WFP - can a callout driver catch and inject packets at layer above TCP

Hi,
I’m trying to understand if I can implement a WFP callout driver that will intercept connection establishment and terminate with success before it ever gets to the TCP layer.
And if it can, can it then intercept the payload traffic that the application sends and inject incoming traffic to the application in return?
It means that the session, from the application's point of view, is established and it can send and recv data, but there was never a 4-way handshake of SYN and SYN+ACK.
Regards,
Sagi

I think what you are asking for is a contradiction in terms. Unless you plan to implement your own TCP stack and somehow get applications to talk to it, you can’t both hide the connection from the regular TCP stack and later hand it off to the regular stack once established.

Usually, connection establishment is rejected based on the first SYN (firewall rules etc.).

And later on, content filtering can terminate established TCP connections, but they are established before they get terminated.

Note that the handshake is 3-way for TCP.

Hi,
Thanks for the answer.
What I'm trying to do with WFP is not similar to a firewall blocking sessions, but more similar to a VPN based on IP and port, using a user-mode service for the actual communication with a proxy server.
When I read the documentation for APIs like FwpsStreamInjectAsync0(), it seems that you can inject inbound TCP payload without TCP/IP headers. So it means that you inject above the TCP layer.
I thought that when you capture at the stream layer, it means that you capture above the TCP layer and can communicate with the application before and without the TCP/IP stack at all.
Is this possible?
What happens to the TCP payload that you inject inbound using FwpsStreamInjectAsync0()?
Thanks,
Sagi

I have never used these functions, but the way that I read the documentation

https://docs.microsoft.com/en-us/windows-hardware/drivers/network/packet-injection-functions

suggests to me that direct injection into a TCP stream requires an established TCP stream. You might be able to create one by also filtering at a lower level.
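A practical way to see the layering the two replies describe is to inspect the WFP filter state on a Windows box and list which callouts are attached at the connection-establishment layers (FWPM_LAYER_ALE_AUTH_CONNECT_V4/V6, classified on the outbound SYN) versus the stream layers (FWPM_LAYER_STREAM_V4/V6, which only see data once a TCP connection exists). The script below is an added example for this thread, not code from any poster; it assumes an elevated PowerShell session, that `netsh wfp show state` writes a `wfpstate.xml` with a `<layers>/<item>/<layer>/<layerKey>` and `<filters>/<item>/<action>` structure (element names taken from the netsh output format and may differ between Windows versions), and uses the hypothetical function name `Get-WfpCalloutFilters`.

```powershell
# Added example: list WFP callout filters per layer, to show where a callout
# driver actually sits relative to TCP connection establishment.
# Requires an elevated prompt; netsh wfp needs administrator rights.
function Get-WfpCalloutFilters {
    param(
        # Hypothetical parameter: layers to report on. Defaults cover
        # "before TCP" (ALE connect, classified on the SYN) and
        # "above TCP" (stream, reached only on an established connection).
        [string[]]$LayerKeys = @(
            'FWPM_LAYER_ALE_AUTH_CONNECT_V4',
            'FWPM_LAYER_ALE_AUTH_CONNECT_V6',
            'FWPM_LAYER_STREAM_V4',
            'FWPM_LAYER_STREAM_V6'
        )
    )

    $stateFile = Join-Path $env:TEMP 'wfpstate.xml'
    # netsh writes the full filter engine state as XML (assumed output format).
    & netsh.exe wfp show state file="$stateFile" | Out-Null
    if (-not (Test-Path $stateFile)) {
        throw "netsh wfp show state did not produce $stateFile (run elevated?)"
    }

    [xml]$state = Get-Content -Path $stateFile -Raw
    $results = foreach ($entry in $state.wfpstate.layers.item) {
        $layerKey = $entry.layer.layerKey
        if ($LayerKeys -notcontains $layerKey) { continue }

        foreach ($filter in @($entry.filters.item)) {
            if ($null -eq $filter) { continue }
            # Only callout actions matter here: a plain PERMIT/BLOCK filter
            # has no driver behind it.
            $actionType = $filter.action.type
            if ($actionType -notlike 'FWP_ACTION_CALLOUT_*') { continue }

            [pscustomobject]@{
                Layer      = $layerKey
                FilterName = $filter.displayData.name
                Action     = $actionType
                CalloutKey = $filter.action.calloutKey
                Weight     = $filter.weight.type
            }
        }
    }

    Remove-Item -Path $stateFile -ErrorAction SilentlyContinue
    return $results
}

# Usage: group by layer so ALE connect callouts (SYN time) and stream
# callouts (post-handshake payload) are visible side by side.
Get-WfpCalloutFilters |
    Sort-Object Layer, FilterName |
    Format-Table Layer, FilterName, Action, CalloutKey -AutoSize
```

A callout that appears only under FWPM_LAYER_STREAM_V4 cannot have run at SYN time; one registered at FWPM_LAYER_ALE_AUTH_CONNECT_V4 can veto or redirect the connection before the stack sends the SYN, which is the split the replies above describe. Intercepting the connect and then injecting stream data would therefore show up as two separate callouts on two layers, and the stream one still depends on the stack having an established connection to inject into.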