WFP Basic implementation with FWPM_CONDITION_PEER_NAME

Jake11
2023-08-25T13:55:21.87+00:00

I can't find documentation or examples of how to implement a WFP filter (without the use of a callout driver preferably) that will block on DNS names NOT the IP that resolves.

Has anyone been able to get this to work / can point me in the right direction?

    // Encode the name as UTF-16LE bytes for the FWP_BYTE_BLOB condition value.
    var bytes = Encoding.Unicode.GetBytes(url);

    // Pin the managed buffer so the native blob pointer stays valid during the call.
    fixed (byte* bytesPtr = bytes)
    {
        var blob = new FWP_BYTE_BLOB
        {
            data = bytesPtr,
            size = (uint)bytes.Length,
        };

        return AddFilter(handle, providerKey, subLayerKey, layerKey, weight, name, description,
            FWP_ACTION_TYPE.FWP_ACTION_BLOCK, new FWPM_FILTER_CONDITION0
            {
                fieldKey = PInvoke.FWPM_CONDITION_PEER_NAME,
                matchType = FWP_MATCH_TYPE.FWP_MATCH_PREFIX,
                conditionValue = new FWP_CONDITION_VALUE0
                {
                    type = FWP_DATA_TYPE.FWP_BYTE_BLOB_TYPE,
                    Anonymous = new FWP_CONDITION_VALUE0._Anonymous_e__Union
                    {
                        byteBlob = &blob,
                    }
                }
            });
    }

1 answer

  1. Anonymous
    2023-08-29T06:55:16.0266667+00:00

    Hi @Jake11, welcome to Microsoft Q&A.

    For the components into which the Windows Filtering Platform (WFP) API is divided, I suggest you refer to the doc: https://learn.microsoft.com/en-us/windows/win32/fwp/api-sets

    For WFP learning, you can check https://learn.microsoft.com/en-us/windows/win32/fwp/using-windows-filtering-platform.

    Regarding what you said about using IP to filter, there are documents: https://learn.microsoft.com/en-us/windows/win32/fwp/preventing-port-scanning.

    Best Regards,

    Jiale

