A forum for reverse engineering, OS internals and malware analysis 

 #30225  by Vrtule
 Wed Apr 12, 2017 12:50 pm
Can you tell me whether it is possible for a driver to maintain driver-to-driver or driver-to-user-mode-application communications that are encrypted in both directions? Could a public/private key channel be created using only a kernel mode driver? Secondly, can a WFP filter driver or NDIS filter driver communicate with a user mode application, or with another kernel mode filter driver located somewhere else on the local subnet or local network?
Yes. Starting with Windows Vista, you can use the CNG API to do encryption, signing and other cryptographic tasks. The advantage of the API is that it is the same for kernel and user code, so it's kinda portable.
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

WFP and NDIS drivers definitely can communicate with applications or other drivers. Probably the easiest way of doing this is to create a device object and communicate via IRPs.
 #30226  by Victor43
 Wed Apr 12, 2017 8:05 pm
Vrtule wrote:
Can you tell me whether it is possible for a driver to maintain driver-to-driver or driver-to-user-mode-application communications that are encrypted in both directions? Could a public/private key channel be created using only a kernel mode driver? Secondly, can a WFP filter driver or NDIS filter driver communicate with a user mode application, or with another kernel mode filter driver located somewhere else on the local subnet or local network?
Yes. Starting with Windows Vista, you can use the CNG API to do encryption, signing and other cryptographic tasks. The advantage of the API is that it is the same for kernel and user code, so it's kinda portable.
https://msdn.microsoft.com/en-us/librar ... s.85).aspx

WFP and NDIS drivers definitely can communicate with applications or other drivers. Probably the easiest way of doing this is to create a device object and communicate via IRPs.
Thank you Vrtule. Just to summarize: so it would be possible for a WFP filter driver or an NDIS filter driver to encrypt communications with another WFP filter driver or NDIS filter driver situated on a different subnet? This can be done by creating a device object and using IRPs?
 #30227  by Vrtule
 Wed Apr 12, 2017 9:05 pm
Well, I forgot to tell you about ways of communicating with other computers from the kernel.

The device object and IRPs are good for communication with other drivers and applications on the same machine. For quite convenient communication with entities on other computers (drivers, applications) you can use Winsock Kernel, which is an implementation of sockets for kernel drivers. Yes, it is built on top of the network stack. Of course, it would be possible to directly insert packets and/or ethernet frames into the stack, but if you want an easy way, just use Winsock Kernel and be happy :-).
https://msdn.microsoft.com/en-us/window ... ck-kernel4

If you wish to get more information about how to insert ethernet frames directly into the network stack, have a look at the ndisprot sample from the WDK. Or look at my GitHub (I modified the sample to be able to send ICMP echo requests directly from the link layer):
https://github.com/MartinDrab/Hackerfes ... /ndisprot6
https://github.com/MartinDrab/Hackerfes ... prot6-test
 #30229  by Victor43
 Thu Apr 13, 2017 9:14 pm
Vrtule wrote:
Well, I forgot to tell you about ways of communicating with other computers from the kernel.

The device object and IRPs are good for communication with other drivers and applications on the same machine. For quite convenient communication with entities on other computers (drivers, applications) you can use Winsock Kernel, which is an implementation of sockets for kernel drivers. Yes, it is built on top of the network stack. Of course, it would be possible to directly insert packets and/or ethernet frames into the stack, but if you want an easy way, just use Winsock Kernel and be happy :-).
https://msdn.microsoft.com/en-us/window ... ck-kernel4

If you wish to get more information about how to insert ethernet frames directly into the network stack, have a look at the ndisprot sample from the WDK. Or look at my GitHub (I modified the sample to be able to send ICMP echo requests directly from the link layer):
https://github.com/MartinDrab/Hackerfes ... /ndisprot6
https://github.com/MartinDrab/Hackerfes ... prot6-test
Thank you again Vrtule. What do you mean by "Yes, it is built on top of the network stack"? Do you mean that the TCP packets are inserted at the top of the stack and go down to the lower layers of the stack when sending? I'm not sure what is implied here, sorry. Would you be able to provide some sample WFP filter code retrieving the name(s) of processes that are sending out a packet of data? I assume that for the processes (kernel mode drivers) that make use of Winsock Kernel, their process name will also be retrievable via the WFP filter driver's process name retrieval code?

Great work on the GitHub contribution.
 #30230  by Vrtule
 Fri Apr 14, 2017 11:49 am
I just wanted to say that Winsock Kernel behaves much like sockets in user mode – WFP filters (including Windows Firewall) can monitor/block/intercept their operations.

Well, I have a sample WFP filter that does exactly what you want, but I have not published it yet. The filter is part of a much bigger system (there is also a file system minifilter, a registry filter, a filter of process creation events and a filter of some GUI system calls (Windows 7 and earlier only)). I have not managed to make the whole project public for now; however, I plan to do so.

Did you look at the trans sample in the WDK? I believe it demonstrates how to obtain the application name for WFP events.
 #30242  by Victor43
 Mon Apr 17, 2017 7:08 pm
Vrtule wrote:
I just wanted to say that Winsock Kernel behaves much like sockets in user mode – WFP filters (including Windows Firewall) can monitor/block/intercept their operations.

Well, I have a sample WFP filter that does exactly what you want, but I have not published it yet. The filter is part of a much bigger system (there is also a file system minifilter, a registry filter, a filter of process creation events and a filter of some GUI system calls (Windows 7 and earlier only)). I have not managed to make the whole project public for now; however, I plan to do so.

Did you look at the trans sample in the WDK? I believe it demonstrates how to obtain the application name for WFP events.
Hello Vrtule. I have not had a chance to look at the trans sample to the depth you asked about. However, I was looking at the inspect sample project. I've only skimmed over some of the functions, but still cannot figure out where to make the function call and which function call to make. Could you provide some sample code that makes use of the inspect project solution? Happy Easter everyone!