About filter dns query in WFP

xwh9315xwh9315 Member Posts: 14

Hi, I'm using WFP to block DNS queries. I set a condition of UDP port 53, and then I catch all of the DNS queries, but when I check the process path of these queries, I found that the result is always svchost. I really want the real process. If I don't want to disable DNSCache (DNS Client), what else can I do to get the real process path?
Thanks...

Comments

  • Jason_StephensonJason_Stephenson Member Posts: 105

    AFAIK, nothing.

  • MBond2MBond2 Member Posts: 331

    There is certainly no systemic way to do this. And there is probably no good reason why you would want to, but if there is a certain process that you want to provide false DNS responses to, then UM hooks would be by far the easiest way. I don't think I need to provide any further hints on how to do that, but if you have another goal, please let us know and we can probably help you

  • xwh9315xwh9315 Member Posts: 14

    @MBond2 said:
    There is certainly no systemic way to do this. And there is probably no good reason why you would want to, but if there is a certain process that you want to provide false DNS responses to, then UM hooks would be by far the easiest way. I don't think I need to provide any further hints on how to do that, but if you have another goal, please let us know and we can probably help you

    Thanks, I'm doing a sandbox program (just like Sandboxie). I hope that when a process queries DNS, I can block the query inside the sandbox and permit it outside the sandbox, so I need to get the real process ID of the DNS query. I know that disabling the DNSCache service can do it, but I can't disable it; it will affect the performance of DNS queries... Can you help me?

  • MBond2MBond2 Member Posts: 331

    use a hypervisor or don't try

  • xwh9315xwh9315 Member Posts: 14

    @MBond2 said:
    use a hypervisor or don't try

    Thank you. Finally, I decided to hook the DNS API to resolve this problem...
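The thread settles the enforcement question (a WFP filter on UDP/53 only ever sees the Dnscache service host), but for attribution alone there is a source the thread does not mention: the DNS Client operational event log. The script below is an added example, not code from the thread or from OSR. It assumes that the Microsoft-Windows-DNS-Client/Operational channel is enabled (it is off by default) and that event 3006 is written from dnsapi.dll inside the calling process, so the event's ProcessId is the originator rather than svchost; the EventData field names QueryName and QueryType are taken from that event's template and are assumptions here.

```powershell
# Added example (not from the thread): attribute DNS queries to the process
# that issued them by reading the DNS Client operational log, instead of
# inspecting the UDP/53 send, which the Dnscache service (svchost) performs.
# Assumptions: the operational channel is enabled, and event 3006
# ("DNS query is called for the name ...") is logged in the calling
# process's context, so ProcessId identifies that process.

param(
    [int]$MaxEvents = 200
)

$logName = 'Microsoft-Windows-DNS-Client/Operational'

# Turn the channel on if it is disabled (requires an elevated prompt).
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    Write-Host "Enabling $logName (run from an elevated prompt)"
    wevtutil.exe sl $logName /e:true
}

# Event 3006 is raised each time a process calls the DNS query API.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3006 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Resolve the image path; the process may already have exited.
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Time      = $_.TimeCreated
        ProcessId = $_.ProcessId
        Process   = if ($proc) { $proc.Path } else { '<exited>' }
        QueryName = $data['QueryName']
        QueryType = $data['QueryType']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

This is an after-the-fact record, useful for auditing or detection (correlating a query name with the image that asked for it), not a hook point: the event arrives after the query has been issued, so it cannot block the query inside a sandbox the way the poster wanted. Process paths are only resolvable while the process still exists, which is why the script falls back to a placeholder for short-lived ones.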
