Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

WFP - can a callout driver catch and inject packets at layer above TCP

sagi_zarsagi_zar Member - All Emails Posts: 26

I'm trying to understand if I can implement a WFP callout driver that will intercept connection establishment and terminate with success before it ever gets to the TCP layer.
and if it can, can it than intercept the traffic of the payload that the application sends and inject incoming traffic to the application in return.
it means that the session from application point of view is established and it can send an recv data, but there was never a 4 ways handshake of SYN and SYN+ACK.


  • MBond2MBond2 Member Posts: 276

    I think what you are asking for is a contradiction in terms. Unless you plan to implement your own TCP stack and somehow get applications to talk to it, you can't both hide the connection from the regular TCP stack and later hand it off to the regular stack once established.

    usually, connection establishment is rejected based on the first SYN (firewall rules etc.)

    and later on content filtering can terminate established TCP connections - but they are established before they get terminated.

    Note that the handshake is 3 way for TCP

  • sagi_zarsagi_zar Member - All Emails Posts: 26

    Thanks for the answer.
    What I'm trying to do with WFP is not similar to firewall and blocking sessions but more similar to VPN based on IP and port with usage of a user-mode service for actual communication with a proxy server.
    when I read the documentation for API like: FwpsStreamInjectAsync0() it seems that you can inject inbound TCP payload without TCP/IP headers. So it means that you inject above the TCP layer.
    I thought that when you capture at stream layer, it means that you capture above the TCP layer and can communicate with the application before and without TCP/IP stack at all.
    is this possible?
    what happen to the TCP payload that you inject inbound using FwpsStreamInjectAsync0()?

  • MBond2MBond2 Member Posts: 276

    I have never used these functions, but the way that i read the documentation

    suggests to me that direct injection into a TCP stream requires an established TCP stream. you might be able to create one by also filtering at a lower level

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Internals & Software Drivers 25 Jan 2021 LIVE ONLINE
Developing Minifilters 8 March 2021 LIVE ONLINE