WFP Traffic Redirection Driver

WFP Traffic Redirection Driver is used to redirect NIC traffic on network layer and framing layer, based on Windows Filtering Platform (WFP).

This project is forked from Windows Filtering Platform Traffic Inspection Sample.

Features

  • Flexible and configurable: every rewrite is driven by registry values (see "How to use")
  • Anti traffic sniffing: defeats host-based sniffers (WinPcap/Npcap/raw-socket sniffing)

How to build/deploy

Requirements

  • Visual Studio 2017
  • Windows Driver Kit 10

Steps to build/deploy

  1. Build the .vcxproj in Visual Studio on the host (build) computer
  2. Enable test signing on the target computer (bcdedit /set testsigning on, then reboot; helpers/enable-testsigning.bat does this)
  3. Install the .cer (test-signing certificate) and the .inf (driver config, which registers the inspect kernel service) on the target computer

For more, see Windows Filtering Platform Traffic Inspection Sample.

How to use

Setup Registries

Set the following values under the key:

HKLM\System\CurrentControlSet\Services\inspect\Parameters

All values are shown in the following table:

Value                  Type       Example
LocalRealAddress       REG_SZ     10.109.16.202
LocalFakeAddress       REG_SZ     10.109.19.108
RemoteRealAddress      REG_SZ     10.109.18.199
RemoteFakeAddress      REG_SZ     10.109.17.253
LocalRealPort          REG_DWORD  80
LocalFakePort          REG_DWORD  202
RemoteRealPort         REG_DWORD  80
RemoteFakePort         REG_DWORD  799
LocalEthernetAddress   REG_SZ     74-27-ea-00-00-02
RemoteEthernetAddress  REG_SZ     74-27-ea-00-00-03

Note that:

  • Address, Port and EthernetAddress stand for the IPv4 address, TCP/UDP port and Ethernet MAC address respectively.
  • Local means the source of outbound / destination of inbound traffic; Remote means the destination of outbound / source of inbound traffic.
  • For outbound traffic the Real address/port is replaced with the Fake one; for inbound traffic the Fake address/port is restored to the Real one.
  • Config cascade:
    • Port values are used at the network layer only if RemoteAddress modification is enabled (RemoteRealAddress/RemoteFakeAddress non-zero).
    • LocalEthernetAddress and RemoteEthernetAddress are used for outbound traffic at the framing layer only if LocalAddress modification is enabled (LocalRealAddress/LocalFakeAddress non-zero).
  • Setting a value to zero (0.0.0.0 / 0 / 00-00-00-00-00-00) disables that address/port/MAC modification.
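The address, port and MAC rules in the notes above, as a user-mode C model. This is an added example, not the driver's own code or the classify logic in inspect.c. It assumes that a field is rewritten only when it currently holds the value being replaced (Real on outbound, Fake on inbound), that a zero in either Real or Fake of a pair disables that pair, and it leaves out the checksum recomputation the driver must do after editing IPv4/TCP/UDP fields. The config values are constructed to mirror the table above rather than read from the registry, and the type and function names (cfg_t, pkt_t, rewrite, parse_ipv4, parse_mac, load_sample_cfg) are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values under HKLM\System\CurrentControlSet\Services\inspect\Parameters, in host
 * byte order. Model assumption: a zero in either Real or Fake of a pair disables
 * that pair (the notes only say a zero value disables the modification). */
typedef struct {
    uint32_t local_real, local_fake, remote_real, remote_fake;
    uint16_t local_real_port, local_fake_port, remote_real_port, remote_fake_port;
    uint8_t  local_eth[6], remote_eth[6];
} cfg_t;

/* The fields of one packet that the driver rewrites. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  src_mac[6], dst_mac[6];
} pkt_t;

typedef enum { OUTBOUND, INBOUND } dir_t;
static const uint8_t zero_mac[6];

/* REG_SZ dotted quad -> uint32; rejects trailing junk and octets above 255. */
bool parse_ipv4(const char *s, uint32_t *out) {
    unsigned o[4]; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4) return false;
    for (int i = 0; i < 4; i++) if (o[i] > 255) return false;
    *out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return true;
}

/* REG_SZ "74-27-ea-00-00-02" -> 6 bytes. */
bool parse_mac(const char *s, uint8_t out[6]) {
    unsigned v[6]; char tail;
    if (sscanf(s, "%x-%x-%x-%x-%x-%x%c", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 6)
        return false;
    for (int i = 0; i < 6; i++) { if (v[i] > 255) return false; out[i] = (uint8_t)v[i]; }
    return true;
}

/* Outbound: a field holding Real becomes Fake. Inbound: a field holding Fake is
 * restored to Real. Any other value, or a disabled pair, is left untouched. */
#define XLATE(f, real, fake, d) do { if ((real) && (fake)) { \
    if ((d) == OUTBOUND && *(f) == (real)) *(f) = (fake); \
    else if ((d) == INBOUND && *(f) == (fake)) *(f) = (real); } } while (0)

/* Applies the Local/Remote, Real/Fake and cascade rules from the notes; returns
 * how many of the six fields changed. Checksums are outside this model. */
int rewrite(const cfg_t *c, dir_t d, pkt_t *p) {
    pkt_t b = *p;
    /* Local is src of outbound / dst of inbound; Remote is the other end. */
    uint32_t *local_ip  = d == OUTBOUND ? &p->src_ip   : &p->dst_ip;
    uint32_t *remote_ip = d == OUTBOUND ? &p->dst_ip   : &p->src_ip;
    uint16_t *local_pt  = d == OUTBOUND ? &p->src_port : &p->dst_port;
    uint16_t *remote_pt = d == OUTBOUND ? &p->dst_port : &p->src_port;
    bool local_on  = c->local_real  && c->local_fake;
    bool remote_on = c->remote_real && c->remote_fake;
    XLATE(local_ip,  c->local_real,  c->local_fake,  d);
    XLATE(remote_ip, c->remote_real, c->remote_fake, d);
    /* Cascade: ports are only rewritten when RemoteAddress modification is on. */
    if (remote_on) {
        XLATE(local_pt,  c->local_real_port,  c->local_fake_port,  d);
        XLATE(remote_pt, c->remote_real_port, c->remote_fake_port, d);
    }
    /* Cascade: MACs only on outbound frames, and only when LocalAddress modification is on. */
    if (d == OUTBOUND && local_on) {
        if (memcmp(c->local_eth,  zero_mac, 6)) memcpy(p->src_mac, c->local_eth,  6);
        if (memcmp(c->remote_eth, zero_mac, 6)) memcpy(p->dst_mac, c->remote_eth, 6);
    }
    return (b.src_ip != p->src_ip) + (b.dst_ip != p->dst_ip)
         + (b.src_port != p->src_port) + (b.dst_port != p->dst_port)
         + (memcmp(b.src_mac, p->src_mac, 6) != 0) + (memcmp(b.dst_mac, p->dst_mac, 6) != 0);
}

/* Constructed sample config mirroring the table above (not read from the registry). */
bool load_sample_cfg(cfg_t *c) {
    memset(c, 0, sizeof *c);
    c->local_real_port = 80;  c->local_fake_port  = 202;
    c->remote_real_port = 80; c->remote_fake_port = 799;
    return parse_ipv4("10.109.16.202", &c->local_real)  && parse_ipv4("10.109.19.108", &c->local_fake)
        && parse_ipv4("10.109.18.199", &c->remote_real) && parse_ipv4("10.109.17.253", &c->remote_fake)
        && parse_mac("74-27-ea-00-00-02", c->local_eth) && parse_mac("74-27-ea-00-00-03", c->remote_eth);
}

int main(void) {
    cfg_t c; pkt_t p = {0}, r = {0};
    if (!load_sample_cfg(&c)) { puts("bad config value"); return 1; }
    /* A local:80 -> remote:80 packet leaving the host, then its reply coming back. */
    p.src_ip = c.local_real; p.dst_ip = c.remote_real; p.src_port = 80; p.dst_port = 80;
    int n = rewrite(&c, OUTBOUND, &p);
    printf("outbound: %d fields rewritten, now %08x:%u -> %08x:%u\n", n,
           (unsigned)p.src_ip, p.src_port, (unsigned)p.dst_ip, p.dst_port);
    r.src_ip = p.dst_ip; r.dst_ip = p.src_ip; r.src_port = p.dst_port; r.dst_port = p.src_port;
    n = rewrite(&c, INBOUND, &r);
    printf("inbound:  %d fields restored, now %08x:%u -> %08x:%u\n", n,
           (unsigned)r.src_ip, r.src_port, (unsigned)r.dst_ip, r.dst_port);
    return 0;
}
```

Compile with any C99 compiler. The round trip in main shows the packet leaving with the Fake address/port pair and the reply being restored to the Real pair; zeroing RemoteRealAddress/RemoteFakeAddress in the config leaves the ports alone, and zeroing the Local pair leaves the MACs alone, which is the cascade from the notes. parse_ipv4 rejects octets above 255 (a typo such as 10.109.18.799), which is the check you want before writing REG_SZ values the driver will trust.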

Start/Stop driver

  • Run net start inspect as administrator to start the driver service
  • Run net stop inspect as administrator to stop the driver service

Internals

Key ideas are posted by BOT Man in Chinese:

./sys

  • tl_drv.c: driver entry point and initialization
  • protocol-headers.h: Ethernet/IPv4/ICMP/TCP/UDP header definitions
  • inspect.h/c: classification and reinjection logic
  • util.h/c: helper functions
  • inspect.inf: driver installation config

./helpers

  • enable-promisc: put all NICs into promiscuous mode (based on wpcap)
    • enable-promisc.exe: calls pcap_findalldevs_ex
    • wpcap.dll: modified pcap_activate_win32
  • check-promisc.ps1: check whether all NICs are in promiscuous mode
  • restart-nic.bat: restart the NIC named 以太网 ("Ethernet", the default adapter name on Chinese-locale Windows)
  • enable-dbgprint.reg: enable DbgPrint output so it shows up in DbgView (run once)
  • enable-testsigning.bat: enable test signing (run once)

License

Copyright (C) 2018 BOT Man

GPL-3.0 License