CN110417771B - Method for automatically intercepting Windows automatic update through a driver - Google Patents
- Publication number
- CN110417771B (application number CN201910676339.6A)
- Authority
- CN
- China
- Prior art keywords
- layer
- data
- data packet
- function
- domain name
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L63/306—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Technology Law (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method for automatically intercepting Windows automatic update through a driver, comprising the following steps: installing a WFP network filter at the bottom layer of the Windows operating system and providing a driver that registers and starts the WFP network filter, where the WFP network filter intercepts in real time the network packets the Windows operating system sends to the Microsoft update server and the packets the Microsoft update server sends back, thereby intercepting the automatic update of the Windows operating system and improving the user's experience.
Description
Technical Field
The invention relates to the technical field of computer system communication, in particular to a method for automatically intercepting Windows automatic update through a driver.
Background
The existing Windows operating system updates itself automatically, but some users do not want the system to update while they are using it, as in the following three cases:
1. Users who use the Windows operating system normally but do not want an automatic update to interfere with a planned schedule, or who have little interest in or need for a change of system version, such as business people in a meeting or students taking an examination.
2. Machines that must stay busy for long periods, where an automatic update should not consume network bandwidth and other system resources and the system must not be forced to restart by an automatic update, such as a server.
3. Protecting the software itself, or software that maintains system stability, such as a large program being installed or a program that is modifying the system environment and may leave unexpected errors if aborted midway; an unexpected restart during the installation of Visual Studio, for example, may leave the development environment in a broken state.
The existing methods for intercepting Windows operating system updates have the following defects:
1. The existing schemes for intercepting Windows automatic update need manual configuration by the user; the procedure is relatively complicated and difficult for users unfamiliar with computer operation.
2. After automatic update has been disabled, the existing schemes require an equally complicated manual operation to restore it.
3. The existing schemes cannot be invoked automatically by other programs.
A prior-art application (its application number is not reproduced on this page) provides a method for intercepting network data with WFP: S1, open a session with the WFP filtering engine in the Windows kernel, add a sub-layer to the session, register a callout at the ALE layer and at the transport layer of the filtering engine, add the callouts to the sub-layer, and set the callouts' filtering information, which includes the filtering conditions; S2, set a callback function in the ALE callout, obtain in that callback the correspondence between port and process, decide according to the per-process policy whether data on the port may be sent, and record the ports that may send data; S3, set a filtering callback function in the transport-layer callout, parse the packet in that callback to obtain its port, and decide according to the information recorded in S2 whether that port may send data. That invention is simple to implement, convenient to install and compatible with any third-party network security product. Although that patent also uses WFP to intercept network data, the technical problem it solves and the technical scheme it adopts differ from those of the present patent.
WFP here is the Windows Filtering Platform, the packet-filtering framework of the Windows kernel whose Fwpm* and Fwps* functions are used below; it should not be confused with Windows File Protection, which shares the abbreviation and prevents programs from replacing important Windows system files.
Disclosure of Invention
In order to overcome the above problems, the invention aims to provide a method for automatically intercepting Windows automatic update through a driver, which can intercept Windows automatic update and can be called by other programs as a functional module.
The invention adopts the following scheme. A method for automatically intercepting Windows automatic update through a driver: a WFP network filter is installed at the bottom layer of the Windows operating system, a driver is provided, the driver registers and starts the WFP network filter, and the WFP network filter intercepts in real time the network packets the Windows operating system sends to the Microsoft update server and the packets the Microsoft update server sends back, so that the automatic update of the Windows operating system is intercepted.
Further, the method specifically comprises the following steps: step S1, an application program on the Windows operating system is started; the application program loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load it once more, and then proceed to step S2;
step S2, the application program flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to perform the interception function;
step S4, the application program waits for the user's request to stop intercepting Windows operating system updates;
step S5, once the stop request arrives, the driver shuts down and unregisters the WFP network filter;
step S6, the application program stops and unloads the driver, and then the application program terminates.
Further, in step S4 the application program passes the user's request to stop intercepting Windows operating system updates to the driver through DeviceIoControl.
Further, the specific way in which the WFP network filter intercepts the automatic update of the Windows operating system is as follows:
step 1, set up a blacklist database that stores a domain name blacklist and an IP blacklist, initialize it, and add two domain name entries, update.microsoft.com and windowsupdate.com;
step 2, the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in the subsequent operations;
step 3, the driver uses the FwpsCalloutRegister function to register a data-monitoring callback (callout) for each of the ALE flow established layer, the stream layer and the datagram data layer; the callback at the ALE flow established layer handles the request that establishes a network connection, the callback at the stream layer handles TCP data, and the callback at the datagram data layer handles UDP data;
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callouts to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create a sub-layer at each of the ALE flow established layer, the stream layer and the datagram data layer for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, a filter at each of the ALE flow established layer, the stream layer and the datagram data layer, associating each callout with its sub-layer; once associated, whenever the sub-layer captures a network packet the Windows operating system calls the callback corresponding to that sub-layer to process it;
step 7, when the system calls the callback at the ALE flow established layer, the callback extracts the process path, process ID, local IP address, remote IP address, local port and remote port of the network flow, stores them in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the flow at the stream layer and the datagram data layer; the filter thereby carries the context across layers, and when the callbacks at the stream layer and the datagram data layer process a packet captured by their sub-layers, they obtain the process path, process ID, local IP address, remote IP address, local port and remote port of the packet from the flow context;
step 8, after the callbacks at the stream layer and the datagram data layer capture a TCP or UDP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
step 9, the stream layer and the datagram data layer respectively check whether the captured packet is an HTTP packet or a DNS packet; if so, proceed to the next step, otherwise release the packet;
step 10, the stream layer and the datagram data layer respectively parse the HTTP message and the DNS message and check by string comparison whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, release the packet; if the domain name is in the domain name blacklist, perform interception processing;
step 11, when interception of the automatic update of the Windows operating system is to stop, the application program calls the ControlService function to send the control code SERVICE_CONTROL_STOP to the driver, which stops the driver's activity; on receiving the control code the driver calls its default unload callback, in which the filters are unregistered and removed; finally the application program calls the DeleteService function to uninstall the driver.
Further, the interception processing for a domain name in the domain name blacklist in step 10 specifically includes: step 10.1, the stream layer checks whether the packet's remote IP is in the blacklist database; if not, it adds the remote IP to the IP blacklist of the blacklist database; otherwise the packet is released;
step 10.2, the datagram data layer checks whether the reply data of the packet contains the resolved IP addresses of the domain name; if so, it checks whether each resolved IP is in the blacklist database and adds any that are not to the IP blacklist; if the reply contains no resolved IP, the packet is released.
The invention has the following beneficial effects: 1. The invention is automated and can be called by other programs as a functional module. 2. The invention uses network-filtering driver technology: network packets that match the configured characteristics are intercepted at the bottom layer of the system, and Windows automatic update is, in principle, intercepted successfully on a Windows operating system that has no VPN enabled; moreover, the scheme is built on the network-filtering framework provided by Microsoft and therefore has system compatibility and stability. 3. The procedure is quick and convenient: the user intercepts or releases the automatic-update packets simply by starting or stopping the driver, without the complicated manual settings whose effect is unreliable. 4. The invention separates the control end from the function end: user interaction is handled in the application layer and the core function is implemented in the kernel layer, which improves stability and prevents unexpected events caused by user misoperation.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
FIG. 2 is a schematic diagram of a blacklist database for storing a domain name blacklist and an IP blacklist of the present invention.
FIG. 3 is a flow chart illustrating the specific manner of intercepting the automatic update of the Windows operating system by the WFP network filter according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1 to 3, a method for automatically intercepting Windows automatic update through a driver according to the present invention comprises: a WFP network filter is installed at the bottom layer of the Windows operating system, a driver is provided, the driver registers and starts the WFP network filter, and the WFP network filter intercepts in real time the network packets the Windows operating system sends to the Microsoft update server and the packets the Microsoft update server sends back, so that the automatic update of the Windows operating system is intercepted.
The method further comprises the following steps: step S1, an application program on the Windows operating system is started; the application program loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load it once more, and then proceed to step S2;
step S2, the application program flushes the DNS cache (so that a resolution cached before the filter was active cannot be reused without passing through it) and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to perform the interception function;
step S4, the application program waits for the user's request to stop intercepting Windows operating system updates; in step S4 the application program passes the user's stop request to the driver through DeviceIoControl.
step S5, once the stop request arrives, the driver shuts down and unregisters the WFP network filter;
step S6, the application program stops and unloads the driver, and then the application program terminates.
Further, the specific way in which the WFP network filter intercepts the automatic update of the Windows operating system is as follows:
step 1, set up a blacklist database that stores a domain name blacklist and an IP blacklist, initialize it, and add two domain name entries, update.microsoft.com and windowsupdate.com. The Windows operating system queries the available update version, downloads the update package and so on through network interaction with these two domain names. Prohibiting the operating system from accessing the two domain names and from receiving the packets sent by the servers behind them therefore intercepts Windows automatic update.
step 2, the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in the subsequent operations. The Base Filtering Engine is a user-mode service of the Windows operating system that coordinates the WFP components; its main tasks are adding filters to and removing them from the system, storing filter configuration and enforcing the security of the WFP configuration. The application program communicates with the BFE through WFP management functions such as FwpmEngineOpen.
step 3, the driver uses the FwpsCalloutRegister function to register a data-monitoring callback (callout) for each of the ALE flow established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4); the callback at the ALE flow established layer handles the request that establishes a network connection, the callback at the stream layer handles TCP data, and the callback at the datagram data layer handles UDP data. The WFP framework provided by Microsoft defines a number of layers along the path a network packet travels; because the packet is encapsulated according to the different network protocols at the bottom of the system, the data captured at different layers differ. The invention uses FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4: the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer sees the authorized connection request made by a process, from which the sending and receiving process, IP address and port information of the flow can be obtained; the FWPM_LAYER_STREAM_V4 layer captures all TCP data without IP headers, and the FWPM_LAYER_DATAGRAM_DATA_V4 layer captures all UDP data without IP headers.
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callouts to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create a sub-layer at each of the ALE flow established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4) for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, a filter at each of the ALE flow established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4), associating each callout with its sub-layer; once associated, whenever the sub-layer captures a network packet the Windows operating system calls the callback corresponding to that sub-layer to process it;
step 7, when the system calls the callback at the ALE flow established layer, the callback extracts the process path, process ID, local IP address, remote IP address, local port and remote port of the network flow, stores them in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the flow at the stream layer and the datagram data layer; the filter thereby carries the context across layers, and when the callbacks at the stream layer and the datagram data layer process a packet captured by their sub-layers, they obtain the process path, process ID, local IP address, remote IP address, local port and remote port of the packet from the flow context;
step 8, after the callbacks at the stream layer and the datagram data layer capture a TCP or UDP packet, they check whether the packet's remote IP is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
step 9, the stream layer and the datagram data layer respectively check whether the captured packet is an HTTP packet or a DNS packet; if so, proceed to the next step, otherwise release the packet;
step 10, the stream layer and the datagram data layer respectively parse the HTTP message and the DNS message and check by string comparison whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, release the packet; if the domain name is in the domain name blacklist, perform interception processing;
the interception processing for a domain name in the domain name blacklist in step 10 specifically includes: step 10.1, the stream layer checks whether the packet's remote IP is in the blacklist database; if not, it adds the remote IP to the IP blacklist of the blacklist database; otherwise the packet is released;
step 10.2, the datagram data layer checks whether the reply data of the packet contains the resolved IP addresses of the domain name; if so, it checks whether each resolved IP is in the blacklist database and adds any that are not to the IP blacklist; if the reply contains no resolved IP, the packet is released.
step 11, when interception of the automatic update of the Windows operating system is to stop, the application program calls the ControlService function to send the control code SERVICE_CONTROL_STOP to the driver, which stops the driver's activity; on receiving the control code the driver calls its default unload callback, in which the filters are unregistered and removed; finally the application program calls the DeleteService function to uninstall the driver.
The invention is further illustrated below with reference to a specific embodiment, in which the scheme is realized as follows.
Suppose that application program A is to intercept the network packets the Windows system sends or receives while attempting to update automatically, so that no automatic update takes place while application program A is running. Application program A loads driver B successfully; driver B initializes its domain name/IP blacklist database and adds the domain names "update.microsoft.com" and "windowsupdate.com", so the blacklist database now holds 2 domain name blacklist entries and 0 IP blacklist entries. Driver B then completes the sequence of registering callouts, creating sub-layers, opening filters and so on at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers, and the network filter module is initialized and begins to work.
Suppose that the system process svchost.exe now attempts to access the network. It first sends a packet requesting a connection to an external server; the filter in the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 sub-layer captures it, extracts the process ID, process path, local IP address, remote IP address, local port and remote port of svchost.exe, and saves them in a flow context, which is then bound to the FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers.
The following cases are then distinguished:
svchost.exe sends a packet to the DNS server requesting resolution of the domain name "baidu.com". After capturing the packet, the filter at FWPM_LAYER_DATAGRAM_DATA_V4 walks every domain name string in the blacklist database and checks by string comparison whether it occurs in the requested domain name. No blacklisted string matches "baidu.com", so the DNS packet is released.
The DNS server sends a packet to svchost.exe containing the domain name "a.windowsupdate.com" and its resolved IP addresses 1.2.3.4 and 5.6.7.8. After capturing the packet, the filter at FWPM_LAYER_DATAGRAM_DATA_V4 walks every domain name string in the blacklist database and checks by string comparison whether it occurs in the resolved domain name. The blacklisted string "windowsupdate.com" matches "a.windowsupdate.com", so the DNS packet is blocked and the resolved addresses 1.2.3.4 and 5.6.7.8 are added to the blacklist database, which now contains "update.microsoft.com", "windowsupdate.com", 1.2.3.4 and 5.6.7.8.
svchost.exe sends an HTTP request directly to IP 1.2.3.4, without domain name resolution, asking the Microsoft server whether an updated version is available. After capturing the packet, the filter at FWPM_LAYER_STREAM_V4 reads the remote IP address 1.2.3.4 from the flow context bound at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer and checks whether 1.2.3.4 is in the blacklist database. It is, so the HTTP request is intercepted.
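The verdict logic of steps 8 to 10 and the svchost.exe scenario above, as an added example written for this page rather than code from the patent: a portable user-mode C model of the blacklist database, the datagram-layer DNS check with A-record harvesting (step 10.2), the stream-layer HTTP Host check (step 10.1), and the step 8 IP check that runs before either. The DNS reply, DNS query and HTTP request it feeds in are constructed for the example. Two choices go beyond the text and are assumptions of this example: the domain match is a case-insensitive suffix match on a label boundary instead of the description's bare substring comparison, so "notwindowsupdate.com" does not match "windowsupdate.com"; and a TCP segment is classified as HTTP by its request method, so a TLS connection (which exposes no readable Host header) is caught only when its remote IP was learned from an intercepted DNS reply, which is also why step S2 flushes the DNS cache before the driver starts.

```c
/* Added example, not the patent's driver code: a portable user-mode model of the verdict logic of
 * steps 8-10, replayed on the svchost.exe scenario. The DNS and HTTP payloads are constructed. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define MAX_NAME 256
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
enum verdict { PASS = 0, BLOCK = 1 };
typedef struct { char domains[8][MAX_NAME]; int ndomains; uint32_t ips[64]; int nips; } blacklist_t;
static void bl_init(blacklist_t *bl) {                        /* step 1: the two seed domain names */
    memset(bl, 0, sizeof *bl);
    strcpy(bl->domains[bl->ndomains++], "update.microsoft.com");
    strcpy(bl->domains[bl->ndomains++], "windowsupdate.com");
}
static int bl_has_ip(const blacklist_t *bl, uint32_t ip) {
    for (int i = 0; i < bl->nips; i++) if (bl->ips[i] == ip) return 1;
    return 0;
}
static void bl_add_ip(blacklist_t *bl, uint32_t ip) { if (!bl_has_ip(bl, ip) && bl->nips < 64) bl->ips[bl->nips++] = ip; }
/* Assumption: case-insensitive suffix match on a label boundary, stricter than the text's substring compare. */
static int domain_blacklisted(const blacklist_t *bl, const char *name) {
    size_t nlen = strlen(name);
    for (int i = 0; i < bl->ndomains; i++) {
        size_t dlen = strlen(bl->domains[i]), k = 0;
        if (nlen < dlen) continue;
        const char *tail = name + nlen - dlen;
        while (k < dlen && tolower((unsigned char)tail[k]) == bl->domains[i][k]) k++;
        if (k == dlen && (nlen == dlen || tail[-1] == '.')) return 1;  /* "a.windowsupdate.com" yes, "notwindowsupdate.com" no */
    }
    return 0;
}
/* Decode the DNS name at *off (RFC 1035 labels and compression pointers) into dotted form. */
static int dns_read_name(const uint8_t *m, size_t len, size_t *off, char *out, size_t outsz) {
    size_t pos = *off, n = 0; int jumped = 0, hops = 0;
    for (uint8_t l; pos < len && (l = m[pos]) != 0; ) {
        if ((l & 0xC0) == 0xC0) {                                 /* pointer: 14-bit message offset */
            if (pos + 1 >= len || ++hops > 8) return 0;           /* truncated or looping pointer */
            if (!jumped) *off = pos + 2;
            jumped = 1; pos = ((l & 0x3F) << 8) | m[pos + 1];
        } else {
            if (++pos + l > len || n + l + 1 >= outsz) return 0;
            if (n) out[n++] = '.';
            memcpy(out + n, m + pos, l); n += l; pos += l;
        }
    }
    if (pos >= len) return 0;                                      /* no root label: truncated */
    if (!jumped) *off = pos + 1;
    out[n] = '\0'; return 1;
}
/* Datagram data layer, steps 9-10 and 10.2: block DNS for a blacklisted name and learn the A records
 * of a blocked reply, so that a later direct connection to those addresses is caught by step 8. */
static enum verdict handle_dns(blacklist_t *bl, const uint8_t *m, size_t len) {
    char qname[MAX_NAME], rrname[MAX_NAME]; size_t off = 12;
    if (len < 12 || ((m[4] << 8) | m[5]) < 1) return PASS;                /* no question section */
    if (!dns_read_name(m, len, &off, qname, sizeof qname)) return PASS;
    off += 4;                                                              /* QTYPE, QCLASS */
    if (!domain_blacklisted(bl, qname)) return PASS;
    for (int i = (m[6] << 8) | m[7]; (m[2] & 0x80) && i > 0; i--) {        /* QR=1: walk the answers */
        if (!dns_read_name(m, len, &off, rrname, sizeof rrname) || off + 10 > len) break;
        unsigned type = (m[off] << 8) | m[off + 1], rdlen = (m[off + 8] << 8) | m[off + 9];
        if ((off += 10) + rdlen > len) break;
        if (type == 1 && rdlen == 4) bl_add_ip(bl, IP4(m[off], m[off + 1], m[off + 2], m[off + 3]));
        off += rdlen;
    }
    return BLOCK;
}
/* Stream layer, steps 9-10 and 10.1: a plaintext HTTP request names its server in the Host header
 * (assumption: canonical "Host:" spelling); a TLS connection exposes no such header to this layer. */
static enum verdict handle_http(blacklist_t *bl, uint32_t remote_ip, const uint8_t *pl, size_t len) {
    char buf[1024], host[MAX_NAME];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, pl, len); buf[len] = '\0';
    const char *h = strstr(buf, "\r\nHost:"); if (!h) return PASS;
    h += 7; h += strspn(h, " ");
    size_t l = strcspn(h, ":\r\n ");                                       /* stop at an optional :port */
    if (l == 0 || l >= sizeof host) return PASS;
    memcpy(host, h, l); host[l] = '\0';
    if (!domain_blacklisted(bl, host)) return PASS;
    bl_add_ip(bl, remote_ip);                                              /* step 10.1 */
    return BLOCK;
}
/* Verdict order of steps 8-10: IP blacklist, then classify (assumption: HTTP = request method), then name. */
static enum verdict decide(blacklist_t *bl, int is_udp, uint32_t rip, uint16_t rport, const uint8_t *pl, size_t len) {
    if (bl_has_ip(bl, rip)) return BLOCK;                                                  /* step 8 */
    if (is_udp && rport == 53) return handle_dns(bl, pl, len);
    if (!is_udp && len > 5 && (!memcmp(pl, "GET ", 4) || !memcmp(pl, "POST ", 5) || !memcmp(pl, "HEAD ", 5)))
        return handle_http(bl, rip, pl, len);
    return PASS;                                                                           /* step 9 */
}
/* Constructed packets: a query for baidu.com, and a reply mapping a.windowsupdate.com to 1.2.3.4 and 5.6.7.8. */
static const uint8_t DNS_QUERY[] = { 0x12,0x35,0x01,0x00, 0,1, 0,0, 0,0, 0,0, 5,'b','a','i','d','u', 3,'c','o','m', 0, 0,1, 0,1 };
static const uint8_t DNS_REPLY[] = { 0x12,0x34,0x81,0x80, 0,1, 0,2, 0,0, 0,0,
    1,'a', 13,'w','i','n','d','o','w','s','u','p','d','a','t','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 1,2,3,4,   0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 5,6,7,8 };
/* Replays the three cases of the description; returns how many of the three packets were blocked (2). */
static int run_scenario(blacklist_t *bl) {
    static const char req[] = "GET /update HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n";  /* direct to 1.2.3.4 */
    bl_init(bl);
    int blocked = decide(bl, 1, IP4(8, 8, 8, 8), 53, DNS_QUERY, sizeof DNS_QUERY) == BLOCK;
    blocked += decide(bl, 1, IP4(8, 8, 8, 8), 53, DNS_REPLY, sizeof DNS_REPLY) == BLOCK;
    blocked += decide(bl, 0, IP4(1, 2, 3, 4), 80, (const uint8_t *)req, sizeof req - 1) == BLOCK;
    return blocked;
}
```

run_scenario() releases the baidu.com query, blocks the a.windowsupdate.com reply while learning 1.2.3.4 and 5.6.7.8, and then blocks the HTTP request to 1.2.3.4 at step 8 before any Host header is examined. The ordering in decide() is the point: an address learned at the datagram data layer blocks a later connection at the stream layer even when that connection carries no domain name at all, which is the only path by which a TLS connection to an update server is ever stopped under this scheme.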
In summary, the present invention can be applied to: 1. users who use the Windows operating system normally but do not want an automatic update to interfere with a planned schedule, or who have little interest in or need for a change of system version, such as business people in a meeting or students taking an examination;
2. machines that must stay busy for long periods, where an automatic update should not consume network bandwidth and other system resources and the system must not be forced to restart by an automatic update, such as a server;
3. protecting the software itself, or software that maintains system stability, such as a large program being installed or a program that is modifying the system environment and may leave unexpected errors if aborted midway, for example an unexpected restart during the installation of Visual Studio that leaves the development environment in a broken state; in all of these the invention improves the user's experience.
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.
Claims (4)
1. A method for automatically intercepting Windows automatic update through a driver, characterized in that the method comprises the following steps: installing a WFP network filter at the bottom layer of the Windows operating system, providing a driver, and registering and starting the WFP network filter, wherein the WFP network filter can intercept, in real time, the network data packets sent by the Windows operating system to the Microsoft update server and the network data packets received from the Microsoft update server, thereby intercepting the automatic update of the Windows operating system;
the WFP network filter intercepts the automatic update of the Windows operating system as follows:
step 1, setting up a blacklist database that stores a domain name blacklist and an IP blacklist, initializing the blacklist database, and adding two domain name entries, namely, update.
Step 2, the driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, for use as a parameter in subsequent operations;
step 3, the driver uses the FwpsCalloutRegister function to register callback functions (callouts) for monitoring data at the application layer enforcement (ALE) flow-established layer, the stream layer and the datagram data layer respectively; the callback function of the ALE flow-established layer processes the data packets that request a network connection, the callback function of the stream layer processes TCP data packets, and the callback function of the datagram data layer processes UDP data packets;
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callback functions to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create a sublayer at each of the ALE flow-established layer, the stream layer and the datagram data layer for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, a filter at each of the ALE flow-established layer, the stream layer and the datagram data layer, associating each callback function with its sublayer; once the association is complete, whenever a sublayer captures a network data packet, the Windows operating system invokes the callback function corresponding to that sublayer to process the packet;
step 7, when the callback function of the ALE flow-established layer is invoked by the system, it parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network data packet, stores this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram data layer; the filter passes the flow context across layers to the stream layer and the datagram data layer, so that when the callback functions of the stream layer and the datagram data layer process a data packet captured by their sublayer, they obtain the process path, process ID, local IP address, remote IP address, local port and remote port of the packet by reading the flow context;
step 8, after the callback functions of the stream layer and the datagram data layer capture TCP and UDP data packets, they check whether the remote IP of the packet is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from being passed to the next layer; if not, the next step is entered;
step 9, the stream layer and the datagram data layer respectively check whether the captured data packet is an HTTP data packet or a DNS data packet; if so, the next step is entered, otherwise the packet is released;
step 10, the stream layer and the datagram data layer parse the HTTP message and the DNS message respectively, and check by string comparison whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, the packet is released; if the domain name is in the domain name blacklist, interception processing is carried out;
step 11, when the interception of the Windows operating system automatic update needs to be stopped, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver to stop it; after the driver receives the control code it calls the default driver unload callback function, in which the filters are unloaded and unregistered; finally, the application program calls the DeleteService function to uninstall the driver.
2. The method for automatically intercepting Windows automatic update through a driver according to claim 1, characterized in that the method further comprises the following steps: step S1, starting an application program of the Windows operating system, wherein the application program loads the driver; if loading succeeds, step S2 is entered; if not, the driver that failed to load is unloaded and then loaded once more, after which step S2 is entered;
step S2, the application program flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to execute the interception function;
step S4, the application program waits for the user's request to stop intercepting the Windows operating system update;
step S5, after the stop request is received, the driver closes and unregisters the WFP network filter;
step S6, the application program stops and uninstalls the driver, and then the application program terminates.
3. The method for automatically intercepting Windows automatic update through a driver according to claim 2, characterized in that in step S4 the user sends the request to stop intercepting the Windows operating system update through DeviceIoControl.
4. The method for automatically intercepting Windows automatic update through a driver according to claim 1, characterized in that the interception processing performed in step 10 when the domain name is in the domain name blacklist specifically comprises: step 10.1, the stream layer checks whether the remote IP of the data packet is in the blacklist database; if not, the remote IP is added to the IP library of the blacklist database, otherwise the packet is released;
and step 10.2, the datagram data layer checks whether the response information of the data packet contains the resolved IP corresponding to the domain name; if so, it checks whether that resolved IP is in the blacklist database and, if not, adds the resolved IP corresponding to the domain name to the blacklist database; if the response contains no resolved IP, the packet is released.
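The per-packet decision logic of steps 8 to 10 and claim 4, as an added user-mode Python model that is not the patent's driver code: it assumes the caller has already identified the payload as DNS or HTTP (step 9) and supplies the remote IP from the flow context (step 7); the function names, the blacklist entries and the two DNS messages are constructed for this example. It also shows the part the claims only imply, namely that an A record answered for a blacklisted name is learned into the IP blacklist so that later TCP flows to that address are blocked at step 8 without any parsing.

```python
DOMAIN_BLACKLIST = {"update.example.test", "download.example.test"}  # constructed sample policy, not the patent's entries
IP_BLACKLIST = set()  # filled at run time; step 8 consults it before any parsing

def read_name(msg, pos):
    """Decode the DNS name at msg[pos], following compression pointers; return (name, next_pos)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer: the field ends after its two bytes
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
        elif length == 0:
            return ".".join(labels).lower(), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def classify_dns(remote_ip, msg):
    """Datagram-layer callout decision for one DNS message (steps 8-10, claim 4 step 10.2)."""
    if remote_ip in IP_BLACKLIST:  # step 8: remote IP already blacklisted
        return "BLOCK"
    qname, pos = read_name(msg, 12)
    pos += 4  # skip QTYPE and QCLASS
    if qname not in DOMAIN_BLACKLIST:  # step 10: domain-name string comparison
        return "PERMIT"
    if msg[2] & 0x80:  # QR=1, a response: learn the resolved A records (claim 4, step 10.2)
        for _ in range(int.from_bytes(msg[6:8], "big")):  # ANCOUNT resource records
            _, pos = read_name(msg, pos)
            rtype, rdlen = int.from_bytes(msg[pos:pos + 2], "big"), int.from_bytes(msg[pos + 8:pos + 10], "big")
            if rtype == 1 and rdlen == 4:  # A record; RDATA follows the 10-byte fixed part
                IP_BLACKLIST.add(".".join(str(b) for b in msg[pos + 10:pos + 14]))
            pos += 10 + rdlen
    return "BLOCK"

def classify_http(remote_ip, payload):
    """Stream-layer callout decision for one HTTP request (steps 8-10, claim 4 step 10.1)."""
    if remote_ip in IP_BLACKLIST:
        return "BLOCK"
    for line in payload.split(b"\r\n"):
        if line[:5].lower() == b"host:":
            host = line[5:].strip().decode("ascii").split(":")[0].lower()
            if host in DOMAIN_BLACKLIST:
                IP_BLACKLIST.add(remote_ip)  # step 10.1: remember the IP so step 8 catches it next time
                return "BLOCK"
    return "PERMIT"

# Constructed samples: a query for update.example.test, the matching response (A 192.0.2.10), an HTTP request.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x06update\x07example\x04test\x00\x00\x01\x00\x01"
DNS_RESPONSE = DNS_QUERY[:2] + b"\x81\x80\x00\x01\x00\x01" + DNS_QUERY[8:] + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"
HTTP_REQUEST = b"GET /update HTTP/1.1\r\nHost: download.example.test\r\n\r\n"
```

A kernel callout doing the same work must bound the compression-pointer chase and check every length against the buffer before indexing, since the parser runs on attacker-controlled bytes; the model omits those checks.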
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910676339.6A CN110417771B (en) | 2019-07-25 | 2019-07-25 | Method for automatically intercepting Windows automatic update through driving |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110417771A CN110417771A (en) | 2019-11-05 |
CN110417771B true CN110417771B (en) | 2021-07-09 |
Family ID: 68363126
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110417771B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102195972A (en) * | 2011-03-24 | 2011-09-21 | 北京思创银联科技股份有限公司 | Method for intercepting network data by using WFP (Windows Filter Platform) |
CN103065092A (en) * | 2012-12-24 | 2013-04-24 | 公安部第一研究所 | Method for intercepting operating of suspicious programs |
CN104915598A (en) * | 2015-05-29 | 2015-09-16 | 南京信息工程大学 | Monitoring method and monitoring system for C/S client side |
CN105844146A (en) * | 2016-03-16 | 2016-08-10 | 北京金山安全软件有限公司 | Method and device for protecting driver and electronic equipment |
CN106936846A (en) * | 2017-04-10 | 2017-07-07 | 北京明朝万达科技股份有限公司 | A kind of method for network access control and device based on WFP platforms |
CN109347817A (en) * | 2018-10-12 | 2019-02-15 | 厦门安胜网络科技有限公司 | A kind of method and device that network security redirects |
CN109587269A (en) * | 2018-12-27 | 2019-04-05 | 迅雷计算机(深圳)有限公司 | A kind of hold-up interception method, unit, system and the storage medium of downloading behavior |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170054686A1 (en) * | 2015-08-18 | 2017-02-23 | Konstantin Malkov | Agentless Security of Virtual Machines using a Filtering Platform |
- 2019-07-25 CN CN201910676339.6A patent/CN110417771B/en active Active
Non-Patent Citations (2)
Title |
---|
"Windows driver: introduction to the WFP framework and its programming"; windows; https://qwertwwwe.gihub.io/windows-driver-develop-wfp-framework; 2017-08-17; full text * |
"Win64 driver kernel programming, part 16: WFP network monitoring driver (firewall)"; TK13; 《程序园》; 2017-03-14; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN110417771A (en) | 2019-11-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |