First Posted 21 Jun 2004

A not so simple firewall.

By | 21 Jun 2004 | Article
A not so simple firewall if I can call it so. This application will ask you if you want a certain program to start.

Introduction

This article is an update of the former Process Monitor.

The new additions include a tray icon. In this new application, you don't have to write down what applications shouldn't start.

You'll just be asked if you want a certain application to run.

The application still uses Windows hooks, but this time it works a little differently. When an application that wants to start is detected, it is recorded in the Windows registry so that the callback function will not ask again whether it may start. If you approve it, the application is marked as allowed to start by default.

This means it will start whenever it wants. But if you tell the program to stop it, the application will not be able to start until the hooks are removed.

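/*
 * BagaHooku - install the CBT hook (exported entry point of the hook DLL).
 *
 * Does nothing when the hook is already installed. The hook handle is kept
 * in CBT so that CBTProc can pass events on with CallNextHookEx.
 */
DLL_EXPORT void BagaHooku(void)
{
    if (!bHooked)
    {
        /* Thread id 0 together with the DLL instance requests a hook for
         * every thread on the caller's desktop, not just for this thread. */
        CBT = SetWindowsHookEx(WH_CBT, (HOOKPROC)CBTProc, hInst, 0);

        /* Mark the hook as installed only when the call succeeded; setting
         * the flag unconditionally would leave the filter silently inactive
         * and prevent any later attempt to install it. */
        if (CBT != NULL)
            bHooked = TRUE;
    }
}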

This function just sets the hook.

Now the callback function:

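// Registry locations of the three lists, all under HKEY_LOCAL_MACHINE.
// Each entry is a value named after the executable's file name whose data
// is the full module path.
static const char kGapulaPend[]  = "SOFTWARE\\Gapula\\PEND";
static const char kGapulaOk[]    = "SOFTWARE\\Gapula\\OK";
static const char kGapulaRestr[] = "SOFTWARE\\Gapula\\RESTR";

// Text shown after the module path in the confirmation dialog.
static const char kGapulaPrompt[] =
    " is trying to start, do you allow that?"
    "\n Please recall that if you say yes this action will be happening "
    "every time this program starts"
    "\nThis goes for NO as well so be careful what you wish for";

// Upper bound for the module path handled by the callback.
enum { GAPULA_PATH_MAX = 1024 };

// Returns TRUE when a value called `name` exists under HKLM\<subKey>.
// Only existence is tested, so no data buffer is needed. The key is opened
// with KEY_QUERY_VALUE only: asking for KEY_ALL_ACCESS just to read makes the
// lookup fail in any process that may not write to HKLM, and a failed lookup
// is treated as "not listed".
static BOOL GapulaIsListed(const char *subKey, const char *name)
{
    HKEY hKey;
    LONG rc;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, KEY_QUERY_VALUE,
                     &hKey) != ERROR_SUCCESS)
        return FALSE;

    rc = RegQueryValueEx(hKey, name, NULL, NULL, NULL, NULL);
    RegCloseKey(hKey);
    return rc == ERROR_SUCCESS;
}

// Stores `path` as REG_SZ data of the value `name` under HKLM\<subKey>,
// creating the key if needed. Returns TRUE only when the value was written.
static BOOL GapulaRecord(const char *subKey, const char *name,
                         const char *path)
{
    HKEY hKey;
    DWORD dwDisp;
    LONG rc;

    if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, NULL,
                       REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL,
                       &hKey, &dwDisp) != ERROR_SUCCESS)
        return FALSE;

    rc = RegSetValueEx(hKey, name, 0, REG_SZ, (const BYTE *)path,
                       (DWORD)(strlen(path) + 1));
    RegCloseKey(hKey);
    return rc == ERROR_SUCCESS;
}

// CBTProc - CBT hook callback that allows, blocks or asks about the process
// owning the window named by wParam.
//
// nCode   hook code; only HCBT_ACTIVATE, HCBT_SYSCOMMAND, HCBT_QS and
//         HCBT_CREATEWND are inspected, everything else is passed on.
// wParam  treated as a window handle.
// lParam  passed through unchanged.
//
// Returns 0 (operation allowed, next hook not called) for a program that is
// approved, and the result of CallNextHookEx in every other case, including
// after a blocked process has been terminated.
//
// Decision order, keyed on the executable's file name:
//   in PEND  -> terminate if also in RESTR, otherwise allow
//   in OK    -> allow
//   in RESTR -> terminate
//   unknown  -> record in PEND, ask the user, record the answer in OK/RESTR
//
// NOTE(review): the lists are keyed on the bare file name; the stored path is
// never compared, so every executable with the same file name shares one
// decision. The lists are only as trustworthy as the ACL on
// HKLM\SOFTWARE\Gapula. The check runs from a window hook, so it happens
// after the process has already started and only for processes that create
// or activate windows.
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if ((nCode == HCBT_ACTIVATE) || (nCode == HCBT_SYSCOMMAND) ||
        (nCode == HCBT_QS) || (nCode == HCBT_CREATEWND))
    {
        enum { VERDICT_CHAIN, VERDICT_ALLOW, VERDICT_BLOCK };
        int verdict = VERDICT_CHAIN;
        HANDLE hProc = NULL;
        HMODULE hFirstModule = NULL;
        DWORD cbNeeded = 0;
        DWORD dwProcessId = 0;
        char modulePath[GAPULA_PATH_MAX];
        char prompt[GAPULA_PATH_MAX + sizeof(kGapulaPrompt)];
        const char *host = NULL;
        size_t pathLen;

        // NOTE(review): wParam is a window handle for HCBT_ACTIVATE and
        // HCBT_CREATEWND only; for HCBT_SYSCOMMAND it is the command value
        // and for HCBT_QS it is unused. The lookup is therefore checked and
        // the event is simply passed on when no owning process is found.
        if (GetWindowThreadProcessId((HWND)wParam, &dwProcessId) != 0 &&
            dwProcessId != 0)
        {
            // Request only the rights used below instead of
            // PROCESS_ALL_ACCESS.
            hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                                PROCESS_TERMINATE, FALSE, dwProcessId);
        }

        if (hProc != NULL)
        {
            // The first module of a process is its executable. szModName is
            // declared elsewhere in the file; sizeof assumes it is an array,
            // as the original call did.
            if (EnumProcessModules(hProc, &hFirstModule, sizeof(hFirstModule),
                                   &cbNeeded) &&
                cbNeeded > 0 &&
                GetModuleFileNameEx(hProc, hFirstModule, szModName,
                                    sizeof(szModName)) != 0)
            {
                // Work on a private, bounded copy: szModName is shared state
                // and the dialog below can re-enter this hook.
                pathLen = strlen(szModName);
                if (pathLen < sizeof(modulePath))
                {
                    memcpy(modulePath, szModName, pathLen + 1);
                    host = strrchr(modulePath, '\\');
                    host = (host != NULL) ? host + 1 : modulePath;
                    // An empty name would address the key's default value.
                    if (*host == '\0')
                        host = NULL;
                }
            }

            if (host != NULL)
            {
                if (GapulaIsListed(kGapulaPend, host))
                {
                    // Already asked about once: blocked only if the answer
                    // was recorded in RESTR.
                    verdict = GapulaIsListed(kGapulaRestr, host)
                                  ? VERDICT_BLOCK : VERDICT_ALLOW;
                }
                else if (GapulaIsListed(kGapulaOk, host))
                {
                    verdict = VERDICT_ALLOW;
                }
                else if (GapulaIsListed(kGapulaRestr, host))
                {
                    verdict = VERDICT_BLOCK;
                }
                else if (GapulaRecord(kGapulaPend, host, modulePath))
                {
                    // The PEND entry must exist before the dialog is shown:
                    // creating the dialog window triggers this hook again,
                    // and the entry is what stops it from asking recursively.
                    // If it cannot be written the event is passed on without
                    // asking (this fails open; the original recursed).
                    //
                    // The prompt is built in its own buffer so that the path
                    // stored in the registry stays free of the dialog text.
                    // It always fits: pathLen < GAPULA_PATH_MAX.
                    strcpy(prompt, modulePath);
                    strcat(prompt, kGapulaPrompt);

                    // NOTE(review): any result other than IDNO, including a
                    // failed MessageBox (return value 0), approves the
                    // program permanently, as in the original.
                    if (MessageBox(NULL, prompt, "Gabby",
                                   MB_ICONQUESTION | MB_SYSTEMMODAL |
                                   MB_APPLMODAL | MB_TASKMODAL |
                                   MB_SETFOREGROUND | MB_TOPMOST |
                                   MB_YESNO) == IDNO)
                    {
                        GapulaRecord(kGapulaRestr, host, modulePath);
                        verdict = VERDICT_BLOCK;
                    }
                    else
                    {
                        GapulaRecord(kGapulaOk, host, modulePath);
                        verdict = VERDICT_ALLOW;
                    }
                }
            }

            if (verdict == VERDICT_BLOCK)
            {
                // Fixed exit code. The original passed the value read with
                // GetExitCodeProcess, which for a running process is
                // STILL_ACTIVE; a process ended with that code looks alive to
                // anything that polls its exit code.
                TerminateProcess(hProc, 1);
            }

            // The process handle was never closed in the original, leaking
            // one handle per hooked event.
            CloseHandle(hProc);

            if (verdict == VERDICT_ALLOW)
                return 0;
        }
    }

    // Everything not decided above goes to the next hook in the chain.
    return CallNextHookEx(CBT, nCode, wParam, lParam);
}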

The firewall is very powerful because it filters every application that creates or activates a window, which are the events the CBT hook receives. The program that loads it is very simple because all it has to do is to load it.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

gamitech

Software Developer

Romania Romania

Member

I love VC++


Comments and Discussions

 
QuestionHow can we tell what application/program is trying to access network? Pinmemberwwa20216:22 6 Jan '10  
Generalgood Pinmembercute_friend70776:47 19 May '09  
GeneralContact you Pinmembermamad1234568:20 23 Jul '07  
GeneralRe: Contact you Pinmembereuacela11:38 31 Jul '07  
QuestionWhat Happend exactly when ? PinmemberMandorle0:02 16 Apr '07  
QuestionProblem in compiling the code PinmemberAsshish0:08 21 Mar '07  
AnswerRe: Problem in compiling the code Pinmembereuacela6:28 21 Mar '07  
Generalprevious article ! Pinmemberfarshad.f2:50 10 Jul '06  
QuestionWhat Is This? HIPS? Pinmembereaster_200716:08 20 Feb '06  
GeneralVery good PinmemberTorres O.10:09 25 Jan '06  
GeneralRe: Very good Pinmembereuacela12:12 25 Jan '06  
GeneralRe: Very good PinmemberTorres O.16:45 25 Jan '06  
GeneralRe: Very good Pinmembereuacela17:02 25 Jan '06  
GeneralRe: Very good PinmemberTorres O.15:47 2 Feb '06  
Generalplz help Pinmember3loka8:10 22 Jun '05  
GeneralRe: plz help PinmemberThatsAlok23:19 17 Nov '05  
GeneralNice Article, but don't trust this App ... PinsussAnonymous6:34 11 Mar '05  
GeneralNice application... PinmemberVlad Stanciu7:15 11 Dec '04  
GeneralRe: Nice application... Pinmembereuacela10:00 12 Dec '04  
GeneralJust a few problems, other than that, it's pretty cool. PinmemberDeath0:27 22 Aug '04  
GeneralExcellent Pinsusswjvii3:34 28 Jun '04  
GeneralRe: Excellent Pinmembereuacela7:09 28 Jun '04  
GeneralExcellent Pinmemberwjvii3:25 28 Jun '04  
Generalgreat job Pinmemberlalalalal11:05 23 Jun '04  
GeneralInteresting Article. PinmemberShail_Srivastav8:07 23 Jun '04  

Article Copyright 2004 by gamitech