What would be the simplest way for an application I'm writing to block all Internet access on a Windows machine?
More details:
Windows: XP or higher
Application: A basic Win32 app written in C/C++.
Blocking: It needs to be able to block and unblock at will, ideally in a way that the user can't easily reverse. (By, say, right clicking on a network connection icon in the system tray.) Also, ideally, I'd like the method it uses to allow access to be restored should the user restart Windows or reset the machine, though I'd also be willing to have the app auto launch with Windows and unblock access upon startup if the machine was reset while in a blocked state.
Internet access: Primarily, I'd like to block conventional browsers from hitting conventional http/https sites. Secondarily, it would be nice to block IM clients and client-side social networking apps. It would also be nice, but not required, to still allow local networking for file sharing, etc. (Note that only the first requirement is absolute.)
Final notes: This is not meant to be a security utility, nor will its relationship to the user be adversarial (as, for example, with a parental control utility) so it's not important for it to use a scheme that can't be worked around by a determined user. (Consider that I intend for a reboot or reset to clear the blocking. This means that any workaround a user might discover that would take more effort than this is okay.)
Thanks!
p.s. I suspect that the Windows Firewall API won't work for me because this needs to work for users that haven't enabled the firewall or don't have admin privileges, but I'll be thrilled if I'm corrected on this.
It sounds like you're intending to run applications that you don't want to access the internet. Perhaps you could run them inside a virtual machine such as VirtualBox with networking disabled.
You could do it with a Winsock SPI. The Windows SDK has a sample (under Samples\netds\winsock\lsp) which implements what is called a layered service provider which allows you to hook all the user mode functions provided by Winsock and reject/modify the calls to block network access or redirect traffic to different locations. All installed winsock applications will be affected, so in your code you could have policys for what applications can go out and the like and disabled/enable on the fly. Now a determined person could find ways around this but it would be a pain.
That said this isn't trivial to do but the sample should get you most of the way there.
You cannot effectively or practically write your tool with only a user mode application.
What you need to write is a network I/O stack filter driver. This done by writing a Windows Driver. This is different from a Windows Win32 application. Drivers run in kernel mode and applications run in user mode.
On Windows Vista and later, the kernel mode Network Programming Interface (NPI) is designed for this. This is the same API that Windows Firewalls use. These are sometimes called the Winsock kernel (WSK) APIs.
In effect, you are writing a network firewall (more or less)
here are some links
Introduction to Winsock Kernel (WSK)
Windows Core Networking Blog
The Network Programming Interface Docs on MSDN
Note, your will likely need at least two components
Your driver
A Graphical application that a person can use to control your tool
If you want to do any monitoring, you will likely need a user mode service that collects data from your driver. This works better than trying to do this in the driver. In general, you should do the minimal amount of work in the driver.
A few notes:
You need to be very conscious of security when writing this kind of software. This is very much non trivial. Software that is network facing has the highest security requirements.
Be cognizant of performance.
Your driver and/or service must be aware of the context of a calling application. This is also a security boundary. For example, an application not running as administrator should not be able to control your driver.
take a look at firewall sourcecodes
Related
I am working on app (c++) that consist from two parts.
Control Panel working under restricted user account (with UAC enabled)
Windows Service, performing some useful tasks
I need to collect user preferences in control panel and send them to service.
What is the best method for sending/receiving data from control panel to service?
The sockets and named pipes are good, but they may cause windows firewall to show security warnings.
Shared memory also is good, but it requires a lot of synchronization between sending and receiving threads.
Is there any other method that I can use?
Thanks,
Khachatur
Shared memory requires three extra mutex objects on each side. Not so much. If you don't want to write anything, our MsgConnect (open-source) implements MMF transport and has a sample of communicating between the service and the UI application.
And oppositely, how much information can an application gather about local network traffic?
And how can one restrict such behavior so that any application trying to check it will come up with nothing?
The application uses a socket connection to communicate with another computer on the network.
Also, I'm talking strictly about the Windows platform, 7 and up.
Unless your application can run at a higher privilidge level than the network service (which I doubt, because this means you can gain unrestricted access to the network device),
not,
the only thing you can try is using an already running application as disguise and use it's networking capabilities.
I am writing a Desktop application for professional users using C++. My current design relies on a third-party C++ component whose API is based on TCP/IP. To integrate this component might involve modifying it to replace the networking code with a conventional C++ API.
