I am using the Windows Filtering Platform. I want to create a traffic filter, security manager, which monitors packets and network events or blocks urls... I know most of the WFP functions can be called from either user mode or kernel mode. I am wondering whether to write my filter by using kernel-mode functions or user-mode ones?? Is there any kind of network actions that can only be captured by using kernel-mode driver? Please help me in this regard.
Thanks in advance for any help on the matter
A processor in a computer running Windows has two different modes: user mode and kernel mode. The processor switches between the two modes depending on what type of code is running on the processor. Applications run in user mode, and core operating system components run in kernel mode.
Provides routines for your driver to work with access control. Implements the core functionality that everything else in the operating system depends upon. The Microsoft Windows kernel provides basic low-level operations such as scheduling threads or routing hardware interrupts.
The filter manager supports communication between user mode and kernel mode through communication ports. The minifilter driver controls security on the port by specifying a security descriptor to be applied to the communication port object.
In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.
WFP Callouts can only be deployed using kernel mode drivers. As far as I know modifying packets (NAT, port forwarding, etc) can only be done using callouts on kernel mode drivers.
UPDATE:
User-mode application may be used to do shallow packet inspecting and some simple stream operations as well as control kernel mode drivers.
Kernel mode drivers may do deep and shallow packet inspection and all kinds of stream manipulation, but cannot interact with common applications without the use of user mode applications implementing the WFP API.
Alexandre is correct, some things can only be done with kernel mode WFP callout drivers.
However, you might also want to look at my project WinDivert (LGPL) which lifts some WFP kernel-mode functionality (i.e. intercepting and modifying packets) into a user-mode API. WinDivert provides the callout driver for you.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With