How to get the process full path at FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer?

  • Question

  • I have registered a callout at the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer and I want to get the process full path, but when I use pMetaValues->processPath->data it is always NULL. How can I get the process full path at the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer? Thanks.
    Friday, December 10, 2010 9:29 AM

All replies

  • There is no universal solution to this problem. Try to move processing to other layers: ALE_XXX / STREAM / DATAGRAM_DATA
    Friday, December 10, 2010 10:18 AM
  • I'm also looking for a solution to a similar problem and wondering whether the following would work:

    1. Register a callout also at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer. At this layer the process path should be available.
    2. Allocate a flow context in ClassifyFn at the ALE_FLOW_ESTABLISHED layer. Copy the process path into the flow context structure and associate the context using FwpsFlowAssociateContext0().
    3. The flow context associated at step 2 should be available as a parameter to ClassifyFn at the FWPM_LAYER_OUTBOUND_TRANSPORT_V4 layer.

    The Ddproxy sample in the WDK has an example of using a flow context.

    -- Antti

    Thursday, December 16, 2010 4:43 PM
  • You should not be blindly looking at the metadata. Use the macro FWPS_IS_METADATA_FIELD_PRESENT:
    http://msdn.microsoft.com/en-us/library/ff559179(v=VS.85).aspx

    Additionally as stated, you can associate the process path as context http://msdn.microsoft.com/en-us/library/ff543787.aspx if you are dealing with flows, or you can use Win7's packet tagging to do something similar: http://msdn.microsoft.com/en-us/library/ff571010(VS.85).aspx.

    No matter which method you use, you will need to sit at a layer that exposes the process path in order to do the association / tagging.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Wednesday, January 5, 2011 7:12 PM
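Putting the two replies above together in code (an added example; it is not code from this thread, from the WDK samples or from Microsoft): the ALE_FLOW_ESTABLISHED classifyFn checks FWPS_IS_METADATA_FIELD_PRESENT before touching processPath, copies the path into a pool-allocated context, and calls FwpsFlowAssociateContext0 with the run-time layer id FWPS_LAYER_OUTBOUND_TRANSPORT_V4 and the transport callout's id, because the engine delivers the context to the classifyFn of the callout named in that call, not to the layer where it was captured. The transport classifyFn then reads the path from its flowContext argument, and the transport callout's flowDeleteFn frees it. Assumed and not on the page: the global g_transportCalloutId (the id returned by FwpsCalloutRegister0 for the transport callout), the function, type and pool-tag names, that the kernel build defines _KERNEL_MODE and pulls in fwpsk.h the way the WDK samples do, and the host-side test doubles in the #else branch, which exist only so the logic can be compiled and exercised outside a driver and are not the real WDK definitions.

```c
/* Added example, not code from the thread or the WDK: carry the process path from
 * FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 to FWPM_LAYER_OUTBOUND_TRANSPORT_V4 in a flow context. */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <fwpsk.h>
#define TAG 'htaP'
#else  /* Host-side test doubles, constructed for this example; they are NOT the WDK definitions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint8_t UINT8; typedef uint16_t UINT16; typedef uint32_t UINT32; typedef uint64_t UINT64;
typedef uintptr_t ULONG_PTR; typedef int32_t NTSTATUS; typedef uint16_t WCHAR; typedef void VOID;
#define NTAPI
#define NT_SUCCESS(s) ((s) >= 0)
#define ExAllocatePoolWithTag(type, size, tag) malloc(size)   /* pool type and tag args are ignored */
#define ExFreePoolWithTag(p, tag) free(p)
#define RtlCopyMemory(d, s, n) memcpy((d), (s), (n))
#define UNREFERENCED_PARAMETER(p) (void)(p)
#define FWPS_METADATA_FIELD_FLOW_HANDLE  0x2u   /* placeholder bit values, only for the double */
#define FWPS_METADATA_FIELD_PROCESS_PATH 0x8u
#define FWPS_IS_METADATA_FIELD_PRESENT(m, f) (((m)->currentMetadataValues & (f)) == (f))
#define FWPS_LAYER_OUTBOUND_TRANSPORT_V4 0      /* placeholder run-time layer id */
#define FWP_ACTION_PERMIT 1
#define FWPS_RIGHT_ACTION_WRITE 1u
typedef struct { UINT32 size; UINT8* data; } FWP_BYTE_BLOB;
typedef struct { UINT32 currentMetadataValues; UINT64 flowHandle; FWP_BYTE_BLOB* processPath; }
    FWPS_INCOMING_METADATA_VALUES0;             /* only the fields this example reads */
typedef struct { UINT32 actionType; UINT32 rights; } FWPS_CLASSIFY_OUT0;
typedef struct { int unused; } FWPS_INCOMING_VALUES0, FWPS_FILTER0;
static UINT64 g_hostFlowContext;                /* what the double later "delivers" as flowContext */
static NTSTATUS FwpsFlowAssociateContext0(UINT64 flowId, UINT16 layerId, UINT32 calloutId, UINT64 ctx)
{ (void)flowId; (void)layerId; (void)calloutId; g_hostFlowContext = ctx; return 0; }
#endif
/* The context hung off the flow: a NUL-terminated UTF-16 copy of the process path. */
typedef struct _FLOW_CONTEXT { WCHAR path[1]; } FLOW_CONTEXT;
static UINT32 g_transportCalloutId;   /* assumed: saved from FwpsCalloutRegister0 of the transport callout */

/* Copy the process path out of the ALE metadata; NULL when absent (or allocation fails). */
static FLOW_CONTEXT* CaptureProcessPath(const FWPS_INCOMING_METADATA_VALUES0* meta)
{
    FLOW_CONTEXT* ctx; UINT32 size;
    if (!FWPS_IS_METADATA_FIELD_PRESENT(meta, FWPS_METADATA_FIELD_PROCESS_PATH) ||
        meta->processPath == NULL || meta->processPath->size == 0)
        return NULL;
    size = meta->processPath->size;
    ctx = ExAllocatePoolWithTag(NonPagedPool, sizeof(FLOW_CONTEXT) + size + sizeof(WCHAR), TAG);
    if (ctx == NULL) return NULL;
    RtlCopyMemory(ctx->path, meta->processPath->data, size);
    ctx->path[size / sizeof(WCHAR)] = 0;   /* terminate even if the blob did not */
    return ctx;
}
/* classifyFn at FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4, where the path metadata is populated. */
VOID NTAPI AleFlowEstablishedClassify(const FWPS_INCOMING_VALUES0* inFixedValues,
    const FWPS_INCOMING_METADATA_VALUES0* inMetaValues, VOID* layerData,
    const FWPS_FILTER0* filter, UINT64 flowContext, FWPS_CLASSIFY_OUT0* classifyOut)
{
    FLOW_CONTEXT* ctx;
    UNREFERENCED_PARAMETER(inFixedValues); UNREFERENCED_PARAMETER(layerData);
    UNREFERENCED_PARAMETER(filter); UNREFERENCED_PARAMETER(flowContext);
    if (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE) classifyOut->actionType = FWP_ACTION_PERMIT;
    if (!FWPS_IS_METADATA_FIELD_PRESENT(inMetaValues, FWPS_METADATA_FIELD_FLOW_HANDLE)) return;
    ctx = CaptureProcessPath(inMetaValues);
    if (ctx == NULL) return;
    /* Associate with the transport layer and callout: that is where the engine delivers it. */
    if (!NT_SUCCESS(FwpsFlowAssociateContext0(inMetaValues->flowHandle,
            FWPS_LAYER_OUTBOUND_TRANSPORT_V4, g_transportCalloutId, (UINT64)(ULONG_PTR)ctx)))
        ExFreePoolWithTag(ctx, TAG);
}
/* At FWPM_LAYER_OUTBOUND_TRANSPORT_V4 the path arrives through classifyFn's flowContext argument. */
const WCHAR* ProcessPathFromFlowContext(UINT64 flowContext)
{
    FLOW_CONTEXT* ctx = (FLOW_CONTEXT*)(ULONG_PTR)flowContext;
    return ctx != NULL ? ctx->path : NULL;   /* NULL: flow predates the ALE callout, or had no path */
}
/* flowDeleteFn of the transport callout: the engine hands the context back when the flow ends. */
VOID NTAPI FlowDeleteNotify(UINT16 layerId, UINT32 calloutId, UINT64 flowContext)
{
    UNREFERENCED_PARAMETER(layerId); UNREFERENCED_PARAMETER(calloutId);
    if (flowContext != 0) ExFreePoolWithTag((VOID*)(ULONG_PTR)flowContext, TAG);
}

#ifndef _KERNEL_MODE
/* Host-only round trip on constructed metadata: path "C:\a.exe" (blob deliberately unterminated). */
int HostSelfTest(void)
{
    static WCHAR kPath[] = { 'C', ':', '\\', 'a', '.', 'e', 'x', 'e' };
    FWP_BYTE_BLOB blob = { sizeof(kPath), (UINT8*)kPath };
    FWPS_INCOMING_METADATA_VALUES0 meta = { FWPS_METADATA_FIELD_FLOW_HANDLE | FWPS_METADATA_FIELD_PROCESS_PATH, 7, &blob };
    FWPS_CLASSIFY_OUT0 out = { 0, FWPS_RIGHT_ACTION_WRITE };
    const WCHAR* p;
    AleFlowEstablishedClassify(NULL, &meta, NULL, NULL, 0, &out);
    p = ProcessPathFromFlowContext(g_hostFlowContext);
    if (p == NULL || p[0] != 'C' || p[7] != 'e' || p[8] != 0) return 0;
    FlowDeleteNotify(FWPS_LAYER_OUTBOUND_TRANSPORT_V4, g_transportCalloutId, g_hostFlowContext);
    g_hostFlowContext = 0;
    meta.currentMetadataValues = FWPS_METADATA_FIELD_FLOW_HANDLE;   /* path absent, as at the transport layer */
    AleFlowEstablishedClassify(NULL, &meta, NULL, NULL, 0, &out);
    return g_hostFlowContext == 0 && out.actionType == FWP_ACTION_PERMIT;
}
#endif
```

Two things the transport-layer classifyFn has to tolerate, and the example does: flowContext is 0 for flows that were established before the ALE callout was added (ProcessPathFromFlowContext returns NULL instead of dereferencing it), and the copy reflects the process as the engine reported it at flow-establishment time, which is the only point on this path where the metadata carries it. Note also that FwpsFlowAssociateContext0 takes the run-time FWPS_LAYER_ ids, not the FWPM_LAYER_ GUIDs used when adding the callout to the filter engine.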