Hi there,
Since my young age I've been wondering how Windows works, and I'm trying to code something really original, not that many on the market: a Firewall ;)
I think I've read all that can be written and found on the Net. I've read all the firewalling techniques and must admit:
[*]LSP (Layered Service Providers) sounds like crap (you can still bypass it), even more so if it's to be coded in Win32Asm, in which I'm still a noob
[*]Windows Hooking + DLL injecting = Crap. Hooks, to put it briefly, work only on "windowed" applications; console apps or services get through.
[*]Proxy DLL: don't even want to speak about it ;)
There are others; the list is long.
Two are staying in my mind:
[*]Process execution detection via the "Notify" API + API hooking/patching (to solve the "ordinal loaded" API problem) could be nice if performed at boot, via a Service...
[*]A second solution could be to hook INT 2Eh at kernel level and then patch the created process in memory.
The info I'm asking is:
Am I mad to code a Firewall in Win32Asm?
Has anybody ever tried? It would be nice if someone told me I'm at least on the right way (one of the last two).
Does anybody see any other good, "Asmable" hooking mechanism?
And the jolly question: DLLs are mapped in every process. Good, now, is there a way to patch in memory the "master copy", the image loaded by the Kernel, which is then "copied" (if needed, if not shared) into every process? On 9x and NTs?
Thanks,
Ka.
P.S. At the moment I'm very far from finishing. I have a nice Service with all the Winsock APIs exported ;)
Hi KaSt,
No, you are not mad to write a firewall in win32asm; you are actually crazy and don't know what you are getting into :) just kidding :tongue:
AFAIK there is only one article about writing firewalls for the Windows NT platform; you can find it on the www.codeproject.com site, do a little search.
From my experience, all those things you listed would be dirty ways to do such a thing; the only clean way is getting below ring3, that is, writing a KMD filter driver which can filter network traffic. That's all I know right now; that article will probably help you get started, it is provided with source code too (C++ though).
Good luck
Why not make an intermediate filter .SYS driver (on Win2k/NT I mean) that will filter all network packets and act accordingly?
-- that could be complicated though
-- might be very different for dial-up (modem) connections
-- services/drivers loaded BEFORE you will get by :(
Besides that, all I can think of will be special hooking into the winsockets system DLLs
First of all, thank you very much!
Didn't know that article on CodeProject, will have a look at it!
Sure, the ways I was thinking of (those two in my post) maybe aren't the most "clean", but I'm also trying to build a base for some other protection techniques like "ProcessExecution detection"...
My main idea was to build a service or driver (the only way to run below Ring3, AFAIK) to do the job.
BogdanOntanu raised the eternal question:
"Besides that all i can think of will be special hooking into winsockets system dll's"
The true question for me is how can I modify the "kernel loaded" copy of Winsock?
AFAIK it's the Kernel that maps DLLs into processes; I want to modify the image loaded by the kernel. This way there's no need for "Filter drivers" or stuff like this. It would be transparent for Windows.
Thanks again,
Ka.
Why not just wrap ws2_32.dll: place your wrapper in the system folder and forward to the real DLL, then you can monitor all packets and socket stuff...
Thanks again!