Leon

Reputation: 21

Windivert ProcessId at NETWORK layer

I am using Windivert 2.0.

I wonder if I can build a map of ProcessID to 5-tuple (protocol, source ip, source port, dest ip, dest port) with an open Windivert handle at the SOCKET layer and use this map with another open Windivert handle at the NETWORK layer to filter/block/reject packets.

Is that possible? I can think of 2 potential problems:

  1. I have to open 2 Windivert handles of different layers in the same user application.

  2. For one specified socket, which layer will receive the events first? Because I need to build the map first and use it in the NETWORK layer.

Thanks a lot.

Upvotes: 1

Views: 1437

Answers (1)

Basil

Reputation: 1021

Your basic approach is correct. To filter at the NETWORK layer based on process ID it is necessary to open two WinDivert handles:

  1. One handle at the SOCKET layer to build a mapping from network 5-tuples to the ProcessIDs.
  2. Another handle at the NETWORK layer to do the actual filtering. To do so, the network 5-tuple of the packet is mapped to ProcessID using the SOCKET-layer mapping, and the packet can be filtered accordingly.

So, yes, you do need two handles.

The other problem you mentioned is that, for a new connection, it is not guaranteed that the SOCKET-layer event will arrive first. This is also true. To work around this issue the user application should queue the NETWORK-layer event until the corresponding SOCKET-layer event arrives, and only process the packet once both events arrive. This is a bit complicated, but it resolves the issue. This is also the approach used by Tallow.

Upvotes: 1
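The two-handle scheme with the queue-until-socket-event workaround, as an added illustration that is not code from the answer, from WinDivert or from Tallow: portable C that models what each handle's receive loop does with the events, driven by constructed flows instead of a live driver. The `tuple_t` layout, the single blocked-PID policy and the fixed array sizes are assumptions; a real program would fill the tuple from the SOCKET-layer `WINDIVERT_ADDRESS` and from the parsed IP/TCP/UDP headers of the NETWORK-layer packet.

```c
#include <stdint.h>

/* Constructed stand-in for a connection 5-tuple; WinDivert's SOCKET layer
 * reports the same fields plus the owning ProcessId. The caller normalises
 * direction first: inbound NETWORK-layer packets have src/dst swapped. */
typedef struct { uint8_t proto; uint32_t sip, dip; uint16_t sport, dport; } tuple_t;

#define MAX_ENTRIES 64
static struct { tuple_t t; uint32_t pid; } map[MAX_ENTRIES]; /* 5-tuple -> PID */
static tuple_t pending[MAX_ENTRIES];  /* NETWORK-layer packets held back */
static int map_len, pending_len;
static uint32_t blocked_pid;          /* assumed policy: a single PID to block */

void set_blocked_pid(uint32_t pid) { blocked_pid = pid; }
int pending_count(void) { return pending_len; }

static int tuple_eq(const tuple_t *a, const tuple_t *b) {
    return a->proto == b->proto && a->sip == b->sip && a->dip == b->dip &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Owner PID of a flow, or 0 when no SOCKET-layer event has been seen yet. */
uint32_t owner_of(const tuple_t *t) {
    for (int i = 0; i < map_len; i++)
        if (tuple_eq(&map[i].t, t)) return map[i].pid;
    return 0;
}

static int decide(uint32_t pid) { return pid != blocked_pid; } /* 1 pass, 0 block */
/* NETWORK-layer handle: 1 = reinject, 0 = drop, -1 = queued (owner unknown).
 * A queued packet is neither reinjected nor dropped until its socket event. */
int network_packet(const tuple_t *t) {
    uint32_t pid = owner_of(t);
    if (pid) return decide(pid);
    if (pending_len < MAX_ENTRIES) pending[pending_len++] = *t;
    return -1;
}

/* SOCKET-layer handle: record the owner, then release every queued packet of
 * that flow in arrival order. Returns how many of those were passed. */
int socket_event(const tuple_t *t, uint32_t pid) {
    int passed = 0, keep = 0;
    if (map_len < MAX_ENTRIES) { map[map_len].t = *t; map[map_len++].pid = pid; }
    for (int i = 0; i < pending_len; i++) {
        if (tuple_eq(&pending[i], t)) passed += decide(pid);
        else pending[keep++] = pending[i];
    }
    pending_len = keep;
    return passed;
}
```

A production version would also drop the map entry on the SOCKET-layer close event and bound how long a packet may sit in the queue, so an orphaned flow cannot pin memory indefinitely.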
