Filseclab Personal Firewall
Kernel Technology Introduction
It adopts two packet-filtering technologies:
- Application-layer packet filtering, using Winsock 2 SPI technology.
- Kernel-layer packet filtering, using NDIS-HOOK technology.
Winsock 2 SPI technical characteristics
Winsock 2 SPI works below the API and above the drivers; it belongs to the application layer. With this technology it is possible to capture and intercept the network packets of Socket-based communication. Most application programs, such as Internet Explorer and Outlook, use Sockets for their communication. Its technical characteristics are:
- Advantages
- It works in the application layer as a DLL, so programming and debugging are very convenient.
- Good compatibility: it can be applied to multiple Windows platforms directly, without modification. It supports Windows 95/98/ME/NT/2000/XP/2003; on Windows 95, Winsock 2 for Windows 95 must be installed first.
- High efficiency: because it works in the application layer, CPU usage is low.
- The network packets are intact, because they have not yet been fragmented by the lower protocol layers; this makes it very suitable for content filtering.
- For anti-porn software, there is no need to program differently for each web browser; it is simple and safe.
- Shortcomings
- Network communication that does not use Sockets cannot be intercepted, for example Network Neighborhood, which uses NetBIOS, and Ping, which uses the ICMP protocol; these network packets cannot be intercepted.
- If the installation order is wrong, it is very easy to paralyse the network. If several pieces of software that use SPI technology are installed at the same time and use a non-standard installation method, some of the SPI programs may be skipped.
The Windows Open System Architecture (WOSA)-compliant Windows Sockets 2 architecture is illustrated as
follows:
XFILTER.DLL is a Transport Service Provider.
The Protocol Chains architecture is illustrated as follows:
XFILTER.DLL is a base protocol.
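The two shortcomings above (a non-standard installation skipping an SPI program, or a broken chain paralysing networking) both come down to how the Winsock catalog orders its protocol chains: socket() uses the first catalog entry, in catalog order, whose address family, socket type and protocol match, and a layered provider only sees traffic if the winning entry's chain lists it. The following Python script is an added example, not Filseclab code; it parses a catalog dump in the "Key: Value" layout of `netsh winsock show catalog` (field names reproduced from memory and treated as an assumption; the parser only depends on the "Key: Value" form), works out which chain is in effect for a given protocol, and reports layered providers that are bypassed. The sample catalog, its catalog IDs, the file paths and the "Other Vendor LSP" are constructed for the example.

```python
import re

# Constructed sample in the layout of `netsh winsock show catalog`. Catalog order
# matters: the chain entry for the second vendor's LSP (1021) was appended without
# reordering, so it sits in front of the chain that layers XFILTER (1011) on TCP.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:            Layered Chain Entry
Description:           MSAFD Tcpip [TCP/IP] over [Other Vendor LSP]
Provider Path:         C:\\Example\\othervendor.dll
Catalog Entry ID:      1021
Address Family:        2
Socket Type:           1
Protocol:              6
Protocol Chain Length: 2
Protocol Chain:        1020 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:            Layered Chain Entry
Description:           MSAFD Tcpip [TCP/IP] over [XFILTER]
Provider Path:         C:\\Example\\XFILTER.DLL
Catalog Entry ID:      1011
Address Family:        2
Socket Type:           1
Protocol:              6
Protocol Chain Length: 2
Protocol Chain:        1010 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:            Base Service Provider
Description:           MSAFD Tcpip [TCP/IP]
Provider Path:         %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:      1001
Address Family:        2
Socket Type:           1
Protocol:              6
Protocol Chain Length: 1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:            Layered Service Provider
Description:           XFILTER Transport Service Provider
Provider Path:         C:\\Example\\XFILTER.DLL
Catalog Entry ID:      1010
Protocol Chain Length: 0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:            Layered Service Provider
Description:           Other Vendor LSP
Provider Path:         C:\\Example\\othervendor.dll
Catalog Entry ID:      1020
Protocol Chain Length: 0
"""


def parse_catalog(text):
    """Split the dump into entries, each a dict of its 'Key: Value' lines, in catalog order."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)   # split on the first colon only (paths contain ':')
                fields[key.strip()] = value.strip()
        if "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries


def triple(entry):
    """(address family, socket type, protocol) that socket() matches against."""
    return (int(entry["Address Family"]), int(entry["Socket Type"]), int(entry["Protocol"]))


def chain_of(entry):
    """Catalog IDs a socket created through this entry passes, top to bottom.
    Length 0 marks a layered provider itself (never selected directly by socket()),
    length 1 a base provider, and a longer chain lists the LSPs above the base."""
    length = int(entry.get("Protocol Chain Length", "0"))
    if length == 0:
        return []
    if length == 1:
        return [int(entry["Catalog Entry ID"])]
    return [int(cid) for cid in entry["Protocol Chain"].split(":")]


def effective_chain(entries, af, sock_type, proto):
    """socket(af, type, proto) uses the first matching entry in catalog order."""
    for entry in entries:
        chain = chain_of(entry)
        if chain and triple(entry) == (af, sock_type, proto):
            return chain
    return None


def bypassed_lsps(entries):
    """(lsp_id, description, triple) for every LSP that some chain entry layers over a
    protocol, yet the entry that actually wins for that protocol does not include it."""
    by_id = {int(e["Catalog Entry ID"]): e for e in entries}
    claims = {}
    for entry in entries:
        for lsp_id in chain_of(entry)[:-1]:        # every ID above the base is an LSP
            claims.setdefault(lsp_id, set()).add(triple(entry))
    report = []
    for lsp_id, triples in sorted(claims.items()):
        for t in sorted(triples):
            if lsp_id not in effective_chain(entries, *t):
                report.append((lsp_id, by_id[lsp_id]["Description"], t))
    return report


if __name__ == "__main__":
    entries = parse_catalog(SAMPLE_CATALOG)
    print("TCP chain in effect:", effective_chain(entries, 2, 1, 6))
    for lsp_id, desc, t in bypassed_lsps(entries):
        print(f"LSP {lsp_id} ({desc}) is skipped for af/type/proto {t}")
```

On the constructed sample the TCP chain in effect is [1020, 1001], so XFILTER (1010) never sees TCP sockets even though its chain entry is installed, which is exactly the "SPI program skipped" case. On a real Windows XP SP2 or later machine the same functions can be fed the output of `netsh winsock show catalog`; `netsh winsock reset` rebuilds the catalog when a damaged chain has left the network unusable.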
NDIS-HOOK technical characteristics:
NDIS is the Network Driver Interface Specification; Windows uses the NDIS library to implement its network interface. All network communication must ultimately pass through the NDIS interface.
The OSI reference model is shown in the following figure:
NDIS works at the Transport, Network and Data-link layers; it is a very low interface layer.
The structure of NDIS is shown in the following figure:
NDIS supports the following types of network driver programming interface:
- TDI filter drivers
- Protocol drivers
- Intermediate drivers (IM drivers)
- Miniport drivers
TDI filter drivers and protocol drivers are usually used to capture and filter network packets. They are the technologies commonly used by firewall and VPN software, but they all have some defects:
TDI filter drivers are upper drivers: they work above Tcpip.sys, which means that packets Tcpip.sys answers directly cannot be captured by a TDI filter driver, so some incoming packets cannot be filtered either. For example, when Tcpip.sys receives an ICMP request packet it builds the response packet itself and replies directly, and the TDI filter driver above it is entirely unaware of this.
Intermediate drivers are more powerful, but their programming interface is somewhat intricate and automatic installation is very complicated.
NDIS-HOOK has none of the defects above. The working principle of NDIS-HOOK is to replace function addresses in the NDIS library directly with our own functions, so that NDIS requests pass through our function first. It is as simple as that: our function processes the request and then passes it on to the original NDIS function to be completed.
NDIS-HOOK technology has the following characteristics:
- Programming is convenient, the interface is simple, the approach is clear, and performance is stable.
- More flexible: only the functions one actually needs are hooked, so no redundant code is required.
- Powerful: it can hook all NDIS and TDI functions and perform everything they do. It is certainly much more powerful than the standard way, and the technique can also be extended to hook all system functions.
- High security: packets are intercepted and captured at a very low layer, which makes it difficult to bypass.
- Installation is very simple.
Figure before NDIS-HOOK is installed:
Figure after NDIS-HOOK is installed:
Copyright © 2001-2004 FILSECLAB