I want to realize such a monitor program (call it MP). It monitors other programs' writing behavior. When a monitored program tries to write to or modify other executables, MP will give a warning to the user.

How to implement this MP?
Posted on 2005-01-11 07:13:16 by dislimit
I'd say: some driver thing in ring0...
Posted on 2005-01-11 07:27:50 by lifewire
Funny,
I'm creating basically the same. Just having a problem on hooking the APIs in certain programs.
Anyway, you're going to need a driver to monitor process creation.

packetvb
Posted on 2005-01-11 23:17:31 by packetvb
Will it help if I embed something inside the monitored files?
Posted on 2005-01-12 08:19:51 by dislimit
You'll want to hook the lowest level file access routines - this involves hooking the kernel, and writing OS-specific (9x vs. NT) code.
Posted on 2005-01-12 11:50:23 by f0dder
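As an added example (not code from this thread or from any of its posters), the following script models the user-mode half of MP: the decision logic that runs once a low-level file-access hook of the kind f0dder describes has delivered write events. The hook itself is assumed; the events, process names, paths and the allowlisted linker path are all constructed for the example.

```python
# Added example, not from the thread: user-mode decision logic for MP.
# Write events are assumed to be delivered by a kernel file-system hook;
# here they are constructed inline so the script runs offline.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# File extensions treated as executable images on Windows (assumed list).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


@dataclass
class WriteEvent:
    pid: int       # writing process
    image: str     # full path of the writing process's image
    path: str      # file being written
    offset: int    # file offset at which the write starts
    data: bytes    # bytes written


def has_executable_magic(head: bytes) -> bool:
    """Content check: PE images begin with 'MZ', ELF images with 0x7f 'ELF'."""
    return head.startswith(b"MZ") or head.startswith(b"\x7fELF")


def file_extension(path: str) -> str:
    """Extension of the last path component, accepting both separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def targets_executable(ev: WriteEvent) -> bool:
    """True if the write hits a file with an executable extension, or writes
    an executable header at offset 0 (catches renamed/extension-less images)."""
    if file_extension(ev.path) in EXEC_EXTENSIONS:
        return True
    return ev.offset == 0 and has_executable_magic(ev.data)


def evaluate(ev: WriteEvent, allowlist: Set[str]) -> Optional[str]:
    """Return the warning MP would show, or None if the write is not of interest."""
    if not targets_executable(ev):
        return None
    if ev.image.lower() in allowlist:
        return None          # e.g. the linker that legitimately produces binaries
    return (f"WARNING: pid {ev.pid} ({ev.image}) wrote to executable "
            f"{ev.path} at offset {ev.offset}")


def run_monitor(events: Iterable[WriteEvent], allowlist: Set[str]) -> List[str]:
    """Run every event through evaluate() and collect the warnings."""
    return [w for w in (evaluate(e, allowlist) for e in events) if w is not None]


# Constructed sample stream; all paths and process names are made up.
ALLOWLIST = {r"c:\tools\link.exe"}   # assumed trusted producer of executables
SAMPLE_EVENTS = [
    WriteEvent(1200, r"C:\Windows\notepad.exe", r"C:\Users\bob\notes.txt", 0, b"hello"),
    WriteEvent(1300, r"C:\Users\bob\viewer.exe", r"C:\Windows\System32\helper.dll", 4096, b"\x90" * 16),
    WriteEvent(1400, r"C:\Users\bob\dl.exe", r"C:\Temp\dropped", 0, b"MZ\x90\x00" + b"\x00" * 12),
    WriteEvent(1500, r"C:\tools\link.exe", r"C:\build\app.exe", 0, b"MZ\x90\x00"),
    WriteEvent(1600, r"C:\Users\bob\upd.exe", r"C:\Temp\chunk.bin", 512, b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for warning in run_monitor(SAMPLE_EVENTS, ALLOWLIST):
        print(warning)
```

The two checks cover each other's blind spots: the extension check catches in-place modification of an existing .dll (event 1300), while the header check catches an extension-less drop (event 1400). Event 1600 shows the remaining gap, a write of "MZ" at a non-zero offset, which is why a real hook should also report file close or section mapping rather than individual writes alone.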
dislimit,

Well, that's how I did it because I wanted to monitor a number of API calls. But my way has the flaw that I can't catch VB programs making API calls.
f0dder's way is better in that any call to the monitored API will be caught.
I've done it this way too but I couldn't figure out how to implement it in XP.

packetvb
Posted on 2005-01-12 19:23:19 by packetvb
Well, my idea is generally like this:
We put a tiny spy inside every monitored file (call it P), say:

Program Spy :=
{
    main_program :=
    {
        monitor_write_behavior(P);
    }
}

So every time P runs, it will ask MP to monitor its behavior. I think it is better than letting MP keep scanning all the files, isn't it?
Posted on 2005-01-12 22:06:02 by dislimit
That will be a bit hard to accomplish, dislimit - and there are many ways around it (manual tricky ways of doing imports, etc.). As for continually scanning files, one can implement a caching scheme :)
Posted on 2005-01-12 22:10:11 by f0dder
dislimit,

No need to scan.
By creating a driver that monitors CreateProcess you can suspend the main thread and then attach your "spy" to monitor all APIs, then resume the thread.
Posted on 2005-01-13 00:06:21 by packetvb
Thank you all.
Packetvb, you mentioned that you are not able to implement it in XP, why?
Posted on 2005-01-13 20:24:56 by dislimit
dislimit,

It was because XP protects certain things in kernel memory, particularly the SSDT.
Posted on 2005-01-13 22:37:33 by packetvb