Methods available for application detection for firewall

Question

    Hi, I am currently using user-mode APIs to develop my firewall and I can successfully get an application ID and block it using the APIs available with the sample code included. However, I want to create a firewall similar to many 3rd-party firewalls available on the market.

    The idea is this:

    1) detect active connections or listening ports and block or allow them on a case-by-case basis

    2) intercept new applications that are not in the ban list or allowed list and prompt for user intervention

    This is to block trojans or spyware from leaking information while allowing new trusted applications that are installed by the user to access the internet. The idea is to make a pop-up to notify the user of new applications trying to connect to the network and block them by clicking a button.

    One method I have researched online so far is to use the IPHelper APIs. Are there any APIs in WFP that will allow me to do that? If yes, what is the best or ideal way? Is it possible to use user mode to program such a firewall, or do I need to develop a driver using kernel mode?

    Tuesday, November 25, 2008 4:38 PM

Answers

  • You should look into developing a WFP callout driver registering at the ALE_AUTH_CONNECT layers. From ALE_AUTH_CONNECT you will be indicated the app path, user-id, network 5-tuple, and other info for you to decide whether to allow the connection to proceed or not. You can return pending from this layer and complete the classification later on (e.g. after consulting with a user-mode service).

    A good place to start would be -- Windows Filtering Platform Callout Drivers (http://msdn2.microsoft.com/en-us/library/ms796374.aspx).

    Hope this helps,

    Biao.W.

    Wednesday, December 10, 2008 5:40 AM
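An added illustration of the pend-and-complete pattern Biao.W. describes, not code from this thread or from the WFP SDK: a plain C model of the decision a callout's classifyFn would make at ALE_AUTH_CONNECT from the app path it is indicated. Known apps get an immediate allow/block, an unknown app is pended until a user-mode service has prompted the user, and the answer is recorded so the next connect from that app is decided inline. The request struct, rule table and function names are assumptions for the model; the real driver would wrap these decisions in FwpsPendClassify0/FwpsCompleteClassify0 calls, which appear here only in comments.

```c
#include <ctype.h>
#include <string.h>

/* Verdict the callout's classifyFn maps to FWP_ACTION_PERMIT, FWP_ACTION_BLOCK,
 * or a pended classification (FwpsPendClassify0, completed later). */
typedef enum { VERDICT_ALLOW, VERDICT_BLOCK, VERDICT_PEND } verdict_t;
/* Constructed model of what ALE_AUTH_CONNECT indicates to a callout. */
typedef struct {
    const char *app_path;   /* ALE app id: a device path such as \device\harddiskvolume1\... */
    const char *user_sid;   /* user owning the connecting process */
    unsigned local_addr, remote_addr; unsigned short local_port, remote_port; unsigned char proto;
} connect_request_t;
#define MAX_RULES 32
typedef struct { char path[260]; verdict_t verdict; } rule_t;   /* assumed rule table */
static rule_t rules[MAX_RULES]; static int rule_count;
/* Case-insensitive compare: the same image may be reported with different casing. */
static int path_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
static rule_t *find_rule(const char *path) {
    for (int i = 0; i < rule_count; i++)
        if (path_eq(rules[i].path, path)) return &rules[i];
    return NULL;
}
/* Record a user decision (or a provisioned rule); returns 0 on success, -1 if full. */
int add_rule(const char *path, verdict_t verdict) {
    rule_t *r = find_rule(path);
    if (!r) {
        if (rule_count == MAX_RULES || strlen(path) >= sizeof rules[0].path) return -1;
        r = &rules[rule_count++];
        strcpy(r->path, path);
    }
    r->verdict = verdict;
    return 0;
}
/* Inline decision for one connect attempt: known apps get an immediate verdict,
 * an unknown app is pended so a user-mode service can prompt the user. */
verdict_t classify_connect(const connect_request_t *req) {
    const rule_t *r = find_rule(req->app_path);
    return r ? r->verdict : VERDICT_PEND;
}
/* The service's answer arrives: persist it and return the verdict the driver would
 * now hand to FwpsCompleteClassify0 for the pended classification. */
verdict_t complete_pended(const connect_request_t *req, int user_allowed) {
    verdict_t v = user_allowed ? VERDICT_ALLOW : VERDICT_BLOCK;
    return add_rule(req->app_path, v) == 0 ? v : VERDICT_BLOCK; /* no room: fail closed */
}
```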