Updated on 02 Aug, 2025

What Happens When an App Sends Data?

Let's say a browser sends a request to http://example.com. Here's what happens internally on Windows:

[ Application Layer (e.g., Chrome) ]
            |
[ Winsock API (user-mode socket calls) ]
            |
[ Transport Layer (TCP/UDP) - kernel-mode ]
            |
[ Network Layer (IP, routing) - kernel-mode ]
            |
[ NDIS (Network Driver Interface Specification) ]
            |
[ Physical NIC Driver (e.g., Intel Ethernet driver) ]
            |
[ Ethernet/Internet ]

  • Your app calls send() or connect().
  • That call passes through Winsock, which interfaces with the Windows TCP/IP stack.
  • From there, the data goes through multiple kernel-mode layers before it reaches the network.

Why Do We Care About Kernel-Mode?

User-Mode (App code)

  • Limited access to system resources
  • Safe (isolated from the OS kernel)
  • Slower access to low-level events

Kernel-Mode (Drivers)

  • Full access to memory, hardware, and networking stack
  • Used by antivirus, firewalls, VPNs, and system utilities
  • Risk of BSOD (blue screen) if misused

WFP works in kernel mode to intercept and inspect/modify traffic at various layers.


What Is Windows Filtering Platform?

Windows Filtering Platform (WFP) is a set of APIs and system services provided by Microsoft that allows kernel-mode and user-mode software to intercept, filter, or modify network traffic.

WFP is used by:

  • Windows Defender Firewall
  • VPN software
  • Antivirus/EDR tools
  • DLP (Data Loss Prevention) systems
  • 3rd-party firewalls and network monitors

It was introduced in Windows Vista / Server 2008, and is now a critical part of Windows security and networking.

WFP Architecture: Where It Hooks

WFP operates across the entire Windows networking stack, from the lowest hardware levels (NDIS drivers) to high-level HTTP traffic.

Here's a simplified diagram:

Application Layer (HTTP, DNS, SMB, etc.)
        ↓
Transport Layer (TCP, UDP, etc.)
        ↓
Network Layer (IPv4/IPv6)
        ↓
Link Layer (NDIS, network drivers)

You can insert filters at any of these layers. That's what makes WFP so powerful – you choose where and how deeply you want to inspect or block traffic.

For example:

  • Want to block HTTP POSTs? Filter at the stream layer.
  • Want to scan DNS? Filter at the datagram layer.
  • Want to reroute packets? Filter at the network layer.

WFP Filtering Flow

WFP filtering is done through:

  • Filters: Rules that define what traffic to act on
  • Callouts: Optional handlers (usually in kernel) that inspect, modify, or log traffic
  • Sublayers: Logical groups of filters with priorities
  • BFE (Base Filtering Engine): Core service that coordinates filters

Each packet that travels through the system passes through multiple layers. Your filter gets a chance to:

  • Allow (FWP_ACTION_PERMIT)
  • Block (FWP_ACTION_BLOCK)
  • Inspect further via callout
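To see the pieces described in the last two sections (layers, sublayers, filters, callouts and the BFE service) on a real machine, here is an added PowerShell example that is not part of the original post. It asks BFE for its installed filter table through netsh, then maps each filter's WFP layer key onto the application/transport/network/link tiers from the diagram above and reports which actions and callouts are in use. It assumes an elevated session on Windows, that the BFE service exists under that name, and that the XML written by "netsh wfp show filters" uses the element names shown in the comments (filters/item, layerKey, subLayerKey, displayData/name, action/type, action/calloutKey); anything that does not match those assumptions simply shows up as blank or "Other".

```powershell
# Added example (not from the original post): audit the filters currently
# installed in the Windows Filtering Platform from a defender's point of view.
# Assumptions: Windows, elevated PowerShell, BFE service present, and the XML
# layout that "netsh wfp show filters" produces (element names assumed below).
#Requires -RunAsAdministrator

# 1. BFE (Base Filtering Engine) owns every filter. If it is not running,
#    no WFP filtering is happening at all, which is itself worth knowing.
$bfe = Get-Service -Name BFE
Write-Host "BFE (Base Filtering Engine) status: $($bfe.Status)"

# 2. Export the full filter table. netsh writes it as XML to the given file.
$xmlPath = Join-Path $env:TEMP 'wfp-filters.xml'
netsh wfp show filters file=$xmlPath | Out-Null
$doc = New-Object System.Xml.XmlDocument
$doc.Load($xmlPath)

# 3. Map a WFP layer key onto the tiers used in the post's diagram.
#    ALE = Application Layer Enforcement (connect/accept/bind decisions).
function Get-LayerTier([string]$layerKey) {
    switch -Regex ($layerKey) {
        '^FWPM_LAYER_ALE_'                     { 'Application (ALE: connect/accept/bind)'; break }
        '^FWPM_LAYER_STREAM_'                  { 'Transport (stream: TCP payload)';        break }
        '^FWPM_LAYER_DATAGRAM_DATA_'           { 'Transport (datagram: UDP payload)';      break }
        '^FWPM_LAYER_(IN|OUT)BOUND_TRANSPORT_' { 'Transport (TCP/UDP headers)';            break }
        '^FWPM_LAYER_(IN|OUT)BOUND_IPPACKET_'  { 'Network (IPv4/IPv6 packets)';            break }
        '^FWPM_LAYER_(IN|OUT)BOUND_MAC_FRAME_' { 'Link (Ethernet frames)';                 break }
        default                                { 'Other';                                  break }
    }
}

# 4. Flatten every <filters><item> element into one object per filter.
#    Element names here are assumed from netsh's XML output.
$filters = foreach ($item in $doc.SelectNodes('//filters/item')) {
    [pscustomobject]@{
        Name     = $item.displayData.name
        Layer    = $item.layerKey
        Tier     = Get-LayerTier $item.layerKey
        SubLayer = $item.subLayerKey
        Action   = $item.action.type          # FWP_ACTION_PERMIT / BLOCK / CALLOUT_*
        Callout  = $item.action.calloutKey    # present only when a callout is referenced
    }
}

Write-Host "`nTotal filters reported by BFE: $($filters.Count)"

# 5. Where in the stack is filtering happening?
Write-Host "`nFilters per tier:"
$filters | Group-Object Tier | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-String | Write-Host

# 6. Which sublayers hold the most filters? Sublayer weight decides which
#    filter wins when several match the same traffic at the same layer.
Write-Host "Filters per sublayer:"
$filters | Group-Object SubLayer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-String | Write-Host

# 7. Plain permit/block filters decide on their own; FWP_ACTION_CALLOUT_*
#    filters hand the packet to a (usually kernel-mode) callout driver.
Write-Host "Actions in use:"
$filters | Group-Object Action | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-String | Write-Host

Write-Host "Filters that invoke a callout (code outside BFE is inspecting traffic):"
$filters | Where-Object { $_.Action -like 'FWP_ACTION_CALLOUT_*' } |
    Sort-Object Layer, Name |
    Format-Table Name, Layer, SubLayer, Callout -AutoSize | Out-String | Write-Host

# 8. Clean up the export.
Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
```

Run it from an elevated prompt; without elevation BFE refuses the export. The callout listing is the part worth keeping an eye on: every entry there is a filter that routes traffic to a driver rather than deciding permit/block itself, so an unexpected callout key, or one appearing at the stream or datagram layers where payload can be read, is a good starting point for checking which product installed it.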
