how to test a wfp driver

Question

hi, guys:

I wanna test a wfp driver. That means when I run my testing program, I can exactly know some internal information of the driver, like, having created callback objects and having released callback objects, the changes of some internal data structures (if I define a process list to have a record for all processes monitored and define a flow list to have a record for all flows monitored), and having loaded or unloaded callouts.

But it seems that all wfp api functions (either fwps*** or fwpm***) should be called by a driver (in kernel mode). How can I call wfp api functions from an application (in user mode)?

Do I need to write another wfp driver which exports some functions used by applications?

Thank you very much.

Best

Tuesday, August 19, 2008 5:27 PM

Answers


FwpmXxx functions are WFP's "management" API set (to manage filters, callouts, etc.) and most of them are callable from user mode and kernel mode.

FwpsXxx functions are WFP's "system" API set and most of them are kernel mode only. They are for functions such as kernel-mode callout registration, flow management, packet injection, etc.

Generally speaking, you can write user-mode-only applications to implement simple permit/block policies and filter/callout enumerations. However, you will need to develop a kernel-mode driver for deep packet inspection (e.g. content inspection) or flow management functions.

Hope this helps,

Thanks,

Biao.w.

Thursday, August 28, 2008 1:17 AM
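A user-mode check of the kind the asker wants, as an added example that is not from this thread: it snapshots the engine state with `netsh wfp show state` (which sits on the FwpmXxx management API the answer describes) and reports the callouts whose display name matches the driver under test, so a test script can assert they are present after loading and gone after unloading. The XML layout it walks (an `item` with `calloutKey`, `displayData/name` and `applicableLayer` children) and the callout name pattern `MyTestCallout*` are assumptions to check against your own export.

```powershell
# Added example (not from the thread): snapshot WFP state from user mode with
# netsh and report the callouts matching a driver's display name. Assumes
# wfpstate.xml lists callouts as <item> nodes with calloutKey, displayData/name
# and applicableLayer children (verify against your own export). Run elevated.
function Get-WfpCalloutSnapshot {
    param(
        [Parameter(Mandatory)] [string] $NamePattern,   # e.g. 'MyTestCallout*' (hypothetical name)
        [string] $StateFile = (Join-Path $env:TEMP 'wfpstate.xml')
    )
    # netsh wfp show state writes the engine state (providers, sublayers,
    # callouts, filters) to an XML file; this needs an elevated console.
    $null = netsh.exe wfp show state file="$StateFile"
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $StateFile)) {
        throw "netsh wfp show state failed (exit $LASTEXITCODE); run as administrator"
    }
    [xml] $state = Get-Content -Path $StateFile -Raw
    # Every callout entry is an <item> carrying a <calloutKey>; the XPath does
    # not care where in the tree the entry sits.
    $state.SelectNodes('//item[calloutKey]') |
        Where-Object { $_.displayData.name -like $NamePattern } |
        ForEach-Object {
            [pscustomobject]@{
                Name  = $_.displayData.name
                Key   = $_.calloutKey
                Layer = $_.applicableLayer
            }
        }
}

function Assert-WfpCalloutsRegistered {
    param(
        [Parameter(Mandatory)] [string] $NamePattern,
        [Parameter(Mandatory)] [int]    $ExpectedCount
    )
    $found = @(Get-WfpCalloutSnapshot -NamePattern $NamePattern)
    if ($found.Count -ne $ExpectedCount) {
        $found | Format-Table -AutoSize | Out-String | Write-Warning
        throw "expected $ExpectedCount callout(s) matching '$NamePattern', found $($found.Count)"
    }
    $found
}

# Hypothetical usage in a test script: after loading the driver under test, expect
# its callouts on the layers it registers for; after unloading, expect none.
# Assert-WfpCalloutsRegistered -NamePattern 'MyTestCallout*' -ExpectedCount 2
# Assert-WfpCalloutsRegistered -NamePattern 'MyTestCallout*' -ExpectedCount 0
```

Internal driver state such as the process and flow lists in the question is not visible through this management view; that still needs an interface exported by the driver itself, as the answer notes for flow management.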