internal void HandleEventLogNotification(EventLogEntry entry)
{
try
{
int pid = int.Parse(GetReplacementString(entry, 0));
Direction direction = GetReplacementString(entry, 2) == @"%%14593" ? Direction.Out : Direction.In;
int protocol = int.Parse(GetReplacementString(entry, 7));
string targetIp = GetReplacementString(entry, 5);
int targetPort = int.Parse(GetReplacementString(entry, 6));
string sourceIp = GetReplacementString(entry, 3);
int sourcePort = int.Parse(GetReplacementString(entry, 4));
string friendlyPath = GetReplacementString(entry, 1) == "-" ? "System" : Common.IO.Files.PathResolver.GetFriendlyPath(GetReplacementString(entry, 1));
string fileName = System.IO.Path.GetFileName(friendlyPath);
// try to get the servicename from pid (works only if service is running)
string serviceName = AsyncTaskRunner.GetServicName(pid);
LogHelper.Info($"Handle {direction.ToString().ToUpper(CultureInfo.InvariantCulture)}-going connection for '{fileName}', service: {serviceName} ...");
if (!AddItem(pid, friendlyPath, targetIp, protocol: protocol, targetPort: targetPort, localPort: sourcePort))
{
//This connection is blocked by a specific rule. No action necessary.
LogHelper.Info($"{direction}-going connection for '{fileName}' is blocked by a rule - ignored.");
return;
}
//if (notifierWindow.WindowState == WindowState.Minimized)
//{
// notifierWindow.ShowActivityTrayIcon($"Notifier blocked connections - click tray icon to show"); // max 64 chars!
//}
}
catch (Exception e)
{
LogHelper.Error("HandleEventLogNotification exception", e);
}
}
public App() : base()
{
this.ShutdownMode = ShutdownMode.OnMainWindowClose;
LOGGER.Info("Initializing exclusions...");
initExclusions();
LOGGER.Info("Init notification window...");
notifierWindow = new NotificationWindow
{
WindowState = WindowState.Normal
};
MainWindow = notifierWindow;
activityWindow = ActivityWindow.Init(notifierWindow);
if (Settings.Default.ActivityWindow_Shown)
{
activityWindow.Show();
}
asyncTaskRunner = new AsyncTaskRunner(this);
asyncTaskRunner.StartTasks();
}
public App() : base()
{
this.ShutdownMode = ShutdownMode.OnMainWindowClose;
CommonHelper.OverrideSettingsFile("WFN.config");
LogHelper.Debug("Initializing exclusions...");
initExclusions();
LogHelper.Debug("Init notification window...");
notifierWindow = new NotificationWindow
{
WindowState = WindowState.Normal
};
MainWindow = notifierWindow;
activityWindow = ActivityWindow.Init(notifierWindow);
if (Settings.Default.ActivityWindow_Shown)
{
activityWindow.Show();
}
asyncTaskRunner = new AsyncTaskRunner(this);
asyncTaskRunner.StartTasks();
}
/// <summary>
/// Add item to internal query list (asking user whether to allow this connection request), if there is no block rule available.
/// </summary>
/// <param name="pid"></param>
/// <param name="threadid"></param>
/// <param name="path"></param>
/// <param name="target"></param>
/// <param name="protocol"></param>
/// <param name="targetPort"></param>
/// <param name="localPort"></param>
/// <returns>false if item is blocked and was thus not added to internal query list</returns>
internal bool AddItem(int pid, int threadid, string path, string target, int protocol, int targetPort, int localPort)
{
try
{
string fileName = System.IO.Path.GetFileName(path);
if (path != "System")
{
path = FileHelper.GetFriendlyPath(path);
}
//FIXME: Do a proper path compare...? CASE!
