Various WinDivert improvements.

- Add UNBIND/DISCONNECT events to the SOCKET
  layer.  These events can only be sniffed.
- Remove the RECV_PARTIAL flag.  The user
  application can just ignore the error code
  instead.
- WINDIVERT_ADDRESS is now 64bytes.  Some extra
  padding added for future-proofing.
- Ignore SOCKET-layer REAUTHORIZE.
- The REFLECT layer returns the filter object
  directly (no IPv4 "pseudo" packet).

Author: basil00

CHANGELOG

@@ -167,10 +167,15 @@ WinDivert 2.0.0-rc
         deleted.
       * WINDIVERT_EVENT_SOCKET_BIND: (SOCKET layer) a socket bind()
         operation occurred.
-      * WINDIVERT_EVENT_SOCKET_LISTEN: (SOCKET layer) a socket listen()
+      * WINDIVERT_EVENT_SOCKET_UNBIND: (SOCKET layer) a previous binding
+        is removed.
         operation occurred.
       * WINDIVERT_EVENT_SOCKET_CONNECT: (SOCKET layer) a socket connect()
         operation occurred.
+      * WINDIVERT_EVENT_SOCKET_DISCONNECT: (SOCKET layer) a previous
+        connection is terminated.
+      * WINDIVERT_EVENT_SOCKET_LISTEN: (SOCKET layer) a socket listen()
+        operation occurred.
       * WINDIVERT_EVENT_SOCKET_ACCEPT: (SOCKET layer) a socket accept()
         operation occurred.
       * WINDIVERT_EVENT_REFLECT_OPEN: (REFLECT layer) a WinDivertOpen()
@@ -217,28 +222,29 @@ WinDivert 2.0.0-rc
         packet/payload.
       * Negative, representing addressing from the end of the packet/payload.
     - The WinDivert filter language now supports several symbolic values:
-      * ACCEPT: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_ACCEPT.
-      * BIND: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_BIND.
-      * CLOSE: (REFLECT layer) equal to WINDIVERT_EVENT_REFLECT_CLOSE.
-      * DELETED: (FLOW LAYER) equal to WINDIVERT_EVENT_FLOW_DELETED.
+      * PACKET: (NETWORK/NETWORK_FORWARD layers) equal to
+        WINDIVERT_EVENT_NETWORK_PACKET
       * ESTABLISHED: (FLOW layer) equal to WINDIVERT_EVENT_FLOW_ESTABLISHED.
-      * FLOW: (REFLECT layer) equal to WINDIVERT_LAYER_FLOW.
+      * DELETED: (FLOW LAYER) equal to WINDIVERT_EVENT_FLOW_DELETED.
+      * BIND: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_BIND.
+      * UNBIND: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_UNBIND.
+      * CONNECT: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_CONNECT.
+      * DISCONNECT: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_DISCONNECT.
       * LISTEN: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_LISTEN.
-      * NETWORK: (REFLECT layer) equal to WINDIVERT_LAYER_NETWORK.
-      * NETWORK_FORWARD: (REFLECT layer) equal to
+      * ACCEPT: (SOCKET layer) equal to WINDIVERT_EVENT_SOCKET_ACCEPT.
         WINDIVERT_LAYER_NETWORK_FORWARD.
       * OPEN: (REFLECT layer) equal to WINDIVERT_EVENT_REFLECT_OPEN.
-      * PACKET: (NETWORK/NETWORK_FORWARD layers) equal to
-        WINDIVERT_EVENT_NETWORK_PACKET
-      * REFLECT: (REFLECT layer) equal to WINDIVERT_LAYER_REFLECT.
+      * CLOSE: (REFLECT layer) equal to WINDIVERT_EVENT_REFLECT_CLOSE.
+      * NETWORK: (REFLECT layer) equal to WINDIVERT_LAYER_NETWORK.
+      * NETWORK_FORWARD: (REFLECT layer) equal to
+      * FLOW: (REFLECT layer) equal to WINDIVERT_LAYER_FLOW.
       * SOCKET: (REFLECT layer) equal to WINDIVERT_LAYER_SOCKET.
+      * REFLECT: (REFLECT layer) equal to WINDIVERT_LAYER_REFLECT.
     - WinDivertOpen() now supports several new flags:
       * WINDIVERT_FLAG_RECV_ONLY/WINDIVERT_FLAG_READ_ONLY: The handle cannot
         be used for send operations.
       * WINDIVERT_FLAG_SEND_ONLY/WINDIVERT_FLAG_WRITE_ONLY: The handle cannot
         be used for receive operations.
-      * WINDIVERT_FLAG_RECV_PARTIAL: The handle will support partial receives,
-        meaning that the buffer can be smaller than the packet.
       * WINDIVERT_FLAG_NO_INSTALL: If the WinDivert driver is not already
         installed/loaded, then WinDivertOpen() will fail with an error.
     - WinDivertRecvEx()/WinDivertSendEx() now support a "batch" mode that

