Hi guys.
I started with the Windows Filtering Platform. Using VS2012, I created some filters on my local network. Some of the filters block the connection to a host.
Now I want to delete all the filters on my machine.
I tried to delete a filter with
C++
FwpmFilterDeleteById(0,67422);
But it still does not connect to the host, because after each run I get another filter ID: 67422, 67661, 69320.

This is my code:
C++
#define _WIN32_WINNT	_WIN32_WINNT_WIN7
#define WINVER			_WIN32_WINNT_WIN7
#define NTDDI_VERSION	NTDDI_WIN7

#include <windows.h>
#include <fwpmu.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment (lib, "fwpuclnt.lib")

// Adds one outbound block filter for the host 118.69.126.40 and returns the
// filter id that WFP assigned to it (0 on failure).
UINT64 Block()
{
   // The engine handle must be a real HANDLE whose address is passed to
   // FwpmEngineOpen0; an uninitialised HANDLE* is undefined behaviour.
   HANDLE engineHandle = NULL;
   DWORD res = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &engineHandle);
   if (res != ERROR_SUCCESS)
   {
      printf("FwpmEngineOpen0 failed: 0x%08x\n", res);
      return 0;
   }

   FWPM_FILTER0 filter;
   FWPM_FILTER_CONDITION0 cond;
   ZeroMemory(&filter, sizeof(FWPM_FILTER0));
   ZeroMemory(&cond, sizeof(FWPM_FILTER_CONDITION0));

   filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
   filter.action.type = FWP_ACTION_BLOCK;

   // Use the built-in universal sublayer rather than the key of an
   // uninitialised FWPM_SUBLAYER0 local (which is what the original did).
   filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;

   // The weight is a priority, not an address; FWP_EMPTY lets WFP choose it.
   filter.weight.type = FWP_EMPTY;

   // The remote host belongs in a filter condition. With no conditions at all,
   // this filter blocks every outbound IPv4 connection, not just one host.
   // IPv4 addresses in FWP_UINT32 conditions are given in host byte order.
   cond.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
   cond.matchType = FWP_MATCH_EQUAL;
   cond.conditionValue.type = FWP_UINT32;
   cond.conditionValue.uint32 = 0x76457E28;   // 118.69.126.40
   filter.numFilterConditions = 1;
   filter.filterCondition = &cond;

   filter.displayData.name = L"Block";
   filter.displayData.description = L"Filter";

   // Ask FwpmFilterAdd0 for the id it assigns; this is the value
   // FwpmFilterDeleteById0 needs later.
   UINT64 filterId = 0;
   res = FwpmFilterAdd0(engineHandle, &filter, NULL, &filterId);
   if (res != ERROR_SUCCESS)
      printf("FwpmFilterAdd0 failed: 0x%08x\n", res);
   else
      printf("Added filter id %llu\n", filterId);

   FwpmEngineClose0(engineHandle);
   return filterId;
}

int main()
{
	Block();
	// These calls passed 0 as the engine handle; deleting by id needs the
	// handle returned by FwpmEngineOpen0.
//FwpmFilterDeleteById(0,67422);
//FwpmFilterDeleteById(0,67661);
//FwpmFilterDeleteById(0,69320);
	system("pause");
	return 0;
}


After running it the first time, it blocks the connection to the host.
Now I want to delete all filters on my computer.

This is the wfpdiag .XML log:
XML
<netEvent>
			<header>
				<timeStamp>2012-09-26T09:58:48.747Z</timeStamp>
				<flags numItems="6">
					<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
					<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
					<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
					<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
					<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
					<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
				</flags>
				<ipVersion>FWP_IP_VERSION_V4</ipVersion>
				<ipProtocol>6</ipProtocol>
				<localAddrV4>192.168.1.101</localAddrV4>
				<remoteAddrV4>118.69.126.40</remoteAddrV4>
				<localPort>2293</localPort>
				<remotePort>80</remotePort>
				<scopeId>0</scopeId>
				<appId/>
				<userId/>
			</header>
			<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
			<classifyDrop>
				<filterId>69320</filterId>
				<layerId>13</layerId>
				<reauthReason>0</reauthReason>
				<originalProfile>0</originalProfile>
				<currentProfile>0</currentProfile>
			</classifyDrop>
		</netEvent>



	<action>
							<type>FWP_ACTION_CALLOUT_TERMINATING</type>
							<calloutKey>FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V4_SILENT_DROP</calloutKey>
						</action>
						<rawContext>0</rawContext>
						<reserved/>
						<filterId>69320</filterId>
						<effectiveWeight>
							<type>FWP_UINT64</type>
							<uint64>13835058055315718144</uint64>
						</effectiveWeight>


Thank you .
Comments
headshot9x 27-Sep-12 1:10am    
Can you see it and help me ?
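The post's filter survives across runs because WFP filters added with FwpmFilterAdd0 and no session flags are persistent, and each run adds a new one with a new id. An administrator who wants to see which filters are currently installed and remove the stray ones needs two things: an inventory (the `netsh wfp show filters` export, whose `<item>` entries carry the same `<filterId>` and `<effectiveWeight>` elements as the fragment above) and a delete call made through a real engine handle. The script below is an added example, not code from the poster or from CodeProject. It assumes an elevated PowerShell session on Windows 7 or later, looks up filters by display name (the post used `Block`), and runs as a dry run unless `-Delete` is given. `FwpmEngineOpen0`, `FwpmFilterDeleteById0` and `FwpmEngineClose0` are real exports of `fwpuclnt.dll`; the P/Invoke declarations and the XPath over the exported XML are this example's own.

```powershell
# Added example (not the poster's code). Lists WFP filters by display name and,
# with -Delete, removes them by id through a properly opened engine handle.
param(
    [string]$FilterName = 'Block',   # display name the filter was added with
    [switch]$Delete                  # without this switch the script only lists
)

# 1. Export the installed filter set. This is a real netsh command; it writes
#    an XML document describing every filter in the engine.
$xmlPath = Join-Path $PWD 'filters.xml'
netsh wfp show filters file="$xmlPath" | Out-Null
[xml]$doc = Get-Content -Path $xmlPath -Raw

# 2. Select filter entries by display name. The XPath is structure-agnostic:
#    any <item> that has a <filterId> and a <displayData><name> is a filter.
$found = $doc.SelectNodes("//item[filterId and displayData/name='$FilterName']")
if ($found.Count -eq 0) {
    Write-Host "No filters named '$FilterName' found."
    return
}

foreach ($f in $found) {
    $id    = $f.SelectSingleNode('filterId').InnerText
    $layer = $f.SelectSingleNode('layerKey').InnerText
    $act   = $f.SelectSingleNode('action/type').InnerText
    Write-Host ("filterId={0,-8} layer={1} action={2}" -f $id, $layer, $act)
}

if (-not $Delete) {
    Write-Host "Dry run. Re-run with -Delete to remove these filters."
    return
}

# 3. P/Invoke the three WFP calls needed for deletion (assumed declarations,
#    matching the documented native signatures).
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Wfp {
    [DllImport("fwpuclnt.dll", CharSet = CharSet.Unicode)]
    public static extern uint FwpmEngineOpen0(string serverName, uint authnService,
        IntPtr authIdentity, IntPtr session, out IntPtr engineHandle);
    [DllImport("fwpuclnt.dll")]
    public static extern uint FwpmFilterDeleteById0(IntPtr engineHandle, ulong id);
    [DllImport("fwpuclnt.dll")]
    public static extern uint FwpmEngineClose0(IntPtr engineHandle);
}
'@
Add-Type -TypeDefinition $sig

function Remove-WfpFilterById {
    param([uint64[]]$Ids)
    $RPC_C_AUTHN_WINNT = 10
    $engine = [IntPtr]::Zero
    # The handle returned here is what FwpmFilterDeleteById0 needs; passing 0
    # (as in the post's commented-out calls) is an invalid handle.
    $rc = [Wfp]::FwpmEngineOpen0($null, $RPC_C_AUTHN_WINNT,
                                 [IntPtr]::Zero, [IntPtr]::Zero, [ref]$engine)
    if ($rc -ne 0) { throw ("FwpmEngineOpen0 failed: 0x{0:X8}" -f $rc) }
    try {
        foreach ($id in $Ids) {
            $rc = [Wfp]::FwpmFilterDeleteById0($engine, $id)
            if ($rc -eq 0) { Write-Host "Deleted filter $id" }
            else { Write-Warning ("FwpmFilterDeleteById0($id) failed: 0x{0:X8}" -f $rc) }
        }
    }
    finally {
        [void][Wfp]::FwpmEngineClose0($engine)
    }
}

$ids = $found | ForEach-Object { [uint64]$_.SelectSingleNode('filterId').InnerText }
Remove-WfpFilterById -Ids $ids
```

To confirm which filter is responsible for a drop such as the `classifyDrop` event in the post, `netsh wfp show netevents` exports the same kind of `<netEvent>` records; the `<filterId>` inside `<classifyDrop>` can be matched against the ids listed by the script before deciding what to delete.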
