These days lot of bloggers have been writing about the new API of Google: Google Safe Browsing API. The Safe Browsing API is an experimental API that enables client applications to check URLs against Google's constantly updated blacklists of suspected phishing and malware pages.

I think this is a cool API and if you want to take profit of it you already have it with FireFox. But, I like Internet Explorer so I woud like to use both together.

If you take a look to the documentation, you will see that its usage is actually very easy. The idea is that you get a list of URL hashes, which are marked as phishing or malware; then you only need to validate the url's you want to check against these hash tables. I'm not going to enter in too much details since you can read the guide that Google provides you.

What I've done is let's say: a  "proof of concept", that it's possible to use Google Safe Browsing with IE. I've built an implementation of this using C#.  The code you can download consists in two main parts: 

• A Windows Service that hosts a WCF Service with the logic to perform updates and the validation against the hash tables.
• An BHO (Browser Helper Object) that queries the information to the WCF Service.

The BHO is configured as an add-on for IE. It just handles the BeforeNavigate2 event and checks the URL making a call to the published service, if the URL is safe then nothing happens otherwise the navigation is cancelled and the message displayed:

The code for the BHO is pretty simple, the first you need to do is to declare the interface IObjectWithSite to make available for .NET

1 [ComImport]
2 [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
3 [Guid("FC4801A3-2BA9-11CF-A229-00AA003D7352")]
4 public interface IObjectWithSite
5 {
6     void SetSite([In, MarshalAs(UnmanagedType.IUnknown)] Object pUnkSite);
7     void GetSite(ref Guid riid, [MarshalAs(UnmanagedType.IUnknown)] out Object ppvSite);
8 }

 Once you have done this you need to do a class that implements it, this class will be the one loaded by IE and where you will capture the events.

 1 namespace BalearesOnNet.GoogleSafeBrowsing.BHO
 2 {
 3     [ComVisible(true),
 4     ClassInterface(ClassInterfaceType.None), Guid("D5423C28-959D-4909-BB9B-431286B62483")]
 5     public class SafeBrowsingBHO : IObjectWithSite
 6     {
 7         private const string bhoRegistryKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects";
 8 
 9         private SHDocVw.WebBrowser webBrowser;
10 
11         #region IObjectWithSite Members
12 
13         public void SetSite(object pUnkSite)
14         {
15             if (pUnkSite == null)
16             {
17                 webBrowser.BeforeNavigate2 -= new DWebBrowserEvents2_BeforeNavigate2EventHandler(this.webBrowser_BeforeNavigate2);
18                 webBrowser = null;
19             }
20             else
21             {
22                 webBrowser = (SHDocVw.WebBrowser)pUnkSite;
23                 webBrowser.BeforeNavigate2 += new DWebBrowserEvents2_BeforeNavigate2EventHandler(webBrowser_BeforeNavigate2);
24             }
25         }
26 ...

 The other interesting part of it, is how to cancel the navigation and modify the HtmlDocument, with our custom html.

 1 void webBrowser_BeforeNavigate2(object pDisp, ref object URL, ref object Flags, ref object TargetFrameName, ref object PostData, ref object Headers, ref bool Cancel)
 2 {
 3     ....
 4 
 5     if (result == UrlValidationResult.Malware || result == UrlValidationResult.BlackList)
 6     {
 7         IHTMLDocument2 doc = webBrowser.Document as IHTMLDocument2;
 8 
 9         if (doc != null)
10         {
11             doc.clear();
12             doc.writeln(result == UrlValidationResult.Malware ? Resources.MalwareWarning : Resources.BlackWarning);
13             doc.close();
14         }
15 
16         Cancel = true;
17     }
18 }

The WCF Service exposes only two methods: "public void Update()" and "public UrlValidationResult ValidateUrl(Uri uri)". This service what it does is to obtain and keep updated the hash tables doing incremental updates, as well as the logic to validate the url's against these tables. The tables are stored in an IsolatedStorage to avoid obtaining them from internet every time, nevertheless the tables are loaded and operated in memory.

In order to validate a url you need to perform some steps, first of all you need to obtain a 128 bit MD5 Hash of the URL you want to check, then you need to get the string representation of this hash. With .NET you can accomplish this easily.

