Introduction
This article is an update of the earlier Process Monitor article.
The new additions include a tray icon. In this new application, you don't have to write down what applications shouldn't start.
You'll just be asked if you want a certain application to run.
The application still uses Windows hooks, but this time it works a little differently. When an application that wants to start is detected, it is recorded in the Windows registry, so the callback function will not ask you again whether it should start. If you approve it, the application is recorded as allowed by default.
This means it will start every time it wants to. But if you tell the program to stop it, the application will never start until the hooks are removed.
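/*
 * Install the system-wide CBT hook (once).
 *
 * CBT (the hook handle), bHooked (the "installed" flag) and hInst (the
 * DLL instance that contains CBTProc) are defined elsewhere in this module.
 * The thread-id argument is 0, which means "all threads on the desktop".
 *
 * Fix: bHooked is only set when SetWindowsHookEx actually returned a hook
 * handle. The original flagged the hook as installed unconditionally, so a
 * failed install could never be retried and a later unhook would be
 * attempted on a NULL handle.
 */
DLL_EXPORT void BagaHooku(void)
{
    if (bHooked) {
        return;
    }
    CBT = SetWindowsHookEx(WH_CBT, (HOOKPROC)CBTProc, hInst, 0);
    if (CBT != NULL) {
        bHooked = TRUE;
    }
}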
This only installs the hook.
Now the callback function:
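/*
 * Registry locations (under HKEY_LOCAL_MACHINE) that hold the per-program
 * decisions. Each holds one REG_SZ value per program, named after the
 * executable's file name and containing its full path.
 *   PEND  - a question about this program has already been raised
 *   OK    - the user allowed the program
 *   RESTR - the user refused the program
 */
#define GAPULA_PEND  "SOFTWARE\\Gapula\\PEND"
#define GAPULA_OK    "SOFTWARE\\Gapula\\OK"
#define GAPULA_RESTR "SOFTWARE\\Gapula\\RESTR"

/*
 * Text appended to the executable path when the user is asked. (The
 * original literal was split across source lines; it is reconstructed
 * here from adjacent string literals.)
 */
#define GAPULA_QUESTION \
    " is trying to start, do you allow that?\n" \
    " Please recall that if you say yes this action will be happening " \
    "every time this program starts\n" \
    "This goes for NO as well so be careful what you wish for"

/*
 * TRUE when a value named `host` exists under HKLM\<subkey>.
 *
 * A key that cannot be opened simply counts as "no entry" (the original
 * ignored RegOpenKeyEx's result and then queried an uninitialized HKEY).
 * The data buffer capacity is passed in `size` on every call, as
 * RegQueryValueEx requires; the original left dwSize uninitialized.
 * The key handle is always closed.
 */
static BOOL gapula_has_entry(const char *subkey, const char *host)
{
    HKEY key;
    DWORD type;
    unsigned char value[1024];
    DWORD size = sizeof value;
    LONG rc;

    rc = RegOpenKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, KEY_QUERY_VALUE, &key);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }
    rc = RegQueryValueEx(key, host, NULL, &type, value, &size);
    RegCloseKey(key);
    return rc == ERROR_SUCCESS;
}

/*
 * Store `path` as REG_SZ value `host` under HKLM\<subkey>, creating the
 * key if needed. Returns FALSE if the key could not be created or the
 * value could not be written (e.g. the hooked process lacks write access
 * to HKLM). The key handle is always closed.
 */
static BOOL gapula_set_entry(const char *subkey, const char *host,
                             const char *path)
{
    HKEY key;
    DWORD disp;
    LONG rc;

    rc = RegCreateKeyEx(HKEY_LOCAL_MACHINE, subkey, 0, "",
                        REG_OPTION_NON_VOLATILE, KEY_WRITE, NULL, &key, &disp);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }
    rc = RegSetValueEx(key, host, 0, REG_SZ, (const unsigned char *)path,
                       (DWORD)(strlen(path) + 1));
    RegCloseKey(key);
    return rc == ERROR_SUCCESS;
}

/*
 * CBT hook procedure: decide whether the process owning the window in
 * wParam may run.
 *
 * Decision order (unchanged from the original):
 *   - program listed in PEND : kill if also in RESTR, otherwise let it run
 *   - program listed in OK   : let it run
 *   - program listed in RESTR: kill
 *   - otherwise              : record it in PEND, ask the user, then record
 *                              the answer in OK or RESTR and act on it
 *
 * Fixes relative to the original:
 *   - only HCBT_ACTIVATE and HCBT_CREATEWND are handled; for HCBT_SYSCOMMAND
 *     and HCBT_QS wParam is not a window handle, and the original then used
 *     an uninitialized process id
 *   - every API result that feeds a later call is checked, the process
 *     handle is closed on all paths (it leaked on every event), and the
 *     process is opened with only the rights this function needs
 *   - the question is built in a local buffer with snprintf instead of
 *     strcat'ing onto the global szModName (unbounded write; it also made
 *     the OK/RESTR entries store the question text instead of the path)
 *   - CallNextHookEx is always called, as the hook contract recommends
 *
 * Globals used: szModName (path buffer, defined elsewhere) and CBT (the
 * hook handle). The decision is keyed on the executable's file name only.
 */
LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    HANDLE hProc = NULL;
    HMODULE hMods[1024];
    DWORD cbNeeded = 0;
    DWORD dwProcessId = 0;
    DWORD dwExitCode = 0;
    char host[1024];
    char question[2048];
    const char *base;

    if (nCode != HCBT_ACTIVATE && nCode != HCBT_CREATEWND) {
        return CallNextHookEx(CBT, nCode, wParam, lParam);
    }
    /* A zero return means wParam was not a window; do not continue with a
     * garbage process id. */
    if (GetWindowThreadProcessId((HWND)wParam, &dwProcessId) == 0 ||
        dwProcessId == 0) {
        return CallNextHookEx(CBT, nCode, wParam, lParam);
    }
    /* Least privilege: query + read for the module name, terminate for
     * the refusal path. */
    hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                        PROCESS_TERMINATE, FALSE, dwProcessId);
    if (hProc == NULL) {
        return CallNextHookEx(CBT, nCode, wParam, lParam);
    }

    szModName[0] = '\0';
    if (EnumProcessModules(hProc, hMods, sizeof hMods, &cbNeeded) &&
        cbNeeded >= sizeof hMods[0]) {
        /* hMods[0] is the main executable. */
        GetModuleFileNameEx(hProc, hMods[0], szModName, sizeof szModName);
    }
    if (szModName[0] == '\0') {
        goto out;   /* no path to key the decision on */
    }
    /* The original re-used the current exit code as the termination
     * status; kept for compatibility. */
    GetExitCodeProcess(hProc, &dwExitCode);

    /* Key = file name component of the path. */
    base = strrchr(szModName, '\\');
    base = (base != NULL) ? base + 1 : szModName;
    snprintf(host, sizeof host, "%s", base);

    if (gapula_has_entry(GAPULA_PEND, host)) {
        if (gapula_has_entry(GAPULA_RESTR, host)) {
            TerminateProcess(hProc, (UINT)dwExitCode);
        }
        goto out;
    }
    if (gapula_has_entry(GAPULA_OK, host)) {
        goto out;
    }
    if (gapula_has_entry(GAPULA_RESTR, host)) {
        TerminateProcess(hProc, (UINT)dwExitCode);
        goto out;
    }

    /* First sighting. Mark it pending before asking: the MessageBox below
     * presumably raises CBT events of its own in this process, and the
     * PEND entry is what stops those from re-asking (verify against the
     * tray application, which is expected to clear PEND entries). A failed
     * write is not fatal here but the guard is then absent. */
    gapula_set_entry(GAPULA_PEND, host, szModName);
    snprintf(question, sizeof question, "%s" GAPULA_QUESTION, szModName);
    if (MessageBox(NULL, question, "Gabby",
                   MB_ICONQUESTION | MB_SYSTEMMODAL | MB_APPLMODAL |
                   MB_TASKMODAL | MB_SETFOREGROUND | MB_TOPMOST |
                   MB_YESNO) == IDNO) {
        gapula_set_entry(GAPULA_RESTR, host, szModName);
        TerminateProcess(hProc, (UINT)dwExitCode);
    } else {
        gapula_set_entry(GAPULA_OK, host, szModName);
    }

out:
    CloseHandle(hProc);
    return CallNextHookEx(CBT, nCode, wParam, lParam);
}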
The firewall is very powerful because it filters every application. The program that loads it is very simple, because all it has to do is load the DLL.