I have come across a similar question here:
https://social.msdn.microsoft.com/Forums/en-US/5356cfd8-fecd-44b4-89ca-9c0675d9ac3a/how-to-get-original-destination-address-from-proxied-packet?forum=wfp
Question 1:
I would like to figure out if a connection is being redirected/proxied and, if so, what the original destination IP is. I want to do it in a proxy-protocol-independent way. (For example, in a SOCKS5 proxy the destination IP is sent in one of the SOCKS5 handshake messages; in an HTTP proxy the destination IP/URL is embedded in the HTTP request header, which SOCKS5 or HTTP proxy servers use to relay the packet. So I want to figure out the destination IP independent of the proxy protocol in use.)
Referring to the post above, if the proxy is happening using re-injection at FWPM_LAYER_{INBOUND | OUTBOUND}_TRANSPORT_V{4 | 6}, how do I track such a packet? Essentially I would want to make a note of the original packet and its destination IP, and if this IP is then modified by anyone else's callout and reinjected, I want to identify that it is the same old packet with a new destination IP.
If I attach a flow context to help me identify this, my guess is that the context would get wiped out during cloning and reinjection. My idea is to first check the injection state (FwpsQueryPacketInjectionState0) for FWPS_PACKET_INJECTED_BY_OTHER and somehow identify that it is a previous packet I have seen before with a different destination IP.
One dumb brute-force way would be to hash packets and compare, but that just seems very impractical from an implementation and performance point of view.
Is there a cleaner way to do something like this with minimum performance impact?
Question 2:
This might be a dumb question, but what's the idea behind the clone-modify-inject model? One reason could be for all the layers to have a relook at the packet. But if I only modify the remote IP of an outbound packet at the TRANSPORT/NETWORK layer and permit it to be passed down the stack, technically it should work, or will it be discarded?
Thank you.
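The matching idea in Question 1 can be made cheaper than hashing whole packets: a destination-rewriting callout changes the destination address but leaves the protocol, source port, IP identification and (for TCP) the sequence number alone, so those fields form a small key under which the first-seen destination can be recorded and later compared. The following is an added, user-mode C simulation of that bookkeeping, not code from the original post or from the Windows Filtering Platform; `packet_t`, `inject_state_t`, `classify_outbound` and the FNV table are all constructed here. In a real callout the `inject_state_t` value would come from FwpsQueryPacketInjectionState0 (FWPS_PACKET_NOT_INJECTED on the first pass, FWPS_PACKET_INJECTED_BY_OTHER on the re-injected clone) and the fields would be read from the classify values and NET_BUFFER_LIST at FWPM_LAYER_OUTBOUND_TRANSPORT_V4; that driver-side plumbing is deliberately left out so the logic can run stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the fields a callout can read for an outbound IPv4
   packet. Only the fields a destination rewrite leaves untouched form the key. */
typedef struct {
    uint8_t  proto;     /* 6 = TCP, 17 = UDP */
    uint16_t src_port;  /* local port, unchanged by a destination rewrite */
    uint16_t ip_id;     /* IPv4 identification field */
    uint32_t seq;       /* TCP sequence number; 0 for UDP */
    uint32_t dst_ip;    /* destination address as seen at this layer (host order) */
} packet_t;

/* Stand-in for the injection state a real callout gets from
   FwpsQueryPacketInjectionState0; the simulation passes it in explicitly. */
typedef enum { SIM_NOT_INJECTED, SIM_INJECTED_BY_SELF, SIM_INJECTED_BY_OTHER } inject_state_t;

typedef enum {
    SEEN_FIRST_TIME = 0,   /* original destination recorded */
    REDIRECTED      = 1,   /* re-injected clone, destination changed */
    UNCHANGED       = 2,   /* re-injected clone, destination identical */
    UNKNOWN_ORIGIN  = 3    /* injected by other, no matching original on record */
} verdict_t;

#define TABLE_SIZE 256
static packet_t table[TABLE_SIZE];
static uint8_t  used[TABLE_SIZE];

/* FNV-1a over the invariant fields only; dst_ip is deliberately excluded. */
static unsigned key_hash(const packet_t *p) {
    uint32_t h = 2166136261u;
    uint8_t key[9];
    key[0] = p->proto;
    memcpy(key + 1, &p->src_port, 2);
    memcpy(key + 3, &p->ip_id, 2);
    memcpy(key + 5, &p->seq, 4);
    for (size_t i = 0; i < sizeof key; i++) { h ^= key[i]; h *= 16777619u; }
    return h % TABLE_SIZE;
}

static int same_key(const packet_t *a, const packet_t *b) {
    return a->proto == b->proto && a->src_port == b->src_port &&
           a->ip_id == b->ip_id && a->seq == b->seq;
}

void tracker_reset(void) { memset(used, 0, sizeof used); }

/* Classify one outbound packet. On REDIRECTED or UNCHANGED, *orig_dst receives
   the destination recorded when the packet was first seen. */
verdict_t classify_outbound(const packet_t *p, inject_state_t state, uint32_t *orig_dst) {
    unsigned idx = key_hash(p);
    if (state == SIM_NOT_INJECTED) {
        /* First pass through the stack: record the destination before any other
           callout can rewrite it. A hash collision simply overwrites (toy table). */
        table[idx] = *p;
        used[idx] = 1;
        return SEEN_FIRST_TIME;
    }
    if (state == SIM_INJECTED_BY_OTHER) {
        if (!used[idx] || !same_key(&table[idx], p)) return UNKNOWN_ORIGIN;
        *orig_dst = table[idx].dst_ip;
        return table[idx].dst_ip == p->dst_ip ? UNCHANGED : REDIRECTED;
    }
    return UNKNOWN_ORIGIN; /* our own injections are not re-examined in this model */
}

/* Constructed scenario: a TCP SYN to 93.184.216.34:443 from local port 50000 is
   later re-injected by another callout with the destination rewritten to 10.0.0.5. */
static const packet_t kOriginal = { 6, 50000, 0x1234, 1000, 0x5DB8D822u };

int demo_redirect_verdict(void) {
    packet_t clone = kOriginal;
    uint32_t orig = 0;
    clone.dst_ip = 0x0A000005u;
    tracker_reset();
    classify_outbound(&kOriginal, SIM_NOT_INJECTED, &orig);
    return (int)classify_outbound(&clone, SIM_INJECTED_BY_OTHER, &orig);
}

uint32_t demo_redirect_original_dst(void) {
    packet_t clone = kOriginal;
    uint32_t orig = 0;
    clone.dst_ip = 0x0A000005u;
    tracker_reset();
    classify_outbound(&kOriginal, SIM_NOT_INJECTED, &orig);
    classify_outbound(&clone, SIM_INJECTED_BY_OTHER, &orig);
    return orig;
}

/* A packet with the same source port but a different IP ID / sequence number is
   a different packet and must not be reported as a redirect of the original. */
int demo_unrelated_verdict(void) {
    packet_t other = kOriginal;
    uint32_t orig = 0;
    other.ip_id = 0x4321; other.seq = 2000; other.dst_ip = 0x0A000005u;
    tracker_reset();
    classify_outbound(&kOriginal, SIM_NOT_INJECTED, &orig);
    return (int)classify_outbound(&other, SIM_INJECTED_BY_OTHER, &orig);
}

int main(void) {
    uint32_t o = demo_redirect_original_dst();
    printf("verdict=%d original destination=%u.%u.%u.%u\n", demo_redirect_verdict(),
           o >> 24, (o >> 16) & 255, (o >> 8) & 255, o & 255);
    return 0;
}
```

Two caveats a practitioner should keep in mind when carrying this over to a driver: the IPv4 identification field is often zero on modern stacks for packets with DF set, so for TCP the sequence number is the invariant to rely on, and for UDP the key is weaker; and the record must be made at the lowest layer that still sees the unmodified packet, so a flow- or packet-level lookup keyed this way does not depend on a flow context surviving the clone.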