Windows-driver-samples | repo contains driver samples

For security, the driver refuses to send these types of packets by default.

Of course, since you have the source code to the driver, you are free to modify this restriction however you like — it's your driver. You can add a line to specifically allow the 0x88A4 EtherType, or delete the entire if-statement to allow all EtherTypes. You can require the usermode process to be running as Administrator if it wants to send "suspicious" network frames.

A bit more detail on the security angle. If you allow untrusted users/programs to place arbitrary data onto the network, that may compromise or weaken network security. This is why the sample driver (and Windows in general) does not allow arbitrary programs to put arbitrary data on the network.

For example, a malicious program that has unrestricted access to the Ethernet layer can advertise a malicious DHCP server that points clients to a malicious DNS server, conduct ARP poisoning attacks on your switch, DoS a switch (with, for example, 802.3x PAUSE frames, or with LLDPDUs that undermine the QoS policy), or circumvent any firewall policies you might have.

These potential attacks aren't necessarily a deal-breaker: consider that this is roughly the equivalent of allowing someone to plug an arbitrary unmanaged device into an Ethernet jack on your network. If your network already has measures in place to defend against hostile Ethernet endpoints, then removing restrictions from the sample driver not making things much worse. Alternatively, if you have some level of trust for all the users & code on the PCs that will run your driver, then modifying the driver won't matter. Or if your threat model already assumes the network is hostile and unreliable, then removing these restrictions will only help fulfill your threat model's expectations. ;)

Found inspiration from a proprietary network driver code. This function turns interface on/off:

Thanks to comment by @Eryk, I was able to open a driver. I include a sample program below. All error checking was omitted for clarity. I used the CDROM driver class in this example. The real challenge is finding the elusive GUID to use - you must do some deep digging in the SDK, DDK, include files or your driver.

That's the right place to start. Consider this code:

GetFileSize is not a WDK function. Use ZwQueryInformationFile instead of GetFileSize.

Use the codes below

The sample you looked at is for an ETW Provider, not a consumer. I'm not sure there is a documented way to consume ETW events from kernel. You can check samples for consuming events from user mode: https://github.com/microsoft/Windows-driver-samples/tree/master/general/tracing/SystemTraceControl

Also note that Microsoft Windows Threat Intelligence ETW provider can only be consumed in Anti-Malware PPL type process. It requires having an Early Launch AntiMalware driver with a matching AntiMalware service. More info can be found at: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-