Getting Notification for WFP User-Mode Filter
You can get notifications for a Windows Filtering Platform (WFP) user-mode filter by registering for callbacks using the FwpmSubLayerAdd()
function in the Windows Filtering Platform API. This allows you to receive notifications when certain events occur, such as when a packet is blocked or allowed by the filter.
To register for callbacks, you first need to create a filter sublayer object using the FWPM_SUBLAYER0 structure. You can then register the sublayer using FwpmSubLayerAdd(), and specify the callback function to be called when a certain event occurs. The callback function should be defined using the FWPM_CALLOUT0 structure.
Here is an example of how to register for notifications for a user-mode WFP filter using the Windows Filtering Platform API in C++:
#include <windows.h>
#include <fwpmu.h>
// Callback function for filter events
// Callback function for filter events.
//
// NOTE(review): this signature does not match any documented WFP entry point.
// Callout classify/notify routines (FWPS_CALLOUT_CLASSIFY_FN0 and friends) are
// registered from a kernel-mode driver with FwpsCalloutRegister0, and the
// user-mode FWPM_CALLOUT0 management object carries no function pointers, so
// a user-mode function like this one is never invoked by the filter engine.
// User-mode code that wants to be told about filter/connection events uses
// the FwpmNetEventSubscribe0 / FwpmFilterSubscribeChanges0 family instead.
//
// The body is a placeholder: all parameters are ignored and 0 is returned.
DWORD WINAPI FilterCallback(
_In_ FWPM_CALLOUT0* pCallout,
_In_ const FWPM_FILTER0* pFilter,
_In_ const UINT64 flowContext,
_Inout_ FWPS_CLASSIFY_OUT0* pClassifyOut
)
{
// Process the filter event here
// ...
return 0;
}
// Register the filter sublayer and callback function
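// Register the sublayer, the callout management object, and a filter that
// sends FWPM_LAYER_OUTBOUND_TRANSPORT_V4 traffic to that callout.
//
// Returns ERROR_SUCCESS, or the Win32 error code of the first WFP call that
// failed. The three objects are added inside one transaction, so a failure
// part-way through leaves nothing behind. The engine session is not dynamic,
// so committed objects persist after the handle is closed (and after the
// process exits); removing them is the caller's responsibility
// (FwpmFilterDeleteById0 / FwpmCalloutDeleteByKey0 / FwpmSubLayerDeleteByKey0).
//
// NOTE(review): FwpmCalloutAdd0 only creates the management object for the
// callout. The classify/notify code behind a callout lives in a kernel-mode
// driver registered with FwpsCalloutRegister0; FWPM_CALLOUT0 has no
// function-pointer members, so no user-mode function can be attached here.
DWORD RegisterFilter()
{
    static const GUID SubLayerKey =
        {0x12345678, 0x1234, 0x5678, {0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF}};
    static const GUID CalloutKey =
        {0x87654321, 0x5678, 0x4321, {0x98, 0x76, 0x54, 0x32, 0x10, 0xFE, 0xDC, 0xBA}};

    FWPM_SUBLAYER0 SubLayer = {0};
    SubLayer.subLayerKey = SubLayerKey;
    SubLayer.displayData.name = L"My Filter Sublayer";
    SubLayer.displayData.description = L"Sublayer for my user-mode filter";
    SubLayer.weight = 0x100;
    SubLayer.flags = 0;

    FWPM_CALLOUT0 Callout = {0};
    Callout.calloutKey = CalloutKey;
    Callout.displayData.name = L"My Filter Callout";
    Callout.displayData.description = L"Callout for my user-mode filter";
    Callout.applicableLayer = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
    Callout.flags = 0;

    // The filter ties the layer, the sublayer and the callout together; the
    // original code passed an undeclared `Filter` to FwpmFilterAdd.
    FWPM_FILTER0 Filter = {0};
    Filter.displayData.name = L"My Filter";
    Filter.displayData.description = L"Filter for my user-mode callout";
    Filter.layerKey = FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
    Filter.subLayerKey = SubLayerKey;
    Filter.weight.type = FWP_EMPTY;     // let the engine pick a weight
    Filter.numFilterConditions = 0;     // no conditions: every flow at this layer
    Filter.action.type = FWP_ACTION_CALLOUT_TERMINATING;
    Filter.action.calloutKey = CalloutKey;
    // Until a kernel driver registers this callout key, a filter that refers
    // to it would otherwise drop the matching traffic; fail open instead.
    Filter.flags = FWPM_FILTER_FLAG_PERMIT_IF_CALLOUT_UNREGISTERED;

    // FwpmXxxAdd0 needs a real engine handle; NULL is not accepted.
    HANDLE Engine = NULL;
    DWORD Status = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &Engine);
    if (Status != ERROR_SUCCESS) return Status;

    Status = FwpmTransactionBegin0(Engine, 0);
    if (Status == ERROR_SUCCESS) {
        Status = FwpmSubLayerAdd0(Engine, &SubLayer, NULL);
        if (Status == ERROR_SUCCESS) Status = FwpmCalloutAdd0(Engine, &Callout, NULL, NULL);
        if (Status == ERROR_SUCCESS) Status = FwpmFilterAdd0(Engine, &Filter, NULL, NULL);
        if (Status == ERROR_SUCCESS) {
            Status = FwpmTransactionCommit0(Engine);
        } else {
            FwpmTransactionAbort0(Engine);  // roll back; report the original error
        }
    }

    FwpmEngineClose0(Engine);
    return Status;
}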
// Entry point: registers the WFP objects and, on success, is where the
// program would wait for events. The process exit code is the Win32 error
// code from RegisterFilter (0 on success).
int main()
{
    const DWORD Status = RegisterFilter();
    if (Status == ERROR_SUCCESS) {
        // Wait for filter events to occur here
        // ...
        return 0;
    }
    return Status;
}
In this example, the FWPM_SUBLAYER0
structure is used to define the filter sublayer, and the `FW