Is it possible to hide a connection using Windows Filtering Platform (WFP)?

Forum for discussion about kernel-mode development.
Shinji
Posts: 2
Joined: Wed Apr 11, 2018 9:50 am

Is it possible to hide a connection using Windows Filtering Platform (WFP)?

Post by Shinji » Wed Apr 11, 2018 1:14 pm

Hi,

I'm using WFP to monitor network activity, but reading the documentation I think it is not possible to hide a connection using it. I've been
reviewing several rootkits' capabilities, and Turla, for example, uses WFP and an NDIS driver....

Does anyone know if hiding a connection using WFP is possible?

Thx

Vrtule
Posts: 459
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic

Re: Is it possible to hide a connection using Windows Filtering Platform (WFP)?

Post by Vrtule » Thu Apr 12, 2018 1:18 pm

It definitely does not allow you to hide a connection from software like netstat. It may be used to hide information in data sent from the machine.

IIRC the tcpip.sys driver (\Driver\TcpIp) handles requests for connection listing. At least, Greg Hoglund has sample code intercepting these requests in his book Rootkits: Subverting the Windows Kernel. However, the book is old (Dec 2005), so it may be inaccurate when speaking about Windows versions newer than XP.

Shinji
Posts: 2
Joined: Wed Apr 11, 2018 9:50 am

Re: Is it possible to hide a connection using Windows Filtering Platform (WFP)?

Post by Shinji » Fri Apr 13, 2018 12:05 pm

Thanks for your reply Vrtule, I appreciate your help.

I think it is possible (I have not checked it on newer Windows) to intercept IOCTL_TCP_QUERY_INFORMATION_EX, but it would be necessary to use VT-x/EPT to avoid PatchGuard.
Another solution could be to write an entire TCP stack using NDIS....

I would really appreciate other solutions.

Thx.
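Both replies above place the connection listing inside tcpip.sys, i.e. inside the very host a rootkit controls, which is why the usual check for a hidden connection is a cross-view diff: compare what the host reports about itself with what an independent observer on the wire saw at the same time. The script below is an added example for this thread, not code from either poster; it assumes a `netstat -ano` dump taken on the suspect Windows host and a per-packet `src_ip src_port dst_ip dst_port` list exported from a capture on a tap or span port (the kind of output `tshark -T fields` produces). Both inputs are constructed here so the script runs offline.

```python
"""Cross-view check: TCP connections seen on the wire but absent from the host's own table.

Added example, not code from the thread. Assumes a `netstat -ano` dump from the suspect
Windows host and a per-packet "src_ip src_port dst_ip dst_port" list from a capture taken
on a tap/span port at the same time. Both inputs below are constructed sample data.
"""
import re
from typing import List, Set, Tuple

Conn = Tuple[str, int, str, int]  # (local_ip, local_port, remote_ip, remote_port)

# Constructed sample of `netstat -ano` output on the suspect host (its address is 10.0.0.5).
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    10.0.0.5:49712         93.184.216.34:443      ESTABLISHED     4212
  TCP    10.0.0.5:49713         40.97.128.10:443       TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1800
"""

# Constructed sample of what a tap saw for the same host, one packet per line
# (e.g. `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport`).
# The 10.0.0.5:51000 <-> 198.51.100.7:8443 flow is deliberately missing from HOST_NETSTAT.
WIRE_PACKETS = """\
10.0.0.5 49712 93.184.216.34 443
93.184.216.34 443 10.0.0.5 49712
10.0.0.5 51000 198.51.100.7 8443
198.51.100.7 8443 10.0.0.5 51000
10.0.0.5 49713 40.97.128.10 443
203.0.113.9 40000 203.0.113.10 80
"""

# One TCP row of `netstat -ano`: proto, local, foreign, state, pid. UDP rows have no state column.
_NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'10.0.0.5:49712' -> ('10.0.0.5', 49712); '[::]:445' -> ('::', 445)."""
    host, _, port = endpoint.rpartition(":")  # rpartition keeps IPv6 colons intact
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> Set[Conn]:
    """TCP rows of `netstat -ano` as (local_ip, local_port, remote_ip, remote_port)."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        m = _NETSTAT_TCP.match(line)
        if not m:
            continue  # header, blank and UDP lines
        local_ip, local_port = split_endpoint(m.group(1))
        remote_ip, remote_port = split_endpoint(m.group(2))
        conns.add((local_ip, local_port, remote_ip, remote_port))
    return conns


def parse_wire(text: str, host_ip: str) -> Set[Conn]:
    """Fold packets in either direction into the host's own (local, remote) orientation."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src_ip, src_port, dst_ip, dst_port = parts[0], int(parts[1]), parts[2], int(parts[3])
        if src_ip == host_ip:
            conns.add((src_ip, src_port, dst_ip, dst_port))
        elif dst_ip == host_ip:
            conns.add((dst_ip, dst_port, src_ip, src_port))
        # packets that do not involve the host are ignored
    return conns


def hidden_connections(host_netstat: str, wire_packets: str, host_ip: str) -> List[Conn]:
    """Connections the wire proves exist but the host's own table does not report."""
    host_view = parse_netstat(host_netstat)
    wire_view = parse_wire(wire_packets, host_ip)
    return sorted(wire_view - host_view)


if __name__ == "__main__":
    for conn in hidden_connections(HOST_NETSTAT, WIRE_PACKETS, "10.0.0.5"):
        print("on the wire but not in netstat: %s:%d <-> %s:%d" % conn)
```

Two caveats when running this against real captures: the capture window must overlap the moment the `netstat` snapshot was taken, otherwise short-lived connections that closed before the snapshot show up as false positives (TIME_WAIT entries are still listed, so they match); and a second tool on the same host (Get-NetTCPConnection, GetExtendedTcpTable) reads the same kernel tables and is not an independent view, so the second input really has to come from outside the machine.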
