Some antiviruses and firewals work as “Local Proxy” (ex ESET Smart Security), so using your NDIS and TDI libraries I can’t determine which application a packet belongs to.
Is there a way to defeat that?
Transparent local proxy? If you can’t intercept application network activity on the TDI level then probably mentioned antiviruses use Layered Service Provider (LSP) to redirect the connection to the local proxy and thus it does reach TDI only from the name of local proxy, not in the context of the calling application. If this is really so you have to create your own LSP and layer it just above AV LSP to get connection first.