AllAboutLSP

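Posted on September 27, 2005 16:13
Layered Service Provider (LSP) is a layered networking architecture that Microsoft provides
for user-mode programs. With it we can implement:
* Redirection of most network data, e.g. Microsoft's ISA proxy server
* Monitoring of most network data, enabling applications such as e-mail virus scanning, information monitoring, and filtering of objectionable content
* Encryption and QoS for most network data

Quite a few trojans also use this technique to steal online-game accounts and other user
information (science is a double-edged sword~~)

The earliest official public material on LSP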
Unraveling the Mysteries of Writing a Winsock 2 Layered Service Provider
( http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx )

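A professional networking/security and LSP product development company, with detailed documentation and code samples covering LSP technology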
( http://www.komodia.com/ )

A proposal for peaceful coexistence among LSPs; it does not seem to have had much effect
A Proposal for Managing the Ordering of Layered Providers in Protocol Chains
( http://www.sockets.com/apiorder.txt )

An excerpt from the WINSOCK2 mailing list (WINSOCK2 at 2cah.com) discussion of LSP conflicts
(War between Old and New LSPs) (Ant formatted some passages to emphasize the key points)
Barak Weichselbaum said:
"
...
Up to now (latest SDK sample) all LSPs initialized the lower providers on the 
first call to WSPStartup.

They would find out
--------------------------------------------------------------------------
* all the base providers and initialize them with the protocol info of the 
original WSPStartup * .
--------------------------------------------------------------------------

So if the first initialize was for UDP, the LSP would initialize UDP and TCP 
base provider with protocol information of UDP. When TCP WSPStartup comes the 
LSP just ignores it.

Since most of the industry LSPs are based on m$ samples this "feature" (or bug)
didn't affect anyone.

Now in the new unreleased version the LSP actually initializes
--------------------------------------------------------------------------
* every base provider according to the protocol info *,
--------------------------------------------------------------------------
now if I layer an "old" LSP above it, it will never receive the TCP protocol and
TCP will never be initialized.

Solution - I "deprecated" WSPStartup to ignore the protocol info and initialize 
all base providers.

In a personal note - this "problem" or "feature" will not go away until m$ will 
introduce some sanity checking tool to disallow "bad" LSP from installing into 
the system.

I think this was the hardest debug of my life 
...
"

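You can also hear from a Microsoft employee and author of "Network Programming for Microsoft Windows", explaining why the loading method changed
Anthony Jones said: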
"
...I'll take a look at the LSP
sample and work on a fix. The change on how an LSP is loaded was due to
the IFS LSP sample. The new IFS sample is a good step for those LSP
writers that don't need to intercept the return calls from operations
(e.g. proxy LSPs and HTTP inspection - but not data modification).

The non-IFS sample was changed to work with the IFS sample since
an IFS LSP doesn't need to implement every Winsock function call. It can
return function pointers directly from the lower provider. Since an IFS
provider could be layered over several separate providers, it is vital
the IFS LSP gets notified when each protocol provider is loaded so that
it can load the correct lower provider's function table.

For example if an IFS LSP is layered over a TCP and UDP provider where
each TCP and UDP provider is implemented in a different DLL, the IFS
LSP could have two different Winsock SPI function tables for the lower
provider.
...
"

A quick roundup.
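
The startup-ordering conflict from Barak Weichselbaum's message above, as a toy model in portable C. This is an added example, not code from the post or from any Winsock sample; it does not call the Winsock SPI, and every name in it (`lower_lsp`, `old_lsp`, `base_ready`, ...) is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

enum proto { PROTO_TCP, PROTO_UDP, PROTO_COUNT };

struct lower_lsp {                 /* the "new" LSP sitting above the base providers */
    bool ignore_proto_info;        /* workaround: initialize every base provider */
    bool ready[PROTO_COUNT];       /* which base providers have been initialized */
};

struct old_lsp {                   /* "old" LSP layered above lower_lsp */
    bool started;
    struct lower_lsp *lower;
};

/* New-style startup: initialize only the base provider named by the protocol
 * info, unless the workaround tells us to ignore it. */
static void lower_startup(struct lower_lsp *l, enum proto info)
{
    for (int p = 0; p < PROTO_COUNT; p++)
        if (l->ignore_proto_info || p == (int)info)
            l->ready[p] = true;
}

/* Old-style startup: on the first call, start every lower entry with the
 * protocol info of that first call; ignore all later calls. */
static void old_startup(struct old_lsp *o, enum proto info)
{
    if (o->started)
        return;
    o->started = true;
    for (int entry = 0; entry < PROTO_COUNT; entry++)
        lower_startup(o->lower, info);
}

/* An application triggers startup for `first`, then `second`; report whether
 * the base provider for `query` ended up initialized. */
bool base_ready(enum proto first, enum proto second, enum proto query, bool workaround)
{
    struct lower_lsp lower = { .ignore_proto_info = workaround };
    struct old_lsp upper = { .started = false, .lower = &lower };
    old_startup(&upper, first);
    old_startup(&upper, second);
    return lower.ready[query];
}

int main(void)
{
    printf("UDP first, no workaround: TCP ready = %d\n", base_ready(PROTO_UDP, PROTO_TCP, PROTO_TCP, false));
    printf("UDP first, workaround:    TCP ready = %d\n", base_ready(PROTO_UDP, PROTO_TCP, PROTO_TCP, true));
    return 0;
}
```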


Copyright twinsant.