Has EXE internet access? (Block it?)

Question

I would like to write a small tool which analyzed an EXE file (x32, x64) which checks if the EXE has the ability to access the internet.

I know this functionality from "Noton Firewall 2003" (very old...) which was able to scan the hard disk for EXE files which have internet access.

The question is, how to detect it? Is there some DLL file which is always imported if internet access is needed? (WININET.DLL ?) I also wonder, if it makes difference, how the communication was developed (using a framework, using sockets, using WinAPI, ...?)

Related side-question: Is there any "EASY" (and hopefully "clean") way to prevent an application to access the internet? (e.g. hooking a DLL-import which is required for EVERY kind/implementation of internet access?)

Intented usage of my tool would be something like

my_easy_firewall.exe [target-application] [parameters]

--> If application has internet access functionality, then ask if allow or deny internet access. Then run [target-application] with [parameters] with or without internet access, based on user's decision.

I would like to develop this in Borland Delphi.

Thank you.

Regards

Daniel Marschall

Answer 1

I use a workaround

For example a .bat file with content

"%~dp0"\hosts add access.blocked.com 127.0.0.1
call "%~dp0"\programname.exe
"%~dp0"\hosts del access.blocked.com

It uses the hosts.exe from the url below to edit the windows hosts file. The bat file above will edit hosts file to block unwanted example connection access.blocked.com, it will launch the program exe, will wait for it to close when finished and it will delete the entry in the hosts file so its clean again. Works perfectly.

https://code.google.com/p/hostscmd/downloads/list

Answer 2

Daniel, scanning the exe files to detect if imports some dll which is used to internet access is not reliable, because exist many methods to access the internet without import directly a dll. for example you can use the LoadLibrary function which load a dll dynamically or a COM object like the WinHttpRequest Object using late binding.

for example you can create a project like this

{$APPTYPE CONSOLE}

uses
  ActiveX,
  ComObj,
  SysUtils;


Procedure HttpGetText(const Url:string);
var
  objHTTP : OleVariant;
begin
    objHTTP:=CreateOleObject('WinHttp.WinHttpRequest.5.1');
    objHTTP.Open('GET', Url, False);
    objHTTP.Send();
    Writeln(objHTTP.ResponseText);
end;

begin
 try
    CoInitialize(nil);
    try
      HttpGetText('https://stackoverflow.com/questions/5445133/has-exe-internet-access-block-it');
      Readln;
    finally
      CoUninitialize;
    end;
 except
    on E:Exception do
    begin
        Writeln(E.Classname, ':', E.Message);
        Readln;
    end;
  end;
end.

Now using a tool to check the dll dependency you will see a small list like this

oleaut32.dll
advapi32.dll
user32.dll
kernel32.dll
ole32.dll

none of these dll are used to access internet directly.

I think which instead of detect the internet access you can monitor the TCP and UDP connections of any application using a function like GetExtendedTcpTable (check delphi samples here and here) from here you determine the port and server which the application is accessing and inform to the user. or annother way using something more advanced like Winpcap parsing the network packets captured.

Answer 3

As far I know all antimalware use some kind of signature to detect infected files.
For the related side-question, the best way to prevent an application to access the Internet is by intercept all request for TCP/IP communication. This is a firewall job and developing your Firewall is not a trivial task.