A not so simple firewall.






A not-so-simple firewall, if I can call it that. This application asks you whether you want a certain program to start.
Introduction
This article is an update of the earlier Process Monitor.
The new additions include a tray icon. In this new application, you don't have to write down what applications shouldn't start.
You'll just be asked if you want a certain application to run.
The application still uses Windows hooks, but this time it works a little differently. When an application that wants to start is detected, it is recorded in the Windows registry, so the callback function will not ask you again whether it may start. If you approve it, the application is set to start by default.
This means it will start every time it wants. But if you tell the program that it should stop it, the application will never start until the hooks are stopped.
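/*
 * Installs the CBT hook once.
 *
 * bHooked is only set when SetWindowsHookEx actually returned a hook handle;
 * the original code set it unconditionally, so a failed install could never
 * be retried and CBT stayed NULL while the DLL believed it was hooked.
 */
DLL_EXPORT void BagaHooku(void)
{
    if (bHooked) {
        return;
    }
    /* dwThreadId 0: hook every thread on the desktop (the DLL is injected). */
    CBT = SetWindowsHookEx(WH_CBT, (HOOKPROC)CBTProc, hInst, 0);
    bHooked = (CBT != NULL);
}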
Just to set the hook.
Now the callback function:
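/*
 * Registry locations (under HKEY_LOCAL_MACHINE) that remember the user's
 * decision for a program. Values are keyed by the program's base file name:
 *   PEND  - the program has been seen and the user has been asked once
 *   OK    - the user allowed it; it may start every time
 *   RESTR - the user refused it; it is terminated every time
 */
#define GAPULA_PEND  "SOFTWARE\\Gapula\\PEND"
#define GAPULA_OK    "SOFTWARE\\Gapula\\OK"
#define GAPULA_RESTR "SOFTWARE\\Gapula\\RESTR"

/*
 * Returns TRUE when value `name` exists under HKLM\subkey.
 *
 * The key is opened read-only and always closed. A missing key, a failed
 * open, or a value that does not fit the scratch buffer all count as "not
 * present" (the original code treated any non-ERROR_SUCCESS the same way).
 * `size` must be initialised to the buffer size: RegQueryValueEx reads it
 * as the capacity and writes through it; the original left it uninitialised,
 * which let the call write past the stack buffer.
 */
static BOOL reg_has_value(const char *subkey, const char *name)
{
    HKEY key;
    char scratch[1024];
    DWORD type = 0;
    DWORD size = sizeof(scratch);
    LONG rc;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_QUERY_VALUE, &key)
        != ERROR_SUCCESS) {
        return FALSE;
    }
    rc = RegQueryValueEx(key, name, NULL, &type, (unsigned char *)scratch, &size);
    RegCloseKey(key);
    return rc == ERROR_SUCCESS;
}

/*
 * Records REG_SZ value `name` = `value` under HKLM\subkey, creating the key
 * when it does not exist. Failure is deliberately ignored: the only effect is
 * that the user may be asked about this program again.
 */
static void reg_record(const char *subkey, const char *name, const char *value)
{
    HKEY key;
    DWORD disposition = 0;

    if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, "", REG_OPTION_NON_VOLATILE,
                       KEY_WRITE, NULL, &key, &disposition) != ERROR_SUCCESS) {
        return;
    }
    RegSetValueEx(key, name, 0, REG_SZ, (const unsigned char *)value,
                  (DWORD)strlen(value) + 1);
    RegCloseKey(key);
}

/*
 * WH_CBT hook procedure: decides whether the process owning the window in
 * wParam may run.
 *
 * The process is identified by the full path of its first module (stored in
 * the global szModName) and the decision is keyed by the base file name only.
 * NOTE(review): because only the base name is used, any program with the same
 * file name in another directory inherits the decision — confirm whether the
 * full path should be the key instead.
 * NOTE(review): for HCBT_SYSCOMMAND and HCBT_QS the documented wParam is not
 * an HWND, so GetWindowThreadProcessId will not find a process for those
 * codes; the original hooked the same four codes, kept here unchanged.
 *
 * Returns 0 when the program is allowed (the original contract), otherwise
 * the result of CallNextHookEx. A refused program is terminated with its
 * current exit code, as the original did.
 */
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    enum { ACT_PASS, ACT_ALLOW, ACT_DENY };

    if (nCode == HCBT_ACTIVATE || nCode == HCBT_SYSCOMMAND || nCode == HCBT_QS
        || nCode == HCBT_CREATEWND) {
        DWORD pid = 0;
        HANDLE hProc;

        GetWindowThreadProcessId((HWND)wParam, &pid);
        /* Request only the rights this hook uses (query, read module names,
         * terminate); PROCESS_ALL_ACCESS is refused for some processes and
         * would then leave hProc NULL. */
        hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
                            | PROCESS_TERMINATE, FALSE, pid);
        if (hProc != NULL) {
            HMODULE hMods[1024];
            DWORD needed = 0;
            int action = ACT_PASS;
            BOOL named = FALSE;

            /* Without a module name there is nothing to decide on; the
             * original kept using whatever szModName held from last time. */
            if (EnumProcessModules(hProc, hMods, sizeof(hMods), &needed)
                && needed > 0
                && GetModuleFileNameEx(hProc, hMods[0], szModName,
                                       sizeof(szModName)) > 0) {
                named = TRUE;
            }

            if (named) {
                const char *base = strrchr(szModName, '\\');
                char host[1024];

                base = (base != NULL) ? base + 1 : szModName;
                snprintf(host, sizeof(host), "%s", base);

                if (!reg_has_value(GAPULA_PEND, host)) {
                    if (reg_has_value(GAPULA_OK, host)) {
                        action = ACT_ALLOW;
                    } else if (reg_has_value(GAPULA_RESTR, host)) {
                        action = ACT_DENY;
                    } else {
                        /* First sighting: record it as pending so the hook
                         * never asks about this name twice, then ask. The
                         * message is built in a local buffer instead of
                         * being appended to the global szModName. */
                        char msg[MAX_PATH + 256];

                        reg_record(GAPULA_PEND, host, szModName);
                        snprintf(msg, sizeof(msg),
                                 "%s is trying to start, do you allow that?\n"
                                 " Please recall that if you say yes this action"
                                 " will be happening every time this program"
                                 " starts\nThis goes for NO as well so be careful"
                                 " what you wish for",
                                 szModName);
                        if (MessageBox(NULL, msg, "Gabby",
                                       MB_ICONQUESTION | MB_SYSTEMMODAL | MB_APPLMODAL
                                       | MB_TASKMODAL | MB_SETFOREGROUND | MB_TOPMOST
                                       | MB_YESNO) == IDNO) {
                            reg_record(GAPULA_RESTR, host, szModName);
                            action = ACT_DENY;
                        } else {
                            reg_record(GAPULA_OK, host, szModName);
                            action = ACT_ALLOW;
                        }
                    }
                } else {
                    /* Already filtered once: only the RESTR list matters. */
                    action = reg_has_value(GAPULA_RESTR, host) ? ACT_DENY
                                                                : ACT_ALLOW;
                }
            }

            if (action == ACT_DENY) {
                DWORD exitCode = 0;

                /* The original reused the current exit code as the
                 * termination code; kept for compatibility. */
                GetExitCodeProcess(hProc, &exitCode);
                TerminateProcess(hProc, (UINT)exitCode);
            }
            /* The original never closed the process handle (one leak per
             * hooked window). */
            CloseHandle(hProc);

            if (action == ACT_ALLOW) {
                return 0;
            }
        }
    }
    /* All remaining cases, including a terminated program, pass the
     * notification on to the next hook, as the original did. */
    return CallNextHookEx(CBT, nCode, wParam, lParam);
}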
The firewall is very powerful because it filters every application. The host program that loads the DLL is very simple, because all it has to do is load it.