• Status: Solved

Writing a port blocker

What is the best way to write a port blocker on the Windows platform?
Surely if I just opened sockets and left them open it would achieve the result I want.  However, this would use a lot of resources if I wanted to span a range of over a thousand ports plus.

1 Solution
Why don't you be more descriptive about what you mean by "port blocker"?
cwgues (Author) Commented:
Ok, I meant 'port-blocker' as a daemon process that resides on a server, preventing connections from being made to specified ports.
Why don't you be more descriptive about what you mean by "server"? Is this Windows of some type, Unix, Linux, BSD?

The solution for doing this is creating an NDIS driver you can apply over your network device and perform the packet drop at the lowest level. It is the same solution we can use for creating a sniffer or firewall.

You can take a look at the following page http://www.tcpdump.org/wpcap.html or http://winpcap.polito.it/ where you can find the sources of a free sniffing driver you can use as an example.

Another, easier option if you have Windows 2000 is to use a filter-hook driver. You will only need a few lines of code and the loading method of the hook:

Take a look at the Windows Platform DDK in the MSDN library section Hooks [http://msdn.microsoft.com/library/en-us/network/hh/network/fltrhook_6hd3.asp?frame=false]. I will extract for you some interesting issues:


The filter hook in this example is a simple filter hook that makes forward and drop decisions, based on certain packet properties. This example shows how the filter hook specifies to drop Transmission Control Protocol (TCP) packets and to forward packets from all other protocols.

If packets with specific IP addresses or TCP/UDP port numbers must be filtered, consider creating a user-mode application that uses the Packet Filtering API instead. The Packet Filtering API optimizes the system-supplied IP filter driver to process packets without the overhead that is associated with a filter-hook driver. For more information about the Packet Filtering API, see the Microsoft Windows Platform SDK documentation.

#define PROT_TCP   6

// Drop all TCP packets.
// The callback name is arbitrary; the IP filter driver learns its address
// through the PF_SET_EXTENSION_HOOK_INFO structure described below.
PF_FORWARD_ACTION
FilterHookCallback(
        unsigned char   *PacketHeader,      // points at the IP header
        unsigned char   *Packet,            // payload following the IP header
        unsigned int    PacketLength,
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    // PacketHeader is passed as a byte pointer; cast to the DDK's IPHeader
    // type to read the protocol field.
    if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP)
        return PF_DROP;         // discard every TCP packet
    return PF_FORWARD;          // let all other protocols through
}

Initializing and Unloading the Filter-Hook Driver
All kernel-mode drivers create and initialize a device object for the driver object. The filter-hook driver's DriverEntry routine can also register the driver's filter hook with the IP filter driver.

If a user-mode application or a higher-level driver sends an I/O control request to the filter-hook driver to set up the filter hook, then the DriverEntry routine must specify and export an entry point that enables device control. This entry point is an IRP_MJ_DEVICE_CONTROL dispatch routine. If DriverEntry enables device control in this way, this device-control routine registers the driver's filter hook rather than DriverEntry.

The DriverEntry routine must specify and export an entry point that unloads the filter-hook driver. This unload routine removes the device that was created in DriverEntry but must not clear the previously registered filter hook when the operating system unloads the filter-hook driver.

Setting and Clearing a Filter Hook
A filter-hook driver sets its filter-hook callback function to the IP filter driver to inform that IP filter driver to call the hook callback for every IP packet that is received or transmitted. A filter-hook driver might also clear a previously registered hook callback. To register or clear a hook callback function, the filter-hook driver must first create an IRP using a pointer to the device object for the IP filter driver and IOCTL_PF_SET_EXTENSION_POINTER. The filter-hook driver then submits this IRP to the IP filter driver.

The filter-hook driver sets or clears hook callback functions as follows:

1. Calls the IoGetDeviceObjectPointer function to retrieve a pointer to the device object for the IP filter driver. The filter-hook driver passes:
   • A pointer to a buffer that contains the string for the name of the IP filter driver
   • Values that specify synchronous, read, and write access to the IP filter driver
   • Pointers to buffers to hold the returned file and device objects

2. Calls the IoBuildDeviceIoControlRequest function to set up an IRP. The filter-hook driver passes parameters that specify:
   • Pointer to the device object for the IP filter driver
   • Buffer that contains a PF_SET_EXTENSION_HOOK_INFO structure. To set the filter hook, this structure holds information that specifies the address of the filter-hook callback function. To clear the filter hook, this structure contains a NULL value.

   This call returns a pointer to an IRP with the I/O stack location set up from the supplied parameters.

3. Calls the IoCallDriver function to submit the IRP to the IP filter driver. The filter-hook driver passes parameters that specify the pointer to the device object for the IP filter driver and a pointer to the previously created IRP.

The filter-hook driver must clear its filter hook from the same entity to which it registered its filter hook; therefore, the filter-hook driver should store the pointers to the IP filter driver's file and device objects in global variables. Only then can the filter-hook driver call the ObDereferenceObject function to decrement the reference count of the IP filter driver's file and device objects.

Good luck,
Abusimbel, The Apprentice.
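The DDK excerpt above drops every TCP packet, while the question asked for a range of ports. As an added example (not code from the original post or from the DDK), here is the decision logic such a callback would need, written as portable C over a raw IPv4 buffer so it can be compiled and tested on a host; in a real driver this body would sit inside the PF_FORWARD_ACTION callback and return PF_DROP or PF_FORWARD. The range bounds, the ACTION_* values and the sample packet are constructed here.

```c
/* Added example, not from the original post or the DDK. The range bounds,
 * ACTION_* values and sample packet are constructed; in a driver the return
 * values would map to PF_DROP / PF_FORWARD. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PROT_TCP    6
#define PROT_UDP   17
#define BLOCK_LOW  1024          /* constructed: block destination ports */
#define BLOCK_HIGH 2047          /* 1024..2047 inclusive */
enum { ACTION_FORWARD = 0, ACTION_DROP = 1 };
static uint16_t rd16be(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decide for one IPv4 packet held in buf[0..len). Anything malformed is
 * dropped: a filter that forwards what it cannot parse is trivially bypassed. */
int filter_packet(const unsigned char *buf, size_t len)
{
    if (len < 20 || (buf[0] >> 4) != 4) return ACTION_DROP;   /* no complete IPv4 header */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;                  /* header length incl. options */
    if (ihl < 20 || ihl > len) return ACTION_DROP;             /* bogus IHL */
    uint8_t proto = buf[9];
    if (proto != PROT_TCP && proto != PROT_UDP) return ACTION_FORWARD;  /* no ports to check */
    if ((rd16be(buf + 6) & 0x1FFF) != 0) return ACTION_FORWARD; /* later fragment: ports were
                                                                    checked on fragment 0 */
    if (len < ihl + 4) return ACTION_DROP;      /* first fragment too short to carry ports */
    uint16_t dport = rd16be(buf + ihl + 2);     /* dst port is bytes 2-3 of the TCP/UDP header */
    return (dport >= BLOCK_LOW && dport <= BLOCK_HIGH) ? ACTION_DROP : ACTION_FORWARD;
}

/* Build a minimal constructed IPv4 packet (no options) whose transport header
 * carries destination port dport; returns its length (24 bytes). */
size_t build_packet(unsigned char out[24], uint8_t proto, uint16_t dport)
{
    memset(out, 0, 24);
    out[0] = 0x45; out[3] = 24; out[9] = proto;          /* v4, IHL=5, total len, protocol */
    out[20] = 0x04; out[21] = 0xD2;                      /* src port 1234 */
    out[22] = (unsigned char)(dport >> 8); out[23] = (unsigned char)dport;
    return 24;
}

/* Convenience: classify a constructed packet, optionally truncated to len bytes. */
int classify(uint8_t proto, uint16_t dport, size_t len)
{
    unsigned char pkt[24];
    size_t n = build_packet(pkt, proto, dport);
    return filter_packet(pkt, len < n ? len : n);
}
```

Because the port test runs only on the first fragment, a production filter would also want fragment reassembly (or dropping of all fragments) before trusting the decision.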
cwgues (Author) Commented:
Thanks very much abusimbel, your answer was very informative.

jhance I suggest you follow this hyperlink