I modified the WFP "test" example (bundled with the WinDDK) to be able to analyze the payload of all incoming TCP packets (from a specified IP address) for specific strings. (I already changed the "check" so that only TCP packets are caught by the filter.)
So far, my modifications have gone into the "TLInspectTransportClassify" classifyFn, as shown below. My goal is to have access to the payload of each captured TCP packet.
    /* Treat layerData as a stream-layer IO packet (this is what the code below assumes). */
    FWPS_STREAM_CALLOUT_IO_PACKET* ioPacket = (FWPS_STREAM_CALLOUT_IO_PACKET*)layerData;
    FWPS_STREAM_DATA* streamData;
    SIZE_T streamLength;
    BYTE* stream = NULL;
    SIZE_T bytesCopied = 0;
    [...]
    if (ioPacket == NULL) {
        DbgPrint("ioPacket == NULL\n");
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    streamData = ioPacket->streamData;
    if (!streamData) {
        /* No stream data attached: let the packet through untouched. */
        DbgPrint("streamData == NULL: no data\n");
        classifyOut->actionType = FWP_ACTION_PERMIT;
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
        goto Exit;
    }
    DbgPrint("tcp packet has some data\n");
    streamLength = streamData->dataLength;
    /* Flat copy of the (possibly multi-MDL) stream data so it can be searched. */
    stream = ExAllocatePoolWithTag(NonPagedPool,
                                   streamLength,
                                   'yftN');
    if (!stream)
        return STATUS_INSUFFICIENT_RESOURCES;
    RtlZeroMemory(stream, streamLength);
    FwpsCopyStreamDataToBuffer0(
        streamData,
        stream,
        streamLength,
        &bytesCopied);
    DbgPrint("reached parsing code: %Iu of %Iu bytes copied\n", bytesCopied, streamLength);
    [...]
    /* The buffer must be released once parsing is done, or every classify call leaks it. */
    ExFreePoolWithTag(stream, 'yftN');
[...]
From my understanding, after declaring ioPacket as above, ioPacket->streamData should contain the packet payload. However, ioPacket->streamData is ALWAYS NULL for me. How do I get the payload of a packet? I'm doing something wrong.
Thanks in advance.
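For context on the post above: FWPS_STREAM_CALLOUT_IO_PACKET0 is the layerData type only for callouts registered at the stream layers (FWPM_LAYER_STREAM_V4/V6); at the transport layers that TLInspect's TLInspectTransportClassify is registered on, layerData is a NET_BUFFER_LIST, so a stream callout cast there will not yield meaningful streamData. Once the callout does sit at the stream layer and FwpsCopyStreamDataToBuffer0 has produced a flat buffer, the remaining problem is the search itself: a TCP stream is indicated to the callout in segments, and a string that straddles two indications is missed by a per-buffer memcmp. The following is an added example, not code from the original post or from the WinDDK sample: a portable, user-mode C scanner that keeps the tail of the previous segment so a pattern split across indications is still found. The stream_scanner_* names are this example's own, the sample HTTP segments are constructed for the demo, and in a real callout the scanner state would live in the flow context and be fed from the copied stream buffer.

```c
/* Added example: segment-aware string scanner for TCP stream payload.
 * All names (stream_scanner_t, stream_scanner_init, stream_scanner_feed)
 * are this example's own, not WFP or NDIS API names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_MAX_PATTERN 64

typedef struct {
    uint8_t pattern[SCAN_MAX_PATTERN];
    size_t  patternLen;
    /* Last (patternLen - 1) bytes of everything fed so far, so that a match
     * that begins in one indication and ends in the next is still seen. */
    uint8_t carry[SCAN_MAX_PATTERN];
    size_t  carryLen;
    size_t  matches;   /* total matches across all segments */
    size_t  consumed;  /* total payload bytes fed */
} stream_scanner_t;

/* Returns 1 on success, 0 if the pattern is empty or too long. */
int stream_scanner_init(stream_scanner_t *s, const void *pattern, size_t patternLen)
{
    if (patternLen == 0 || patternLen > SCAN_MAX_PATTERN) return 0;
    memset(s, 0, sizeof(*s));
    memcpy(s->pattern, pattern, patternLen);
    s->patternLen = patternLen;
    return 1;
}

/* Does the pattern match carry[start..carryLen) followed by the head of buf? */
static int match_at_boundary(const stream_scanner_t *s, size_t start,
                             const uint8_t *buf, size_t len)
{
    size_t inCarry = s->carryLen - start;         /* always < patternLen */
    size_t inBuf = s->patternLen - inCarry;
    if (inBuf > len) return 0;
    return memcmp(s->carry + start, s->pattern, inCarry) == 0 &&
           memcmp(buf, s->pattern + inCarry, inBuf) == 0;
}

/* Feed one stream indication; returns the number of matches found in it,
 * including matches that started in the previous indication. */
size_t stream_scanner_feed(stream_scanner_t *s, const void *data, size_t len)
{
    const uint8_t *buf = data;
    size_t found = 0;

    /* 1. Matches that begin in the carried-over tail of the previous segment. */
    for (size_t start = 0; start < s->carryLen; start++)
        if (match_at_boundary(s, start, buf, len)) found++;

    /* 2. Matches lying entirely inside this segment (naive search). */
    if (len >= s->patternLen)
        for (size_t i = 0; i + s->patternLen <= len; i++)
            if (memcmp(buf + i, s->pattern, s->patternLen) == 0) found++;

    /* 3. Carry forward the last patternLen-1 bytes of (carry || buf). */
    size_t keep = s->patternLen - 1;
    if (len >= keep) {
        memcpy(s->carry, buf + len - keep, keep);
        s->carryLen = keep;
    } else {
        size_t total = s->carryLen + len;
        size_t drop = total > keep ? total - keep : 0;   /* drop <= carryLen */
        memmove(s->carry, s->carry + drop, s->carryLen - drop);
        s->carryLen -= drop;
        memcpy(s->carry + s->carryLen, buf, len);
        s->carryLen += len;
    }
    s->matches += found;
    s->consumed += len;
    return found;
}

/* Constructed sample: an HTTP request delivered as three stream indications,
 * with the header name "X-Secret:" split across the second and third. */
size_t demo_scan(void)
{
    static const char seg1[] = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n";
    static const char seg2[] = "User-Agent: demo\r\nX-Sec";
    static const char seg3[] = "ret: hunter2\r\n\r\n";
    stream_scanner_t s;
    stream_scanner_init(&s, "X-Secret:", 9);
    stream_scanner_feed(&s, seg1, sizeof seg1 - 1);
    stream_scanner_feed(&s, seg2, sizeof seg2 - 1);
    stream_scanner_feed(&s, seg3, sizeof seg3 - 1);
    return s.matches;   /* 1: found despite the split */
}

int main(void)
{
    printf("matches across segments: %zu\n", demo_scan());
    return 0;
}
```

In a callout this replaces the per-buffer search: after FwpsCopyStreamDataToBuffer0 fills the flat buffer, call stream_scanner_feed on it with bytesCopied as the length and keep the stream_scanner_t in the flow context, since carry has to survive from one classify call to the next. The naive inner search is O(len * patternLen); for many patterns or high throughput an Aho-Corasick automaton would take its place, but the carry-over logic is the same.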