Building your own firewall....

Started by xandaz, April 29, 2012, 10:08:07 PM

xandaz

    I've been scooping around for functions that can be used in firewalls to warn an application that certain events are occurring and stumbled on SHChangeNotifyRegister, but I can't make anything out of it. Can this be used?

dedndave

From what I can find, it is used to "register" a request for notification if a device is changed...
http://www.codeproject.com/Articles/3226/Using-the-shell-to-receive-notification-of-removab

Force

Never Stop Until You Are Better Than The Best

qWord

a naive approach would be to hook the corresponding winsock functions ...
FPU in a trice: SmplMath
It's that simple!

Gunner

You could look into functions that Windows exposes through the Windows Filtering Platform (WFP)
~Rob (Gunner)
- IE Zone Editor
- Gunners File Type Editor
http://www.gunnerinc.com
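As an added example (not code from the thread or from any of its posters), here is the user-mode way to get a WFP-backed block rule in place without writing a driver: the built-in Windows Firewall is itself a WFP consumer, so a rule created through the NetSecurity cmdlets ends up as WFP filters. The rule name, port and log path handling are assumptions; it needs an elevated PowerShell on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Block outbound TCP to one remote port
# through Windows Firewall (a WFP consumer) and read back what was created.
$ruleName = 'Demo-Block-Outbound-8080'   # constructed rule name
$port     = 8080                          # constructed remote port

# Remove any leftover rule with the same name so the script is re-runnable.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Create the block rule: outbound, TCP, remote port $port, any program, any profile.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort $port `
    -Action Block `
    -Profile Any `
    -Enabled True | Out-Null

# Verify: read the rule back together with its associated port filter.
$rule       = Get-NetFirewallRule -DisplayName $ruleName
$portFilter = $rule | Get-NetFirewallPortFilter
'{0}: {1} {2} remote port {3} -> {4}' -f $rule.DisplayName, $rule.Direction,
    $portFilter.Protocol, $portFilter.RemotePort, $rule.Action

# Observe drops without hooking anything: turn on logging of blocked packets
# for every profile, then show the most recent DROP lines from the log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
$logPath = [Environment]::ExpandEnvironmentVariables(
    (Get-NetFirewallProfile -Profile Public).LogFileName)
if (Test-Path $logPath) {
    # Log line layout: date time action protocol src-ip dst-ip src-port dst-port ...
    Get-Content $logPath |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |
        Select-Object -Last 10
}
```

The script is idempotent (it deletes a rule of the same name before recreating it), and the final section shows the detection side: once blocked packets are logged, the firewall log can be tailed for `DROP` lines by any user-mode tool, which is the supported alternative to intercepting winsock calls.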

shlomok

If you are actually writing a firewall, at the lowest level this can be achieved using a Windows TDI driver.
See: http://www.iseclab.org/papers/Writing_TDI_Drivers.pdf

Edit:
It seems TDI has been deprecated, see: http://msdn.microsoft.com/en-us/library/ff565094%28v=vs.85%29.aspx

Quote: "The TDI feature is deprecated and will be removed in future versions of Microsoft Windows. Depending on how you use TDI, use either the Winsock Kernel (WSK) or Windows Filtering Platform (WFP). For more information about WFP and WSK, see Windows Filtering Platform and Winsock Kernel. For a Windows Core Networking blog entry about WSK and TDI, see Introduction to Winsock Kernel (WSK)."

S.

baltoro

If I was going to build the ULTIMATE FIREWALL,...I think it would be a kernel mode component (or several of them).
WHY ???
...Because that's where the SERIOUS DAMAGE occurs. And, any user mode application will be oblivious to it,...
And,...of course, the user needs to know.
...Not that they will know what to do about it,...
Baltoro

vanjast

Quote from: Force on April 29, 2012, 11:07:35 PM
Maybe this site helps you with firewalls

http://www.te-home.net/HeXHub/
One interesting thing about those downloads... the install files are 2x+ the source code size - This is not right ???

Edit: the install files are full of stuff!!
:green2

xandaz

    Thanks guys...so many replies. Well.... the function I mentioned doesn't do the trick. A kernel mode thing would prolly be the best way, except that building drivers is out of my league. I'm looking into the posts for answers.
    Let me just post what little I had done. The thing is it only responds to shell operations, and also I always get the Desktop pidl when the message comes in. The user.inc is kinda taken from shlobj - I only took what was needed. A lot of structure redefs and other non-benign stuff.
    Thanks a lot.

xandaz

    What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? thx

P1

Quote from: xandaz on May 01, 2012, 10:03:37 PM
    What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? thx
For what OS ???

Regards,  P1   :8)

shlomok

Quote from: xandaz on May 01, 2012, 10:03:37 PM
    What if I wanted to prevent a certain program from running, or at least prompt before it does? Does anyone know how to do that? thx

That would be very complicated, and will require the use of API hooks which are not allowed in discussions here.

P1

Quote from: shlomok on May 02, 2012, 04:06:11 AM
That would be very complicated, and will require the use of API hooks which are not allowed in discussions here.
Moderators do help guide a discussion into areas of stated purpose.

But many times, it is just a cover story for less than honorable purposes.

There are other solutions available that do not compromise the security and stability of the OS to achieve a goal.

But there is the rub, many do want to compromise the OS, at the loss of the user.

If this is a single executable, there are some simple effective solutions for that.

I have written many loaders for exe files, that check for updated versions first.  Saves a lot of software maintenance on a network. 

Regards,  P1   :8)

xandaz

    Well....if it can't be discussed then there's no point going any further. OS is Vista. I heard of some kernel mode functions that do the trick. PS...something, if I recall correctly. Drivers are a bit beyond me.
    Thanks guys.

xandaz

    So...P1. Does that mean we can talk about it? Show me...pls.
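As an added example (not code from the thread or from any of its posters) of the kind of solution P1 alludes to that does not hook APIs: process creation can be observed from user mode through the WMI/CIM event class Win32_ProcessStartTrace, which is enough to warn the user or log the event. It is detection after the fact, not prevention; actually blocking a launch is a job for the kernel callback xandaz half-remembers or for OS policy features, neither of which this script does. The watched image name and log path are constructed assumptions, and the subscription needs an elevated PowerShell session.

```powershell
# Added example, not from the thread. Subscribe to process-start events via CIM
# and log/notify when a watched executable launches. No API hooking involved.
$watched = 'notepad.exe'                      # constructed name to alert on
$logFile = Join-Path $env:TEMP 'proc-watch.log'   # constructed log location

# Runs on every process start; MessageData carries the watched name in.
$onStart = {
    $e = $Event.SourceEventArgs.NewEvent
    if ($e.ProcessName -ieq $Event.MessageData) {
        $msg = '{0} started (PID {1}, parent PID {2})' -f `
            $e.ProcessName, $e.ProcessID, $e.ParentProcessID
        Write-Host $msg
        # Persist the alert; a real tool would feed its own alert channel here.
        Add-Content -Path $logFile -Value ('{0} {1}' -f (Get-Date -Format o), $msg)
    }
}

$null = Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'ProcWatch' -MessageData $watched -Action $onStart

try {
    Write-Host "Watching for $watched for 60 seconds; launch it to see an alert..."
    Start-Sleep -Seconds 60
}
finally {
    # Always tear the subscription down, otherwise it outlives the script.
    Unregister-Event -SourceIdentifier 'ProcWatch' -ErrorAction SilentlyContinue
    if (Test-Path $logFile) { Get-Content $logFile | Select-Object -Last 5 }
}
```

The action block runs in the session's event loop, so keep it short and avoid blocking calls inside it; the `finally` block makes sure the subscription is removed even if the script is interrupted. Because the event fires after the process already exists, anything a handler does to that process is a race, which is exactly why real enforcement lives in kernel mode or in OS policy rather than in a user-mode watcher.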