Open BOT-Man-JL opened 6 years ago
I met the same problem when trying to use proxy scenarios. In the proxy scenario, WFPSampler hooks FWPS_LAYER_OUTBOUND_TRANSPORT_V4 and FWPS_LAYER_INBOUND_IPPACKET_V4.
When dealing with TCP, the connection establishment (SYN ->, SYN/ACK <-, ACK ->) is proxied, and when the connection is closing, the first FIN ->, ACK <-, FIN/ACK <- are proxied; however, the last ACK -> packet cannot be sent using FwpsInjectTransportSendAsync, even though the status is 0.
I saw somewhere in the documentation that "injecting arbitrary FINs into the transport layer" is not permitted. My guess is that Microsoft is enforcing this rule somehow in a sloppy way.
The transport layer is a mess when it comes to TCP. There are so many rules prohibiting so many things, I'm not quite sure what use the layer is beyond passive inspection and binary permit/deny.
I think it's a bug in the Windows TCP/IP stack
What is the current status of this issue? It reveals a serious flaw in WFP architecture. It makes F in WFP impossible.
I also faced a similar problem when reinjecting a DNS request packet (UDP) captured at the datagram layer. To reinject it I was using FwpsInjectTransportSendAsync(), and the packet was not sent out; the same can be verified through Wireshark. In the completion handler of the packet I dumped NET_BUFFER_LIST_STATUS(pNetBufferList) and it showed 0xC0000225. Later on I figured out I was not filling the endpointHandle; once that is taken care of, the problem gets resolved.
Hi all,

Description

While running the latest inspection sample of WFP, I set `BlockTraffic` to `0` and `RemoteAddressToInspect` to `10.109.17.103`. I used `curl` to send data to the host I inspected; the TCP connection establishment / data transmission worked fine, but the final `ACK` of the connection release was not sent. (And the remote host resent 5 `FIN`s and 1 `RST` to release the connection.)

My Investigation

I tried both an `FWPM_LAYER_OUTBOUND_IPPACKET_V4` filter and Wireshark to sniff the final `ACK` outbound packet, but captured nothing. And I got a `netBufferList->Status` of `STATUS_NOT_FOUND 0xC0000225L` in the `completeFn` of `FwpsInjectTransportSendAsync`. So I wondered if the `endpointHandle` was invalid at the final `ACK`, which is documented in MSDN:

Thanks 😄