filterdefault.c

一文件过滤与加密,系统监视以及控制的东东,自己看

/******************************************************************/
/*                                                                */
/*  Winpooch : Windows Watchdog                                   */
/*  Copyright (C) 2004-2007  Benoit Blanchon                      */
/*                                                                */
/*  This program is free software; you can redistribute it        */
/*  and/or modify it under the terms of the GNU General Public    */
/*  License as published by the Free Software Foundation; either  */
/*  version 2 of the License, or (at your option) any later       */
/*  version.                                                      */
/*                                                                */
/*  This program is distributed in the hope that it will be       */
/*  useful, but WITHOUT ANY WARRANTY; without even the implied    */
/*  warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR       */
/*  PURPOSE.  See the GNU General Public License for more         */
/*  details.                                                      */
/*                                                                */
/*  You should have received a copy of the GNU General Public     */
/*  License along with this program; if not, write to the Free    */
/*  Software Foundation, Inc.,                                    */
/*  675 Mass Ave, Cambridge, MA 02139, USA.                       */
/*                                                                */
/******************************************************************/


/******************************************************************/
/* Build configuration                                            */
/******************************************************************/

#define TRACE_LEVEL	2	// warning level


/******************************************************************/
/* Includes                                                       */
/******************************************************************/

// module's interface
#include "FilterDefault.h"

// standard headers
#include <windows.h>
#include <shlobj.h>
#include <tchar.h>

// project's headers
#include "Assert.h"
#include "Trace.h"
#include "Wildcards.h"


/******************************************************************/
/* Internal macros                                                */
/******************************************************************/

#define arraysize(a) (sizeof(a)/sizeof((a)[0]))


/******************************************************************/
/* Exported function :                                            */
/******************************************************************/

BOOL FilterSet_InitDefaultFilter (HFILTERSET hFilterSet)
{
  HFILTER	hCurFilter ;
  TCHAR		szDir[MAX_PATH] ;
  TCHAR		szBuffer[MAX_PATH] ;

  TRACE ; 

  ASSERT (hFilterSet!=NULL) ;
  
  hCurFilter = FilterSet_GetDefaultFilter (hFilterSet) ;
  Filter_Clear (hCurFilter) ;

  // scan files on read
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, RULE_SCAN,
		     FILTREASON_FILE_READ, TEXT("*")) ; 

  // create a process
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_LOG, 0,
		     FILTREASON_SYS_EXECUTE, TEXT("*")) ;

  // kill a process
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK,
		     FILTREASON_SYS_KILLPROCESS, TEXT("*")) ;

  // listen local interface
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_LISTEN, TEXT("s**"), TEXT("127.0.0.1")) ; 

  // listen all interface
  Filter_AddNewRule (hCurFilter,
		     RULE_ACCEPT, RULE_ALERT, 0,
  		     FILTREASON_NET_LISTEN, TEXT("***")) ;

  // connect to local interface
  Filter_AddNewRule (hCurFilter,
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("s**"), TEXT("127.0.0.1")) ;

  // connect to HTTPS
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0, 
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 443, 6) ;

  // connect to news
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 119, 6) ;

  // connect to POP
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 110, 6) ;

  // connect to HTTP
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 80, 6) ;

  // connect to SMTP 
  Filter_AddNewRule (hCurFilter,
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 25, 6) ;

  // connect to FTP 
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_SILENT, 0,
  		     FILTREASON_NET_CONNECT, TEXT("*nn"), 21, 6) ;

  // connect to any port
  Filter_AddNewRule (hCurFilter, 
		     RULE_ACCEPT, RULE_LOG, 0, 
  		     FILTREASON_NET_CONNECT, TEXT("***")) ;

  // UDP send to any addresses
  Filter_AddNewRule (hCurFilter,
		     RULE_ACCEPT, RULE_ALERT, 0,
  		     FILTREASON_NET_SEND, TEXT("**n"), 11) ;

  // Startup dirs

  if( SHGetSpecialFolderPath (NULL, szDir, CSIDL_COMMON_STARTUP, FALSE) ) {
    wsprintf (szBuffer, TEXT("%s\\*"), szDir) ;
    Filter_AddNewRule (hCurFilter, 
		       RULE_REJECT, RULE_LOG, RULE_ASK, 
		       FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;
  }

  if( SHGetSpecialFolderPath (NULL, szDir, CSIDL_COMMON_ALTSTARTUP, FALSE) ) {
    wsprintf (szBuffer, TEXT("%s\\*"), szDir) ;
    Filter_AddNewRule (hCurFilter, 
		       RULE_REJECT, RULE_LOG, RULE_ASK,
		       FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;
  }

  if( SHGetSpecialFolderPath (NULL, szDir, CSIDL_STARTUP, FALSE) ) {
    wsprintf (szBuffer, TEXT("%s\\*"), szDir) ;
    Filter_AddNewRule (hCurFilter,
		       RULE_REJECT, RULE_LOG, RULE_ASK, 
		       FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;  
  }

  if( SHGetSpecialFolderPath (NULL, szDir, CSIDL_ALTSTARTUP, FALSE) ) {
    wsprintf (szBuffer, TEXT("%s\\*"), szDir) ;
    Filter_AddNewRule (hCurFilter, 
		       RULE_REJECT, RULE_LOG, RULE_ASK, 
		       FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;  
  }

  // Windows directory
  SHGetSpecialFolderPath (NULL, szDir, CSIDL_WINDOWS, FALSE) ;

  wsprintf (szBuffer, TEXT("%s\\*.dll"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\*.exe"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\*.bat"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK,
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\*.ocx"), szDir) ;
  Filter_AddNewRule (hCurFilter, RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\*.pif"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\*.scr"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\system.ini"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("s"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\win.ini"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("s"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\wininit.ini"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK,
		     FILTREASON_FILE_WRITE, TEXT("s"), szBuffer) ;

  wsprintf (szBuffer, TEXT("%s\\Tasks\\*"), szDir) ;
  Filter_AddNewRule (hCurFilter, 
		     RULE_REJECT, RULE_LOG, RULE_ASK, 
		     FILTREASON_FILE_WRITE, TEXT("p"), szBuffer) ;

  // System32 directory
  SHGetSpecialFolderPath (NULL, szDir, CSIDL_SYSTEM, FALSE) ;