dll/windivert.c

@@ -365,6 +365,7 @@ extern HANDLE WinDivertOpen(const char *filter, WINDIVERT_LAYER layer,
     UINT obj_len;
     ERROR comp_err;
     DWORD err;
+    BOOL sniff;
     HANDLE handle;
     SC_HANDLE service;
     UINT64 filter_flags;
@@ -404,7 +405,8 @@ extern HANDLE WinDivertOpen(const char *filter, WINDIVERT_LAYER layer,
         SetLastError(ERROR_INVALID_PARAMETER);
         return INVALID_HANDLE_VALUE;
     }
-    filter_flags = WinDivertAnalyzeFilter(layer, object, obj_len);
+    sniff = ((flags & WINDIVERT_FLAG_SNIFF) != 0);
+    filter_flags = WinDivertAnalyzeFilter(layer, sniff, object, obj_len);
 
     // Attempt to open the WinDivert device:
     handle = CreateFile(L"\\\\.\\" WINDIVERT_DEVICE_NAME,

dll/windivert_helper.c

@@ -147,7 +147,9 @@ typedef enum
     TOKEN_EVENT_ESTABLISHED,
     TOKEN_EVENT_DELETED,
     TOKEN_EVENT_BIND,
+    TOKEN_EVENT_UNBIND,
     TOKEN_EVENT_CONNECT,
+    TOKEN_EVENT_DISCONNECT,
     TOKEN_EVENT_LISTEN,
     TOKEN_EVENT_ACCEPT,
     TOKEN_EVENT_OPEN,
@@ -514,9 +516,15 @@ static BOOL WinDivertExpandMacro(KIND kind, WINDIVERT_LAYER layer,
         case TOKEN_EVENT_BIND:
             *val = WINDIVERT_EVENT_SOCKET_BIND;
             return (layer == WINDIVERT_LAYER_SOCKET);
+        case TOKEN_EVENT_UNBIND:
+            *val = WINDIVERT_EVENT_SOCKET_UNBIND;
+            return (layer == WINDIVERT_LAYER_SOCKET);
         case TOKEN_EVENT_CONNECT:
             *val = WINDIVERT_EVENT_SOCKET_CONNECT;
             return (layer == WINDIVERT_LAYER_SOCKET);
+        case TOKEN_EVENT_DISCONNECT:
+            *val = WINDIVERT_EVENT_SOCKET_DISCONNECT;
+            return (layer == WINDIVERT_LAYER_SOCKET);
         case TOKEN_EVENT_LISTEN:
             *val = WINDIVERT_EVENT_SOCKET_LISTEN;
             return (layer == WINDIVERT_LAYER_SOCKET);
@@ -547,6 +555,7 @@ static ERROR WinDivertTokenizeFilter(const char *filter, WINDIVERT_LAYER layer,
         {"CLOSE",               TOKEN_EVENT_CLOSE,         L____R},
         {"CONNECT",             TOKEN_EVENT_CONNECT,       L___S_},
         {"DELETED",             TOKEN_EVENT_DELETED,       L__F__},
+        {"DISCONNECT",          TOKEN_EVENT_DISCONNECT,    L___S_},
         {"ESTABLISHED",         TOKEN_EVENT_ESTABLISHED,   L__F__},
         {"FLOW",                TOKEN_FLOW,                L____R},
         {"LISTEN",              TOKEN_EVENT_LISTEN,        L___S_},
@@ -556,6 +565,7 @@ static ERROR WinDivertTokenizeFilter(const char *filter, WINDIVERT_LAYER layer,
         {"PACKET",              TOKEN_EVENT_PACKET,        LNM___},
         {"REFLECT",             TOKEN_REFLECT,             L____R},
         {"SOCKET",              TOKEN_SOCKET,              L____R},
+        {"UNBIND",              TOKEN_EVENT_UNBIND,        L___S_},
