Windows Filtering Platform user mode or kernel mode?

Tags: filter, wfp

I am using the Windows Filtering Platform. I want to create a traffic filter, a security manager which monitors packets and network events or blocks URLs... I know most of the WFP functions can be called from either user mode or kernel mode. I am wondering whether to write my filter by using kernel-mode functions or user-mode ones? Is there any kind of network action that can only be captured by using a kernel-mode driver? Please help me in this regard.

Thanks in advance for any help on the matter

QuangNHb asked Aug 31 '12 08:08




2 Answers

WFP callouts can only be deployed using kernel-mode drivers. As far as I know, modifying packets (NAT, port forwarding, etc.) can only be done using callouts in kernel-mode drivers.

UPDATE:

  • A user-mode application may be used to do shallow packet inspection and some simple stream operations, as well as to control kernel-mode drivers.

  • Kernel-mode drivers may do deep and shallow packet inspection and all kinds of stream manipulation, but cannot interact with common applications without the use of user-mode applications implementing the WFP API.

Alexandre Marcondes answered Sep 24 '22 04:09
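The split described in the answer above (user mode adds and manages filters; only a kernel-mode callout driver can inspect or rewrite payloads) can be seen from an elevated PowerShell session without writing any driver. The block below is an added example and is not code from the question or either answer: the Windows Firewall service is itself a user-mode WFP consumer, so a port-block rule created with the NetSecurity cmdlets becomes an ordinary WFP filter, and `netsh wfp` can then dump the engine's filters and the callouts that kernel-mode drivers have registered. The rule name, port, and dump paths are constructed for the example, and the `<calloutKey>` element name used to count callouts is an assumption about the wfpstate.xml layout.

```powershell
# Added example: user-mode WFP filtering through the Windows Firewall service,
# then a look at which kernel-mode callouts are registered. Run elevated.

$ruleName = 'Example-Block-Outbound-TCP-4444'   # constructed rule name
$dumpDir  = Join-Path $env:TEMP 'wfp-example'   # constructed dump location
New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

# 1. A purely user-mode filter: block outbound TCP to remote port 4444 for
#    every program. No callout driver is involved; the firewall service
#    translates the rule into a WFP filter at the ALE connect layer.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort 4444 -Profile Any | Out-Null

# 2. Dump every WFP filter currently in the engine. The firewall rule appears
#    as a filter carrying the rule's display name.
$filtersXml = Join-Path $dumpDir 'filters.xml'
netsh wfp show filters file="$filtersXml" | Out-Null
$filterHits = Select-String -Path $filtersXml -Pattern ([regex]::Escape($ruleName))
"WFP filter entries named '$ruleName': $($filterHits.Count)"

# 3. Dump the full WFP state and count registered callouts. Each callout is a
#    hook that some kernel-mode driver has registered; a user-mode program
#    cannot register one. (Assumption: callouts are listed under <calloutKey>
#    elements in wfpstate.xml.)
$stateXml = Join-Path $dumpDir 'wfpstate.xml'
netsh wfp show state file="$stateXml" | Out-Null
$calloutHits = Select-String -Path $stateXml -Pattern '<calloutKey>'
"Registered WFP callouts (kernel-mode drivers): $($calloutHits.Count)"

# 4. Remove the example rule so the block does not persist on the machine.
Remove-NetFirewallRule -DisplayName $ruleName
```

The first count shows that a filter decision (permit or block on addresses, ports, protocol, or application) is entirely within reach of user mode; the second count shows how much of the machine's WFP behaviour already lives in kernel-mode callouts (the Windows Firewall's own inspection, any third-party security products). A filter that needs to see or change payload bytes has to join that second group, which is the point both answers make.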


Alexandre is correct: some things can only be done with kernel-mode WFP callout drivers.

However, you might also want to look at my project WinDivert (LGPL) which lifts some WFP kernel-mode functionality (i.e. intercepting and modifying packets) into a user-mode API. WinDivert provides the callout driver for you.

Basil answered Sep 20 '22 04:09