user6520039

Reputation: 1

WFP StmEdit not calling callout functions for inbound traffic

I'm trying to get Microsoft's Windows Filtering Platform stmedit sample to work and am running into some difficulties.

When I turn on the InspectOutbound flag in the registry, set EditInline to 1, set InspectionPort to 80, set StringToFind to A and StringToReplace to B, and use a proxy, going to www.A.com redirects to www.B.com as expected since the destination is moved to part of the payload.

When I turn off the InspectOutbound flag in the registry (in order to inspect inbound packets), still using EditInline and still with InspectionPort=80, and access a simple http://www.somewebsite.com/somepage.html page, I see that no functions from the driver source code have been called. I can see in Wireshark that packets are in fact going through port 80 as expected.

I added a DbgPrint() call to every function in the source code to see the basic code flow without having to use the debugger for everything, although I do have it working and haven't been able to find the issue here.

Any help would be really appreciated.

Upvotes: 0

Views: 190

Answers (0)
