Get notification when application tries to communicate over socket

  • Question

  • Hi,

     

    I would like to build a kind of very simple firewall control that adds a filter rule when an application creates a socket. Is there any possible way to capture such an event and hold the application for the period necessary to set the filter before letting the application continue?

     

    As I understand it, I could block all apps, then call FwpmNetEventEnum (periodically) and, based on the result, give apps the right to access the socket. However, this method would make applications fail on the first run.

     

    Thanks and regards! 

    Saturday, May 14, 2011 3:21 PM

Answers

  • You can filter everything @ ALE_RESOURCE_ASSIGNMENT.  Pend the authorization, add specific filters, and unpend.  This will require a callout.

     

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Saturday, May 14, 2011 6:21 PM
    Moderator

All replies

  • Hi Dusty,

    You seem to be an expert on WFP; like Duddie, I want to implement a firewall.

    I have already implemented an application in user mode with WFP to blacklist IPs, and I am reading the msn sample in the DDK to see if I can perform packet analysis.

    Could you give me more explanation about your answer or sample code to help me?

    Thanks for your help,

    Arnaud

    Wednesday, August 24, 2011 2:44 PM
  • Your question is very open and vague.  I suggest for starters reading over the WFP documentation:

    SDK: http://msdn.microsoft.com/en-us/library/aa366510(VS.85).aspx

    DDK: http://msdn.microsoft.com/en-us/library/ff571067.aspx

    When you have a more specific question, please post back and we'll see what we can do.  Also please create your own thread unless it pertains exactly to the topic.

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    Wednesday, August 24, 2011 8:46 PM
    Moderator
  • Hi,

    I am working on the "Inspect" sample from the DDK, which can block an IP or not.

    The base sample uses FWPM_CONDITION_IP_REMOTE_ADDRESS and FWP_MATCH_EQUAL to filter a specific IP; when I set an IP, the function TlInspectCompletePendedConnection is called.

    I tried to modify the sample to filter all IPs by replacing FWP_MATCH_EQUAL with FWP_MATCH_NOT_EQUAL, and I get a BSoD :(

    Is it possible to modify this sample to filter all IPs?

     

    Thanks,

    Thursday, August 25, 2011 3:12 PM
  • To filter everything, you can specify filter.numFilterConditions = 0 and filter.filterCondition = 0.  For the BSOD, you would need to attach a KD so you can see where the bugcheck is.

    If you search this forum for posts with code, you will come across multiple snippets of various code that can help.

    Hope this helps,

     


    Dusty Harper [MSFT]
    Microsoft Corporation
    Friday, August 26, 2011 7:07 AM
    Moderator
  • Thanks for your answer. I found another solution using a range; I put it below, maybe it can help someone...

    Another solution, for a range:

    In function TLInspectAddFilter:

    if (remoteAddr != NULL)
    {
        // Wizard - Or. (original condition; FWP_MATCH_NOT_EQUAL caused the BSOD)
        //filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        //filterConditions[conditionIndex].matchType = FWP_MATCH_EQUAL;    // Bad idea (BSOD): FWP_MATCH_NOT_EQUAL;

        // Wizard - Ch. (changed: match an address range instead)
        filterConditions[conditionIndex].fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
        filterConditions[conditionIndex].matchType = FWP_MATCH_RANGE;

        if ( IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_CONNECT_V4 ) ||
             IsEqualGUID(layerKey, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 ) ||
             IsEqualGUID(layerKey, &FWPM_LAYER_INBOUND_TRANSPORT_V4 ) ||
             IsEqualGUID(layerKey, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4 ) )
        {
            // Wizard - Or.
            //filterConditions[conditionIndex].conditionValue.type = FWP_UINT32;
            //filterConditions[conditionIndex].conditionValue.uint32 = *(UINT32*)remoteAddr;

            // Wizard - Ch.
            // conditionValue.rangeValue only stores a pointer, so IpRange must
            // still be alive when FwpmFilterAdd0 is called after this block;
            // a block-scoped local would dangle. Declared static here (or move
            // the declaration to function scope in TLInspectAddFilter).
            static FWP_RANGE0 IpRange;

            // Lower Ip (host byte order, like the UINT32 address conditions).
            IpRange.valueLow.type = FWP_UINT32;
            IpRange.valueLow.uint32 = 0x57F87800;    // 87.248.120.0

            // Higher Ip.
            IpRange.valueHigh.type = FWP_UINT32;
            IpRange.valueHigh.uint32 = 0x57F878FF;   // 87.248.120.255

            filterConditions[conditionIndex].conditionValue.type = FWP_RANGE_TYPE;
            filterConditions[conditionIndex].conditionValue.rangeValue = &IpRange;

            DbgPrint( "\n IP filtering range [0x%X;0x%X] \n", IpRange.valueLow.uint32, IpRange.valueHigh.uint32 );
        }
        else
        {
            DbgPrint( "\n Error IP v6 not implemented !\n" );
        }
    }

     

    Location of the destination server IP:

    Go to TlInspectCompletePendedConnection and look at ipv4RemoteAddr in pendedConnectLocal; for the local IP, it is in ipv4LocalAddr.

     

    Bye, thanks for your help

    Friday, August 26, 2011 7:47 AM
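The range condition above hard-codes the two host-byte-order values by hand. As an added example (not code from this thread or from the WDK Inspect sample), the portable C below derives the FWP_RANGE0 low/high values for any IPv4 CIDR block, reproducing 0x57F87800..0x57F878FF for 87.248.120.0/24; the `cidr_to_fwp_range` and `Ipv4Range` names are my own.

```c
/* Added example: compute the FWP_UINT32 low/high pair for a FWP_MATCH_RANGE
 * condition on FWPM_CONDITION_IP_REMOTE_ADDRESS from "a.b.c.d/len".  WFP takes
 * IPv4 addresses at the ALE/transport layers as host-byte-order UINT32, which
 * is why 87.248.120.0 appears as 0x57F87800 in the thread.  Plain C, no WFP
 * headers, so the values can be checked outside a driver before use. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int      ok;    /* 0 if the input was malformed                 */
    uint32_t low;   /* destination: FWP_RANGE0.valueLow.uint32      */
    uint32_t high;  /* destination: FWP_RANGE0.valueHigh.uint32     */
} Ipv4Range;

/* Parse dotted quad into a host-byte-order value; returns 0 on bad input. */
static int parse_ipv4_host_order(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* "87.248.120.0/24" -> {1, 0x57F87800, 0x57F878FF}.  A /0 yields the whole
 * address space; to match everything, the simpler route is the one given in
 * the thread: numFilterConditions = 0 and filterCondition = NULL. */
static Ipv4Range cidr_to_fwp_range(const char *cidr)
{
    Ipv4Range r = { 0, 0, 0 };
    char addr[16];
    const char *slash = strchr(cidr, '/');
    unsigned len;
    uint32_t base, mask;

    if (!slash || (size_t)(slash - cidr) >= sizeof addr) return r;
    memcpy(addr, cidr, (size_t)(slash - cidr));
    addr[slash - cidr] = '\0';
    if (sscanf(slash + 1, "%u", &len) != 1 || len > 32) return r;
    if (!parse_ipv4_host_order(addr, &base)) return r;

    mask   = (len == 0) ? 0u : 0xFFFFFFFFu << (32 - len); /* avoid shift by 32 */
    r.low  = base & mask;
    r.high = base | ~mask;   /* low <= high always holds, as WFP requires */
    r.ok   = 1;
    return r;
}
```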