I am very curious how does popular personal firewall like ZoneAlarm work. When they discover outgoing packets, how do they know what program is sending them?
Usually they utilize an NDIS-level filter and a TDI one.
Do all such firewalls work similarly?
From a general point of view the answer is YES, but the concrete realization and the set of features can be very different.
I was wondering whether a malware application could fake the returned command line so the firewall would think it's another process. Is it possible?
Yes, this is possible.