Hi guys.
I started with the Windows Filtering Platform. I am using VS2012 to create some filters in my local network. Some of the filters block the connection to a host.
Now I want to delete all the filters on my computer.
I tried to delete the filter with
FwpmFilterDeleteById(0,67422);
But that does not work: I still cannot connect to the host, because after each run I get a different filter ID (67422, 67661, 69320).
This is my code snippet:
#define _WIN32_WINNT _WIN32_WINNT_WIN7
#define WINVER _WIN32_WINNT_WIN7
#define NTDDI_VERSION NTDDI_WIN7
#include <windows.h>
#include <fwpmu.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment (lib, "fwpuclnt.lib")
void Block()
{
    /* was: an uninitialized HANDLE* passed straight to FwpmEngineOpen0 */
    HANDLE engineHandle = NULL;
    DWORD res;
    FWPM_FILTER0 filter;
    UINT64 filterId = 0;
    res = FwpmEngineOpen0(NULL, RPC_C_AUTHN_DEFAULT, NULL, NULL, &engineHandle);
    if (res != ERROR_SUCCESS) {
        printf("FwpmEngineOpen0 failed: 0x%08X (run elevated)\n", res);
        return;
    }
    ZeroMemory(&filter, sizeof(FWPM_FILTER0));
    filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;   /* outbound IPv4 connect attempts */
    filter.action.type = FWP_ACTION_BLOCK;
    /* was: subLayerKey copied from an uninitialized FWPM_SUBLAYER0 */
    filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
    /* was: FWP_UINT32 with a value too large for 32 bits; let BFE choose the weight */
    filter.weight.type = FWP_EMPTY;
    filter.numFilterConditions = 0;   /* no conditions: every connect attempt matches */
    filter.filterCondition = NULL;
    filter.displayData.name = L"Block";
    filter.displayData.description = L"Filter";
    /* the last parameter receives the ID BFE assigned; it is different on every add */
    res = FwpmFilterAdd0(engineHandle, &filter, NULL, &filterId);
    if (res == ERROR_SUCCESS)
        printf("Filter added, id = %llu\n", filterId);
    else
        printf("FwpmFilterAdd0 failed: 0x%08X\n", res);
    FwpmEngineClose0(engineHandle);
}
int main()
{
    Block();
    system("pause");
    return 0;
}
After running it the first time, it blocks the connection to the host.
Now I want to delete all the filters on my computer.
This is the wfpdiag log as XML:
<netEvent>
<header>
<timeStamp>2012-09-26T09:58:48.747Z</timeStamp>
<flags numItems="6">
<item>FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET</item>
<item>FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET</item>
<item>FWPM_NET_EVENT_FLAG_IP_VERSION_SET</item>
</flags>
<ipVersion>FWP_IP_VERSION_V4</ipVersion>
<ipProtocol>6</ipProtocol>
<localAddrV4>192.168.1.101</localAddrV4>
<remoteAddrV4>118.69.126.40</remoteAddrV4>
<localPort>2293</localPort>
<remotePort>80</remotePort>
<scopeId>0</scopeId>
<appId/>
<userId/>
</header>
<type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
<classifyDrop>
<filterId>69320</filterId>
<layerId>13</layerId>
<reauthReason>0</reauthReason>
<originalProfile>0</originalProfile>
<currentProfile>0</currentProfile>
</classifyDrop>
</netEvent>
<action>
<type>FWP_ACTION_CALLOUT_TERMINATING</type>
<calloutKey>FWPM_CALLOUT_WFP_TRANSPORT_LAYER_V4_SILENT_DROP</calloutKey>
</action>
<rawContext>0</rawContext>
<reserved/>
<filterId>69320</filterId>
<effectiveWeight>
<type>FWP_UINT64</type>
<uint64>13835058055315718144</uint64>
</effectiveWeight>
Thank you.