Filseclab Personal Firewall
Kernel Technology Introduction

It adopts two packet-filtering technologies:

Winsock 2 SPI technical characteristics

Winsock 2 SPI sits below the Winsock API and above the drivers; it belongs to the application layer. With this technology, the network packets of Socket-based communication can be captured and intercepted. Most application programs, such as Internet Explorer and Outlook, use Sockets to communicate. Its technical characteristics are:

The Windows Open System Architecture (WOSA)-compliant Windows Sockets 2 architecture is illustrated as follows:

XFILTER.DLL is a transport service provider.

The protocol chain architecture is illustrated as follows:

XFILTER.DLL is a base protocol.

NDIS-HOOK technical characteristics:

NDIS is the Network Driver Interface Specification. Windows uses the NDIS library to implement its network interface, so all network communication ultimately passes through the NDIS interface.

The OSI reference model is shown in the following figure:

NDIS works at the transport, network and data-link layers; it is a very low-level interface.

The structure of NDIS is shown in the following figure:

NDIS supports the following types of network driver programming interface:

  1. TDI filter drivers
  2. Protocol drivers
  3. Intermediate drivers (IM drivers)
  4. Miniport drivers

TDI filter drivers and protocol drivers are usually used to capture and filter network packets; they are the technologies commonly used by firewall and VPN software. But they all have some defects:

TDI filter drivers are upper-layer drivers that work above Tcpip.sys. This means that packets Tcpip.sys responds to directly cannot be captured by a TDI filter driver, so it cannot filter some incoming packets either. ICMP is an example: when Tcpip.sys receives an ICMP request packet, it builds the response packet itself and replies directly, and the TDI filter driver above it is entirely unaware of this.

Intermediate drivers are more capable, but their programming interface is somewhat intricate and automatic installation is very complicated.

NDIS-HOOK has none of the defects above. The working principle of NDIS-HOOK is to replace the function addresses of the NDIS library directly with our own functions, so that every request to NDIS passes through our function first. It is as simple as that: our function processes the request and then forwards it to the original NDIS function to be completed.
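The two points above, that a TDI filter above Tcpip.sys never sees the ICMP reply the stack generates itself while a hook planted in the NDIS function table sees every send and forwards it to the original function, as an added user-mode simulation in C. This is example code written for this page, not Filseclab's XFILTER or driver code; the packet structure, the one-entry function table, the counters and the "block TCP port 23" policy are constructed stand-ins.

```c
/* Constructed packet model: protocol number and destination port only. */
typedef struct { int proto; int dst_port; } packet_t;
enum { PROTO_ICMP = 1, PROTO_TCP = 6 };
typedef int (*send_fn)(const packet_t *p);

/* Stand-in for the NDIS library's function table; the hook overwrites ndis.send. */
static struct { send_fn send; } ndis;
static int wire_sent;                      /* frames that reached the "wire" */
static int ndis_send(const packet_t *p) { (void)p; return ++wire_sent; }

/* Hook state: the saved original entry point plus seen/blocked counters. */
static send_fn orig_send;
static int hook_seen, hook_blocked;

/* The hook: inspect first, then forward to the original NDIS function.
 * Demo policy: block outbound TCP to port 23 (telnet), pass everything else. */
static int hooked_send(const packet_t *p) {
    hook_seen++;
    if (p->proto == PROTO_TCP && p->dst_port == 23) { hook_blocked++; return 0; }
    return orig_send(p);
}
void ndis_hook_install(void) { orig_send = ndis.send; ndis.send = hooked_send; }
void ndis_hook_remove(void)  { ndis.send = orig_send; }

/* Simplified Tcpip.sys: application data is handed down to NDIS, but an inbound
 * ICMP echo request is answered by the stack itself, bypassing the TDI layer. */
static void tcpip_send(const packet_t *p) { ndis.send(p); }
static void tcpip_receive(const packet_t *p) {
    if (p->proto == PROTO_ICMP) { packet_t reply = { PROTO_ICMP, 0 }; ndis.send(&reply); }
}

/* A TDI filter sits above Tcpip.sys and only sees what applications submit. */
static int tdi_seen;
static void tdi_filter_send(const packet_t *p) { tdi_seen++; tcpip_send(p); }

/* Scenario: two application sends (one matching the block rule) and one inbound
 * ping. The returned counters make the difference in visibility explicit. */
typedef struct { int tdi_seen, hook_seen, hook_blocked, wire_sent; } demo_stats;
demo_stats run_demo(void) {
    packet_t http = { PROTO_TCP, 80 }, telnet = { PROTO_TCP, 23 }, ping = { PROTO_ICMP, 0 };
    ndis.send = ndis_send; wire_sent = hook_seen = hook_blocked = tdi_seen = 0;
    ndis_hook_install();
    tdi_filter_send(&http);    /* TDI filter and hook both see it; reaches the wire */
    tdi_filter_send(&telnet);  /* both see it; the hook drops it */
    tcpip_receive(&ping);      /* stack-generated reply: only the hook sees it */
    ndis_hook_remove();
    return (demo_stats){ tdi_seen, hook_seen, hook_blocked, wire_sent };
}
```

The counters come back as tdi_seen=2, hook_seen=3, hook_blocked=1 and wire_sent=2: the TDI layer never saw the ICMP reply, the hook saw all three packets and let two reach the wire.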

NDIS-HOOK technology has the following characteristics:

  1. Programming is convenient: the interface is simple, the line of thought is clear and performance is stable.
  2. More flexible: only the functions one actually needs are hooked, so no redundant code is required.
  3. Powerful: all NDIS and TDI functions can be hooked and their work completed by our code. This is certainly much more powerful than the standard approach, and the same technique can be extended to hook any system function.
  4. High security: network packets are intercepted and captured at such a low layer that the filter is difficult to bypass.
  5. Installation is very simple.

Figure showing the state before NDIS-HOOK is installed:

Figure showing the state after NDIS-HOOK is installed:

Copyright © 2001-2004 FILSECLAB