NDIS driver load order

I’m working on a “kill-switch” NDIS filter that will shut down internet until a certain app loads (to prevent IP leaks). And I realized the ethernet driver is already loaded by the time my filter loads.
And that seems like it could give away the user’s IP, which would be bad. Is there any way to load an NDIS filter before the ethernet drivers or prevent ethernet from sending packets until my filter loads?
EDIT: I accidentally posted in the wrong forum, can’t find any way to move or delete the post, I apologize in advance

(moved at OP’s request)

Is there any way to load an NDIS filter before the ethernet drivers
No, the ethernet is the lowest layer (medium); an NDIS entity cannot be placed below it.

or prevent ethernet from sending packets until my filter loads?
Hmm. Maybe. For example, if you disable the ethernet controller at boot time and enable later.

– pa

If you control the hardware, this can be done. If not, then a task of preventing any packets with ‘unauthorized’ content from being sent over the wire is infeasible.

Confining yourself to preventing the transmission of particular data in TCP connections or UDP packets is one thing, but the actual IP address of the interface (presumably static since DHCP traffic could be sniffed) and other lower level details is another. Even if you could prevent any packets from Windows, consider features like PXE boot and whatever else the UEFI / hypervisor might do underneath you. And the Ethernet switch (physical or virtual) will certainly discover your IP eventually if you have any meaningful communication on that interface, so there seems little point to this.

I recall that a Mandatory Filter Driver might be helpful in this case but I don’t recall what happens exactly during Boot

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/mandatory-filter-drivers

Good luck,
Dave Cattley

@“David_R._Cattley” said:
I recall that a Mandatory Filter Driver might be helpful in this case but I don’t recall what happens exactly during Boot

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/mandatory-filter-drivers

Good luck,
Dave Cattley

That might be my saving grace, I will read up on it :smile: