
Proxy WS2_32.DLL to create your own firewall

Michael Chourdakis, 22 May 2007, CPOL
An article on replacing the Windows Sockets DLLs

Disclaimer

The included files and code are dangerous, because they replace Windows system files. Incomplete or incorrect use may lead to a system hang. I make absolutely no guarantees that it will work for you. It worked for me, at least.

Introduction

This code is an experimental attempt at creating a small firewall. It works by replacing the Windows Sockets DLLs WSOCK32.DLL and WS2_32.DLL with my own versions, which check each call before forwarding it to the original DLL.

Background

Before trying to understand my code, please take a look at my other two articles, which explain:

  • How the proxy source code is generated from the .dll to be proxied (the Wrappit article)
  • How the XML configuration file is parsed

Creating the source

I used Wrappit to generate the .cpp and .def files for ws2_32.dll and wsock32.dll. Apparently you need to replace both DLLs (older applications link against WSOCK32.DLL rather than WS2_32.DLL). The following functions were then replaced in the generated code:

  • connect() and WSAConnect()
  • accept() and WSAAccept()
  • send(), which currently performs no check
  • recv(), which currently performs no check

Each of these functions either allows the call, by forwarding it to the original .dll, or denies it, by returning an error, after consulting an XML configuration file. The path of that file is read from the [WSOCK_WRAPPER] section of WIN.INI:

[WSOCK_WRAPPER]
XmlF=f:\tools\frw\frw.xml

Here is a sample, frw.xml:

<root>
    <levels>
        <l v="0" ipmask="127.0.0.1"/>
        <l v="1" ipmask="192.168.*.*"/>
        <l v="9" ipmask="*"/>
    </levels>
    <defaultrules>
        <r type="0"/>
        <r type="1" prot="6">
            <src ipmask="*" level="*" port="*"/>
            <trg ipmask="*" level="1" port="*"/>
            <act do="1"/>
        </r>
        <r type="1" prot="6">
            <src ipmask="*" level="*" port="*"/>
            <trg ipmask="*" level="*" port="*"/>
            <act do="4" time="30"/>
        </r>
        <r type="2" prot="6">
            <src ipmask="*" level="*" port="*"/>
            <trg ipmask="*" level="*" port="*"/>
            <act do="5" time="30"/>
        </r>
    </defaultrules>
    <rules>
        <app an="c:\Program Files\MSN Messenger\msnmsgr.exe">
            <r type="1" prot="6">
                <src ipmask="*" level="*" port="*"/>
                <trg ipmask="*" level="*" port="80"/>
                <act do="2"/>
            </r>
            <r type="1" prot="6">
                <src ipmask="*" port="*" level="*"/>
                <trg ipmask="*" port="*" level="*"/>
                <act do="1"/>
            </r>
        </app>
    </rules>
    <options run="1"/>
</root>

So what do we have here? First, we define IP levels. A lower level means a safer address. For this example, I've defined 127.0.0.1 as level 0, 192.168.*.* as level 1, and everything else as level 9.

Then come the default rules, which are applied when no matching custom application rule is found. Each rule has a type, and two types are defined:

  • type = 1 -> Outgoing connection, IPv6 is supported.
  • type = 2 -> Incoming connection, IPv6 is supported.

prot=6 means TCP (IPPROTO_TCP). UDP filtering is not yet implemented.

There are 3 default rules:

Rule 1: Matches any source (<src ipmask="*" level="*" port="*"/>) and targets whose level is at most 1 (<trg ipmask="*" level="1" port="*"/>), i.e. 127.0.0.1 and 192.168.*.* in this example. Action? <act do="1"/>. do=1 means allow the connection.

Here are values for do=:

  • 1 = allow
  • 2 = deny
  • 3 = ask (no timeout)
  • 4 = ask (after timeout, auto allow)
  • 5 = ask (after timeout, auto deny)

Rule 2: For any other outgoing connections, will ask (4) and then auto allow after 30 seconds.

Rule 3: For any incoming connections, will ask (5) and then auto block after 30 seconds.

And now a custom rule set for MSN Messenger. Rule 1 blocks outgoing connections to port 80, killing the advertisements, and Rule 2 allows all other outgoing connections.
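The following is an added example, my own code rather than the article's frw sources, that pulls the two mechanisms described above together: the rule semantics of frw.xml (levels, ipmask wildcards, per-application rules with fallback to the default rules, the do= action codes) and the proxy function that either forwards to the renamed original DLL or fails the call. The rule tables are the article's sample frw.xml transcribed by hand (IPv4 only), so nothing is parsed from WIN.INI or the XML file here. The function names (ipmask_match, ip_level, decide, is_allowed, proxy_connect) are mine; reading level="1" as "level 1 or safer" and failing closed when no rule matches are this example's choices, and without a prompt window the "ask" actions simply take their timeout default. The Windows-only part assumes the renamed original is WS2_32OLD.DLL, as in the install step, and that proxy_connect is exported under the name connect through the .def file.

```c
/* Added example, not the article's code. Rule tables are the article's sample
 * frw.xml transcribed by hand (IPv4 only); a real build loads them from the
 * XML file named in WIN.INI. */
#include <string.h>
#include <ctype.h>

enum act { ACT_ALLOW = 1, ACT_DENY = 2, ACT_ASK = 3, ACT_ASK_ALLOW = 4, ACT_ASK_DENY = 5 };
enum dir { DIR_OUT = 1, DIR_IN = 2 };
#define ANY (-1)   /* stands for "*" in a level or port field */

struct level { int v; const char *ipmask; };
struct rule  { int type; int prot; const char *trg_mask; int trg_level; int trg_port; int act; };
struct app   { const char *name; const struct rule *rules; int n; };

static const struct level LEVELS[] = { { 0, "127.0.0.1" }, { 1, "192.168.*.*" }, { 9, "*" } };
static const struct rule DEFAULTS[] = {
    { DIR_OUT, 6, "*", 1,   ANY, ACT_ALLOW },      /* to level<=1 targets: allow      */
    { DIR_OUT, 6, "*", ANY, ANY, ACT_ASK_ALLOW },  /* other outgoing: ask, then allow */
    { DIR_IN,  6, "*", ANY, ANY, ACT_ASK_DENY },   /* incoming: ask, then deny        */
};
static const struct rule MSN_RULES[] = {
    { DIR_OUT, 6, "*", ANY, 80,  ACT_DENY },       /* kill the port-80 advertisements */
    { DIR_OUT, 6, "*", ANY, ANY, ACT_ALLOW },      /* all other outgoing connections  */
};
static const struct app APPS[] = {
    { "c:\\Program Files\\MSN Messenger\\msnmsgr.exe", MSN_RULES, 2 },
};

/* Match a dotted-quad mask such as "192.168.*.*" against an IPv4 address:
 * each "*" matches one whole octet, a bare "*" matches everything. */
int ipmask_match(const char *mask, const char *ip)
{
    if (strcmp(mask, "*") == 0) return 1;
    for (;;) {
        const char *me = strchr(mask, '.'), *ie = strchr(ip, '.');
        size_t ml = me ? (size_t)(me - mask) : strlen(mask);
        size_t il = ie ? (size_t)(ie - ip) : strlen(ip);
        int star = (ml == 1 && mask[0] == '*');
        if (!star && (ml != il || memcmp(mask, ip, ml) != 0)) return 0;
        if ((me == NULL) != (ie == NULL)) return 0;   /* octet counts differ */
        if (me == NULL) return 1;
        mask = me + 1; ip = ie + 1;
    }
}

/* First matching <l> wins, so specific masks must precede "*". */
int ip_level(const char *ip)
{
    for (size_t i = 0; i < sizeof LEVELS / sizeof *LEVELS; i++)
        if (ipmask_match(LEVELS[i].ipmask, ip)) return LEVELS[i].v;
    return 9;
}

static int path_eq(const char *a, const char *b)   /* Windows paths: ignore case */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* level="1" is read as "level 1 or safer" (lower number = safer); that
 * reading is this example's, the article leaves it implicit. */
static int rule_match(const struct rule *r, int dir, int prot, const char *ip, int port)
{
    return r->type == dir && r->prot == prot && ipmask_match(r->trg_mask, ip)
        && (r->trg_level == ANY || ip_level(ip) <= r->trg_level)
        && (r->trg_port == ANY || r->trg_port == port);
}

/* Per-app rules first, then the defaults. No match at all fails closed
 * (ACT_DENY); that is this example's choice, the article does not say. */
int decide(const char *app, int dir, int prot, const char *ip, int port)
{
    for (size_t a = 0; a < sizeof APPS / sizeof *APPS; a++)
        if (path_eq(APPS[a].name, app))
            for (int i = 0; i < APPS[a].n; i++)
                if (rule_match(&APPS[a].rules[i], dir, prot, ip, port))
                    return APPS[a].rules[i].act;
    for (size_t i = 0; i < sizeof DEFAULTS / sizeof *DEFAULTS; i++)
        if (rule_match(&DEFAULTS[i], dir, prot, ip, port)) return DEFAULTS[i].act;
    return ACT_DENY;
}

/* With no prompt UI, the "ask" actions resolve to their timeout default. */
int is_allowed(int act) { return act == ACT_ALLOW || act == ACT_ASK_ALLOW; }

#ifdef _WIN32
#include <winsock2.h>
typedef int (WSAAPI *connect_fn)(SOCKET, const struct sockaddr *, int);

/* Exported as "connect" via the .def file; the real export lives in the renamed
 * original. Assumes an AF_INET TCP socket (a full build would check SO_TYPE). */
int WSAAPI proxy_connect(SOCKET s, const struct sockaddr *name, int namelen)
{
    static connect_fn real;
    if (!real) real = (connect_fn)GetProcAddress(LoadLibraryA("WS2_32OLD.DLL"), "connect");
    if (!real) { WSASetLastError(WSAEACCES); return SOCKET_ERROR; }
    if (name->sa_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)name;
        char exe[MAX_PATH] = "";
        GetModuleFileNameA(NULL, exe, sizeof exe);   /* the calling application */
        if (!is_allowed(decide(exe, DIR_OUT, 6, inet_ntoa(sin->sin_addr), ntohs(sin->sin_port)))) {
            WSASetLastError(WSAEACCES); return SOCKET_ERROR;   /* deny: error, no forward */
        }
    }
    return real(s, name, namelen);   /* allow: hand the call to the original DLL */
}
#endif
```

Two things worth noting from the table: the order of the <l> entries matters, because the first matching mask decides the level, and a denied connect() should return a real Winsock error (WSAEACCES here) rather than silently succeeding, otherwise the caller hangs waiting for a connection that will never come.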

Control console

Installation

Run frw.exe -install. This:

  • temporarily disables Windows XP SP2's file protection (Windows File Protection) for WSOCK32.DLL and WS2_32.DLL,
  • moves WSOCK32.DLL to WSOCK32OLD.DLL and WS2_32.DLL to WS2_32OLD.DLL,
  • copies WSOCK32NEW.DLL and WS2_32NEW.DLL into the system directory as WSOCK32.DLL and WS2_32.DLL.

All of this is done only if the CRCs match, i.e. only for the DLL versions shipped with Windows XP SP2. Now restart, and the firewall is ready! When you have finished trying the firewall, run frw.exe -uninstall and reboot; this reverses the above process and restores the original DLLs. frw.exe -enable and frw.exe -disable enable or disable the firewall. The -update, -makecrc, -fly and -removefly command line switches found in frwmain.cpp are used by me to build and test the DLLs; you shouldn't need them.
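As an added example of the "only if the CRCs match" safeguard, here is my own code, not the article's frw.exe, that refuses to touch a DLL unless its CRC-32 is the value recorded for the build that was proxied, and then performs the rename sequence described above (original to OLD, NEW to original) with a rollback if the second step fails. The function names and return codes are mine, the CRC is the standard CRC-32 (the same one zlib computes), and disabling Windows File Protection is deliberately left out, so on XP SP2 this step alone would be undone by WFP.

```c
/* Added example, not the article's frw.exe: gate the DLL swap on a CRC-32 of the
 * file about to be replaced, then rename orig -> backup and repl -> orig, rolling
 * back if the second rename fails. No Windows File Protection handling here. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Standard CRC-32 (reflected polynomial 0xEDB88320), bit-serial, no table. */
uint32_t crc32_update(uint32_t crc, const unsigned char *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC-32 of a whole file; returns 0 and sets *out, or -1 if it cannot be read. */
int crc32_file(const char *path, uint32_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char buf[4096];
    uint32_t crc = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) crc = crc32_update(crc, buf, n);
    fclose(f);
    *out = crc;
    return 0;
}

/* Replace `orig` with `repl`, keeping the original as `backup`, only when the
 * CRC of `orig` equals `expected` (the value recorded for the DLL we proxied).
 * Returns 0 on success, -1 unreadable, -2 CRC mismatch, -3/-4 rename failure. */
int swap_if_crc_matches(const char *orig, const char *backup, const char *repl, uint32_t expected)
{
    uint32_t actual;
    if (crc32_file(orig, &actual) != 0) return -1;
    if (actual != expected) return -2;          /* not the DLL we proxied: refuse */
    if (rename(orig, backup) != 0) return -3;
    if (rename(repl, orig) != 0) {
        rename(backup, orig);                   /* roll back so the system still boots */
        return -4;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s ORIG BACKUP REPLACEMENT EXPECTED_CRC_HEX\n", argv[0]);
        return 2;
    }
    uint32_t expected = (uint32_t)strtoul(argv[4], NULL, 16);
    int rc = swap_if_crc_matches(argv[1], argv[2], argv[3], expected);
    printf("result: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

A CRC is an integrity check against the wrong file version, not against a malicious one; if the point were to detect tampering rather than a mismatched service pack, a cryptographic hash would be the right tool.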

Emergency situations

Keep copies of the original DLL files somewhere safe, so that if your system fails to boot after installing my files you can easily restore the two files from a boot CD, e.g. the Windows XP Recovery Console or the Ultimate Boot CD!

Windows Vista?

The above works nicely on Windows XP SP2, but I have not yet managed to make a working solution for Vista. First, you can't install the files using frw -install. Even if you plant them manually, the system won't boot. If anyone wants to give it a try on Vista and/or help me develop the same solution for it, send me an e-mail so we can share the Vista files.

History

  • 22 May, 2007 - Original version posted

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Michael Chourdakis
Engineer
Greece Greece
I'm working in C++, PHP , Flash and DSP Programming, currently experimenting with Windows 7 technologies and professional audio applications.
 
I've a PhD in Digital Signal Processing.
 
My home page: http://www.michaelchourdakis.com


Article Copyright 2007 by Michael Chourdakis