Values that specify synchronous, read, and write access to the IP filter driver
   - Pointers to buffers to hold the returned file and device objects

2. Calls the IoBuildDeviceIoControlRequest function to set up an IRP. The filter-hook driver passes parameters that specify:
   - IOCTL_PF_SET_EXTENSION_POINTER value
   - Pointer to the device object for the IP filter driver
   - Buffer that contains a PF_SET_EXTENSION_HOOK_INFO structure. To set the filter hook, this structure holds information that specifies the address of the filter-hook callback function. To clear the filter hook, this structure contains a NULL value.

   This call returns a pointer to an IRP with the I/O stack location set up from the supplied parameters.

3. Calls the IoCallDriver function to submit the IRP to the IP filter driver. The filter-hook driver passes parameters that specify the pointer to the device object for the IP filter driver and a pointer to the previously created IRP.

The filter-hook driver must clear its filter hook from the same entity to which it registered its filter hook; therefore, the filter-hook driver should store the pointers to the IP filter driver's file and device objects in global variables. Only then can the filter-hook driver call the ObDereferenceObject function to decrement the reference count of the IP filter driver's file and device objects.
___________



Good luck,
Abusimbel, The Apprentice.
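The DDK sample above drops every TCP packet; the question actually asks for a hook that denies traffic to a range of ports. The following is an added example (it is not from the answer above nor from the Microsoft DDK) of a filter-hook callback with the same signature that parses the IPv4 header, reads the TCP/UDP destination port and drops packets aimed at a blocked range. So that it compiles and runs outside the kernel, it defines stand-ins for the pfhook.h types (PF_FORWARD_ACTION, IPAddr) and builds constructed packets inline; a real driver would include pfhook.h, delete those stand-ins, and register BlockPortRange through IOCTL_PF_SET_EXTENSION_POINTER as described in the quoted steps. The blocked range 1024..2047 and the reading of PacketLength as the number of bytes at Packet are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the DDK's pfhook.h definitions so this compiles and runs in
 * user mode (assumption: a real kernel build includes pfhook.h instead and
 * deletes these two typedefs). */
typedef uint32_t IPAddr;
typedef enum { PF_FORWARD = 0, PF_DROP = 1, PF_PASS = 2 } PF_FORWARD_ACTION;

#define PROT_TCP 6
#define PROT_UDP 17

/* Constructed policy for the example: deny TCP/UDP traffic to ports
 * 1024..2047 inclusive. A real driver would receive this range from its
 * IRP_MJ_DEVICE_CONTROL routine rather than hard-code it. */
static const unsigned short BLOCK_LO = 1024;
static const unsigned short BLOCK_HI = 2047;

/* Read a 16-bit big-endian (network order) field. */
static unsigned short be16(const unsigned char *p)
{
    return (unsigned short)((p[0] << 8) | p[1]);
}

/* Filter-hook callback with the signature the DDK sample uses. PacketHeader
 * points at the IPv4 header; Packet points at the bytes after it (the TCP or
 * UDP header); PacketLength is taken here as the byte count at Packet
 * (assumption). */
PF_FORWARD_ACTION
BlockPortRange(
        unsigned char   *PacketHeader,
        unsigned char   *Packet,
        unsigned int    PacketLength,
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    (void)RecvInterfaceIndex; (void)SendInterfaceIndex;
    (void)RecvLinkNextHop;    (void)SendLinkNextHop;

    /* Only IPv4 is parsed; anything else is left to the stack. */
    if ((PacketHeader[0] >> 4) != 4)
        return PF_FORWARD;

    unsigned char protocol = PacketHeader[9];
    if (protocol != PROT_TCP && protocol != PROT_UDP)
        return PF_FORWARD;

    /* Fragment offset is the low 13 bits of bytes 6-7. A non-first fragment
     * carries no transport header, so its port cannot be checked; dropping it
     * stops a blocked port from being reached through fragmentation. */
    if ((be16(PacketHeader + 6) & 0x1FFF) != 0)
        return PF_DROP;

    /* TCP and UDP both put the destination port at offset 2 of their header. */
    if (PacketLength < 4)
        return PF_DROP;     /* truncated transport header: refuse to guess */

    unsigned short dport = be16(Packet + 2);
    if (dport >= BLOCK_LO && dport <= BLOCK_HI)
        return PF_DROP;

    return PF_FORWARD;
}

/* Builds a constructed 20-byte IPv4 header and 20-byte transport header and
 * runs the hook on them, so the decision logic can be exercised offline. */
PF_FORWARD_ACTION
RunHookOn(unsigned char protocol, unsigned short dport, unsigned short frag_off)
{
    unsigned char hdr[20]  = {0};
    unsigned char body[20] = {0};

    hdr[0] = 0x45;                         /* version 4, IHL 5 (20 bytes) */
    hdr[3] = 40;                           /* total length: 20 + 20 */
    hdr[6] = (unsigned char)(frag_off >> 8);
    hdr[7] = (unsigned char)frag_off;
    hdr[8] = 64;                           /* TTL */
    hdr[9] = protocol;
    hdr[12] = 10; hdr[15] = 1;             /* src 10.0.0.1 (constructed) */
    hdr[16] = 10; hdr[19] = 2;             /* dst 10.0.0.2 (constructed) */

    body[0] = 0x04; body[1] = 0xD2;        /* source port 1234 */
    body[2] = (unsigned char)(dport >> 8);
    body[3] = (unsigned char)dport;

    return BlockPortRange(hdr, body, sizeof body, 0, 0, 0, 0);
}

int main(void)
{
    printf("TCP to 1500: %s\n", RunHookOn(PROT_TCP, 1500, 0) == PF_DROP ? "drop" : "forward");
    printf("TCP to 80:   %s\n", RunHookOn(PROT_TCP, 80, 0) == PF_DROP ? "drop" : "forward");
    printf("UDP fragment (offset 185) to 53: %s\n",
           RunHookOn(PROT_UDP, 53, 185) == PF_DROP ? "drop" : "forward");
    return 0;
}
```

Two design points worth noting. The hook is called for every packet received or transmitted, so the check costs a handful of byte reads per packet and no sockets are held open, which addresses the resource concern in the question. The non-first-fragment case is the one a port filter most often gets wrong: such fragments have no port field, and forwarding them blindly would let the filter be bypassed; the example drops them, a conservative choice that should be revisited if the host relies on fragmented UDP to allowed ports.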
 
LVL 1

Author Comment

by:cwgues
ID: 7187520
Thanks very much abusimbel, your answer was very informative.

jhance I suggest you follow this hyperlink
http://www.dictionary.com/cgi-bin/dict.pl?term=pedantic
