Feature/kext default action drop (#1747)
* [windows_kext] Make default action to drop

* [windows_kext] Minor improvements
vlabo committed Nov 28, 2024
1 parent 590fe74 commit f35256c
Showing 5 changed files with 18 additions and 10 deletions.
3 changes: 3 additions & 0 deletions windows_kext/driver/src/ale_callouts.rs
Expand Up @@ -105,6 +105,9 @@ pub fn ale_layer_connect_v6(data: CalloutData) {
}

fn ale_layer_auth(mut data: CalloutData, ale_data: AleLayerData) {
// Make the default path as drop.
data.block_and_absorb();

let Some(device) = crate::entry::get_device() else {
return;
};
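Review bot: Every early return in ale_layer_auth, beginning with the `let Some(device) = crate::entry::get_device() else { return; }` directly after the added call, now leaves the flow blocked and absorbed instead of unclassified, and the added comment should state that contract rather than only "default path as drop". Suggested wording: `// Fail closed: the classify-out starts as block+absorb, so any path that returns without calling action_permit/action_continue drops the flow.` The definition of block_and_absorb is not in this diff; I am assuming from the callout_data.rs changes that it sets the block action plus the absorb flag. The body of ale_layer_auth continues past the hunk, so I cannot confirm that every allow path sets an explicit action, which is now required.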
7 changes: 5 additions & 2 deletions windows_kext/driver/src/packet_callouts.rs
Expand Up @@ -110,9 +110,12 @@ fn ip_packet_layer(
interface_index: u32,
sub_interface_index: u32,
) {
// Make the default path as drop.
data.block_and_absorb();

// Block all fragment data. No easy way to keep track of the origin and they are rarely used.
if data.is_fragment_data() {
data.action_block();
data.block_and_absorb();
crate::err!("blocked fragment packet");
return;
}
Expand Down Expand Up @@ -147,7 +150,7 @@ fn ip_packet_layer(
} {
Ok(key) => key,
Err(err) => {
crate::dbg!("failed to get key from nbl: {}", err);
crate::err!("failed to get key from nbl: {}", err);
return;
}
};
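Review bot: The `data.block_and_absorb();` inside the fragment branch is redundant now that ip_packet_layer opens with the same call a few lines earlier; either drop it or keep it with a one-line comment such as `// Already the default; kept so the intent survives if the opening call moves.` so a later reader does not remove the opening call believing the branch covers it. Separately, `crate::err!("blocked fragment packet")` emits an error-level line for every fragment while dropping fragments is now the expected behaviour, so a burst of fragmented traffic produces one error entry per packet; `crate::dbg!` or a rate-limited message seems more appropriate, though I cannot see the logging macros from here. Promoting the failed-key message in the second hunk to err! is reasonable since that path is unexpected. ip_packet_layer's signature starts above the first hunk and its body continues below it.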
11 changes: 4 additions & 7 deletions windows_kext/wdk/src/filter_engine/callout_data.rs
Expand Up @@ -161,24 +161,28 @@ impl<'a> CalloutData<'a> {
pub fn action_permit(&mut self) {
unsafe {
(*self.classify_out).action_permit();
(*self.classify_out).clear_absorb_flag();
}
}

pub fn action_continue(&mut self) {
unsafe {
(*self.classify_out).action_continue();
(*self.classify_out).clear_absorb_flag();
}
}

pub fn action_block(&mut self) {
unsafe {
(*self.classify_out).action_block();
(*self.classify_out).clear_absorb_flag();
}
}

pub fn action_none(&mut self) {
unsafe {
(*self.classify_out).set_none();
(*self.classify_out).clear_absorb_flag();
}
}

Expand All @@ -198,13 +202,6 @@ impl<'a> CalloutData<'a> {
self.get_value_u32(flags_index) & FWP_CONDITION_FLAG_IS_REAUTHORIZE > 0
}

pub fn parmit_and_absorb(&mut self) {
unsafe {
(*self.classify_out).action_permit();
(*self.classify_out).set_absorb();
}
}

pub fn get_callout_id(&self) -> usize {
self.callout_id
}
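Review bot: action_permit, action_continue, action_block and action_none each now clear the absorb flag as a side effect, but none of the four pub methods carries a doc comment saying so; since callouts now start in block-and-absorb state (see the ale_callouts.rs and packet_callouts.rs changes in this commit) the clearing is load-bearing for permit and continue, and a reader of callout_data.rs alone would not know it. Suggest a `///` line on each, e.g. on action_permit: `/// Sets the permit action and clears the absorb flag (callouts begin as block+absorb; a leftover absorb would presumably swallow the permitted packet).` Removing the misspelled parmit_and_absorb is fine provided no caller outside this diff remains, which I cannot verify from here. The impl block continues beyond both hunks.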
5 changes: 5 additions & 0 deletions windows_kext/wdk/src/filter_engine/classify.rs
Expand Up @@ -80,6 +80,11 @@ impl ClassifyOut {
self.flags |= FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}

// Removes the absorb flag.
pub fn clear_absorb_flag(&mut self) {
self.flags &= !FWPS_CLASSIFY_OUT_FLAG_ABSORB;
}

// Clear the write flag permission. Next filter in the chain will not change the action.
pub fn clear_write_flag(&mut self) {
self.rights &= !FWPS_RIGHT_ACTION_WRITE;
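Review bot: `// Removes the absorb flag.` on clear_absorb_flag is a plain comment on a pub method, so it will not appear in rustdoc; the neighbouring clear_write_flag uses `//` as well, so switching to `///` is a file-wide change rather than one for this hunk. Whichever form is used, the comment should say when the call matters: `/// Clears FWPS_CLASSIFY_OUT_FLAG_ABSORB; call this whenever a classify-out that was set to block+absorb is changed to another action.` The impl ClassifyOut block continues past the hunk.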
2 changes: 1 addition & 1 deletion windows_kext/wdk/src/filter_engine/ffi.rs
Expand Up @@ -62,7 +62,7 @@ pub(crate) fn register_sublayer(
sublayer.displayData.name = name.as_ptr() as _;
sublayer.displayData.description = description.as_ptr() as _;
sublayer.flags = 0;
sublayer.weight = 0xFFFF;
sublayer.weight = 0xFFFF; // Set to Max value. Weight compared to other sublayers.

let status = FwpmSubLayerAdd0(filter_engine_handle, &sublayer, core::ptr::null_mut());
check_ntstatus(status as i32)?;
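Review bot: On the `sublayer.weight = 0xFFFF;` line the literal is the maximum of the sublayer weight field (FWPM_SUBLAYER0.weight is a UINT16), so writing it as `u16::MAX` expresses what the new comment has to explain, and the comment can then state the effect instead of the value: `sublayer.weight = u16::MAX; // highest weight: this sublayer is evaluated before every other sublayer`. register_sublayer starts above the hunk.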
