WFP Traffic Redirection Driver

WFP Traffic Redirection Driver is used to redirect NIC traffic on network layer and framing layer, based on Windows Filtering Platform (WFP).

This project is forked from Windows Filtering Platform Traffic Inspection Sample.

Features

• Flexible & configurable
• Anti traffic sniffing (WinPcap/Npcap/Rawsock Sniffing)

How to build/deploy

Requirements

• Visual Studio 2017
• Windows Driver Kit 10

Steps to build/deploy

1. Build .vcxproj in Visual Studio on host computer
2. Enable test signing on target computer
3. Install .cer (Certificate) and .inf (Driver Config) on target computer

For more, see Windows Filtering Platform Traffic Inspection Sample.

How to use

Setup Registries

Setup values under the key:

HKLM\System\CurrentControlSet\Services\inspect\Parameters

All values are shown in the following table:

Note that:

• Address, Port and EthernetAddress stand for IP address, TCP/UDP port and ethernet MAC address respectively.
• Local means src of outbound / dst of inbound traffic, while Remote means dst of outbound / src of inbound traffic.
• For outbound traffic, Real address/port are replaced with Fake; for inbound traffic, Fake address/port are restored by Real.
• Config cascade:
  • Port values are used at network layer only if enabling RemoteAddress modification.
  • Value LocalEthernetAddress and RemoteEthernetAddress are used for outbound traffic at framing layer only if enabling LocalAddress modification.
• Setting value of zero (0.0.0.0/0/00-00-00-00-00-00) will disable address/port modification.

Start/Stop driver

• Run net start inspect as administrator to start the driver service
• Run net stop inspect as administrator to stop the driver service

Internals

Key ideas are posted by BOT Man in Chinese:

• Learn TCP/IP from WFP 1
• Learn TCP/IP from WFP 2
• Anonymous Communication Client Design

./sys

• tl_drv.c: entry and init
• protocol-headers.h: Ethernet/IPv4/ICMP/TCP/UDP header
• inspect.h/c: handle classification/reinjection logic
• util.h/c: helper functions
• inspect.inf: driver config

./helpers

• enable-promisc: enable Promisc Mode on all NICs (based on wpcap)
  • enable-promisc.exe: calling pcap_findalldevs_ex
  • wpcap.dll: modified pcap_activate_win32
• check-promisc.ps1: check if all NICs in Promisc Mode
• restart-nic.bat: restart NIC 以太网
• enable-dbgprint.reg: enable dbgprint on DbgView (use once)
• enable-testsigning.bat: enable test signing (use once)

License

Copyright (C) 2018 BOT Man

GPL-3.0 License