WFP: getting the right PID during Listen or Accept callouts

Hi list,

I have a WFP driver filter, which registers several ALE Classify callouts, mainly for detecting inbound and outbound connections: FWPM_LAYER_ALE_AUTH_CONNECT_V4, FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, FWPM_LAYER_ALE_AUTH_LISTEN_V4 and so on.

In these callouts, I am getting the process id by querying the metadata FWPS_METADATA_FIELD_PROCESS_ID, and it works fine, most of the time.
However, I have noticed (on RECV_ACCEPT and LISTEN callouts) that frequently the pid that I receive is 4 (system process), instead of the process that is carrying out the listen or accept operation.
But in this situation, PsGetCurrentProcessId() hands me the right process id.

I also tried to go “earlier” and see what PID I would get during the RESOURCE_ASSIGNMENT callout, and for these cases, the process id is also 4, so there is a match between the resource assignment PID and the listen and accept operations’ PID.

So, is this the expected behavior of WFP?
Is there any way of getting the ID for the process that accepts the connection, instead of system process?

Thanks a lot in advance!