I've been scoping around for functions that can be used in firewalls to warn an application that certain events are occurring, and stumbled on SHChangeNotifyRegister, but I can't make anything out of it. Can this be used?
From what I can find, it is used to "register" a request for notification if a device is changed...
http://www.codeproject.com/Articles/3226/Using-the-shell-to-receive-notification-of-removab
Maybe this site will help you with firewalls:
http://www.te-home.net/HeXHub/
A naive approach would be to hook the corresponding Winsock functions...
You could look into functions that Windows exposes through the Windows Filtering Platform (WFP)
If you are actually writing a firewall, at the lowest level this can be achieved using a Windows TDI driver.
See: http://www.iseclab.org/papers/Writing_TDI_Drivers.pdf
Edit:
It seems TDI has been deprecated, see: http://msdn.microsoft.com/en-us/library/ff565094%28v=vs.85%29.aspx
Quote: "The TDI feature is deprecated and will be removed in future versions of Microsoft Windows. Depending on how you use TDI, use either the Winsock Kernel (WSK) or Windows Filtering Platform (WFP). For more information about WFP and WSK, see Windows Filtering Platform and Winsock Kernel. For a Windows Core Networking blog entry about WSK and TDI, see Introduction to Winsock Kernel (WSK)."
S.
If I were going to build the ULTIMATE FIREWALL... I think it would be a kernel mode component (or several of them).
WHY???
...Because that's where the SERIOUS DAMAGE occurs. And any user mode application will be oblivious to it...
And... of course, the user needs to know.
...Not that they will know what to do about it...
Quote from: Force on April 29, 2012, 11:07:35 PM
Maybe this site will help you with firewalls:
http://www.te-home.net/HeXHub/
One interesting thing about those downloads... the install files are 2x+ the size of the source code. This is not right???
Edit: the install files are full of stuff!!
Thanks guys... so many replies. Well... the function I mentioned doesn't do the trick. A kernel mode thing would probably be the best way, except that building drivers is out of my league. I'm looking into the posts for answers.
Let me just post what little I had done. The thing is it only responds to shell operations, and also I always get the Desktop PIDL when the message comes in. The user.inc is kinda taken from shlobj; I only took what was needed. A lot of structure redefs and other non-benign stuff.
Thanks a lot.
What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? Thanks
Quote from: xandaz on May 01, 2012, 10:03:37 PM
What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? Thanks
For what OS ???
Regards, P1 :8)
Quote from: xandaz on May 01, 2012, 10:03:37 PM
What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? Thanks
That would be very complicated, and will require the use of API hooks which are not allowed in discussions here.
Quote from: shlomok on May 02, 2012, 04:06:11 AM
That would be very complicated, and will require the use of API hooks which are not allowed in discussions here.
Moderators do help guide a discussion into areas of stated purpose.
But many times, it is just a cover story for less than honorable purposes.
There are other solutions available that do not compromise the security and stability of the OS to achieve a goal.
But there is the rub, many do want to compromise the OS, at the loss of the user.
If this is a single executable, there are some simple effective solutions for that.
I have written many loaders for exe files, that check for updated versions first. Saves a lot of software maintenance on a network.
Regards, P1 :8)
Well... if it can't be discussed then there's no point going any further. The OS is Vista. I heard of some kernel mode functions that do the trick. Ps... something, if I recall correctly. Drivers are a bit beyond me.
Thanks guys.
So... P1. Does that mean we can talk about it? Show me... please.
Quote from: xandaz on May 06, 2012, 01:11:15 PM
So... P1. Does that mean we can talk about it? Show me... please.
Be more specific, high level design goals?
Meanwhile see "Preventing the Execution of Unauthorized Win32 Applications": www.cigital.com/papers/download/discex2.doc
If you need help with drivers I am here :)
Quote from: xandaz on May 06, 2012, 01:11:15 PM
So... P1. Does that mean we can talk about it? Show me... please.
Personally, you can detour any exe file execution with a loader, to control execution of a single file.
I have adjusted many firewall rules to let a file access the outside TCP/IP world. It is interesting that they NEVER needed to touch the file itself to operate. It's accept or deny the connection direction in the firewall.
So the question of the moment is: what makes interrupting the OS FILE APIs level so important to your programming task???
Regards, P1 :8)
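As an added example (not code from any poster in this thread), here is the per-program approach P1 describes done with the stock Windows Firewall: a rule keyed to the executable's path decides whether that file may talk to the network, and the file itself is never modified. It uses `netsh advfirewall`, which ships with Vista and later, and must be run from an elevated prompt. The rule name and program path are assumptions for illustration, and the output parsing assumes English-locale `netsh` output.

```powershell
# Added example: block all outbound connections from one executable using a
# Windows Firewall rule, then read the rule back to confirm what was applied.
# Requires an elevated PowerShell session. Program path and rule name are assumed.

$RuleName = 'Block outbound - Example App'
$Program  = 'C:\Program Files\ExampleApp\example.exe'   # assumed path, adjust

function Add-OutboundBlockRule {
    param([string]$Name, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Program not found: $Path"
    }
    # dir=out action=block: every outbound connection this executable opens is denied,
    # regardless of port or protocol. The rule is keyed to the path, not to the file's
    # contents, so the executable is left untouched.
    & netsh advfirewall firewall add rule name="$Name" dir=out action=block `
        program="$Path" enable=yes profile=any
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

function Get-RuleState {
    param([string]$Name)
    # Parse 'show rule' output rather than trusting the exit code: netsh exits 0
    # with "No rules match the specified criteria." when the rule does not exist.
    $out = & netsh advfirewall firewall show rule name="$Name" verbose
    if (($out -join "`n") -match 'No rules match') { return $null }
    $state = @{}
    foreach ($line in $out) {
        if ($line -match '^(Rule Name|Enabled|Direction|Program|Action):\s+(.+)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Remove-OutboundBlockRule {
    param([string]$Name)
    & netsh advfirewall firewall delete rule name="$Name"
}

Add-OutboundBlockRule -Name $RuleName -Path $Program
$state = Get-RuleState -Name $RuleName
if ($null -eq $state) { throw "Rule '$RuleName' was not created" }

# Expected fields: Direction = Out, Action = Block, Enabled = Yes, Program = $Program
$state.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# To undo:  Remove-OutboundBlockRule -Name $RuleName
```

Two caveats a practitioner would want: the rule matches on path, so a copy of the same binary at another location is not covered, and a program that launches a helper process (or loads into an already-allowed host such as a browser) is controlled by that process's rules, not its own. Those gaps are exactly what pushes people toward the kernel-level options (WFP) discussed earlier in the thread.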
Thanks guys. You've been very helpful.
Laterz