ndis wfp

Is WFP in Windows kernel implemented using a NDIS LWF driver?


I have a question regarding how Windows has actually implemented WFP, and by WFP I mean the support for writing WFP drivers.

Has this been implemented the same way as minifilters were? In the case of minifilters, if I recall correctly, a filter driver (filter manager) was developed which had the job of simplifying things for driver developers and added the ability to write minifilters.

My question is, was WFP implemented the same way? If so, what is the fltmgr.sys equivalent for WFP?

Based on analyzing some crash dumps and the output of ndiskd.netreport, I assume this should be wfplwfs.sys, which is the equivalent of fltmgr.sys for the file system, and its job is to distribute NBLs to WFP drivers and also assign things such as PID, etc., to each NBL, correct?


Solution

  • WFP is a large platform and permits callouts from many parts of the network stack. The most commonly-used callouts are at application (sockets), transport (tcp/udp), and network (ipv4/ipv6) layers. These layers are not implemented with NDIS LWF drivers; they're implemented directly in tcpip.sys.

    WFP also has mac layer (ethernet/wifi) callouts; in Windows 10 and Windows 11, these are implemented using an NDIS LWF driver. (This is an implementation detail, and theoretically could be changed later. Although, admittedly, I'm not sure why we would change it.)

    Based on analyzing some crash dumps and the output of ndiskd.netreport, I assume this should be wfplwfs.sys, which is the equivalent of fltmgr.sys for the file system, and its job is to distribute NBLs to WFP drivers and also assign things such as PID, etc., to each NBL, correct?

    Yes, for mac layer callouts.
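A practical way to see the split the answer describes on a live machine is to look at the adapter bindings: the MAC-layer half of WFP shows up as a hidden NDIS lightweight filter bound to each adapter, while the transport and network layers live in tcpip.sys and have no binding at all. The following PowerShell is an added example, not code from the question or answer; it assumes the NetAdapter module (Windows 8 / Server 2012 or later), an elevated prompt, that the WFP LWF bindings carry component IDs matching `ms_wfplwf_*` (`ms_wfplwf_upper` for 802.3, `ms_wfplwf_lower` for native MAC), and that wfplwfs.sys is registered under the kernel service name `WFPLWFS`.

```powershell
# Added example; assumptions: NetAdapter module available, elevated session,
# WFP LWF component IDs match 'ms_wfplwf*', driver service name is 'WFPLWFS'.

function Get-WfpMacLayerStatus {
    [CmdletBinding()]
    param()

    # The WFP LWF bindings are hidden from the adapter property UI,
    # so -IncludeHidden is required to enumerate them at all.
    $bindings = Get-NetAdapterBinding -IncludeHidden |
        Where-Object { $_.ComponentID -like 'ms_wfplwf*' }

    # wfplwfs.sys is the NDIS LWF that hosts the MAC-layer callouts; its
    # service state tells you whether that half of WFP is loaded at all.
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name = 'WFPLWFS'" `
        -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        [PSCustomObject]@{
            Adapter     = $b.Name
            Binding     = $b.DisplayName
            ComponentID = $b.ComponentID
            Enabled     = $b.Enabled
            DriverState = if ($drv) { $drv.State } else { 'not found' }
        }
    }
}

# Full picture: one row per adapter per WFP LWF binding.
$status = Get-WfpMacLayerStatus
$status | Format-Table -AutoSize

# Worth flagging in a baseline check: an adapter whose WFP LWF binding is
# disabled means MAC-layer (ethernet/wifi) callouts never see its frames,
# while ALE/transport/network callouts in tcpip.sys are unaffected.
$status | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "WFP MAC-layer LWF disabled on adapter '$($_.Adapter)' ($($_.ComponentID))" }
```

Because the socket, transport and network layers are inside tcpip.sys rather than an LWF, nothing analogous appears for them in the binding list; `netsh wfp show state` is the place to enumerate those layers and their registered callouts.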