Revival


2015-10-20 17:23:55 chip Page 1421 📢 PUBLIC

Oct 20 2015

I am a bit burnt out on the ImOk project. It is functionally complete (more or less) but I am stuck at the point where it works but looks ugly. As a (hopefully brief) diversion, I am reviving my NetMon project that has lain fallow for over two years. Tempus fugit, I guess.

I have upgraded to Visual Studio 2015 since last working on NetMon. VS2015 complains that "/ZI and /Ox command-line options are incompatible" so I need to change
Project Properties... > Configuration Properties > C/C++ > General > Debug Information Format
from /ZI (Edit and Continue) to /Zi (Program Database) for all projects, all configurations, all platforms.

OsUser failed:
    2>Log.obj : error LNK2019: unresolved external symbol "void __cdecl operator delete(void *,unsigned __int64)" (??3@YAXPEAX_K@Z) referenced in function "public: static int __cdecl Log::Create(struct Handle_s * *,unsigned int)" (?Create@Log@@SAHPEAPEAUHandle_s@@I@Z)
    2>TmpBuf.obj : error LNK2001: unresolved external symbol "void __cdecl operator delete(void *,unsigned __int64)" (??3@YAXPEAX_K@Z)
    2>S:\Src\HQ\Dev\SB\Chip\win8\NetMon\Out/Winx64Debug/NetMon.sys : fatal error LNK1120: 1 unresolved externals
I had created my own new() and delete() operators so I could route all memory allocations through my own MemAlloc() function and better debug memory leaks and buffer overwrites. Apparently, Microsoft (finally) added a block size argument to delete() in VS15. This is a simple fix:

New.cpp:

    // Route every C++ allocation through MemAlloc()/MemFree() so leaks and
    // buffer overwrites can be tracked in one place.
    void * __cdecl operator new(size_t MemSz)
    {
        void *pMem= MemAlloc("new",(UINT)MemSz);
        return(pMem);
    }

    void __cdecl operator delete(void *pMem)
    {
        MemFree(pMem);
    }

    // Sized deallocation (C++14, first emitted by VS2015). The parameter is
    // size_t so the overload matches on both Win32 and x64 builds; the size
    // is not needed here because MemFree() keeps its own record of it.
    void __cdecl operator delete(void *pMem, size_t MemSz)
    {
        (void)MemSz;
        MemFree(pMem);
    }
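The point of owning new/delete is what MemAlloc()/MemFree() can do with the extra context. The following is an added example, not NetMon's own code: a user-mode stand-in for the driver's MemAlloc()/MemFree() pair with the global operators routed through it, a header and a trailing canary to catch overwrites, live-block counters to catch leaks, and a second MemFree() argument that uses the size VS2015's new operator delete passes in as a consistency check. The header layout, the counter names and the extra MemFree() parameter are assumptions made for this example.

```cpp
// Added example, not NetMon's code: debug allocator behind global new/delete.
// Header/canary layout, counters and the second MemFree() argument are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>

namespace {

const uint32_t kMagic = 0xA110CA7E;                                           // marks a block we own
const uint8_t  kCanary[8] = {0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED, 0xFA, 0xCE}; // guard after the payload

// Header in front of every block; alignas keeps the payload suitably aligned.
struct alignas(std::max_align_t) BlockHdr {
    uint32_t    magic;
    uint32_t    reserved;
    std::size_t size;   // payload size the caller asked for
    const char* tag;    // who allocated it: "new", "new[]", ...
};

// Plain zero-initialised counters: valid even for allocations made by static
// initialisers that run before main().
std::size_t g_live_blocks;
std::size_t g_live_bytes;
std::size_t g_overwrites;
std::size_t g_bad_frees;
std::size_t g_size_mismatches;

} // namespace

void* MemAlloc(const char* tag, std::size_t sz) {
    void* raw = std::malloc(sizeof(BlockHdr) + sz + sizeof(kCanary));
    if (!raw) return nullptr;
    BlockHdr* h = static_cast<BlockHdr*>(raw);
    h->magic = kMagic; h->reserved = 0; h->size = sz; h->tag = tag;
    uint8_t* payload = reinterpret_cast<uint8_t*>(h + 1);
    std::memcpy(payload + sz, kCanary, sizeof(kCanary));      // plant the guard bytes
    ++g_live_blocks; g_live_bytes += sz;
    return payload;
}

// expected == 0 means "size not known" (unsized delete, or delete[]).
void MemFree(void* p, std::size_t expected) {
    if (!p) return;
    BlockHdr* h = static_cast<BlockHdr*>(p) - 1;
    if (h->magic != kMagic) { ++g_bad_frees; return; }        // not ours: refuse to free it
    const uint8_t* payload = static_cast<const uint8_t*>(p);
    if (std::memcmp(payload + h->size, kCanary, sizeof(kCanary)) != 0) ++g_overwrites;
    if (expected != 0 && expected != h->size) ++g_size_mismatches; // what the size argument buys
    --g_live_blocks; g_live_bytes -= h->size;
    h->magic = 0;                                             // mark it dead before handing it back
    std::free(h);
}

// Global replacements. Array forms are defined too so nothing bypasses MemAlloc().
void* operator new(std::size_t sz)   { void* p = MemAlloc("new", sz);   if (!p) throw std::bad_alloc(); return p; }
void* operator new[](std::size_t sz) { void* p = MemAlloc("new[]", sz); if (!p) throw std::bad_alloc(); return p; }
void operator delete(void* p) noexcept                    { MemFree(p, 0); }
void operator delete(void* p, std::size_t sz) noexcept    { MemFree(p, sz); } // the VS2015 overload
void operator delete[](void* p) noexcept                  { MemFree(p, 0); }
void operator delete[](void* p, std::size_t) noexcept     { MemFree(p, 0); } // array size may include a cookie

// Returns true if a block that is allocated and then freed is counted correctly.
bool LeakCountingWorks() {
    std::size_t before = g_live_blocks;
    int* p = new int(42);                    // goes through MemAlloc("new", 4)
    bool seen = (g_live_blocks == before + 1);
    delete p;                                // sized delete where enabled: expected 4 == recorded 4
    return seen && g_live_blocks == before;
}

// Returns true if a one-byte overrun is reported when the block is freed.
bool OverrunIsCaught() {
    std::size_t before = g_overwrites;
    char* buf = static_cast<char*>(MemAlloc("demo", 8));
    buf[8] = 'X';                            // deliberate write one past the end, into the canary
    MemFree(buf, 0);
    return g_overwrites == before + 1;
}

// Returns true if freeing with the wrong size is reported.
bool SizeMismatchIsCaught() {
    std::size_t before = g_size_mismatches;
    MemFree(MemAlloc("demo", 16), 8);
    return g_size_mismatches == before + 1;
}

std::size_t LiveBlocks()     { return g_live_blocks; }
std::size_t SizeMismatches() { return g_size_mismatches; }
```

Whether `delete p` reaches the sized overload depends on the compiler: MSVC 2015 and g++ in C++14 mode emit it by default, clang only with -fsized-deallocation. Either way the unsized path still checks the magic and the canary, so the size check is a bonus rather than the only line of defence.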

    4>Build succeeded.
    4>
    4>Time Elapsed 00:00:14.03
    ========== Rebuild All: 5 succeeded, 0 failed, 0 skipped ==========

Now I need to deploy and test the build. I used Win7 as my target system before, but I am reluctant to dive into that for two reasons: I have never run Win7 on Pogo (Surface Pro 3) so it could turn into a rabbit hole, and Win7 is no longer the dominant OS; it has been superseded by Win8 and Win10 is on the horizon. The quickest and easiest test is to run NetMon directly on VS12 (Win8.1). I backed up VS12 a few days ago, so this should be low-risk...

NetMon is not currently installed on VS12, so I need to restart VS15 as Admin. VS15 under Admin is a whole new environment that requires a bit of customization.

And NetMon is running once again!

NetMon VS15

=====

It only takes a minute or so for NetMon's biggest problem to emerge: TMI/TLI -- Too Much Information and Too Little Information. There is too much information about the real-time connections, making it difficult to concentrate on the suspicious connections. Then there is too little information about the connections that stand out: Why is svchost connecting to Bogotá, Colombia every five minutes?

I need to be able to hide trusted connections, only displaying unknown or untrusted connections. Then I need to be able to quickly and easily capture and display the outbound packet data for a specific connection.

The index is a session-unique ID for a connection. I can use that as the ID for commands. The current command parser expects me to provide a complete ip/subnet specification. This needs to change to the index ID and let the computer extract the ip/subnet. The command to hide a server should be:
    trust 11
The command to capture all future data packets for a connection:
    capture 11
It is quickest to implement these as text commands, deferring the work of creating a GUI until I am sure the feature is functional. The trust list needs to persist between sessions so it can grow.

15:24> I added the "trust" command and I am now debugging...

15:33> The trust command is now working, marking a server as trusted by connection index. I immediately wanted to be able to do the same thing for the process name, so the trust command is already expanding:
    TRUST index [by {addr|process}]

Before working on this, I need to save the trust list to disk to avoid rebuilding it every time.

I implemented two commands, "trustproc" and "trustaddr".
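Resolving a command by session index rather than by ip/subnet, trusting by address or by process, hiding covered connections, switching on capture for one connection, and persisting the trust list are all small pieces that fit in one place. The following is an added example and not NetMon's code: a self-contained user-mode model of that command path. The type and function names (Conn, TrustList, Monitor, Command(), Visible(), Outbound()), the on-disk line format for the trust list, and the sample connections are assumptions made for this example; the addresses are documentation ranges, not real observations.

```cpp
// Added example, not NetMon's code. Names, trust-file format and sample data are assumptions.
#include <cctype>
#include <cstddef>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One live connection as the monitor sees it.
struct Conn {
    std::string process;               // owning process name, e.g. "svchost.exe"
    std::string addr;                  // remote address
    bool capture = false;              // record future outbound packets?
    std::vector<std::string> packets;  // captured outbound data
};

// Trust list, persisted as one "addr <x>" or "proc <x>" line per entry so it grows across sessions.
struct TrustList {
    std::set<std::string> addrs, procs;
    bool Covers(const Conn& c) const { return addrs.count(c.addr) || procs.count(c.process); }
    std::string Save() const {           // write this string to the trust file on disk
        std::ostringstream os;
        for (const auto& a : addrs) os << "addr " << a << '\n';
        for (const auto& p : procs) os << "proc " << p << '\n';
        return os.str();
    }
    static TrustList Load(const std::string& text) {   // parse what Save() wrote
        TrustList t; std::istringstream is(text); std::string kind, value;
        while (is >> kind >> value) {
            if (kind == "addr") t.addrs.insert(value);
            else if (kind == "proc") t.procs.insert(value);   // unknown kinds are ignored
        }
        return t;
    }
};

class Monitor {
public:
    explicit Monitor(TrustList trust = TrustList()) : trust_(trust) {}

    // Registers a connection and returns its session-unique index (starts at 1).
    unsigned Add(const std::string& process, const std::string& addr) {
        Conn c; c.process = process; c.addr = addr;
        conns_[++last_] = c;
        return last_;
    }

    // Records outbound data for a connection only if capture was switched on for it.
    bool Outbound(unsigned idx, const std::string& data) {
        auto it = conns_.find(idx);
        if (it == conns_.end() || !it->second.capture) return false;
        it->second.packets.push_back(data);
        return true;
    }

    // Parses "trust N [by addr|process]", "trustaddr N", "trustproc N" and "capture N".
    // The index is resolved to the connection; the computer extracts addr/process itself.
    std::string Command(const std::string& line) {
        std::istringstream is(line);
        std::string verb, word; unsigned idx = 0;
        if (!(is >> verb >> idx)) return "error: usage: trust|capture <index> [by addr|process]";
        for (auto& ch : verb) ch = static_cast<char>(std::tolower(static_cast<unsigned char>(ch)));
        auto it = conns_.find(idx);
        if (it == conns_.end()) return "error: no connection with index " + std::to_string(idx);
        Conn& c = it->second;
        if (verb == "capture") { c.capture = true; return "ok: capturing " + c.process + " -> " + c.addr; }
        bool byProc = (verb == "trustproc");
        if (verb == "trust") {
            if (is >> word) {              // optional "by addr" / "by process"; default is by address
                if (word != "by" || !(is >> word) || (word != "addr" && word != "process"))
                    return "error: expected 'by addr' or 'by process'";
                byProc = (word == "process");
            }
        } else if (verb != "trustaddr" && verb != "trustproc") {
            return "error: unknown command " + verb;
        }
        if (byProc) { trust_.procs.insert(c.process); return "ok: trusted process " + c.process; }
        trust_.addrs.insert(c.addr);  return "ok: trusted address " + c.addr;
    }

    // Indexes still worth displaying: everything the trust list does not cover.
    std::vector<unsigned> Visible() const {
        std::vector<unsigned> out;
        for (const auto& kv : conns_) if (!trust_.Covers(kv.second)) out.push_back(kv.first);
        return out;
    }
    const TrustList& Trust() const { return trust_; }
    std::size_t Captured(unsigned idx) const {
        auto it = conns_.find(idx); return it == conns_.end() ? 0 : it->second.packets.size();
    }

private:
    std::map<unsigned, Conn> conns_;   // keyed by session-unique index
    TrustList trust_;
    unsigned last_ = 0;
};
```

Because the index is only unique within a session, the trust list stores what the index resolved to (the address or the process name), never the index itself; that is what makes Save()/Load() meaningful across restarts.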

I later created a "Detail" dialog that opens when the user double-clicks a connection, into which I can dump all sorts of detailed information about just that particular connection.
