CN110417771A - Method for automatically intercepting Windows automatic updates by means of a driver - Google Patents

Method for automatically intercepting Windows automatic updates by means of a driver

Info

Publication number: CN110417771A
Authority: CN (China)
Prior art keywords: layer; data packet; function; domain name; driver
Legal status: Granted
Application number: CN201910676339.6A
Other languages: Chinese (zh)
Other versions: CN110417771B (en)
Inventors: 刘德建, 任佳伟, 陈宏展
Current assignee: Fujian Tianqing Online Interactive Technology Co Ltd
Original assignee: Fujian Tianqing Online Interactive Technology Co Ltd

Events:
Application filed by Fujian Tianqing Online Interactive Technology Co Ltd
Priority to CN201910676339.6A
Publication of CN110417771A
Application granted
Publication of CN110417771B
Legal status: Active

Classifications

    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L63/0236 Network security; firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L63/1466 Network security; countermeasures against malicious traffic; active attacks involving interception, injection, modification or spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/306 Network security; supporting lawful interception, monitoring or retaining of communications; intercepting packet-switched data communications, e.g. Web, Internet or IMS communications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Abstract

The present invention provides a method for automatically intercepting Windows automatic updates by means of a driver. The method is as follows: a WFP network filter is installed at the bottom layer of the Windows operating system, and a driver is provided which registers and opens the WFP network filter. The WFP network filter can intercept in real time the network packets that the Windows operating system sends to Microsoft's update servers and the network packets that those servers send back, so that Windows operating system automatic updates are intercepted and the user experience is improved.

Description

Method for automatically intercepting Windows automatic updates by means of a driver
Technical field
The present invention relates to the field of computer system communication technology, and in particular to a method for automatically intercepting Windows automatic updates by means of a driver.
Background
Existing Windows operating systems all update automatically, but some users do not want the system to update while they are using it, for example in the following three situations:
1. Users who use the Windows operating system normally but do not want automatic updates to disrupt their planned work, or who have little interest in or need for the latest system version, such as business people in a meeting or students taking an exam.
2. Computers that must remain busy for long periods and should not have automatic updates consuming network bandwidth and other system resources, or that must not be forced to restart by an automatic update, such as servers.
3. Software that needs to protect itself or to keep the system stable. For example, while a large piece of software is being installed it modifies the system environment, and an abnormal termination during that process may leave the program in an inconsistent state; if an unexpected restart occurs while Visual Studio is being installed, the development environment may end up with unexpected errors.
Existing methods of intercepting Windows operating system updates have the following disadvantages:
1. Existing schemes for intercepting Windows automatic updates require manual configuration by the user; the process is cumbersome and difficult for users who are unfamiliar with computers.
2. After automatic updates have been disabled, existing schemes also require cumbersome manual operations to restore them.
3. Existing schemes cannot be invoked automatically by other programs.
The prior art provides a method of intercepting network data using WFP: Chinese patent application No. 201110072859.X, published 2011-09-21, "A method of intercepting network data using WFP", which belongs to the field of network security and comprises the following steps: S1, open a WFP filter engine session in the Windows kernel, add a sublayer in the session, register a callout in each of the ALE layer and the transport layer of the WFP filter engine, add the callouts to the sublayer, and set the callouts' filtering information, which includes the filter conditions; S2, set a callback function in the ALE callout which determines the correspondence between port and process, decides according to a process policy whether data on this port may be sent, and records whether this port may send data; S3, set a filtering callback function in the transport-layer callout which parses each packet, extracts the port the packet belongs to, and decides from the information recorded in S2 whether the packet's port may send data. That invention is simple, easy to install and compatible with any third-party secure network product. However, the technical problem it solves and its technical solution differ from those of the present patent.
WFP (Windows File Protection), in computing terminology, is a Windows file-protection program that prevents programs from replacing important Windows system files.
Summary of the invention
To overcome the above problems, the object of the present invention is to provide a method for automatically intercepting Windows automatic updates by means of a driver, which can intercept Windows operating system automatic updates and can be called by other programs as a functional module.
The present invention is realized by the following scheme: a method for automatically intercepting Windows automatic updates by means of a driver, the method being as follows: a WFP network filter is installed at the bottom layer of the Windows operating system and a driver is provided; the driver registers and opens the WFP network filter, and the WFP network filter can intercept in real time the network packets the Windows operating system sends to Microsoft's update servers and the network packets those servers send back, thereby intercepting Windows operating system automatic updates.
Further, the method specifically comprises the following steps: step S1, start an application program in the Windows operating system; the application loads the driver; if loading succeeds, go to step S2; if not, unload the driver that failed to load and load the driver again, then go to step S2;
Step S2, the application flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
Step S3, the driver registers and opens the WFP network filter and begins to perform the interception function;
Step S4, the application waits for the user to transmit a request to stop intercepting Windows operating system updates;
Step S5, after receiving the stop request, the driver closes and unregisters the WFP network filter;
Step S6, the application stops and unloads the driver, and then the application exits.
Further, in step S4 the user transmits the request to stop intercepting Windows operating system updates by means of DeviceIoControl.
Further, the concrete way in which the WFP network filter intercepts Windows operating system automatic updates is as follows:
Step 1, set up a blacklist database for storing a domain-name blacklist and an IP blacklist, initialize the blacklist database, and add the two domain names update.microsoft.com and windowsupdate.com to the blacklist database;
Step 2, the driver obtains a handle to the Base Filtering Engine (BFE) using the FwpmEngineOpen function, to be used as a parameter for subsequent operations;
Step 3, the driver uses the FwpsCalloutRegister function to register a callback function for monitoring data at each of the application-layer flow-established layer, the data-stream layer and the datagram layer; the flow-established layer callback handles packets requesting a network connection, the data-stream layer callback handles TCP packets, and the datagram layer callback handles UDP packets;
Step 4, the driver uses the FwpmCalloutAdd function to ask the filter engine to add the three registered callback functions;
Step 5, the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the flow-established layer, the data-stream layer and the datagram layer, for capturing data;
Step 6, the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the flow-established layer, the data-stream layer and the datagram layer, and associates the callback functions with the sublayers; once the association is complete, whenever a sublayer captures a network packet the Windows operating system calls the sublayer's callback function to process that packet;
Step 7, when the flow-established layer callback is invoked by the system, it first extracts the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, saves this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the data-stream layer and the datagram layer; the filter passes the flow context across layers to the data-stream layer and the datagram layer, so that when the callbacks of those layers process a packet captured by a sublayer they obtain the packet's process path, process ID, local IP address, remote IP address, local port and remote port by parsing the flow context;
Step 8, after the data-stream layer and datagram layer callbacks capture a TCP or UDP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from being passed to the next layer; if not, proceed to the next step;
Step 9, the data-stream layer and the datagram layer check whether the captured packet is an HTTP packet or a DNS packet respectively; if so, proceed to the next step, otherwise let the packet pass;
Step 10, the data-stream layer and the datagram layer parse the HTTP message and the DNS message respectively, and determine by string comparison whether the domain name requested in the message is in the domain-name blacklist of the blacklist database; if it is not in the domain-name blacklist, let the packet pass; if it is, perform interception processing;
Step 11, when interception of Windows operating system automatic updates is to end, call the ControlService function to send the control code SERVICE_CONTROL_STOP to the driver so that the driver stops; on receiving the control code the driver invokes the default driver-unload callback, and in the course of that callback it unloads and unregisters the filters; finally the application calls the DeleteService function to remove the driver.
Further, the interception processing performed in step 10 when the domain name is in the domain-name blacklist is specifically: step 10.1, the data-stream layer checks whether the packet's remote IP is in the blacklist database; if it is not in the database, the remote IP is added to the IP library of the blacklist database; otherwise the packet is let through;
Step 10.2, the datagram layer checks whether the response data of the packet contains the IP addresses resolved for the domain name; if so, it checks whether each resolved IP is in the blacklist database and, if not, adds the resolved IP to the blacklist; otherwise the packet is let through.
The beneficial effects of the present invention are: 1. The invention is automated and can be called by other programs as a functional module. 2. The invention uses network filter driver technology to intercept packets matching the given characteristics at the bottom of the system; in theory it succeeds in intercepting Windows automatic updates on any Windows operating system on which no VPN is active. Moreover, since the scheme is based on the network filtering framework provided by Microsoft, it has both system compatibility and system stability. 3. The process is convenient: the user only needs to start or stop the driver to intercept or release automatic-update packets, without cumbersome and unreliable manual settings. 4. The invention separates the control end from the functional end: user interaction is handled in the application layer, while the core function is implemented in the kernel layer; this improves stability and prevents user mistakes from causing unexpected events.
Description of the drawings
Fig. 1 is a schematic flow chart of the method of the invention.
Fig. 2 is a schematic diagram of the blacklist database of the invention, which stores the domain-name blacklist and the IP blacklist.
Fig. 3 is a schematic flow chart of the concrete way in which the WFP network filter of the invention intercepts Windows operating system automatic updates.
Detailed description of the embodiments
The invention is further described below with reference to the accompanying drawings.
Referring to Figs. 1 to 3, a method of the invention for automatically intercepting Windows automatic updates by means of a driver is as follows: a WFP network filter is installed at the bottom layer of the Windows operating system and a driver is provided; the driver registers and opens the WFP network filter, and the WFP network filter can intercept in real time the network packets the Windows operating system sends to Microsoft's update servers and the network packets those servers send back, thereby intercepting Windows operating system automatic updates.
The method specifically comprises the following steps: step S1, start an application program in the Windows operating system; the application loads the driver; if loading succeeds, go to step S2; if not, unload the driver that failed to load and load the driver again, then go to step S2;
Step S2, the application flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
Step S3, the driver registers and opens the WFP network filter and begins to perform the interception function;
Step S4, the application waits for the user to transmit a request to stop intercepting Windows operating system updates; in this step the user transmits the stop request by means of DeviceIoControl.
Step S5, after receiving the stop request, the driver closes and unregisters the WFP network filter;
Step S6, the application stops and unloads the driver, and then the application exits.
Further, the concrete way in which the WFP network filter intercepts Windows operating system automatic updates is as follows:
Step 1, set up a blacklist database for storing a domain-name blacklist and an IP blacklist, initialize the blacklist database, and add the two domain names update.microsoft.com and windowsupdate.com to the blacklist database. The Windows operating system performs functions such as querying for new versions and downloading update packages by interacting with these two domain names over the network; prohibiting the system from accessing these two domain names and from receiving packets sent by the servers they correspond to intercepts Windows automatic updates.
Step 2, the driver obtains a handle to the Base Filtering Engine (BFE) using the FwpmEngineOpen function, to be used as a parameter for subsequent operations. The Base Filtering Engine is a user-mode service built into the Windows operating system that coordinates the WFP components; its main tasks are to add filters to and remove filters from the system, to store filter configuration and to enforce the security of the WFP configuration. Communication between an application and the BFE is performed through WFP management functions such as FwpmEngineOpen.
Step 3, the driver uses the FwpsCalloutRegister function to register a callback function for monitoring data at each of the application-layer flow-established layer (the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer), the data-stream layer (the FWPM_LAYER_STREAM_V4 layer) and the datagram layer (the FWPM_LAYER_DATAGRAM_DATA_V4 layer). The flow-established layer callback handles packets requesting a network connection, the data-stream layer callback handles TCP packets, and the datagram layer callback handles UDP packets. The WFP filter framework provided by Microsoft defines many layers along the path a network packet takes; because packets are encapsulated at the bottom of the system according to the different network protocols, the data captured at different layers differs. The present invention involves the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer captures the authorized connection requests sent by processes, and at this layer the sending and receiving process, the sending and receiving IP addresses and the sending and receiving ports of a packet can be obtained. The FWPM_LAYER_STREAM_V4 layer captures all TCP packets without their IP headers, and the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures all UDP packets without their IP headers.
Step 4, the driver uses the FwpmCalloutAdd function to ask the filter engine to add the three registered callback functions;
Step 5, the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the data-stream layer (FWPM_LAYER_STREAM_V4) and the datagram layer (FWPM_LAYER_DATAGRAM_DATA_V4), for capturing data;
Step 6, the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the data-stream layer (FWPM_LAYER_STREAM_V4) and the datagram layer (FWPM_LAYER_DATAGRAM_DATA_V4), and associates the callback functions with the sublayers; once the association is complete, whenever a sublayer captures a network packet the Windows operating system calls the sublayer's callback function to process that packet;
Step 7, when the flow-established layer callback is invoked by the system, it first extracts the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, saves this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the data-stream layer and the datagram layer; the filter passes the flow context across layers to the data-stream layer and the datagram layer, so that when the callbacks of those layers process a packet captured by a sublayer they obtain the packet's process path, process ID, local IP address, remote IP address, local port and remote port by parsing the flow context;
Step 8, after the data-stream layer and datagram layer callbacks capture a TCP or UDP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from being passed to the next layer; if not, proceed to the next step;
Step 9, the data-stream layer and the datagram layer check whether the captured packet is an HTTP packet or a DNS packet respectively; if so, proceed to the next step, otherwise let the packet pass;
Step 10, the data-stream layer and the datagram layer parse the HTTP message and the DNS message respectively, and determine by string comparison whether the domain name requested in the message is in the domain-name blacklist of the blacklist database; if it is not in the domain-name blacklist, let the packet pass; if it is, perform interception processing.
The interception processing performed in step 10 when the domain name is in the domain-name blacklist is specifically: step 10.1, the data-stream layer checks whether the packet's remote IP is in the blacklist database; if it is not in the database, the remote IP is added to the IP library of the blacklist database; otherwise the packet is let through;
Step 10.2, the datagram layer checks whether the response data of the packet contains the IP addresses resolved for the domain name; if so, it checks whether each resolved IP is in the blacklist database and, if not, adds the resolved IP to the blacklist; otherwise the packet is let through.
Step 11, when interception of Windows operating system automatic updates is to end, call the ControlService function to send the control code SERVICE_CONTROL_STOP to the driver so that the driver stops; on receiving the control code the driver invokes the default driver-unload callback, and in the course of that callback it unloads and unregisters the filters; finally the application calls the DeleteService function to remove the driver.
The invention is further described below with reference to a specific embodiment.
Specific implementation of the scheme of the invention:
Suppose that application program A uses this scheme to intercept the network packets that the Windows system attempts to send or receive during an automatic update, so as to prevent the Windows system from performing automatic updates while application A is running. Application A successfully loads driver B; driver B initializes the driver's domain-name/IP blacklist database and adds the domain names "update.microsoft.com" and "windowsupdate.com" to the database, so that at this point the blacklist database holds 2 domain-name blacklist members and 0 IP blacklist members. Driver B then completes the sequence of operations of registering callback functions, creating sublayers and opening filters at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers; the network filtering module has finished initializing and starts to take effect.
Suppose the system process svchost.exe now attempts to access the network. It first sends a packet requesting a connection to an external server; the filter of the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 sublayer captures this packet, extracts from it the process ID, process path, local IP address, remote IP address, local port and remote port of svchost.exe, saves this information in a flow context, and then associates and binds this flow context with the FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers.
Several cases are discussed next:
svchost.exe sends a packet to the DNS server requesting resolution of the domain name "baidu.com". After the filter at the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures this packet, it traverses each domain-name string in the blacklist database and checks by string comparison whether any of them occurs in the requested domain name. The lookup finds no domain-name string in the blacklist database that matches "baidu.com", so this DNS packet is let through.
The DNS server sends a packet to svchost.exe whose content is the domain name "A.windowsupdate.com" together with its resolution result, the IP addresses 1.2.3.4 and 5.6.7.8. After the filter at the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures this packet, it traverses each domain-name string in the blacklist database and checks by string comparison whether any of them occurs in the requested domain name. The lookup finds that the string "windowsupdate.com" in the blacklist database matches the requested domain name "a.windowsupdate.com", so this DNS packet is blocked, and the resolved IP addresses 1.2.3.4 and 5.6.7.8 are added to the blacklist database. The blacklist database now contains the following members: "update.microsoft.com", "windowsupdate.com", 1.2.3.4 and 5.6.7.8.
svchost.exe skips domain-name resolution and sends an HTTP request directly to IP 1.2.3.4 to ask Microsoft's server whether a new version is needed. After the filter at the FWPM_LAYER_STREAM_V4 layer captures this packet, it extracts the remote IP address 1.2.3.4 from the flow context associated at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer and checks whether the remote IP 1.2.3.4 is in the blacklist database. Since 1.2.3.4 is in the blacklist database, this HTTP request is intercepted.
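Added illustration, not the patent's driver code: a user-mode Python model of the blacklist decisions of steps 8 to 10 (with sub-steps 10.1 and 10.2), run over the three packets of the embodiment above. The Fwpm*/Fwps* calls and FWPM_LAYER_* identifiers the patent names are Windows Filtering Platform APIs, so the two callouts are modelled here as plain functions, the step 7 flow context as a namedtuple, and the local and DNS-server addresses (10.0.0.x) are constructed; the domain comparison is tightened from the page's plain substring test to a label-boundary suffix match, as the code comments note.

```python
import struct
from collections import namedtuple

PERMIT, BLOCK = "permit", "block"
Flow = namedtuple("Flow", "process local_ip remote_ip local_port remote_port")  # step 7 context


class Blacklist:
    """Domain-name + IP blacklist database of step 1 (Fig. 2)."""
    def __init__(self, domains):
        self.domains = {d.lower() for d in domains}
        self.ips = set()

    def domain_matches(self, name):
        # Label-boundary suffix match (tightened from the page's substring test) so "notwindowsupdate.com" is not caught.
        n = name.lower().rstrip(".")
        return any(n == d or n.endswith("." + d) for d in self.domains)


def _read_name(msg, off):  # decode a DNS name at msg[off], following RFC 1035 compression pointers
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                              # pointers must go backwards: no loops
                raise ValueError("bad DNS name pointer")
            end, off = (off + 2 if end is None else end), ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg):
    """Return (queried name, [A-record IPs]) for a DNS query or response."""
    _, _, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    off, qname, ips = 12, "", []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                        # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips


def build_dns_message(qname, ips=(), txid=0x1234):
    """Constructed sample packet: a plain query, or a response carrying A records."""
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, 0x8180 if ips else 0x0100, 1, len(ips), 0, 0)
    msg += name + struct.pack("!HH", 1, 1)
    for ip in ips:  # answer name 0xC00C = pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return msg


def classify_datagram(bl, flow, payload):
    """FWPM_LAYER_DATAGRAM_DATA_V4 callout: UDP, so DNS (steps 8, 9, 10, 10.2)."""
    if flow.remote_ip in bl.ips:                        # step 8: remote IP blacklisted
        return BLOCK
    if 53 not in (flow.local_port, flow.remote_port):   # step 9: not DNS, let it pass
        return PERMIT
    qname, answers = parse_dns(payload)
    if not bl.domain_matches(qname):                    # step 10: domain not blacklisted
        return PERMIT
    bl.ips.update(answers)                              # step 10.2: harvest resolved IPs
    return BLOCK


def classify_stream(bl, flow, payload):
    """FWPM_LAYER_STREAM_V4 callout: TCP, so HTTP (steps 8, 9, 10, 10.1)."""
    if flow.remote_ip in bl.ips:                        # step 8
        return BLOCK
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ")):   # step 9: not HTTP
        return PERMIT
    host = next((line.split(b":", 1)[1].strip().decode() for line in payload.split(b"\r\n")
                 if line.lower().startswith(b"host:")), "")
    if not bl.domain_matches(host):                     # step 10
        return PERMIT
    bl.ips.add(flow.remote_ip)                          # step 10.1: remember the IP as well
    return BLOCK


def run_scenario():
    bl = Blacklist(["update.microsoft.com", "windowsupdate.com"])
    dns_flow = Flow("svchost.exe", "10.0.0.2", "10.0.0.1", 51000, 53)   # constructed addresses
    d1 = classify_datagram(bl, dns_flow, build_dns_message("baidu.com"))
    d2 = classify_datagram(bl, dns_flow, build_dns_message("A.windowsupdate.com", ["1.2.3.4", "5.6.7.8"]))
    http_flow = Flow("svchost.exe", "10.0.0.2", "1.2.3.4", 51001, 80)
    d3 = classify_stream(bl, http_flow, b"GET /update HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n")
    return [d1, d2, d3], sorted(bl.ips)
```

run_scenario() reproduces the embodiment: the baidu.com query is permitted, the windowsupdate.com answer is blocked and its two addresses join the IP blacklist, and the later HTTP request to 1.2.3.4 is then blocked at step 8 before any HTTP parsing.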
In short, the present invention can be applied to: 1. users who use the Windows operating system normally but do not want automatic updates to disrupt their planned work, or who have little interest in or need for the latest system version, such as business people in a meeting or students taking an exam;
2. computers that must remain busy for long periods and should not have automatic updates consuming network bandwidth and other system resources, or that must not be forced to restart by an automatic update, such as servers;
3. software that needs to protect itself or to keep the system stable, for example a large piece of software that modifies the system environment while it is being installed and might be left in an inconsistent state by an abnormal termination, such as an unexpected restart during a Visual Studio installation that leaves the development environment with unexpected errors. In all of these cases the invention improves the user experience.
The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the patent of the invention are covered by the present invention.

Claims (5)

1. A method for automatically intercepting Windows automatic updates by means of a driver, characterised in that: a WFP network filter is installed at the bottom layer of the Windows operating system, and a driver is provided which registers and enables the WFP network filter; the WFP network filter intercepts, in real time, the network packets the Windows operating system sends to the Microsoft update server and the network packets the Microsoft update server sends back, thereby blocking the Windows operating system's automatic update.
2. The method for automatically intercepting Windows automatic updates by means of a driver according to claim 1, characterised in that the method further comprises the following steps: step S1, an application program is started in the Windows operating system; the application program loads the driver and checks whether loading succeeded; if so, it proceeds to step S2; if not, it unloads the driver that failed to load and loads the driver again, then proceeds to step S2;
Step S2, the application program flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
Step S3, the driver registers and enables the WFP network filter and begins performing the interception function;
Step S4, the application program waits for the user to send a request to stop intercepting Windows operating system updates;
Step S5, once the stop request is received, the driver disables and unregisters the WFP network filter;
Step S6, the application program stops and unloads the driver, and then the application program exits.
3. The method for automatically intercepting Windows automatic updates by means of a driver according to claim 2, characterised in that: in step S4 the user's request to stop intercepting Windows operating system updates is passed to the driver by means of DeviceIoControl.
4. The method for automatically intercepting Windows automatic updates by means of a driver according to claim 1, characterised in that the WFP network filter intercepts Windows operating system automatic updates in the following specific manner:
Step 1, a blacklist database is set up for storing a domain name blacklist and an IP blacklist; the blacklist database is initialised and the two domain name entries update.microsoft.com and windowsupdate.com are added to it;
Step 2, the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in subsequent operations;
Step 3, the driver uses the FwpsCalloutRegister function to register a data-monitoring callback function at each of the application-layer (ALE) flow-established layer, the stream layer and the datagram layer; the callback function of the flow-established layer handles the packets that request a network connection, the callback function of the stream layer handles TCP packets, and the callback function of the datagram layer handles UDP packets;
Step 4, the driver adds the three registered callback functions to the filter engine with the FwpmCalloutAdd function;
Step 5, the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the flow-established layer, the stream layer and the datagram layer for capturing data;
Step 6, the driver uses the FwpmFilterAdd function to create, through the filter engine, a filter at each of the flow-established layer, the stream layer and the datagram layer, and associates each callback function with its sublayer; once the association is complete, whenever a sublayer captures a network packet, the Windows operating system calls the callback function corresponding to that sublayer to process the packet;
Step 7, when the callback function of the flow-established layer is called by the system, it first parses the network packet's process path, process ID, local IP address, remote IP address, local port and remote port, saves this information in a flow context, and then binds the flow context to the stream layer and the datagram layer with the FwpsFlowAssociateContext function; the filter can pass the flow context across layers to the stream layer and the datagram layer, so that when the callback functions of the stream layer and the datagram layer process a packet captured by their sublayer, they obtain the packet's process path, process ID, local IP address, remote IP address, local port and remote port by parsing the flow context;
Step 8, after the callback functions of the stream layer and the datagram layer capture a TCP or UDP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from being passed to the next layer; if not, proceed to the next step;
Step 9, the stream layer and the datagram layer respectively check whether the captured packet is an HTTP packet or a DNS packet; if so, proceed to the next step, otherwise the packet is let through;
Step 10, the stream layer and the datagram layer respectively parse the HTTP message and the DNS message, and determine by string comparison whether the domain name requested in the message is in the domain name blacklist of the blacklist database; if it is not in the domain name blacklist, the packet is let through; if it is in the domain name blacklist, interception processing is carried out;
Step 11, when interception of Windows operating system automatic updates is to end, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver, which disables it; on receiving the control code the driver invokes its default driver-unload callback, in the course of which it unloads and unregisters the filter; finally the application program calls the DeleteService function to unload the driver.
5. The method for automatically intercepting Windows automatic updates by means of a driver according to claim 4, characterised in that the interception processing carried out in step 10 when the domain name is in the domain name blacklist is specifically: step 10.1, the stream layer checks whether the packet's remote IP is in the blacklist database; if not, the remote IP is added to the IP list of the blacklist database, otherwise the packet is let through;
Step 10.2, the datagram layer checks whether the response data of the packet contains the resolved IP for the domain name; if it does, it checks whether the resolved IP of the domain name is in the blacklist database; if not, the resolved IP of the domain name is added to the blacklist database, otherwise the packet is let through.
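As an added example, not code from the patent or its applicant, the following C program models in user space the decisions of claim 4 steps 8 to 10 and claim 5 steps 10.1 and 10.2: a blacklist database seeded as in step 1, the remote-IP check of step 8, classification of datagrams as DNS and streams as HTTP (step 9), extraction of the requested name from the DNS question or the HTTP Host header (step 10), and learning of addresses from the A records in a response for a listed name (step 10.2) or from the remote address of a listed HTTP request (step 10.1), so that later packets to those addresses are dropped by step 8. It goes beyond the claim's plain string comparison by using a case-insensitive suffix match on a label boundary, so subdomains of a listed name are caught too, and it blocks the packet in steps 10.1 and 10.2 whether or not the address was already known, a choice of this example where the claim's wording is ambiguous. Everything WFP-specific (the callouts, sublayers, filters and flow context of steps 2 to 7) is assumed to exist outside the program and to deliver each packet's payload, remote IPv4 address and protocol to filter_packet(); the sample DNS and HTTP packets are constructed, not captured, and all function and variable names are this example's own.

```c
/* Added example (not the patent's code): user-space model of the callout
 * decisions in claim 4 steps 8-10 and claim 5 steps 10.1-10.2. Assumed: the WFP
 * plumbing (not shown) hands filter_packet() each packet's payload, remote IPv4 address and protocol. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES 64
enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 };
/* Claim 4 step 1: blacklist database seeded with the two update domains. */
static const char *domain_blacklist[MAX_ENTRIES] = { "update.microsoft.com", "windowsupdate.com" };
static size_t domain_count = 2, ip_count;
static uint32_t ip_blacklist[MAX_ENTRIES];                            /* host byte order */

int ip_is_blacklisted(uint32_t ip) {
    for (size_t i = 0; i < ip_count; i++) if (ip_blacklist[i] == ip) return 1;
    return 0;
}
static void ip_blacklist_add(uint32_t ip) { if (!ip_is_blacklisted(ip) && ip_count < MAX_ENTRIES) ip_blacklist[ip_count++] = ip; }

/* Case-insensitive suffix match on a label boundary (download.windowsupdate.com hits
 * "windowsupdate.com"); generalises the claim's plain string compare. */
int domain_is_blacklisted(const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; i < domain_count; i++) {
        size_t m = strlen(domain_blacklist[i]), k = 0;
        if (n < m || (n > m && name[n - m - 1] != '.')) continue;
        while (k < m && tolower((unsigned char)name[n - m + k]) ==
                        tolower((unsigned char)domain_blacklist[i][k])) k++;
        if (k == m) return 1;
    }
    return 0;
}

/* Decode the DNS name at `off` into dotted form; returns the offset just past
 * it (after the first compression pointer, RFC 1035 4.1.4), 0 if malformed. */
static size_t dns_read_name(const uint8_t *m, size_t len, size_t off, char *out, size_t outsz) {
    size_t o = 0, end = 0; int hops = 0;
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) { off++; break; }
        if ((l & 0xC0) == 0xC0) {                                     /* compression pointer */
            if (off + 1 >= len || ++hops > 8) return 0;               /* truncated or looping */
            if (!end) end = off + 2;
            off = ((l & 0x3F) << 8) | m[off + 1]; continue;
        }
        if (off + 1 + l > len || o + l + 2 > outsz) return 0;
        if (o) out[o++] = '.';
        memcpy(out + o, m + off + 1, l); o += l; off += 1 + l;
    }
    out[o] = '\0'; return end ? end : off;
}

/* Datagram layer (steps 9, 10, 10.2): non-DNS or an unlisted name passes; a listed name is
 * blocked, and every A record in a response for it joins the IP blacklist for step 8. */
static int handle_dns(const uint8_t *m, size_t len) {
    char name[256];
    if (len < 12 || ((m[4] << 8) | m[5]) != 1) return VERDICT_PASS;   /* need QDCOUNT == 1 */
    size_t off = dns_read_name(m, len, 12, name, sizeof name);
    if (!off || off + 4 > len || !domain_is_blacklisted(name)) return VERDICT_PASS;
    off += 4;                                                         /* skip QTYPE, QCLASS */
    uint16_t ancount = (m[2] & 0x80) ? ((m[6] << 8) | m[7]) : 0;      /* answers only if QR=1 */
    for (uint16_t i = 0; i < ancount; i++) {
        off = dns_read_name(m, len, off, name, sizeof name);          /* owner name; buffer reused */
        if (!off || off + 10 > len) break;
        uint16_t type = (m[off] << 8) | m[off + 1], rdlen = (m[off + 8] << 8) | m[off + 9];
        off += 10; if (off + rdlen > len) break;
        if (type == 1 && rdlen == 4)                                  /* A record: learn the address */
            ip_blacklist_add(((uint32_t)m[off] << 24) | (m[off + 1] << 16) | (m[off + 2] << 8) | m[off + 3]);
        off += rdlen;
    }
    return VERDICT_BLOCK;
}

/* Stream layer (steps 9, 10, 10.1): only a stream opening with an HTTP method is
 * parsed; a listed Host header blocks it and records the remote address. */
static int handle_http(const uint8_t *m, size_t len, uint32_t remote_ip) {
    char buf[512], host[256]; size_t n = len < sizeof buf - 1 ? len : sizeof buf - 1, k = 0;
    if (len < 4 || (memcmp(m, "GET ", 4) && memcmp(m, "POST", 4) && memcmp(m, "HEAD", 4)))
        return VERDICT_PASS;
    memcpy(buf, m, n); buf[n] = '\0';
    const char *h = strstr(buf, "\r\nHost:"); if (!h) return VERDICT_PASS;
    h += 7; while (*h == ' ') h++;
    while (h[k] && h[k] != '\r' && h[k] != ':' && k < sizeof host - 1) { host[k] = h[k]; k++; }
    host[k] = '\0';
    if (!domain_is_blacklisted(host)) return VERDICT_PASS;
    ip_blacklist_add(remote_ip); return VERDICT_BLOCK;
}

/* Callout verdict for one captured packet; remote_ip is in host byte order. */
int filter_packet(const uint8_t *payload, size_t len, int is_udp, uint32_t remote_ip) {
    if (ip_is_blacklisted(remote_ip)) return VERDICT_BLOCK;           /* step 8 */
    return is_udp ? handle_dns(payload, len) : handle_http(payload, len, remote_ip);
}

/* Constructed sample traffic (not captured from a real host). */
const uint8_t sample_dns_query[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    8,'d','o','w','n','l','o','a','d', 13,'w','i','n','d','o','w','s','u','p','d','a','t','e', 3,'c','o','m', 0, 0,1, 0,1 };
const uint8_t sample_dns_response[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    8,'d','o','w','n','l','o','a','d', 13,'w','i','n','d','o','w','s','u','p','d','a','t','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 203,0,113,10 };               /* A 203.0.113.10 */
const char sample_http_update[] = "GET /download HTTP/1.1\r\nHost: update.microsoft.com\r\n\r\n";
const char sample_http_other[]  = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
```

Feed the DNS response and then any packet to 203.0.113.10 through filter_packet() and the second is dropped by step 8 alone, which is the point of step 10.2. Two caveats for anyone building on the claims: a kernel callout sees attacker-influenced bytes, so every offset is bounds-checked and compression-pointer loops are capped before a name is decoded; and the Host-header path only works for cleartext HTTP, so a client that talks TLS exposes the name at most in the SNI of the ClientHello, which the claim's HTTP parsing does not cover.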
CN201910676339.6A 2019-07-25 2019-07-25 Method for automatically intercepting Windows automatic update through driving Active CN110417771B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910676339.6A CN110417771B (en) 2019-07-25 2019-07-25 Method for automatically intercepting Windows automatic update through driving

Publications (2)

Publication Number Publication Date
CN110417771A (en) 2019-11-05
CN110417771B (en) 2021-07-09

Family

ID=68363126

Country Status (1)

Country Link
CN (1) CN110417771B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195972A (en) * 2011-03-24 2011-09-21 北京思创银联科技股份有限公司 Method for intercepting network data by using WFP (Windows Filter Platform)
CN103065092A (en) * 2012-12-24 2013-04-24 公安部第一研究所 Method for intercepting operating of suspicious programs
CN104915598A (en) * 2015-05-29 2015-09-16 南京信息工程大学 Monitoring method and monitoring system for C/S client side
CN105844146A (en) * 2016-03-16 2016-08-10 北京金山安全软件有限公司 Method and device for protecting driver and electronic equipment
US20170054686A1 (en) * 2015-08-18 2017-02-23 Konstantin Malkov Agentless Security of Virtual Machines using a Filtering Platform
CN106936846A (en) * 2017-04-10 2017-07-07 北京明朝万达科技股份有限公司 A kind of method for network access control and device based on WFP platforms
CN109347817A (en) * 2018-10-12 2019-02-15 厦门安胜网络科技有限公司 A kind of method and device that network security redirects
CN109587269A (en) * 2018-12-27 2019-04-05 迅雷计算机(深圳)有限公司 A kind of hold-up interception method, unit, system and the storage medium of downloading behavior

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
TK13: "Win64 driver kernel programming - 16. WFP network monitoring driver (firewall)", 程序园 *
WINDOWS: "Windows driver: introduction to the WFP framework and programming with it", HTTPS://QWERTWWWE.GIHUB.IO/WINDOWS-DRIVER-DEVELOP-WFP-FRAMEWORK *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant