WFP -> local proxy traffic filtering

Hi all, seems like this forum is the only place that has sufficiently enough discussions on the dreaded Windows Filtering Platform so i’ll give it a shot incase someone can help me here :slight_smile:

I got the WFPSample project setup and working for doing basic actions like blocking a single outgoing IP address, but i cannot figure out a way how to make the Proxying part work at all.
I’m trying to use the sample project first to prove my concept before i move on to taking the necessary parts of the sample project and creating my own project.

What i’m doing:

  • I try to redirect all of the traffic using the WFPSample using the following command (and many different variations of -ipla, ipra just incase i got it wrong)
    WFPSampler -s Proxy -l FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 -p TCP -pra -prp 8080 -v -plspid whatever the proxy pid is at the time ( i tried with and without the ‘-p TCP’)

I clean all the filters before trying a new combination of the above command using ‘WFPSampler -clean all’

The problem is that most of the time the traffic doesn’t get to the proxy. If i have an open browser tab for example for google, i run the above command, refresh the browser tab again, then i see some requests coming to the proxy and they all fail with ‘[Errno 1101] getaddinfo failed’, newly opened tabs just fail immediately without any trace in the proxy logs and the browser just saying “You’re not connected”.

My goal is to have WFP redirect all of the browser traffic to the proxy, which is doing a mitm attack, decrypt https headers and then make a decision on whether the traffic should be allowed or dropped (maybe even redirected somewhere else saying the domain is not allowed).

Could it be that mitmproxy application i’m using is not able to understand the traffic redirected by WFP? Are there examples of proxies that work with WFP redirects that i could get some ideas from to build my own?

Thank you in advance!

@sagi_zar @Jason_Stephenson I know you guys discussed this before (, maybe you can give some insight here? :smile:

It’s been years since I’ve looked specifically at the WFPSampler codebase so i can’t provide specifics.

[Errno 1101] getaddinfo failed
This looks like a DNS related problem. If your DNS is failing, there won’t be any following HTTP/S connection for you to receive in your proxy.

If you are looking to receive HTTP/S traffic I would follow the Connection Redirection steps here This, in conjunction with the WFPSampler codebase should be plenty for you to get something working.

I would also suggest you look more deeply into what “browser traffic” really is. If you are legitimately interested in all of it there is a wide range of things you need to think about. UDP/TCP/HTTP/HTTPS/DNS/DOH/Certificates/Encryption etc…

Good luck