Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

How to modify tcp packet and udp packet content

Minzhang_HeMinzhang_He Member Posts: 6
edited July 28 in NTDEV

I know that the packet can be modified in FWPM_LAYER_STREAM_V4 and FWPM_LAYER_DATAGRAM_DATA_V4. I know that the packet should be modified in NBL, NB, MDL.But after getting TCP and UDP NBL and traversing NB, what should I do?


  • Jason_StephensonJason_Stephenson Member Posts: 73

    What do you WANT to do?

  • Minzhang_HeMinzhang_He Member Posts: 6

    For example, tcpclient or udpclient sends "I like you" to the server, and after interception, modify it to "I love you, too"

  • Minzhang_HeMinzhang_He Member Posts: 6

    My own idea is to modify NBL, NB and MDL, but I don’t know how to get content("I like youe") and how to modify it

  • Jason_StephensonJason_Stephenson Member Posts: 73

    If you want to modify the content of a packet (For example at DATAGRAM_DATA) then you need to be using the layerData parameter mentioned here

    For TCP i'd use CONNECT_REDIRECT to proxy the TCP flow into usermode and alter the stream there before establishing an onward connection. Again, the best solution depends on your ultimate goal - but this should get you started

  • MBond2MBond2 Member Posts: 145

    Again, for UDP each write that the stack sees will be a whole UDP datagram. This might be split into multiple Ethernet frames, but it is a single logical message. For TCP it will be some arbitrary fragment of the TCP stream that underlies the next higher level protocol. For the simplest protocols like SMTP, each write probably encapsulates a single command or response, but more complex protocols especially at higher bandwidths will not be so simple.

    A more specific goal will help, but I hope these first principal items will help focus your thinking

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA