microsoft / Windows-driver-samples

This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
Microsoft Public License

WFP Traffic Inspection Sample: the last ACK at release is not sent #234

Open BOT-Man-JL opened 6 years ago

BOT-Man-JL commented 6 years ago

Hi all,

Description

While running the latest inspection sample of WFP, I set BlockTraffic to 0 and RemoteAddressToInspect to 10.109.17.103.

I used curl to send data to the host I inspected, the TCP connection establishment / data transition worked fine, but the final ACK of connection release was not sent. (And the remote host resent 5 FIN and 1 RST to release the connection)

(screenshot: shot)

My Investigation

I tried both FWPM_LAYER_OUTBOUND_IPPACKET_V4 filter and Wireshark to sniff the final ACK outbound packet, but captured nothing.

And I got netBufferList->Status of STATUS_NOT_FOUND 0xC0000225L in the completeFn of FwpsInjectTransportSendAsync. So I wondered if the endpointHandle was invalid at final ACK, which is documented in MSDN:

Callout drivers should use the provided handle to inject cloned packets back into the data path as soon as possible, before the socket associated with the stack endpoint is closed and the handle becomes no longer valid.

Thanks 😄

yin8086 commented 6 years ago

I met the same problem when trying to use proxy scenarios. In the proxy scenario, WFPSampler hooks FWPS_LAYER_OUTBOUND_TRANSPORT_V4 and FWPS_LAYER_INBOUND_IPPACKET_V4.

When dealing with TCP, the connection establishment SYN ->, SYNACK <-, ACK -> are proxied; when the connection is closing, the first FIN ->, ACK <-, FIN ACK <- are proxied, however the last ACK -> packet cannot be sent using FwpsInjectTransportSendAsync even though the status is 0.

TechnikEmpire commented 4 years ago

I saw somewhere in the documentation that "injecting arbitrary FINs into the transport layer" is not permitted. My guess is that Microsoft is enforcing this rule somehow in a sloppy way.

The transport layer is a mess when it comes to TCP. There are so many rules prohibiting so many things, I'm not quite sure what use the layer is beyond passive inspection and binary permit/deny.

OZ1 commented 3 years ago

I think it's a bug in the Windows TCP/IP stack

OZ1 commented 3 years ago

What is the current status of this issue? It reveals a serious flaw in WFP architecture. It makes F in WFP impossible.

shivraj-shekhawat commented 1 year ago

I also faced a similar problem when re-injecting a DNS request packet (UDP) captured in the datagram layer. To re-inject it I was using FwpsInjectTransportSendAsync() and the packet was not sent out; the same can be verified through Wireshark. In the completion handler of the packet I dumped NET_BUFFER_LIST_STATUS(pNetBufferList) and it showed 0xC0000225. Later on I figured out I was not filling the endpointHandle; once that is taken care of, the problem gets resolved.
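The two failure modes described in this thread, a completion status of STATUS_NOT_FOUND (0xC0000225) because the endpointHandle was never filled in, and the same status because the socket that owned the handle was already closed by the time the final ACK was re-injected, come down to the same bookkeeping rule: read the transport endpoint handle at classify time and pass it to the inject call while it is still valid. The following is an added example, not code from the Windows-driver-samples repository; it models that rule with user-mode stand-ins so it compiles outside a driver. Every `SIM_`/`sim_` name and the metadata bit value are constructed assumptions that mirror the shape of the real FwpsInjectTransportSendAsync / FWPS_INCOMING_METADATA_VALUES interfaces, not the real API.

```c
/* Added example (not from the Windows-driver-samples repo). Models the
 * endpointHandle bookkeeping a WFP callout needs when it clones a packet in
 * classifyFn and re-injects it later. Kernel types and calls are replaced by
 * user-mode stand-ins (names prefixed SIM_/sim_) so the logic can be compiled
 * and exercised here; they are assumptions about shape, not the real WFP API. */
#include <stdint.h>
#include <string.h>

typedef uint64_t UINT64;
typedef uint32_t UINT32;
typedef int32_t  NTSTATUS;

#define STATUS_SUCCESS   ((NTSTATUS)0x00000000L)
#define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L)   /* the status reported in the issue */

/* Constructed stand-in for the metadata block handed to classifyFn: a bitmask
 * saying which members are valid plus the endpoint handle itself. The real
 * FWPS_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE bit value is not reproduced. */
#define SIM_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE 0x1u
typedef struct {
    UINT32 currentMetadataValues;
    UINT64 transportEndpointHandle;
} SIM_METADATA_VALUES;

/* Per-packet state kept between classifyFn and the deferred injection
 * (assumed equivalent of the sample's pended-packet structure). */
typedef struct {
    UINT64 endpointHandle;   /* must be captured at classify time, never left 0 */
} SIM_PENDED_PACKET;

/* Stand-in for the stack's view of an endpoint: the handle is only valid
 * while the owning socket is open (the MSDN caveat quoted in the issue). */
typedef struct {
    UINT64 handle;
    int    socketOpen;
} SIM_ENDPOINT;

/* classify-time step: copy the endpoint handle out of the metadata.
 * Returns 1 if the field was present and captured, 0 otherwise. */
int sim_capture_endpoint_handle(const SIM_METADATA_VALUES *meta, SIM_PENDED_PACKET *pkt)
{
    memset(pkt, 0, sizeof *pkt);
    if (!(meta->currentMetadataValues & SIM_METADATA_FIELD_TRANSPORT_ENDPOINT_HANDLE))
        return 0;                       /* field not provided at this layer */
    pkt->endpointHandle = meta->transportEndpointHandle;
    return 1;
}

/* Stand-in for FwpsInjectTransportSendAsync. The real call is asynchronous and
 * reports the outcome through completionFn in the NBL status; here the same
 * condition is modelled synchronously: a zero or stale endpoint handle fails
 * with STATUS_NOT_FOUND, a live handle succeeds. */
NTSTATUS sim_inject_transport_send(const SIM_PENDED_PACKET *pkt, const SIM_ENDPOINT *ep)
{
    if (pkt->endpointHandle == 0)                       return STATUS_NOT_FOUND; /* never filled */
    if (pkt->endpointHandle != ep->handle)              return STATUS_NOT_FOUND; /* wrong socket */
    if (!ep->socketOpen)                                return STATUS_NOT_FOUND; /* closed before inject */
    return STATUS_SUCCESS;
}

/* Whole flow for one cloned packet: classify, then inject. socketOpenAtInject
 * models whether the connection was torn down in between (the last-ACK case). */
NTSTATUS sim_clone_and_reinject(const SIM_METADATA_VALUES *meta, int socketOpenAtInject)
{
    SIM_PENDED_PACKET pkt;
    SIM_ENDPOINT ep = { meta->transportEndpointHandle, socketOpenAtInject };
    (void)sim_capture_endpoint_handle(meta, &pkt);  /* a 0 return leaves handle 0 */
    return sim_inject_transport_send(&pkt, &ep);
}
```

Used this way, `sim_clone_and_reinject` returns STATUS_NOT_FOUND both when the metadata field was never read (the last comment's bug) and when the socket closed before the deferred injection ran (the original report), which is why a completion handler should log the endpoint handle alongside the NBL status when diagnosing a dropped re-injection.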