dev.nlited.com


LBN_DBLCLK


2015-10-21 17:56:02 chip Page 1422 📢 PUBLIC

Oct 21 2015

NetMon memory usage.

NetMon is in even better shape than I expected. I have not had a single crash over the course of about 8 hours. VS15 now displays a live memory/cpu usage chart while debugging, which is very nice. It tells me NetMon quickly ramps up to a bit less than 4MB and then stays there, and rarely uses more than 10% cpu. Nice to know.

The trust list is now working about 99%. I still see occasional single entries that should be hidden. This may be a race condition on the trust list, I should guard it with a mutex.

Using NetMon casts a lot of suspicion on my old friend svchost. It seems to be a commonly used way to obfuscate the source of outbound network traffic. I need to be able to display the command line for the process so I can check the pedigree of the requesting DLL.

I also need to work on displaying the captured streams. I am more interested in the outbound data than inbound. Inbound data can be both overwhelming and indecipherable while mostly benign. Outbound data should be much smaller and contain the evidence of privacy violations. I need to remember that I am looking for privacy leaks, not trying to build a virus/malware detector.

Very strange: I want to create a popup dialog to display detailed process information when I double-click an item in the EventList. I added a WM_COMMAND handler that parses out the LBN_DBLCLK notification, but EventList::ListCmdDblClk() was never called. I verified that the Notify property for the listbox was set to TRUE. I noticed that the resource file did not include LBS_NOTIFY in the style for the listbox, so I manually added it. Still no callback.


Control.rc:

```
DLG_LIST DIALOGEX 0, 0, 310, 99
STYLE DS_SETFONT | DS_FIXEDSYS | WS_CHILD | WS_VISIBLE
FONT 8, "MS Shell Dlg", 400, 0, 0x1
BEGIN
    LISTBOX IDC_LIST_ITEMS,7,7,296,85,
            LBS_OWNERDRAWFIXED | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_HSCROLL | WS_TABSTOP | LBS_NOTIFY
END
```

EventList.cpp:

```cpp
// Dialog procedure for the child dialog that hosts the listbox.
INT_PTR EventList::ListProc(HWND hDlg, UINT Msg, WPARAM wParm, LPARAM lParm) {
    BOOL IsHandled= 0;
    EventList *pList= (Msg==WM_INITDIALOG) ? Ptr((HEVENTLIST)lParm) : PtrWnd(hDlg);
    if(pList) {
        switch(Msg) {
            // WM_COMMAND packs the control ID in LOWORD(wParm) and the
            // notification code (e.g. LBN_DBLCLK) in HIWORD(wParm).
            case WM_COMMAND: IsHandled= pList->ListCmd(LOWORD(wParm),HIWORD(wParm),(HWND)lParm); break;
        }
    }
    return(IsHandled);
}

BOOL EventList::ListCmd(UINT CtrlID,UINT Msg,HWND hCtrl) {
    switch(Msg) {
        case LBN_DBLCLK: return(ListCmdDblClk(CtrlID));
    }
    return(0);
}

BOOL EventList::ListCmdDblClk(UINT CtrlID) {
    int nItem= (int)SendMessage(hItems,LB_GETCURSEL,0,0);
    return(1);
}
```

So I manually set the bit when I create the window, and finally the callback occurred. This is very strange because according to the definition in WinUser.h, LBS_NOTIFY is normally set (it is part of LBS_STANDARD). ListProc is the message handler for the child dialog containing the listbox.

EventList.cpp:

```cpp
INT_PTR EventList::ListProc(HWND hDlg, UINT Msg, WPARAM wParm, LPARAM lParm) {
    BOOL IsHandled= 0;
    EventList *pList= (Msg==WM_INITDIALOG) ? Ptr((HEVENTLIST)lParm) : PtrWnd(hDlg);
    if(pList) {
        switch(Msg) {
            case WM_INITDIALOG: IsHandled= pList->ListInit(hDlg); break;
            case WM_COMMAND: IsHandled= pList->ListCmd(LOWORD(wParm),HIWORD(wParm),(HWND)lParm); break;
            //case LBN_DBLCLK: IsHandled= pList->ListCmdDblClk(LOWORD(wParm)); break;
        }
    }
    return(IsHandled);
}

BOOL EventList::ListInit(HWND hDlg) {
    UINT n1;
    //Need to copy gpOpt->Cfg because it will be changed
    //during the call to ColHeaderIns()
    struct Config_s Cfg= gpOpt->Cfg;
    this->hDlg= hDlg;
    SetWindowLongPtr(hDlg,DWLP_USER,(LONG_PTR)this);
    hItems= GetDlgItem(hDlg,IDC_LIST_ITEMS);
    //Force LBS_NOTIFY on at runtime so the listbox sends LBN_* notifications
    //through WM_COMMAND, regardless of what the resource template produced.
    DWORD Style= GetWindowLong(hItems,GWL_STYLE);
    SetWindowLong(hItems,GWL_STYLE,Style|LBS_NOTIFY);
    ...
    return(0);
}
```

WinUser.h:

```c
/*
 * Listbox Styles
 */
#define LBS_NOTIFY            0x0001L
...
#if(WINVER >= 0x0400)
#define LBS_NOSEL             0x4000L
#endif /* WINVER >= 0x0400 */
#define LBS_COMBOBOX          0x8000L

#define LBS_STANDARD (LBS_NOTIFY | LBS_SORT | WS_VSCROLL | WS_BORDER)
```

