#1 - Jun 12th, 2007, 12:59 AM
Wizard1988
ApplicationScanner

I recently started working in the IT Department at my high school, and one of the problems we face is users running applications which they are not supposed to. Some of the applications are blocked using GPO, which checks the hash of the executable running. The problem with this is that each version of the blocked application will have a different hash. I put together an application which gets all the active windows and closes them based on the title bar information. I have attempted writing this in C++ but I faced many problems. C# allowed me to write this in much less time. However, it is a managed application and it does take up much more memory. I am looking for constructive criticism, ways to improve and stuff, or if anyone needs a good project they can rewrite this in C++.

Code (C#; reference System.Windows.Forms.dll for the MessageBox calls):

```csharp
//ApplicationScanner
//Author: Greg Jarzab
using System;
using System.IO;
using System.Text;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using System.Threading;

namespace ApplicationScanner
{
    // Callback signature for EnumWindows. lParam is pointer-sized so the
    // declaration is correct on both 32-bit and 64-bit builds.
    public delegate bool CallBack(IntPtr hWnd, IntPtr lParam);

    class WindowManager
    {
        static string WindowTitle;
        List<string> BlackListedApps = new List<string>();
        // Set from the SystemEvents thread, read by the scan loop.
        volatile bool done = false;

        public WindowManager()
        {
            SystemEvents.SessionEnding += new SessionEndingEventHandler(LoggingOff);
        }

        // Scan every five seconds until the session ends.
        public void GetWindows()
        {
            while (!done)
            {
                NativeWIN32.EnumWindows(new CallBack(EnummerateWindows), IntPtr.Zero);
                Thread.Sleep(5000);
            }
        }

        private void Warn(string title)
        {
            //This is for testing purposes.
            System.Windows.Forms.MessageBox.Show(title + " detected!", "Blocked application has been detected!");
        }

        // Case-insensitive substring match of the title against every blocklist entry.
        private bool CheckViolations(string current)
        {
            foreach (string ae in BlackListedApps)
            {
                if (current.ToUpper().Contains(ae.ToUpper()))
                {
                    Warn(current);
                    return true;
                }
            }
            return false;
        }

        private bool EnummerateWindows(IntPtr hWnd, IntPtr lParam)
        {
            if (NativeWIN32.IsWindowVisible(hWnd))
            {
                int length = NativeWIN32.GetWindowTextLength(hWnd);
                StringBuilder wt = new StringBuilder(length + 1);
                int result = NativeWIN32.GetWindowText(hWnd, wt, wt.Capacity);
                WindowTitle = wt.ToString();
                if (result > 0)
                {
                    //System.Windows.Forms.MessageBox.Show("Window Title: " + WindowTitle);
                    if (CheckViolations(WindowTitle))
                    {
                        // Ask the window to close as if its close button had been clicked.
                        NativeWIN32.SendMessage(hWnd, NativeWIN32.WM_SYSCOMMAND, (IntPtr)NativeWIN32.SC_CLOSE, IntPtr.Zero);
                    }
                }
            }
            return true; // keep enumerating
        }

        public bool LoadBlackList(string path)
        {
            BlackListedApps = new List<string>();
            if (!File.Exists(path))
            {
                return false;
            }
            using (StreamReader file = new StreamReader(path))
            {
                string line;
                while ((line = file.ReadLine()) != null)
                {
                    // A blank line would match every title (Contains("") is always true)
                    // and close every visible window, so skip empty entries.
                    if (line.Trim().Length > 0)
                    {
                        BlackListedApps.Add(line.Trim());
                    }
                }
            }
            return true;
        }

        private void LoggingOff(object sender, SessionEndingEventArgs e)
        {
            done = true;
            System.Windows.Forms.MessageBox.Show("Logging off");
        }
    }

    class NativeWIN32
    {
        public const uint WM_SYSCOMMAND = 0x0112;
        public const int SC_CLOSE = 0xF060;

        [DllImport("user32.dll")]
        public static extern bool EnumWindows(CallBack cb, IntPtr lParam);
        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        public static extern int GetWindowText(IntPtr hWnd, StringBuilder s, int MaxCount);
        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        public static extern int GetWindowTextLength(IntPtr hWnd);
        [DllImport("user32.dll")]
        public static extern IntPtr SendMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
        [DllImport("user32.dll")]
        public static extern bool IsWindowVisible(IntPtr hWnd);
        [DllImport("user32.dll")]
        public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
        [DllImport("kernel32.dll")]
        public static extern IntPtr GetConsoleWindow();
    }
}
```

Code (C#):

```csharp
using System;
using System.Text;
using System.Threading;
using ApplicationScanner;

public class Monitor
{
    public static void Main()
    {
        WindowManager wm = new WindowManager();
        // Stop rather than scan with an empty list if the blocklist is missing.
        if (!wm.LoadBlackList(@"C:\Blocked.txt"))
        {
            return;
        }

        // Hide the console window (SW_HIDE = 0) and start scanning.
        IntPtr handle = NativeWIN32.GetConsoleWindow();
        NativeWIN32.ShowWindow(handle, 0);
        wm.GetWindows();
    }
}
```

I hope you guys like it.
__________________
JG-Webdesign

#2 - Jun 12th, 2007, 4:25 AM
kruptof
Title bar information? Do you mean just what it says on the title bar?
If so, that's rather weak; someone can just write a little app that has the same title bar information as the evil app and your app will close it.

I think you should check the files the user has stored in their personal space at certain intervals and look for the evil applications and if found remove them and leave the user a little text file warning them.
__________________
Quote:
When I was young it seemed that life was so wonderful,a miracle, oh it was beautiful, magical.
Now watch what you say or they'll be calling you a radical,a liberal, oh fanatical, criminal. Oh won't you sign up your name,we'd like to feel you're acceptable, respectable, oh presentable, a vegetable
#3 - Jun 12th, 2007, 6:11 AM
Dameon
You're reinventing the wheel.

Except...your wheel is square.

It looks like your current group policy settings are already pointed in the right direction. Using hashes is only one option, however.

Disallow execution by default.
If it's in a trusted directory, allow it (They can't write to "C:\Program Files" or such, of course...you do have proper directory permissions, right?)
If it's signed by a trusted publisher, allow it (different than hashes, less annoying).
__________________
MD5(sig) = bcef75433db02e9ad9bf81d6f7c5c270
#4 - Jun 12th, 2007, 6:23 AM
Wizard1988
Quote (Originally Posted by kruptof):
If so, that's rather weak; someone can just write a little app that has the same title bar information as the evil app and your app will close it.

You make a good point; however, it is a high school which does not offer any programming class anymore. I would be surprised if anyone was capable of doing that.

Quote (Originally Posted by Dameon):
Disallow execution by default.
If it's in a trusted directory, allow it (They can't write to "C:\Program Files" or such, of course...you do have proper directory permissions, right?)
If it's signed by a trusted publisher, allow it (different than hashes, less annoying).

Will check with the boss. Thanks for pointing that out.
__________________
JG-Webdesign
#5 - Jun 13th, 2007, 9:38 AM
Dameon
Quote (Originally Posted by Wizard1988):
You make a good point; however, it is a high school which does not offer any programming class anymore. I would be surprised if anyone was capable of doing that.

That's not security.

Anyway, I thought I'd add, for the sake of home users with particularly boneheaded siblings, children, etc., that you do not need a full-fledged domain controller to implement these restrictions. Just run secpol.msc from an admin account to tweak your local security settings. These restrictions can't be applied to a specific user group this way (to my knowledge), but as long as local administrators are exempt, it's a workable feature.
__________________
MD5(sig) = bcef75433db02e9ad9bf81d6f7c5c270
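A read-only check of the settings Dameon's posts #3 and #5 describe (disallow by default, path rules for trusted directories, and the local-administrator exemption set from secpol.msc), added here as an example that is not from the thread. It assumes the policy is stored in the standard machine-scope Software Restriction Policy registry key and reports what it finds without changing anything; certificate (publisher) rules are kept elsewhere and are not listed.

```powershell
# Audit of the local Software Restriction Policy (SRP) configuration.
# Assumption: the policy lives under this machine-scope key (the standard
# SRP location); nothing is written, only read and reported.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as level subkey names.
$levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $srp)) {
    Write-Output 'No SRP configured: there is no default-deny, everything may run.'
    return
}

$cfg = Get-ItemProperty -Path $srp
# A missing DefaultLevel means the built-in default, Unrestricted.
$default = if ($null -eq $cfg.DefaultLevel) { 262144 } else { [int]$cfg.DefaultLevel }
Write-Output ("Default level : {0} ({1})" -f $default, $levels[$default])
if ($default -ne 0) {
    Write-Output '  WARNING: default is not Disallowed, so only explicit rules block anything.'
}
# PolicyScope 1 = "all users except local administrators" (post #5).
Write-Output ("Admins exempt : {0}" -f ($cfg.PolicyScope -eq 1))
# TransparentEnabled 2 = libraries (DLLs) are checked too; 1 = executables only.
Write-Output ("DLLs checked  : {0}" -f ($cfg.TransparentEnabled -eq 2))

# List the path and hash rules defined under each security level.
foreach ($lvl in $levels.Keys) {
    foreach ($kind in 'Paths', 'Hashes') {
        $rules = Join-Path $srp "$lvl\$kind"
        if (-not (Test-Path $rules)) { continue }
        Get-ChildItem $rules | ForEach-Object {
            $r = Get-ItemProperty $_.PSPath
            # Path rules store the path in ItemData; hash rules store a
            # binary hash, so show their FriendlyName instead.
            $what = if ($kind -eq 'Paths') { $r.ItemData } else { $r.FriendlyName }
            Write-Output ("  [{0,-12}] {1,-6} {2}" -f $levels[$lvl], $kind, $what)
        }
    }
}
```

A healthy "disallow by default" setup shows Default level 0 (Disallowed) with Unrestricted path rules only for directories standard users cannot write to.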
#6 - Jun 14th, 2007, 8:04 PM
Wizard1988
Thanks for the tip.
__________________
JG-Webdesign
#7 - Jul 15th, 2007, 4:36 PM
bigguy
I made a program like this about a year ago. I closed windows by window class, and window name, or title, I can't remember. I think it was title, but it worked well. It's also safer, because there are tools that can allow you to change the window's title bar, but not the window class that I know of.
__________________
Forgiveness is the fragrance that the violet sheds on the heel that has crushed it. - Mark Twain

We all make mistakes. If it doesn't kill us, it will make us stronger. If it does kill us, then it's too late, but it was a great ride while it lasted. - Seth Hall
#8 - Jul 15th, 2007, 8:13 PM
john Wesley
The window classes are internal and can be assigned dynamically depending on environment settings, among other things, so either way, caption or class, the process is fundamentally flawed. As Dameon states, group policies are there for this reason.
__________________
Mona Lisa must have had the highway blues, you can tell by the way she smiles..
DaniWeb IT Discussion Community