         {"and",                 TOKEN_AND,                 LNMFSR},
         {"event",               TOKEN_EVENT,               LNMFSR},
         {"false",               TOKEN_FALSE,               LNMFSR},
@@ -1968,7 +1978,7 @@ static void WinDivertEmitFilter(PEXPR *stack, UINT len, UINT16 label,
  * Analyze a filter object.
  */
 static UINT64 WinDivertAnalyzeFilter(WINDIVERT_LAYER layer,
-    PWINDIVERT_FILTER filter, UINT length)
+    BOOL sniff, PWINDIVERT_FILTER filter, UINT length)
 {
     BOOL result;
     UINT64 flags = 0;
@@ -2041,9 +2051,25 @@ static UINT64 WinDivertAnalyzeFilter(WINDIVERT_LAYER layer,
             result = WinDivertCondExecFilter(filter, length,
                 WINDIVERT_FILTER_FIELD_EVENT, WINDIVERT_EVENT_SOCKET_BIND);
             flags |= (result? WINDIVERT_FILTER_FLAG_EVENT_SOCKET_BIND: 0);
+            if (sniff)
+            {
+                result = WinDivertCondExecFilter(filter, length,
+                    WINDIVERT_FILTER_FIELD_EVENT,
+                    WINDIVERT_EVENT_SOCKET_UNBIND);
+                flags |=
+                    (result? WINDIVERT_FILTER_FLAG_EVENT_SOCKET_UNBIND: 0);
+            }
             result = WinDivertCondExecFilter(filter, length,
                 WINDIVERT_FILTER_FIELD_EVENT, WINDIVERT_EVENT_SOCKET_CONNECT);
             flags |= (result? WINDIVERT_FILTER_FLAG_EVENT_SOCKET_CONNECT: 0);
+            if (sniff)
+            {
+                result = WinDivertCondExecFilter(filter, length,
+                    WINDIVERT_FILTER_FIELD_EVENT,
+                    WINDIVERT_EVENT_SOCKET_DISCONNECT);
+                flags |=
+                    (result? WINDIVERT_FILTER_FLAG_EVENT_SOCKET_DISCONNECT: 0);
+            }
             result = WinDivertCondExecFilter(filter, length,
                 WINDIVERT_FILTER_FIELD_EVENT, WINDIVERT_EVENT_SOCKET_LISTEN);
             flags |= (result? WINDIVERT_FILTER_FLAG_EVENT_SOCKET_LISTEN: 0);
@@ -4210,8 +4236,12 @@ static void WinDivertFormatTestExpr(PWINDIVERT_STREAM stream, PEXPR expr,
                 {
                     case WINDIVERT_EVENT_SOCKET_BIND:
                         WinDivertPutString(stream, "BIND"); break;
+                    case WINDIVERT_EVENT_SOCKET_UNBIND:
+                        WinDivertPutString(stream, "UNBIND"); break;
                     case WINDIVERT_EVENT_SOCKET_CONNECT:
                         WinDivertPutString(stream, "CONNECT"); break;
+                    case WINDIVERT_EVENT_SOCKET_DISCONNECT:
+                        WinDivertPutString(stream, "DISCONNECT"); break;
                     case WINDIVERT_EVENT_SOCKET_LISTEN:
                         WinDivertPutString(stream, "LISTEN"); break;
                     case WINDIVERT_EVENT_SOCKET_ACCEPT:

