Hi,

This little article is only a more detailed analysis of an 'old' article from CodeProject that inspired me.

Firewall hooking is for the most part poorly documented: MS doesn't provide clear and exhaustive documentation about the structures or the development process, so the only way to learn more is reverse engineering (RCE).

These filter-hooks obviously work only in kernel mode: the driver installs a callback function into \Device\IP (which can be seen with WinObj), but let's also take a look inside \system32\Drivers.

Fortunately, no heavy binary analysis is needed; we can study a header file from the DDK directly, namely ipfirewall.h, so let's take a deeper look at this file. Immediately we can see two interesting definitions: the first is IPPacketFirewallPtr, the type of the callout routine, and the most interesting one is _IP_SET_FIREWALL_HOOK_INFO.

First Struct:

Code:
typedef FORWARD_ACTION (*IPPacketFirewallPtr)(
  VOID **pData,              // can be pMdl or pRcvBuf
  UINT RecvInterfaceIndex,   // interface the data was received on
  UINT *pSendInterfaceIndex, // index of the interface where data is sent
  UCHAR *pDestinationType,   // can be Local, Network, Remote, Broadcast, Multicast
  VOID *pContext,            // points to _FIREWALL_CONTEXT_T
  UINT ContextLength,        // sizeof(FIREWALL_CONTEXT_T)
  struct IPRcvBuf **pRcvBuf
);
Second Struct:

Code:
typedef struct _IP_SET_FIREWALL_HOOK_INFO {
  IPPacketFirewallPtr FirewallPtr; // packet filter callout
  UINT Priority;                   // priority of the hook
  BOOLEAN Add;                     // if TRUE then ADD else DELETE
} IP_SET_FIREWALL_HOOK_INFO, *PIP_SET_FIREWALL_HOOK_INFO;
This is the core structure needed to set up the filter-hook, which is done by sending an IOCTL to \Device\Ip:

Code:
#define IOCTL_IP_SET_FIREWALL_HOOK \
  _IP_CTL_CODE(12, METHOD_BUFFERED, FILE_WRITE_ACCESS)

IP_SET_FIREWALL_HOOK_INFO is the input structure to be filled in for the IOCTL.

Looking at the pContext parameter of IPPacketFirewallPtr, we find _FIREWALL_CONTEXT_T, which is:

Code:
typedef struct _FIREWALL_CONTEXT_T {
  DIRECTION_E Direction;
  void *NTE;
  void *LinkCtxt;
  NDIS_HANDLE LContext1;
  UINT LContext2;
} FIREWALL_CONTEXT_T, *PFIREWALL_CONTEXT_T;
Once the filter-hook is installed, a set of rules can be applied to FORWARD or DROP each packet.
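As an added example (mine, not code from this article or from the CodeProject one it builds on), here is what such a callout looks like with a small rule table: it has the IPPacketFirewallPtr signature above, reads the Direction from the FIREWALL_CONTEXT_T, linearizes the head of the IPRcvBuf chain passed in pData, parses the IPv4 header and transport ports, and returns FORWARD or DROP. The DDK types, the FORWARD_ACTION/DIRECTION_E values and the leading fields of struct IPRcvBuf are mirrored locally so it builds with a plain C compiler; those mirrors, the FilterRule format and RunSample (which feeds a constructed packet through the hook) are my assumptions. Sending IP_SET_FIREWALL_HOOK_INFO to \Device\Ip is kernel-only and left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Local mirrors of the DDK types (assumption: names and values follow
 * ipfirewall.h; only the leading fields of struct IPRcvBuf are mirrored). */
typedef void VOID; typedef unsigned int UINT; typedef unsigned char UCHAR; typedef void *NDIS_HANDLE;
typedef enum _FORWARD_ACTION { FORWARD = 0, DROP = 1, ICMP_ON_DROP = 2 } FORWARD_ACTION;
typedef enum _DIRECTION_E { DIRECTION_IN = 0, DIRECTION_OUT = 1 } DIRECTION_E;
struct IPRcvBuf { struct IPRcvBuf *ipr_next; UINT ipr_owner; UCHAR *ipr_buffer; UINT ipr_size; };
typedef struct _FIREWALL_CONTEXT_T {
    DIRECTION_E Direction; void *NTE; void *LinkCtxt; NDIS_HANDLE LContext1; UINT LContext2;
} FIREWALL_CONTEXT_T, *PFIREWALL_CONTEXT_T;
typedef FORWARD_ACTION (*IPPacketFirewallPtr)(VOID **, UINT, UINT *, UCHAR *, VOID *, UINT,
                                              struct IPRcvBuf **);

/* Hypothetical rule format for this example; 0 means "any". */
typedef struct { DIRECTION_E dir; UCHAR proto; uint16_t dst_port; FORWARD_ACTION action; } FilterRule;
static const FilterRule g_rules[] = {
    { DIRECTION_IN,  6, 23, DROP },   /* inbound TCP/23 (telnet) */
    { DIRECTION_IN, 17, 69, DROP },   /* inbound UDP/69 (tftp) */
};
#define IP_HDR_MIN 20
#define COPY_MAX   64

/* Copy the head of an IPRcvBuf chain into a flat buffer (at most cap bytes). */
static size_t CopyChainHead(const struct IPRcvBuf *b, UCHAR *out, size_t cap)
{
    size_t n = 0;
    for (; b != NULL && n < cap; b = b->ipr_next) {
        size_t take = b->ipr_size < cap - n ? b->ipr_size : cap - n;
        memcpy(out + n, b->ipr_buffer, take);
        n += take;
    }
    return n;
}

/* The callout (IPPacketFirewallPtr signature). Inbound packets are read from
 * the IPRcvBuf chain in *pData and anything unparsable is dropped (fail closed).
 * The rules are inbound-only, so outbound traffic is forwarded untouched; the
 * MDL form of pData on the send path would need MmGetSystemAddressForMdlSafe. */
FORWARD_ACTION FilterCallout(VOID **pData, UINT RecvInterfaceIndex, UINT *pSendInterfaceIndex,
                             UCHAR *pDestinationType, VOID *pContext, UINT ContextLength,
                             struct IPRcvBuf **pRcvBuf)
{
    UCHAR pkt[COPY_MAX], proto;
    size_t len, ihl, i;
    uint16_t dport = 0;
    PFIREWALL_CONTEXT_T ctx = (PFIREWALL_CONTEXT_T)pContext;
    (void)RecvInterfaceIndex; (void)pSendInterfaceIndex; (void)pDestinationType; (void)pRcvBuf;

    if (ctx == NULL || ContextLength < sizeof(FIREWALL_CONTEXT_T)) return DROP;
    if (ctx->Direction != DIRECTION_IN) return FORWARD;
    if (pData == NULL || *pData == NULL) return DROP;

    len = CopyChainHead((const struct IPRcvBuf *)*pData, pkt, sizeof pkt);
    if (len < IP_HDR_MIN || (pkt[0] >> 4) != 4) return DROP;
    ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < IP_HDR_MIN || len < ihl) return DROP;
    proto = pkt[9];
    /* Only the first fragment carries the transport header; non-first
     * fragments (fragment offset != 0) are matched on protocol alone. */
    if ((proto == 6 || proto == 17) && (((pkt[6] & 0x1F) << 8) | pkt[7]) == 0) {
        if (len < ihl + 4) return DROP;
        dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    for (i = 0; i < sizeof g_rules / sizeof g_rules[0]; i++) {
        const FilterRule *r = &g_rules[i];
        if (r->dir == ctx->Direction && (r->proto == 0 || r->proto == proto) &&
            (r->dst_port == 0 || r->dst_port == dport))
            return r->action;
    }
    return FORWARD;   /* default policy: no rule matched */
}

/* Constructed sample: an IPv4 header plus a TCP/UDP header (40 bytes) split
 * over two IPRcvBuf entries and delivered through the callout pointer.
 * len < 40 truncates the packet to exercise the fail-closed path. */
FORWARD_ACTION RunSample(UCHAR proto, uint16_t dport, DIRECTION_E dir, size_t len)
{
    UCHAR pkt[40] = {0}, dest = 0;
    struct IPRcvBuf first, second, *out = NULL;
    FIREWALL_CONTEXT_T ctx = {0};
    IPPacketFirewallPtr hook = FilterCallout;
    VOID *data = &first;
    UINT send_idx = 0;
    size_t split;

    pkt[0] = 0x45; pkt[3] = 40; pkt[9] = proto;                /* IPv4, IHL 5, total length 40 */
    memcpy(pkt + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);   /* 10.0.0.1 -> 10.0.0.2 */
    pkt[20] = 0x04; pkt[21] = 0xD2;                             /* source port 1234 */
    pkt[22] = (UCHAR)(dport >> 8); pkt[23] = (UCHAR)dport;     /* destination port */
    if (len > sizeof pkt) len = sizeof pkt;
    split = len / 2;
    first.ipr_next = &second; first.ipr_owner = 0; first.ipr_buffer = pkt; first.ipr_size = (UINT)split;
    second.ipr_next = NULL; second.ipr_owner = 0; second.ipr_buffer = pkt + split;
    second.ipr_size = (UINT)(len - split);
    ctx.Direction = dir;
    return hook(&data, 0, &send_idx, &dest, &ctx, sizeof ctx, &out);
}
```

Two design points worth noting: the callout never trusts the buffer chain (a truncated header or a bad IHL is dropped rather than forwarded), and ports are only read from the first fragment, since later fragments carry no transport header and matching them on a port would read payload bytes. In the real driver the same function pointer goes into IP_SET_FIREWALL_HOOK_INFO.FirewallPtr with Add = TRUE for the IOCTL above.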

Thanks to Jesus O.