I'm testing software (including testing installations) and have been using programs that diff snapshots for registry items and files, such that modified files and registry items between two snapshots are shown.  The reason for this is that I want to see if files are affected during installation or program usage that shouldn't be affected, but the set of programs I've been using (filemon/regmon, InCtrl5, InstallRite, etc.) covers too much, and each tester that uses these programs will have to become familiar with what is constantly changing on his or her system.  Plus, say there's a registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows that is modified during an installation or usage of the program that SHOULDN'T be... this would likely go unnoticed by the tester since it's in a place where registry items are constantly changing.
This is why I don't want to use InCtrl5 or filemon/regmon or InstallRite, etc.... because they track everything that was changed between two snapshots rather than everything that was changed BY a particular process.

Here's an example...I built a java parser to weed out items that are constantly changing (by using InCtrl5 to diff snapshots where I did nothing but wait 10 minutes, or restart, or something).  C:\Program Files\Mozilla applications (firefox and thunderbird) are updated on program usage, so I parsed those out of my installations-test diff.  Turned out that both firefox and thunderbird were corrupted during the installation of our program, and it took me hours to figure it out.

However, if I built a program that could track files and registry items directly affected by the installation process, then I wouldn't have to worry about items that are affected over the network, or microsoft's cryptography items that are constantly changing... I know exactly what was affected by the installer.

There have also been times when using a program a certain way corrupts system files.  If this program is running in the background, it can tell me which files are modified that shouldn't be.

So what I'd like to know how to do is monitor the IP register of a particular program, so that I can see if an instruction pointed at by that IP register is a "write" instruction.  Rather than knowing the IP of the program I'd be writing, this would need to track the instructions of another process and follow its IP incrementation.  Is there a way to know the IP register of another application or process?
Posted on 2006-07-19 12:51:55 by lefnire
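The post above describes subtracting "idle" noise from a snapshot diff and then excluding whole directories (the Mozilla ones) that churn during normal use. The following is an added example, not lefnire's Java parser or any tool from the thread: it models snapshots as path-to-hash maps, computes diffs, and compares two noise filters on constructed sample data. The paths, hashes and the `ourapp.exe` name are made up for illustration. It shows concretely how prefix exclusion discards a modified firefox.exe (the corruption the post says took hours to find), while excluding only the exact entries that also changed in an idle baseline keeps it.

```python
"""Added example: baseline subtraction for install-time snapshot diffs.

Snapshots are dicts {path: sha256_hex}. Registry values are modelled as paths
too, since InCtrl5-style tools list both. All data below is constructed.
"""
import hashlib


def h(content: str) -> str:
    """Stand-in for the per-file hash a snapshot tool would record."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def snapshot_diff(before: dict, after: dict) -> dict:
    """Return {path: (old_hash_or_None, new_hash_or_None)} for every
    added, removed or modified entry between two snapshots."""
    changes = {}
    for path in set(before) | set(after):
        old, new = before.get(path), after.get(path)
        if old != new:
            changes[path] = (old, new)
    return changes


def filter_by_prefix(install_diff: dict, noisy_prefixes) -> dict:
    """The approach the post describes: drop everything under directories or
    registry hives known to churn. Coarse: real damage inside them is lost."""
    lowered = [p.lower() for p in noisy_prefixes]
    return {path: c for path, c in install_diff.items()
            if not any(path.lower().startswith(p) for p in lowered)}


def filter_by_baseline(install_diff: dict, baseline_diff: dict) -> dict:
    """Narrower alternative: drop only the exact entries that also changed
    while the machine sat idle between two baseline snapshots."""
    return {path: c for path, c in install_diff.items()
            if path not in baseline_diff}


# --- constructed sample data -------------------------------------------
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
PREFS = r"C:\Program Files\Mozilla Firefox\prefs.js"
RNG_SEED = r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed"
PREFETCH = r"C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf"
OURAPP = r"C:\Program Files\OurApp\ourapp.exe"   # hypothetical installer output

BEFORE = {FIREFOX: h("ff-good"), PREFS: h("prefs-1"),
          RNG_SEED: h("seed-1"), PREFETCH: h("pf-1")}

# Idle baseline: nothing done for ten minutes, only system churn.
IDLE_AFTER = dict(BEFORE, **{RNG_SEED: h("seed-2"), PREFETCH: h("pf-2")})

# Install run: churn again, plus a new file, plus a corrupted firefox.exe.
INSTALL_AFTER = dict(BEFORE, **{RNG_SEED: h("seed-3"), PREFETCH: h("pf-3"),
                                FIREFOX: h("ff-CORRUPT"), PREFS: h("prefs-2"),
                                OURAPP: h("app-1")})

NOISY_PREFIXES = [r"C:\Program Files\Mozilla",
                  r"HKLM\SOFTWARE\Microsoft\Cryptography"]


def compare_filters():
    """Run both filters over the sample data and report what each keeps."""
    baseline = snapshot_diff(BEFORE, IDLE_AFTER)
    install = snapshot_diff(BEFORE, INSTALL_AFTER)
    return {
        "raw": sorted(install),
        "prefix": sorted(filter_by_prefix(install, NOISY_PREFIXES)),
        "baseline": sorted(filter_by_baseline(install, baseline)),
    }


if __name__ == "__main__":
    for name, paths in compare_filters().items():
        print(f"{name}:")
        for p in paths:
            print("   ", p)
```

Neither filter is a substitute for per-process attribution: the baseline filter still reports prefs.js, which Firefox rewrites on its own, and would hide a malicious write to a path that happened to churn while idle. It does, however, keep the evidence the prefix filter throws away.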

So what I'd like to know how to do is monitor the IP register of a particular program, so that I can see if an instruction pointed at by that IP register is a "write" instruction.  Rather than knowing the IP of the program I'd be writing, this would need to track the instructions of another process and follow its IP incrementation.  Is there a way to know the IP register of another application or process?

This is overkill, and would require running the program in single-step debug mode, which kills performance - and makes a lot of copy-protected apps fail.

What you want to do is hook "modify routines" (CreateFile, WriteFile, ... anything that can change things, probably including registry routines as well). This can be done at about three levels...

1) hooking the win32 api - flaky.
2) hooking the NT native api - better.
3) writing a filter driver - best.

Unfortunately we probably can't help you too much with any of this, even though your intentions seem good, since it's one of those "shady" topics that can be abused by the idiot fringe. So, ironically enough, looking at rootkits might be your best bet >_<
Posted on 2006-07-19 14:04:03 by f0dder
lefnire,

In this post :

http://www.asmcommunity.net/board/index.php?topic=24720.0

We discussed using ReadDirectoryChangesW to monitor changes in certain or all folders.

What you described as monitoring the behavior of another process in real time would be difficult/impossible/illegal as f0dder described.

farrier
Posted on 2006-07-19 20:39:29 by farrier
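ReadDirectoryChangesW, as farrier mentions, hands back a buffer of linked FILE_NOTIFY_INFORMATION records (NextEntryOffset, Action, FileNameLength, then a UTF-16LE name) that the caller has to walk. The following is an added example, not code from the linked thread or from farrier: a parser for that buffer, a builder that lays out test records the way the kernel does so the parser can be exercised offline, and a Windows-only wrapper that issues a synchronous ReadDirectoryChangesW through ctypes. Constants are the documented Win32 values; the watched directory and the sample file names are made up.

```python
"""Added example: walking FILE_NOTIFY_INFORMATION from ReadDirectoryChangesW."""
import struct

FILE_ACTION_NAMES = {
    1: "ADDED", 2: "REMOVED", 3: "MODIFIED",
    4: "RENAMED_OLD_NAME", 5: "RENAMED_NEW_NAME",
}
HEADER = struct.Struct("<III")   # NextEntryOffset, Action, FileNameLength (bytes)


def parse_notify_buffer(buf: bytes) -> list:
    """Return [(action_name, relative_path), ...] from a filled buffer.

    The length checks matter: the buffer is kernel-filled, and a monitoring
    tool that trusts NextEntryOffset/FileNameLength blindly will read past it.
    """
    out, off = [], 0
    while True:
        if off + HEADER.size > len(buf):
            raise ValueError("truncated FILE_NOTIFY_INFORMATION header")
        next_off, action, name_len = HEADER.unpack_from(buf, off)
        start = off + HEADER.size
        if name_len % 2 or start + name_len > len(buf):
            raise ValueError("file name runs past end of buffer")
        name = buf[start:start + name_len].decode("utf-16-le")
        out.append((FILE_ACTION_NAMES.get(action, f"UNKNOWN({action})"), name))
        if next_off == 0:            # last record in the chain
            return out
        if next_off < HEADER.size or off + next_off >= len(buf):
            raise ValueError("bad NextEntryOffset")
        off += next_off


def build_notify_buffer(records) -> bytes:
    """Lay out (action, name) pairs as the kernel does: DWORD-aligned records,
    NextEntryOffset relative to the current record, 0 on the last one."""
    chunks = []
    for i, (action, name) in enumerate(records):
        name_b = name.encode("utf-16-le")
        total = HEADER.size + len(name_b)
        pad = (-total) % 4
        last = i == len(records) - 1
        chunks.append(HEADER.pack(0 if last else total + pad, action, len(name_b))
                      + name_b + (b"" if last else b"\0" * pad))
    return b"".join(chunks)


def watch_once(directory: str, subtree: bool = True) -> list:
    """Windows only: block until the directory changes, then parse the result."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.ReadDirectoryChangesW.argtypes = [
        wintypes.HANDLE, wintypes.LPVOID, wintypes.DWORD, wintypes.BOOL,
        wintypes.DWORD, wintypes.LPDWORD, wintypes.LPVOID, wintypes.LPVOID]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    FILE_LIST_DIRECTORY, SHARE_ALL, OPEN_EXISTING = 0x1, 0x7, 3
    FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
    NOTIFY = 0x1 | 0x2 | 0x8 | 0x10   # FILE_NAME | DIR_NAME | SIZE | LAST_WRITE
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    hdir = k32.CreateFileW(directory, FILE_LIST_DIRECTORY, SHARE_ALL, None,
                           OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, None)
    if hdir == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(64 * 1024)
        returned = wintypes.DWORD(0)
        if not k32.ReadDirectoryChangesW(hdir, buf, len(buf), subtree, NOTIFY,
                                         ctypes.byref(returned), None, None):
            raise ctypes.WinError(ctypes.get_last_error())
        return parse_notify_buffer(buf.raw[:returned.value])
    finally:
        k32.CloseHandle(hdir)


if __name__ == "__main__":
    # Offline demonstration on a constructed buffer (no Windows needed).
    sample = build_notify_buffer([(3, "foo.txt"), (1, "sub\\bar.dll")])
    print(parse_notify_buffer(sample))
    # On Windows: print(watch_once(r"C:\Program Files"))
```

Like the snapshot tools, this reports *what* changed under a directory, not *which process* changed it; the notification carries no PID. That is the gap f0dder's hooking or filter-driver levels are meant to close.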
lefnire,

Take a look at SVS (Software Virtualization Solution) from Altiris at http://juice.altiris.com/svs

It's free for personal use and it uses a filter driver to do its job. Basically it captures your install and saves it to a special folder at the C: drive's root, and when the layer where that captured program resides is active, the filter driver redirects all file/registry access to that special folder. A better and more thorough explanation is found at the above mentioned site.

I use it a lot to see what happens when I install some programs. It's also a handy tool, because of its virtualization capabilities, to test software and use different versions of the same software on the same machine.
Posted on 2006-07-20 17:24:41 by SamiP
Well, f0dder's suggestion of hooking the API is exactly what I was looking for, which turns out not to be impossible/illegal.  So I'm reading tuts on user32/kernel32 injection hooking, but what is a filter driver?
Posted on 2006-07-20 20:37:23 by lefnire

Well, f0dder's suggestion of hooking the API is exactly what I was looking for, which turns out not to be impossible/illegal.

It's not illegal, but it's a "shady subject" as I already explained. And it's not impossible either, but it's a flaky approach that won't catch everything.


So I'm reading tuts on user32/kernel32 injection hooking, but what is a filter driver?

The Windows NT driver model is "layered", letting "topmost" drivers filter requests; if a driver isn't interested in a certain request, it will let the request pass-through to a lower driver, otherwise it can either handle the request entirely itself, or do some processing and pass on to the lower-level driver.

Posted on 2006-07-21 03:30:22 by f0dder