public App() : base()
{
this.ShutdownMode = ShutdownMode.OnMainWindowClose;
#if DEBUG
this.Connections.Add(AppDataSample.DemoConnection);
#endif
LogHelper.Info("Init notification window...");
notifierWindow = new NotificationWindow
{
WindowState = WindowState.Normal
};
MainWindow = notifierWindow;
activityWindow = new ActivityWindow(notifierWindow, Settings.Default.ActivityWindow_Shown);
try
{
eventLogListener = new EventLogAsyncReader <LogEntryViewModel>(EventLogAsyncReader.EVENTLOG_SECURITY, LogEntryViewModel.CreateFromEventLogEntry);
eventLogListener.FilterPredicate = EventLogAsyncReader.IsFirewallEventSimple;
eventLogListener.EntryWritten += HandleEventLogNotification;
}
catch (SecurityException se)
{
LogHelper.Error($"Notifier cannot access security event log: {se.Message}. Notifier needs to be started with admin rights and will exit now", se);
MessageBox.Show($"Notifier cannot access security event log:\n{se.Message}\nNotifier needs to be started with admin rights.\nNotifier will exit.", "Error", MessageBoxButton.OK, MessageBoxImage.Error);
Shutdown();
}
}
internal void HandleEventLogNotification(object sender, EntryWrittenEventArgs eventArgs)
{
var entry = eventArgs.Entry;
bool allowed = EventLogAsyncReader.IsFirewallEventAllowed(entry.InstanceId);
activityWindow.ShowActivity(allowed ? ActivityWindow.ActivityEnum.Allowed : ActivityWindow.ActivityEnum.Blocked);
if (allowed || !LogEntryViewModel.TryCreateFromEventLogEntry(entry, 0, out CurrentConn view))
{
return;
}
LogHelper.Info($"Handle {view.Direction}-going connection for '{view.FileName}', service: {view.ServiceName} ...");
if (!AddItem(view))
{
//This connection is blocked by a specific rule. No action necessary.
LogHelper.Info($"{view.Direction}-going connection for '{view.FileName}' is blocked by a rule - ignored.");
return;
}
//if (notifierWindow.WindowState == WindowState.Minimized)
//{
// notifierWindow.ShowActivityTrayIcon($"Notifier blocked connections - click tray icon to show"); // max 64 chars!
//}
}
public static bool TryCreateFromEventLogEntry <T>(EventLogEntry entry, int index, out T?view) where T : LogEntryViewModel, new()
{
if (entry == null)
{
view = null;
return(false);
}
try
{
//LogHelper.Debug($"Create EntryViewModel entry...");
var pid = uint.Parse(GetReplacementString(entry, 0));
var direction = GetReplacementString(entry, 2) == @"%%14593" ? "Out" : "In";
var protocol = int.Parse(GetReplacementString(entry, 7));
var path = GetReplacementString(entry, 1);
if (path == "-")
{
path = "System";
}
else
{
path = PathResolver.ResolvePath(path);
}
var fileName = System.IO.Path.GetFileName(path);
// try to get the servicename from pid (works only if service is running)
var serviceName = ServiceNameResolver.GetServicName(pid);
var le = new T()
{
Index = index,
Id = entry.Index,
Pid = pid,
CreationTime = entry.TimeGenerated,
Path = (path == "-" ? "System" : path),
FileName = fileName,
ServiceName = serviceName,
SourceIP = GetReplacementString(entry, 3),
SourcePort = GetReplacementString(entry, 4),
TargetIP = GetReplacementString(entry, 5),
TargetPort = GetReplacementString(entry, 6),
RawProtocol = protocol,
Protocol = WFP.Protocol.GetProtocolAsString(protocol),
Direction = direction,
FilterId = GetReplacementString(entry, 8),
Reason = EventLogAsyncReader.GetEventInstanceIdAsString(entry.InstanceId),
Message = entry.Message
};
le.ReasonColor = le.Reason.StartsWith("Block") ? Brushes.OrangeRed : Brushes.Blue;
le.DirectionColor = le.Direction.StartsWith("In") ? Brushes.OrangeRed : Brushes.Black;
view = le;
return(true);
}
catch (Exception ex)
{
LogHelper.Error("Cannot parse eventlog entry: eventID=" + entry.InstanceId.ToString(), ex);
}
view = null;
return(false);
}