Problem with code ... (Block an application using WFP)


  • I wrote code to block an application, using the MSDN sample code along with some glue code to get it running. But it does not block the application. The filter is added at the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer.

    But it does not block the application.

    How do I block an application from using the internet with WFP (like disabling messengers)?

    This is the code ..

    #include "windows.h"
    #include "winioctl.h"
    #include "strsafe.h"
    
    #ifndef _CTYPE_DISABLE_MACROS
    #define _CTYPE_DISABLE_MACROS
    #endif
    
    #include "fwpmu.h"
    
    #include "winsock2.h"
    #include "ws2def.h"
    
    #include <conio.h>
    #include <stdio.h>
    
    
    
    #define INITGUID
    #include <guiddef.h>
    
    
    
    /*
     * Provider key. FilterByApp registers it with FwpmProviderAdd and points
     * the sublayer at it through sublayer.providerKey.
     */
    static const GUID WFPSAMPLER_PROVIDER = 
    {
     /* 53504657-6D61-5F70-5072-6F7669646572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x50, 0x72, 0x6F, 0x76, 0x69, 0x64, 0x65, 0x72}
    };
    
    /*
     FWPM_SUBLAYER Key
    **/
    
    /*
     * Sublayer key. FilterByApp adds the sublayer with FwpmSubLayerAdd and
     * attaches the block filter to it via fwpFilter.subLayerKey.
     */
    static const GUID WFPSAMPLER_SUBLAYER = 
    {
     /* 53504657-6D61-5F70-5375-624C61796572 */
     0x53504657,
     0x6D61,
     0x5F70,
     {0x53, 0x75, 0x62, 0x4C, 0x61, 0x79, 0x65, 0x72}
    };
    
    
    
    
    
    /*
     * Path of the application to block. Note the unexpanded %ProgramFiles%:
     * FilterByApp passes this literal straight to FwpmGetAppIdFromFileName0.
     * NOTE(review): confirm that call accepts environment-variable syntax;
     * otherwise expand the path (ExpandEnvironmentStrings) before use.
     */
    #define FILE_PATH L"%ProgramFiles%\\Windows Live\\Messenger\\msnmsgr.exe"
    
    /* Process-wide state shared by FilterByApp and RemoveFilter. */
    /* App-id blob returned by FwpmGetAppIdFromFileName0 (engine-allocated). */
    	FWP_BYTE_BLOB *fwpApplicationByteBlob;
    /* The block filter; filterId is filled in by FwpmFilterAdd and read by RemoveFilter. */
      FWPM_FILTER0 fwpFilter;
    /* Condition array for fwpFilter; FilterByApp fills the first conCount entries. */
      FWPM_FILTER_CONDITION0 fwpConditions[4];
    /* Number of entries of fwpConditions in use. */
      int conCount = 0;
    /* Last engine status seen by FilterByApp. */
      DWORD result = ERROR_SUCCESS; 
    /* Session passed to FwpmEngineOpen (FWPM_SESSION_FLAG_DYNAMIC, set in FilterByApp). */
    	FWPM_SESSION session;
    /* Engine handle opened by FilterByApp and closed by RemoveFilter (sic: "Hanle"). */
    	HANDLE engineHanle;
    /* Provider and sublayer added inside FilterByApp's transaction. */
    	FWPM_PROVIDER provider;
    	FWPM_SUBLAYER sublayer;
    
    
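    /*
     * Delete the filter added by FilterByApp and close the engine session.
     *
     * Reads the globals engineHanle and fwpFilter.filterId, so it only does
     * useful work in the same process that ran FilterByApp: the session is
     * opened with FWPM_SESSION_FLAG_DYNAMIC, so the engine removes the filter
     * itself when that handle is closed or the process exits, and a fresh
     * "delfilter" invocation starts with a null engineHanle and filterId 0.
     * Engine failures are reported on stdout; nothing is returned.
     */
    void
    RemoveFilter()
    {
      DWORD status;

      printf("Unloading Driver");

      /* No session was opened in this process (or it was already closed);
         calling the engine with a null handle would only fail. */
      if (engineHanle == 0)
      {
        printf("No open engine session in this process; nothing to remove.\n");
        return;
      }

      status = FwpmFilterDeleteById0(engineHanle, fwpFilter.filterId);
      if (status != ERROR_SUCCESS)
      {
        printf("FwpmFilterDeleteById0 failed (%lu).\n", status);
      }

      /* Close regardless of the delete result: closing a dynamic session
         releases everything it added anyway. */
      status = FwpmEngineClose0(engineHanle);
      if (status != ERROR_SUCCESS)
      {
        printf("FwpmEngineClose0 failed (%lu).\n", status);
      }
      engineHanle = 0;
    }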
    
    
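    /*
     * Add a WFP block filter for the application named by FILE_PATH.
     *
     * Opens the engine session (global engineHanle) and, in one transaction,
     * adds the provider, the sublayer and a FWP_ACTION_BLOCK filter at
     * FWPM_LAYER_ALE_AUTH_CONNECT_V4 with two conditions: ALE_APP_ID equal to
     * the application id of FILE_PATH, and IP_PROTOCOL equal to TCP. The
     * filter id is stored in fwpFilter.filterId for RemoveFilter.
     *
     * The session is FWPM_SESSION_FLAG_DYNAMIC: everything added here is
     * removed by the engine as soon as engineHanle is closed or the process
     * exits, so the caller must keep the process (and the handle) alive for
     * as long as the block should apply. Only IPv4 TCP connects are matched;
     * UDP and IPv6 traffic from the application is not covered by this filter.
     * Every engine call is checked; on failure the transaction is aborted,
     * the engine handle is closed, the app-id blob is released and the error
     * is printed to stdout.
     */
    void FilterByApp()
    {
      WCHAR appPath[MAX_PATH];
      DWORD pathLen;
      DWORD status;

      session.displayData.name = L"My Session";
      session.flags = FWPM_SESSION_FLAG_DYNAMIC;

      provider.displayData.name = L"My Provider";
      provider.providerKey = WFPSAMPLER_PROVIDER;

      sublayer.displayData.name = L"My Sublayer";
      sublayer.subLayerKey = WFPSAMPLER_SUBLAYER;
      sublayer.providerKey = (GUID *)&WFPSAMPLER_PROVIDER;

      /* fwpConditions has 4 entries and conCount is global: reset it so a
         repeated call cannot index past the end of the array. */
      conCount = 0;
      fwpApplicationByteBlob = 0;

      /* FILE_PATH contains %ProgramFiles%; expand it here instead of relying
         on FwpmGetAppIdFromFileName0 to do so (expanding a path without
         variables is a no-op). pathLen includes the terminator; a value above
         the buffer size means the expansion was truncated. */
      pathLen = ExpandEnvironmentStringsW(FILE_PATH, appPath, MAX_PATH);
      if (pathLen == 0)
      {
        printf("ExpandEnvironmentStrings failed (%lu).\n", GetLastError());
        return;
      }
      if (pathLen > MAX_PATH)
      {
        printf("Application path is longer than MAX_PATH after expansion.\n");
        return;
      }

      printf("Retrieving application identifier for filter testing.\n");
      result = FwpmGetAppIdFromFileName0(appPath, &fwpApplicationByteBlob);
      if (result != ERROR_SUCCESS)
      {
        /* DWORD is unsigned long: %lu, not %d. */
        printf("FwpmGetAppIdFromFileName failed (%lu).\n", result);
        return;
      }

      /* Application identifier filter condition. */
      fwpConditions[conCount].fieldKey = FWPM_CONDITION_ALE_APP_ID;
      fwpConditions[conCount].matchType = FWP_MATCH_EQUAL;
      fwpConditions[conCount].conditionValue.type = FWP_BYTE_BLOB_TYPE;
      fwpConditions[conCount].conditionValue.byteBlob = fwpApplicationByteBlob;
      ++conCount;

      /* TCP protocol filter condition. */
      fwpConditions[conCount].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
      fwpConditions[conCount].matchType = FWP_MATCH_EQUAL;
      fwpConditions[conCount].conditionValue.type = FWP_UINT8;
      fwpConditions[conCount].conditionValue.uint8 = IPPROTO_TCP;
      ++conCount;

      /* Zeroed filter: weight stays FWP_EMPTY (engine-assigned), no flags. */
      memset(&fwpFilter, 0, sizeof fwpFilter);
      fwpFilter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;
      fwpFilter.subLayerKey = sublayer.subLayerKey;
      fwpFilter.numFilterConditions = conCount;
      fwpFilter.action.type = FWP_ACTION_BLOCK;
      fwpFilter.filterCondition = fwpConditions;

      result = FwpmEngineOpen(0, RPC_C_AUTHN_WINNT, 0, &session, &engineHanle);
      if (result != ERROR_SUCCESS)
      {
        printf("FwpmEngineOpen failed (%lu).\n", result);
        engineHanle = 0;
        goto free_blob;
      }

      result = FwpmTransactionBegin(engineHanle, 0);
      if (result != ERROR_SUCCESS)
      {
        printf("FwpmTransactionBegin failed (%lu).\n", result);
        goto close_engine;
      }

      /* A provider or sublayer with these keys may already exist (e.g. left
         by another tool using the same sampler keys); that is not fatal for
         adding the filter, so only other errors abort. */
      result = FwpmProviderAdd(engineHanle, &provider, 0);
      if (result != ERROR_SUCCESS && result != (DWORD)FWP_E_ALREADY_EXISTS)
      {
        printf("FwpmProviderAdd failed (%lu).\n", result);
        goto abort_transaction;
      }

      result = FwpmSubLayerAdd(engineHanle, &sublayer, 0);
      if (result != ERROR_SUCCESS && result != (DWORD)FWP_E_ALREADY_EXISTS)
      {
        printf("FwpmSubLayerAdd failed (%lu).\n", result);
        goto abort_transaction;
      }

      result = FwpmFilterAdd(engineHanle, &fwpFilter, 0, &(fwpFilter.filterId));
      if (result != ERROR_SUCCESS)
      {
        printf("FwpmFilterAdd failed (%lu).\n", result);
        goto abort_transaction;
      }

      result = FwpmTransactionCommit(engineHanle);
      if (result != ERROR_SUCCESS)
      {
        /* Closing the handle discards whatever is left of the transaction. */
        printf("FwpmTransactionCommit failed (%lu).\n", result);
        goto close_engine;
      }

      /* Success: the engine has taken its own copy of the filter, so the
         app-id blob can be released now. engineHanle stays open so that
         RemoveFilter can use it and so that the dynamic session (and with it
         the filter) stays alive. */
      FwpmFreeMemory0((void **)&fwpApplicationByteBlob);
      return;

    abort_transaction:
      status = FwpmTransactionAbort0(engineHanle);
      if (status != ERROR_SUCCESS)
      {
        printf("FwpmTransactionAbort0 failed (%lu).\n", status);
      }
    close_engine:
      FwpmEngineClose0(engineHanle);
      engineHanle = 0;
    free_blob:
      FwpmFreeMemory0((void **)&fwpApplicationByteBlob);
    }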
    
    
    
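    /*
     * Dispatch on the first command-line argument.
     *
     * argc/argv: the process arguments. argv[1] selects the command,
     * "addfilter" (FilterByApp) or "delfilter" (RemoveFilter), compared
     * case-insensitively; further arguments are ignored.
     * Returns ERROR_SUCCESS when a known command was dispatched,
     * ERROR_INVALID_PARAMETER when no command was given and ERROR_NOT_FOUND
     * for an unrecognised one. FilterByApp and RemoveFilter report their own
     * failures on stdout; they are not propagated here.
     */
    DWORD
    MonitorAppProcessArguments(__in int argc, __in_ecount(argc) PCSTR argv[])
    {
      DWORD result = ERROR_NOT_FOUND;

      /* With no argument argv[1] is the terminating null pointer and
         _stricmp would dereference it. */
      if (argc < 2 || argv[1] == NULL)
      {
        printf("ERROR IN ARGUMENTS");
        return ERROR_INVALID_PARAMETER;
      }

      if (_stricmp(argv[1], "addfilter") == 0)
      {
        FilterByApp();
        result = ERROR_SUCCESS;
      }
      else if (_stricmp(argv[1], "delfilter") == 0)
      {
        RemoveFilter();
        result = ERROR_SUCCESS;
      }
      else
      {
        printf("ERROR IN ARGUMENTS");
      }

      return result;
    }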
    
    
    /*
     * Entry point: hands the arguments to MonitorAppProcessArguments and
     * discards its status, so the process exit code carries no result.
     * Note that "addfilter" returns straight away; because FilterByApp opens
     * a FWPM_SESSION_FLAG_DYNAMIC session, the filter it adds lives only
     * until this process exits.
     */
    void __cdecl main(__in int argc, __in_ecount(argc) PCSTR argv[])
    {
      (void)MonitorAppProcessArguments(argc, argv);
    }
    
    

    Please help me ..... 

    Thanks .........

    Tuesday, October 12, 2010 7:33 PM


  • I have a similar problem
    Friday, May 13, 2011 11:18 AM
  • What does the traffic look like that leaves the machine? Is there a local proxy? Are you executing firefox from the exact path you provided? Can you supply a dump of what your filter looks like?

    From a command line:
       Netsh.exe WFP Capture Start
       Add your filter
       Netsh.exe WFP Capture Stop

    In the .cab file there is an XML file. Look for an entry under the net events for FILTER_ADD which matches your filter conditions, and paste the resulting output here.

     

    Thanks,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------
    Saturday, May 14, 2011 6:34 PM