From 59b9ae008f6f5f8fafe43b9cc3b2bef7deb08fae Mon Sep 17 00:00:00 2001 From: Vladimir Stoilov Date: Wed, 20 Nov 2024 11:44:36 +0200 Subject: [PATCH] [windows_kext] Minor improvments --- windows_kext/driver/src/ale_callouts.rs | 3 +++ windows_kext/driver/src/packet_callouts.rs | 2 +- windows_kext/wdk/src/filter_engine/callout_data.rs | 11 ++++------- windows_kext/wdk/src/filter_engine/classify.rs | 5 +++++ windows_kext/wdk/src/filter_engine/ffi.rs | 2 +- 5 files changed, 14 insertions(+), 9 deletions(-) diff --git a/windows_kext/driver/src/ale_callouts.rs b/windows_kext/driver/src/ale_callouts.rs index ed478938e..51c5cc303 100644 --- a/windows_kext/driver/src/ale_callouts.rs +++ b/windows_kext/driver/src/ale_callouts.rs @@ -105,6 +105,9 @@ pub fn ale_layer_connect_v6(data: CalloutData) { } fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) { + // Make the default path as drop. + data.block_and_absorb(); + let Some(device) = crate::entry::get_device() else { return; }; diff --git a/windows_kext/driver/src/packet_callouts.rs b/windows_kext/driver/src/packet_callouts.rs index b535046c4..1e8c28f17 100644 --- a/windows_kext/driver/src/packet_callouts.rs +++ b/windows_kext/driver/src/packet_callouts.rs @@ -115,7 +115,7 @@ fn ip_packet_layer( // Block all fragment data. No easy way to keep track of the origin and they are rarely used. if data.is_fragment_data() { - data.action_block(); + data.block_and_absorb(); crate::err!("blocked fragment packet"); return; } diff --git a/windows_kext/wdk/src/filter_engine/callout_data.rs b/windows_kext/wdk/src/filter_engine/callout_data.rs index abb5e318c..ff155dd1c 100644 --- a/windows_kext/wdk/src/filter_engine/callout_data.rs +++ b/windows_kext/wdk/src/filter_engine/callout_data.rs @@ -161,24 +161,28 @@ impl<'a> CalloutData<'a> { pub fn action_permit(&mut self) { unsafe { (*self.classify_out).action_permit(); + (*self.classify_out).clear_absorb_flag(); } } pub fn action_continue(&mut self) { unsafe { (*self.classify_out).action_continue(); + (*self.classify_out).clear_absorb_flag(); } } pub fn action_block(&mut self) { unsafe { (*self.classify_out).action_block(); + (*self.classify_out).clear_absorb_flag(); } } pub fn action_none(&mut self) { unsafe { (*self.classify_out).set_none(); + (*self.classify_out).clear_absorb_flag(); } } @@ -198,13 +202,6 @@ impl<'a> CalloutData<'a> { self.get_value_u32(flags_index) & FWP_CONDITION_FLAG_IS_REAUTHORIZE > 0 } - pub fn parmit_and_absorb(&mut self) { - unsafe { - (*self.classify_out).action_permit(); - (*self.classify_out).set_absorb(); - } - } - pub fn get_callout_id(&self) -> usize { self.callout_id } diff --git a/windows_kext/wdk/src/filter_engine/classify.rs b/windows_kext/wdk/src/filter_engine/classify.rs index 1acff2edd..6d5b9b055 100644 --- a/windows_kext/wdk/src/filter_engine/classify.rs +++ b/windows_kext/wdk/src/filter_engine/classify.rs @@ -80,6 +80,11 @@ impl ClassifyOut { self.flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB; } + // Removes the absorb flag. + pub fn clear_absorb_flag(&mut self) { + self.flags &= !FWPS_CLASSIFY_OUT_FLAG_ABSORB; + } + // Clear the write flag permission. Next filter in the chain will not change the action. pub fn clear_write_flag(&mut self) { self.rights &= !FWPS_RIGHT_ACTION_WRITE; diff --git a/windows_kext/wdk/src/filter_engine/ffi.rs b/windows_kext/wdk/src/filter_engine/ffi.rs index 45103272e..bf5fa3610 100644 --- a/windows_kext/wdk/src/filter_engine/ffi.rs +++ b/windows_kext/wdk/src/filter_engine/ffi.rs @@ -62,7 +62,7 @@ pub(crate) fn register_sublayer( sublayer.displayData.name = name.as_ptr() as _; sublayer.displayData.description = description.as_ptr() as _; sublayer.flags = 0; - sublayer.weight = 0xFFFF; + sublayer.weight = 0xFFFF; // Set to Max value. Weight compared to other sublayers. let status = FwpmSubLayerAdd0(filter_engine_handle, &sublayer, core::ptr::null_mut()); check_ntstatus(status as i32)?;