wiresock / ndisapi

Windows Packet Filter library for network packet interception and manipulation, suitable for custom firewall, VPN and traffic analysis applications.
https://www.ntkernel.com/windows-packet-filter/
MIT License
289 stars 78 forks

How to get request process PID address #5

Closed Miracle-doctor closed 4 years ago

Miracle-doctor commented 4 years ago

How to get requestor process PID address

wiresock commented 4 years ago

Process context is not available on the NDIS level, moreover some packets don't have associated PID (e.g. routed ones). However, you can use IP Helper API for this purpose. For the TCP protocol it can be done with the following steps:

1. Use GetExtendedTcpTable and GetOwnerModuleFromTcpEntry to build the mapping from the local (IP address, TCP port) to process executable.
2. Extract IP and port information from the packet and use the mapping built in the previous step to look up the process executable.
3. Update the mapping periodically or when you can't look up the process for a certain packet.

For the UDP just use GetExtendedUdpTable and GetOwnerModuleFromUdpEntry instead.
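The three TCP steps above, as an added C++ example (not ndisapi or wiresock's own code): it assumes Windows with iphlpapi.lib linked, and on other platforms substitutes a constructed snapshot table so the lookup-and-refresh logic can still be exercised.

```cpp
// Added example (not ndisapi code): local (IPv4, TCP port) -> owning executable via IP Helper.
#include <cstdint>
#include <map>
#include <string>
#include <utility>
#include <vector>
#ifdef _WIN32
#include <winsock2.h>
#include <iphlpapi.h>   // link with iphlpapi.lib
#endif
using Key = std::pair<uint32_t, uint16_t>;        // host-order IPv4 address and port
using OwnerMap = std::map<Key, std::wstring>;     // -> full path of the owning module
#ifdef _WIN32
// Step 1: snapshot the TCP table with owner-module info (Windows only).
OwnerMap snapshot_tcp_owners() {
    OwnerMap m; DWORD size = 0;
    GetExtendedTcpTable(nullptr, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0);
    std::vector<char> buf(size);
    auto* t = reinterpret_cast<PMIB_TCPTABLE_OWNER_MODULE>(buf.data());
    if (GetExtendedTcpTable(t, &size, FALSE, AF_INET, TCP_TABLE_OWNER_MODULE_ALL, 0) != NO_ERROR) return m;
    for (DWORD i = 0; i < t->dwNumEntries; ++i) {
        auto& row = t->table[i]; DWORD msize = 0;   // first call only reports the needed size
        GetOwnerModuleFromTcpEntry(&row, TCPIP_OWNER_MODULE_INFO_BASIC, nullptr, &msize);
        std::vector<char> mbuf(msize);
        auto* info = reinterpret_cast<TCPIP_OWNER_MODULE_BASIC_INFO*>(mbuf.data());
        std::wstring path;   // stays empty when the owner cannot be resolved (e.g. process already gone)
        if (msize && GetOwnerModuleFromTcpEntry(&row, TCPIP_OWNER_MODULE_INFO_BASIC, info, &msize) == NO_ERROR && info->pModulePath)
            path = info->pModulePath;
        m[{ntohl(row.dwLocalAddr), ntohs(static_cast<u_short>(row.dwLocalPort))}] = path;   // port: network order, low 16 bits
    }
    return m;
}
#else
static int g_snapshots = 0;   // constructed stand-in for other platforms: port 8080 "opens" after snapshot 1
OwnerMap snapshot_tcp_owners() {
    OwnerMap m; m[{0x0A000001u, 443}] = L"C:\\demo\\a.exe";
    if (++g_snapshots > 1) m[{0x0A000001u, 8080}] = L"C:\\demo\\b.exe";
    return m;
}
#endif
// Steps 2-3: resolve a packet's local endpoint; on a miss rebuild the map once and retry.
struct OwnerCache {
    OwnerMap map = snapshot_tcp_owners();
    std::wstring lookup(uint32_t local_ip, uint16_t local_port) {
        Key k{local_ip, local_port};
        auto it = map.find(k);
        if (it == map.end()) { map = snapshot_tcp_owners(); it = map.find(k); }   // step 3: refresh on miss
        return it == map.end() ? std::wstring() : it->second;   // empty: no owner (e.g. a routed packet)
    }
};
```

The IP and port passed to `lookup` are the packet's local endpoint in host byte order, which for an outbound packet is its source address and port.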

Miracle-doctor commented 4 years ago

Thanks a lot.