Sunday, January 15, 2006

There are several options if you are looking to create a firewall. This list is by no means complete; it's basically just a reference for myself : )

1. NDIS driver (Protocol driver - implements a protocol; Intermediate driver - can do filtering, translations and packet scheduling; Miniport driver - the final level that actually talks to the NIC) - best but most difficult

2. TDI filter driver - decent, but can be circumvented via raw IP

3. Layered Service Provider - can be circumvented easily.

4. Winsock hooks - a pain to implement, can be circumvented fairly easily

5. Filter-hook driver (only one allowed on a system - if another app uses it, you are out of luck). Can't access packet data. It is installed by sending IOCTL_PF_SET_EXTENSION_POINTER with IoBuildDeviceIoControlRequest().

6. Firewall-hook driver (relatively undocumented way - see http://www.codeproject.com/internet/FwHookDrv.asp). Not recommended by MS. More difficult to modify data than with TDI, as it's pretty undocumented.

From Microsoft:

It is not recommended to implement a firewall-hook driver (or firewall driver) for Microsoft Windows XP and later versions of the operating system.

The Microsoft Windows 2000 DDK introduced the concept of a firewall-hook driver. The intent of a firewall-hook driver was to manage network packets that were sent and received across a firewall in the context of the TCP/IP protocol. A firewall is a control system that prevents unauthorized users from gaining access to a local network that is connected to the Internet.

A firewall-hook driver did not meet firewall requirements because it ran too high in the network stack. A firewall-hook driver could also interfere with the operations of Internet Connection Sharing (ICS) or a personal firewall implementation.

To provide firewall functionality on Windows XP and later, you should create an NDIS intermediate miniport driver to manage packets sent and received across a firewall. For information on creating an NDIS intermediate miniport driver, see NDIS Intermediate Drivers.

1/15/2006 8:00:44 PM (Eastern Standard Time, UTC-05:00)

Friday, January 06, 2006

I've decided it's time to fight back and provide some tools for people to fight malware.

The first step to fighting it on your machine (this article is geared to the more technical crowd) is being able to stop it from loading, replicating, and communicating.

1. Always review your firewall rules.

2. Process Creation

NtCreateSection
MiFindImageSectionObject
MiLockPfnDatabase
MiInsertImageSectionObject
MiCreateImageFileMap
NtCreateProcessEx
MmCreateProcessAddressSpace
MmCreatePeb
BasePushProcessParameters
BaseCreateStack

1/6/2006 10:45:53 PM (Eastern Standard Time, UTC-05:00)

I'm working on a new utility to help systems guys fight spyware on their systems. I was quite frustrated trying to get one off my Mother's machine: randomly named exes would keep appearing, even after safe mode boots and removal of hklm\software\microsoft\windows\run keys. I also tried 'pausing' the process using Process Explorer from Sysinternals, with limited success. So... now I'm writing a kernel mode driver to help combat this.

For starters, let's visit the short list of how all things can load on the system.

ShellExecute Hooks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Shell Delay Load Objects
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

URL Search Hooks
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

App Init DLLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs

Download Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, DownloadUI
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, DownloadUI

Notification Packages
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

User\Start Menu\Programs\Startup;
All Users\Start Menu\Programs\Startup;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices;
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, System;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, VmApplet;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, UIHost;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit;
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, run;
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, load;
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager, BootExecute;
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects;
win.ini, load;
win.ini, run;
system.ini, shell.

They can also install themselves as services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

All of these locations can be exploited.
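As an added example (not code from the original post), the following PowerShell walks the autostart locations listed above and prints what is registered there, so a cleanup can be re-checked after each reboot. The grouping of keys into "every value launches something", "only a named value matters" and "each subkey is a component" is my assumption, not the post's.

```powershell
# Added example, not code from the original post: walk the autostart locations
# listed above and print what is registered there, so a removal can be re-checked
# after each reboot. Run from an elevated PowerShell on the machine being cleaned.
# Which keys hold launch values vs. subkeys is my assumption, not the post's.
$valueKeys = @(   # every value under these keys is launched or loaded
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
)
$namedValues = @(   # only these named values matter under these keys
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Names = 'AppInit_DLLs' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Shell','Userinit','System','UIHost','VmApplet' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Names = 'run','load' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager';      Names = 'BootExecute' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer';                  Names = 'DownloadUI' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer';                  Names = 'DownloadUI' }
)
$subkeyKeys = @(   # each subkey is one registered component
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Microsoft\Active Setup\Installed Components'
)
foreach ($k in $valueKeys | Where-Object { Test-Path $_ }) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath/PSParentPath etc.
        ForEach-Object { '{0} :: {1} = {2}' -f $k, $_.Name, ($_.Value -join ' ') }
}
foreach ($e in $namedValues | Where-Object { Test-Path $_.Key }) {
    $p = Get-ItemProperty -Path $e.Key
    foreach ($n in $e.Names) {   # BootExecute is REG_MULTI_SZ, hence the -join
        if ($null -ne $p.$n) { '{0} :: {1} = {2}' -f $e.Key, $n, ($p.$n -join ' ') }
    }
}
foreach ($k in $subkeyKeys | Where-Object { Test-Path $_ }) {
    Get-ChildItem -Path $k | ForEach-Object { '{0} :: subkey {1}' -f $k, $_.PSChildName }
}
foreach ($f in 'Startup', 'CommonStartup') {   # the two Startup folders from the list
    Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -ErrorAction SilentlyContinue |
        ForEach-Object { 'Startup folder :: ' + $_.FullName }
}
```

Save the output to a file before and after a cleanup and diff the two; the Services key and win.ini/system.ini entries from the list are not covered and need a separate look.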

1/6/2006 12:07:58 AM (Eastern Standard Time, UTC-05:00)

Thursday, January 05, 2006

So I'm trying to compile a kernel mode driver I'm writing against the DDK rather than using vs.net.

First off, to use visual studio, read:

http://tiger.la.asu.edu/Quick_Ref/DeviceDriver.pdf

and there is a nice batch file at http://www.osronline.com/article.cfm?article=43

but everyone says "hey - use the DDK - that's what the compiler is there for".

Ok, so I keep getting an error on this line:

    PHYSICAL_ADDRESS    PhysicalAddress;   <-- error here
    PhysicalAddress = MmGetPhysicalAddress((void*)block);

error:

    error C2275: 'PHYSICAL_ADDRESS' : illegal use of this type as an expression

hmm... it's used throughout the DDK samples that I can build. So I try PVOID, void*, ULONG, all with the same result.

Then it occurs to me - the types are recognized, so how about moving the declarations to the top of the procedure (sorry - I've been so used to modern compilers where you can gladly declare vars anywhere) and voila. That's an hour of my life I'll never get back - thanks DDK guys for packaging that wonderful compiler with the DDK!!

1/5/2006 11:56:31 PM (Eastern Standard Time, UTC-05:00)