Method for judging process of TCP/IP packet in driver layer

Abstract

The invention discloses a method for judging a process of a TCP / IP packet in a driver layer, which can accurately distinguish the process of a packet in a network driver interface specification (NDIS) filter driver. The technical scheme comprises that the method comprises the following steps of: when a certain program uses a Windows socket interface, loading a layered service provider through a certain process; acquiring an identification number of the process and a source port opened by the process by the layered service provider; judging whether the process is an interested process according to the identification number of the layered service provider; if the process is the interested process, transmitting a user datagram protocol (UDP) notification packet to a specific address and a port; receiving the UDP notification packet, extracting the identification number of the process, a protocol used by the process and the source port opened by the process from the UDP notification packet, saving the identification number of the process, the protocol used by the process and the source port opened by the process as an association table, and discarding the UDP notification packet by using an intermediate layer driver / filter driver normalized by a network driver interface; and when the intermediate layer driver / the filter driver receives another TCP / IP packet transmitted by a local host, judging whether the TCP / IP packet comprises the information consistent with the contents in the association table, and determining the identification number of the process to which the TCP / IP packet belongs according to the judgment.

Description

technical field [0001] The invention relates to a method for judging the process to which a data packet belongs, in particular to a method for judging the process to which a TCP / IP packet belongs at a driver layer, which is applied in the fields of network firewall software, network proxy software, or network acceleration software. Background technique [0002] The filter driver (NDIS filter, Network Driver Interface Specification) of the network driver interface specification is located in the kernel driver layer of the Windows system, and can filter and process the packets of the data link layer. [0003] In network technology, it is necessary to be able to accurately distinguish the process to which a TCP / IP packet belongs in the NDIS filter driver. The existing method is to use the PsGetCurrentProcessId function to obtain the process ID to which the currently active data packet belongs. However, there is a certain randomness in the sending and receiving of network packe...

AI Technical Summary

Problems solved by technology

However, there is a certain randomness in the sending and receiving of network packets, and the layer where the NDIS filter driver resides is logically separated from the application layer. As a result, when the filter driver is used to process network packets, the PID obtained by calling the PsGetCurrentProcessId function may not be the current active data packet. owning process number

In the actual test, the result of PID is 0 is often obtained, which is obviously not suitable for some occasions with billing nature or accuracy requirements

Images