I've looked around for any info on how a personal firewall (e.g. Sygate) works. I've found virtually nothing. :(

I wanted to write the simplest prog to monitor what processes were trying to connect. My very first thought was some sort of dll hooking was being used, but apparently not.

Any info or links would be appreciated!
Posted on 2003-01-13 12:41:47 by Manxcat
If you want to code a real firewall, that also stops incoming packets to closed ports, you most likely need to write a driver which layers itself between NDIS and the protocol drivers.

I'm not quite certain how to do it exactly, as I haven't (yet) had the need to do this, but you need to learn to code drivers (in case you don't have knowledge of VXDs or KMDs), and take a look at the NDIS reference. I remember there's an online version of the whole DDK at www.osr.com, which includes this.

Here's a guess how it should be done (it's a guess, don't trust that it's necessarily correct):
I think you should begin with registering the protocol, and binding it to the adapter, and then to the real protocol (TCP/IP, for example). Then you'll just relay all the accepted packets to the protocol and discard the bad ones.

I might look at this more closely someday soon.

-Stealth
P.S. The network forum might be more appropriate for this thread.
Posted on 2003-01-13 14:05:51 by Stealth
I've just ordered WDM and will take another look at this after hopefully figuring it out. :)
Posted on 2003-01-14 07:23:54 by Manxcat
Look into writing a layered service provider for Winsock2. There was an article about it in MSJ, May 1999.
Posted on 2003-01-16 05:12:53 by Hiroshimator
Heya.
If you are interested in monitoring winsock stuff without getting into low-level packet monitoring (if you just want to watch and be able to terminate actual TCP socket connections) you can do this rather easily by simply creating a "wedge" DLL, which replaces the real winsock dll. I can't provide a link, sorry, but I can describe it.
The DLL contains the same number of functions as the real one. You rename the real winsock dll, and have the "load" code in your fake winsock load the real (renamed) winsock DLL. The functions in the fake one ultimately can call the appropriate functions in the real one, and before they do, you can insert any code you like. This allows you to intercept ALL calls to winsock functions, capture socket handle values, monitor data exchanges, terminate sockets belonging to other applications without knowing anything about them etc.
I'm sure one of our fellow travellers can provide a link to source for this.
Note that anything lower level, like a VXD, is also a wedge.
Wedges have been used since the dawn of time to do everything from writing virii (IRQs et al.), even to extending languages (BASIC) by wedging procedures belonging to the Operating System...
Have a nice day :)
Posted on 2003-01-16 06:58:44 by Homer
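As an added illustration of the wedge-DLL idea in Homer's post (this is not code from anyone in the thread), here is the one exported function a personal firewall cares most about: a `connect` wrapper that checks the destination against an egress policy before forwarding to the renamed real Winsock DLL. The policy table, the name `ws2_32_real.dll` for the renamed original and the log format are my own assumptions; only `connect` is shown, a complete wedge must export and forward every function the real DLL has.

```c
#include <stdio.h>
#include <stdint.h>
/* One egress rule: IPv4 network (host byte order) with prefix length, destination
   port (0 = any) and verdict. Rules are checked in order, first match wins. */
typedef struct { uint32_t net; int prefix; uint16_t port; int allow; } rule_t;
/* Constructed sample policy: LAN anywhere, HTTPS anywhere, everything else refused. */
static const rule_t POLICY[] = {
    { 0xC0A80000u, 16, 0,   1 },   /* 192.168.0.0/16 */
    { 0,           0,  443, 1 },   /* any host, port 443 */
    { 0,           0,  0,   0 },   /* default deny */
};
/* Decide whether a connect() to ip:port (host byte order) may proceed. */
int egress_allowed(uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const rule_t *r = &POLICY[i];
        uint32_t mask = r->prefix ? 0xFFFFFFFFu << (32 - r->prefix) : 0;
        if ((ip & mask) == (r->net & mask) && (r->port == 0 || r->port == port))
            return r->allow;
    }
    return 0;
}

#ifdef _WIN32   /* the wedge itself; the policy code above is portable and testable */
#define WINSOCK_API_LINKAGE   /* stop the header declaring connect() as dllimport */
#include <winsock2.h>
typedef int (WSAAPI *connect_fn)(SOCKET, const struct sockaddr *, int);
/* Wedge ships as ws2_32.dll, real one assumed renamed to ws2_32_real.dll (assumption);
   the wedge must not import from ws2_32 (that is itself), so resolve the real entry by hand. */
static connect_fn real_connect(void)
{
    static connect_fn fn;
    HMODULE h = fn ? NULL : LoadLibraryA("ws2_32_real.dll");
    if (h) fn = (connect_fn)GetProcAddress(h, "connect");
    return fn;
}
/* Exported in place of the real connect(); every other export is forwarded the same way. */
__declspec(dllexport) int WSAAPI connect(SOCKET s, const struct sockaddr *name, int namelen)
{
    const struct sockaddr_in *sin = (const struct sockaddr_in *)name;
    if (name && name->sa_family == AF_INET && namelen >= (int)sizeof *sin) {
        const uint8_t *a = (const uint8_t *)&sin->sin_addr, *p = (const uint8_t *)&sin->sin_port;
        uint16_t port = (uint16_t)(p[0] << 8 | p[1]);   /* wire order, no ntohs() import needed */
        if (!egress_allowed((uint32_t)a[0] << 24 | a[1] << 16 | a[2] << 8 | a[3], port)) {
            fprintf(stderr, "wedge: refused connect to %u.%u.%u.%u:%u\n", a[0], a[1], a[2], a[3], port);
            SetLastError(WSAECONNREFUSED);   /* this is what WSAGetLastError() will report */
            return SOCKET_ERROR;
        }
    }
    connect_fn fn = real_connect();
    return fn ? fn(s, name, namelen) : SOCKET_ERROR;
}
#endif
```

The same check can be placed in front of `WSAConnect`, `sendto` and `WSASendTo`, since those reach a destination without ever calling `connect`.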