\n\nThis page has been machine-translated from the original page.
\n
This article presents the contents of A PART OF ANTI-VIRUS 3 - WFP Edition -, which was distributed free of charge at Tech Book Fest 20.
\nThe PDF edition can still be downloaded from the Tech Book Fest online market page linked above.
\nAll content in this book is based on information described in official documentation and other websites, or on generally available books and source code. When discussing technical details, I will note the sources in footnotes whenever possible. In addition, everything written in this book reflects my personal views and does not represent the companies or organizations I belong to.
\nThank you very much for picking up this book. My name is kashiwaba (@kash1064).
\nMy main interests are the technical fields of reverse engineering and forensics, and lately I spend much of my time reading the source code of various applications and technical books while raising children.
\nI also work as a technical support engineer at a security product vendor, and at two companies so far I have worked on troubleshooting and debugging anti-malware products for Windows and Linux.
\nIn this book, following the “A part of Anti-Virus” series 1 2 that I have published so far, I explain the overview of Windows Filtering Platform (WFP) and WFP callout drivers used in various security products, including antivirus and Endpoint Detection and Response (EDR).
\nAs explained in more detail in Chapter 1, WFP is a set of APIs and system services that provides a platform for creating network filtering applications on Windows Vista and Windows Server 2008 and later.3
\nBy using WFP, developers and application vendors can implement a variety of software on Windows, such as firewalls, intrusion detection and prevention systems (IDS/IPS), communication inspection and blocking by antivirus products, and other network monitoring tools.
\nFor example, Microsoft Defender Firewall (formerly Windows Defender Firewall), which is included with Windows by default, also uses this WFP mechanism to filter traffic based on various conditions.4
\nIn this book, I explain in as much detail as possible, based on publicly available information, why endpoint-based network filtering is needed in security, and what WFP features antivirus products and EDR use to protect endpoints.
\nI also hope this book will help many users deepen their understanding of network security at the endpoint and how antivirus products use WFP.
\nTo deepen understanding of WFP and the antivirus functionality used in endpoint network security measures, each chapter covers the following topics.
\nThis book explains WFP starting from the basic concepts, but having the following knowledge will make it easier to follow.
\nIn this book, we verify the behavior by building sample programs that use WFP and running them in a virtual machine.
\nTo keep the structure of this book focused, I omit detailed environment setup instructions.\nHere I will briefly list the main tools and environment for readers who want to actually verify the samples themselves.
\nThis book uses a Windows 10 22H2 virtual machine built on Hyper-V.
\nOn this virtual machine, enable test signing mode and kernel debugging with the following commands (run them with administrator privileges, and reboot afterward).\nNote that depending on your Secure Boot or BitLocker configuration, you may not be able to change these settings.\nThese settings are for verification purposes, and should not be enabled on production endpoints.
\nbcdedit /set testsigning on\nbcdedit /debug onAlso, to perform kernel debugging from a remote machine, use kdnet.exe to register kernel debugging settings over the network.
The procedure used to set up the virtual machine for this book is almost the same as the one introduced in Chapter 1 of my earlier book, “A part of Anti-Virus,” which is also distributed free of charge, so I recommend reading that as well.
\nNext, to build the programs and sample code used in this book, we use Visual Studio 2022 Community.
\nAt the time of writing, the WDK assumes driver development with Visual Studio 2022, and compatibility with Visual Studio 2026 is not guaranteed.\nFor that reason, this book uses Visual Studio 2022.5
\nAt the moment, the official download site does not provide Visual Studio 2022 Community.
\nTherefore, I download the installer directly from https://aka.ms/vs/17/release/vs_community.exe.
\nBelow are the main tools used in this book.
\nThese tools are installed on the virtual machine and used to install kernel drivers, verify their behavior, and inspect the registration status of WFP filters.
\nhttps://github.com/zodiacon/AllTools/blob/master/WFPExp.exe
\nhttps://www.osronline.com/article.cfm%5Earticle=157.htm
\nhttps://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
\nI received tremendous support from the members of the CTF team 0nePadding in writing this book.
\nI would like to express my deep gratitude to 0nePadding members @salty_byte and @rikoteki for helping with proofreading.
\nA part of Anti-Virus https://techbookfest.org/product/iFrVq6PX0PPJhivrGzhi32
\n↩\nA part of Anti-Virus 2 https://techbookfest.org/product/8RXYbx8JnsHZeFNHGRmMJU
\n↩\nWindows Filtering Platform https://learn.microsoft.com/ja-jp/windows/win32/fwp/windows-filtering-platform-start-page
\n↩\nWindows Filtering Platform https://learn.microsoft.com/windows/win32/fwp/windows-filtering-platform-start-page
\n↩\nDownload the Windows Driver Kit (WDK) https://learn.microsoft.com/ja-jp/windows-hardware/drivers/download-the-wdk
\n↩\n