Intercept winsock API and forwarding RRS feed

  • Question

  • Hello, I'm Yonghyeok Lee.

    I'm developing some protocols.

    What I want develop is intercept winsock api calls and if the api calls is fit to some conditions(ex. port num) forward to my protocol driver (not TCP driver)

    Can I develop that with TDI filter driver or Windows Fileter Platform?

    If yes, how can I intercept winsock api calls?

    I read some guide about TDI fileter driver and Windows Fileter Platform, but I can't find apis about intercept winsock calls

    Tuesday, July 28, 2015 7:44 AM

All replies

  • As I recall, WFP only works on the TCP/IP stack. For any other protocol, you'll need to write a TDI filter. There isn't any documentation on TDI filters, so you'll have to study the TDI interface in the WDK docs. The TDI interface is IRP-based, so you can layer a driver on top of an existing TDI driver and catch the IRPs as they go by. I wrote the first TDI filter 20 years ago, and several since then, and it is a lot of work! I don't know if a TDI filter can be loaded on top of the TCP device on Windows versions with the next gen network stack (Vista+), but I see that the TCP device does exist on Win10, so you might give it a try. Jeffrey Tippet could probably provide an authoritative answer.


    Azius Developer Training Windows device driver, internals, security, & forensics training and consulting. Blog at

    Thursday, July 30, 2015 11:24 PM