It would be a lot easier if I could leave the component unmodified and communicate with it in the way it expects - over the network. To do so I would need to run the component as a server listening on some high port for loopback connections.
I have two concerns with this loopback approach. Can anyone allay or confirm my fears?
Reliability and performance
The loopback connection might fail, be blocked or intercepted by antivirus software. Something like this: Loopback connections working in user's context but not working from Local System account
Security
I am not too concerned about someone sniffing my loopback packets but I don't want my server to become a security risk itself. Is it risky to have a process listening on some high port?
Do many desktop applications operate like this?
I am initially developing on Windows but may move to Mac and Linux in future so this question applies to all the common desktop OSs.
Reliability: if component itself is reliable then there's no problem with listening to loopback interface. If component is not reliable then it's better to talk with it via loopback interface instead of calling it's functions directly. You can easily handle disconnects and restart component to continue working, but if you would link to the component and component will fail - your app will fail too.
Performance: There's some performance penalty. Not really big with current CPU power. It should be acceptable for most applications.
Security: component should bind to localhost address to avoid security issues. But local 3-d party software (virus) software with sufficient access level can intercept or even modify communication streams. Same for any other method of communication.
Loopback connections are widly used (java uses it for intercommunication, named used it for master service control, etc.)
There are different ways of shutting down a computer remotely.
Here are three I know of:
Invoking the Shutdown method of the Win32_OperatingSystem class through a remote WMI connection
Using the Microsoft Windows shutdown.exe
Letting your (whatever).exe copy itself to the systemfolder on the target machine, register itself as a service and start it remotely with parameters so that it initiates a local shutdown.
Number 3 is why sysinternals does, e.g. However, it requires that you have file & printer sharing active so that it is able to copy itself to the target and invoke the service.
Number 2 works almost everywhere... but also needs to have file & printer sharing being enabled. Because: This activates the RPC service which is needed for remotely invoking the shutdown.
As far as I can tell, even Number 1, the WMI solution, not only needs WMI installed on the target, but also the RPC service enabled.
My problem is:
I need a solution that allows me to shutdown a remote computer without RPC being enabled on it.
Is there a way?
Note: A way within a context of a business solution ;-)
I believe that you can use IPMI for such tasks. It requires hardware support though. We used it for lights-out management over a serial port in a solution a few years ago. We had some issues with the hardware support for soft shutdown since it requires some integration with the OS. From what I remember, you can mimic the hardware reaction to pressing the power button using a network packet sent by an IPMI utility. HTH.
I want to have an application or service that is running that, on some schedule, can disable access to the internet for all applications except for specific ones.
I'm trying to create a filter that can be turned on or off under programmatic control. Not just IP addresses and ports, but I want to be able to block specific applications as well, much like Zone Alarm and other software firewalls let you block.
For example, iexplore.exe, skype.exe, firefox.exe, aim.exe. But still need to allow other applications to connect as needed.
It has to work on Vista as well as XP, but I kind of expect that the method will be different on each of those platforms.
Basically, the filter has to tie the network communication back to the executable that is making the request and then allow or deny it.
Update:
On Vista at least, it looks like I want to use filters in the ALE layers of the WFP.
On XP, I'm still looking for the best way to do it. Do I really need to be writing device drivers and dealing with kernel stuff? I'm just a lowly application developer. Kill me now.
Update 2:
Currently looking at the PfCreateInterface and related Pf* API's for pre-Vista systems.
You can change both Vista and XP's firewall policies dynamically using the INetFwAuthorizedApplications interface from the Windows Firewall API.
Also see this question.
You'll have to write a device driver that filters traffic based on the executable requesting the traffic.
by limiting its access to internet using firewall. go to firewall setting advanced tab (win 7)
and do that
I'm not sure, but I think you'd need to do it by getting the program to run as a user that has limited permissions, the question is, can you make a user account that stops such things?
You'll need to redirect all (or at least many) calls to the WinSock API functions of any running program to your own replacement functions. That means getting into the memory of each running program and hijacking those functions, which is an... interesting... exercise. :-)
That might be enough of a pointer to get you started, or at least to suggest some more specific questions to ask.
Could you move aside (ie rename) the system's winsock DLL and replace it with your own ?
Yours should provide the same API, but check the the process name of incoming requests... return an error code to blocked applications and forward the calls from allowed apps onto the real DLL.