nlited

NetMon is in even better shape than I expected. I have not had a single crash over the course of about 8 hours. VS15 now displays a live memory/cpu usage chart while debugging, which is very nice. It tells me NetMon quickly ramps up to a bit less than 4MB and then stays there, and rarely uses more than 10% cpu. Nice to know.

The trust list is now working about 99%. I still see occasional single entries that should be hidden. This may be a race condition on the trust list, I should guard it with a mutex.

Using NetMon casts a lot of suspicion on my old friend svchost. It seems to be a commonly used way to obfuscate the source of outboard network traffic. I need to be able to display the command line for the process so I can check the pedigree on the requesting DLL.

I also need to work on displaying the captured streams. I am more interested in the outbound data than inbound. Inbound data can be both overwhelming and indecipherable while mostly benign. Outbound data should be much smaller and contain the evidence of privacy violations. I need to remember that I am looking for privacy leaks, not trying to build a virus/malware detector.

Very strange: I want to create a popup dialog to display detailed process information when I double-click an item in the EventList. I added a WM_COMMAND handler that parses out the LBN_DBLCLK notification, but EventList::ListCmdDblClk() was never called. I verified that the Notify property for the listbox was set to TRUE. I noticed that the resource file did not include LBS_NOTIFY in the style for the listbox, so I manually added it. Still no callback.

EventList.cpp: INT_PTR EventList::ListProc(HWND hDlg, UINT Msg, WPARAM wParm, LPARAM lParm) { BOOL IsHandled= 0; EventList *pList= (Msg==WM_INITDIALOG) ? Ptr((HEVENTLIST)lParm) : PtrWnd(hDlg); if(pList) { switch(Msg) { case WM_COMMAND: IsHandled= pList->ListCmd(LOWORD(wParm),HIWORD(wParm),(HWND)lParm); break; } } return(IsHandled); } BOOL EventList::ListCmd(UINT CtrlID,UINT Msg,HWND hCtrl) { switch(Msg) { case LBN_DBLCLK: return(ListCmdDblClk(CtrlID)); } return(0); } BOOL EventList::ListCmdDblClk(UINT CtrlID) { int nItem= (int)SendMessage(hItems,LB_GETCURSEL,0,0); return(1); }

So I manually set the bit when I create the window, and finally the callback occurred. This is very strange because according to the definition in WinUser.h, LBS_NOTIFY is normally set. ListProc is the message handler for the child dialog containing the listbox.

EventList.cpp: INT_PTR EventList::ListProc(HWND hDlg, UINT Msg, WPARAM wParm, LPARAM lParm) { BOOL IsHandled= 0; EventList *pList= (Msg==WM_INITDIALOG) ? Ptr((HEVENTLIST)lParm) : PtrWnd(hDlg); if(pList) { switch(Msg) { case WM_INITDIALOG: IsHandled= pList->ListInit(hDlg); break; case WM_COMMAND: IsHandled= pList->ListCmd(LOWORD(wParm),HIWORD(wParm),(HWND)lParm); break; //case LBN_DBLCLK: IsHandled= pList->ListCmdDblClk(LOWORD(wParm)); break; } } return(IsHandled); } BOOL EventList::ListInit(HWND hDlg) { UINT n1; //Need to copy gpOpt->Cfg because it will be changed //during the call to ColHeaderIns() struct Config_s Cfg= gpOpt->Cfg; this->hDlg= hDlg; SetWindowLongPtr(hDlg,DWLP_USER,(LONG_PTR)this); hItems= GetDlgItem(hDlg,IDC_LIST_ITEMS); DWORD Style= GetWindowLong(hItems,GWL_STYLE); SetWindowLong(hItems,GWL_STYLE,Style|LBS_NOTIFY); ... return(0); }

WinUser.h /* * Listbox Styles */ #define LBS_NOTIFY 0x0001L ... #if(WINVER >= 0x0400) #define LBS_NOSEL 0x4000L #endif /* WINVER >= 0x0400 */ #define LBS_COMBOBOX 0x8000L #define LBS_STANDARD (LBS_NOTIFY | LBS_SORT | WS_VSCROLL | WS_BORDER)