Network filtering in the original thread context

Hey,
Is there any way to filter TCP connect requests at the context of the original thread that called WSAConnect()? As far as I know you cannot (from kernel mode, in a documented way) do it - are all the networking callbacks run asynchronously / at DISPATCH_LEVEL?
Moreover, how would you recommend learning about network filtering? I can just read the MSDN documentation, but are there any other sources you think may be useful?

Thank you in advance! 🙂

> Is there any way to filter TCP connect requests at the context of the original thread that called WSAConnect()?

What about the WFP? After all, this is what packet filtering is all about.

> As far as I know you cannot (from kernel mode, in a documented way) do it - are all the networking callbacks run asynchronously / at DISPATCH_LEVEL?

At the lower (i.e. NDIS) level there is, indeed, already no way to relate a network packet to a process or a thread, other than using protocol-specific info (i.e. IP address/TCP or UDP port combination) in a packet header. This is why one needs to split the filtering functionality in 2 parts if they want to do the filtering at NDIS level. The upper part operates at WFP level, relating the protocol-specific info to the particular threads and processes, and the lower part that operates at NDIS level uses the information obtained by the upper one to make the filtering decisions.

My last Windows-based project (in fact, it was more than 12 years ago, but anyway) was dealing specifically with the task you describe. I was porting my pre-Vista filtering solution (i.e. the one based upon NDIS5 and TDI) to NDIS6 and WFP, and the whole thing was really easy, compared to the pre-Vista NDIS5/TDI-based filter. To make it even more interesting, unlike its pre-Vista “ancestor”, the filter in question did not require any hackery of any description. WFP defines NUMEROUS filtering levels, so that you have a chance to choose the particular level that suits your needs best, and NDIS6+ LWF is really easy, compared to NDIS<6 IM filter.

However, I believe that in your particular case WFP-based filter alone may, probably, suffice.

> Moreover, how would you recommend learning about network filtering?

IIRC, MSDN documentation that covers WFP is extensive…

Anton Bassov
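
The two-part design described in the reply above, modelled in portable user-mode C as an added example that is not part of the thread and is not WFP or NDIS code. All names (`upper_record`, `lower_classify`, the flow table) are hypothetical, and the packet bytes are constructed. The upper part records which process owns a flow; the lower part sees only header bytes and recovers the owner from the address/port tuple.

```c
/* Portable user-mode model of the split filter; names are hypothetical,
   none of this is WFP or NDIS API. */
#include <stdint.h>
#include <stddef.h>

enum verdict { V_UNKNOWN, V_PERMIT, V_BLOCK };
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t pid; enum verdict v; int used; };
static struct flow table[64];

/* Upper part: runs where the owning process is known; records a verdict per flow. */
int upper_record(uint32_t sa, uint16_t sp, uint32_t da, uint16_t dp, uint32_t pid, enum verdict v) {
    for (size_t i = 0; i < 64; i++)
        if (!table[i].used) {
            table[i] = (struct flow){ sa, da, sp, dp, pid, v, 1 };
            return 0;
        }
    return -1; /* table full */
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Lower part: sees only packet bytes (IPv4 header onward), no process context. */
enum verdict lower_classify(const uint8_t *pkt, size_t len, uint32_t *pid_out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return V_UNKNOWN;       /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                   /* header length in bytes */
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 4) return V_UNKNOWN; /* TCP only, ports present */
    uint32_t sa = be32(pkt + 12), da = be32(pkt + 16);
    uint16_t sp = be16(pkt + ihl), dp = be16(pkt + ihl + 2);
    for (size_t i = 0; i < 64; i++)
        if (table[i].used && table[i].saddr == sa && table[i].daddr == da &&
            table[i].sport == sp && table[i].dport == dp) {
            if (pid_out) *pid_out = table[i].pid;
            return table[i].v;
        }
    return V_UNKNOWN; /* no upper-layer record for this tuple */
}

/* Constructed sample, truncated after the TCP ports:
   IPv4 header + 4 bytes of TCP, 10.0.0.5:49152 -> 192.0.2.10:443 */
static const uint8_t sample_pkt[24] = {
    0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,5, 192,0,2,10, 0xC0,0x00, 0x01,0xBB };
```

A packet whose tuple the upper part has not recorded comes back as `V_UNKNOWN`, so the model leaves the default action for unattributed traffic to the caller.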