April 22nd, 2002 01:03 PM
W32 and Software firewalls
I was wondering about software firewalls and how they are designed for win32? Im not plaing to develop one myself since there are tons of them out there. How does it work? Do they use winsock wrappers, packet sniffers or?
April 23rd, 2002 12:03 AM
As far as I know, most of them intercept things at either the socket level, packet level or typically both.
For incoming connections, when behaving like a normal firewall, I think they have some sort of network driver which inserts itself between the network and the OS, and blocks packets based on rules.
They also seem to hook into the sockets API. I'm guessing that they do this at a lower level than wsock32.dll because if they did this then applications could bypass them by using the NT native APIs (which are badly documented and subject to change but do exist) in ntdll.dll
Clearly many functions are intercepted, particularly the underlying functions of listen() and connect() which allow applications to listen for or connect out on TCP connections.
The application level firewalls work out which process is making the request, and determine based on some set of rules whether to veto the operation (or indeed ask the user).
It's generally ok for them to block, because some of these functions (notably connect()), can block anyway normally.
Application firewalls might be a good idea if you want to stop lame spyware etc, but I can't see them detering a determined trojan, as it can either:
- Scan the system for application firewalls and kill them
- Install itself as a plug-in in Internet Explorer and only make outgoing HTTP requests when you're online anyway
- Or completely bypass the firewall by using a lower level API