views: 5313
answers: 5

I want to have an application or service that is running that, on some schedule, can disable access to the internet for all applications except for specific ones.

I'm trying to create a filter that can be turned on or off under programmatic control. Not just IP addresses and ports, but I want to be able to block specific applications as well, much like Zone Alarm and other software firewalls let you block.

For example, iexplore.exe, skype.exe, firefox.exe, aim.exe. But I still need to allow other applications to connect as needed.

It has to work on Vista as well as XP, but I kind of expect that the method will be different on each of those platforms.

Basically, the filter has to tie the network communication back to the executable that is making the request and then allow or deny it.

Update:

On Vista at least, it looks like I want to use filters in the ALE layers of the WFP.

On XP, I'm still looking for the best way to do it. Do I really need to be writing device drivers and dealing with kernel stuff? I'm just a lowly application developer. Kill me now.

Update 2:

Currently looking at the PfCreateInterface and related Pf* APIs for pre-Vista systems.

A: 

I'm not sure, but I think you'd need to do it by getting the program to run as a user that has limited permissions; the question is, can you make a user account that stops such things?

Jesse Pepper
It has to run in limited and administrator accounts in Windows. I'm not trying to prevent all applications from executing. I just want the attempt to access the internet by the application to fail (i.e., drop the packets or refuse the connection).
MarkS
A single application can be run as a different user than the currently logged in user.
Jesse Pepper
... that is, if you know the programs that you're talking about, you can put the executables somewhere where the normal user doesn't have access to them, and then provide access to each locked-down application only through a shortcut that runs it as the locked-down user.
Jesse Pepper
I appreciate the suggestions. But I can't move apps around creating shortcuts, etc. "my app" will be installed on machines where it won't even know what apps will be trying to access the internet. Firefox could be up, with access now, but at 8pm, it no longer has access. Next http request blocked.
MarkS
+1  A: 

You'll have to write a device driver that filters traffic based on the executable requesting the traffic.

Paul Whitehurst
A: 

You'll need to redirect all (or at least many) calls to the WinSock API functions of any running program to your own replacement functions. That means getting into the memory of each running program and hijacking those functions, which is an... interesting... exercise. :-)

That might be enough of a pointer to get you started, or at least to suggest some more specific questions to ask.

Head Geek
A: 

Could you move aside (i.e. rename) the system's winsock DLL and replace it with your own? Yours should provide the same API, but check the process name of incoming requests... return an error code to blocked applications and forward the calls from allowed apps onto the real DLL.

timday
Nice idea, but since Windows 2000, the OS has code to prevent that kind of thing, so malware can't replace system files. It could also cause problems with upgrades.
Head Geek
Not to mention, if this was a good way to do it, then what's to stop another app from installing their version of winsock and essentially disabling mine.
MarkS
+3  A: 

You can change both Vista and XP's firewall policies dynamically using the INetFwAuthorizedApplications interface from the Windows Firewall API.

Also see this question.

Max Caceres
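An added example of the approach in this answer (example code, not from the thread or from Microsoft): a PowerShell script meant to be run from a scheduled task that flips per-application firewall policy through the Windows Firewall COM API. On Vista and later it uses INetFwPolicy2 to toggle outbound block rules per executable; on XP SP2 it toggles entries in INetFwAuthorizedApplications, which only lists programs exempted from the inbound filter. The executable paths and rule-name prefix are constructed for the example; the script needs to run elevated.

```powershell
# Added example: schedule-driven per-application firewall toggling via the
# Windows Firewall COM API. Paths and prefix below are constructed samples.
$BlockedApps = @('C:\Program Files\Mozilla Firefox\firefox.exe',
                 'C:\Program Files\Skype\Phone\Skype.exe')
$RulePrefix  = 'ScheduledBlock: '

function Set-OutboundBlock {
    # Vista and later: INetFwPolicy2 exposes per-application outbound rules.
    # A block rule is created once per executable and then switched on or off.
    param([bool]$On)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($exe in $BlockedApps) {
        $name = $RulePrefix + [IO.Path]::GetFileName($exe)
        $rule = $policy.Rules | Where-Object { $_.Name -eq $name }
        if (-not $rule) {
            $rule = New-Object -ComObject HNetCfg.FWRule
            $rule.Name            = $name
            $rule.ApplicationName = $exe
            $rule.Direction       = 2           # NET_FW_RULE_DIR_OUT
            $rule.Action          = 0           # NET_FW_ACTION_BLOCK
            $rule.Protocol        = 256         # NET_FW_IP_PROTOCOL_ANY
            $rule.Profiles        = 0x7FFFFFFF  # all profiles
            $rule.Enabled         = $false
            $policy.Rules.Add($rule)
            $rule = $policy.Rules | Where-Object { $_.Name -eq $name }
        }
        $rule.Enabled = $On   # live COM object; change is applied immediately
    }
}

function Set-XpException {
    # XP SP2: INetFwAuthorizedApplications holds the programs exempted from
    # the inbound filter; this flips each listed program's exception.
    param([bool]$Allow)
    $mgr  = New-Object -ComObject HNetCfg.FwMgr
    $apps = $mgr.LocalPolicy.CurrentProfile.AuthorizedApplications
    foreach ($exe in $BlockedApps) {
        $entry = $apps | Where-Object { $_.ProcessImageFileName -eq $exe }
        if ($entry) { $entry.Enabled = $Allow }
    }
}

# Invoke from two scheduled tasks, e.g. "script.ps1 block" at 8pm and
# "script.ps1 unblock" in the morning. Vista and later report major version 6+.
$block = ($args[0] -eq 'block')
if ([Environment]::OSVersion.Version.Major -ge 6) { Set-OutboundBlock $block }
else                                              { Set-XpException (-not $block) }
```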