WFP - Filtering child processes

I have a callout driver at FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer with the filter condition is FWPM_CONDITION_ALE_APP_ID to filter traffic from a specific application.

However, with some applications, they also spawn some child processes and one of them may communicate with the Internet, so filtering the parent process will give no output, with the filtering condition FWPM_CONDITION_ALE_APP_ID, WFP filters the process created by this application only.

So how can I filter either the parent and all its child processes?

PsSetCreateProcessNotifyRoutine is your friend .

Hi Slava Imameev, thank you for your answer!

I got that when using PsSetCreateProcessNotifyRoutine, I will have a change to do something with a new created process. What I need to do is to filter the new process as well as the parent process, I cannot run the driver again to add the new process’s path, and cannot add more filtering condition, so with your experiences, do you have any idea to help me to filter both processes?

You can call FwpmFilterAdd from a driver and add a new filter but I am not sure that you will be able to add a filter for a particular process/application from a driver. Looks like you will have to add a filter for all established connections and filter by process ID in your filter. You can also communicate with your application to add application filters.

Also, read this