CN110417771B - Method for automatically intercepting Windows automatic update through driving - Google Patents


Info

Publication number: CN110417771B
Authority: CN (China)
Prior art keywords: layer, data, data packet, function, domain name
Legal status: Active
Application number: CN201910676339.6A
Other languages: Chinese (zh)
Other versions: CN110417771A (en)
Inventors: 刘德建, 任佳伟, 陈宏展
Current assignee: Fujian Tianqing Online Interactive Technology Co Ltd
Original assignee: Fujian Tianqing Online Interactive Technology Co Ltd
Events: application filed by Fujian Tianqing Online Interactive Technology Co Ltd; priority to CN201910676339.6A; publication of CN110417771A; application granted; publication of CN110417771B; legal status active; anticipated expiration.


Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for automatically intercepting Windows automatic update by means of a driver, comprising the following steps: a WFP network filter is installed at the bottom layer of the Windows operating system, a driver is provided, and the driver registers and starts the WFP network filter; the WFP network filter intercepts in real time the network packets that the Windows operating system sends to the Microsoft update server and the network packets sent back by the Microsoft update server, so that the automatic update of the Windows operating system is intercepted and the user's experience is improved.

Description

Method for automatically intercepting Windows automatic update through driving
Technical Field
The invention relates to the technical field of computer system communication, and in particular to a method for automatically intercepting Windows automatic update by means of a driver.
Background
The existing Windows operating system updates itself automatically, but some users do not want the system to be updated while they are using it, as in the following three cases:
1. Users who use the Windows operating system normally but do not want an automatic update to interfere with a planned schedule, or who have little interest in and little need for a change of system version, such as business people in a meeting or students taking an exam.
2. Systems that must stay busy for a long period of time, where an automatic update should not occupy network bandwidth and other system resources, and where the system must not be forced to restart by an automatic update, such as a server.
3. Cases where the software itself, or some software that maintains system stability, must be protected; for example, large software that is being installed, or a program that is modifying the system environment and may cause unexpected errors if aborted midway (an unexpected restart during the installation of Visual Studio, for instance, may cause unexpected errors in the development environment).
The existing methods for intercepting updates of the Windows operating system have the following defects:
1. Existing schemes for intercepting Windows automatic update require manual configuration by the user; the process is relatively complicated and is difficult for users unfamiliar with computer operation.
2. After automatic update has been turned off, existing schemes require a complicated manual operation to restore it.
3. Existing schemes cannot be invoked automatically by other programs.
The prior art provides a method for intercepting network data using WFP (the application number is not reproduced on this page), comprising: S1, opening a session of the WFP filtering engine in the Windows kernel, adding a sub-layer to the session, registering a callout on the ALE layer and on the transport layer of the WFP filtering engine respectively, adding the callouts to the sub-layer, and setting filtering information for the callouts, the filtering information comprising filtering conditions; S2, setting a callback function in the ALE callout, obtaining in the callback the correspondence between port and process, judging according to the process policy whether data on the port may be sent, and recording the ports that may send data; and S3, setting a filtering callback function in the transport-layer callout, parsing the packet in the filtering callback to obtain the port corresponding to the packet, and judging according to the information recorded in S2 whether the port corresponding to the packet may send data. That invention is simple to implement, convenient to install and compatible with any third-party secure network product. Although that patent also uses WFP to intercept network data, the technical problem it solves and the technical scheme it adopts differ from those of the present patent.
WFP (Windows File Protection) is, in computer terminology, a Windows file protection program that prevents programs from replacing important Windows system files.
Disclosure of Invention
To overcome these problems, the invention aims to provide a method for automatically intercepting Windows automatic update by means of a driver, which can intercept Windows automatic update and can be called by other programs as a functional module.
The invention is realized by the following scheme. A method for automatically intercepting Windows automatic update by means of a driver: a WFP network filter is installed at the bottom layer of the Windows operating system and a driver is provided; the driver registers and starts the WFP network filter, and the WFP network filter intercepts in real time the network packets the Windows operating system sends to the Microsoft update server and the network packets sent by the Microsoft update server, so that the automatic update of the Windows operating system is intercepted.
Further, the method specifically comprises the following steps:
step S1, an application program of the Windows operating system is started and loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load it once more, and then proceed to step S2;
step S2, the application refreshes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to perform the interception function;
step S4, the application waits for a request from the user to stop intercepting Windows operating system updates;
step S5, after the stop request arrives, the driver shuts down and unregisters the WFP network filter;
step S6, the application stops and uninstalls the driver, and then the application terminates.
Further, in step S4 the user's request to stop intercepting Windows operating system updates is delivered to the driver through DeviceIoControl.
Further, the specific way in which the WFP network filter intercepts the automatic update of the Windows operating system is as follows:
step 1, a blacklist database for storing a domain name blacklist and an IP blacklist is set up and initialized, and two domain name entries, update.microsoft.com and windowsupdate.com, are added to it;
step 2, the driver obtains a handle to the Base Filtering Engine (BFE) using the FwpmEngineOpen function, as a parameter for subsequent operations;
step 3, the driver uses the FwpsCalloutRegister function to register a callback function for monitoring data at each of the ALE flow-established layer, the stream layer and the datagram data layer; the callback of the ALE flow-established layer processes packets that request a network connection, the callback of the stream layer processes TCP packets, and the callback of the datagram data layer processes UDP packets;
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callbacks to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create a sub-layer at each of the ALE flow-established layer, the stream layer and the datagram data layer for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, a filter at each of the ALE flow-established layer, the stream layer and the datagram data layer, and associates the callback with the sub-layer; once the association is complete, whenever the sub-layer captures a network packet the Windows operating system calls the callback corresponding to that sub-layer to process the packet;
step 7, when the callback of the ALE flow-established layer is called by the system, it parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, stores this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram data layer; the filter passes the flow context across layers to the stream layer and the datagram data layer, so that when the callbacks of those layers process a packet captured by their sub-layer, the process path, process ID, local IP address, remote IP address, local port and remote port of the packet are obtained by reading the flow context;
step 8, after the callbacks of the stream layer and the datagram data layer capture TCP and UDP packets, they judge whether the remote IP of the packet is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
step 9, the stream layer and the datagram data layer respectively judge whether the captured packet is an HTTP packet or a DNS packet; if so, proceed to the next step, otherwise release the packet;
step 10, the stream layer and the datagram data layer respectively parse the HTTP message and the DNS message; by string comparison they judge whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, the packet is released; if the domain name is in the domain name blacklist, interception processing is carried out;
step 11, when interception of the automatic update of the Windows operating system needs to stop, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver to stop its operation; on receiving the control code the driver calls its default unload callback, in which the filters are removed and unregistered; finally the application calls the DeleteService function to uninstall the driver.
Further, the interception processing for a domain name found in the domain name blacklist in step 10 specifically comprises:
step 10.1, the stream layer judges whether the remote IP of the packet is in the blacklist database; if not, the remote IP is added to the IP library of the blacklist database, otherwise the packet is released;
step 10.2, the datagram data layer judges whether the response of the packet contains the resolved IP information corresponding to the domain name; if so, it judges whether the resolved IP corresponding to the domain name is in the blacklist database; if not, the resolved IP corresponding to the domain name is added to the IP blacklist, otherwise the packet is released.
The beneficial effects of the invention are: 1. The invention is automated and can be called by other programs as a functional module. 2. The invention uses a network-filtering driver technique: network packets matching the characteristics are intercepted at the bottom layer of the system, and in theory Windows automatic update is successfully intercepted on any Windows operating system that is not using a VPN; in addition, the scheme is based on the network filtering framework provided by Microsoft, so it has system compatibility and system stability. 3. The procedure is convenient and fast: the user can intercept or release the automatic update packets simply by starting or stopping the driver, and complicated manual settings with unreliable effect are avoided. 4. The invention separates the control end from the function end, handling user interaction in the application layer and implementing the core function in the kernel layer; this improves stability and prevents unexpected events caused by user misoperation.
Drawings
FIG. 1 is a schematic flow diagram of the process of the present invention.
FIG. 2 is a schematic diagram of a blacklist database for storing a domain name blacklist and an IP blacklist of the present invention.
FIG. 3 is a flow chart illustrating the specific manner of intercepting the automatic update of the Windows operating system by the WFP network filter according to the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to FIG. 1 to FIG. 3, a method for automatically intercepting Windows automatic update by means of a driver according to the present invention comprises: a WFP network filter is installed at the bottom layer of the Windows operating system and a driver is provided; the driver registers and starts the WFP network filter, and the WFP network filter intercepts in real time the network packets the Windows operating system sends to the Microsoft update server and the network packets sent by the Microsoft update server, so that the automatic update of the Windows operating system is intercepted.
The method further comprises the following steps:
step S1, an application program of the Windows operating system is started and loads the driver; if loading succeeds, proceed to step S2; if not, unload the driver that failed to load, load it once more, and then proceed to step S2;
step S2, the application refreshes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to perform the interception function;
step S4, the application waits for a request from the user to stop intercepting Windows operating system updates; in step S4 the user's request to stop intercepting Windows operating system updates is delivered to the driver through DeviceIoControl;
step S5, after the stop request arrives, the driver shuts down and unregisters the WFP network filter;
step S6, the application stops and uninstalls the driver, and then the application terminates.
Further, the specific way in which the WFP network filter intercepts the automatic update of the Windows operating system is as follows:
step 1, a blacklist database for storing a domain name blacklist and an IP blacklist is set up and initialized, and two domain name entries, update.microsoft.com and windowsupdate.com, are added to it. The Windows operating system queries the update version, downloads the update package and so on through network interaction with these two domain names. By prohibiting the operating system from accessing the two domain names and from receiving the packets sent by the servers corresponding to them, the automatic update of Windows can be intercepted.
step 2, the driver obtains a handle to the Base Filtering Engine (BFE) using the FwpmEngineOpen function, as a parameter for subsequent operations. The BFE is a user-mode service of the Windows operating system that coordinates the WFP components; its main tasks are adding filters to and removing them from the system, storing filter configurations and enforcing the security of the WFP configuration. The application communicates with the BFE through WFP management functions such as FwpmEngineOpen.
step 3, the driver uses the FwpsCalloutRegister function to register a callback function for monitoring data at each of the ALE flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4); the callback of the ALE flow-established layer processes packets that request a network connection, the callback of the stream layer processes TCP packets, and the callback of the datagram data layer processes UDP packets. The WFP filtering framework provided by Microsoft defines several layers along the transmission path of a network packet; because packets are encapsulated according to different network protocols at the bottom of the system, the data captured at different layers differs. The invention uses the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4 layers: FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 captures the authorized connection request issued by a process and yields the sending and receiving process, IP and port information of the packet; FWPM_LAYER_STREAM_V4 captures all TCP packets without their IP headers; and FWPM_LAYER_DATAGRAM_DATA_V4 captures all UDP packets without their IP headers.
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callbacks to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create a sub-layer at each of the ALE flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4) for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, a filter at each of the ALE flow-established layer (FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4), the stream layer (FWPM_LAYER_STREAM_V4) and the datagram data layer (FWPM_LAYER_DATAGRAM_DATA_V4), and associates the callback with the sub-layer; once the association is complete, whenever the sub-layer captures a network packet the Windows operating system calls the callback corresponding to that sub-layer to process the packet;
step 7, when the callback of the ALE flow-established layer is called by the system, it parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network packet, stores this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram data layer; the filter passes the flow context across layers to the stream layer and the datagram data layer, so that when the callbacks of those layers process a packet captured by their sub-layer, the process path, process ID, local IP address, remote IP address, local port and remote port of the packet are obtained by reading the flow context;
step 8, after the callbacks of the stream layer and the datagram data layer capture TCP and UDP packets, they judge whether the remote IP of the packet is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer; if not, proceed to the next step;
step 9, the stream layer and the datagram data layer respectively judge whether the captured packet is an HTTP packet or a DNS packet; if so, proceed to the next step, otherwise release the packet;
step 10, the stream layer and the datagram data layer respectively parse the HTTP message and the DNS message; by string comparison they judge whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, the packet is released; if the domain name is in the domain name blacklist, interception processing is carried out;
the interception processing for a domain name found in the domain name blacklist in step 10 specifically comprises:
step 10.1, the stream layer judges whether the remote IP of the packet is in the blacklist database; if not, the remote IP is added to the IP library of the blacklist database, otherwise the packet is released;
step 10.2, the datagram data layer judges whether the response of the packet contains the resolved IP information corresponding to the domain name; if so, it judges whether the resolved IP corresponding to the domain name is in the blacklist database; if not, the resolved IP corresponding to the domain name is added to the IP blacklist, otherwise the packet is released.
step 11, when interception of the automatic update of the Windows operating system needs to stop, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver to stop its operation; on receiving the control code the driver calls its default unload callback, in which the filters are removed and unregistered; finally the application calls the DeleteService function to uninstall the driver.
The invention is further illustrated below with reference to a specific embodiment.
The scheme of the invention is concretely realized as follows:
Suppose that application A is to intercept the network packets the Windows system sends or receives while attempting to update automatically, so as to prevent the automatic update behaviour of the Windows system while application A is running. Application A successfully loads driver B; driver B initializes its domain name and IP blacklist database and adds the domain names "update.microsoft.com" and "windowsupdate.com" to it, so that the blacklist database now contains 2 domain name blacklist members and 0 IP blacklist members. Driver B then successfully completes the operations of registering callback functions, creating sub-layers and opening filters at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer, the FWPM_LAYER_STREAM_V4 layer and the FWPM_LAYER_DATAGRAM_DATA_V4 layer, and the network filter module finishes initialization and starts to work.
Suppose that the system process svchost.exe now attempts to access the network. It first sends a packet requesting a connection to an external server; the filter of the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 sub-layer captures this packet, extracts the process ID, process path, local IP address, remote IP address, local port and remote port of svchost.exe from it, saves this information in a flow context, and binds the flow context to the FWPM_LAYER_STREAM_V4 layer and the FWPM_LAYER_DATAGRAM_DATA_V4 layer.
The following discussion is divided into several cases:
svchost.exe sends a packet to the DNS server requesting resolution of the domain name "baidu.com". After capturing the packet, the filter at FWPM_LAYER_DATAGRAM_DATA_V4 walks through each domain name string in the blacklist database, comparing strings to determine whether it is contained in the domain name requested this time. The lookup finds no domain name string in the blacklist database that matches "baidu.com", so the DNS packet is released.
The DNS server sends a packet to svchost.exe containing the domain name "a.windowsupdate.com" and its resolved IP results, 1.2.3.4 and 5.6.7.8. After capturing the packet, the filter at FWPM_LAYER_DATAGRAM_DATA_V4 walks through each domain name string in the blacklist database by string comparison to determine whether it is contained in the domain name requested this time. The lookup finds that the string "windowsupdate.com" in the blacklist database matches the domain name "a.windowsupdate.com" requested for resolution, so the DNS packet is blocked, and the resolved IP results 1.2.3.4 and 5.6.7.8 are added to the blacklist database. The blacklist database now contains the following members: "update.microsoft.com", "windowsupdate.com", 1.2.3.4 and 5.6.7.8.
svchost.exe sends an HTTP request directly to IP 1.2.3.4 without domain name resolution, asking the Microsoft server whether an updated version is available. After capturing the packet, the filter at FWPM_LAYER_STREAM_V4 extracts the remote IP address 1.2.3.4 from the flow context associated at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer and then determines whether 1.2.3.4 is in the blacklist database. Since 1.2.3.4 is in the blacklist database, this HTTP request is intercepted.
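The decision logic of steps 7 to 10 and the three cases just traced can be modelled in user mode without any kernel code. The following Python is an added example written for this page, not code from the patent or its assignee: it keeps the flow context recorded at the ALE flow-established layer in a table keyed by flow, parses a constructed DNS message (RFC 1035 names with compression pointers) on the datagram path, reads the Host header of a plain HTTP request on the stream path, and lets a blocked DNS answer feed its A-record addresses into the IP blacklist. The process path, PID, addresses and ports are constructed sample values. The patent says only "string comparison" for the domain check, so the label-boundary suffix match used here is an assumption of this example, chosen so that "notwindowsupdate.com" does not match "windowsupdate.com"; step 10.1 is likewise read as "learn the remote IP, then block".

```python
import struct
from collections import namedtuple

# Step 7 context captured at the ALE flow-established layer; step 1 seed domain list.
FlowContext = namedtuple("FlowContext", "process_path pid local_ip remote_ip local_port remote_port")
SEED_DOMAINS = {"update.microsoft.com", "windowsupdate.com"}

def domain_matches(domains, name):
    """Assumption of this example: label-boundary suffix match ("a.windowsupdate.com" hits
    "windowsupdate.com", "notwindowsupdate.com" does not); the patent says only "string comparison"."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)

def read_name(msg, off):
    """Decode an RFC 1035 name, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1 if end is None else end

def parse_dns(msg):
    """Return (first question name, IPv4 addresses from A answers) of a DNS message."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qname, off = qname or name, off + 4           # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips

def build_dns(name, ips=()):
    """Constructed DNS query (no ips) or response whose A answers point back at the question."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 if ips else 0x0100, 1, len(ips), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return msg

class UpdateFilter:
    """User-mode model of the three callouts; every decision is 'permit' or 'block'."""
    def __init__(self):
        self.domains, self.ips = set(SEED_DOMAINS), set()
        self.flows = {}                               # flow id -> FlowContext

    def flow_established(self, flow_id, ctx):         # step 7: bind the context to the flow
        self.flows[flow_id] = ctx
        return "permit"

    def datagram_data(self, flow_id, payload):        # UDP path: steps 8, 9, 10, 10.2
        ctx = self.flows[flow_id]
        if ctx.remote_ip in self.ips:                 # step 8: remote IP already blacklisted
            return "block"
        if 53 not in (ctx.remote_port, ctx.local_port):
            return "permit"                           # step 9: not DNS
        qname, ips = parse_dns(payload)
        if not domain_matches(self.domains, qname):
            return "permit"                           # step 10: domain not blacklisted
        self.ips.update(ips)                          # step 10.2: learn the resolved IPs
        return "block"

    def stream_data(self, flow_id, payload):          # TCP path: steps 8, 9, 10, 10.1
        ctx = self.flows[flow_id]
        if ctx.remote_ip in self.ips:                 # step 8
            return "block"
        if not payload.startswith((b"GET ", b"POST ")):
            return "permit"                           # step 9: not a plain HTTP request
        hosts = [l[5:].strip() for l in payload.split(b"\r\n") if l.lower().startswith(b"host:")]
        if hosts and domain_matches(self.domains, hosts[0].decode("ascii")):
            self.ips.add(ctx.remote_ip)               # step 10.1, read here as learn and block
            return "block"
        return "permit"

def run_embodiment():
    """Replay the three cases of the worked embodiment; returns (decisions, learned IPs)."""
    f = UpdateFilter()
    svc = (r"C:\Windows\System32\svchost.exe", 1234, "10.0.0.2")          # constructed values
    f.flow_established("dns", FlowContext(*svc, "10.0.0.1", 50000, 53))
    f.flow_established("http", FlowContext(*svc, "1.2.3.4", 50001, 80))
    d1 = f.datagram_data("dns", build_dns("baidu.com"))
    d2 = f.datagram_data("dns", build_dns("a.windowsupdate.com", ["1.2.3.4", "5.6.7.8"]))
    d3 = f.stream_data("http", b"GET /update HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n")
    return [d1, d2, d3], sorted(f.ips)
```

run_embodiment() returns (['permit', 'block', 'block'], ['1.2.3.4', '5.6.7.8']), the same three outcomes as the cases above. Two properties of the design show up in the model: the IP blacklist only grows from answers the filter itself blocked, so a resolution that happened before the driver started (the reason step S2 flushes the DNS cache) or a connection made by bare IP is caught only once that address has been learned; and on a host running such a filter an observer would see update-related DNS queries leave but their answers never reach the client, and TCP flows to the learned addresses never complete, which is the trace a defender would look for when checking whether updates are being silently blocked.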
In summary, the present invention can be applied to: 1. users who use the Windows operating system normally but do not want an automatic update to interfere with a planned schedule, or who have little interest in and little need for a change of system version, such as business people in a meeting or students taking an exam;
2. systems that must stay busy for a long period of time, where an automatic update should not occupy network bandwidth and other system resources, and where the system must not be forced to restart by an automatic update, such as a server;
3. cases where the software itself, or some software that maintains system stability, must be protected, for example large software that is being installed, or a program that is modifying the system environment and may cause unexpected errors if aborted midway (an unexpected restart during the installation of Visual Studio, for instance, may cause unexpected errors in the development environment). In all these cases the invention improves the user's experience.
The above description is only a preferred embodiment of the present invention; all equivalent changes and modifications made in accordance with the claims of the present invention shall be covered by the present invention.

Claims (4)

1. A method for automatically intercepting Windows automatic update by a driver, characterized in that the method comprises the following steps: installing a WFP network filter at the bottom layer of the Windows operating system, providing a driver, and registering and starting the WFP network filter, wherein the WFP network filter intercepts in real time the network data packets that the Windows operating system sends to the Microsoft update server and the network data packets received from the Microsoft update server, thereby intercepting the automatic update of the Windows operating system;
the specific way in which the WFP network filter intercepts the automatic update of the Windows operating system is as follows:
step 1, setting up a blacklist database that stores a domain name blacklist and an IP blacklist, initializing the blacklist database, and adding two domain name entries, namely update.
step 2, the driver obtains a handle to the base filtering engine (BFE) with the FwpmEngineOpen function, to be used as a parameter in the subsequent operations;
step 3, the driver uses the FwpsCalloutRegister function to register callout functions that monitor data at the ALE flow-established layer, the stream layer and the datagram data layer respectively; the callout of the ALE flow-established layer processes data packets that request a network connection, the callout of the stream layer processes TCP data packets, and the callout of the datagram data layer processes UDP data packets;
step 4, the driver uses the FwpmCalloutAdd function to add the three registered callouts to the filtering engine;
step 5, the driver uses the FwpmSubLayerAdd function to create sub-layers at the ALE flow-established layer, the stream layer and the datagram data layer respectively, for capturing data;
step 6, the driver uses the FwpmFilterAdd function to create, through the filtering engine, filters at the ALE flow-established layer, the stream layer and the datagram data layer respectively, associating each callout with its sub-layer; once this association is complete, whenever a sub-layer captures a network data packet, the Windows operating system invokes the callout corresponding to that sub-layer to process the packet;
step 7, when the callout of the ALE flow-established layer is invoked by the system, it parses the process path, process ID, local IP address, remote IP address, local port and remote port of the network data packet, stores this information in a flow context, and then uses the FwpsFlowAssociateContext function to bind the flow context to the stream layer and the datagram data layer; the filter passes the flow context across layers to the stream layer and the datagram data layer, so that when the callouts of those layers process a packet captured by their sub-layer, they obtain the process path, process ID, local IP address, remote IP address, local port and remote port of the packet by reading the flow context;
step 8, after the callouts of the stream layer and the datagram data layer capture TCP and UDP data packets, they check whether the remote IP of the packet is in the IP blacklist of the blacklist database; if so, the packet is intercepted and prevented from passing to the next layer, and if not, the next step is entered;
step 9, the stream layer and the datagram data layer respectively determine whether the captured packet is an HTTP packet or a DNS packet; if so, the next step is entered, otherwise the packet is released;
step 10, the stream layer and the datagram data layer respectively parse the HTTP message and the DNS message and determine, by string comparison, whether the requested domain name in the message is in the domain name blacklist of the blacklist database; if not, the packet is released; if the domain name is in the domain name blacklist, interception processing is carried out;
step 11, when interception of the automatic update of the Windows operating system is to be stopped, the ControlService function is called to send the control code SERVICE_CONTROL_STOP to the driver to stop its operation; on receiving the control code the driver invokes its default unload callback, in which it removes and unregisters the filters; finally the application program calls the DeleteService function to uninstall the driver.
2. The method for automatically intercepting Windows automatic update by a driver according to claim 1, characterized in that the method further comprises the following steps: step S1, starting an application program on the Windows operating system, wherein the application program loads the driver; if loading succeeds, step S2 is entered; if not, the driver that failed to load is unloaded and loaded once more, and then step S2 is entered;
step S2, the application program flushes the DNS cache and starts the driver, so that the driver runs in the kernel layer of the Windows operating system;
step S3, the driver registers and starts the WFP network filter and begins to perform the interception function;
step S4, the application program waits for a request from the user to stop intercepting Windows operating system updates;
step S5, once the stop request is received, the driver closes and unregisters the WFP network filter;
step S6, the application program stops and uninstalls the driver, and then the application program exits.
3. The method for automatically intercepting Windows automatic update by a driver according to claim 2, characterized in that in step S4 the user submits the request to stop intercepting Windows operating system updates through DeviceIoControl.
4. The method for automatically intercepting Windows automatic update by a driver according to claim 1, characterized in that the interception processing carried out in step 10 when the domain name is in the domain name blacklist specifically comprises: step 10.1, the stream layer checks whether the remote IP of the data packet is in the blacklist database; if not, the remote IP is added to the IP list of the blacklist database, otherwise the data packet is released;
step 10.2, the datagram data layer checks whether the response data of the packet contains the resolved IP corresponding to the domain name; if so, it checks whether that resolved IP is in the blacklist database and, if it is not, adds the resolved IP corresponding to the domain name to the blacklist database; if the response contains no resolved IP, the data packet is released.
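The following is an added example, not code from the patent or its applicant: a user-mode C model of the datagram-side inspection logic of claim 1 (steps 8 to 10) and claim 4 (step 10.2). The WFP plumbing of steps 2 to 7 (callout registration, sub-layers, filters, flow context) requires the WDK and is not reproduced; in a real driver the datagram-data callout would run verdict() on the payload it classifies, with the remote address taken from the flow context of step 7. The blacklist entries, addresses and packets are constructed for illustration and are not the patent's own. The DNS name decoder follows RFC 1035 compression pointers with a hop limit, so a pointer loop in a hostile packet is rejected rather than hanging the callout; the domain comparison of step 10 is done as a suffix match on label boundaries, which the claims leave unspecified.

```c
/* Added example, not the patent's code: a user-mode C model of the datagram-side logic in claim 1
 * steps 8-10 and claim 4 step 10.2. The WFP callout registration of steps 2-7 needs the WDK and is
 * not reproduced; a real callout would call verdict() on the classified payload. All data is made up. */
#include <ctype.h>
#include <stdint.h>
#include <string.h>
enum { VERDICT_PERMIT = 0, VERDICT_BLOCK = 1 };
static const char *domain_blacklist[] = { "update.example", "windowsupdate.example" }; /* assumed entries */
static uint32_t ip_blacklist[64]; static size_t ip_blacklist_len;  /* host-order IPv4, grown per claim 4 */
static char g_last_qname[256];                                     /* last QNAME parsed, for inspection */

int ip_blacklisted(uint32_t ip) {
    for (size_t i = 0; i < ip_blacklist_len; i++) if (ip_blacklist[i] == ip) return 1;
    return 0;
}
static int ip_blacklist_add(uint32_t ip) {                        /* 1 if newly added, else 0 */
    if (ip_blacklisted(ip) || ip_blacklist_len >= 64) return 0;
    ip_blacklist[ip_blacklist_len++] = ip;
    return 1;
}
static int ieqn(const char *a, const char *b, size_t n) {         /* ASCII case-insensitive compare */
    while (n--) if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++)) return 0;
    return 1;
}
/* Step 10's string comparison as a label-boundary suffix match: download.update.example matches
 * update.example, notupdate.example does not. */
int domain_blacklisted(const char *name) {
    size_t nlen = strlen(name);
    for (size_t i = 0; i < sizeof domain_blacklist / sizeof *domain_blacklist; i++) {
        size_t blen = strlen(domain_blacklist[i]);
        if (nlen >= blen && ieqn(name + nlen - blen, domain_blacklist[i], blen) &&
            (nlen == blen || name[nlen - blen - 1] == '.')) return 1;
    }
    return 0;
}
/* Decode the DNS name at pkt[off] into dotted form, following RFC 1035 compression pointers with a
 * hop limit so a pointer loop cannot hang the callout. Returns the offset just past the name as
 * stored at off, or -1 if malformed. */
static long dns_read_name(const uint8_t *pkt, size_t len, size_t off, char *out, size_t outlen) {
    size_t o = off, w = 0; long end = -1; int hops = 0;
    for (;;) {
        if (o >= len) return -1;
        uint8_t l = pkt[o];
        if ((l & 0xC0) == 0xC0) {                                     /* compression pointer */
            if (o + 1 >= len || ++hops > 8) return -1;
            if (end < 0) end = (long)(o + 2);
            o = (size_t)((l & 0x3F) << 8 | pkt[o + 1]);
            continue;
        }
        if (l == 0) { o++; break; }
        if (l > 63 || o + 1 + l > len || w + l + 2 > outlen) return -1;
        if (w) out[w++] = '.';
        memcpy(out + w, pkt + o + 1, l); w += l; o += 1 + l;
    }
    out[w] = '\0';
    return end >= 0 ? end : (long)o;
}
/* Step 10 on a DNS query: 1 if the first QNAME is blacklisted, 0 if not, -1 if malformed or not a query. */
int dns_query_blacklisted(const uint8_t *pkt, size_t len) {
    if (len < 12 || (pkt[2] & 0x80) || (pkt[4] << 8 | pkt[5]) == 0) return -1;  /* QR set or QDCOUNT 0 */
    return dns_read_name(pkt, len, 12, g_last_qname, sizeof g_last_qname) < 0 ? -1 : domain_blacklisted(g_last_qname);
}
/* Claim 4 step 10.2 on a DNS response: add the A-record addresses of blacklisted names to the IP
 * blacklist, so that step 8 later blocks a direct connection to them (the svchost.exe case in the
 * description). Returns the number of addresses added, or -1 if malformed or not a response. */
int dns_response_learn_ips(const uint8_t *pkt, size_t len) {
    char name[256]; long off = 12; int added = 0;
    if (len < 12 || !(pkt[2] & 0x80)) return -1;
    uint16_t qd = pkt[4] << 8 | pkt[5], an = pkt[6] << 8 | pkt[7];
    for (uint32_t i = 0; i < (uint32_t)qd + an; i++) {                           /* questions, then answers */
        if ((off = dns_read_name(pkt, len, (size_t)off, name, sizeof name)) < 0 || (size_t)off + 4 > len) return -1;
        if (i < qd) { off += 4; continue; }                                      /* skip QTYPE, QCLASS */
        if ((size_t)off + 10 > len) return -1;
        uint16_t type = pkt[off] << 8 | pkt[off + 1], rdlen = pkt[off + 8] << 8 | pkt[off + 9];
        off += 10;                                                               /* TYPE, CLASS, TTL, RDLENGTH */
        if ((size_t)off + rdlen > len) return -1;
        if (type == 1 && rdlen == 4 && domain_blacklisted(name))
            added += ip_blacklist_add((uint32_t)pkt[off] << 24 | pkt[off + 1] << 16 | pkt[off + 2] << 8 | pkt[off + 3]);
        off += rdlen;
    }
    return added;
}
/* Verdict for one captured UDP payload in the order of steps 8, 9 and 10. (The stream-layer HTTP
 * Host check of step 10 and claim 4 step 10.1 are not modelled here.) */
int verdict(uint32_t remote_ip, const uint8_t *udp_payload, size_t len) {
    if (ip_blacklisted(remote_ip)) return VERDICT_BLOCK;                            /* step 8 */
    if (dns_query_blacklisted(udp_payload, len) == 1) return VERDICT_BLOCK;          /* step 10 */
    dns_response_learn_ips(udp_payload, len);                                       /* step 10.2 */
    return VERDICT_PERMIT;                                                          /* step 9: everything else released */
}
/* Constructed sample traffic (not captured from a real system). */
const uint8_t sample_dns_query[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    6,'u','p','d','a','t','e', 7,'e','x','a','m','p','l','e', 0, 0,1, 0,1 };
const uint8_t sample_dns_response[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    6,'u','p','d','a','t','e', 7,'e','x','a','m','p','l','e', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 1,2,3,4 };                      /* update.example A 1.2.3.4 */
const uint8_t sample_dns_loop[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0, 0xC0,0x0C, 0,1, 0,1 };
```

Feeding sample_dns_response through verdict() permits the packet but leaves 1.2.3.4 in the IP blacklist, so a later call for a connection to 1.2.3.4 is blocked at step 8 before any payload is inspected, which is the sequence the description gives for svchost.exe. The sample_dns_loop packet carries a name whose compression pointer points at itself; without the hop limit the decoder would spin forever inside the callout. Note the caveat the claims imply for the stream side: step 9 releases every TCP packet that is not plaintext HTTP, so a TLS connection to an update server is only caught when its address is already in the IP blacklist, which is exactly what step 10.2 provides.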

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910676339.6A CN110417771B (en) 2019-07-25 2019-07-25 Method for automatically intercepting Windows automatic update through driving

Publications (2)

Publication Number Publication Date
CN110417771A CN110417771A (en) 2019-11-05
CN110417771B true CN110417771B (en) 2021-07-09

Family

ID=68363126

Country Status (1)

Country Link
CN (1) CN110417771B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102195972A (en) * 2011-03-24 2011-09-21 北京思创银联科技股份有限公司 Method for intercepting network data by using WFP (Windows Filter Platform)
CN103065092A (en) * 2012-12-24 2013-04-24 公安部第一研究所 Method for intercepting operating of suspicious programs
CN104915598A (en) * 2015-05-29 2015-09-16 南京信息工程大学 Monitoring method and monitoring system for C/S client side
CN105844146A (en) * 2016-03-16 2016-08-10 北京金山安全软件有限公司 Method and device for protecting driver and electronic equipment
CN106936846A (en) * 2017-04-10 2017-07-07 北京明朝万达科技股份有限公司 A kind of method for network access control and device based on WFP platforms
CN109347817A (en) * 2018-10-12 2019-02-15 厦门安胜网络科技有限公司 A kind of method and device that network security redirects
CN109587269A (en) * 2018-12-27 2019-04-05 迅雷计算机(深圳)有限公司 A kind of hold-up interception method, unit, system and the storage medium of downloading behavior

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170054686A1 (en) * 2015-08-18 2017-02-23 Konstantin Malkov Agentless Security of Virtual Machines using a Filtering Platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Windows driver: introduction to the WFP framework and programming with it"; windows; https://qwertwwwe.gihub.io/windows-driver-develop-wfp-framework; 2017-08-17; full text *
"Win64 driver kernel programming, part 16: WFP network monitoring driver (firewall)"; TK13; 程序园; 2017-03-14; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant