Overclockers Forums > Software > Microsoft Operating Systems

can programs bypass Windows' "hosts" file?
#1 | jarthel | 07-22-08, 08:33 AM (thread starter)

I have a piece of software here that likes to phone home every so often. Before you say anything, this is licensed software that has been paid for.

Using TcpView (from Sysinternals), I found the software is calling home. I just do not like the fact that it needs to call home now and then and I do not know what data (if any) is passed on to the vendor.

So I added the domain to my hosts file. This is the entry I created:

127.0.0.1 domain-here.com.

If I view domain-here.com using a browser, I get an error message which is correct since I do not have a webserver running in localhost.

BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.

Any ideas (other than installing a firewall and blocking the offending domain) on how to prevent the program from calling home?

thank you very much

#2 | petteyg359 | 07-22-08, 08:47 AM

ipconfig /flushdns

And how do you know domain-here.com in IE is going to 127.0.0.1? Did you check that in TcpView? The "phone" may be going to a different port, and domain-here.com may not be running on port 80.

#3 | CGR | 07-22-08, 10:50 AM

Does the software have an auto update application? May just be checking for updates periodically.

#4 | mortimer | 07-22-08, 09:01 PM

Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.

#5 | ShadowPho | 07-22-08, 09:28 PM

Quote:
127.0.0.1 domain-here.com.
replace with 127.0.0.1 their-ip.com

And programs don't use the hosts file per se. Windows uses the hosts file to see if it needs to redirect the request somewhere.

#6 | petteyg359 | 07-22-08, 10:22 PM

Quote:
Originally Posted by mortimer View Post
Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.
Any program needing network access must communicate with the OS network stack. The network stack will communicate with the IP it is given, or if it is given a domain name, will check the local hosts file (whether Windows or other operating system), and only if the name is not found in the hosts file will it check remote DNS servers. Of course it will check cached entries first, hence using ipconfig /flushdns to make sure that it will look in the hosts file. A very easy way to block any program is PeerGuardian. Much less resource-intensive than ZoneAlarm, and does basically the same thing, filters incoming/outgoing connection based on IP. Just make a list of IPs the program is calling, add them to a PG2 list, and enable it as a block list.

#7 | hansen | 07-23-08, 06:40 AM

Quote:
Originally Posted by jarthel View Post
BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.
You cannot determine from TcpView how the program connects. TcpView will just try to resolve the remote IP to a hostname, if one has been configured.

The program can resolve a name like everybody else, it can have the IP hardcoded, it can manually ask a DNS server (bypassing the DNS in Windows, and therefore the hosts file), ...

#8 | petteyg359 | 07-23-08, 10:00 AM

Quote:
Originally Posted by jarthel View Post
I have a software here that like to phone home every so often. Before you say anything, this is a licensed software that has been paid for.
Here, I must say something. The simple act of denying illegal use in the original post is rather suspicious... The fact that you won't tell us what this software is, or the domain it is attempting to connect to, is even more suspicious.

We could probably help more if you'd tell us what software it is. If you can't do that, then most of us are left thinking you're using this forum for a purpose that is against the rules.

#9 | =ACID RAIN= | 07-23-08, 10:21 AM

Dude said he bought the software. It could be QuickTime Pro, or some legit (ha!) porn updater. Either way, he said he paid for it, so who cares what the software is. Not like you can hack out a fix if it's not open source anyway, LOL.

Firewall it, if it somehow bypasses internal DNS/hosts entries.

edit: Or make a DNS server on your LAN and make a manual entry with a bogus IP. I'd go with option A though.

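The three resolution paths argued over in this thread, as an added example (not code from the thread or from any of the posters): the hosts file the OS resolver consults (posts #1 and #6), a program that carries its own DNS client and sends the query straight to a server, so the hosts file never enters the picture (post #7), and the LAN DNS server with a bogus entry that post #9 suggests as a countermeasure. The resolver address 192.0.2.53, the sink address, the hosts text and every hostname are made-up placeholders. One deliberate caveat is built in: the hosts parser compares names literally, so the thread's entry `127.0.0.1 domain-here.com.` (trailing dot) does not match a lookup for `domain-here.com`; whether the Windows resolver normalises that dot is not something the thread establishes, and it is exactly the kind of thing to test before concluding the program "bypassed" anything.

```python
"""Added example: hosts lookup vs. a self-contained DNS client, plus a sinkhole answer.
Not code from the thread.  192.0.2.53, the hosts text and all names are placeholders.
DNS wire format per RFC 1035."""
from __future__ import annotations

import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def hosts_lookup(hosts_text: str, name: str) -> str | None:
    """Path 1: the answer a resolver that honours the hosts file would give.
    Tokens are compared case-insensitively but otherwise literally, so the thread's
    'domain-here.com.' (trailing dot) does not match 'domain-here.com' here."""
    want = name.lower()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, split on whitespace
        if len(fields) >= 2 and want in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def encode_name(name: str) -> bytes:
    """'a.b' -> length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode the name at msg[off]; follows compression pointers (0xC0xx)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:
            if end is None:
                end = off + 2                           # resume after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query with RD=1.  This is all a phone-home routine has to emit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section of a response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_direct(name: str, server: str = "192.0.2.53") -> list[str]:
    """Path 2: hand the query to a DNS server ourselves over UDP/53.  The OS resolver,
    its cache and the hosts file are never consulted, which is why a hosts entry cannot
    stop a program built this way.  Network call, not exercised offline; `server` is a placeholder."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2.0)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))


def sinkhole_response(query: bytes, blocked: set[str], sink_ip: str = "0.0.0.0") -> bytes | None:
    """Post #9's LAN DNS server: answer A queries for blocked names with a bogus IP,
    None for anything else (so a real server could forward it).  Only helps if the
    program asks *this* server; a hard-coded resolver or IP defeats it."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != QTYPE_A or qname.lower() not in blocked:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)         # QR, RD, RA set
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4)  # 0xC00C = name at offset 12
    return header + query[12:off + 4] + answer + socket.inet_aton(sink_ip)
```

`hosts_lookup` and `resolve_direct` are the two sides of the thread's disagreement: the first is what petteyg359 describes in #6 (cache, then hosts, then DNS), the second is what hansen points out in #7 (a few dozen bytes of UDP that never ask Windows anything). `sinkhole_response` is the #9 countermeasure, and its `None` branch is the honest part: it only works against a program that uses the resolver you control, which is why the thread keeps coming back to a firewall rule on the process rather than on the name.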