{"id":49519151,"url":"https://github.com/BOT-Man-JL/WFP-Traffic-Redirection-Driver","last_synced_at":"2026-06-20T19:00:49.634Z","repository":{"id":44454161,"uuid":"139233134","full_name":"BOT-Man-JL/WFP-Traffic-Redirection-Driver","owner":"BOT-Man-JL","description":"WFP Traffic Redirection Driver is used to redirect NIC traffic on network layer and framing layer, based on Windows Filtering Platform (WFP).","archived":false,"fork":false,"pushed_at":"2018-06-30T08:51:20.000Z","size":405,"stargazers_count":90,"open_issues_count":0,"forks_count":43,"subscribers_count":6,"default_branch":"master","last_synced_at":"2023-08-05T18:11:24.241Z","etag":null,"topics":["anti-pcap","anti-sniffing","traffic-redirection","wfp","windows-driver"],"latest_commit_sha":null,"homepage":"https://bot-man-jl.github.io/articles/?post=2018/Anonymous-Communication-Client-Design","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BOT-Man-JL.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-06-30T08:35:24.000Z","updated_at":"2023-07-18T07:45:37.000Z","dependencies_parsed_at":"2022-09-06T05:32:11.035Z","dependency_job_id":null,"html_url":"https://github.com/BOT-Man-JL/WFP-Traffic-Redirection-Driver","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/BOT-Man-JL/WFP-Traffic-Redirection-Driver","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BOT-Man-JL%2FWFP-Traffic-Redirection-Driver","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BOT-Man-JL%2FWFP-Traffic-Redirection-Driver/tags","releases_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/BOT-Man-JL%2FWFP-Traffic-Redirection-Driver/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BOT-Man-JL%2FWFP-Traffic-Redirection-Driver/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BOT-Man-JL","download_url":"https://codeload.github.com/BOT-Man-JL/WFP-Traffic-Redirection-Driver/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BOT-Man-JL%2FWFP-Traffic-Redirection-Driver/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34581934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-pcap","anti-sniffing","traffic-redirection","wfp","windows-driver"],"created_at":"2026-05-01T23:01:10.348Z","updated_at":"2026-06-20T19:00:49.626Z","avatar_url":"https://github.com/BOT-Man-JL.png","language":"C","funding_links":[],"categories":["***Rootkits***"],"sub_categories":["***Techniques***"],"readme":"# WFP Traffic Redirection Driver\n\n_WFP Traffic Redirection Driver_ is used to redirect NIC traffic on network layer and framing layer, based on Windows Filtering Platform (WFP).\n\nThis project is forked from [Windows Filtering Platform Traffic Inspection 
Sample](https://github.com/Microsoft/Windows-driver-samples/tree/master/network/trans/inspect).\n\n## Features\n\n- Flexible \u0026 configurable\n- Anti _traffic sniffing_ (WinPcap/Npcap/Rawsock Sniffing)\n\n## How to build/deploy\n\n### Requirements\n\n- Visual Studio 2017\n- Windows Driver Kit 10\n\n### Steps to build/deploy\n\n1. Build `.vcxproj` in Visual Studio on _host computer_\n2. Enable _test signing_ on _target computer_\n3. Install `.cer` (Certificate) and `.inf` (Driver Config) on _target computer_\n\n\u003e For more, see [Windows Filtering Platform Traffic Inspection Sample](https://github.com/Microsoft/Windows-driver-samples/tree/master/network/trans/inspect).\n\n## How to use\n\n### Setup Registries\n\nSet up values under the key:\n\n```\nHKLM\\System\\CurrentControlSet\\Services\\inspect\\Parameters\n```\n\nAll values are shown in the following table:\n\nValue                 | Type      | Example\n----------------------|-----------|------------------\nLocalRealAddress      | REG_SZ    | 10.109.16.202\nLocalFakeAddress      | REG_SZ    | 10.109.19.108\nRemoteRealAddress     | REG_SZ    | 10.109.18.799\nRemoteFakeAddress     | REG_SZ    | 10.109.17.253\nLocalRealPort         | REG_DWORD | 80\nLocalFakePort         | REG_DWORD | 202\nRemoteRealPort        | REG_DWORD | 80\nRemoteFakePort        | REG_DWORD | 799\nLocalEthernetAddress  | REG_SZ    | 74-27-ea-00-00-02\nRemoteEthernetAddress | REG_SZ    | 74-27-ea-00-00-03\n\nNote that:\n\n- _Address_, _Port_ and _EthernetAddress_ stand for IP address, TCP/UDP port and Ethernet MAC address respectively.\n- _Local_ means _src of outbound_ / _dst of inbound_ traffic, while _Remote_ means _dst of outbound_ / _src of inbound_ traffic.\n- For _outbound traffic_, _Real_ address/port are replaced with _Fake_; for _inbound traffic_, _Fake_ address/port are restored to _Real_.\n- Config cascade:\n  - _Port_ values are used at the network layer only if _RemoteAddress_ modification is enabled.\n  - Values 
`LocalEthernetAddress` and `RemoteEthernetAddress` are used for _outbound traffic_ at the framing layer only if _LocalAddress_ modification is enabled.\n- Setting a value of zero (`0.0.0.0`/`0`/`00-00-00-00-00-00`) will disable address/port modification.\n\n### Start/Stop driver\n\n- Run `net start inspect` as administrator to start the driver service\n- Run `net stop inspect` as administrator to stop the driver service\n\n## Internals\n\nKey ideas are posted by _BOT Man_ in **Chinese**:\n\n- [Learn TCP/IP from WFP 1](https://bot-man-jl.github.io/articles/?post=2018/Learn-TCP-IP-from-WFP-1)\n- [Learn TCP/IP from WFP 2](https://bot-man-jl.github.io/articles/?post=2018/Learn-TCP-IP-from-WFP-2)\n- [Anonymous Communication Client Design](https://bot-man-jl.github.io/articles/?post=2018/Anonymous-Communication-Client-Design)\n\n### ./sys\n\n- `tl_drv.c`: entry and init\n- `protocol-headers.h`: Ethernet/IPv4/ICMP/TCP/UDP header\n- `inspect.h/c`: handle classification/reinjection logic\n- `util.h/c`: helper functions\n- `inspect.inf`: driver config\n\n### ./helpers\n\n- _enable-promisc_: enable _Promisc Mode_ on all NICs (based on wpcap)\n  - `enable-promisc.exe`: calling pcap_findalldevs_ex\n  - `wpcap.dll`: modified pcap_activate_win32\n- `check-promisc.ps1`: check if all NICs are in _Promisc Mode_\n- `restart-nic.bat`: restart NIC `以太网`\n- `enable-dbgprint.reg`: enable `dbgprint` on DbgView (use once)\n- `enable-testsigning.bat`: enable test signing (use once)\n\n## License\n\nCopyright (C) 2018  BOT Man\n\nGPL-3.0 License","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBOT-Man-JL%2FWFP-Traffic-Redirection-Driver","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FBOT-Man-JL%2FWFP-Traffic-Redirection-Driver","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FBOT-Man-JL%2FWFP-Traffic-Redirection-Driver/lists"}