前言
之前的文档中,描写了如何对WFP防火墙进行操作[链接在此],这篇文档中,描述如何获取WFP防火墙进行阻断的操作记录。
需要注意的坑点
- 使用FWPM_NET_EVENT_TYPE获取防火墙日志时,需要注意,只有丢弃和内核丢弃,以及几个错误信息是所有操作系统都可用,其它类型无法应用到所有操作系统。所以我们一般不会使用FWPM_NET_EVENT_TYPE来获取防火墙的放行日志。如果有需要读取放行日志的话,可以查询安全日志5156的方式进行(下次专门写文档来描述常用的三种读取方式)。
- 使用主动读取的方式,在极个别系统上可能存在少量内存泄露(在保障所有内存都按照MSDN的要求释放的基础上,24小时有几十K的级别,没有仔细进行过日志条数的量化。有明白的也请指教)
- 订阅的方式仅支持win7/2008 R2以上操作系统,建议使用loadlibrary动态加载,避免模块在vista或2008(SP2)操作系统上整体运行失败。
读取阻断日志(方案一:主动读取)
阻断日志即防火墙返回FWP_ACTION_BLOCK动作的记录信息,读取流程大体上分为:创建枚举句柄、执行枚举、释放枚举句柄简单的三步。
创建枚举句柄
DWORD FwpmNetEventCreateEnumHandle0( HANDLE engineHandle, const FWPM_NET_EVENT_ENUM_TEMPLATE0 *enumTemplate, HANDLE *enumHandle );
- 输入参数:
- engineHandle:防火墙句柄,前一章提到过,使用FwpmEngineOpen0打开
- enumTemplate:枚举的限制条件,常用的是枚举起止时间,也可以设置网络条件以供筛选。
- enumHandle:输出函数,用于输出枚举句柄
- 输出参数:
- 成功返回0,错误时返回WFP Error Codes
执行枚举操作
DWORD FwpmNetEventEnum0( HANDLE engineHandle, HANDLE enumHandle, UINT32 numEntriesRequested, FWPM_NET_EVENT0 ***entries, UINT32 *numEntriesReturned );
- 输入参数:
- engineHandle:防火墙句柄,FwpmEngineOpen0打开
- enumHandle:枚举句柄,由上一步创建
- numEnteiesRequested:本次想要枚举的最大数量,如果想要一次性返回所有,可以传-1(0xffffffff)
- entries:用于输出事件数组,需要使用FwpmFreeMemory0释放
- numEntriesReturned:用于输出事件数目,用于枚举entries
- 输出参数:
- 成功返回0,错误时返回WFP Error Codes
释放枚举句柄
DWORD FwpmNetEventDestroyEnumHandle0( HANDLE engineHandle, HANDLE enumHandle );
- 输入参数:
- 没啥好说的,两个句柄,参照上面
- 输出参数:
- 同上
相关函数1:启用防火墙事件采集
默认防火墙事件采集就是处于开启状态,因此不调用这个函数在大多数系统上可以正常进行事件读取。但是也发现过某些系统需要调用后才可以进行事件读取,建议还是增加此函数的调用
DWORD FwpmEngineSetOption0( HANDLE engineHandle, FWPM_ENGINE_OPTION option, const FWP_VALUE0 *newValue );
- 输入参数
- engineHandle:防火墙句柄,由FwpmEngineOpen0打开
- 需要设置的参数,这个地方可以设置的类型还是蛮多的,可以参考
- 设置参数对应的值,当option为FWPM_ENGINE_COLLECT_NET_EVENTS时,newValue为1则代表启用。
- 输出参数
- 成功返回ERROR_SUCCESS, 失败返回 WFP Error Codes
参考代码
void enumDemoCode()
{FWPM_SESSION0 session = { 0 };ZeroMemory(&session, sizeof(session));session.displayData.name = demoSession;session.txnWaitTimeoutInMSec = INFINITE;session.flags = FWPM_SESSION_FLAG_DYNAMIC;HANDLE hEngine = NULL;DWORD dwResult = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, &session, &hEngine);if (dwResult != ERROR_SUCCESS || hEngine == NULL){std::cout << "FwpmEngineOpen0 Failed. ec:" << GetLastError() << std::endl;return;}FWP_VALUE0 inValue = {FWP_EMPTY};inValue.type = FWP_UINT32;inValue.uint32 = 1;FwpmEngineSetOption0(hEngine, FWPM_ENGINE_COLLECT_NET_EVENTS, &inValue);FWPM_NET_EVENT_ENUM_TEMPLATE0 enumTemplate = {0};SYSTEMTIME nowSystemTime;ZeroMemory(&nowSystemTime, sizeof(nowSystemTime));GetLocalTime(&nowSystemTime);FILETIME nowFileTime;ZeroMemory(&nowFileTime, sizeof(nowFileTime));if (SystemTimeToFileTime(&nowSystemTime, &nowFileTime)){enumTemplate.endTime.dwLowDateTime = nowFileTime.dwLowDateTime;enumTemplate.endTime.dwHighDateTime = nowFileTime.dwHighDateTime;}enumTemplate.startTime.dwHighDateTime = 0;enumTemplate.startTime.dwLowDateTime = 0;enumTemplate.numFilterConditions = 0;HANDLE hEnumHandle = NULL;dwResult = FwpmNetEventCreateEnumHandle0(hEngine, &enumTemplate, &hEnumHandle);if (dwResult != ERROR_SUCCESS || hEnumHandle == NULL){std::cout << "Create Enum Handle Failed, ec:" << GetLastError() << std::endl;FwpmEngineClose0(hEngine);hEngine = NULL;return;}FWPM_NET_EVENT0** netEvents = NULL;UINT32 uEventNumber = 0;dwResult = FwpmNetEventEnum0(hEngine, hEnumHandle, INFINITE, &netEvents, &uEventNumber);if (uEventNumber > 0){for (int eventPos = 0; eventPos < uEventNumber; eventPos++){FWPM_NET_EVENT0* sigEvent = netEvents[eventPos];if (sigEvent->type != FWPM_NET_EVENT_TYPE_CLASSIFY_DROP){continue;}if (sigEvent->header.ipVersion == FWP_IP_VERSION_V4){std::wstring