add plugins-extra

This commit is contained in:
AirDog46
2025-05-13 19:49:49 +03:00
parent c5fab8aa94
commit 3575d86c17
531 changed files with 70258 additions and 1 deletions


@@ -0,0 +1,2 @@
1.0
* Initial release


@@ -0,0 +1,150 @@
// Microsoft Visual C++ generated resource script.
//
#include "resource.h"
#define APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 2 resource.
//
#include "winres.h"
/////////////////////////////////////////////////////////////////////////////
#undef APSTUDIO_READONLY_SYMBOLS
/////////////////////////////////////////////////////////////////////////////
// English (Australia) resources
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENA)
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_AUS
#pragma code_page(1252)
#ifdef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// TEXTINCLUDE
//
1 TEXTINCLUDE
BEGIN
"resource.h\0"
END
2 TEXTINCLUDE
BEGIN
"#include ""winres.h""\r\n"
"\0"
END
3 TEXTINCLUDE
BEGIN
"\r\n"
"\0"
END
#endif // APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Version
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEFLAGSMASK 0x17L
#ifdef _DEBUG
FILEFLAGS 0x1L
#else
FILEFLAGS 0x0L
#endif
FILEOS 0x4L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "0c0904b0"
BEGIN
VALUE "CompanyName", "dmex"
VALUE "FileDescription", "Firewall Monitor plugin for Process Hacker"
VALUE "FileVersion", "1.0"
VALUE "InternalName", "FirewallMonitorPlugin"
VALUE "LegalCopyright", "Licensed under the GNU GPL, v3."
VALUE "OriginalFilename", "FirewallMonitorPlugin.dll"
VALUE "ProductName", "Firewall Monitor plugin for Process Hacker"
VALUE "ProductVersion", "1.0.0.0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0xc09, 1200
END
END
/////////////////////////////////////////////////////////////////////////////
//
// Menu
//
IDR_FW_MENU MENU
BEGIN
POPUP "Event"
BEGIN
MENUITEM "&Copy\aCtrl+C", ID_EVENT_COPY
MENUITEM SEPARATOR
MENUITEM "Properties", ID_FW_PROPERTIES
END
END
/////////////////////////////////////////////////////////////////////////////
//
// Dialog
//
IDD_FWTABERROR DIALOGEX 0, 0, 309, 176
STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_SYSMENU
EXSTYLE WS_EX_TRANSPARENT
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
PUSHBUTTON "Restart",IDC_RESTART,20,28,50,14
LTEXT "Firewall monitoring requires Process Hacker to be restarted with administrative privileges.",IDC_STATIC,16,14,286,8
END
/////////////////////////////////////////////////////////////////////////////
//
// DESIGNINFO
//
#ifdef APSTUDIO_INVOKED
GUIDELINES DESIGNINFO
BEGIN
IDD_FWTABERROR, DIALOG
BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 302
TOPMARGIN, 7
BOTTOMMARGIN, 169
END
END
#endif // APSTUDIO_INVOKED
#endif // English (Australia) resources
/////////////////////////////////////////////////////////////////////////////
#ifndef APSTUDIO_INVOKED
/////////////////////////////////////////////////////////////////////////////
//
// Generated from the TEXTINCLUDE 3 resource.
//
/////////////////////////////////////////////////////////////////////////////
#endif // not APSTUDIO_INVOKED


@@ -0,0 +1,96 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{44A7C3BA-BAD5-40F3-AB70-442D44539053}</ProjectGuid>
<RootNamespace>FirewallMonitorPlugin</RootNamespace>
<Keyword>Win32Proj</Keyword>
<ProjectName>FirewallMonitorPlugin</ProjectName>
<WindowsTargetPlatformVersion>10.0.10586.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<CharacterSet>Unicode</CharacterSet>
<PlatformToolset>v140</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\ExtraPlugins.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\ExtraPlugins.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\ExtraPlugins.props" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
<Import Project="..\ExtraPlugins.props" />
</ImportGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LibraryPath>$(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86);$(NETFXKitsDir)Lib\um\x86;C:\Users\AirDog46\Downloads\processhacker-2.39-src\bin\Debug32</LibraryPath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LibraryPath>$(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86);$(NETFXKitsDir)Lib\um\x86;$(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86);$(NETFXKitsDir)Lib\um\x86;C:\Users\AirDog46\Downloads\processhacker-2.39-src\bin\Release32</LibraryPath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<TreatWarningAsError>false</TreatWarningAsError>
</ClCompile>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="fwdialog.c" />
<ClCompile Include="fwtab.c" />
<ClCompile Include="main.c" />
<ClCompile Include="monitor.c" />
</ItemGroup>
<ItemGroup>
<None Include="CHANGELOG.txt" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="FirewallMonitorPlugin.rc" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="fwtabp.h" />
<ClInclude Include="fwmon.h" />
<ClInclude Include="resource.h" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
</Project>
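Review bot: The two Win32 `LibraryPath` entries hard-code an absolute path under one developer's profile, `C:\Users\AirDog46\Downloads\processhacker-2.39-src\bin\Debug32` and the matching `...\bin\Release32`, so the project links only on that machine and resolves the Process Hacker import library from a Downloads folder instead of from anything tracked by the repository. The `Release|Win32` entry also lists `$(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86);$(NETFXKitsDir)Lib\um\x86` twice, and the two x64 configurations get no equivalent `LibraryPath` at all. A relative path or a single property defined in the already-imported `..\ExtraPlugins.props` (a placeholder name such as `$(PhBinDir)`) would keep the build reproducible and let all four configurations share one definition. The `TreatWarningAsError` override is likewise applied to `Release|Win32` only; if it is intentional for one configuration a comment saying why would help.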


@@ -0,0 +1,50 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="fwtab.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="monitor.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="fwdialog.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<None Include="CHANGELOG.txt" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="FirewallMonitorPlugin.rc">
<Filter>Resource Files</Filter>
</ResourceCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="fwmon.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="fwtabp.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>


@@ -0,0 +1,84 @@
/*
* Process Hacker Extra Plugins -
* Firewall Monitor
*
* Copyright (C) 2015 dmex
*
* This file is part of Process Hacker.
*
* Process Hacker is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Process Hacker is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Process Hacker. If not, see <http://www.gnu.org/licenses/>.
*/
#include "fwmon.h"
static INT_PTR CALLBACK OptionsDlgProc(
_In_ HWND hwndDlg,
_In_ UINT uMsg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
PFW_EVENT_NODE context;
if (uMsg == WM_INITDIALOG)
{
SetProp(hwndDlg, L"Context", (HANDLE)lParam);
context = (PFW_EVENT_NODE)GetProp(hwndDlg, L"Context");
}
else
{
context = (PFW_EVENT_NODE)GetProp(hwndDlg, L"Context");
if (uMsg == WM_DESTROY)
RemoveProp(hwndDlg, L"Context");
}
if (!context)
return FALSE;
switch (uMsg)
{
case WM_INITDIALOG:
PhCenterWindow(hwndDlg, PhMainWndHandle);
break;
case WM_COMMAND:
{
switch (LOWORD(wParam))
{
case IDCANCEL:
case IDOK:
EndDialog(hwndDlg, IDOK);
break;
}
}
break;
}
return FALSE;
}
NTSTATUS NTAPI ShowFwRuleProperties(
_In_ PVOID ThreadParameter
)
{
//DialogBoxParam(
// PluginInstance->DllBase,
// MAKEINTRESOURCE(IDD_PROPDIALOG),
// PhMainWndHandle,
// OptionsDlgProc,
// (LPARAM)ThreadParameter
// );
return STATUS_SUCCESS;
}
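Review bot: `ShowFwRuleProperties` returns `STATUS_SUCCESS` while the entire `DialogBoxParam` call is commented out, so the `ID_FW_PROPERTIES` menu command reports success and shows nothing, `ThreadParameter` is never read, and `OptionsDlgProc` is left as an unreferenced static. The `IDD_PROPDIALOG` resource the commented code names is also not defined in the `.rc` this commit adds, which contains only `IDD_FWTABERROR`, so simply uncommenting it would not build. Either add the resource and restore the call, or make the stub honest with `return STATUS_NOT_IMPLEMENTED;` and a comment such as `// TODO: rule properties dialog not implemented yet; IDD_PROPDIALOG does not exist`. Separately, `OptionsDlgProc` stores `lParam` as a raw `PFW_EVENT_NODE` in the window property without taking a reference; if the node can be removed while the modal dialog is up (node lifetime is managed outside this file) the stored pointer dangles, which is worth a comment on the context contract when the dialog is wired in.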


@@ -0,0 +1,105 @@
#ifndef FWMON_H
#define FWMON_H
#include <phdk.h>
#include "resource.h"
#include <Winsock2.h>
#include <fwpmu.h>
#include <fwpsu.h>
#include <Ws2tcpip.h>
#pragma comment(lib, "fwpuclnt.lib")
#pragma comment(lib, "iphlpapi.lib")
#pragma comment(lib, "Ws2_32.lib")
#define PLUGIN_NAME L"dmex.FirewallMonitor"
#define SETTING_NAME_FW_TREE_LIST_COLUMNS (PLUGIN_NAME L".TreeListColumns")
#define SETTING_NAME_FW_TREE_LIST_SORT (PLUGIN_NAME L".TreeListSort")
extern PPH_PLUGIN PluginInstance;
extern BOOLEAN FwEnabled;
extern PPH_LIST FwNodeList;
typedef struct _FW_EVENT_ITEM
{
UINT16 LocalPort;
UINT16 RemotePort;
ULONG Index;
PPH_STRING IndexString;
LARGE_INTEGER AddedTime;
PPH_STRING TimeString;
PPH_STRING UserNameString;
PH_STRINGREF ProtocalString;
PPH_STRING ProcessNameString;
PPH_STRING ProcessBaseString;
PH_STRINGREF DirectionString;
PPH_STRING LocalPortString;
PPH_STRING LocalAddressString;
PPH_STRING RemotePortString;
PPH_STRING RemoteAddressString;
//HICON Icon;
PH_STRINGREF FwRuleActionString;
PPH_STRING FwRuleNameString;
PPH_STRING FwRuleDescriptionString;
PPH_STRING FwRuleLayerNameString;
PPH_STRING FwRuleLayerDescriptionString;
} FW_EVENT_ITEM, *PFW_EVENT_ITEM;
#define FWTNC_TIME 0
#define FWTNC_ACTION 1
#define FWTNC_RULENAME 2
#define FWTNC_RULEDESCRIPTION 3
#define FWTNC_PROCESSBASENAME 4
#define FWTNC_PROCESSFILENAME 5
#define FWTNC_USER 6
#define FWTNC_LOCALADDRESS 7
#define FWTNC_LOCALPORT 8
#define FWTNC_REMOTEADDRESS 9
#define FWTNC_REMOTEPORT 10
#define FWTNC_PROTOCOL 11
#define FWTNC_DIRECTION 12
#define FWTNC_INDEX 13
#define FWTNC_MAXIMUM 14
typedef struct _FW_EVENT_NODE
{
PH_TREENEW_NODE Node;
PH_STRINGREF TextCache[FWTNC_MAXIMUM];
PPH_STRING TooltipText;
PFW_EVENT_ITEM EventItem;
} FW_EVENT_NODE, *PFW_EVENT_NODE;
// monitor
extern PH_CALLBACK FwItemAddedEvent;
extern PH_CALLBACK FwItemModifiedEvent;
extern PH_CALLBACK FwItemRemovedEvent;
extern PH_CALLBACK FwItemsUpdatedEvent;
BOOLEAN StartFwMonitor(VOID);
VOID StopFwMonitor(VOID);
VOID InitializeFwTab(VOID);
VOID LoadSettingsFwTreeList(VOID);
VOID SaveSettingsFwTreeList(VOID);
NTSTATUS NTAPI ShowFwRuleProperties(
_In_ PVOID ThreadParameter
);
typedef ULONG (WINAPI* _FwpmNetEventSubscribe1)(
_In_ HANDLE engineHandle,
_In_ const FWPM_NET_EVENT_SUBSCRIPTION0* subscription,
_In_ FWPM_NET_EVENT_CALLBACK1 callback,
_In_opt_ void* context,
_Out_ HANDLE* eventsHandle
);
#endif
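Review bot: `FW_EVENT_ITEM` mixes owned `PPH_STRING` members with `PH_STRINGREF` members that alias literals, but nothing states which ones the object's delete procedure must release; a comment above the struct, e.g. `// PPH_STRING members are owned references and must be dereferenced on delete; PH_STRINGREF members alias static strings and are not freed.`, would make the contract explicit. This matters because the visible `FwObjectTypeDeleteProcedure` in monitor.c only calls `PhClearReference(&Object)` on the object pointer itself and appears to release none of these members, so every `IndexString`, `TimeString`, `FwRuleNameString` and address/port string leaks per event. `ProtocalString` is misspelt and should read `ProtocolString`; the rename touches its users in files this header does not show. The `_FwpmNetEventSubscribe1` typedef is evidently for a run-time-resolved entry point, and a one-line comment on why it is not simply linked from `fwpuclnt.lib` (presumably availability on older Windows versions) would help the next reader.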



@@ -0,0 +1,156 @@
#ifndef FWTABP_H
#define FWTABP_H
HWND NTAPI FwTabCreateFunction(
_In_ PVOID Context
);
VOID NTAPI FwTabSelectionChangedCallback(
_In_ PVOID Parameter1,
_In_ PVOID Parameter2,
_In_ PVOID Parameter3,
_In_ PVOID Context
);
VOID NTAPI FwTabSaveContentCallback(
_In_ PVOID Parameter1,
_In_ PVOID Parameter2,
_In_ PVOID Parameter3,
_In_ PVOID Context
);
VOID NTAPI FwTabFontChangedCallback(
_In_ PVOID Parameter1,
_In_ PVOID Parameter2,
_In_ PVOID Parameter3,
_In_ PVOID Context
);
BOOLEAN FwNodeHashtableCompareFunction(
_In_ PVOID Entry1,
_In_ PVOID Entry2
);
ULONG FwNodeHashtableHashFunction(
_In_ PVOID Entry
);
VOID InitializeFwTreeList(
_In_ HWND hwnd
);
PFW_EVENT_NODE AddFwNode(
_In_ PFW_EVENT_ITEM FwItem
);
VOID RemoveFwNode(
_In_ PFW_EVENT_NODE FwNode
);
VOID UpdateFwNode(
_In_ PFW_EVENT_NODE FwNode
);
BOOLEAN NTAPI FwTreeNewCallback(
_In_ HWND hwnd,
_In_ PH_TREENEW_MESSAGE Message,
_In_opt_ PVOID Parameter1,
_In_opt_ PVOID Parameter2,
_In_opt_ PVOID Context
);
PFW_EVENT_NODE GetSelectedFwItem(
VOID
);
VOID GetSelectedFwItems(
_Out_ PFW_EVENT_NODE **FwItems,
_Out_ PULONG NumberOfFwItems
);
VOID DeselectAllFwNodes(
VOID
);
VOID SelectAndEnsureVisibleFwNode(
_In_ PFW_EVENT_NODE FwNode
);
VOID CopyFwList(
VOID
);
VOID WriteFwList(
__inout PPH_FILE_STREAM FileStream,
_In_ ULONG Mode
);
VOID HandleFwCommand(
_In_ ULONG Id
);
VOID InitializeFwMenu(
_In_ PPH_EMENU Menu,
_In_ PFW_EVENT_NODE *FwItems,
_In_ ULONG NumberOfFwItems
);
VOID ShowFwContextMenu(
_In_ POINT Location
);
VOID NTAPI FwItemAddedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
);
VOID NTAPI FwItemModifiedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
);
VOID NTAPI FwItemRemovedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
);
VOID NTAPI FwItemsUpdatedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
);
VOID NTAPI OnFwItemAdded(
_In_ PVOID Parameter
);
VOID NTAPI OnFwItemModified(
_In_ PVOID Parameter
);
VOID NTAPI OnFwItemRemoved(
_In_ PVOID Parameter
);
VOID NTAPI OnFwItemsUpdated(
_In_ PVOID Parameter
);
BOOLEAN NTAPI FwSearchFilterCallback(
_In_ PPH_TREENEW_NODE Node,
_In_opt_ PVOID Context
);
VOID NTAPI FwSearchChangedHandler(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
);
VOID NTAPI FwToolStatusActivateContent(
_In_ BOOLEAN Select
);
HWND NTAPI FwToolStatusGetTreeNewHandle(
VOID
);
#endif
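Review bot: `WriteFwList` annotates `FileStream` with the legacy `__inout` macro while every other prototype in this header uses the underscore-prefixed SAL forms (`_In_`, `_Out_`, `_In_opt_`); change it to `_Inout_ PPH_FILE_STREAM FileStream,` for consistency. The header also includes nothing yet uses `PFW_EVENT_NODE`, `PFW_EVENT_ITEM`, `PPH_EMENU` and `PH_TREENEW_MESSAGE`, so it compiles only when the includer has pulled in fwmon.h first; either add `#include "fwmon.h"` after the guard or state the dependency in a comment, e.g. `// Private declarations for fwtab.c; requires fwmon.h to be included first.`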


@@ -0,0 +1,122 @@
/*
* Process Hacker Extra Plugins -
* Firewall Monitor
*
* Copyright (C) 2015 dmex
*
* This file is part of Process Hacker.
*
* Process Hacker is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Process Hacker is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Process Hacker. If not, see <http://www.gnu.org/licenses/>.
*/
#include "fwmon.h"
PPH_PLUGIN PluginInstance;
static PH_CALLBACK_REGISTRATION PluginLoadCallbackRegistration;
static PH_CALLBACK_REGISTRATION PluginUnloadCallbackRegistration;
static PH_CALLBACK_REGISTRATION PluginShowOptionsCallbackRegistration;
static PH_CALLBACK_REGISTRATION MainWindowShowingCallbackRegistration;
static VOID NTAPI LoadCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
FwEnabled = StartFwMonitor();
}
static VOID NTAPI UnloadCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
StopFwMonitor();
SaveSettingsFwTreeList();
}
static VOID NTAPI ShowOptionsCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
NOTHING;
}
static VOID NTAPI MainWindowShowingCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
InitializeFwTab();
}
LOGICAL DllMain(
_In_ HINSTANCE Instance,
_In_ ULONG Reason,
_Reserved_ PVOID Reserved
)
{
switch (Reason)
{
case DLL_PROCESS_ATTACH:
{
PPH_PLUGIN_INFORMATION info;
PH_SETTING_CREATE settings[] =
{
{ StringSettingType, SETTING_NAME_FW_TREE_LIST_COLUMNS, L"" },
{ IntegerPairSettingType, SETTING_NAME_FW_TREE_LIST_SORT, L"0,2" }
};
PluginInstance = PhRegisterPlugin(PLUGIN_NAME, Instance, &info);
if (!PluginInstance)
return FALSE;
info->DisplayName = L"Firewall Monitor";
info->Author = L"dmex";
info->Description = L"Adds a new tab for monitoring kernel/process firewall events.";
info->HasOptions = FALSE;
PhRegisterCallback(
PhGetPluginCallback(PluginInstance, PluginCallbackLoad),
LoadCallback,
NULL,
&PluginLoadCallbackRegistration
);
PhRegisterCallback(
PhGetPluginCallback(PluginInstance, PluginCallbackUnload),
UnloadCallback,
NULL,
&PluginUnloadCallbackRegistration
);
PhRegisterCallback(
PhGetPluginCallback(PluginInstance, PluginCallbackShowOptions),
ShowOptionsCallback,
NULL,
&PluginShowOptionsCallbackRegistration
);
PhRegisterCallback(
PhGetGeneralCallback(GeneralCallbackMainWindowShowing),
MainWindowShowingCallback,
NULL,
&MainWindowShowingCallbackRegistration
);
PhAddSettings(settings, ARRAYSIZE(settings));
}
break;
}
return TRUE;
}
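Review bot: `ShowOptionsCallback` is registered for `PluginCallbackShowOptions` even though `info->HasOptions` is set to `FALSE`, so the empty `NOTHING` callback is unreachable through the options UI; either drop the registration together with the callback and its `PluginShowOptionsCallbackRegistration`, or leave a comment that it is a placeholder for a future options page. `UnloadCallback` calls `StopFwMonitor()` unconditionally while `LoadCallback` records whether the monitor actually started in `FwEnabled`; unless `StopFwMonitor` is known to tolerate a failed start (its body is outside this page), guard the unload path with `if (FwEnabled) StopFwMonitor();`. `FwEnabled` itself is only declared `extern` in fwmon.h and is not defined in any file shown here, presumably it lives in the suppressed fwtab.c; a comment next to the `extern` naming the defining file would save the next reader the search.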


@@ -0,0 +1,788 @@
/*
* Process Hacker Extra Plugins -
* Firewall Monitor
*
* Copyright (C) 2015 dmex
*
* This file is part of Process Hacker.
*
* Process Hacker is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Process Hacker is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Process Hacker. If not, see <http://www.gnu.org/licenses/>.
*/
#include "fwmon.h"
#define FWP_DIRECTION_IN 0x00003900L
#define FWP_DIRECTION_OUT 0x00003901L
#define FWP_DIRECTION_FORWARD 0x00003902L
PH_CALLBACK_DECLARE(FwItemAddedEvent);
PH_CALLBACK_DECLARE(FwItemModifiedEvent);
PH_CALLBACK_DECLARE(FwItemRemovedEvent);
PH_CALLBACK_DECLARE(FwItemsUpdatedEvent);
static PH_CALLBACK_REGISTRATION ProcessesUpdatedCallbackRegistration;
static PPH_OBJECT_TYPE FwObjectType = NULL;
static HANDLE FwEngineHandle = NULL;
static HANDLE FwEventHandle = NULL;
static HANDLE FwEnumHandle = NULL;
static _FwpmNetEventSubscribe1 FwpmNetEventSubscribe1_I = NULL;
static VOID NTAPI FwObjectTypeDeleteProcedure(
_In_ PVOID Object,
_In_ ULONG Flags
)
{
PhClearReference(&Object);
}
PFW_EVENT_ITEM EtCreateFirewallEntryItem(
VOID
)
{
static ULONG itemCount = 0;
PFW_EVENT_ITEM diskItem;
diskItem = PhCreateObject(sizeof(FW_EVENT_ITEM), FwObjectType);
memset(diskItem, 0, sizeof(FW_EVENT_ITEM));
diskItem->Index = itemCount;
diskItem->IndexString = PhFormatString(L"%lu", itemCount);
itemCount++;
return diskItem;
}
static VOID CALLBACK DropEventCallback(
_Inout_ PVOID FwContext,
_In_ const FWPM_NET_EVENT* FwEvent
)
{
PFW_EVENT_ITEM fwEventItem = EtCreateFirewallEntryItem();
SYSTEMTIME systemTime;
PhQuerySystemTime(&fwEventItem->AddedTime);
PhLargeIntegerToLocalSystemTime(&systemTime, &fwEventItem->AddedTime);
fwEventItem->TimeString = PhFormatDateTime(&systemTime);
switch (FwEvent->type)
{
case FWPM_NET_EVENT_TYPE_CLASSIFY_DROP:
{
FWPM_FILTER* fwFilterItem = NULL;
FWPM_LAYER* fwLayerItem = NULL;
FWPM_NET_EVENT_CLASSIFY_DROP* fwDropEvent = FwEvent->classifyDrop;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"DROP");
if (FwpmFilterGetById(FwEngineHandle, fwDropEvent->filterId, &fwFilterItem) == ERROR_SUCCESS)
{
if (fwFilterItem->displayData.name)
{
fwEventItem->FwRuleNameString = PhCreateString(fwFilterItem->displayData.name);
}
if (fwFilterItem->displayData.description)
{
fwEventItem->FwRuleDescriptionString = PhCreateString(fwFilterItem->displayData.description);
}
if ((fwFilterItem->action.type & FWP_ACTION_BLOCK) != 0)
{
}
FwpmFreeMemory(&fwFilterItem);
}
if (FwpmLayerGetById(FwEngineHandle, fwDropEvent->layerId, &fwLayerItem) == ERROR_SUCCESS)
{
if (fwLayerItem->displayData.name)
{
fwEventItem->FwRuleLayerNameString = PhCreateString(fwLayerItem->displayData.name);
}
//fwEventItem->FwRuleLayerDescriptionString = PhCreateString(fwLayerRuleItem->displayData.description);
for (UINT32 i = 0; i < fwLayerItem->numFields; i++)
{
FWPM_FIELD fwRuleField = fwLayerItem->field[i];
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa363996.aspx
if (memcmp(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_APP_ID, sizeof(GUID)) == 0)
{
//The fully qualified device path of the application, as returned by the FwpmGetAppIdFromFileName0 function.
// (For example, "\device0\hardiskvolume1\Program Files\Application.exe".)
// Data type : FWP_BYTE_BLOB_TYPE
//fwDropEvent->
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_ORIGINAL_APP_ID))
{
// The fully qualified device path of the application, such as "\device0\hardiskvolume1\Program Files\Application.exe".
// When a connection has been redirected, this will be the identifier of the originating app,
// otherwise this will be the same as FWPM_CONDITION_ALE_APP_ID.
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_USER_ID))
{
//The identification of the local user.
//Data type : FWP_SECURITY_DESCRIPTOR_TYPE
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_ADDRESS))
{
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE))
{
//The local IP address type.
//Possible values : Any of the following NL_ADDRESS_TYPE enumeration values.
//NlatUnspecified
//NlatUnicast
//NlatAnycast
//NlatMulticast
//NlatBroadcast
//Data type : FWP_UINT8
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_PORT))
{
//The local transport protocol port number.
//Data type : FWP_UINT16
}
//else
//{
// PhInitializeStringRef(&fwEventItem->FwRuleModeString, L"UNKNOWN");
//}
}
FwpmFreeMemory(&fwLayerItem);
}
if (fwDropEvent->isLoopback)
{
PhInitializeStringRef(&fwEventItem->DirectionString, L"Loopback");
}
else
{
switch (fwDropEvent->msFwpDirection)
{
case FWP_DIRECTION_IN:
case FWP_DIRECTION_INBOUND:
PhInitializeStringRef(&fwEventItem->DirectionString, L"In");
break;
case FWP_DIRECTION_OUT:
case FWP_DIRECTION_OUTBOUND:
PhInitializeStringRef(&fwEventItem->DirectionString, L"Out");
break;
case FWP_DIRECTION_FORWARD:
PhInitializeStringRef(&fwEventItem->DirectionString, L"Forward");
break;
default:
PhInitializeStringRef(&fwEventItem->DirectionString, L"");
break;
}
}
}
break;
case FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW:
{
FWPM_FILTER* fwFilterItem = NULL;
FWPM_LAYER* fwLayerItem = NULL;
FWPM_NET_EVENT_CLASSIFY_ALLOW* fwAllowEvent = FwEvent->classifyAllow;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"ALLOW");
if (FwpmFilterGetById(FwEngineHandle, fwAllowEvent->filterId, &fwFilterItem) == ERROR_SUCCESS)
{
if (fwFilterItem->displayData.name)
{
fwEventItem->FwRuleNameString = PhCreateString(fwFilterItem->displayData.name);
}
if (fwFilterItem->displayData.description)
{
fwEventItem->FwRuleDescriptionString = PhCreateString(fwFilterItem->displayData.description);
}
if ((fwFilterItem->action.type & FWP_ACTION_BLOCK) != 0)
{
}
FwpmFreeMemory(&fwFilterItem);
}
if (FwpmLayerGetById(FwEngineHandle, fwAllowEvent->layerId, &fwLayerItem) == ERROR_SUCCESS)
{
for (UINT32 i = 0; i < fwLayerItem->numFields; i++)
{
FWPM_FIELD fwRuleField = fwLayerItem->field[i];
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa363996.aspx
if (memcmp(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_APP_ID, sizeof(GUID)) == 0)
{
//The fully qualified device path of the application, as returned by the FwpmGetAppIdFromFileName0 function.
// (For example, "\device0\hardiskvolume1\Program Files\Application.exe".)
// Data type : FWP_BYTE_BLOB_TYPE
//fwAllowEvent->
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_ORIGINAL_APP_ID))
{
// The fully qualified device path of the application, such as "\device0\hardiskvolume1\Program Files\Application.exe".
// When a connection has been redirected, this will be the identifier of the originating app,
// otherwise this will be the same as FWPM_CONDITION_ALE_APP_ID.
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_ALE_USER_ID))
{
//The identification of the local user.
//Data type : FWP_SECURITY_DESCRIPTOR_TYPE
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_ADDRESS))
{
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE))
{
//The local IP address type.
//Possible values : Any of the following NL_ADDRESS_TYPE enumeration values.
//NlatUnspecified
//NlatUnicast
//NlatAnycast
//NlatMulticast
//NlatBroadcast
//Data type : FWP_UINT8
}
else if (IsEqualGUID(fwRuleField.fieldKey, &FWPM_CONDITION_IP_LOCAL_PORT))
{
//The local transport protocol port number.
//Data type : FWP_UINT16
}
//else
//{
// PhInitializeStringRef(&fwEventItem->FwRuleModeString, L"UNKNOWN");
//}
}
fwEventItem->FwRuleLayerNameString = PhCreateString(fwLayerItem->displayData.name);
//fwEventItem->FwRuleLayerDescriptionString = PhCreateString(fwLayerRuleItem->displayData.description);
FwpmFreeMemory(&fwLayerItem);
}
if (fwAllowEvent->isLoopback)
{
PhInitializeStringRef(&fwEventItem->DirectionString, L"Loopback");
}
else
{
switch (fwAllowEvent->msFwpDirection)
{
case FWP_DIRECTION_IN:
case FWP_DIRECTION_INBOUND:
PhInitializeStringRef(&fwEventItem->DirectionString, L"In");
break;
case FWP_DIRECTION_OUT:
case FWP_DIRECTION_OUTBOUND:
PhInitializeStringRef(&fwEventItem->DirectionString, L"Out");
break;
case FWP_DIRECTION_FORWARD:
PhInitializeStringRef(&fwEventItem->DirectionString, L"Forward");
break;
default:
PhInitializeStringRef(&fwEventItem->DirectionString, L"");
break;
}
}
}
break;
case FWPM_NET_EVENT_TYPE_CAPABILITY_DROP:
//FWPM_NET_EVENT_CAPABILITY_DROP* fwCapDropEvent = FwEvent->capabilityDrop;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"CAPABILITY_DROP");
return;
case FWPM_NET_EVENT_TYPE_CAPABILITY_ALLOW:
//FWPM_NET_EVENT_CAPABILITY_ALLOW* fwCapAllowEvent = FwEvent->capabilityAllow;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"CAPABILITY_ALLOW");
return;
case FWPM_NET_EVENT_TYPE_CLASSIFY_DROP_MAC:
//FWPM_NET_EVENT_CLASSIFY_DROP_MAC* fwMacDropEvent = FwEvent->classifyDropMac;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"CLASSIFY_DROP_MAC");
break;
case FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP:
//FWPM_NET_EVENT_IPSEC_KERNEL_DROP* fwIpSecDropEvent = FwEvent->ipsecDrop;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"IPSEC_KERNEL_DROP");
break;
case FWPM_NET_EVENT_TYPE_IPSEC_DOSP_DROP:
//FWPM_NET_EVENT_IPSEC_DOSP_DROP* fwIpSecDoSDropEvent = FwEvent->idpDrop;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"IPSEC_DOSP_DROP");
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE:
//FWPM_NET_EVENT_IKEEXT_MM_FAILURE* fwIkeextMMFailureEvent = FwEvent->ikeMmFailure;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"IKEEXT_MM_FAILURE");
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE:
//FWPM_NET_EVENT_IKEEXT_QM_FAILURE* fwIkeextQMFailureEvent = FwEvent->ikeQmFailure;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"QM_FAILURE");
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE:
//FWPM_NET_EVENT_IKEEXT_EM_FAILURE* fwIkeextEMFailureEvent = FwEvent->ikeEmFailure;
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"EM_FAILURE");
break;
default:
PhInitializeStringRef(&fwEventItem->FwRuleActionString, L"unknown");
break;
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET) != 0)
{
fwEventItem->LocalPort = FwEvent->header.localPort;
fwEventItem->LocalPortString = PhFormatString(L"%u", FwEvent->header.localPort);
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET) != 0)
{
fwEventItem->RemotePort = FwEvent->header.remotePort;
fwEventItem->RemotePortString = PhFormatString(L"%u", FwEvent->header.remotePort);
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_IP_VERSION_SET) != 0)
{
if (FwEvent->header.ipVersion == FWP_IP_VERSION_V4)
{
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET) != 0)
{
//IN_ADDR ipv4Address = { 0 };
//PWSTR ipv4StringTerminator = 0;
//WCHAR ipv4AddressString[INET_ADDRSTRLEN] = L"";
//
//ULONG localAddrV4 = _byteswap_ulong(FwEvent->header.localAddrV4);
//
//RtlIpv4AddressToString((PIN_ADDR)&localAddrV4, ipv4AddressString);
//RtlIpv4StringToAddress(ipv4AddressString, TRUE, &ipv4StringTerminator, &ipv4Address);
//
//fwEventItem->LocalAddressString = PhFormatString(L"%s", ipv4AddressString);
fwEventItem->LocalAddressString = PhFormatString(
L"%lu.%lu.%lu.%lu",
((PBYTE)&FwEvent->header.localAddrV4)[3],
((PBYTE)&FwEvent->header.localAddrV4)[2],
((PBYTE)&FwEvent->header.localAddrV4)[1],
((PBYTE)&FwEvent->header.localAddrV4)[0]
);
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET) != 0)
{
//IN_ADDR ipv4Address = { 0 };
//PWSTR ipv4StringTerminator = 0;
//WCHAR ipv4AddressString[INET_ADDRSTRLEN] = L"";
//
//ULONG remoteAddrV4 = _byteswap_ulong(FwEvent->header.remoteAddrV4);
//
//RtlIpv4AddressToString((PIN_ADDR)&remoteAddrV4, ipv4AddressString);
//RtlIpv4StringToAddress(ipv4AddressString, TRUE, &ipv4StringTerminator, &ipv4Address);
//
//fwEventItem->RemoteAddressString = PhFormatString(L"%s", ipv4AddressString);
fwEventItem->RemoteAddressString = PhFormatString(
L"%lu.%lu.%lu.%lu",
((PBYTE)&FwEvent->header.remoteAddrV4)[3],
((PBYTE)&FwEvent->header.remoteAddrV4)[2],
((PBYTE)&FwEvent->header.remoteAddrV4)[1],
((PBYTE)&FwEvent->header.remoteAddrV4)[0]
);
}
}
else if (FwEvent->header.ipVersion == FWP_IP_VERSION_V6)
{
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET) != 0)
{
IN6_ADDR ipv6Address = { 0 };
PWSTR ipv6StringTerminator = 0;
WCHAR ipv6AddressString[INET6_ADDRSTRLEN] = L"";
RtlIpv6AddressToString((struct in6_addr*)&FwEvent->header.localAddrV6, ipv6AddressString);
RtlIpv6StringToAddress(ipv6AddressString, &ipv6StringTerminator, &ipv6Address);
fwEventItem->LocalAddressString = PhFormatString(L"%s", ipv6AddressString);
//fwEventItem->LocalAddressString = PhFormatString(
// L"%x:%x:%x:%x%x:%x:%x:%x",
// ((WORD*)&FwEvent->header.localAddrV6)[7],
// ((WORD*)&FwEvent->header.localAddrV6)[6],
// ((WORD*)&FwEvent->header.localAddrV6)[5],
// ((WORD*)&FwEvent->header.localAddrV6)[4],
// ((WORD*)&FwEvent->header.localAddrV6)[3],
// ((WORD*)&FwEvent->header.localAddrV6)[2],
// ((WORD*)&FwEvent->header.localAddrV6)[1],
// ((WORD*)&FwEvent->header.localAddrV6)[0]
// );
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET) != 0)
{
WCHAR ipv6AddressString[INET6_ADDRSTRLEN] = L"";
PWSTR ipv6StringTerminator = 0;
IN6_ADDR ipv6Address = { 0 };
RtlIpv6AddressToString((struct in6_addr*)&FwEvent->header.remoteAddrV6, ipv6AddressString);
RtlIpv6StringToAddress(ipv6AddressString, &ipv6StringTerminator, &ipv6Address);
fwEventItem->RemoteAddressString = PhFormatString(L"%s", ipv6AddressString);
//fwEventItem->RemoteAddressString = PhFormatString(
// L"%x:%x:%x:%x%x:%x:%x:%x",
// ((WORD*)&FwEvent->header.remoteAddrV6)[7],
// ((WORD*)&FwEvent->header.remoteAddrV6)[6],
// ((WORD*)&FwEvent->header.remoteAddrV6)[5],
// ((WORD*)&FwEvent->header.remoteAddrV6)[4],
// ((WORD*)&FwEvent->header.remoteAddrV6)[3],
// ((WORD*)&FwEvent->header.remoteAddrV6)[2],
// ((WORD*)&FwEvent->header.remoteAddrV6)[1],
// ((WORD*)&FwEvent->header.remoteAddrV6)[0]
// );
}
}
else
{
//FwEvent->header.addressFamily Available when ipVersion is FWP_IP_VERSION_NONE.
}
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_APP_ID_SET) != 0)
{
PPH_STRING fileName = NULL;
PPH_STRING resolvedName = NULL;
if (FwEvent->header.appId.data && FwEvent->header.appId.size > 0)
{
fileName = PhCreateStringEx((PWSTR)FwEvent->header.appId.data, (SIZE_T)FwEvent->header.appId.size);
resolvedName = PhResolveDevicePrefix(fileName);
PhDereferenceObject(fileName);
}
if (resolvedName)
{
fwEventItem->ProcessNameString = PhGetFileName(resolvedName);
fwEventItem->ProcessBaseString = PhGetBaseName(resolvedName);
//FWP_BYTE_BLOB* fwpApplicationByteBlob = NULL;
//if (FwpmGetAppIdFromFileName(fileNameString->Buffer, &fwpApplicationByteBlob) == ERROR_SUCCESS)
//fwEventItem->ProcessBaseString = PhCreateStringEx(fwpApplicationByteBlob->data, fwpApplicationByteBlob->size);
//fwEventItem->Icon = PhGetFileShellIcon(PhGetString(resolvedName), L".exe", FALSE);
PhDereferenceObject(resolvedName);
}
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_USER_ID_SET) != 0)
{
if (RtlValidSid(FwEvent->header.userId))
{
fwEventItem->UserNameString = PhGetSidFullName(FwEvent->header.userId, TRUE, NULL);
}
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET))
{
// The ipProtocol member is set.
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_SCOPE_ID_SET))
{
// The scopeId member is set.
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_REAUTH_REASON_SET) != 0)
{
// Indicates an existing connection was reauthorized.
}
if ((FwEvent->header.flags & FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET) != 0)
{
// The packageSid member is set.
}
switch (FwEvent->header.ipProtocol)
{
case IPPROTO_HOPOPTS:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"HOPOPTS");
break;
case IPPROTO_ICMP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ICMP");
break;
case IPPROTO_IGMP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IGMP");
break;
case IPPROTO_GGP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"GGP");
break;
case IPPROTO_IPV4:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IPv4");
break;
case IPPROTO_ST:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ST");
break;
case IPPROTO_TCP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"TCP");
break;
case IPPROTO_CBT:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"CBT");
break;
case IPPROTO_EGP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"EGP");
break;
case IPPROTO_IGP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IGP");
break;
case IPPROTO_PUP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"PUP");
break;
case IPPROTO_UDP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"UDP");
break;
case IPPROTO_IDP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IDP");
break;
case IPPROTO_RDP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"RDP");
break;
case IPPROTO_IPV6:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IPv6");
break;
case IPPROTO_ROUTING:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ROUTING");
break;
case IPPROTO_FRAGMENT:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"FRAGMENT");
break;
case IPPROTO_ESP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ESP");
break;
case IPPROTO_AH:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"AH");
break;
case IPPROTO_ICMPV6:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ICMPv6");
break;
case IPPROTO_DSTOPTS:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"DSTOPTS");
break;
case IPPROTO_ND:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ND");
break;
case IPPROTO_ICLFXBM:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"ICLFXBM");
break;
case IPPROTO_PIM:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"PIM");
break;
case IPPROTO_PGM:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"PGM");
break;
case IPPROTO_L2TP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"L2TP");
break;
case IPPROTO_SCTP:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"SCTP");
break;
case IPPROTO_RESERVED_IPSEC:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IPSEC");
break;
case IPPROTO_RESERVED_IPSECOFFLOAD:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"IPSECOFFLOAD");
break;
case IPPROTO_RESERVED_WNV:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"WNV");
break;
case IPPROTO_RAW:
case IPPROTO_RESERVED_RAW:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"RAW");
break;
case IPPROTO_NONE:
default:
PhInitializeStringRef(&fwEventItem->ProtocalString, L"Unknown");
break;
}
PhInvokeCallback(&FwItemAddedEvent, fwEventItem);
}
static VOID NTAPI ProcessesUpdatedCallback(
_In_opt_ PVOID Parameter,
_In_opt_ PVOID Context
)
{
static LARGE_INTEGER systemTime;
PhQuerySystemTime(&systemTime);
for (ULONG i = 0; i < FwNodeList->Count; i++)
{
PFW_EVENT_NODE node = (PFW_EVENT_NODE)FwNodeList->Items[i];
if (systemTime.QuadPart > (node->EventItem->AddedTime.QuadPart + (60 * PH_TIMEOUT_SEC)))
{
PhInvokeCallback(&FwItemRemovedEvent, node);
}
}
PhInvokeCallback(&FwItemsUpdatedEvent, NULL);
}
BOOLEAN StartFwMonitor(
VOID
)
{
FWP_VALUE value = { FWP_EMPTY };
FWPM_SESSION session = { 0 };
FWPM_NET_EVENT_SUBSCRIPTION subscription = { 0 };
FWPM_NET_EVENT_ENUM_TEMPLATE eventTemplate = { 0 };
FwpmNetEventSubscribe1_I = PhGetModuleProcAddress(L"fwpuclnt.dll", "FwpmNetEventSubscribe1");
FwNodeList = PhCreateList(100);
FwObjectType = PhCreateObjectType(L"FwObject", 0, FwObjectTypeDeleteProcedure);
session.flags = 0;
session.displayData.name = L"PhFirewallMonitoringSession";
session.displayData.description = L"Non-Dynamic session for Process Hacker";
// Create a non-dynamic BFE session
if (FwpmEngineOpen(
NULL,
RPC_C_AUTHN_WINNT,
NULL,
&session,
&FwEngineHandle
) != ERROR_SUCCESS)
{
return FALSE;
}
value.type = FWP_UINT32;
value.uint32 = 1;
// Enable collection of NetEvents
if (FwpmEngineSetOption(
FwEngineHandle,
FWPM_ENGINE_COLLECT_NET_EVENTS,
&value
) != ERROR_SUCCESS)
{
return FALSE;
}
if (WindowsVersion > WINDOWS_7)
{
value.type = FWP_UINT32;
value.uint32 = FWPM_NET_EVENT_KEYWORD_CAPABILITY_DROP | FWPM_NET_EVENT_KEYWORD_CAPABILITY_ALLOW | FWPM_NET_EVENT_KEYWORD_CLASSIFY_ALLOW; // FWPM_NET_EVENT_KEYWORD_INBOUND_MCAST | FWPM_NET_EVENT_KEYWORD_INBOUND_BCAST
if (FwpmEngineSetOption(
FwEngineHandle,
FWPM_ENGINE_NET_EVENT_MATCH_ANY_KEYWORDS,
&value
) != ERROR_SUCCESS)
{
return FALSE;
}
value.type = FWP_UINT32;
value.uint32 = 1;
if (FwpmEngineSetOption(
FwEngineHandle,
FWPM_ENGINE_MONITOR_IPSEC_CONNECTIONS,
&value
) != ERROR_SUCCESS)
{
return FALSE;
}
}
eventTemplate.numFilterConditions = 0; // get events for all conditions
subscription.sessionKey = session.sessionKey;
subscription.enumTemplate = &eventTemplate;
// Subscribe to the events
if (FwpmNetEventSubscribe1_I)
{
if (FwpmNetEventSubscribe1_I(
FwEngineHandle,
&subscription,
DropEventCallback,
NULL,
&FwEventHandle
) != ERROR_SUCCESS)
{
return FALSE;
}
}
else
{
if (FwpmNetEventSubscribe0(
FwEngineHandle,
&subscription,
(FWPM_NET_EVENT_CALLBACK0)DropEventCallback, // TODO: Use correct function.
NULL,
&FwEventHandle
) != ERROR_SUCCESS)
{
return FALSE;
}
}
PhRegisterCallback(
&PhProcessesUpdatedEvent,
ProcessesUpdatedCallback,
NULL,
&ProcessesUpdatedCallbackRegistration
);
return TRUE;
}
VOID StopFwMonitor(
VOID
)
{
if (FwEventHandle)
{
FwpmNetEventUnsubscribe(FwEngineHandle, FwEventHandle);
FwEventHandle = NULL;
}
if (FwEngineHandle)
{
//FWP_VALUE value = { FWP_EMPTY };
//value.type = FWP_UINT32;
//value.uint32 = 0;
// TODO: return to previous state if other applications require event collection enabled??
// Disable collection of NetEvents
//FwpmEngineSetOption(FwEngineHandle, FWPM_ENGINE_COLLECT_NET_EVENTS, &value);
FwpmEngineClose(FwEngineHandle);
FwEngineHandle = NULL;
}
}


@@ -0,0 +1,23 @@
//{{NO_DEPENDENCIES}}
// Microsoft Visual C++ generated include file.
// Used by FirewallMonitorPlugin.rc
//
#define IDR_FW 101
#define IDR_FW_MENU 101
#define IDD_PROPDIALOG 102
#define IDD_FWTABERROR 102
#define IDC_RESTART 1001
#define ID_EVENT_COPY 40001
#define ID_EVENT_PROPERTIES 40002
#define ID_FW_PROPERTIES 40003
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
#define _APS_NEXT_RESOURCE_VALUE 103
#define _APS_NEXT_COMMAND_VALUE 40004
#define _APS_NEXT_CONTROL_VALUE 1002
#define _APS_NEXT_SYMED_VALUE 103
#endif
#endif