Process Id

[ghost]

To get the process id it's currently required to execute the very expensive GetTcpTable2 (or similar) function. However, the process id already seems to be available in WFP (https://msdn.microsoft.com/en-us/library/windows/hardware/ff552397(v=vs.85).aspx). Maybe this could be added to PWINDIVERT_ADDRESS?

PS: Thanks for the great lib!

[TechnikEmpire]

Fyi I found a documentation link showing that it's possible to use a string absolute path to one or more binaries for filtering matching, supported back in Vista. So it should be possible to do that as well. When I have time I'd like to take a crack at one of these features and just do a PR.

[basil00]

Although that data-structure contains a processId field, the process ID is not actually available at the WFP network layer (e.g. FWPM_LAYER_OUTBOUND_IPPACKET_V4, etc.) at which WinDivert runs (i.e. the processId field will just be zero).

[ghost]

Thanks for the replies 👍
Please also check here @basil00, there are several ways mentioned to get processId from that layer.

[basil00]

Please also check here @basil00, there are several ways mentioned to get processId from that layer.

No, as the link mentions you still need to get the PID from the ALE layer, and WinDivert does not support this layer for now.

[ghost]

I see, you are indeed correct, thanks again @basil00!

[dfct]

@basil00, do you have any plans to support the ALE layer some day? A project of mine has me looking at it now. Cheers

[basil00]

Perhaps one day, but development on WinDivert is currently dormant until #53 is resolved.