This page has been machine-translated from the original page.
This article presents the contents of A PART OF ANTI-VIRUS 3 - WFP Edition -, which was distributed free of charge at Tech Book Fest 20.
The PDF edition can still be downloaded from the Tech Book Fest online market page linked above.
All content in this book is based on information described in official documentation and other websites, or on generally available books and source code. When discussing technical details, I will note the sources in footnotes whenever possible. In addition, everything written in this book reflects my personal views and does not represent the companies or organizations I belong to.
Table of Contents
- Preface
- Chapter 1: WFP Overview and Architecture
- Chapter 2: A Sample That Uses WFP for Access Control
- Chapter 3: A Sample That Uses a Callout Driver for Access Control
Preface
About This Book
Thank you very much for picking up this book. My name is kashiwaba (@kash1064).
My main interests are the technical fields of reverse engineering and forensics, and lately I spend much of my time reading the source code of various applications and technical books while raising children.
I also work as a technical support engineer at a security product vendor, and at two companies so far I have worked on troubleshooting and debugging anti-malware products for Windows and Linux.
In this book, following the “A part of Anti-Virus” series[1][2] that I have published so far, I explain the overview of Windows Filtering Platform (WFP) and WFP callout drivers used in various security products, including antivirus and Endpoint Detection and Response (EDR).
As explained in more detail in Chapter 1, WFP is a set of APIs and system services that provides a platform for creating network filtering applications on Windows Vista and Windows Server 2008 and later.[3]
By using WFP, developers and application vendors can implement a variety of software on Windows, such as firewalls, intrusion detection and prevention systems (IDS/IPS), communication inspection and blocking by antivirus products, and other network monitoring tools.
For example, Microsoft Defender Firewall (formerly Windows Defender Firewall), which is included with Windows by default, also uses this WFP mechanism to filter traffic based on various conditions.[4]
In this book, I explain in as much detail as possible, based on publicly available information, why endpoint-based network filtering is needed in security, and what WFP features antivirus products and EDR use to protect endpoints.
I also hope this book will help many users deepen their understanding of network security at the endpoint and how antivirus products use WFP.
What This Book Covers
To deepen understanding of WFP and the antivirus functionality used in endpoint network security measures, each chapter covers the following topics.
- Chapter 1: WFP’s overview and basic architecture, the benefits of endpoint-based network filtering/monitoring, and how antivirus products and EDR use WFP.
- Chapter 2: A user-mode program that uses the Base Filtering Engine (BFE) to register filters that control traffic with WFP.
- Chapter 3: A sample program that controls traffic with a WFP callout driver, blocking communication based on scan results from the user-mode program.
Prerequisites for Reading This Book
This book explains WFP starting from the basic concepts, but having the following knowledge will make it easier to follow.
- Basic C/C++ syntax
- Basic knowledge of Windows user mode / kernel mode
- Basic familiarity with using a driver development environment based on Visual Studio and the WDK
- Basic PowerShell command execution
Tools Used in This Book and Environment Setup
In this book, we verify the behavior by building sample programs that use WFP and running them in a virtual machine.
To keep the structure of this book focused, I omit detailed environment setup instructions. Here I will briefly list the main tools and environment for readers who want to actually verify the samples themselves.
Virtual Machine Setup
This book uses a Windows 10 22H2 virtual machine built on Hyper-V.
On this virtual machine, enable test signing mode and kernel debugging with the following commands (run them with administrator privileges, and reboot afterward). Note that depending on your Secure Boot or BitLocker configuration, you may not be able to change these settings. These settings are for verification purposes, and should not be enabled on production endpoints.
bcdedit /set testsigning on
bcdedit /debug on
Also, to perform kernel debugging from a remote machine, use kdnet.exe to register kernel debugging settings over the network.
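As an added check that is not part of the original book, the following PowerShell function (Get-BootDebugSettings is a name chosen here, not a built-in cmdlet) parses the output of bcdedit /enum {current} and reports whether test signing and kernel debugging are currently in effect, so a lab machine can be confirmed before use and a production endpoint can be confirmed to have neither setting on.

```powershell
# Added example, not from the original book: audit whether test signing and
# kernel debugging are enabled in the current boot entry. Get-BootDebugSettings
# is a hypothetical function name; it reads `bcdedit /enum {current}` output
# (which requires an elevated prompt) or parses text passed in via -BcdOutput.
function Get-BootDebugSettings {
    [CmdletBinding()]
    param(
        # Optional raw bcdedit output (e.g. the constructed sample below) for offline use.
        [string[]]$BcdOutput
    )

    if (-not $BcdOutput) {
        # bcdedit needs administrator privileges; capture its output as lines of text.
        $BcdOutput = & bcdedit.exe /enum '{current}' 2>&1 | ForEach-Object { "$_" }
    }

    # bcdedit prints these keys only when they are set; absence means the default (off).
    $testSigning = [bool]($BcdOutput | Where-Object { $_ -match '^\s*testsigning\s+Yes\s*$' })
    $kernelDebug = [bool]($BcdOutput | Where-Object { $_ -match '^\s*debug\s+Yes\s*$' })

    [pscustomobject]@{
        TestSigning      = $testSigning
        KernelDebug      = $kernelDebug
        # Either setting weakens the endpoint; flag it so it is not left on after verification.
        VerificationOnly = ($testSigning -or $kernelDebug)
    }
}

# Constructed sample of what bcdedit prints after the two commands above (not captured from a real host).
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
testsigning             Yes
debug                   Yes
'@ -split "`r?`n"

Get-BootDebugSettings -BcdOutput $sample   # offline check against the constructed sample
Get-BootDebugSettings                       # live check of this machine (run elevated)
```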
The procedure used to set up the virtual machine for this book is almost the same as the one introduced in Chapter 1 of my earlier book, “A part of Anti-Virus,” which is also distributed free of charge, so I recommend reading that as well.
Installing Visual Studio 2022
Next, to build the programs and sample code used in this book, we use Visual Studio 2022 Community.
At the time of writing, the WDK assumes driver development with Visual Studio 2022, and compatibility with Visual Studio 2026 is not guaranteed. For that reason, this book uses Visual Studio 2022.[5]
At the moment, the official download site does not provide Visual Studio 2022 Community.
Therefore, I download the installer directly from https://aka.ms/vs/17/release/vs_community.exe.
Installing Various Tools
Below are the main tools used in this book.
These tools are installed on the virtual machine and used to install kernel drivers, verify their behavior, and inspect the registration status of WFP filters.
- WFP Explorer
https://github.com/zodiacon/AllTools/blob/master/WFPExp.exe
- Driver Loader
https://www.osronline.com/article.cfm%5Earticle=157.htm
- Sysinternals Suite
https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
- Wireshark
Acknowledgements
I received tremendous support from the members of the CTF team 0nePadding in writing this book.
I would like to express my deep gratitude to 0nePadding members @salty_byte and @rikoteki for helping with proofreading.
Footnotes
[1] A part of Anti-Virus https://techbookfest.org/product/iFrVq6PX0PPJhivrGzhi32
[2] A part of Anti-Virus 2 https://techbookfest.org/product/8RXYbx8JnsHZeFNHGRmMJU
[3] Windows Filtering Platform https://learn.microsoft.com/ja-jp/windows/win32/fwp/windows-filtering-platform-start-page
[4] Windows Filtering Platform https://learn.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page
[5] Download the Windows Driver Kit (WDK) https://learn.microsoft.com/ja-jp/windows-hardware/drivers/download-the-wdk