What Happens When an App Sends Data?
Let's say a browser sends a request to http://example.com. Here's what happens internally on Windows:
[ Application Layer (e.g., Chrome) ]
|
[ Winsock API (user-mode socket calls) ]
|
[ Transport Layer (TCP/UDP) - kernel-mode ]
|
[ Network Layer (IP, routing) - kernel-mode ]
|
[ NDIS (Network Driver Interface Specification) ]
|
[ Physical NIC Driver (e.g., Intel Ethernet driver) ]
|
[ Ethernet/Internet ]
- Your app calls send() or connect().
- That passes through Winsock, which interfaces with the Windows TCP/IP stack.
- From there, data goes through multiple kernel-mode layers before hitting the network.
Why Do We Care About Kernel-Mode?
User-Mode (App code)
- Limited access to system resources
- Safe (isolated from the OS kernel)
- Slower access to low-level events
Kernel-Mode (Drivers)
- Full access to memory, hardware, and networking stack
- Used by antivirus, firewalls, VPNs, and system utilities
- Risk of BSOD (blue screen) if misused
WFP works in kernel mode to intercept and inspect/modify traffic at various layers.
What Is Windows Filtering Platform?
Windows Filtering Platform (WFP) is a set of APIs and system services provided by Microsoft that allows kernel and user mode software to intercept, filter, or modify network traffic.
WFP is used by:
- Windows Defender Firewall
- VPN software
- Antivirus/EDR tools
- DLP (Data Loss Prevention) systems
- 3rd-party firewalls and network monitors
It was introduced in Windows Vista / Server 2008, and is now a critical part of Windows security and networking.
WFP Architecture: Where It Hooks
WFP operates across the entire Windows networking stack, from the lowest hardware levels (NDIS drivers) to high-level HTTP traffic.
Here's a simplified diagram:
Application Layer (HTTP, DNS, SMB, etc.)
↓
Transport Layer (TCP, UDP, etc.)
↓
Network Layer (IPv4/IPv6)
↓
Link Layer (NDIS, network drivers)
You can insert filters at any of these layers. That's what makes WFP so powerful – you choose where and how deeply you want to inspect or block traffic.
For example:
- Want to block HTTP POSTs? Filter at stream layer.
- Want to scan DNS? Filter at datagram layer.
- Want to reroute packets? Filter at network layer.
WFP Filtering Flow
WFP filtering is done through:
- Filters: Rules that define what traffic to act on
- Callouts: Optional handlers (usually in kernel) that inspect, modify, or log traffic
- Sublayers: Logical groups of filters with priorities
- BFE (Base Filtering Engine): Core service that coordinates filters
Each packet that travels through the system passes through multiple layers. Your filter gets a chance to:
- Allow (FWP_ACTION_PERMIT)
- Block (FWP_ACTION_BLOCK)
- Inspect further via callout
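As an added example (not code from the original article), the following PowerShell makes the relationship between the pieces described above concrete: it creates a Windows Defender Firewall block rule, exports the live filter set that BFE is enforcing with netsh wfp show filters, and lists the FWP_ACTION_BLOCK filters sitting at the ALE connect layer together with their sublayer, weight and match conditions. This ties the layer diagram (filters are attached to a specific layer) and the filtering-flow section (filter, sublayer, action) to what is actually registered with BFE. The cmdlets and the netsh command are real; the rule name, the element names assumed for the XML export (wfpdiag/filters/item, layerKey, subLayerKey, action/type, filterCondition, effectiveWeight) and the remote-port-80 matching heuristic are assumptions to adjust if your export differs. Run it in an elevated PowerShell on Windows.

```powershell
# Added example, not part of the original article. Requires an elevated
# PowerShell on Windows. Shows that a Defender Firewall rule is realised as
# ordinary WFP filters, then reads those filters back from BFE.

$ruleName = 'WFP-demo block outbound TCP 80'              # hypothetical rule name
$xmlPath  = Join-Path $env:TEMP 'wfp-filters-demo.xml'    # hypothetical export path

# 1. Create a firewall rule. Windows Defender Firewall (a WFP consumer)
#    translates it into WFP filters: block action, outbound, TCP, remote port 80.
New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
    -RemotePort 80 -Action Block | Out-Null

try {
    # 2. Ask BFE for the complete filter set as XML.
    netsh wfp show filters file="$xmlPath" | Out-Null

    # XmlDocument.Load honours the encoding declared in the export.
    $dump = New-Object System.Xml.XmlDocument
    $dump.Load($xmlPath)

    # 3. Keep filters on the ALE connect layer (the layer that authorises
    #    outbound TCP connects) whose action is BLOCK. Element names below are
    #    assumptions about the export format.
    $blocks = $dump.wfpdiag.filters.item | Where-Object {
        $_.layerKey -eq 'FWPM_LAYER_ALE_AUTH_CONNECT_V4' -and
        $_.action.type -eq 'FWP_ACTION_BLOCK'
    }

    # 4. Render each filter's "what traffic to act on" part (its conditions)
    #    next to the sublayer and weight that decide arbitration order.
    $rows = foreach ($f in $blocks) {
        $conds = @($f.filterCondition.item | ForEach-Object {
            $c = $_
            $v = $c.conditionValue
            $val = switch ($v.type) {
                'FWP_UINT8'  { $v.uint8 }
                'FWP_UINT16' { $v.uint16 }
                'FWP_UINT32' { $v.uint32 }
                default      { $v.type }       # e.g. ranges, app IDs, addresses
            }
            '{0} {1} {2}' -f $c.fieldKey, $c.matchType, $val
        })
        [pscustomobject]@{
            Name       = $f.displayData.name
            SubLayer   = $f.subLayerKey
            Weight     = $f.effectiveWeight.uint64
            Conditions = ($conds -join '; ')
        }
    }

    # Heuristic (assumption): the rule above should surface as a block filter
    # carrying a remote-port condition of 80. Show those first, then the rest.
    $rows | Sort-Object { $_.Conditions -notlike '*IP_REMOTE_PORT*80*' }, Name |
        Format-Table -AutoSize -Wrap
}
finally {
    # 5. Leave no persistent filter or export file behind.
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Remove-Item -Path $xmlPath -ErrorAction SilentlyContinue
}
```

The same export is the first place to look when a connection is unexpectedly blocked: comparing the sublayer keys and effective weights of competing block and permit filters on one layer explains which rule won, which the firewall UI alone does not show.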