CN102739685B - Filter method and device for application layer network communication - Google Patents

Publication number
CN102739685B
Authority
CN
China
Prior art keywords
file
dll
dll file
loading
mswsock
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210230635.1A
Other languages
Chinese (zh)
Other versions
CN102739685A (en)
Inventor
洪珂
郑明�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Wangsu Co Ltd
Original Assignee
Wangsu Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN201210230635.1A
Publication of CN102739685A
Application granted
Publication of CN102739685B

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a filter method and device for application layer network communication. The method and device have the advantages of an LSP (Layered Service Provider) without the installation difficulties of the LSP. The technical solution is that the method comprises the following steps: a network application calls the Windows Sockets application programming interface; a file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library; the myws2_32.dll file directly calls utility functions in the ws2_32.dll file; the myws2_32.dll file is run, and the file system filter driver redirects the loading of a realws2_32.dll file to loading of the ws2_32.dll file; and the ws2_32.dll file is run.

Description

Filter method and device for application layer network communication
Technical field
The present invention relates to filtering the Socket communication of network applications, and in particular to filtering an application's communication on the client side.
Background art
Filtering technology is the basis for communication data analysis, firewalls, network proxies and network acceleration. These programs all use some filtering technique to obtain the packets passed down from the upper layer: performing protocol analysis on them makes an analysis tool; performing risk assessment to decide whether to let them pass or block them makes a firewall; forwarding them makes a proxy tool; and forwarding them to a fast proxy server makes an accelerator.
The network filtering technologies common on the Windows platform, ordered from the highest layer to the lowest, are mainly: WinSock API Hook, LSP (Layered Service Provider), TDI (Transport Driver Interface) drivers, WFP (Windows Filtering Platform), NDIS IMD (Intermediate Driver) drivers, NDIS Hook, Microsoft Loopback Adapter and VPN technologies. According to their respective needs, analysis tools and firewalls tend toward low-level filtering techniques in order to obtain more data, while proxies and accelerators tend to use high-level filtering techniques, so that they can concentrate on forwarding data and can distinguish between processes, while reducing the risk of crashing the system. Some accelerators also use VPN technology, but its drawback is that a VPN cannot target individual processes, so it generally has to be combined with an LSP.
Existing examples of proxies and accelerators that use high-level filtering techniques: SocksCap, a proxy, uses the WinSock API Hook approach; ProxyCap, a proxy, uses LSP; Two or seven agencies, a network game accelerator, uses LSP.
LSP is a mechanism provided by the Windows system itself, whereas WinSock API Hook is a third-party scheme that is harder to implement and has poorer compatibility. The drawback of LSP is that, although it is in itself an excellent mechanism, installation presents many difficulties: for example, multiple LSPs competing for an installation position leads to conflicts, and badly written LSP installers forcibly delete other LSPs so that they cannot coexist. LSPs are divided into two kinds: IFS LSP (Installable File System) and Non-IFS LSP (non-installable file system).
Summary of the invention
The object of the invention is to solve the above problem by providing a filter method for application layer network communication that has the advantages of LSP without the installation difficulties of LSP. It is mainly used for network proxies and network accelerators, and can also be used for protocol analysis tools and parental-control software.
Another object of the present invention is to provide a filter device for application layer network communication that has the advantages of LSP without the installation difficulties of LSP. It is mainly used for network proxies and network accelerators, and can also be used for protocol analysis tools and parental-control software.
The technical scheme of the present invention is as follows. The present invention discloses a filter method for application layer network communication, comprising:
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library and the myws2_32.dll file directly calls the utility functions in the ws2_32.dll file;
The myws2_32.dll file is run, and the file system filter driver redirects the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file;
The ws2_32.dll file is run.
The present invention further discloses a filter method for application layer network communication, comprising:
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file;
The mswsock.dll file is run, and the file system filter driver redirects the loading of the custom realmswsock.dll file to loading of the mswsock.dll file;
The mswsock.dll file is run.
The present invention discloses a filter device for application layer network communication, comprising:
A first redirection module, in which a network application calls the Windows Sockets application programming interface and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library and the myws2_32.dll file directly calls the utility functions in the ws2_32.dll file;
A second redirection module, which runs the myws2_32.dll file, the file system filter driver redirecting the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file;
A run module, which runs the ws2_32.dll file.
The present invention further discloses a filter device for application layer network communication, comprising:
A first redirection module, in which a network application calls the Windows Sockets application programming interface and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file;
A second redirection module, which runs the mswsock.dll file, the file system filter driver redirecting the loading of the custom realmswsock.dll file to loading of the mswsock.dll file;
A run module, which runs the mswsock.dll file.
Compared with the prior art, the present invention has the following beneficial effect: the technical scheme of the present invention uses two file redirections to filter application layer network communication. Compared with the prior art, the present invention has the advantages of LSP without the installation difficulties of LSP. It is mainly used for network proxies and network accelerators, and can also be used for protocol analysis tools and parental-control software.
Brief description of the drawings
Fig. 1 shows the flow chart of the first embodiment of the filter method for application layer network communication of the present invention.
Fig. 2 shows the flow chart of the second embodiment of the filter method for application layer network communication of the present invention.
Fig. 3 shows the structure chart of the embodiment of the filter device for application layer network communication of the present invention.
Detailed description of the embodiments
The invention is further described below with reference to the drawings and embodiments.
First embodiment of the filter method for application layer network communication
When a Non-IFS LSP is used to filter network data, an LSP is installed in the system. The normal flow is as follows:
(1) The network application calls the WinSock API, so it must load ws2_32.dll.
(2) ws2_32.dll checks the registry and finds the LSP, say mynonifslsp.dll, so ws2_32.dll loads mynonifslsp.dll and calls the WSPStartup function implemented by mylsp.dll.
(3) mynonifslsp.dll checks the registry, finds that the layer below is the BSP (Base Service Provider), loads mswsock.dll, and then calls its WSPStartup function.
But installing an LSP always brings trouble, so the invention does not install an LSP. What it exploits instead is the fact that every WinSock application has to load the WinSock API library (ws2_32.dll).
Fig. 1 shows the first embodiment of the filter method for application layer network communication of the present invention. Referring to Fig. 1, the filter method of this embodiment comprises the following steps.
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library. The myws2_32.dll file directly calls the utility functions in the ws2_32.dll file; only the APIs related to sending and receiving data have to be implemented by myws2_32.dll itself, and these finally call the corresponding functions of ws2_32.dll. The first file redirection is the key: loading ws2_32.dll is redirected to the self-implemented myws2_32.dll, which gives a chance to intervene. myws2_32.dll, however, is not implemented according to the Non-IFS LSP specification but in the manner of a WinSock API Hook, which can achieve an effect similar to a Non-IFS LSP.
Then the myws2_32.dll file is run, and the file system filter driver redirects the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file. Note that because the loading of ws2_32.dll is redirected, myws2_32.dll cannot load it directly; it should instead load realws2_32.dll, and the file system filter driver redirects this load to the original ws2_32.dll.
Finally, the ws2_32.dll file is run.
This embodiment performs two redirections: ws2_32.dll is redirected to myws2_32.dll, and realws2_32.dll is redirected to ws2_32.dll. Every access to ws2_32.dll from the application layer is redirected, so in order to load the real ws2_32.dll it must be given an alias, and the filter driver then turns accesses to that alias into accesses to the real ws2_32.dll.
For filtering, under the Non-IFS LSP scheme our program would be mynonifslsp.dll; under the scheme of the present invention the custom program is myws2_32.dll. The implementation differs but achieves the same effect. Its implementation is a WinSock API Hook (application programming interface hook), which is a mature technique. This scheme is in essence a WinSock API Hook; the innovation is the use of file system redirection to inject the DLL, as distinct from the usual injection methods of creating a remote thread, dynamically modifying the import table, or global hooks. This scheme is harder for security software to intercept.
Second embodiment of the filter method for application layer network communication
When no LSP is installed in the system, the normal flow is as follows:
(1) The network application calls the WinSock API, so it must load ws2_32.dll.
(2) ws2_32.dll checks the registry, finds no LSP, loads the default BSP (Base Service Provider), and calls its WSPStartup function. The file of this BSP is mswsock.dll, and the WSPStartup function is likewise specified by the WinSock 2.0 specification.
(3) The BSP implements the lower-level network communication.
When an IFS LSP is used to filter network data, an LSP is installed in the system:
(1) The network application calls the WinSock API, so it must load ws2_32.dll.
(2) ws2_32.dll checks the registry and finds our LSP, say myifslsp.dll, so ws2_32.dll loads myifslsp.dll and calls the WSPStartup function implemented by mylsp.dll.
(3) myifslsp.dll checks the registry, finds that the layer below is the BSP, loads mswsock.dll, and then calls its WSPStartup function.
The above flow has at least two problems:
(1) An LSP implementer may not follow the specification, and in practice this does happen. An upper-layer LSP may not load the lower-layer LSP and instead load the BSP directly, so the lower-layer LSP may fail to take effect. For example: the system has two LSPs, and the calling order the applicant wants is LSP1->LSP2->BSP, but the implementer of LSP1 does not want any other LSP working beneath it, so it skips LSP2 and loads the BSP directly, making the calling order LSP1->BSP.
(2) Installing an LSP is a fairly sensitive behaviour and is easily intercepted by antivirus software, causing the installation to fail.
Referring to Fig. 2, the implementation steps of the filter method for application layer network communication of this embodiment are as follows.
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file. mswsock.dll has many functions, but the applicant's mymswsock.dll does not need to implement them: apart from the WSPStartup function, it can directly call the corresponding functions of the original mswsock.dll. The WSPStartup function is implemented in the same way as in an IFS LSP, which preserves the advantages of LSP. The first file redirection is the key: loading mswsock.dll is redirected to mymswsock.dll; mymswsock.dll is an IFS LSP, and it finally calls the real BSP. The reason the applicant implements an IFS LSP is that the BSP is in essence an IFS LSP. The WSPStartup function is defined by the WinSock 2.0 SPI specification (SPI = Service Provider Interface).
The mswsock.dll file is run, and the file system filter driver redirects the loading of the custom realmswsock.dll file to loading of the mswsock.dll file. Note that because the loading of mswsock.dll is redirected, mymswsock.dll cannot load it directly; it should instead load realmswsock.dll, and the file system filter driver redirects this load to the original mswsock.dll. This embodiment performs two redirections: mswsock.dll is redirected to mymswsock.dll, and realmswsock.dll is redirected to mswsock.dll. Every access to mswsock.dll from the application layer is redirected, so in order to load the real mswsock.dll it must be given an alias, and the filter driver then turns accesses to that alias into accesses to the real mswsock.dll.
The mswsock.dll file is run.
The advantage of this scheme is that mymswsock.dll is in essence an IFS LSP but requires no LSP installation, and no matter how many rogue LSPs exist in the system, none of them can affect our mymswsock.dll.
For filtering, under the IFS LSP scheme the custom program would be myifslsp.dll; under the scheme of the present invention the custom program is mymswsock.dll. The implementation is roughly the same; the difference lies in calling the BSP, where the name used differs: myifslsp.dll can call mswsock.dll directly, whereas mymswsock.dll should call realmswsock.dll and let the file system filter driver change the name to mswsock.dll.
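A small Python model of the two redirections in both embodiments, added here as an illustration (it is not code from the patent): it traces which file is served for each requested name and shows why the custom DLL has to ask for the alias rather than the original name. The per-file request lists and the names `trace_loads`, `substituted` and `RedirectLoop` are assumptions of the model; the DLL names are the ones used in the text.

```python
class RedirectLoop(Exception):
    """A file asked for a library and was served a file that is already loading."""


# Redirect rules as the text states them: requested name -> file actually served.
FIRST_EMBODIMENT = {
    "ws2_32.dll": "myws2_32.dll",        # first redirection: the custom DLL intervenes
    "realws2_32.dll": "ws2_32.dll",      # second redirection: alias back to the original
}
SECOND_EMBODIMENT = {
    "mswsock.dll": "mymswsock.dll",
    "realmswsock.dll": "mswsock.dll",
}

# Model assumption: the names each file on disk asks the loader for when it runs.
FIRST_REQUESTS = {"myws2_32.dll": ["realws2_32.dll"]}
SECOND_REQUESTS = {
    "ws2_32.dll": ["mswsock.dll"],          # no LSP in the registry: load the default BSP
    "mymswsock.dll": ["realmswsock.dll"],   # custom DLL reaches the real BSP via the alias
}


def trace_loads(entry, redirects, requests):
    """Return [(requested_name, served_file), ...] in load order, starting at `entry`."""
    trace, loading = [], []

    def load(name):
        served = redirects.get(name, name)   # names without a rule are served as-is
        if served in loading:
            raise RedirectLoop(
                f"{loading[-1]} asked for {name} and was served {served} again")
        trace.append((name, served))
        loading.append(served)
        for wanted in requests.get(served, []):
            load(wanted)
        loading.pop()

    load(entry)
    return trace


def substituted(trace):
    """Loads where the file served is not the file that was asked for."""
    return [(asked, served) for asked, served in trace if asked != served]


if __name__ == "__main__":
    cases = (
        ("first embodiment", FIRST_EMBODIMENT, FIRST_REQUESTS),
        ("second embodiment", SECOND_EMBODIMENT, SECOND_REQUESTS),
    )
    for label, rules, reqs in cases:
        print(label)
        for asked, served in trace_loads("ws2_32.dll", rules, reqs):
            note = "" if asked == served else "   <- redirected"
            print(f"  asked for {asked:16} served {served}{note}")

    # Without the alias, the custom DLL asks for ws2_32.dll and is redirected to itself.
    try:
        trace_loads("ws2_32.dll",
                    {"ws2_32.dll": "myws2_32.dll"},
                    {"myws2_32.dll": ["ws2_32.dll"]})
    except RedirectLoop as exc:
        print("no alias:", exc)
```

In the model every load of the Winsock library under either embodiment shows a requested name that differs from the file served, while no LSP entry is ever added to the registry; a comparison of requested name against served file is therefore where the substitution becomes visible.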
First embodiment of the filter device for application layer network communication
Referring to Fig. 3, the filter device for application layer network communication of this embodiment comprises a first redirection module, a second redirection module and a run module. In the first redirection module, a network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library and the myws2_32.dll file directly calls the utility functions in the ws2_32.dll file.
In the second redirection module, the myws2_32.dll file is run, and the file system filter driver redirects the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file;
In the run module, the ws2_32.dll file is run.
Second embodiment of the filter device for application layer network communication
The structure of the filter device for application layer communication of this embodiment is the same as in the first embodiment, as shown in Fig. 3; only the concrete implementation of the modules differs. The filter device of this embodiment comprises a first redirection module, a second redirection module and a run module. In the first redirection module, a network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file.
In the second redirection module, the mswsock.dll file is run, and the file system filter driver redirects the loading of the custom realmswsock.dll file to loading of the mswsock.dll file;
In the run module, the mswsock.dll file is run.
The above embodiments are provided so that those of ordinary skill in the art can implement and use the present invention. Those of ordinary skill in the art may make various modifications or changes to the above embodiments without departing from the inventive idea of the present invention; thus the scope of protection of the present invention is not limited by the above embodiments, but should be the widest scope consistent with the inventive features mentioned in the claims.

Claims (4)

1. A filter method for application layer network communication, comprising:
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library and the myws2_32.dll file directly calls the utility functions in the ws2_32.dll file;
The myws2_32.dll file is run, and the file system filter driver redirects the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file;
The ws2_32.dll file is run.
2. A filter method for application layer network communication, comprising:
A network application calls the Windows Sockets application programming interface, and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file;
The mswsock.dll file is run, and the file system filter driver redirects the loading of the custom realmswsock.dll file to loading of the mswsock.dll file;
The mswsock.dll file is run.
3. A filter device for application layer network communication, comprising:
A first redirection module, in which a network application calls the Windows Sockets application programming interface and the file system filter driver redirects, as preset, the loading of the ws2_32.dll file to loading of the myws2_32.dll file, wherein the ws2_32.dll file is from the WinSock 2.0 library and the myws2_32.dll file directly calls the utility functions in the ws2_32.dll file;
A second redirection module, which runs the myws2_32.dll file, the file system filter driver redirecting the loading of the custom realws2_32.dll file to loading of the ws2_32.dll file;
A run module, which runs the ws2_32.dll file.
4. A filter device for application layer network communication, comprising:
A first redirection module, in which a network application calls the Windows Sockets application programming interface and the file system filter driver redirects, as preset, the loading of the mswsock.dll file to loading of the mymswsock.dll file, wherein mswsock.dll is the file name of Microsoft's default base service provider and the mymswsock.dll file directly calls the functions of the mswsock.dll file;
A second redirection module, which runs the mswsock.dll file, the file system filter driver redirecting the loading of the custom realmswsock.dll file to loading of the mswsock.dll file;
A run module, which runs the mswsock.dll file.
CN201210230635.1A 2012-07-04 2012-07-04 Filter method and device for application layer network communication Active CN102739685B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210230635.1A CN102739685B (en) 2012-07-04 2012-07-04 Filter method and device for application layer network communication

Publications (2)

Publication Number Publication Date
CN102739685A CN102739685A (en) 2012-10-17
CN102739685B true CN102739685B (en) 2015-04-08

Family

ID=46994468

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee
CP02 Change in the address of a patent holder

Address after: 200030 Shanghai city Xuhui District Xietu Road No. 2899 Building 5 floor A Kuangchi Cultural Square

Patentee after: ChinaNetCenter Co., Ltd.

Address before: 200030 Shanghai Xuhui District Xietu Road No. 2669 15 Floor

Patentee before: ChinaNetCenter Co., Ltd.

TR01 Transfer of patent right

Effective date of registration: 20171127

Address after: 361000 No. 0036, unit 0036, Chengyi street, Xiamen Software Park, Fujian Province, unit 0036

Patentee after: Xiamen net Lodge Co., Ltd.

Address before: 200030 Shanghai city Xuhui District Xietu Road No. 2899 Building 5 floor A Kuangchi Cultural Square

Patentee before: ChinaNetCenter Co., Ltd.

TR01 Transfer of patent right