wstrLocalIp = ip2str(sigEvent->header.localAddrV4);std::wstring wstrRemoteIp = ip2str(sigEvent->header.remoteAddrV4);std::wstring wstrProtocol;switch (sigEvent->header.ipProtocol){case 1:wstrProtocol = L"ICMP";break;case 6:wstrProtocol = L"TCP";break;case 17:wstrProtocol = L"UDP";break;default:wstrProtocol = L"Other:";wstrProtocol.append(std::to_wstring(sigEvent->header.ipProtocol));break;}std::wcout << wstrLocalIp << "[" << sigEvent->header.localPort << "] ==> " << wstrRemoteIp << "[" << sigEvent->header.remotePort << "] protocol:" << wstrProtocol << std::endl;}}}if (netEvents){FwpmFreeMemory0((void**)&netEvents);netEvents = NULL;}if (hEnumHandle){FwpmNetEventDestroyEnumHandle0(hEngine, hEnumHandle);hEnumHandle = NULL;}if (hEngine){FwpmEngineClose0(hEngine);hEngine = NULL;}return;
}
执行结果
读取阻断日志(方案二:事件订阅)
使用事件订阅的方式在防火墙中读取日志,只需要开启和取消事件订阅即可
启动事件订阅
DWORD FwpmNetEventSubscribe0( HANDLE engineHandle, const FWPM_NET_EVENT_SUBSCRIPTION0 *subscription,FWPM_NET_EVENT_CALLBACK0 callback, void *context, HANDLE *eventsHandle );
- 输入参数
- engineHandle:防火墙句柄,由FwpmEngineOpen0打开
- subscription:需要订阅的通知类型
- callback:订阅的回调
- context:自定义指针,原封不动传递导callback函数
- eventsHandle:订阅句柄,在FwpmNetEventUnsubscribe0中取消订阅
- 输出参数
- 成功返回ERROR_SUCCESS, 失败返回 WFP Error Codes
取消事件订阅
DWORD FwpmNetEventUnsubscribe0( HANDLE engineHandle, HANDLE eventsHandle );
- 输入参数
- engineHandle:防火墙句柄,由FwpmEngineOpen0打开
- eventsHandle:订阅句柄,由FwpmNetEventSubscribe0返回
- 输出参数
- 成功返回ERROR_SUCCESS, 失败返回 WFP Error Codes
回调函数定义
void CALLBACK FuncFwpmNetEventCallback0(PVOID FwContext, FWPM_NET_EVENT1* FwEvent)
- 输入参数
- FwContext:自定义指针,FwpmNetEventSubscribe0函数的context指针
- FwEvent:订阅的事件
- 输出参数
- 无
参考代码
void CALLBACK FuncFwpmNetEventCallback0(_Inout_ PVOID FwContext, _In_ const FWPM_NET_EVENT1* FwEvent)
{if (FwEvent == NULL){return;}if (FwEvent->header.ipVersion == FWP_IP_VERSION_V4){std::wstring wstrLocalIp = ip2str(FwEvent->header.localAddrV4);std::wstring wstrRemoteIp = ip2str(FwEvent->header.remoteAddrV4);std::wstring wstrProtocol;switch (FwEvent->header.ipProtocol){case 1:wstrProtocol = L"ICMP";break;case 6:wstrProtocol = L"TCP";break;case 17:wstrProtocol = L"UDP";break;default:wstrProtocol = L"Other:";wstrProtocol.append(std::to_wstring(FwEvent->header.ipProtocol));break;}std::wcout << wstrLocalIp << "[" << FwEvent->header.localPort << "] ==> " << wstrRemoteIp << "[" << FwEvent->header.remotePort << "] protocol:" << wstrProtocol << std::endl;}return;
}void subscribeEvents()
{FWPM_SESSION0 session = { 0 };ZeroMemory(&session, sizeof(session));session.displayData.name = demoSession;session.txnWaitTimeoutInMSec = INFINITE;session.flags = FWPM_SESSION_FLAG_DYNAMIC;HANDLE hEngine = NULL;DWORD dwResult = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, &session, &hEngine);if (dwResult != ERROR_SUCCESS || hEngine == NULL){std::cout << "FwpmEngineOpen0 Failed. ec:" << GetLastError() << std::endl;return;}FWP_VALUE0 inValue = { FWP_EMPTY };inValue.type = FWP_UINT32;inValue.uint32 = 1;FwpmEngineSetOption0(hEngine, FWPM_ENGINE_COLLECT_NET_EVENTS, &inValue);HANDLE hSubScribeHandle = NULL;FWPM_NET_EVENT_ENUM_TEMPLATE0 eventTemplate = { 0 };eventTemplate.numFilterConditions = 0;FWPM_NET_EVENT_SUBSCRIPTION0 subscription = { 0 };subscription.enumTemplate = &eventTemplate;subscription.sessionKey = session.sessionKey;FwpmNetEventSubscribe0(hEngine, &subscription, FuncFwpmNetEventCallback0, NULL, &hSubScribeHandle);std::cout << "Event Subscribe Started....." << std::endl;getchar();FwpmNetEventUnsubscribe0(hEngine, hSubScribeHandle);if (hEngine){FwpmEngineClose0(hEngine);hEngine = NULL;}
}
运行效果