
Prohibiting network access based on specific PID #109

Open
justKing9 opened this issue Dec 28, 2024 · 6 comments

Comments

@justKing9

Networking could be prohibited by process PID, process name, or port, so that playability is better. I hope the author can adopt it.

@justKing9
Author

I like your project very much. Can you give me a usdt wallet so that I can reward you?

Repository owner deleted a comment Dec 28, 2024
@bytecode77
Owner

Hey there,

can you give me a little detail here? Are you trying to disable connectivity for specific process IDs or for specific ports? And also, do you want to achieve this on one of your own computers, where you can configure everything yourself, or is r77 installed at some remote location?

I might come up with a simple solution to this. By the way thank you very much for your offer! I really appreciate support for the project :) Though, I only have BTC (19FPS9C5yCtLFkGzN6zoJkHhortdKAx8MW). Again, thank you a lot for your support!

@justKing9
Author

I have tried hooking NtDeviceIoControlFile, NtWriteFile, NtReadFile and NtClose, the functions TCP goes through, to make the specified program unable to connect to the network. You can read the program name or port that needs to be disconnected from HKEY_LOCAL_MACHINE\SOFTWARE\$77config.

@justKing9
Author

You can apply for an ETH wallet, which is also more versatile and convenient. You can put it in README.md, so that we can also support your project more conveniently. All your projects provide me with rich concepts and ideas. I like them very much and will always support you.

@wineggdrop

wineggdrop commented Jan 2, 2025

You can do that by hooking NtCreateFile().

NtCreateFile(
    [out]          PHANDLE            FileHandle,
    [in]           ACCESS_MASK        DesiredAccess,
    [in]           POBJECT_ATTRIBUTES ObjectAttributes,
    [out]          PIO_STATUS_BLOCK   IoStatusBlock,
    [in, optional] PLARGE_INTEGER     AllocationSize,
    [in]           ULONG              FileAttributes,
    [in]           ULONG              ShareAccess,
    [in]           ULONG              CreateDisposition,
    [in]           ULONG              CreateOptions,
    [in]           PVOID              EaBuffer,
    [in]           ULONG              EaLength
);

1. Check if the process name matches the name for which you would like to disable connectivity. If so, hook NtCreateFile().
2. Check if ObjectAttributes->ObjectName in the Hooked_NtCreateFile() call equals L"\Device\Afd\Endpoint", which means a socket is being created; just return a STATUS_ACCESS_DENIED error.

Hooking NtDeviceIoControlFile can do the same by returning an error code for AFD_CONNECT.
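The two checks in the comment above, isolated from any hook installation, as an added example that is not r77's code and not wineggdrop's: it shows only the decision a Hooked_NtCreateFile would make from the process name and ObjectAttributes->ObjectName, written in portable C99 so it builds anywhere. Two details matter when turning the comment into code: ObjectName is a UNICODE_STRING whose Length is in bytes and whose buffer is not guaranteed to be NUL-terminated, so it must be compared by Length rather than with a C-string routine, and the backslashes in the device path are doubled in a C literal. The block list (`SAMPLE_BLOCKED_NAMES`), the `unicode_string_t` stand-in and the case-insensitive match are constructed assumptions; the same comparison is what a monitoring hook would use to log socket creation per process.

```c
/* Decision logic for the per-process socket filter described above (added example). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS_T;                              /* NTSTATUS is a signed 32-bit value */
#define STATUS_ACCESS_DENIED ((NTSTATUS_T)0xC0000022)    /* documented NTSTATUS code */

/* Portable stand-in for UNICODE_STRING: Length counts BYTES, and the buffer is
 * NOT guaranteed to be NUL-terminated, so C-string functions must not touch it. */
typedef struct {
    uint16_t Length;         /* bytes in use */
    uint16_t MaximumLength;  /* bytes allocated */
    const uint16_t *Buffer;  /* UTF-16 code units */
} unicode_string_t;

/* The AFD endpoint device path; every backslash is doubled in a C literal. */
static const char AFD_ENDPOINT_PATH[] = "\\Device\\Afd\\Endpoint";

/* Constructed sample configuration (hypothetical names), standing in for whatever
 * a real implementation would read from its configuration store. */
static const char *const SAMPLE_BLOCKED_NAMES[] = { "game.exe", "updater.exe" };
#define SAMPLE_BLOCKED_COUNT (sizeof SAMPLE_BLOCKED_NAMES / sizeof SAMPLE_BLOCKED_NAMES[0])

static uint16_t ascii_lower(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* Case-insensitive compare of two ASCII C strings (portable; no strcasecmp/_stricmp). */
static bool ascii_ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (ascii_lower((uint8_t)*a) != ascii_lower((uint8_t)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Case-insensitive compare of a counted UTF-16 string against an ASCII path,
 * honouring Length instead of looking for a terminator. Object manager paths are
 * matched case-insensitively here (assumption, mirrors OBJ_CASE_INSENSITIVE). */
static bool ustr_ieq_ascii(const unicode_string_t *s, const char *ascii) {
    size_t n = strlen(ascii);
    if (s == NULL || s->Buffer == NULL || (size_t)s->Length != n * sizeof(uint16_t)) return false;
    for (size_t i = 0; i < n; i++)
        if (ascii_lower(s->Buffer[i]) != ascii_lower((uint8_t)ascii[i])) return false;
    return true;
}

/* Step 1 of the comment: is this process's image name on the block list? */
bool process_is_blocked(const char *process_name, const char *const *blocked, size_t count) {
    for (size_t i = 0; i < count; i++)
        if (ascii_ieq(process_name, blocked[i])) return true;
    return false;
}

/* Step 2 of the comment: from ObjectAttributes->ObjectName, decide whether this
 * NtCreateFile call creates a socket. true = answer STATUS_ACCESS_DENIED instead
 * of calling the real NtCreateFile; false = pass the call through untouched. */
bool should_deny_create(const char *process_name, const unicode_string_t *object_name,
                        const char *const *blocked, size_t count) {
    if (!process_is_blocked(process_name, blocked, count)) return false;
    return ustr_ieq_ascii(object_name, AFD_ENDPOINT_PATH);
}

/* Builds a UNICODE_STRING-like value from an ASCII path into a 64-unit buffer that is
 * deliberately filled with junk after the path (no terminator), the shape a hook must
 * cope with. Returns STATUS_ACCESS_DENIED, or 0 (STATUS_SUCCESS) meaning "call the original". */
NTSTATUS_T filter_for_sample_config(const char *process_name, const char *object_path) {
    uint16_t buf[64];
    size_t n = strlen(object_path);
    if (n > sizeof buf / sizeof buf[0]) return 0;            /* longer than the AFD path anyway */
    for (size_t i = 0; i < 64; i++) buf[i] = i < n ? (uint16_t)(uint8_t)object_path[i] : 0x5858;
    unicode_string_t name = { (uint16_t)(n * 2), (uint16_t)sizeof buf, buf };
    return should_deny_create(process_name, &name, SAMPLE_BLOCKED_NAMES, SAMPLE_BLOCKED_COUNT)
               ? STATUS_ACCESS_DENIED : 0;
}

int main(void) {
    const char *cases[][2] = {
        { "GAME.EXE",    "\\Device\\Afd\\Endpoint" },         /* listed process, socket: deny */
        { "game.exe",    "\\??\\C:\\Windows\\notepad.exe" }, /* listed process, plain file: pass */
        { "notepad.exe", "\\Device\\Afd\\Endpoint" },         /* unlisted process: pass */
    };
    for (size_t i = 0; i < 3; i++) {
        NTSTATUS_T st = filter_for_sample_config(cases[i][0], cases[i][1]);
        printf("%-12s %-32s -> %s\n", cases[i][0], cases[i][1],
               st == STATUS_ACCESS_DENIED ? "STATUS_ACCESS_DENIED" : "pass through");
    }
    return 0;
}
```

Matching on the exact Length, rather than a prefix, is what keeps `\Device\Afd\EndpointX` or a longer path from being treated as a socket; a hook that compared with a wide-string function against the non-terminated buffer would read past Length into whatever follows it.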

@bytecode77
Owner

Sorry for the late response, I'm being kept busy patching the AMSI fix for Windows Defender, and the next thing I realized was that Windows 24H2 broke RunPE for good, for all applications that implement process hollowing :\ So I need to fix this issue fast.

Sorry to keep you waiting here.

@wineggdrop you seem to have a lot of concrete bugfix suggestions, and most of them are spot on. Great work! I would say NtDeviceIoControlFile is preferable over NtCreateFile as it's more low-level.

I'll get back to you when I have the RunPE issue sorted out.

@bytecode77 bytecode77 changed the title New function ideas Prohibiting network access based on specific PID Jan 8, 2025