doc/windivert.html

@@ -401,14 +401,19 @@ <h2>Table of Contents</h2>
 </p>
 <ul>
 <li> <code>WINDIVERT_EVENT_SOCKET_BIND</code>: A <code>bind()</code> operation.</li>
-<li> <code>WINDIVERT_EVENT_SOCKET_LISTEN</code>: A <code>listen()</code> operation.</li>
+<li> <code>WINDIVERT_EVENT_SOCKET_UNBIND</code>: A previous binding is
+    removed.</li>
 <li> <code>WINDIVERT_EVENT_SOCKET_CONNECT</code>: A <code>connect()</code>
     operation.</li>
+<li> <code>WINDIVERT_EVENT_SOCKET_DISCONNECT</code>: A previous connection
+    is terminated.</li>
+<li> <code>WINDIVERT_EVENT_SOCKET_LISTEN</code>: A <code>listen()</code> operation.</li>
 <li> <code>WINDIVERT_EVENT_SOCKET_ACCEPT</code>: An <code>accept()</code>
     operation.</li>
 </ul>
 <p>
-Socket events can be blocked but not injected.
+Socket events, except for <code>UNBIND</code>/<code>DISCONNECT</code>,
+can be blocked, and no socket event can be injected.
 Process ID information is available at this layer.
 Due to technical limitations, the
 <code>WINDIVERT_LAYER_SOCKET</code> layer cannot capture events that
@@ -429,8 +434,12 @@ <h2>Table of Contents</h2>
 Process ID information is available at this layer,
 meaning that it is possible to determine which (if any) process is using
 WinDivert.
-The layer also returns a <q>pseudo packet</q> that encodes the filter string
-associated with the event.
+The layer also returns an <q>object</q> representation of the filter string
+used to open the handle.
+The object representation can be converted back into a human-readable
+filter string using the
+<a href="#divert_helper_format_filter"><code>WinDivertHelperFormatFilter()</code></a>
+function.
 The <code>WINDIVERT_LAYER_REFLECT</code> layer can also capture events that
 occurred before the handle was opened.
 </p>
@@ -626,7 +635,7 @@ <h2>Table of Contents</h2>
 For IPv4, the <code>Socket.LocalAddr</code> and <code>Socket.RemoteAddr</code>
 fields will be IPv4-mapped IPv6 addresses.
 The <code>WINDIVERT_EVENT_SOCKET_BIND</code> and
-<code>WINDIVERT_EVENT_SOCKET_LISTEN</code> events will occur before a
+<code>WINDIVERT_EVENT_SOCKET_LISTEN</code> events can occur before a
 connection attempt has been made, meaning that the
 <code>Socket.RemoteAddr</code> and <code>Socket.RemotePort</code> fields
 for these events will be zero.
@@ -955,21 +964,6 @@ <h2>Table of Contents</h2>
 </tr>
 <tr>
 <td>
-<code>WINDIVERT_FLAG_RECV_PARTIAL</code>
-</td>
-<td>
-This flags enables <q>partial receives</q>.
-By default, if a packet is too big for the buffer passed to
-<a href="#divert_recv"><code>WinDivertRecv()</code></a>, the operation
-will fail with <code>ERROR_INSUFFICIENT_BUFFER</code>.
-This flag silences this error and only copies part of the packet
-up to the buffer size.
-The <code>WINDIVERT_FLAG_RECV_PARTIAL</code> behavior was the default
-on older (pre-2.0) versions of WinDivert.
-</td>
-</tr>
-<tr>
-<td>
 <code>WINDIVERT_FLAG_NO_INSTALL</code>
 </td>
 <td>
@@ -985,8 +979,7 @@ <h2>Table of Contents</h2>
 <p>
 Note that any combination of
 <code>(WINDIVERT_FLAG_SNIFF | WINDIVERT_FLAG_DROP)</code> or
-<code>(WINDIVERT_FLAG_RECV_ONLY | WINDIVERT_FLAG_SEND_ONLY)</code> or
-<code>(WINDIVERT_FLAG_RECV_PARTIAL | WINDIVERT_FLAG_SEND_ONLY)</code>
+<code>(WINDIVERT_FLAG_RECV_ONLY | WINDIVERT_FLAG_SEND_ONLY)</code> 
 are considered invalid.
 </p>
 <p>
@@ -1165,10 +1158,11 @@ <h2>Table of Contents</h2>
 the <code>pPacket</code> buffer.
 If non-<code>NULL</code>, then the total number of bytes
 written to <code>pPacket</code> will be written to <code>recvLen</code>.
-Partial receives (where the packet data is truncated) is supported provided
-the handle was opened with the <code>WINDIVERT_FLAG_RECV_PARTIAL</code> flag set,
-otherwise the operation will fail with <code>ERROR_INSUFFICIENT_BUFFER</code>
-if the <code>pPacket</code> buffer is too small.
+If the <code>pPacket</code> buffer is too small, the packet will be
+truncated and the operation will fail with the
+<code>ERROR_INSUFFICIENT_BUFFER</code> error code.
+This error can be ignored if the application only intends to receive part
+of the packet, e.g., the IP headers only.
 For layers that do not capture packets, the <code>pPacket</code> parameter
 should be <code>NULL</code> and <code>packetLen</code> should be zero.
 </p><p>
@@ -2372,8 +2366,8 @@ <h2>Table of Contents</h2>
 This function is mainly useful for <q>decompiling</q> the filter object
 representation back into a human-readable filter string representation.
 One application is the <code>WINDIVERT_LAYER_REFLECT</code> layer,
-where a <q>pseudo packet</q> containing a filter object is returned by
-<a href="#divert_recv"><code>WinDivertRecv()</code></a>.
+where the filter object associated with the reflection event is
+returned by <a href="#divert_recv"><code>WinDivertRecv()</code></a>.
 </p>
 </dd></dl>
 
