Windows Filtering Platform .NET wrapper?

3

7

Is there a .NET wrapper for the Windows Filtering Platform? I'm looking to use WFP to observe application-level network traffic in my C# app.

Thanks!

Poulin answered 22/12, 2010 at 20:9 Comment(0)
1

No, I don't believe there is, although lots of people seem to want one. I think you have to fall back to hitting the Win32 API.

Lesleelesley answered 23/12, 2010 at 18:16 Comment(0)
1

I'm writing my own .NET wrapper for WFP using P/Invoke Interop Assistant. Here's the thread I used to get it working.

http://social.msdn.microsoft.com/Forums/en-US/wfp/thread/a65bf197-937b-401e-b15f-0e1c3decdb14/

Dropping answered 27/6, 2011 at 14:42 Comment(2)
Did you ever finish your wrapper? Are you willing to share? - Calzada
Do you have any plans to show it to the public (with source code)? - Viol
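
Added example, not code from any poster on this page or from the Vanara project: the raw Win32 route mentioned in the answers above, calling the WFP user-mode API in fwpuclnt.dll through P/Invoke to list the callouts registered with the filter engine. The struct layouts follow the Windows SDK definitions; the class name `WfpCalloutAudit` and the 1024-entry request size are choices made for this example.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

static class WfpCalloutAudit // hypothetical name, chosen for this example
{
    const uint RPC_C_AUTHN_WINNT = 10;

    [StructLayout(LayoutKind.Sequential)] struct FWPM_DISPLAY_DATA0 { public IntPtr name; public IntPtr description; }
    [StructLayout(LayoutKind.Sequential)] struct FWP_BYTE_BLOB { public uint size; public IntPtr data; }
    [StructLayout(LayoutKind.Sequential)]
    struct FWPM_CALLOUT0
    {
        public Guid calloutKey;
        public FWPM_DISPLAY_DATA0 displayData;
        public uint flags;
        public IntPtr providerKey;          // GUID*, null when the callout has no provider
        public FWP_BYTE_BLOB providerData;
        public Guid applicableLayer;
        public uint calloutId;
    }

    [DllImport("fwpuclnt.dll")] static extern uint FwpmEngineOpen0([MarshalAs(UnmanagedType.LPWStr)] string serverName, uint authnService, IntPtr authIdentity, IntPtr session, out IntPtr engine);
    [DllImport("fwpuclnt.dll")] static extern uint FwpmEngineClose0(IntPtr engine);
    [DllImport("fwpuclnt.dll")] static extern uint FwpmCalloutCreateEnumHandle0(IntPtr engine, IntPtr enumTemplate, out IntPtr enumHandle);
    [DllImport("fwpuclnt.dll")] static extern uint FwpmCalloutEnum0(IntPtr engine, IntPtr enumHandle, uint requested, out IntPtr entries, out uint returned);
    [DllImport("fwpuclnt.dll")] static extern uint FwpmCalloutDestroyEnumHandle0(IntPtr engine, IntPtr enumHandle);
    [DllImport("fwpuclnt.dll")] static extern void FwpmFreeMemory0(ref IntPtr p);

    // WFP functions return ERROR_SUCCESS (0) or an error code; access-denied results surface here.
    static void Check(uint rc, string api) { if (rc != 0) throw new Win32Exception((int)rc, api + " failed"); }

    static void Main()
    {
        Check(FwpmEngineOpen0(null, RPC_C_AUTHN_WINNT, IntPtr.Zero, IntPtr.Zero, out IntPtr engine), "FwpmEngineOpen0");
        try
        {
            Check(FwpmCalloutCreateEnumHandle0(engine, IntPtr.Zero, out IntPtr hEnum), "FwpmCalloutCreateEnumHandle0");
            Check(FwpmCalloutEnum0(engine, hEnum, 1024, out IntPtr entries, out uint count), "FwpmCalloutEnum0");
            for (int i = 0; i < count; i++)
            {   // entries is an array of pointers to FWPM_CALLOUT0, owned by WFP
                var c = Marshal.PtrToStructure<FWPM_CALLOUT0>(Marshal.ReadIntPtr(entries, i * IntPtr.Size));
                Console.WriteLine($"{c.calloutId,6} {c.calloutKey} layer={c.applicableLayer} {Marshal.PtrToStringUni(c.displayData.name)}");
            }
            FwpmFreeMemory0(ref entries);
            FwpmCalloutDestroyEnumHandle0(engine, hEnum);
        }
        finally { FwpmEngineClose0(engine); }
    }
}
```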
1

You can do this with the NuGet package Vanara.PInvoke.

Have a look at his GitHub

Implementations can be "inspired" by the unit tests

[Test]
public void FwpmCalloutEnum0Test()
{
    FWPM_CALLOUT_ENUM_TEMPLATE0 template = new() { layerKey = FWPM_LAYER_DATAGRAM_DATA_V4 };
    using SafeCoTaskMemStruct<FWPM_CALLOUT_ENUM_TEMPLATE0> pTemplate = template;
    FWPM_CALLOUT_SUBSCRIPTION0 subscr = new()
    {
        flags = FWPM_SUBSCRIPTION_FLAG.FWPM_SUBSCRIPTION_FLAG_NOTIFY_ON_ADD,
        //sessionKey = Guid.NewGuid(),
        enumTemplate = pTemplate
    };
    var changed = 0;
    using var pchng = new PinnedObject(changed);

    static void callback(IntPtr context, in FWPM_CALLOUT_CHANGE0 change) { unsafe { *(int*)context = 1; } }
    Assert.That(FwpmCalloutSubscribeChanges0(fwpEngineHandle, subscr, callback, pchng, out HFWPCALLOUTCHANGE hChange), ResultIs.Successful);

    Assert.That(FwpmCalloutSubscriptionsGet0(fwpEngineHandle, out SafeFwpmArray<FWPM_CALLOUT_SUBSCRIPTION0> subs), ResultIs.Successful);
    Assert.That(subs.Count, Is.EqualTo(1));

    FWPM_DISPLAY_DATA0 dd = new() { name = "Datagram-Data Proxy Callout", description = "Datagram-Data Proxy Callout" };
    FWPM_CALLOUT0 callout = new() { calloutKey = Guid.NewGuid(), displayData = dd, applicableLayer = FWPM_LAYER_DATAGRAM_DATA_V4 };
    Assert.That(FwpmCalloutAdd0(fwpEngineHandle, callout, default, out var id), ResultIs.Successful);

    //System.Threading.Thread.SpinWait(200);
    //Assert.That(changed, Is.Not.Zero);
    Assert.That(FwpmCalloutUnsubscribeChanges0(fwpEngineHandle, hChange), ResultIs.Successful);

    Assert.That(FwpmCalloutGetById0(fwpEngineHandle, id, out SafeFwpmStruct<FWPM_CALLOUT0> byId), ResultIs.Successful);
    Assert.True(byId.Value.HasValue && byId.Value.Value.calloutId == id);
    Assert.That(FwpmCalloutGetByKey0(fwpEngineHandle, callout.calloutKey, out SafeFwpmStruct<FWPM_CALLOUT0> byKey), ResultIs.Successful);
    Assert.True(byKey.Value.HasValue && byKey.Value.Value.calloutId == id);
    Assert.That(FwpmCalloutGetSecurityInfoByKey0(fwpEngineHandle, callout.calloutKey,
        SECURITY_INFORMATION.OWNER_SECURITY_INFORMATION|SECURITY_INFORMATION.GROUP_SECURITY_INFORMATION|SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
        out PSID sOwn, out PSID sGrp, out PACL dacl, out PACL sacl, out SafeFwpmMem sd), ResultIs.Successful);
    Assert.True(!sOwn.IsNull && !sGrp.IsNull && !dacl.IsNull);
    Assert.True(sOwn.IsValidSid() && sGrp.IsValidSid() && dacl.IsValidAcl());

    Assert.That(FwpmCalloutDeleteById0(fwpEngineHandle, id), ResultIs.Successful);

    //-----------------------------------------
    // Get the events from enumeration
    Assert.That(FwpmCalloutEnum0(fwpEngineHandle, out SafeFwpmArray<FWPM_CALLOUT0> h), ResultIs.Successful);
    foreach (FWPM_CALLOUT0 e in h)
    {
        TestContext.WriteLine($"{e.calloutKey}=({e.flags})=========");
        TestContext.WriteLine($"{e.displayData.name ?? nullStr} ({e.displayData.description ?? nullStr})");
        TestContext.WriteLine($"Prov={GetNameOf(e.providerKey.Value.GetValueOrDefault()) ?? nullStr}; Layer={GetNameOf(e.applicableLayer)}");
    }
}
Toolmaker answered 2/10, 2023 at 15:47 Comment(4)
Holy cow that is unreadable! - Actinotherapy
@CodeJunkie, well it's not my test, I am just showing the code that you can use to step through - Toolmaker
I know, just felt I had to point out how bad it looks :) - Actinotherapy
@CodeJunkie, it's an answer that shows you can do WFP from C#, and there is a NuGet package and a GitHub lib that goes with it. - Toolmaker
