WFP Traffic Redirection Driver is used to redirect NIC traffic on network layer and framing layer, based on Windows Filtering Platform (WFP).
This project is forked from Windows Filtering Platform Traffic Inspection Sample.
- `.vcxproj` in Visual Studio on host computer
- `.cer` (Certificate) and `.inf` (Driver Config) on target computer
For more, see Windows Filtering Platform Traffic Inspection Sample.
Set up values under the key:
HKLM\System\CurrentControlSet\Services\inspect\Parameters
All values are shown in the following table:
Value | Type | Example |
---|---|---|
LocalRealAddress | REG_SZ | 10.109.16.202 |
LocalFakeAddress | REG_SZ | 10.109.19.108 |
RemoteRealAddress | REG_SZ | 10.109.18.799 |
RemoteFakeAddress | REG_SZ | 10.109.17.253 |
LocalRealPort | REG_DWORD | 80 |
LocalFakePort | REG_DWORD | 202 |
RemoteRealPort | REG_DWORD | 80 |
RemoteFakePort | REG_DWORD | 799 |
LocalEthernetAddress | REG_SZ | 74-27-ea-00-00-02 |
RemoteEthernetAddress | REG_SZ | 74-27-ea-00-00-03 |
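
The values in this table can be checked before they are written under the `Parameters` key. The following is an added example, not part of the project or of the sample it is forked from: the value names and types come from the table, while the function names and the rules applied (dotted IPv4, ports 0 to 65535, hyphen-separated MAC) are assumptions. It also lists the values left at the zero settings that the note below says disable modification.

```python
import ipaddress
import re

# Value names and types come from the README's table; the checks are assumptions.
ADDRESSES = ("LocalRealAddress", "LocalFakeAddress", "RemoteRealAddress", "RemoteFakeAddress")
PORTS = ("LocalRealPort", "LocalFakePort", "RemoteRealPort", "RemoteFakePort")
ETHERNET = ("LocalEthernetAddress", "RemoteEthernetAddress")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}")
ZERO_VALUES = {"0.0.0.0", 0, "00-00-00-00-00-00"}  # per the README, these disable modification


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ipaddress.AddressValueError:
        return False


def check_parameters(params):
    """Return (problems, disabled) for a dict of the Parameters key's values."""
    problems, disabled = [], []
    for name in ADDRESSES + PORTS + ETHERNET:
        if name not in params:
            problems.append(f"{name}: missing")
            continue
        value = params[name]
        if name in PORTS:
            # REG_DWORD holds 32 bits, but a TCP/UDP port must fit in 16.
            ok = type(value) is int and 0 <= value <= 65535
        elif name in ADDRESSES:
            ok = isinstance(value, str) and is_ipv4(value)
        else:
            ok = isinstance(value, str) and MAC_RE.fullmatch(value) is not None
        if not ok:
            problems.append(f"{name}: invalid value {value!r}")
        elif value in ZERO_VALUES:
            disabled.append(name)
    return problems, disabled


# The Example column of the README's table, copied unchanged.
README_EXAMPLE = {
    "LocalRealAddress": "10.109.16.202", "LocalFakeAddress": "10.109.19.108",
    "RemoteRealAddress": "10.109.18.799", "RemoteFakeAddress": "10.109.17.253",
    "LocalRealPort": 80, "LocalFakePort": 202, "RemoteRealPort": 80, "RemoteFakePort": 799,
    "LocalEthernetAddress": "74-27-ea-00-00-02", "RemoteEthernetAddress": "74-27-ea-00-00-03",
}

if __name__ == "__main__":
    print(check_parameters(README_EXAMPLE))
```

Run against the table's own Example column, the check reports `RemoteRealAddress`, because 799 is not a valid IPv4 octet.
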
Note that:
- `LocalEthernetAddress` and `RemoteEthernetAddress` are used for outbound traffic at the framing layer, only if LocalAddress modification is enabled.
- `0.0.0.0` / `0` / `00-00-00-00-00-00` will disable address/port modification.

- `net start inspect` as administrator to start the driver service
- `net stop inspect` as administrator to stop the driver service

Key ideas are posted by BOT Man in Chinese:

- `tl_drv.c`: entry and init
- `protocol-headers.h`: Ethernet/IPv4/ICMP/TCP/UDP header
- `inspect.h/c`: handle classification/reinjection logic
- `util.h/c`: helper functions
- `inspect.inf`: driver config
- `enable-promisc.exe`: calling `pcap_findalldevs_ex`
- `wpcap.dll`: modified `pcap_activate_win32`
- `check-promisc.ps1`: check if all NICs are in Promisc Mode
- `restart-nic.bat`: restart the NIC `以太网` ("Ethernet")
- `enable-dbgprint.reg`: enable `dbgprint` on DbgView (use once)
- `enable-testsigning.bat`: enable test signing (use once)

Copyright (C) 2018 BOT Man
GPL-3.0 License