Programming Forums - ApplicationScanner

Programming Forums (http://www.programmingforums.org/forumindex.php)

- Existing Project Development (http://www.programmingforums.org/forum51.html)

- - ApplicationScanner (http://www.programmingforums.org/showthread.php?t=13333)

ApplicationScanner

I currently started working in the ITDepartment at my high school and one of the problems we face is users running applications which they are not supposed to. Some of the applications are blocked using GPO which checks the hash of the executable running. The problem with this is that each version of the blocked application will have a different hash. I put together an application which gets all the active windows and closes them based on the titlebar information. I have attempted writing this in C++ but I faced many problems. C# allowed me to write this in much less time. However it is a managed application and it does take up much more memory. I am looking for constructive criticism, ways to improve and stuff, or if anyone needs a good project they can rewrite this in C++:)

//ApplicationScanner
//Author: Greg Jarzab
using System;
using System.IO;
using System.Text;
using System.Collections;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using System.Threading;
 
namespace ApplicationScanner
{
    public delegate bool CallBack(IntPtr hWnd, int lParam);
 
    class WindowManager
    {
        static string WindowTitle;
        ArrayList BlackListedApps;
        bool done = false;
 
        public WindowManager()
        {
            SystemEvents.SessionEnding += new SessionEndingEventHandler(LoggingOff);
        }
 
        public void GetWindows()
        {
            while (!done)
            {
                NativeWIN32.EnumWindows(new CallBack(EnummerateWindows), 0);
                Thread.Sleep(5000);
            }
        }
 
        private void Warn(string title)
        {
            //This is for testing purposes.
            System.Windows.Forms.MessageBox.Show(title + " detected!", "Blocked application has been detected!");
        }
 
        private bool CheckViolations(string current)
        {
            foreach (string ae in BlackListedApps)
            {
                if (current.ToUpper().Contains(ae.ToUpper()))
                {
                    Warn(current);
                    return true;
                }
            }
            return false;
        }
 
        private bool EnummerateWindows(IntPtr hWnd, int lParam)
        {
            if (NativeWIN32.IsWindowVisible(hWnd))
            {
                int length = NativeWIN32.GetWindowTextLength(hWnd);
                StringBuilder wt = new StringBuilder(length + 1);
                int result = NativeWIN32.GetWindowText(hWnd, wt, wt.Capacity);
                WindowTitle = wt.ToString();
                if (result > 0)
                {
                    //System.Windows.Forms.MessageBox.Show("Window Title: " + WindowTitle.ToString());
                    if (CheckViolations(WindowTitle.ToString()))
                    {
                        NativeWIN32.SendMessage(hWnd, NativeWIN32.WM_SYSCOMMAND, NativeWIN32.SC_CLOSE, 0);
                    }
                }
            }
            return true;
        }
 
        public bool LoadBlackList(string path)
        {
            BlackListedApps = new ArrayList();
            StreamReader file = new StreamReader(path);
            string line;
 
            while ((line = file.ReadLine()) != null)
            {
                BlackListedApps.Add(line);
            }
                        file.Close();
            return true;
        }
 
        private void LoggingOff(object sender, SessionEndingEventArgs e)
        {
            done = true;
            System.Windows.Forms.MessageBox.Show("Logging off");
        }
    }
 
    class NativeWIN32
    {
        public const int WM_SYSCOMMAND = 0x0112;
        public const int SC_CLOSE = 0xF060;
 
        [DllImport("user32.dll")]
        public static extern int EnumWindows(CallBack cb, int lParam);
        [DllImport("user32.dll")]
        public static extern int GetWindowText(IntPtr hWnd, StringBuilder s, int MaxCount);
        [DllImport("user32.dll")]
        public static extern int GetWindowTextLength(IntPtr hWnd);
        [DllImport("user32.dll")]
        public static extern int SendMessage(IntPtr hWnd, uint Msg, int wParam, int lParam);
        [DllImport("user32.dll")]
        public static extern bool IsWindowVisible(IntPtr hWnd);
        [DllImport("user32.dll")]
        public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
        [DllImport("kernel32.dll")]
        public static extern IntPtr GetConsoleWindow();
    }
}

using System;
using System.Text;
using System.Threading;
using ApplicationScanner;
 
public class Monitor
{
    public static void Main()
    {
        WindowManager wm = new WindowManager();
        wm.LoadBlackList(@"C:\Blocked.txt");
 
        IntPtr handle = NativeWIN32.GetConsoleWindow();
        NativeWIN32.ShowWindow(handle, 0);
        wm.GetWindows();
    }
}

I hope you guys like it ;)

Titlebar information? do you mean just what it says on the title bar?
If so, that's rather weak, some one can just write a little app that has the sameTitlebar information as the evil app and your app will close it.

I think you should check the files the user has stored in their personal space at certain intervals and look for the evil applications and if found remove them and leave the user a little text file warning them.

You're reinventing the wheel

Except...your wheel is square.

It looks like your current group policy settings are already pointed in the right direction. Using hashes are only one option, however.

Disallow execution by default.
If it's in a trusted directory, allow it (They can't write to "C:\Program Files" or such, of course...you do have proper directory permissions, right?)
If it's signed by a trusted publisher, allow it (different than hashes, less annoying).

Quote:

Originally Posted by kruptof (Post 129097)

If so, that's rather weak, some one can just write a little app that has the sameTitlebar information as the evil app and your app will close it.

You make a good point however, it is a high school which does not offer any programming class anymore.:mad: I would be surprised if anyone was capable of doing that.

Quote:

Originally Posted by Dameon (Post 129099)

Disallow execution by default.
If it's in a trusted directory, allow it (They can't write to "C:\Program Files" or such, of course...you do have proper directory permissions, right?)
If it's signed by a trusted publisher, allow it (different than hashes, less annoying).

Will check with the boss. Thanks for pointing that out.:o

Quote:

Originally Posted by Wizard1988 (Post 129100)

You make a good point however, it is a high school which does not offer any programming class anymore.:mad: I would be surprised if anyone was capable of doing that.

That's not security.

Anyway, I thought I'd add for the sake of home users with particularly boneheaded siblings, children, etc. that you do not need a full-fledged domain controller to implement these restrictions. Just run secpol.msc from an admin account to tweak your local security settings. These restrictions can't be applied to a specific user group this way (to my knowledge), but as long as local administrators are exempt, its a workable feature.

Thanks for the tip :)

I made a program like this bout a year ago. I closed windows by windowclass, and windowname, or title I cant remember. I think it was title, but it worked good. It's also safer, because there are tolld that can allow you to change the windows titlebar, but not the window class that I know of.

The window classes are internal and can be assigned dynamically depending on environment settings among other things, so either way, caption or class, the process if fundementally flawed - as Dameon states, group policies are there for this reason.