Hi there,
Since my young age I've been wondering how Windows works, and I'm trying to code something really original, not that many on the market: a Firewall ;)

I think I've read all that can be written and found on the Net. Read all the firewalling techniques and must admit:

- LSP (Layered Service Providers) sounds like crap (you can still bypass it), even more if it is to be coded in Win32Asm, in which I'm still a noob
- Windows Hooking + DLL injecting = Crap. Hooks, to say it briefly, work only on "Windowed" applications; console apps or services get through.
- Proxy DLL: don't even want to speak about it ;)

There are others, the list is long.

Two are staying in my mind:

- Process execution detection via "Notify" API + API hooking/patching (to solve the "ordinal loaded" API problem) could be nice if performed at boot, via a Service...
- Second solution could be to hook INT 2Eh at kernel level and then patch the created process in memory.

The info I'm asking for is:
Am I mad to code a Firewall in Win32Asm?
Has anybody ever tried? Could be nice if someone told me I'm at least on the right way (one of the last two).
Does anybody see any other good, "Asmable" hooking mechanism?
And the jolly question: DLLs are mapped in every process. Good, now, is there a way to patch in memory the "master copy", the image loaded by the Kernel, which is then "copied" (if needed, if not shared) into every process? 9x and NTs.

Thanks,

Ka.

P.S. At the moment I'm very far from finishing. Have a nice Service with all the Winsock APIs exported ;)
Posted on 2003-03-11 19:23:19 by KaSt
Hi KaSt,
no, you are not mad to write a firewall in win32asm, you are actually crazy and don't know what you are into :) just kidding :tongue:
AFAIK there is only one article about writing firewalls for the Windows NT platform; you can find it on the www.codeproject.com site, do a little search.

From my experience, all those things you listed would be a dirty way to do such a thing; the only clean way is getting below ring3, that is writing a KMD filter driver which can filter network traffic. That's all I know right now, that article will probably help you to get started, it is provided with source code too (C++ though).

good luck
Posted on 2003-03-11 19:51:50 by Mikky
Why not make an intermediate filter .SYS driver (on Win2k/NT I mean) that will filter all network packets and act accordingly?

-- that could be complicated though
-- might be very different for dial-up (modem) connections
-- services/drivers loaded BEFORE you will get by :(

Besides that, all I can think of will be special hooking into the Winsock system DLLs.
Posted on 2003-03-11 19:54:08 by BogdanOntanu
First of all, thank you very much!

Didn't know that article on CodeProject, will have a look at it!

Sure the ways I was thinking of (those two in my post) aren't maybe the most "clean" but I'm trying as well to build a base for some other protection techniques like "ProcessExecution detection"...

My main idea was to build a service or driver (only way to run below Ring3, AFAIK) to do the job.

BogdanOntanu raised the eternal question:

"Besides that, all I can think of will be special hooking into the Winsock system DLLs."

The true question for me is how can I modify the "kernel loaded" copy of Winsock?
AFAIK it's the Kernel that maps DLLs into processes; I want to modify the image loaded by the kernel. This way there is no need for "Filter drivers" or stuff like this. It would be transparent for Windows.

Thanks again,

Ka.
Posted on 2003-03-12 05:18:50 by KaSt
Why not just wrap ws2_32.dll: place your wrapper in the system folder and forward to the real DLL, then you can monitor all packets and socket stuff...
Posted on 2003-03-12 07:02:31 by SFP
Posted on 2003-03-12 09:38:30 by roticv
Thanks again!
Posted on 2003-03-12 14:45:02 by KaSt