Thanks to Brock and Vrtule. I've got a few more questions for this old thread.

Brock wrote:
As Vrtule mentioned in his post, you can use ALE with WFP and identify things such as the process information you seek. It's a layer that makes it possible to identify the application associated with the network operation(s). Refer to the WDK's WFP layered samples under \src\network\trans. The "inspect" sample may be helpful, for instance.
I understand that using WFP and one of the samples as you have mentioned should be sufficient for what I need. But moving forward with a few more questions:
1. Will the WFP filter driver be sufficient for Windows services that make use of TCP communications, such as the ones behind Windows Update and DCOM technologies and so on? I believe the answer would be yes, but I want to be sure.
2. Now we're talking about the higher 7/8 layers (application) in the OSI model, such as HTTP/POP/SMTP and FTP applications or other types of user-mode applications that likely make use of sockets or something equivalent in order to send and receive TCP data. But would there be any other interface (lower than sockets at the application layer) for TCP/IP communications that Microsoft makes readily available as you go lower in the OSI model and the TCP stack? Would there be any way that, once you've passed the application layer, a packet could be injected into the stack even if the packet is entirely constructed without the use of the formal APIs Microsoft makes available? So basically what I'm trying to ask about malware is: can it bypass a WFP filter driver if it chooses to do so? I cannot afford this to happen, but I will have to address it if this is the case.
3. Brock, you said Microsoft is trying to phase out NDIS and TDI driver development in order to push WFP, yes? When will this happen? Also, regarding question #2 above, does this mean that one cannot make use of a technology (a driver, per se) that will be able to bypass a WFP filtering driver? At this point I only want to monitor traffic, but possibly also modify it at a later stage.
4. What about malware that writes its own entire and complete TCP stack? Will it be able to bypass a WFP filtering driver such as the one you have suggested I take a look at?