Security tools: Preparation of USB flash drive Firewall

Source: Internet
Author: User
I. Preface

In the previous article, I discussed how to create the autorun.inf immunity program. Although that immunity program works for every drive letter, it is mainly used to protect USB flash drives. Because newer operating systems no longer support autorun.inf, we generally do not need to pay special attention to this issue. As the final part of this study of USB flash drive defence, I will discuss how to build a USB flash drive firewall. When the firewall detects that a USB flash drive has been inserted, it shows a prompt and automatically checks whether the drive contains an autorun.inf file; if so, it parses the file and then deletes it. With this firewall, you can open the USB flash drive safely.

In fact, many anti-virus products now integrate this function: when a user inserts a USB flash drive, the software detects its drive letter and then automatically scans it for viruses and Trojans, as shown in Figure 1:


Figure 1 anti-virus software checks the USB flash drive

Although the USB flash drive firewall I have created is not as polished as commercial software and its functions are not as complete, the principles used are similar. As the discussion continues, my security tools will keep evolving, and I believe that in the near future their functions will roughly match those of professional software.


2. Create the interface

I still use MFC to create this program. I only need to add one button control to the interface, as shown in Figure 2:


Figure 2 Creation of the interface

The drive letter is displayed in a message box rather than drawn on the program interface, so the interface only needs a single button control, "Enable USB flash drive safely". To make the later code easier to write, also create a control-type member variable named m_SafeOpen for this button.


3. Compile the code for displaying the USB drive letter

Because the program is developed with MFC, the OnDeviceChange() message handler can be used. First, a brief introduction to the message mapping mechanism:

MFC processes messages through message maps. In the application framework, a message map is a table that pairs each message with its handler function, together with the declaration and implementation of that handler. When a window receives a message, it looks up the corresponding handler in the message map and calls it. In SDK programming you have to test the message value in the window procedure yourself and branch on it; by comparison, MFC's message mapping mechanism is much easier to use.

The first step is to add the message map entries in ufirewalldlg.cpp:

BEGIN_MESSAGE_MAP(CUFireWallDlg, CDialog)
    //{{AFX_MSG_MAP(CUFireWallDlg)
    ON_WM_SYSCOMMAND()
    ON_WM_PAINT()
    ON_WM_QUERYDRAGICON()
    ON_BN_CLICKED(IDC_BTN_SAFEOPEN, OnBtnSafeopen)
    // Note: newer MFC versions check that ON_MESSAGE handlers have the signature
    // LRESULT (WPARAM, LPARAM); there, use ON_WM_DEVICECHANGE() instead, whose
    // handler is BOOL OnDeviceChange(UINT nEventType, DWORD_PTR dwData)
    ON_MESSAGE(WM_DEVICECHANGE, OnDeviceChange)
    //}}AFX_MSG_MAP
END_MESSAGE_MAP()
Next, add the declaration of the message handler under protected in the header file ufirewalldlg.h:
// Generated message map functions
//{{AFX_MSG(CUFireWallDlg)
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
afx_msg BOOL OnDeviceChange(UINT nEventType, DWORD dwData);
afx_msg void OnBtnSafeopen();
//}}AFX_MSG
Then add the code to get the drive letter:
void CUFireWallDlg::GetDriverName(DWORD dwData)
{
    // Clear any drive letter left over from a previous insertion
    DriverName = "";
    PDEV_BROADCAST_HDR pDevHdr = (PDEV_BROADCAST_HDR)dwData;
    // If the device type is DBT_DEVTYP_VOLUME, convert the header to a
    // DEV_BROADCAST_VOLUME structure
    if (pDevHdr->dbch_devicetype == DBT_DEVTYP_VOLUME)
    {
        PDEV_BROADCAST_VOLUME pDevVolume = (PDEV_BROADCAST_VOLUME)pDevHdr;
        // If dbcv_flags is 0, the volume is a removable disk
        if (pDevVolume->dbcv_flags == 0)
        {
            // dbcv_unitmask identifies the logical drive letter by bit position:
            // bit 0 is drive A, bit 1 is drive B, and so on
            DWORD dwUnitMask = pDevVolume->dbcv_unitmask;
            // At most 26 bits need to be examined, because there are 26 drive letters
            // (i is the global variable that keeps the drive letter index)
            for (i = 0; i < 26; ++i)
            {
                // The newly inserted removable device is assumed to be the only
                // set bit, so look for the lowest 0x1 bit in dwUnitMask
                if (dwUnitMask & 0x1)
                {
                    break;              // found
                }
                dwUnitMask >>= 1;       // not found yet, keep shifting
            }
            // If no bit was set after 26 shifts, give up
            if (i >= 26)
            {
                return;
            }
            // Format the drive letter into DriverName, for example "E:"
            DriverName.Format("%c:", i + 'A');
        }
    }
}
Finally, add the following in the public section of the header file ufirewalldlg.h:
void GetDriverName(DWORD dwData);
CString DriverName;
Note that because the program uses macros beginning with DBT_, such as DBT_DEVTYP_VOLUME, it must include the header file "dbt.h". Also define a global variable i to hold the index of the removable disk's drive letter. At this point the code for determining the drive letter is complete, but the program will not yet run, because the OnDeviceChange() function still has to be filled in.

4. Check the autorun.inf file on the USB flash drive

I will not explain this in detail; the comments added to the code are sufficient:

BOOL CUFireWallDlg::OnDeviceChange(UINT nEventType, // the event type
                                   DWORD dwData)    // address of a structure with event-specific data
{
    // The system broadcasts the DBT_DEVICEARRIVAL event when a device or piece
    // of media has been inserted and becomes available
    if (nEventType == DBT_DEVICEARRIVAL)
    {
        // Obtain the drive letter
        GetDriverName(dwData);
        // Display the drive letter of the removable disk; MessageBox() is used
        // here for debugging rather than AfxMessageBox()
        CString tmpFile;
        tmpFile.Format("Detected removable disk: %c", i + 'A');
        MessageBox(tmpFile);
        // If the drive letter was obtained successfully
        if (DriverName != "")
        {
            // Make the "Enable USB flash drive safely" button available
            m_SafeOpen.EnableWindow(TRUE);
            // Build the complete path of autorun.inf
            CString file = DriverName;
            file += "\\autorun.inf";
            char szBuff[MAX_PATH] = {0};
            // Determine whether the autorun.inf file exists
            if (GetFileAttributes(file) == INVALID_FILE_ATTRIBUTES)
            {
                m_SafeOpen.EnableWindow(FALSE);
                return FALSE;
            }
            // Read the value after "shell\auto\command=" in autorun.inf, that is,
            // the suspicious file that would be opened automatically
            GetPrivateProfileString("autorun",              // section containing the key
                                    "shell\\auto\\command", // key whose string is retrieved
                                    NULL,                   // default string
                                    szBuff,                 // buffer that receives the string
                                    MAX_PATH,               // buffer size, in characters
                                    file);                  // name of the initialization file
            // Full path of the program started by autorun.inf (the original
            // omitted the backslash, which would not resolve to the drive root)
            CString delFile = DriverName;
            delFile += "\\";
            delFile += szBuff;
            CString str;
            str = "Please select whether to delete the suspicious file: ";
            str += szBuff;
            if (MessageBox(str, NULL, MB_YESNO) == IDYES)
            {
                // Delete autorun.inf and the file it starts
                DeleteFile(file);
                DeleteFile(delFile);
            }
        }
    }
    // The system broadcasts the DBT_DEVICEREMOVECOMPLETE event when a device
    // or piece of media has been physically removed
    else if (nEventType == DBT_DEVICEREMOVECOMPLETE)
    {
        // When the USB flash drive is pulled out, the "Enable USB flash drive
        // safely" button must no longer be usable
        m_SafeOpen.EnableWindow(FALSE);
    }
    return TRUE;
}

The program checks whether autorun.inf exists on the USB flash drive; if it does, it parses the file, finds the suspicious program it would run, and asks the user whether to delete it. If the user agrees, both files are deleted.


5. Write the button control code

Because the button's enabled state is controlled by the program, it has to start out disabled. Open ufirewalldlg.cpp, find OnInitDialog(), and add after the "extra initialization" comment:
// TODO: Add extra initialization here
m_SafeOpen.EnableWindow(FALSE);
Finally, add the button control code:
void CUFireWallDlg::OnBtnSafeopen()
{
    // TODO: Add your control notification handler code here
    ShellExecute(NULL,                    // parent window handle
                 "open",                  // action, for example open, print, edit, explore, find
                 DriverName.GetBuffer(0), // file or program to open: here the drive, e.g. "E:"
                 NULL,                    // parameters for the program; NULL when opening a file
                 NULL,                    // default directory
                 SW_SHOW);                // show option
}

Now all the code has been written, and the next step is to test.


6. Testing the program

To test the program, I first write an autorun.inf file onto the USB flash drive:

[autorun]
shell\auto\command=Hacked.exe

(or a similar entry). Then run the USB flash drive firewall program and insert the USB flash drive; the drive letter is detected:

Figure 3 drive letter detected by the program

After you click "OK", the program detects that the USB flash drive contains an autorun.inf file, parses the name of the file it would start, and then pops up a dialog box asking the user whether to delete the suspicious file:


Figure 4 check whether suspicious files are deleted

Click "Yes" here, and the program deletes the autorun.inf file on the USB flash drive together with the malicious program it would run. Finally, you can click the "Enable USB flash drive safely" button to open the USB flash drive safely.


VII. Summary

From the analysis above, we can see that Microsoft provides a wide range of API functions with which we can implement all kinds of features. In practical programming we are really practising "take what is useful", so the more we accumulate, the better. One thing to note: an autorun.inf may also use the "open" key to launch a malicious program; if so, you only need to modify the program above slightly. I also hope that the programs above can serve as an example.
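As an added example (not the article's code), the two checks the firewall performs, drive letter from dbcv_unitmask and launch target from autorun.inf, written in portable C++ so they can be run and tested without the MFC/Win32 headers. It goes beyond the article in two ways: it returns every drive letter set in the mask rather than only the first, and it also picks up the "open" and "shellexecute" keys, not just shell\auto\command. The sample autorun.inf text is constructed.

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Convert a DEV_BROADCAST_VOLUME dbcv_unitmask into drive letters: bit 0 is A:, bit 1 is
// B:, and so on. One broadcast can carry several bits (a card reader exposing two
// volumes), so every set bit is reported rather than only the lowest one.
std::vector<char> DriveLettersFromUnitMask(unsigned long unitMask) {
    std::vector<char> letters;
    for (int bit = 0; bit < 26; ++bit)
        if (unitMask & (1UL << bit)) letters.push_back(static_cast<char>('A' + bit));
    return letters;
}

static std::string Trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r"), e = s.find_last_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

static std::string Lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Parse the [autorun] section of an autorun.inf and return every key that names a program
// to launch: "open", "shellexecute" and any "shell\<verb>\command" key (the article only
// reads shell\auto\command). Keys are lower-cased; values keep their original case.
std::map<std::string, std::string> AutorunLaunchTargets(const std::string& inf) {
    std::map<std::string, std::string> targets;
    std::istringstream in(inf);
    std::string line;
    bool inAutorun = false;
    while (std::getline(in, line)) {
        line = Trim(line);
        if (line.empty() || line[0] == ';') continue;            // blank or comment line
        if (line[0] == '[') { inAutorun = Lower(line) == "[autorun]"; continue; }
        size_t eq = line.find('=');
        if (!inAutorun || eq == std::string::npos) continue;
        std::string key = Lower(Trim(line.substr(0, eq)));
        std::string value = Trim(line.substr(eq + 1));
        bool shellCmd = key.rfind("shell\\", 0) == 0 && key.size() > 8 &&
                        key.compare(key.size() - 8, 8, "\\command") == 0;
        if (key == "open" || key == "shellexecute" || shellCmd) targets[key] = value;
    }
    return targets;
}

// Constructed sample: the article's test file plus an "open" line and a harmless icon key.
const std::string kSampleInf =
    "[autorun]\r\nshell\\auto\\command=Hacked.exe\r\nopen=Hacked.exe -s\r\nicon=drive.ico\r\n";
```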
