From 4012569a93490f1a6ce7aa3f58c69b87f650a99d Mon Sep 17 00:00:00 2001
From: Michael Agun
Date: Wed, 13 Aug 2025 13:39:45 -0700
Subject: [PATCH 1/3] Add support for SOCK_OPS listen hook.

---
 inc/usersim/fwp_test.h |  6 ++++++
 src/fwp_um.cpp         | 44 ++++++++++++++++++++++++++++++++++++++++++
 src/fwp_um.h           |  6 ++++++
 3 files changed, 56 insertions(+)

diff --git a/inc/usersim/fwp_test.h b/inc/usersim/fwp_test.h
index 64284cd..08cb8cd 100644
--- a/inc/usersim/fwp_test.h
+++ b/inc/usersim/fwp_test.h
@@ -52,6 +52,12 @@ usersim_fwp_sock_ops_v4(_In_ fwp_classify_parameters_t* parameters, _Out_opt_ ui
 USERSIM_API FWP_ACTION_TYPE
 usersim_fwp_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_opt_ uint64_t* flow_id);
 
+USERSIM_API FWP_ACTION_TYPE
+usersim_fwp_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters);
+
+USERSIM_API FWP_ACTION_TYPE
+usersim_fwp_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters);
+
 USERSIM_API void
 usersim_fwp_set_sublayer_guids(
     _In_ const GUID& default_sublayer, _In_ const GUID& connect_v4_sublayer, _In_ const GUID& connect_v6_sublayer);
diff --git a/src/fwp_um.cpp b/src/fwp_um.cpp
index 68b7761..72260d6 100644
--- a/src/fwp_um.cpp
+++ b/src/fwp_um.cpp
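Review bot: The two exported declarations added here carry no comment, so a caller of `usersim_fwp_sock_ops_listen_v4`/`_v6` cannot tell from the header which `fwp_classify_parameters_t` fields drive the simulated listen or what the returned `FWP_ACTION_TYPE` represents. A one-line comment above each would close that gap, e.g. `// Simulates a classify at the ALE_AUTH_LISTEN_V4 layer from the local address/port, compartment, interface and app id in parameters; returns the action the callout selected.`. The neighbouring sock_ops declarations are undocumented too, so this matches local style, but these are the first listen-layer entry points and the implementation in src/fwp_um.cpp is the only place the field mapping is visible.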
@@ -469,6 +469,38 @@ fwp_engine_t::test_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_
         FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6, FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6, _default_sublayer, incoming_value, flow_id);
 }
 
+// This is used to test the SOCK_OPS listen hook for IPv4 traffic.
+FWP_ACTION_TYPE
+fwp_engine_t::test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters)
+{
+    FWPS_INCOMING_VALUE0 incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_MAX] = {};
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_IP_LOCAL_ADDRESS].value.uint32 = parameters->destination_ipv4_address;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_IP_LOCAL_PORT].value.uint16 = parameters->destination_port;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_COMPARTMENT_ID].value.uint32 = parameters->compartment_id;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_IP_LOCAL_INTERFACE].value.uint64 = ¶meters->interface_luid;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_ALE_APP_ID].value.byteBlob = ¶meters->app_id;
+
+    return test_callout(
+        FWPS_LAYER_ALE_AUTH_LISTEN_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4, _default_sublayer, incoming_value);
+}
+
+// This is used to test the SOCK_OPS listen hook for IPv6 traffic.
+FWP_ACTION_TYPE
+fwp_engine_t::test_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters)
+{
+    FWPS_INCOMING_VALUE0 incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_MAX] = {};
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_IP_LOCAL_ADDRESS].value.byteArray16 =
+        ¶meters->destination_ipv6_address;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_IP_LOCAL_PORT].value.uint16 = parameters->destination_port;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_COMPARTMENT_ID].value.uint32 = parameters->compartment_id;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_IP_LOCAL_INTERFACE].value.uint64 = ¶meters->interface_luid;
+    incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_ALE_APP_ID].value.byteBlob = ¶meters->app_id;
+
+    return test_callout(
+        FWPS_LAYER_ALE_AUTH_LISTEN_V6, FWPM_LAYER_ALE_AUTH_LISTEN_V6, _default_sublayer, incoming_value);
+}
+
+#pragma endregion fwp_engine_t
 
 #pragma region fwpm_apis
 
@@ -1042,6 +1074,18 @@ usersim_fwp_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_opt_ ui
     return fwp_engine_t::get()->test_sock_ops_v6(parameters, flow_id);
 }
 
+FWP_ACTION_TYPE
+usersim_fwp_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters)
+{
+    return fwp_engine_t::get()->test_sock_ops_listen_v4(parameters);
+}
+
+FWP_ACTION_TYPE
+usersim_fwp_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters)
+{
+    return fwp_engine_t::get()->test_sock_ops_listen_v6(parameters);
+}
+
 void
 usersim_fwp_set_sublayer_guids(
     _In_ const GUID& default_sublayer, _In_ const GUID& connect_v4_sublayer, _In_ const GUID& connect_v6_sublayer)
diff --git a/src/fwp_um.h b/src/fwp_um.h
index 44c31d5..0f08750 100644
--- a/src/fwp_um.h
+++ b/src/fwp_um.h
@@ -244,6 +244,12 @@ typedef class fwp_engine_t
     void
     test_sock_ops_v6_remove_flow_context(_In_ uint64_t flow_id);
 
+    FWP_ACTION_TYPE
+    test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters);
+
+    FWP_ACTION_TYPE
+    test_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters);
+
     static fwp_engine_t*
     get()
     {
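Review bot: In both new helpers the IP_LOCAL_ADDRESS and IP_LOCAL_PORT slots are filled from `parameters->destination_ipv4_address`/`destination_ipv6_address` and `destination_port`, and nothing explains why the "destination" fields stand for the local endpoint of a listen; a reader comparing with the flow-established helpers, whose field mapping is outside the hunk, cannot tell whether this is deliberate. A comment on the first assignment would settle it, e.g. `// A listen has no remote endpoint; the destination_* parameters describe the local address/port being bound.`. Separately, `incoming_value` is zero-initialized and only the data members are assigned, so each `value.type` stays at its zero value (FWP_EMPTY); if the sibling test_sock_ops_* helpers do the same this is consistent, otherwise a callout that validates the type tag will see untyped fields. The `value.uint64`/`value.byteBlob` members hold pointers into the caller's `parameters`, which is fine provided `test_callout` consumes them before returning, as the direct `return test_callout(...)` suggests.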
From 05e548f1198b49cfe73c466ccd6b91e2c4a9aca6 Mon Sep 17 00:00:00 2001
From: Michael Agun
Date: Wed, 13 Aug 2025 17:19:54 -0700
Subject: [PATCH 2/3] fix for flow_id.

---
 src/fwp_um.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/fwp_um.cpp b/src/fwp_um.cpp
index 72260d6..111efdf 100644
--- a/src/fwp_um.cpp
+++ b/src/fwp_um.cpp
@@ -481,7 +481,7 @@ fwp_engine_t::test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters
     incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_ALE_APP_ID].value.byteBlob = ¶meters->app_id;
 
     return test_callout(
-        FWPS_LAYER_ALE_AUTH_LISTEN_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4, _default_sublayer, incoming_value);
+        FWPS_LAYER_ALE_AUTH_LISTEN_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4, _default_sublayer, incoming_value, nullptr);
 }
 
 // This is used to test the SOCK_OPS listen hook for IPv6 traffic.
@@ -497,7 +497,7 @@ fwp_engine_t::test_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters
     incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_ALE_APP_ID].value.byteBlob = ¶meters->app_id;
 
     return test_callout(
-        FWPS_LAYER_ALE_AUTH_LISTEN_V6, FWPM_LAYER_ALE_AUTH_LISTEN_V6, _default_sublayer, incoming_value);
+        FWPS_LAYER_ALE_AUTH_LISTEN_V6, FWPM_LAYER_ALE_AUTH_LISTEN_V6, _default_sublayer, incoming_value, nullptr);
 }
 
 #pragma endregion fwp_engine_t

From 40562a6d521645e94620a4b77e7161437608e103 Mon Sep 17 00:00:00 2001
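Review bot: The trailing `nullptr` added to both `test_callout` calls (this hunk and the `@@ -497` hunk below) is a bare positional literal, and since `test_callout`'s signature is outside the hunk a reader has to look it up to learn that it is the flow-id out-parameter. Naming it inline, `incoming_value, /* flow_id */ nullptr);`, records why the listen layer passes nothing there: an ALE_AUTH_LISTEN classification does not produce a flow. Whether `test_callout` checks that pointer before writing cannot be confirmed from this diff; the `_Out_opt_ uint64_t* flow_id` on the public sock_ops API suggests null already reaches it through that path, but that is worth verifying.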
From: Michael Agun
Date: Wed, 13 May 2026 12:18:24 -0700
Subject: [PATCH 3/3] Rename sock_ops_listen to cgroup_inet_listen for sock_addr alignment

Rename usersim listen hook test functions from sock_ops naming to cgroup_inet naming to match the sock_addr-based listen hook design:
- usersim_fwp_sock_ops_listen_v4 -> usersim_fwp_cgroup_inet4_listen
- usersim_fwp_sock_ops_listen_v6 -> usersim_fwp_cgroup_inet6_listen
- test_sock_ops_listen_v4 -> test_cgroup_inet4_listen
- test_sock_ops_listen_v6 -> test_cgroup_inet6_listen

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 inc/usersim/fwp_test.h |  4 ++--
 src/fwp_um.cpp         | 16 ++++++++--------
 src/fwp_um.h           |  4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/inc/usersim/fwp_test.h b/inc/usersim/fwp_test.h
index 08cb8cd..cbe750a 100644
--- a/inc/usersim/fwp_test.h
+++ b/inc/usersim/fwp_test.h
@@ -53,10 +53,10 @@ USERSIM_API FWP_ACTION_TYPE
 usersim_fwp_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_opt_ uint64_t* flow_id);
 
 USERSIM_API FWP_ACTION_TYPE
-usersim_fwp_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters);
+usersim_fwp_cgroup_inet4_listen(_In_ fwp_classify_parameters_t* parameters);
 
 USERSIM_API FWP_ACTION_TYPE
-usersim_fwp_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters);
+usersim_fwp_cgroup_inet6_listen(_In_ fwp_classify_parameters_t* parameters);
 
 USERSIM_API void
 usersim_fwp_set_sublayer_guids(
diff --git a/src/fwp_um.cpp b/src/fwp_um.cpp
index 111efdf..0b08fa2 100644
--- a/src/fwp_um.cpp
+++ b/src/fwp_um.cpp
@@ -469,9 +469,9 @@ fwp_engine_t::test_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_
         FWPS_LAYER_ALE_FLOW_ESTABLISHED_V6, FWPM_LAYER_ALE_FLOW_ESTABLISHED_V6, _default_sublayer, incoming_value, flow_id);
 }
 
-// This is used to test the SOCK_OPS listen hook for IPv4 traffic.
+// This is used to test the sock_addr listen hook for IPv4 traffic.
 FWP_ACTION_TYPE
-fwp_engine_t::test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters)
+fwp_engine_t::test_cgroup_inet4_listen(_In_ fwp_classify_parameters_t* parameters)
 {
     FWPS_INCOMING_VALUE0 incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_MAX] = {};
     incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V4_IP_LOCAL_ADDRESS].value.uint32 = parameters->destination_ipv4_address;
@@ -484,9 +484,9 @@ fwp_engine_t::test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters
         FWPS_LAYER_ALE_AUTH_LISTEN_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4, _default_sublayer, incoming_value, nullptr);
 }
 
-// This is used to test the SOCK_OPS listen hook for IPv6 traffic.
+// This is used to test the sock_addr listen hook for IPv6 traffic.
 FWP_ACTION_TYPE
-fwp_engine_t::test_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters)
+fwp_engine_t::test_cgroup_inet6_listen(_In_ fwp_classify_parameters_t* parameters)
 {
     FWPS_INCOMING_VALUE0 incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_MAX] = {};
     incoming_value[FWPS_FIELD_ALE_AUTH_LISTEN_V6_IP_LOCAL_ADDRESS].value.byteArray16 =
@@ -1075,15 +1075,15 @@ usersim_fwp_sock_ops_v6(_In_ fwp_classify_parameters_t* parameters, _Out_opt_ ui
 }
 
 FWP_ACTION_TYPE
-usersim_fwp_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters)
+usersim_fwp_cgroup_inet4_listen(_In_ fwp_classify_parameters_t* parameters)
 {
-    return fwp_engine_t::get()->test_sock_ops_listen_v4(parameters);
+    return fwp_engine_t::get()->test_cgroup_inet4_listen(parameters);
 }
 
 FWP_ACTION_TYPE
-usersim_fwp_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters)
+usersim_fwp_cgroup_inet6_listen(_In_ fwp_classify_parameters_t* parameters)
 {
-    return fwp_engine_t::get()->test_sock_ops_listen_v6(parameters);
+    return fwp_engine_t::get()->test_cgroup_inet6_listen(parameters);
 }
 
 void
diff --git a/src/fwp_um.h b/src/fwp_um.h
index 0f08750..d9d215e 100644
--- a/src/fwp_um.h
+++ b/src/fwp_um.h
@@ -245,10 +245,10 @@ typedef class fwp_engine_t
     test_sock_ops_v6_remove_flow_context(_In_ uint64_t flow_id);
 
     FWP_ACTION_TYPE
-    test_sock_ops_listen_v4(_In_ fwp_classify_parameters_t* parameters);
+    test_cgroup_inet4_listen(_In_ fwp_classify_parameters_t* parameters);
 
     FWP_ACTION_TYPE
-    test_sock_ops_listen_v6(_In_ fwp_classify_parameters_t* parameters);
+    test_cgroup_inet6_listen(_In_ fwp_classify_parameters_t* parameters);
 
     static fwp_engine_t*
     get()