 1 private string GetHash(string url)
 2 {
 3     byte[] hashBytes;
 4     using (MD5 md5 = MD5.Create())
 5     {
 6         hashBytes = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(url));
 7     }
 8 
 9     StringBuilder sb = new StringBuilder(32);
10 
11     int length = hashBytes.Length;
12     for (int i = 0; i < length; i++)
13     {
14         sb.Append(hashBytes[i].ToString("x2"));
15     }
16 
17     return sb.ToString();
18 }

 Google suggest you also to perform several lookups from the same URL to get an accurated result, which consists of: the exact hostname in the URL, up to 4 hostnames formed by starting with the last 4 components and successively removing the leading component. In addition for the path you should try at most 6 different strings: the exact path of the url, including query parameters; the exact path of the url, without query parameters and the 4 paths formed by starting at the root (/) and succesively appending path components, including a trailing slahsh. A sample displays better what this means.

For the url http://a.b.c.d.e.f.g/1.html

a.b.c.d.e.f.g/1.html

a.b.c.d.e.f.g/

c.d.e.f.g/1.html

c.d.e.f.g/

d.e.f.g/1.html

d.e.f.g/

e.f.g/1.html

e.f.g/

f.g/1.html

f.g/

*(Note that b.c.d.e.f.g, is skipped since we'll take only the last 5 hostname components, and the full hostname)

Another interesting feature is that you can verify that the tables obtained in the requests come from Google, this is obtained by requesting a pair of keys, client key and wrapped key. The wrapped key must be sent along the requests for updates, then Google will include a MAC (Message Authentication Code) in the header of each response following the structure "[mac=dRalfTU+bXwUhlk0NCGJtQ==]". In order to validate this mac you need to do again a 128 bit MD5 Hash with the following information: client_key|separator|table data|separator|client_key. Where the separator is the string:coolgoog: - that is a colon followed by "coolgoog" followed by a colon. To be honest I got a bit stuck here, I've tried a few ways to verify a MAC but there is something I'm missing and I cannot get the expected result. Maybe I try again when I come back from holidays.

You can download the code and test it, but remember that this code is provided as is and cannot be considered finished code. There is room enough for improvement in many areas including exception handling that has not been considered for this sample.

In order to test you will need to install and start the windows service included, before start it be sure that you include your own key in the appSettings section of the file "BalearesOnNet.GoogleSafeBrowsing.Service.exe.config". The BHO is configured to be installed when you compile it with Visual Studio, you can disable this option by unchecking the option "Register for COM interop" in the properties of the project.

I hope you like it.

In the forums of Baleares on .NET (Spanish) a member asked a general question about hooking functions, avoiding the easy joke about what hooking functions are, we could define them basically as a technique which allows putting your own code between the caller and the destination.

One of the easiest and common hooks is the one to capture keyboard and mouse events, something that you can easily implement in .NET making use of InteropServices.

We will see with a sample how to build a class that intercepts the mouse and keyboard messages and raises a .net event, which users can handle (see below to download the full source code).

The first thing is to obtain the functions to install and remove the hooks, which we can find in the user32.dll.

1 [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
2 public static extern int SetWindowsHookEx(int idHook, HookProc lpfn, IntPtr hMod, int dwThreadId);
3 
4 [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
5 public static extern bool UnhookWindowsHookEx(int idHook);
6 
7 [DllImport("user32.dll", CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
8 public static extern int CallNextHookEx(int idHook, int nCode, IntPtr wParam, IntPtr lParam);

You can find detailed information about what every parameter is in the MSDN, but just as a fast review: idHook is the type of hook to install, lpfn is a pointer to our hook method, hMod is a handle to the DLL that will contain the method pointed by lpfn and finally dwThreadId, which specifies the identifer of the thread with which the hook method is to be associated. The type we have set to lpfn is HookProc, as you will see next, this is just a delegate with the next signature: public delegate int HookProc(int nCode, IntPtr wParam, IntPtr lParam);

Another important thing to stand up is the third DllImport, what we are going to do is to install and remove hooks from a hook chain, because of that it will be necessary to call the next installed hooks, otherwise we will prevent they are executed.