@@ -2635,9 +2629,11 @@ <h2>Table of Contents</h2>
 <tr><td><code>PACKET</code></td><td>&#10004;</td><td>&#10004;</td><td></td><td></td><td></td><td><code>WINDIVERT_EVENT_NETWORK_PACKET</code></td></tr>
 <tr><td><code>ESTABLISHED</code></td><td></td><td></td><td>&#10004;</td><td></td><td></td><td><code>WINDIVERT_EVENT_FLOW_ESTABLISHED</code></td></tr>
 <tr><td><code>DELETED</code></td><td></td><td></td><td>&#10004;</td><td></td><td></td><td><code>WINDIVERT_EVENT_FLOW_DELETED</code></td></tr>
-<tr><td><code>ACCEPT</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_ACCEPT</code></td></tr>
 <tr><td><code>BIND</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_BIND</code></td></tr>
+<tr><td><code>UNBIND</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_UNBIND</code></td></tr>
 <tr><td><code>CONNECT</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_CONNECT</code></td></tr>
+<tr><td><code>DISCONNECT</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_DISCONNECT</code></td></tr>
+<tr><td><code>ACCEPT</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_ACCEPT</code></td></tr>
 <tr><td><code>LISTEN</code></td><td></td><td></td><td></td><td>&#10004;</td><td></td><td><code>WINDIVERT_EVENT_SOCKET_LISTEN</code></td></tr>
 <tr><td><code>OPEN</code></td><td></td><td></td><td></td><td></td><td>&#10004;</td><td><code>WINDIVERT_EVENT_REFLECT_OPEN</code></td></tr>
 <tr><td><code>CLOSE</code></td><td></td><td></td><td></td><td></td><td>&#10004;</td><td><code>WINDIVERT_EVENT_REFLECT_CLOSE</code></td></tr>

examples/socketdump/socketdump.c

@@ -103,22 +103,34 @@ int __cdecl main(int argc, char **argv)
             continue;
         }
 
-        SetConsoleTextAttribute(console, FOREGROUND_GREEN);
         switch (addr.Event)
         {
             case WINDIVERT_EVENT_SOCKET_BIND:
+                SetConsoleTextAttribute(console, FOREGROUND_GREEN);
                 printf("BIND");
                 break;
+            case WINDIVERT_EVENT_SOCKET_UNBIND:
+                SetConsoleTextAttribute(console, FOREGROUND_RED);
+                printf("UNBIND");
+                break;
             case WINDIVERT_EVENT_SOCKET_LISTEN:
+                SetConsoleTextAttribute(console, FOREGROUND_GREEN);
                 printf("LISTEN");
                 break;
             case WINDIVERT_EVENT_SOCKET_CONNECT:
+                SetConsoleTextAttribute(console, FOREGROUND_GREEN);
                 printf("CONNECT");
                 break;
+            case WINDIVERT_EVENT_SOCKET_DISCONNECT:
+                SetConsoleTextAttribute(console, FOREGROUND_RED);
+                printf("DISCONNECT");
+                break;
             case WINDIVERT_EVENT_SOCKET_ACCEPT:
+                SetConsoleTextAttribute(console, FOREGROUND_GREEN);
                 printf("ACCEPT");
                 break;
             default:
+                SetConsoleTextAttribute(console, FOREGROUND_BLUE);
                 printf("???");
                 break;
         }

examples/windivertctl/windivertctl.c

@@ -173,7 +173,6 @@ int __cdecl main(int argc, char **argv)
     static UINT8 packet[MAX_PACKET];
     static char path[MAX_PATH+1];
     static char filter_str[MAX_FILTER_LEN];
-    PVOID object;
     DWORD path_len;
     BOOL or;
     WINDIVERT_ADDRESS addr;
@@ -369,11 +368,6 @@ int __cdecl main(int argc, char **argv)
                 printf("%sSEND_ONLY", (or? "|": ""));
                 or = TRUE;
             }
-            if ((addr.Reflect.Flags & WINDIVERT_FLAG_RECV_PARTIAL) != 0)
-            {
-                printf("%sRECV_PARTIAL", (or? "|": ""));
-                or = TRUE;
-            }
             if ((addr.Reflect.Flags & WINDIVERT_FLAG_NO_INSTALL) != 0)
             {
                 printf("%sNO_INSTALL", (or? "|": ""));
@@ -389,9 +383,7 @@ int __cdecl main(int argc, char **argv)
             FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
         fputs(" filter=", stdout);
         SetConsoleTextAttribute(console, FOREGROUND_RED | FOREGROUND_GREEN);
-        WinDivertHelperParsePacket(packet, packet_len, NULL, NULL, NULL, NULL,
-            NULL, NULL, NULL, &object, NULL, NULL, NULL);
-        if (WinDivertHelperFormatFilter((char *)object, addr.Reflect.Layer,
+        if (WinDivertHelperFormatFilter((char *)packet, addr.Reflect.Layer,
             filter_str, sizeof(filter_str)))
         {
             printf("\"%s\"", filter_str);