
Computer Engineering ›› 2007, Vol. 33 ›› Issue (06): 123-125.

• Security Technology •

Kernel Driver Technology of Double Filtering Personal Firewall

CHEN Shaohui, ZHANG Yanning, LIU Yanling   

  1. (Department of Computer and Software, Northwestern Polytechnical University, Xi’an 710065)
  • Received:1900-01-01 Revised:1900-01-01 Online:2007-03-20 Published:2007-03-20

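Core Driver Technology of a Personal Firewall Based on Packet Interception

CHEN Shaohui, ZHANG Yanning, LIU Yanling   

  1. (School of Computer Software, Northwestern Polytechnical University, Xi’an 710065)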

Abstract: Most firewall products share a weakness: they capture attacks from the external network but not from the internal network. A new double packet-filtering mechanism combining a kernel-mode and a user-mode scheme is presented and implemented, following the development of personal firewall technology. In kernel mode, a network driver is developed to capture raw network packets through the TDI virtual driver interface. In user mode, programs are developed to capture and filter Socket-based services through the Winsock 2 SPI. This overcomes the shortcoming of capturing packets in kernel mode only or in user mode only, and greatly improves system security performance.

Key words: Filtering driver, Layered IRP, Winsock 2 SPI, Capture

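Abstract: To address the fatal weakness that most firewalls defend against the outside but not the inside, a double-filtering design is proposed. In kernel mode, TDI virtual driver interface hooking is used to intercept data packets passing through the transport layer; in application mode, Winsock 2 SPI is used to intercept services for Socket-based network connection communication. This overcomes the weakness of intercepting packets on one side only. Kernel-layer virtual driver programming techniques are introduced.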

Key words: filter driver, IRP layering, Winsock 2 SPI, interception