A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #31433  by Shinji
 Wed Apr 11, 2018 1:14 pm
Hi,

I'm using WFP to monitor network activity but reading de documentation I think is not possible to hide a connection using it. I've been
reviewing several rootkits capabilities and turla for example use WFP and Ndis driver....


Does anyone know if hide a connection using WFP is possible?

Thx
 #31437  by Vrtule
 Thu Apr 12, 2018 1:18 pm
It definitely does not allow you to hide a connection from software like netstat. It may be used to hide information in data sent from the machine.

IIRC the tcpip.sys driver (\Driver\TcpIp) handles requests for connection listing. At least, Greg Hoglund has a sample code interecepting these requests in his Rootkits: Subverting the Windows Kernel book. However, the book is old (Dec 2005), so it may be inaccurate when speaking about Windows versions newer than XP.
 #31442  by Shinji
 Fri Apr 13, 2018 12:05 pm
Thanks for your reply Vrtule, I appreciate your help.

I think is possible( I have not checked it on news windows ) intercept IOCTL_TCP_QUERY_INFORMATION_EX but it would be necessary use VT-X/EPT to avoid Patchguard.
Another solution could be write entireTCP stack using NDIS....


I would really appreciate others solutions.

Thx.