# 360WFP_Exploit

A proof-of-concept (PoC) demonstrating potential abuse of the **360 Security WFP driver (`360netmon_x64_wfp.sys`)** interface, aimed at verifying the risk that IOCTL interfaces without caller authentication may be misused by third-party programs.

> This project is intended for security research and vulnerability analysis only. It must not be used for any illegal purposes.

---

## Project Overview

During reverse engineering of the 360 Security network monitoring driver `360netmon_x64_wfp.sys`, the following behaviors were discovered:

* The driver exposes two device objects to user mode:
  * `\\.\360TdiFilter`
  * `\\.\360TdiSpeed`
* These device objects can be opened by any administrator-level process and driven via `DeviceIoControl`
* The `IrpMjDeviceControl` handler performs **no caller identity or signature verification**
* Certain IOCTL functions can be used directly to:
  * Dynamically add WFP filters
  * Configure process network throttling
  * Completely block network access for arbitrary processes

This repository provides a minimal PoC to demonstrate:

> How a process running on a system with 360 Security installed can block network access of any specified process using legitimate driver interfaces.

---

## Vulnerability / Issue Summary

### Core Problem

At the entry point of the driver's `IrpMjDeviceControl` routine, only the device object is validated:

```asm
cmp rdi, g_pDeviceObject_TdiFilter
jz  ...
```

**No caller privilege validation or source authentication is performed at all.**

As a result, any administrator-privileged process can:

* Call IOCTL `0x220804` to configure process network throttling or blocking
* Call IOCTL `0x220444` to dynamically modify WFP filtering rules

---

## Demonstration

This PoC implements the following operations:

* Open the device object `\\.\360TdiFilter`
* Construct the input data structure expected by the driver
* Use IOCTL `0x220804` to set a target process into "fully block network" mode

Result:

* All TCP/UDP connections of the specified process are dropped at the WFP layer
* No code injection or hooking is required
* The operation is performed entirely through legitimate driver interfaces

---

## Usage

### Build

Open the project in Visual Studio and build the following configuration:

```
x64 Release
```

### Example

```bash
360WFP_Exploit.exe "C:\Windows\System32\notepad.exe"
```

After execution, the target process immediately loses all network connectivity.

---

## Project Structure

```
.
├── src/
│   ├── main.c        // PoC main logic
│   ├── driver_io.c   // IOCTL invocation wrapper
│   └── utils.c       // helper functions (e.g., path conversion)
├── README.md
└── LICENSE
```

---

## Technical Details

Core data structure expected by the driver:

```c
typedef struct _PACK {
    WCHAR    szNtPath[MAX_PATH + 40];
    WCHAR    szPath[MAX_PATH];
    BOOL     bCancelFlag;
    LONGLONG qwBlockCnnt;
    LONGLONG nLimitSend;
    LONGLONG nLimitRecv;
    DWORD    dwZeroCheck;
} PACK, *PPACK;
```

When the request carries

```
qwBlockCnnt = LLONG_MAX
```

the driver's WFP callout returns

```
FWP_ACTION_BLOCK
```

for the target process, which results in complete network blocking for that process.
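The finding above is an authorization gap: any administrator process reaches the dispatch routine. On the driver side that is closed at device creation, by giving the device object a restrictive security descriptor (for example `IoCreateDeviceSecure` with an SDDL string that admits only the product's own SYSTEM service, combined with `FILE_DEVICE_SECURE_OPEN`), not by anything inside the IOCTL handler. Independently of who the caller is, a METHOD_BUFFERED handler also has to treat the `PACK` buffer as untrusted input. The user-mode C below is an added example, not code from this repository or from 360, showing the field checks such a handler would apply to the struct above before acting on it. It assumes `dwZeroCheck` is a reserved field that must be zero (the README names the field but does not define it), the non-Windows typedefs exist only so the example builds anywhere, and the paths in `run_scenario` are constructed sample values.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins so the example builds outside Windows (assumption: WCHAR is
   16-bit UTF-16 on Windows, so wchar_t must not be used here). */
typedef uint16_t WCHAR;
typedef int32_t  BOOL;
typedef int64_t  LONGLONG;
typedef uint32_t DWORD;
#define MAX_PATH 260
#endif

/* Input layout as documented in the README. */
typedef struct _PACK {
    WCHAR    szNtPath[MAX_PATH + 40];
    WCHAR    szPath[MAX_PATH];
    BOOL     bCancelFlag;
    LONGLONG qwBlockCnnt;
    LONGLONG nLimitSend;
    LONGLONG nLimitRecv;
    DWORD    dwZeroCheck;
} PACK, *PPACK;

typedef enum {
    PACK_OK = 0,
    PACK_TOO_SHORT,           /* InputBufferLength < sizeof(PACK) */
    PACK_NTPATH_UNTERMINATED, /* no NUL inside szNtPath */
    PACK_PATH_UNTERMINATED,   /* no NUL inside szPath */
    PACK_ZEROCHECK_NONZERO,   /* reserved field not zero (assumed semantic) */
    PACK_NEGATIVE_VALUE       /* counters or limits below zero */
} pack_status;

/* Length of a UTF-16 string that must terminate within cap units;
   returns cap when no terminator is found. */
static size_t wstr_len_bounded(const WCHAR *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != 0) n++;
    return n;
}

/* Checks a hardened IrpMjDeviceControl handler applies to the
   METHOD_BUFFERED input before reading any field. */
pack_status validate_pack(const void *buf, size_t len)
{
    const PACK *p;
    if (buf == NULL || len < sizeof(PACK))
        return PACK_TOO_SHORT;
    p = (const PACK *)buf;
    if (wstr_len_bounded(p->szNtPath, MAX_PATH + 40) == MAX_PATH + 40)
        return PACK_NTPATH_UNTERMINATED;
    if (wstr_len_bounded(p->szPath, MAX_PATH) == MAX_PATH)
        return PACK_PATH_UNTERMINATED;
    if (p->dwZeroCheck != 0)
        return PACK_ZEROCHECK_NONZERO;
    if (p->qwBlockCnnt < 0 || p->nLimitSend < 0 || p->nLimitRecv < 0)
        return PACK_NEGATIVE_VALUE;
    return PACK_OK;
}

/* The README's sentinel: LLONG_MAX in qwBlockCnnt means "drop everything". */
int pack_requests_full_block(const PACK *p)
{
    return p->qwBlockCnnt == LLONG_MAX;
}

/* Copy an ASCII string into a WCHAR array with a terminator (helper). */
static void fill_wide(WCHAR *dst, size_t cap, const char *src)
{
    size_t i = 0;
    for (; i + 1 < cap && src[i] != '\0'; i++)
        dst[i] = (WCHAR)(unsigned char)src[i];
    dst[i] = 0;
}

/* Constructed scenarios (not captured driver traffic) for self-checks. */
pack_status run_scenario(int which)
{
    PACK p;
    memset(&p, 0, sizeof p);
    fill_wide(p.szNtPath, MAX_PATH + 40, "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe");
    fill_wide(p.szPath, MAX_PATH, "C:\\Windows\\System32\\notepad.exe");
    p.qwBlockCnnt = LLONG_MAX;

    switch (which) {
    case 0: return validate_pack(&p, sizeof p);        /* well-formed */
    case 1: return validate_pack(&p, sizeof p - 1);    /* short buffer */
    case 2: /* szNtPath filled with non-zero units, no terminator */
        for (size_t i = 0; i < MAX_PATH + 40; i++) p.szNtPath[i] = (WCHAR)'A';
        return validate_pack(&p, sizeof p);
    case 3: p.dwZeroCheck = 1; return validate_pack(&p, sizeof p);
    case 4: p.nLimitRecv = -1; return validate_pack(&p, sizeof p);
    default: return PACK_TOO_SHORT;
    }
}

/* Whether the well-formed sample above asks for a full block. */
int sample_requests_full_block(void)
{
    PACK p;
    memset(&p, 0, sizeof p);
    p.qwBlockCnnt = LLONG_MAX;
    return pack_requests_full_block(&p);
}

int main(void)
{
    for (int i = 0; i <= 4; i++)
        printf("scenario %d -> status %d\n", i, (int)run_scenario(i));
    return 0;
}
```

The length check comes first because every later check reads fields; the string checks stop a driver from running past the arrays when it later converts or compares the paths. None of this substitutes for the device DACL: a well-formed request from an unauthorized caller is still the problem the README describes.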
---

## Disclaimer

* This project is provided for **security research and technical learning purposes only**
* Do not use it for any illegal or unauthorized activities
* The author bears no responsibility for any consequences resulting from misuse of this tool