
FirewallMonitor functional? #3

Closed
Volkanite opened this issue Jun 28, 2015 · 7 comments

Comments

@Volkanite

Is the FirewallMonitor plugin functional yet? I get an error loading it on r6153: "The specified procedure could not be found". I would have posted this issue on the Forums/plugins-extra thread, but I didn't see this plugin listed for download yet, which means it might be a new plugin still in testing. I'm on Win7 x64 SP1 (BuildLabEx: 7601.17514.amd64fre.win7sp1_rtm.101119-1850). Is it even for Win7?

(screenshot: 2015-06-28 17_59_50-process hacker)

@VictorVG

The linker is being naughty and inserting an incorrect import: monitor.c calls FwpmNetEventSubscribe, but the linker delivers FwpmNetEventSubscribe1() where FwpmNetEventSubscribe0() should be substituted (possibly Microsoft has once again made a mistake and is in no hurry to fix it :)). This plug-in imports FwpmNetEventSubscribe1(), which is specified for Windows 8 (https://msdn.microsoft.com/en-us/library/windows/desktop/hh969199%28v=vs.85%29.aspx), but for Windows 7 there is FwpmNetEventSubscribe0() (https://msdn.microsoft.com/en-us/library/windows/desktop/dd744937%28v=vs.85%29.aspx). This function is not compatible with Windows XP/Vista/Server 2003.
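The load error quoted above is what happens when a module statically imports an export the local fwpuclnt.dll does not have. The following PowerShell diagnostic is an added example (not part of Process Hacker or the plugin) that probes which of the two FwpmNetEventSubscribe exports named in this thread the host actually provides, so the failure can be matched to the OS's WFP API level before rebuilding anything:

```powershell
# Added diagnostic, not project code: probe fwpuclnt.dll for the two
# FwpmNetEventSubscribe exports discussed in this issue. The '0' variant
# is documented for Windows 7, the '1' variant for Windows 8 and later.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr LoadLibraryW(string lpFileName);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

$dll = [Probe.Native]::LoadLibraryW("fwpuclnt.dll")
if ($dll -eq [IntPtr]::Zero) {
    throw "fwpuclnt.dll could not be loaded; is the Windows Filtering Platform client present?"
}

# Resolve each export by name; a zero address means the DLL does not export it.
$wanted  = "FwpmNetEventSubscribe0", "FwpmNetEventSubscribe1"
$present = @{}
foreach ($name in $wanted) {
    $present[$name] = ([Probe.Native]::GetProcAddress($dll, $name) -ne [IntPtr]::Zero)
}

"Windows version: $([System.Environment]::OSVersion.Version)"
foreach ($name in $wanted) {
    "{0,-24} {1}" -f $name, $(if ($present[$name]) { "exported" } else { "MISSING" })
}

# A plugin linked against FwpmNetEventSubscribe1 cannot load where only the
# '0' export exists; that is the Win7 "specified procedure could not be found".
if ($present["FwpmNetEventSubscribe0"] -and -not $present["FwpmNetEventSubscribe1"]) {
    "Only the Windows 7 level API is available here: a module importing " +
    "FwpmNetEventSubscribe1 will fail to load on this host."
}
```

Run it on the machine that shows the error; on a Windows 8 or later host both names resolve, on Windows 7 only the 0-suffixed one does.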

@VictorVG

There's a second thing, and it comes out if a hex editor is used to correct the name of the import: run by an administrator with UAC disabled on Win7, the tab appears, but the message displayed is "insufficient privilege account", and that is only possible when UAC is enabled.

@VictorVG

I built commit c0bbc3f, but both of these problems are present:

  1. the linker inserts the Win8 API call into the output, and trying to switch build tools failed:

imports fwpuclnt.dll:

FwpmEngineClose0
FwpmEngineOpen0
FwpmEngineSetOption0
FwpmFilterGetById0
FwpmFreeMemory0
FwpmLayerGetById0
FwpmNetEventSubscribe1 <--- Win8 API, the linker ignores the specified ld :: System == 5.01
FwpmNetEventUnsubscribe0

  2. even if the import name is corrected manually, it still requires administrator rights while ignoring their presence:

(screenshot: fwmon)

@VictorVG

The problem is present, because I had voiced this hypothesis in a forum PM. :(

@dmex (Member) commented Jun 30, 2015

This plugin was originally created in 2012 but dropped due to issues with Windows 7 support.

It's back from the dead and for now will have some issues while it's updated to the latest SDK... This plugin doesn't show much information on Windows 7 because you only see Dropped events... Windows 8 and Windows 10 show both Dropped and Allowed, plus substantially more information about the individual events.

Please confirm it's actually working (e.g. shows dropped events on Win7) so I can close this ticket 👍

@VictorVG

Built, checked - the test is successful:

(screenshot: test)

OS Win7 SP1 x64, using the internal IPFilter

@Volkanite (Author)

Works! You can close.

@dmex dmex closed this as completed Jun 30, 2015