CN110417771A - A method of interception Windows is automated by driving and is automatically updated - Google Patents
- Publication number
- CN110417771A (application CN201910676339.6A)
- Authority
- CN
- China
- Prior art keywords
- layer
- data packet
- function
- domain name
- driver
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Technology Law (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a method of automatically blocking Windows automatic updates by means of a driver. The method is as follows: a WFP network filter is installed at the bottom layer of the Windows operating system, and a driver is provided which registers and opens the WFP network filter. The WFP network filter intercepts, in real time, the network packets that the Windows operating system receives from the Microsoft update server and the network packets that the Microsoft update server sends, thereby blocking the automatic update of the Windows operating system and improving the user's experience.
Description
Technical field
The present invention relates to the field of computer system communication technology, and in particular to a method of automatically blocking Windows automatic updates by means of a driver.
Background technique
Existing Windows operating systems all update automatically, but some users do not want the system to be updated while they are using it, for example in the following three situations:
1. Users who use the Windows operating system normally but do not want automatic updates to interfere with their planned work, and who have little need for or interest in changes of system version, such as business people in a meeting or students taking an exam.
2. Computers that must remain in a busy state for long periods, where automatic updates are unwanted because they consume network bandwidth and other system resources, or where the system must not be forced to restart by an automatic update, such as servers.
3. Software that needs to protect itself or maintain system stability, such as large software whose installation modifies the system environment and may be corrupted if the process is terminated abnormally; for example, an unexpected restart during the installation of Visual Studio may leave the development environment with unexpected errors.
Existing methods of blocking Windows operating system updates have the following disadvantages:
1. Existing schemes for blocking Windows automatic updates require manual configuration by the user; the process is relatively cumbersome and quite difficult for users who are unfamiliar with computers.
2. After automatic updates have been turned off, existing schemes also require cumbersome manual operations to restore them.
3. Existing schemes cannot be invoked automatically by other programs.
The prior art provides a method of intercepting network data using WFP: Chinese patent application No. 201110072859.X, published 2011-09-21, "A method of intercepting network data using WFP", in the field of network security, comprising the following steps: S1, open a WFP filter engine session in the Windows kernel, add a sublayer within the session, register one callout each in the ALE layer and the transport layer of the WFP filter engine, add the callouts to the sublayer, and set the callouts' filtering information, which includes the filter conditions; S2, set a callback function in the ALE-layer callout, which determines the correspondence between ports and processes and, according to the process policy, whether data on this port may be sent, and records whether this port may send data; S3, set a filtering callback function in the transport-layer callout, which parses the packet, obtains the port corresponding to the packet, and decides from the information recorded in S2 whether the packet's port may send data. That invention is simple, easy to install and compatible with any third-party network security product. Although that patent also intercepts network data with WFP, the technical problem it solves and the technical solution it adopts differ from those of the present patent.
WFP (Windows File Protection), in computer terminology, is a Windows file protection program that prevents programs from replacing important Windows system files.
Summary of the invention
To overcome the problems above, the object of the present invention is to provide a method of automatically blocking Windows automatic updates by means of a driver, which can block the automatic update of the Windows operating system and can be called as a functional module by other programs.
The present invention is realized by the following scheme: a method of automatically blocking Windows automatic updates by means of a driver, the method being as follows: a WFP network filter is installed at the bottom layer of the Windows operating system, and a driver is provided which registers and opens the WFP network filter; the WFP network filter intercepts in real time the network packets that the Windows operating system receives from the Microsoft update server and the network packets that the Microsoft update server sends, thereby blocking the automatic update of the Windows operating system.
Further, the method specifically comprises the following steps:
Step S1: an application program of the Windows operating system is started; the application program loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load a driver again, and then proceed to step S2;
Step S2: the application program flushes the DNS cache and opens the driver, so that the driver runs in the kernel layer of the Windows operating system;
Step S3: the driver registers and opens the WFP network filter and begins performing the interception function;
Step S4: the application program waits for the user to send a request to stop intercepting Windows operating system updates;
Step S5: after receiving the stop request, the driver closes and unregisters the WFP network filter;
Step S6: the application program stops and unloads the driver, and then the application program exits.
Further, in step S4 the user sends the request to stop intercepting Windows operating system updates by means of DeviceIoControl.
Further, the specific manner in which the WFP network filter blocks the automatic update of the Windows operating system is as follows:
Step 1: a blacklist database for storing a domain-name blacklist and an IP blacklist is provided; the blacklist database is initialized and the two domain names update.microsoft.com and windowsupdate.com are added to it;
Step 2: the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of subsequent operations;
Step 3: the driver uses the FwpsCalloutRegister function to register callback functions for monitoring data at the application-layer flow-established layer, the stream layer and the datagram layer respectively; the callback of the application-layer flow-established layer handles packets that request a network connection, the callback of the stream layer handles TCP packets, and the callback of the datagram layer handles UDP packets;
Step 4: the driver uses the FwpmCalloutAdd function to request the filter engine to add the three registered callbacks;
Step 5: the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the application-layer flow-established layer, the stream layer and the datagram layer, for capturing data;
Step 6: the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the application-layer flow-established layer, the stream layer and the datagram layer, and associates the callbacks with the sublayers; once associated, whenever a sublayer captures a network packet the Windows operating system calls that sublayer's callback to process the packet;
Step 7: when the callback of the application-layer flow-established layer is called by the system, it first parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, saves this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram layer; the filter can pass the flow context across layers to the stream layer and the datagram layer, so that when the callbacks of the stream layer and the datagram layer process a packet captured by their sublayer, they obtain the packet's process path, process ID, local IP address, remote IP address, local port and remote port by parsing the flow context;
Step 8: after the callbacks of the stream layer and the datagram layer capture a UDP or TCP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
Step 9: the stream layer and the datagram layer check whether the captured packet is an HTTP packet or a DNS packet respectively; if so, proceed to the next step, otherwise the packet is allowed through;
Step 10: the stream layer and the datagram layer parse the HTTP message and the DNS message respectively; by string comparison they check whether the domain name requested in the message is in the domain-name blacklist of the blacklist database; if it is not, the packet is allowed through; if it is, interception processing is performed;
Step 11: when interception of Windows operating system automatic updates is to end, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver, which disables the driver; on receiving the control code the driver calls its default unload callback, during which the filters are unloaded and unregistered; finally the application program calls the DeleteService function to uninstall the driver.
Further, the interception processing performed in step 10 when the domain name is in the domain-name blacklist is specifically:
Step 10.1: the stream layer checks whether the packet's remote IP is in the blacklist database; if it is not, the remote IP is added to the IP list of the blacklist database; otherwise the packet is allowed through;
Step 10.2: the datagram layer checks whether the packet's response contains resolved IP information for the domain name; if so, it checks whether the resolved IP of the domain name is in the blacklist database, and if it is not, the resolved IP is added to the blacklist; otherwise the packet is allowed through.
The beneficial effects of the present invention are: 1. The present invention is automated and can be called as a functional module by other programs. 2. The present invention uses network filter driver technology to intercept, at the bottom of the system, the network packets that match the given characteristics; in theory, blocking Windows automatic updates succeeds on any Windows operating system on which no VPN is in use; in addition, the scheme is based on the network filtering framework provided by Microsoft, and so has both system compatibility and system stability. 3. The present invention is convenient to operate: the user need only start or stop the driver to block or allow automatic-update packets, with no cumbersome and unreliable manual settings. 4. The present invention separates the control end from the functional end: user interaction is handled in the application layer while the core function is implemented in the kernel layer; this improves stability and prevents user misoperation from causing unexpected events.
Detailed description of the invention
Fig. 1 is a schematic flow chart of the method of the invention.
Fig. 2 is a schematic diagram of the blacklist database of the invention for storing the domain-name blacklist and the IP blacklist.
Fig. 3 is a schematic flow chart of the specific manner in which the WFP network filter of the invention blocks the automatic update of the Windows operating system.
Specific embodiment
The present invention is further described below with reference to the accompanying drawings.
Referring to Fig. 1 to Fig. 3, a method of automatically blocking Windows automatic updates by means of a driver according to the invention is as follows: a WFP network filter is installed at the bottom layer of the Windows operating system, and a driver is provided which registers and opens the WFP network filter; the WFP network filter intercepts in real time the network packets that the Windows operating system receives from the Microsoft update server and the network packets that the Microsoft update server sends, thereby blocking the automatic update of the Windows operating system.
The method specifically comprises the following steps:
Step S1: an application program of the Windows operating system is started; the application program loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load a driver again, and then proceed to step S2;
Step S2: the application program flushes the DNS cache and opens the driver, so that the driver runs in the kernel layer of the Windows operating system;
Step S3: the driver registers and opens the WFP network filter and begins performing the interception function;
Step S4: the application program waits for the user to send a request to stop intercepting Windows operating system updates; in this step the user sends the request to stop intercepting Windows operating system updates by means of DeviceIoControl;
Step S5: after receiving the stop request, the driver closes and unregisters the WFP network filter;
Step S6: the application program stops and unloads the driver, and then the application program exits.
Further, the specific manner in which the WFP network filter blocks the automatic update of the Windows operating system is as follows:
Step 1: a blacklist database for storing a domain-name blacklist and an IP blacklist is provided; the blacklist database is initialized and the two domain names update.microsoft.com and windowsupdate.com are added to it. The Windows operating system performs functions such as querying for update versions and downloading update packages by communicating with these two domain names; preventing the system from accessing these two domain names and from receiving the packets sent by the servers behind them blocks the automatic update of the Windows system.
Step 2: the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of subsequent operations. The BFE is a user-mode service built into the Windows operating system that coordinates the WFP components; its main tasks are adding filters to and removing filters from the system, storing filter configuration and enforcing WFP configuration security. Communication between an application and the BFE takes place through WFP management functions such as FwpmEngineOpen.
Step 3: the driver uses the FwpsCalloutRegister function to register callback functions for monitoring data at the application-layer flow-established layer (the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer), the stream layer (the FWPM_LAYER_STREAM_V4 layer) and the datagram layer (the FWPM_LAYER_DATAGRAM_DATA_V4 layer) respectively; the callback of the application-layer flow-established layer handles packets that request a network connection, the callback of the stream layer handles TCP packets, and the callback of the datagram layer handles UDP packets. The WFP filtering framework provided by Microsoft defines many layers along the path of a network packet; because packets are encapsulated according to different network protocols at the bottom of the system, the data captured at different layers differs. The present invention involves the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer captures the authorized connection requests sent by processes, and at this layer the process, IP address and port information of both ends of the packet can be obtained. The FWPM_LAYER_STREAM_V4 layer captures all TCP packets, without their IP headers, and the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures all UDP packets, without their IP headers.
Step 4: the driver uses the FwpmCalloutAdd function to request the filter engine to add the three registered callbacks;
Step 5: the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the application-layer flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram layer (FWPM_LAYER_DATAGRAM_DATA_V4), for capturing data;
Step 6: the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the application-layer flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram layer (FWPM_LAYER_DATAGRAM_DATA_V4), and associates the callbacks with the sublayers; once associated, whenever a sublayer captures a network packet the Windows operating system calls that sublayer's callback to process the packet;
Step 7: when the callback of the application-layer flow-established layer is called by the system, it first parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, saves this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram layer; the filter can pass the flow context across layers to the stream layer and the datagram layer, so that when the callbacks of the stream layer and the datagram layer process a packet captured by their sublayer, they obtain the packet's process path, process ID, local IP address, remote IP address, local port and remote port by parsing the flow context;
Step 8: after the callbacks of the stream layer and the datagram layer capture a UDP or TCP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
Step 9: the stream layer and the datagram layer check whether the captured packet is an HTTP packet or a DNS packet respectively; if so, proceed to the next step, otherwise the packet is allowed through;
Step 10: the stream layer and the datagram layer parse the HTTP message and the DNS message respectively; by string comparison they check whether the domain name requested in the message is in the domain-name blacklist of the blacklist database; if it is not, the packet is allowed through; if it is, interception processing is performed.
The interception processing performed in step 10 when the domain name is in the domain-name blacklist is specifically:
Step 10.1: the stream layer checks whether the packet's remote IP is in the blacklist database; if it is not, the remote IP is added to the IP list of the blacklist database; otherwise the packet is allowed through;
Step 10.2: the datagram layer checks whether the packet's response contains resolved IP information for the domain name; if so, it checks whether the resolved IP of the domain name is in the blacklist database, and if it is not, the resolved IP is added to the blacklist; otherwise the packet is allowed through.
Step 11: when interception of Windows operating system automatic updates is to end, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver, which disables the driver; on receiving the control code the driver calls its default unload callback, during which the filters are unloaded and unregistered; finally the application program calls the DeleteService function to uninstall the driver.
The invention is further described below with reference to a specific embodiment.
Specific implementation of the scheme of the invention:
Suppose application program A uses this scheme to intercept the network packets that the Windows system attempts to send or receive while updating automatically, so that the Windows system does not perform automatic updates while application program A is running. Application program A successfully loads driver B; driver B initializes its domain-name/IP blacklist database and adds the domain names "update.microsoft.com" and "windowsupdate.com" to it, so that the blacklist database now has 2 domain-name blacklist members and 0 IP blacklist members. Driver B then successfully completes the sequence of operations of registering callback functions, creating sublayers and opening filters at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers; the network filtering module has finished initializing and begins to take effect.
Suppose the system process svchost.exe now attempts to access the network. It first sends a packet requesting a connection to an external server. The filter of the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 sublayer captures this packet, extracts from it the process ID, process path, local IP address, remote IP address, local port and remote port of svchost.exe, saves this information in a flow context, and then binds the flow context to the FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers.
Several cases are discussed next:
svchost.exe sends a packet to the DNS server requesting resolution of the domain name "baidu.com". After the filter of the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures this packet, it traverses each domain-name string in the blacklist database by string comparison and checks whether any of them is contained in the domain name requested this time. The lookup finds no domain-name string in the blacklist database matching "baidu.com", so this DNS packet is allowed through.
The DNS server sends a packet to svchost.exe whose content is the domain name "a.windowsupdate.com" and its resolved IP results 1.2.3.4 and 5.6.7.8. After the filter of the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures this packet, it traverses each domain-name string in the blacklist database by string comparison and checks whether any of them is contained in the domain name requested this time. The lookup finds that the string "windowsupdate.com" in the blacklist database matches the requested domain name "a.windowsupdate.com", so this DNS packet is blocked, and the resolved IP results 1.2.3.4 and 5.6.7.8 are added to the blacklist database. The blacklist database now contains the following members: "update.microsoft.com", "windowsupdate.com", 1.2.3.4 and 5.6.7.8.
svchost.exe skips domain-name resolution and sends an HTTP request directly to IP 1.2.3.4, asking the Microsoft server whether a new version is needed. After the filter of the FWPM_LAYER_STREAM_V4 layer captures this packet, it extracts the remote IP address 1.2.3.4 from the flow context bound by the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer and then checks whether the remote IP 1.2.3.4 is in the blacklist database. Since 1.2.3.4 is in the blacklist database, this HTTP request is intercepted.
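The decision logic of steps 7 to 10.2 and the three cases above, written out as an added example in user-mode C (this is not the patent's driver code, and it does not touch WFP; the `flow_ctx` struct stands in for the context that the ALE_FLOW_ESTABLISHED callout would bind with FwpsFlowAssociateContext, and the two DNS packets are constructed for the example, not captured). The DNS parser follows compression pointers, which real answers use; the domain comparison is tightened from the patent's plain substring check to a label-boundary suffix match, which is an assumption of this example:

```c
/* Added example, not the patent's driver code: a user-mode C model of the callout logic of
 * steps 7 to 10 and of the embodiment's scenarios. flow_ctx stands in for the context bound
 * with FwpsFlowAssociateContext; the packets below are constructed, not captured. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { VERDICT_PERMIT = 0, VERDICT_BLOCK = 1, MAX_ENTRIES = 32 };
typedef struct { uint32_t pid, remote_ip; uint16_t remote_port; } flow_ctx;  /* step 7 context */

/* Blacklist database of Fig. 2: seeded domain names plus IPs learned at run time. */
static char g_domains[MAX_ENTRIES][64]; static int g_ndomains;
static uint32_t g_ips[MAX_ENTRIES];     static int g_nips;
void blacklist_init(void) {
    g_ndomains = g_nips = 0;
    strcpy(g_domains[g_ndomains++], "update.microsoft.com");
    strcpy(g_domains[g_ndomains++], "windowsupdate.com");
}
bool ip_is_blacklisted(uint32_t ip) { for (int i = 0; i < g_nips; i++) if (g_ips[i] == ip) return true; return false; }
static void ip_add(uint32_t ip) { if (!ip_is_blacklisted(ip) && g_nips < MAX_ENTRIES) g_ips[g_nips++] = ip; }
/* Step 10 domain check. The patent compares by substring; matching only on a label boundary
 * (an assumption here) keeps "notwindowsupdate.com" from hitting "windowsupdate.com". */
bool domain_is_blacklisted(const char *name) {
    size_t n = strlen(name);
    for (int i = 0; i < g_ndomains; i++) {
        size_t m = strlen(g_domains[i]);
        if (m > n || strcmp(name + n - m, g_domains[i]) != 0) continue;
        if (m == n || name[n - m - 1] == '.') return true;
    }
    return false;
}

/* Decode the DNS name at msg[off], following compression pointers; returns the offset just
 * past the name as written at off, or -1 on malformed data. */
static int dns_read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outsz) {
    size_t o = 0; int end = -1, hops = 0;
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) { out[o] = '\0'; return end >= 0 ? end : (int)off + 1; }
        if ((l & 0xC0) == 0xC0) {                                /* compression pointer */
            if (off + 1 >= len || ++hops > 8) return -1;         /* bounds and loop guard */
            if (end < 0) end = (int)off + 2;
            off = ((l & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (++off + l > len || o + l + 1 >= outsz) return -1;
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off, l); o += l; off += l;
    }
    return -1;                                                   /* no terminating root label */
}

/* Datagram-layer callout (steps 8 to 10.2): only UDP/53 is parsed. A query for a blacklisted
 * name is blocked; a response for one is blocked and its A records join the IP blacklist. */
int datagram_callout(const flow_ctx *ctx, const uint8_t *msg, size_t len) {
    if (ip_is_blacklisted(ctx->remote_ip)) return VERDICT_BLOCK;               /* step 8 */
    if (ctx->remote_port != 53 || len < 12) return VERDICT_PERMIT;             /* step 9 */
    char name[256]; int qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    int off = qd ? dns_read_name(msg, len, 12, name, sizeof name) : -1;
    if (off < 0 || !domain_is_blacklisted(name)) return VERDICT_PERMIT;       /* step 10 */
    off += 4;                                                                  /* QTYPE, QCLASS */
    for (int i = 0; (msg[2] & 0x80) && i < an; i++) {                         /* step 10.2 */
        off = dns_read_name(msg, len, (size_t)off, name, sizeof name);
        if (off < 0 || (size_t)off + 10 > len) break;
        int type = (msg[off] << 8) | msg[off + 1], rdlen = (msg[off + 8] << 8) | msg[off + 9];
        off += 10; if ((size_t)off + rdlen > len) break;
        if (type == 1 && rdlen == 4)                                           /* A record */
            ip_add(((uint32_t)msg[off] << 24) | (msg[off + 1] << 16) | (msg[off + 2] << 8) | msg[off + 3]);
        off += rdlen;
    }
    return VERDICT_BLOCK;
}

/* Stream-layer callout (steps 8 to 10.1) over a NUL-terminated HTTP request head. */
int stream_callout(const flow_ctx *ctx, const char *data) {
    if (ip_is_blacklisted(ctx->remote_ip)) return VERDICT_BLOCK;               /* step 8 */
    const char *h = strstr(data, "\r\nHost:");                                 /* step 9 */
    if (!h) return VERDICT_PERMIT;
    char host[256]; size_t i = 0;
    h += 7; while (*h == ' ') h++;
    while (*h && *h != '\r' && *h != ':' && i < sizeof host - 1) host[i++] = *h++;
    host[i] = '\0';
    if (!domain_is_blacklisted(host)) return VERDICT_PERMIT;                   /* step 10 */
    ip_add(ctx->remote_ip);                                                    /* step 10.1 */
    return VERDICT_BLOCK;
}

/* Constructed packets: a query for baidu.com, and a response for a.windowsupdate.com with
 * A records 1.2.3.4 and 5.6.7.8 (the answer names are pointers to offset 12). */
static const uint8_t kDnsQuery[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    5,'b','a','i','d','u', 3,'c','o','m', 0, 0,1, 0,1 };
static const uint8_t kDnsResponse[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,
    1,'a', 13,'w','i','n','d','o','w','s','u','p','d','a','t','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 1,2,3,4,  0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 5,6,7,8 };

int main(void) {
    blacklist_init();
    flow_ctx dns = { 1234, 0x08080808u, 53 }, web = { 1234, 0x01020304u, 80 };
    int v1 = datagram_callout(&dns, kDnsQuery, sizeof kDnsQuery);                    /* 0: permit */
    int v2 = datagram_callout(&dns, kDnsResponse, sizeof kDnsResponse);              /* 1: block, IPs learned */
    int v3 = stream_callout(&web, "GET /update HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n");   /* 1: blocked by IP */
    printf("query=%d answer=%d http=%d\n", v1, v2, v3);
}
```

The order of the three calls in `main` matters: the response for a.windowsupdate.com is what places 1.2.3.4 in the IP blacklist, so the later HTTP request that skips DNS is blocked by the step 8 IP check alone, exactly as in the third case above. A practitioner watching for this behaviour on a host would see update traffic fail at the callout rather than at the network edge, with the DNS answer for the update domain never reaching svchost.exe.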
In short, the present invention can be applied to: 1. users who use the Windows operating system normally but do not want automatic updates to interfere with their planned work, and who have little need for or interest in changes of system version, such as business people in a meeting or students taking an exam; 2. computers that must remain in a busy state for long periods, where automatic updates are unwanted because they consume network bandwidth and other system resources, or where the system must not be forced to restart by an automatic update, such as servers; 3. software that needs to protect itself or maintain system stability, such as large software whose installation modifies the system environment and may be corrupted if the process is terminated abnormally, where for example an unexpected restart during the installation of Visual Studio may leave the development environment with unexpected errors. In all of these the present invention improves the user's experience.
The foregoing are merely preferred embodiments of the present invention; all equivalent changes and modifications made within the scope of the patent of the present invention are covered by the present invention.
Claims (5)
1. a kind of automate the method for intercepting Windows and automatically updating by driving, it is characterised in that: the method are as follows: In
Windows operating system bottom installs WFP network filter, and a driver is arranged, and the driver is registered and opened
WFP network filter, WFP network filter energy real-time blocking Windows operating system update the received net of server to Microsoft
Network data packet and Microsoft update the network packet that server is sent, to realize that interception Windows operating system is automatic
It updates.
2. a kind of method automatically updated by driving automation interception Windows according to claim 1, feature exist
In: the application program that the method further specifically comprises the following steps: step S1, starts Windows operating system, it is described
Whether application program load driver program, load succeed, and are then to enter step S2;No, then the driver by load failure unloads
A driver is reloaded after load again;Enter back into step S2;
Step S2, the described application program refreshes DNS cache, and opens driver, makes driver in Windows operating system
Inner nuclear layer operation;
Step S3, WFP network filter is registered and opened to the described driver, starts to execute interception function;
Step S4, the stopping that the described application program waits user to transmit intercepts the request that Windows operating system updates;
Etc. step S5, until driver closes and nullifies the WFP network filter after terminating request;
Step S6, application program stops and unloads driver, and then application program terminates.
3. a kind of method automatically updated by driving automation interception Windows according to claim 2, feature exist
In: user intercepts what Windows operating system updated by the stopping that DeviceIoControl mode transmits in the step S4
Request.
4. The method for automatically intercepting Windows automatic updates by a driver according to claim 1, characterized in that the WFP network filter intercepts the automatic update of the Windows operating system as follows:
Step 1: a blacklist database for storing a domain name blacklist and an IP blacklist is set up and initialized, and the two domain names update.microsoft.com and windowsupdate.com are added to the blacklist database;
Step 2: the driver obtains a handle to the base filtering engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of the subsequent operations;
Step 3: the driver uses the FwpsCalloutRegister function to register a callback function for monitoring data at each of the application-layer traffic establishment layer, the data stream layer and the data packet layer; the callback of the application-layer traffic establishment layer handles packets that request a network connection, the callback of the data stream layer handles TCP packets, and the callback of the data packet layer handles UDP packets;
Step 4: the driver uses the FwpmCalloutAdd function to add the three registered callback functions to the filter engine;
Step 5: the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the application-layer traffic establishment layer, the data stream layer and the data packet layer, for capturing data;
Step 6: the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the application-layer traffic establishment layer, the data stream layer and the data packet layer, and associates the callback functions with the sublayers; once the association is complete, whenever a sublayer captures a network packet the Windows operating system calls the callback function corresponding to that sublayer to handle the packet;
Step 7: when the callback function of the application-layer traffic establishment layer is called by the system, it first parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet and saves this information in a flow context, then uses the FwpsFlowAssociateContext function to bind the flow context to the data stream layer and the data packet layer; the filter passes the flow context across layers to the data stream layer and the data packet layer, so that when the callback functions of those layers handle a packet captured by their sublayer they obtain the process path, process ID, local IP address, remote IP address, local port and remote port of the packet by parsing the flow context;
Step 8: after the callback functions of the data stream layer and the data packet layer capture a TCP or UDP packet, they judge whether the remote IP of the packet is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from being passed to the next layer; if not, the next step is entered;
Step 9: the data stream layer and the data packet layer respectively judge whether the captured packet is an HTTP packet or a DNS packet; if so, the next step is entered, otherwise the packet is let through;
Step 10: the data stream layer parses the HTTP message and the data packet layer parses the DNS message; by string comparison it is judged whether the domain name requested in the message is in the domain name blacklist of the blacklist database; if it is not in the domain name blacklist the packet is let through, and if it is in the domain name blacklist interception processing is carried out;
Step 11: when interception of the automatic update of the Windows operating system is to be ended, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver, which stops the driver; on receiving the control code the driver calls the default driver unload callback function, which unloads and unregisters the filter; finally the application program calls the DeleteService function to uninstall the driver.
5. The method for automatically intercepting Windows automatic updates by a driver according to claim 4, characterized in that the interception processing carried out in step 10 when the domain name is in the domain name blacklist is specifically:
Step 10.1: the data stream layer judges whether the remote IP of the packet is in the blacklist database; if it is not in the database, the remote IP is added to the IP library of the blacklist database, otherwise the packet is let through;
Step 10.2: the data packet layer judges whether the response in the packet contains the resolved IP corresponding to the domain name; if so, it judges whether the resolved IP corresponding to the domain name is in the blacklist database; if not, the resolved IP corresponding to the domain name is added to the domain name blacklist, otherwise the packet is let through.
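The packet-layer decision of steps 8 to 10 in claim 4 together with the address learning of claim 5, written out as an added user-mode C example that is not code from the patent: it keeps the two blacklists, decodes the QNAME of a UDP/53 message, blocks messages to a listed name, and records the A-record answers so that later traffic to those addresses is stopped by the step-8 IP check. It assumes that the step-10 string comparison matches a listed name and its subdomains and that answer owner names are either compression pointers or plain names; the WFP registration and the HTTP path are left out, and the sample packet is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
static const char *DOMAIN_BL[] = { "update.microsoft.com", "windowsupdate.com" };  /* claim 4, step 1 */
static uint32_t ip_bl[64]; static int ip_bl_n;      /* IP blacklist, filled from DNS answers (claim 5) */
int ip_blacklisted(uint32_t ip) {                                     /* step 8 lookup, host byte order */
    for (int i = 0; i < ip_bl_n; i++) if (ip_bl[i] == ip) return 1;
    return 0;
}
int domain_blacklisted(const char *name) {  /* step 10 "string comparison": exact or subdomain match (assumption) */
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof DOMAIN_BL / sizeof *DOMAIN_BL; i++) {
        size_t b = strlen(DOMAIN_BL[i]);
        if (n >= b && !strcmp(name + n - b, DOMAIN_BL[i]) && (n == b || name[n - b - 1] == '.')) return 1;
    }
    return 0;
}
/* Decode the uncompressed QNAME at off into lowercase dotted form; returns offset past it, 0 if malformed. */
static size_t read_qname(const uint8_t *p, size_t len, size_t off, char *out, size_t outsz) {
    for (size_t o = 0; off < len; ) {
        uint8_t l = p[off++];
        if (l == 0) { out[o ? o - 1 : 0] = 0; return off; }           /* replace the trailing dot */
        if ((l & 0xC0) || off + l > len || o + l + 2 > outsz) return 0;  /* pointer in QNAME or overrun */
        for (uint8_t k = 0; k < l; k++) out[o++] = (char)tolower(p[off + k]);
        out[o++] = '.'; off += l;
    }
    return 0;
}
/* Verdict for one UDP/53 payload from remote_ip: 1 = block, 0 = pass (steps 8 to 10). A blocked response also feeds its A-record addresses into the IP blacklist (claim 5, step 10.2). */
int dns_verdict(const uint8_t *p, size_t len, uint32_t remote_ip) {
    char name[256], owner[256];
    if (ip_blacklisted(remote_ip)) return 1;
    size_t off = len >= 12 ? read_qname(p, len, 12, name, sizeof name) : 0;
    if (!off || off + 4 > len || !domain_blacklisted(name)) return 0;      /* malformed or unlisted: pass */
    int is_response = p[2] & 0x80, ancount = p[6] << 8 | p[7]; off += 4;   /* skip QTYPE/QCLASS */
    for (int i = 0, rdlen = 0; is_response && i < ancount && off < len; i++, off += rdlen) {
        off = (p[off] & 0xC0) == 0xC0 ? off + 2 : read_qname(p, len, off, owner, sizeof owner); /* owner name */
        if (!off || off + 10 > len) break;
        int type = p[off] << 8 | p[off + 1]; rdlen = p[off + 8] << 8 | p[off + 9];
        if ((off += 10) + rdlen > len) break;
        if (type == 1 && rdlen == 4) {                                     /* learn the resolved IPv4 */
            uint32_t ip = (uint32_t)p[off] << 24 | p[off + 1] << 16 | p[off + 2] << 8 | p[off + 3];
            if (!ip_blacklisted(ip) && ip_bl_n < 64) ip_bl[ip_bl_n++] = ip;
        }
    }
    return 1;
}
/* Constructed sample (not a captured packet): response answering update.microsoft.com with A 1.2.3.4. */
const uint8_t sample_resp[] = { 0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0, 6,'u','p','d','a','t','e',
    9,'m','i','c','r','o','s','o','f','t',3,'c','o','m',0, 0,1,0,1, 0xC0,0x0C,0,1,0,1,0,0,0,0x3C,0,4,1,2,3,4 };
```

Once `sample_resp` has been seen, `ip_blacklisted(0x01020304)` is true, which is how a later TCP connection to 1.2.3.4 is stopped at step 8 without any HTTP parsing.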
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910676339.6A CN110417771B (en) | 2019-07-25 | 2019-07-25 | Method for automatically intercepting Windows automatic update through driving |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417771A true CN110417771A (en) | 2019-11-05 |
CN110417771B CN110417771B (en) | 2021-07-09 |
Family
ID=68363126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910676339.6A Active CN110417771B (en) | 2019-07-25 | 2019-07-25 | Method for automatically intercepting Windows automatic update through driving |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110417771B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102195972A (en) * | 2011-03-24 | 2011-09-21 | 北京思创银联科技股份有限公司 | Method for intercepting network data by using WFP (Windows Filter Platform) |
CN103065092A (en) * | 2012-12-24 | 2013-04-24 | 公安部第一研究所 | Method for intercepting operating of suspicious programs |
CN104915598A (en) * | 2015-05-29 | 2015-09-16 | 南京信息工程大学 | Monitoring method and monitoring system for C/S client side |
CN105844146A (en) * | 2016-03-16 | 2016-08-10 | 北京金山安全软件有限公司 | Method and device for protecting driver and electronic equipment |
US20170054686A1 (en) * | 2015-08-18 | 2017-02-23 | Konstantin Malkov | Agentless Security of Virtual Machines using a Filtering Platform |
CN106936846A (en) * | 2017-04-10 | 2017-07-07 | 北京明朝万达科技股份有限公司 | A kind of method for network access control and device based on WFP platforms |
CN109347817A (en) * | 2018-10-12 | 2019-02-15 | 厦门安胜网络科技有限公司 | A kind of method and device that network security redirects |
CN109587269A (en) * | 2018-12-27 | 2019-04-05 | 迅雷计算机(深圳)有限公司 | A kind of hold-up interception method, unit, system and the storage medium of downloading behavior |
- 2019-07-25: CN CN201910676339.6A patent/CN110417771B/en active Active
Non-Patent Citations (2)
Title |
---|
TK13: "Win64 驱动内核编程-16.WFP网络监控驱动(防火墙)", 《程序园》 * |
WINDOWS: "《windows驱动-WFP框架介绍及其编程》", 《HTTPS://QWERTWWWE.GIHUB.IO/WINDOWS-DRIVER-DEVELOP-WFP-FRAMEWORK》 * |
Also Published As
Publication number | Publication date |
---|---|
CN110417771B (en) | 2021-07-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
FI113927B (en) | Method of intercepting the network packets in a network connected device | |
US20190303221A1 (en) | Methods and apparatus for preventing packet spoofing with user space communication stacks | |
US7664822B2 (en) | Systems and methods for authentication of target protocol screen names | |
US7428590B2 (en) | Systems and methods for reflecting messages associated with a target protocol within a network | |
US8018870B2 (en) | Method and apparatus for simply configuring a subscriber appliance for performing a service controlled by a separate service provider | |
US7774832B2 (en) | Systems and methods for implementing protocol enforcement rules | |
US7707401B2 (en) | Systems and methods for a protocol gateway | |
US7818565B2 (en) | Systems and methods for implementing protocol enforcement rules | |
US6336140B1 (en) | Method and system for the identification and the suppression of executable objects | |
US20150156183A1 (en) | System and method for filtering network communications | |
US11005813B2 (en) | Systems and methods for modification of p0f signatures in network packets | |
CN102761534B (en) | Realize the method and apparatus of media access control layer Transparent Proxy | |
US8544078B2 (en) | Flexible network security system and method for permitting trusted process | |
CN108810124B (en) | Remote access control system for large number of multimedia terminals in public network environment | |
JP2004333186A (en) | Remote support system of analyzer | |
CN110417771A (en) | A method of interception Windows is automated by driving and is automatically updated | |
AU2004272201A1 (en) | Systems and methods for dynamically updating software in a protocol gateway | |
WO2006062961A2 (en) | Systems and methods for implementing protocol enforcement rules | |
US11861025B1 (en) | System and method for receiving and processing a signal within a TCP/IP protocol stack | |
CN102932487B (en) | Data processing method and system | |
CN112653702B (en) | Method for identifying establishment of agent environment | |
KR100674327B1 (en) | Auto-control system for IP-A/VDSL equipments using SNMP | |
JP3725139B2 (en) | Packet transfer apparatus and packet transfer method | |
KR20010064883A (en) | Automatically internet connection method using point-to-point protocol | |
CN110535719A (en) | A kind of plug-in behavior monitoring method of game based on DNS traffic characteristic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||