{"id":36924219,"url":"https://github.com/wiresock/WFPCalloutExplorer","last_synced_at":"2026-01-28T10:00:58.214Z","repository":{"id":210743762,"uuid":"687023648","full_name":"wiresock/WFPCalloutExplorer","owner":"wiresock","description":"Simple command line tool to enumerate loaded WFP callout drivers","archived":false,"fork":false,"pushed_at":"2024-02-02T11:30:23.000Z","size":24,"stargazers_count":7,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-05T20:34:57.265Z","etag":null,"topics":["callout","drivers","filtering","platform","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wiresock.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-04T12:45:28.000Z","updated_at":"2025-03-11T02:03:16.000Z","dependencies_parsed_at":"2024-02-02T12:32:31.673Z","dependency_job_id":"4a4c4334-f6ee-48db-83d9-903ca53218d0","html_url":"https://github.com/wiresock/WFPCalloutExplorer","commit_stats":null,"previous_names":["wiresock/wfpcalloutexplorer"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/wiresock/WFPCalloutExplorer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiresock%2FWFPCalloutExplorer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiresock%2FWFPCalloutExplorer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiresock%2FWFPCalloutExplorer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/wiresock%2FWFPCalloutExplorer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wiresock","download_url":"https://codeload.github.com/wiresock/WFPCalloutExplorer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wiresock%2FWFPCalloutExplorer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28844011,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T07:39:25.367Z","status":"ssl_error","status_checked_at":"2026-01-28T07:39:24.487Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["callout","drivers","filtering","platform","windows"],"created_at":"2026-01-12T19:00:25.489Z","updated_at":"2026-01-28T10:00:58.200Z","avatar_url":"https://github.com/wiresock.png","language":"C++","funding_links":[],"categories":["***Rootkits***","C++"],"sub_categories":["***Techniques***"],"readme":"# WFPCalloutExplorer\n\n`WFPCalloutExplorer` is a specialized tool meticulously designed to identify currently loaded Windows Filtering Platform (WFP) callout filter drivers. It achieves this objective by scrutinizing whether these drivers import the vital `FWPKCLNT!FwpsCalloutRegister` function.\n\n## Prerequisites\n\n- Visual Studio 2022.\n- Dependency on `pe-parse`. 
You can easily install it using `vcpkg` with the following command:\n\n```bash\nvcpkg install pe-parse:x64-windows pe-parse:x86-windows pe-parse:arm64-windows pe-parse:x64-windows-static pe-parse:x86-windows-static pe-parse:arm64-windows-static\n```\n\n## Usage\n\n1. Build the `WFPCalloutExplorer` project using Visual Studio 2022.\n2. Run the executable. The program will dynamically load `ntdll.dll`, query system modules, and inspect each module to determine if it is a WFP callout filter driver.\n\nAlternatively, precompiled binaries for `x86`, `x64`, and `arm64` platforms are available in the [Releases section](https://github.com/wiresock/WFPCalloutExplorer/releases) of this repository.\n\n## Functionality\n\n- Dynamically retrieves system modules using the `NtQuerySystemInformation` function.\n- Translates the path of system modules to ensure correct file paths.\n- Parses the PE headers of modules to determine whether they link against the `FWPKCLNT.SYS` library and import the `FwpsCalloutRegister` function.\n\n## Output\n\nThe program outputs the names of drivers that are highly likely to be WFP callout filters based on their imports.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiresock%2FWFPCalloutExplorer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwiresock%2FWFPCalloutExplorer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiresock%2FWFPCalloutExplorer/lists"}