var existing = this.Connections.FirstOrDefault(c => c.CurrentPath == path && c.Target == target && c.TargetPort == targetPort.ToString() && (localPort >= IPHelper.GetMaxUserPort() || c.LocalPort == localPort.ToString()) && c.Protocol == protocol);
if (existing != null)
{
LogHelper.Debug("Connection matches an already existing connection request.");
if (!existing.LocalPortArray.Contains(localPort))
{
existing.LocalPortArray.Add(localPort);
existing.LocalPortArray.Sort(); //Note: Unfortunately, C# doesn't have a simple List that automatically sorts... :(
existing.LocalPort = IPHelper.MergePorts(existing.LocalPortArray);
}
existing.TentativesCounter++;
}
else
{
string[] svc = new string[0];
string[] svcdsc = new string[0];
bool unsure = false;
string description = null;
if (path == "System")
{
description = "System";
}
else
{
try
{
if (File.Exists(path))
{
description = FileVersionInfo.GetVersionInfo(path).FileDescription;
if (String.IsNullOrWhiteSpace(description))
{
description = path.Substring(path.LastIndexOf('\\') + 1);
}
}
else
{
// TODO: this happens when accessing system32 files from a x86 application i.e. File.Exists always returns false; solution would be to target AnyCPU
description = path;
}
}
catch (Exception exc)
{
LogHelper.Error("Unable to check the file description.", exc);
description = path + " (not found)";
}
if (Settings.Default.EnableServiceDetection)
{
ProcessHelper.ServiceInfoResult svcInfo = AsyncTaskRunner.GetServiceInfo(pid, fileName);
if (svcInfo != null)
{
svc = new string[] { svcInfo.Name };
svcdsc = new string[] { svcInfo.DisplayName };
unsure = false;
}
}
}
// Check whether this connection has been excluded - exclusion means ignore i.e do not notify
if (exclusions != null)
{
// WARNING: check for regressions
LogHelper.Debug("Checking exclusions...");
var exclusion = exclusions.FirstOrDefault(e => e.StartsWith(/*svc ??*/ path, StringComparison.InvariantCulture) || svc != null && svc.All(s => e.StartsWith(s, StringComparison.InvariantCulture)));
if (exclusion != null)
{
string[] esplit = exclusion.Split(';');
if (esplit.Length == 1 ||
(String.IsNullOrEmpty(esplit[1]) || esplit[1] == localPort.ToString()) &&
(String.IsNullOrEmpty(esplit[2]) || esplit[2] == target) &&
(String.IsNullOrEmpty(esplit[3]) || esplit[3] == targetPort.ToString())
)
{
LogHelper.Info($"Connection is excluded: {exclusion}");
return(false);
}
}
}
// Check whether this connection is blocked by a rule.
var blockingRules = FirewallHelper.GetMatchingRules(path, ProcessHelper.getAppPkgId(pid), protocol, target, targetPort.ToString(), localPort.ToString(), unsure ? svc : svc.Take(1), ProcessHelper.getLocalUserOwner(pid), blockOnly: true, outgoingOnly: true);
if (blockingRules.Any())
{
LogHelper.Info("Connection matches a block-rule!");
StringBuilder sb = new StringBuilder();
sb.Append("Blocked by: ");
foreach (FirewallHelper.Rule s in blockingRules)
{
sb.Append(s.Name + ": " + s.ApplicationName + ", " + s.Description + ", " + s.ActionStr + ", " + s.ServiceName + ", " + s.Enabled);
}
LogHelper.Debug("pid: " + Process.GetCurrentProcess().Id + " GetMatchingRules: " + path + ", " + protocol + ", " + target + ", " + targetPort + ", " + localPort + ", " + String.Join(",", svc));
return(false);
}
FileVersionInfo fileinfo = null;
try
{
fileinfo = FileVersionInfo.GetVersionInfo(path);
}
catch (FileNotFoundException)
{ }
var conn = new CurrentConn
{
Description = description,
CurrentAppPkgId = ProcessHelper.getAppPkgId(pid),
CurrentLocalUserOwner = ProcessHelper.getLocalUserOwner(pid),
ProductName = fileinfo != null ? fileinfo.ProductName : String.Empty,
Company = fileinfo != null ? fileinfo.CompanyName : String.Empty,
CurrentPath = path,
Protocol = protocol,
TargetPort = targetPort.ToString(),
RuleName = String.Format(Common.Properties.Resources.RULE_NAME_FORMAT, unsure || String.IsNullOrEmpty(svcdsc.FirstOrDefault()) ? description : svcdsc.FirstOrDefault()),
Target = target,
LocalPort = localPort.ToString()
};
conn.LocalPortArray.Add(localPort);
if (unsure)
{
//LogHelper.Debug("Adding services (unsure): " + String.Join(",", svc));
conn.PossibleServices = svc;
conn.PossibleServicesDesc = svcdsc;
}
else
{
//LogHelper.Debug("Adding services: " + svc.FirstOrDefault());
conn.CurrentService = svc.FirstOrDefault();
conn.CurrentServiceDesc = svcdsc.FirstOrDefault();
}
ResolveHostForConnection(conn);
this.Connections.Add(conn);
return(true);
}
}
catch (Exception e)
{
LogHelper.Error("Unable to add the connection to the pool.", e);
}
return(false);
}