To install the hook the only thing we need to do is to call SetWiwnodwsHookEx with the rigth parameters.

 1 HookProc mouseHookProc = new HookProc(MouseHookProc);
 2 ...
 3 public void InstallMouseHook()
 4 {
 5      idHookMouse = NativeMethods.SetWindowsHookEx(NativeConstants.WH_MOUSE_LL, mouseHookProc, Marshal.GetHINSTANCE(this.GetType().Module), 0);
 6     if (idHookMouse == 0)
 7         throw new ApplicationException("MouseHook cannot be set");
 8 }
 9 ...
10 private int MouseHookProc(int nCode, IntPtr wParam, IntPtr lParam)
11 {
12     if (nCode < 0)
13     {
14         return NativeMethods.CallNextHookEx(NativeConstants.WH_MOUSE_LL, nCode, wParam, lParam);
15     }
16     else
17     {
18         MSLLHOOKSTRUCT mouseHookStruct = (MSLLHOOKSTRUCT)Marshal.PtrToStructure(lParam, typeof(MSLLHOOKSTRUCT));
19 
20         HookMouseEventArgs args = new HookMouseEventArgs();
21         args.Point = new Point(mouseHookStruct.pt.x, mouseHookStruct.pt.y);
22         args.Message = wParam.ToInt32();
23 
24         OnHookMouse(args);
25 
26         return NativeMethods.CallNextHookEx(NativeConstants.WH_MOUSE_LL, nCode, wParam, lParam);
27     }
28 }
29 ...
30 [StructLayout(LayoutKind.Sequential)]
31 public class MSLLHOOKSTRUCT
32 {
33     public POINT pt;
34     public int mouseData;
35     public int flags;
36     public int time;
37     public int dwExtraInfo;
38 }

In the excerpt of the above code we set a global hook to intercept all the messages of the mouse. When there is a message the method MouseHookProc is called and we will fire an event with the HookMouseEventArgs class as parameters, after that we take care of call the next hook in the chain. In the line 18 you can see how we convert the pointer lParam received as parameter to an struct of type MSLLHOOKSTRUCT. This class contains some valuable information like "mouseData" that represents the message type (left button down, mouse wheel ...), or "pt" that represents the point in which is the mouse.

The last thing you need to know is that you must remove the hook as soon as possible, since it's resource consuming. This can be accomplished as follows:

1 public void RemoveMouseHook()
2 {
3     if (idHookMouse > 0)
4         NativeMethods.UnhookWindowsHookEx(idHookMouse);
5 
6     mouseHookProc = null;
7     idHookMouse = 0;
8 }

These are the basis about how to build your own class to handle Mouse Hooks, if you want you can download the full source code from here, which shows you how to do the same with the Keyboard. 

I hope you find interesting and remember that you can complete all the information in our bible: the MSDN.

These days I’ve been bothered by a virus that decided to live on my laptop.

I’m not going to explain how it arrived there, because I get really mad, I’m just going to give a common sense suggestion: never, never let your laptop to other people, doesn’t matter how friends you are ….

In any case there was an interesting part on all this, since the virus had nice things to learn which I’m going to try to reproduce using .NET:

The virus introduced lot of keys in the registry; one of the most interesting was added to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Maybe in another post I will explain why this one is interesting, but first let’s try to add or modify registry keys from C#.

The .NET Framework, once more, has done most of the work for us. We only need to take a look to the Microsoft.Win32 namespace and there we will find the classes "Registry" and "RegistryKey", which makes extremely easy to work with the Windows Registry.

Take a look to the next code:

string keyName = @"Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify";

RegistryKey notifyKey = Registry.LocalMachine.OpenSubKey(keyName, true); 

RegistryKey testKey = notifyKey.CreateSubKey("TestKey"); 

testKey.SetValue("Asynchronous", 0x00000001, RegistryValueKind.DWord); 

testKey.SetValue("DllName", "FakeVirus.dll", RegistryValueKind.String); 

testKey.SetValue("Impersonate", 0x00000000, RegistryValueKind.DWord); 

testKey.SetValue("Logoff", "Logoff", RegistryValueKind.String); 

testKey.SetValue("Logon", "Logon", RegistryValueKind.String); 

As you already deducted we have created a new sub key called TestKey and introduced in it 5 different values, Asynchronous, DllName, Impersonate … very easy, isn't it?

