Hi! How can I hook the Windows RegCreateKey API?
I've found some examples of keyboard hooks but I could not adapt them to the Win API.

What I'm really curious about is how to PATCH the Windows API.

Thanks
SoftMan
Posted on 2006-03-09 01:58:51 by SoftMan
This post is crossing into a touchy subject. We tend not to discuss hooks that deal with important system processes. You should ask your question on some other forum because I doubt it will be answered here.
Posted on 2006-03-09 02:58:58 by SpooK
Well, I don't know why we shouldn't discuss hooks in this forum, because Microsoft has included the program called "Spy++" in its Visual Studio 6 and it installs all sorts of hooks on any window. But anyway ...
Posted on 2006-03-09 11:56:56 by XCHG
It's dodgy because the information that might be given could be used for other 'less legal' reasons.
The best advice I can give (hopefully without getting in trouble with a mod) would be to check out a tool called Regmon (which most of us should already know about anyway) from www.sysinternals.com, which I think has source code that documents how to apply such a hook, albeit from ring 0.
Posted on 2006-03-09 17:16:47 by evlncrn8
I don't mind Ring-0 hooks, since anyone in administration of a computer should know what they are installing/doing.
Posted on 2006-03-09 19:00:48 by SpooK
I agree with you Spook, a good admin user should know what's going on in their computer.  The methods of ring-0 hooks and other subversive tactics are almost prerequisite knowledge nowadays in order to protect one's system.

Unfortunately I don't think there are many discussions on the subject that might not violate the principles this board is trying to uphold.  Service Descriptor Table hooks and call gates would seem to fall into the same category as patching APIs.  There are few "accepted" ways of programming ring-0 hooks.

Perhaps what should be focused on then are the 'supported' ways of programming when dealing with 'dicey' subjects such as system hooking and the like. Most techniques like SSDT hooking will be a thing of the past anyway (PatchGuard on Windows x64), though no doubt new undocumented techniques will be produced.


Along those lines, I can think of only a few 'accepted' methods of ring-0 hooking, since you brought the subject up.

PsSetCreateProcessNotifyRoutine / PsSetCreateThreadNotifyRoutine is one.  The others are the registry callback functions MS designed specifically for registry "hooking" on Server 2003, Windows x64, and to a lesser degree XP: CmRegisterCallback and CmUnRegisterCallback.  These are what Regmon uses now on the recent OSes.  I get the funny feeling that MS may be directly acknowledging the relevance of Regmon in doing so, if not its author itself, in allowing this. (Perhaps to a small degree at least.)

Looking to the future then in terms of programming methods, I thought that referencing this might be useful enough subject matter: the documentation on CmRegisterCallback and CmUnRegisterCallback:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_ec214e13-1342-48b5-9a31-8c6c9da57cd6.xml.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/DrvrRtns_988f8f3d-4ee8-4351-8fc0-703a88bd8421.xml.asp


Spook, as administrator of this board, take heart through the stupid server attacks and all the other crap you have to go through. This remains an excellent board and service to all, and I think there are few who don't honestly appreciate it.

Regards,
Kayaker
Posted on 2006-03-09 20:48:05 by Kayaker
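As an added example of the supported route Kayaker describes (a registry monitor in the style of Regmon, built on CmRegisterCallback rather than on patching RegCreateKey), here is a small C registry-creation logger. It is not code from the thread, from Regmon or from AccessEnum. Built with -DKERNEL_BUILD inside a WDK driver project it registers a RegistryCallback that is told about every key-creation request; built on an ordinary host, a small shim (an assumption, not the real ntddk.h definitions) stands in for the few kernel types the callback touches, so the filtering and logging logic can be exercised without a driver. The watched-prefix list, the ring-buffer size and the SimulateCreateKey helper are constructed for the example.

```c
/* Registry-creation monitor built on the CmRegisterCallback route Kayaker
 * describes. Added example, not code from the thread, Regmon or AccessEnum.
 * Built with -DKERNEL_BUILD in a WDK driver project it registers a
 * RegistryCallback that sees every key-creation request; built on an
 * ordinary host the shim below stands in for the few kernel types the
 * callback touches, so the filtering and logging logic can be tested. */
#include <stddef.h>

#ifdef KERNEL_BUILD
#include <ntddk.h>
#define W(s) L##s
#else
/* Host-side shim: simplified stand-ins (assumption), not the real ntddk.h definitions. */
typedef long NTSTATUS;
typedef void *PVOID;
typedef unsigned short USHORT, WCHAR;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _REG_PRE_CREATE_KEY_INFORMATION { PUNICODE_STRING CompleteName; } REG_PRE_CREATE_KEY_INFORMATION;
typedef enum _REG_NOTIFY_CLASS { RegNtPreCreateKey } REG_NOTIFY_CLASS; /* numeric value irrelevant here */
#define STATUS_SUCCESS ((NTSTATUS)0)
#define W(s) u##s
#endif

#define LOG_ENTRIES 64
#define LOG_NAME_CHARS 256

typedef struct {
    WCHAR Name[LOG_NAME_CHARS]; /* NUL-terminated copy of the key path */
    int Watched;                /* 1 if the path is under a watched prefix */
} REG_LOG_ENTRY;

static REG_LOG_ENTRY g_Log[LOG_ENTRIES]; /* ring buffer: no allocation inside the callback */
static unsigned long g_LogCount;         /* total events seen, including overwritten ones */

/* Autostart locations an admin wants flagged (constructed list). Kernel-side
 * paths use \REGISTRY\MACHINE rather than HKLM. */
static const WCHAR *const g_WatchedPrefixes[] = {
    W("\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN"),
    W("\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE"),
    W("\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES"),
};

static WCHAR UpperAscii(WCHAR c) { return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 32) : c; }

/* Case-insensitive prefix test on a UNICODE_STRING: Length is in BYTES and the
 * buffer is not NUL-terminated. A match must end on a path-component boundary. */
static int HasPrefix(const UNICODE_STRING *name, const WCHAR *prefix)
{
    USHORT chars = name->Length / sizeof(WCHAR), i;
    for (i = 0; prefix[i] != 0; i++)
        if (i >= chars || UpperAscii(name->Buffer[i]) != UpperAscii(prefix[i]))
            return 0;
    return i == chars || name->Buffer[i] == '\\';
}

/* EX_CALLBACK_FUNCTION shape: Argument1 carries the REG_NOTIFY_CLASS, Argument2
 * the class-specific information block. Monitor only: it never vetoes an operation. */
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    REG_NOTIFY_CLASS cls = (REG_NOTIFY_CLASS)(size_t)Argument1;
    (void)CallbackContext;
    if (cls == RegNtPreCreateKey && Argument2 != NULL) {
        const UNICODE_STRING *name = ((REG_PRE_CREATE_KEY_INFORMATION *)Argument2)->CompleteName;
        if (name != NULL && name->Buffer != NULL) {
            REG_LOG_ENTRY *e = &g_Log[g_LogCount % LOG_ENTRIES];
            size_t chars = name->Length / sizeof(WCHAR), j;
            if (chars > LOG_NAME_CHARS - 1) chars = LOG_NAME_CHARS - 1; /* truncate, never overflow */
            for (j = 0; j < chars; j++) e->Name[j] = name->Buffer[j];
            e->Name[chars] = 0;
            e->Watched = 0;
            for (j = 0; j < sizeof g_WatchedPrefixes / sizeof g_WatchedPrefixes[0]; j++)
                if (HasPrefix(name, g_WatchedPrefixes[j])) { e->Watched = 1; break; }
            g_LogCount++;
        }
    }
    return STATUS_SUCCESS;
}

unsigned long RegLogEventCount(void) { return g_LogCount; }
int RegLogEntryWatched(unsigned long idx) { return idx < g_LogCount ? g_Log[idx % LOG_ENTRIES].Watched : -1; }

#ifdef KERNEL_BUILD
static LARGE_INTEGER g_Cookie;
static void DriverUnload(PDRIVER_OBJECT drv) { (void)drv; CmUnRegisterCallback(g_Cookie); }
NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING regPath)
{
    (void)regPath;
    drv->DriverUnload = DriverUnload;
    return CmRegisterCallback(RegistryCallback, NULL, &g_Cookie);
}
#else
/* Host-only helper (constructed): wrap a NUL-terminated path in a UNICODE_STRING
 * and deliver it to the callback as a RegNtPreCreateKey notification. */
NTSTATUS SimulateCreateKey(const WCHAR *path)
{
    UNICODE_STRING name;
    REG_PRE_CREATE_KEY_INFORMATION info;
    USHORT n = 0;
    while (path[n] != 0) n++;
    name.Length = name.MaximumLength = (USHORT)(n * sizeof(WCHAR));
    name.Buffer = (WCHAR *)path;
    info.CompleteName = &name;
    return RegistryCallback(NULL, (PVOID)(size_t)RegNtPreCreateKey, &info);
}
#endif
```

Two design points matter for a callback like this: it copies the name into a fixed ring buffer and never allocates or blocks, because it runs in the context of the thread making the registry call, and it always returns STATUS_SUCCESS so that a logging bug can never turn into a system-wide registry failure. The prefix test also insists on a path-component boundary, so "...\Services" is flagged but "...\ServicesBackup" is not.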
Thank you for the links above.

The hooking information is needed for creating installation logger software, for security reasons.
I'm working as a programmer for a car parts wholesale company, and many unwanted programs are attacking our system. So I wanna create software which logs file creation and registry activity in the background, and which will also be able to fully uninstall the unwanted files and created registry entries. There are some commercial and freeware programs for this purpose, but I'm not really pleased, and I don't have the feeling that I have full control over these processes with them.

Thank you again
SoftMan


Posted on 2006-03-10 01:58:45 by SoftMan
Hi

Maybe it is interesting for others looking for similar information that C source code is downloadable from http://www.sysinternals.com/Utilities/AccessEnum.html where RegistryCallback is used.

Softman
Posted on 2006-03-11 02:03:08 by SoftMan

The hooking information is needed for creating installation logger software, for security reasons.
I'm working as a programmer for a car parts wholesale company.  So I wanna create software which logs file creation and registry activity in the background, and which will also be able to fully uninstall the unwanted files and created registry entries. There are some commercial and freeware programs for this purpose, but I'm not really pleased, and I don't have the feeling that I have full control over these processes with them.

You are better off using those applications you are "not happy with". You have no idea how difficult it is to cover all the areas and methods that trojans, spyware and malware exploit. Don't reinvent the wheel, use something that is already on the market.


And many unwanted programs are attacking our system.
So do things the proper way: install a firewall, restrict permissions and people's access to the machine, set up a group policy to not allow software to be installed, prevent employees from surfing for pr0n, etc.
Posted on 2006-03-18 03:42:24 by sluggy
It is reasonably straightforward on Win2k upwards to create restricted user profiles that directly exclude any software from being installed or any direct internet access that leaves the computer vulnerable. Keep the admin password unknown and the machine is then reasonably safe from most of what you need to protect it from.

Keep the customer data on a separate partition from the boot partition and keep an up-to-date disk image of the boot partition, and even if someone finds a way to do something stupid you can restore the boot partition in about 5 minutes.

Something like an active registry monitor is more likely to be useful at the admin profile level where the BIG mistakes can be made but it would be a mistake to allow normal user levels the access to do anything past what the machine is normally used for as you can end up with all sorts of junk on it that should not be there.

Regards,

hutch at movsd dot com
Posted on 2006-03-18 05:11:53 by hutch--