Package for controlling the Windows firewall (aka Windows Filtering Platform, WFP)


wf

What

This is a package for controlling the Windows Filtering Platform (WFP), also known as the Windows firewall.

See its docs: https://godoc.org/inet.af/wf

Maturity

This package is under active development, and isn't used in production yet. API stability is not guaranteed, and functionality is missing.

Issues
  • Fixed SECURITY_DESCRIPTOR serialization

    This fix wraps the SECURITY_DESCRIPTOR structure in an FWP_BYTE_BLOB structure to adhere to the documentation. I also corrected my tab/space usage from the previous merge (really, I just ran go fmt).

    Relevant Documentation

    This would fix #13.

    opened by calebstewart 2
  • Incorrect Serialization of SECURITY_DESCRIPTOR field

    The FWP_SECURITY_DESCRIPTOR_TYPE field type is being incorrectly serialized/copied in toValue0. Currently, the module copies the given security descriptor to the arena allocator and then sets the field value to the SECURITY_DESCRIPTOR pointer. However, according to the documentation, security descriptors are passed inside an FWP_BYTE_BLOB struct.

    I have some local modifications to make this work by copying the golang SECURITY_DESCRIPTOR to the arena (same as before), then creating a fwpByteBlob struct, and assigning Length to security_descriptor.Length() and Data to the arena-allocated SECURITY_DESCRIPTOR pointer. This is working for me to assign FWP_SECURITY_DESCRIPTOR_TYPE fields.

    ~~I will try to clean this up and bundle both this and #12 together in one PR since I have them working on my end if you're open to it.~~

    Edit: Instead of putting them together, I made two separate pull requests, since they are technically separate problems. I assume that will make review a bit easier. :+1:

    opened by calebstewart 1
  • Added persistent flag in toSublayer0

    This PR simply adds the correct flag to the fwpmSublayer0 struct in toSublayer0 based on the Persistent flag. I've tested this to work for me.

    This would fix #10.

    opened by calebstewart 1
  • toSublayer0 does not pass Persistent flag

    When creating a sublayer, the function toSublayer0 is used to serialize the wf.Sublayer struct into the required fwpmSublayer0 struct in order to pass into the Win32 API. The Flags field should be set to fwpmSublayerFlagsPersistent when the Persistent option is set to true.

    This is the same process as when constructing the fwpmProvider0 structure as seen just below it in compose.go:

    // toSublayer0 converts sl into an arena-allocated fwpmSublayer0.
    func toSublayer0(a *arena, sl *Sublayer) *fwpmSublayer0 {
    	ret := (*fwpmSublayer0)(a.Alloc(unsafe.Sizeof(fwpmSublayer0{})))
    	*ret = fwpmSublayer0{
    		SublayerKey: sl.ID,
    		DisplayData: fwpmDisplayData0{
    			Name:        toUint16(a, sl.Name),
    			Description: toUint16(a, sl.Description),
    		},
    		ProviderKey: toGUID(a, windows.GUID(sl.Provider)),
    		ProviderData: fwpByteBlob{
    			Size: uint32(len(sl.ProviderData)),
    			Data: toBytes(a, sl.ProviderData),
    		},
    		Weight: sl.Weight,
    	}
    
    	return ret
    }
    
    // toProvider0 converts p into an arena-allocated fwpmProvider0.
    func toProvider0(a *arena, p *Provider) *fwpmProvider0 {
    	ret := (*fwpmProvider0)(a.Alloc(unsafe.Sizeof(fwpmProvider0{})))
    	*ret = fwpmProvider0{
    		ProviderKey: p.ID,
    		DisplayData: fwpmDisplayData0{
    			Name:        toUint16(a, p.Name),
    			Description: toUint16(a, p.Description),
    		},
    		ProviderData: fwpByteBlob{
    			Size: uint32(len(p.Data)),
    			Data: toBytes(a, p.Data),
    		},
    		ServiceName: toUint16(a, p.ServiceName),
    	}
    	if p.Persistent {
    		ret.Flags = fwpmProviderFlagsPersistent
    	}
    
    	return ret
    }
    
    opened by calebstewart 0
  • types: add missing RawContext field in fwpmFilter0

    Addresses the first issue in https://github.com/tailscale/tailscale/issues/3260#issuecomment-962858025

    I have tested this on Windows 7 32-bit and it works fine. I still have to test it on a 64-bit machine and other Windows versions.

    Signed-off-by: Maisem Ali [email protected]

    opened by maisem 0
  • Support Ranges for all sortable types

    Range values currently seem to be only supported implicitly when using an IP address field with a value of type netaddr.IPRange or for fields whose type is explicitly dataTypeRange (of which I couldn't find any, in my brief overview). This means that adding a Rule that matches e.g. a port range is not possible.

    This PR makes Range values usable for all sortable types (a list of which is found in the comment for FWP_MATCH_GREATER here: https://docs.microsoft.com/en-us/windows/win32/api/fwptypes/ne-fwptypes-fwp_match_type#constants).

    Please let me know if I can improve anything!

    P.S.: It also seems that building a Range from netaddr.IPRange is not possible due to the Range being built as Range{m.From, m.To} instead of Range{m.From(), m.To()}. Should I add a fix to this PR or open a separate one?

    opened by elmeyer 3
  • Force ALE_USER_ID field to SECURITY_DESCRIPTOR type

    Based on the documentation, the FWPM_CONDITION_ALE_USER_ID field should have the type FWP_SECURITY_DESCRIPTOR_TYPE. This fix forces this type because WFP is incorrectly reporting TOKEN_ACCESS_INFORMATION_TYPE instead.

    Relevant Documentation.

    I believe I got the Sign-Off stuff right this time, but I've never used it before. :eye: :nose: :eye:

    This would fix #12.

    opened by calebstewart 6
  • Incorrect Type Reported by FWPM_CONDITION_ALE_USER_ID

    For some reason, the WFP reports the User ID field as taking a TOKEN_ACCESS_INFORMATION as the value type. However, the documentation indicates that it takes a SECURITY_DESCRIPTOR type.

    Anecdotally, dumping existing WFP rules with netsh wfp show filters does show existing/default filters using the SECURITY_DESCRIPTOR type for ALE_USER_ID fields.

    Any idea why there is a mismatch here? It seems to be coming directly from the Win32 layer enumeration methods and not from your module, but I'm interested in any insight you may have. I've been able to work around this by forcing the type for this specific field to typeSecurityDescriptor in func fieldType(f *fwpmField0) (reflect.Type, error), but that seemed rather hacky.

    opened by calebstewart 0
  • Expose TOKEN_ACCESS_INFORMATION in x/sys/windows

    WFP provides access to TOKEN_ACCESS_INFORMATION structs in some filters. This is a standard winnt.h struct, so it should be exposed by x/sys/windows.

    For now, there's just a placeholder in this package, so that field reflection can provide some type.

    opened by danderson 0
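The two serialization fixes discussed in the issues above (carrying the Persistent option into the sublayer Flags field, and passing a SECURITY_DESCRIPTOR to WFP inside an FWP_BYTE_BLOB rather than as a bare pointer) as one stand-alone Go example. This is added illustration, not code from the wf package: the fwpmSublayer0, fwpByteBlob and arena types are simplified stand-ins for the package's unexported ones, the flag value 0x1 and the 20-byte self-relative descriptor header are taken from the Windows SDK headers, and the sample descriptor bytes are constructed. It goes one step beyond the issues by rejecting a descriptor that is not self-relative, since only a self-relative descriptor can be copied as a contiguous blob.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unsafe"
)

// Constructed stand-ins for the wf package's unexported WFP mirrors (the real
// fwpmSublayer0 has more fields; only what the two fixes touch is modelled).
type fwpByteBlob struct {
	Size uint32
	Data *byte
}

// FWPM_SUBLAYER_FLAG_PERSISTENT from fwpmtypes.h; the value 0x1 is assumed here.
const fwpmSublayerFlagsPersistent uint32 = 0x00000001

type fwpmSublayer0 struct {
	Flags        uint32
	ProviderData fwpByteBlob
	Weight       uint16
}

// Sublayer is the caller-facing struct, modelled on the wf package's public type.
type Sublayer struct {
	Persistent   bool
	ProviderData []byte
	Weight       uint16
}

// arena pins every allocation so the pointers handed to Win32 stay valid for
// the duration of the call (simplified stand-in for the package's arena).
type arena struct{ pinned [][]byte }

func (a *arena) toBytes(b []byte) *byte {
	if len(b) == 0 {
		return nil
	}
	c := append([]byte(nil), b...)
	a.pinned = append(a.pinned, c)
	return &c[0]
}

// toSublayer0 carries the Persistent option into the Flags field; without
// this the sublayer does not survive a restart of the BFE service.
func toSublayer0(a *arena, sl *Sublayer) *fwpmSublayer0 {
	ret := &fwpmSublayer0{
		ProviderData: fwpByteBlob{
			Size: uint32(len(sl.ProviderData)),
			Data: a.toBytes(sl.ProviderData),
		},
		Weight: sl.Weight,
	}
	if sl.Persistent {
		ret.Flags = fwpmSublayerFlagsPersistent
	}
	return ret
}

const (
	sdHeaderLen    = 20     // Revision, Sbz1, Control, Owner, Group, Sacl, Dacl
	seSelfRelative = 0x8000 // SE_SELF_RELATIVE bit of SECURITY_DESCRIPTOR_CONTROL
)

// toSecurityDescriptorValue wraps a self-relative SECURITY_DESCRIPTOR in an
// FWP_BYTE_BLOB, which is what FWP_SECURITY_DESCRIPTOR_TYPE expects; the
// pre-fix code handed WFP the bare descriptor pointer instead. An absolute
// descriptor holds pointers rather than offsets and cannot travel as a blob,
// so it is rejected before anything reaches the kernel.
func toSecurityDescriptorValue(a *arena, sd []byte) (*fwpByteBlob, error) {
	if len(sd) < sdHeaderLen {
		return nil, errors.New("security descriptor shorter than its fixed header")
	}
	if binary.LittleEndian.Uint16(sd[2:4])&seSelfRelative == 0 {
		return nil, errors.New("security descriptor is not self-relative")
	}
	return &fwpByteBlob{Size: uint32(len(sd)), Data: a.toBytes(sd)}, nil
}

// blobBytes views the blob the way the receiving Win32 code does.
func blobBytes(b *fwpByteBlob) []byte {
	return unsafe.Slice(b.Data, b.Size)
}

// sampleSelfRelativeSD builds a constructed 20-byte header: revision 1,
// control SE_SELF_RELATIVE|SE_DACL_PRESENT, all offsets zero (a NULL DACL).
func sampleSelfRelativeSD() []byte {
	sd := make([]byte, sdHeaderLen)
	sd[0] = 1
	binary.LittleEndian.PutUint16(sd[2:4], seSelfRelative|0x0004)
	return sd
}

func main() {
	a := &arena{}
	fmt.Printf("persistent sublayer flags: %#x\n", toSublayer0(a, &Sublayer{Persistent: true}).Flags)
	blob, err := toSecurityDescriptorValue(a, sampleSelfRelativeSD())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("blob size %d, bytes %x\n", blob.Size, blobBytes(blob))
}
```

The arena matters more than it looks: the blob's Data pointer is only meaningful while the copy it points at is reachable, so anything handed to FwpmFilterAdd0 or FwpmSubLayerAdd0 must stay pinned until the call returns.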
Owner
inet.af