With the virus I wasn’t able to delete the registry entries added because they were regenerated immediately after any kind of change. This was done monitoring the entries, something that cannot be done directly with the managed classes but Windows supports through its API.

Reproduce this mechanism is not a big problem since even if .NET doesn’t have an equivalent method we can use p/invoke (Platform Invoke) to use the unmanaged functions of the Win32 API. For more information about it you can check the next link: http://msdn2.microsoft.com/en-us/library/ms724892.aspx

I add here the most interesting part of the code in order you can build your own monitor:

// P/Invoke methods and constants 

internal class NativeMethods
{
   private NativeMethods()
   {
   } 

   [DllImport("advapi32.dll", SetLastError = true)]
   internal static extern int RegNotifyChangeKeyValue(
      IntPtr hKey,
      [MarshalAs(UnmanagedType.Bool)] 
      bool watchSubtree,
      int dwNotifyFilter, 
      IntPtr hEvent, 
      [MarshalAs(UnmanagedType.Bool)] 
      bool fAsynchronous 

   ); 

   [DllImport("advapi32.dll", SetLastError = true)]
   internal static extern int RegOpenKeyEx(
      IntPtr hKey,
      string subKey,
      uint options,
      int sam,
      out IntPtr phkResult 

   ); 

   [DllImport("advapi32.dll", SetLastError = true)]
   internal static extern int RegCloseKey(
      IntPtr hKey 

   ); 

   internal const int HKEY_CLASSES_ROOT = unchecked((int)0x80000000);
   internal const int HKEY_CURRENT_USER = unchecked((int)0x80000001);
   internal const int HKEY_LOCAL_MACHINE = unchecked((int)0x80000002);
   internal const int HKEY_USERS = unchecked((int)0x80000003);
   internal const int HKEY_PERFORMANCE_DATA= unchecked((int)0x80000004);
   internal const int HKEY_CURRENT_CONFIG = unchecked((int)0x80000005);
   internal const int HKEY_DYN_DATA = unchecked((int)0x80000006); 

   internal const int KEY_NOTIFY = 0x0010; 

   internal const int REG_NOTIFY_CHANGE_NAME = 0x00000001;
   internal const int REG_NOTIFY_CHANGE_ATTRIBUTES = 0x00000002;
   internal const int REG_NOTIFY_CHANGE_LAST_SET = 0x00000004;
   internal const int REG_NOTIFY_CHANGE_SECURITY = 0x00000008;
} 

.................................................................................................................... 

IntPtr parentKey = new IntPtr(NativeMethods.HKEY_LOCAL_MACHINE); 

string subKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TestKey" 

IntPtr monitoredKey; 

try 

{ 

   int ret = NativeMethods.RegOpenKeyEx(parentKey, subKey, 0, NativeMethods.KEY_NOTIFY, out monitoredKey);
   if (ret != 0)
   {
      throw new Win32Exception(ret);
   } 

   using (AutoResetEvent monitorEvent = new AutoResetEvent(false))
   {
      ret = NativeMethods.RegNotifyChangeKeyValue(parentKey, true, 
                        NativeMethods.REG_NOTIFY_CHANGE_NAME | NativeMethods.REG_NOTIFY_CHANGE_ATTRIBUTES | 
                        NativeMethods.REG_NOTIFY_CHANGE_LAST_SET | NativeMethods.REG_NOTIFY_CHANGE_SECURITY, 
                        monitorEvent.Handle, true); 

      if (ret != 0)
      {
         throw new Win32Exception(ret);
      }  

      monitorEvent.WaitOne();
      // Do something after the registry has changed 

   } 

} 

finally
{
   parentKey = IntPtr.Zero;
   if (monitoredKey != IntPtr.Zero)
   {
      NativeMethods.RegCloseKey(monitoredKey);
      monitoredKey = IntPtr.Zero;
   } 

} 

Nice, don't you think?