Writing a port blocker

Posted on 2002-07-24
Last Modified: 2013-11-15
What is the best way to write a port blocker on the Windows platform?
Surely if I just opened sockets and left them open it would achieve the result I want.  However, this would use a lot of resources if I wanted to span a range of over a thousand ports plus.

Question by: cwgues
LVL 32

Expert Comment

ID: 7173959
Why don't you be more descriptive about what you mean by "port blocker"??

Author Comment

ID: 7173978
Ok, I meant 'port-blocker' as a daemon process that resides on a server denying connections to be made to specified ports.
LVL 32

Expert Comment

ID: 7174040
Why don't you be more descriptive about what you mean by "server".  Is this Windows of some type, Unix, Linux, BSD????

Accepted Solution

abusimbel earned 100 total points
ID: 7174545

The solution for doing this is creating an NDIS driver you can apply over your network device and perform the packet drop at the lowest level. It is the same solution we can use for creating a sniffer or firewall.

You can take a look at the following page, where you can find the sources of a free sniffing driver you can use as an example.

Another easier choice if you have Windows 2000 is to use a filter-hook driver. You will only need a few lines of code and the loading method of the hook:

Take a look at the Windows Platform DDK in the MSDN library section Hooks[]. I will extract for you some interesting issues:


The filter hook in this example is a simple filter hook that makes forward and drop decisions, based on certain packet properties. This example shows how the filter hook specifies to drop Transmission Control Protocol (TCP) packets and to forward packets from all other protocols.

If packets with specific IP addresses or TCP/UDP port numbers must be filtered, consider creating a user-mode application that uses the Packet Filtering API instead. The Packet Filtering API optimizes the system-supplied IP filter driver to process packets without the overhead that is associated with a filter-hook driver. For more information about the Packet Filtering API, see the Microsoft Windows Platform SDK documentation.

#define PROT_TCP   6

// Drop all TCP packets
// (function name assumed; the DDK's filter-hook callback type is
// PacketFilterExtensionPtr and it returns a PF_FORWARD_ACTION)
PF_FORWARD_ACTION
cbFilterFunction(
        unsigned char   *PacketHeader,
        unsigned char   *Packet,
        unsigned int    PacketLength,
        unsigned int    RecvInterfaceIndex,
        unsigned int    SendInterfaceIndex,
        IPAddr          RecvLinkNextHop,
        IPAddr          SendLinkNextHop
        )
{
    // PacketHeader points at the IP header; IPHeader and iph_protocol are
    // the DDK sample's own IP header definitions
    if (((IPHeader *)PacketHeader)->iph_protocol == PROT_TCP)
        return PF_DROP;
    return PF_FORWARD;
}

Initializing and Unloading the Filter-Hook Driver
All kernel-mode drivers create and initialize a device object for the driver object. The filter-hook driver's DriverEntry routine can also register the driver's filter hook with the IP filter driver.

If a user-mode application or a higher-level driver sends an I/O control request to the filter-hook driver to set up the filter hook, then the DriverEntry routine must specify and export an entry point that enables device control. This entry point is an IRP_MJ_DEVICE_CONTROL dispatch routine. If DriverEntry enables device control in this way, this device-control routine registers the driver's filter hook rather than DriverEntry.

The DriverEntry routine must specify and export an entry point that unloads the filter-hook driver. This unload routine removes the device that was created in DriverEntry but must not clear the previously registered filter hook when the operating system unloads the filter-hook driver.

Setting and Clearing a Filter Hook
A filter-hook driver sets its filter-hook callback function to the IP filter driver to inform that IP filter driver to call the hook callback for every IP packet that is received or transmitted. A filter-hook driver might also clear a previously registered hook callback. To register or clear a hook callback function, the filter-hook driver must first create an IRP using a pointer to the device object for the IP filter driver and IOCTL_PF_SET_EXTENSION_POINTER. The filter-hook driver then submits this IRP to the IP filter driver.

The filter-hook driver sets or clears hook callback functions as follows:

  1. Calls the IoGetDeviceObjectPointer function to retrieve a pointer to the device object for the IP filter driver. The filter-hook driver passes:
       • A pointer to a buffer that contains the string for the name of the IP filter driver
       • Values that specify synchronous, read, and write access to the IP filter driver
       • Pointers to buffers to hold the returned file and device objects
  2. Calls the IoBuildDeviceIoControlRequest function to set up an IRP. The filter-hook driver passes parameters that specify:
       • A pointer to the device object for the IP filter driver
       • A buffer that contains a PF_SET_EXTENSION_HOOK_INFO structure. To set the filter hook, this structure holds information that specifies the address of the filter-hook callback function. To clear the filter hook, this structure contains a NULL value.
     This call returns a pointer to an IRP with the I/O stack location set up from the supplied parameters.
  3. Calls the IoCallDriver function to submit the IRP to the IP filter driver. The filter-hook driver passes parameters that specify the pointer to the device object for the IP filter driver and a pointer to the previously created IRP.

The filter-hook driver must clear its filter hook from the same entity to which it registered its filter hook; therefore, the filter-hook driver should store the pointers to the IP filter driver's file and device objects in global variables. Only then can the filter-hook driver call the ObDereferenceObject function to decrement the reference count of the IP filter driver's file and device objects.

Good luck,
Abusimbel, The Apprentice.
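A port-range variant of the DDK's drop-all-TCP hook, closer to what the question asks for, as an added example that is not from the answer, the DDK or the asker. The pfhook.h types (PF_FORWARD_ACTION, IPAddr, IPHeader) are re-declared as assumed stand-ins so the hook logic compiles and runs in user mode, the parameter meanings follow the DDK description quoted above, and the blocked range 1024-2048 is a constructed policy value.

```c
#include <stdint.h>
#include <string.h>
/* Stand-in definitions mirroring the DDK's pfhook.h types (assumed names and
 * layout) so the hook logic compiles and runs in user mode without the DDK. */
typedef enum { PF_FORWARD = 0, PF_DROP = 1, PF_PASS = 2 } PF_FORWARD_ACTION;
typedef uint32_t IPAddr;
typedef struct {
    uint8_t  iph_verlen, iph_tos;   uint16_t iph_length, iph_id, iph_offset;
    uint8_t  iph_ttl, iph_protocol; uint16_t iph_xsum; IPAddr iph_src, iph_dest;
} IPHeader;                         /* 20 bytes, same layout as the wire header */
#define PROT_TCP 6
#define PROT_UDP 17
#define BLOCK_LO 1024               /* constructed example policy: drop TCP/UDP */
#define BLOCK_HI 2048               /* with destination port 1024-2048 inclusive */

/* Filter-hook callback in the PacketFilterExtensionPtr shape: PacketHeader is
 * the IP header, Packet the transport header that follows it, and PacketLength
 * the bytes available at Packet (assumed, following the DDK description). */
PF_FORWARD_ACTION cbBlockPortRange(unsigned char *PacketHeader, unsigned char *Packet,
        unsigned int PacketLength, unsigned int RecvInterfaceIndex,
        unsigned int SendInterfaceIndex, IPAddr RecvLinkNextHop, IPAddr SendLinkNextHop)
{
    const IPHeader *ip = (const IPHeader *)PacketHeader;
    unsigned frag_off, dport;
    (void)RecvInterfaceIndex; (void)SendInterfaceIndex; (void)RecvLinkNextHop; (void)SendLinkNextHop;
    if (ip->iph_protocol != PROT_TCP && ip->iph_protocol != PROT_UDP)
        return PF_FORWARD;          /* other protocols carry no port number */
    /* IP header bytes 6-7: flags + 13-bit fragment offset, network order. Only
     * the first fragment carries the transport header, so only it is matched. */
    frag_off = ((PacketHeader[6] & 0x1Fu) << 8) | PacketHeader[7];
    if (frag_off != 0)
        return PF_FORWARD;
    if (PacketLength < 4)
        return PF_DROP;             /* too short to read the ports: fail closed */
    dport = ((unsigned)Packet[2] << 8) | Packet[3]; /* TCP/UDP dst port: bytes 2-3 */
    return (dport >= BLOCK_LO && dport <= BLOCK_HI) ? PF_DROP : PF_FORWARD;
}

/* Builds a constructed IPv4 header plus transport header and runs the hook. */
PF_FORWARD_ACTION classify(uint8_t proto, unsigned dport, unsigned frag_off)
{
    union { IPHeader h; unsigned char raw[sizeof(IPHeader)]; } ip;
    unsigned char tp[8] = { 0x04, 0xD2, (unsigned char)(dport >> 8),
                            (unsigned char)(dport & 0xFF), 0, 0, 0, 0 };
    memset(&ip, 0, sizeof ip);
    ip.h.iph_verlen = 0x45; ip.h.iph_ttl = 64; ip.h.iph_protocol = proto;
    ip.raw[6] = (unsigned char)((frag_off >> 8) & 0x1F);
    ip.raw[7] = (unsigned char)(frag_off & 0xFF);
    return cbBlockPortRange(ip.raw, tp, sizeof tp, 0, 0, 0, 0);
}
```

Because only the first fragment carries the ports, a real deployment should also reassemble or drop out-of-order fragments so that a blocked connection cannot be split around the check.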

Author Comment

ID: 7187520
Thanks very much abusimbel, your answer was very informative.

jhance, I suggest you follow this hyperlink.
