Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#88334 - 16/04/2002 14:19 Who likes working on SYS and VXD files?
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Tipped off by a post elsewhere on this BBS that referred to a utility called REGMON from www.sysinternals.com , I discovered that the means might exist to write a utility I've been searching for.

I just had a peek at the open-source code for Regmon, and I think it can be done. I just don't have the tool (NuMega's VtoolsD and the Microsoft DDK) to modify the SYS/VXD portions of this project.

Here's the tool I'm thinking of writing: Instead of being called REGMON, it would be called REGBLOCK. The user would feed it a pointer to a hand-created list of parent registry keys. For example:

Hkey_Local_Machine/Software/SomeKey/SomeKey
Hkey_Current_User/Software/SomeKey/SomeKey

...and any requests to read or write keys in those trees or under those trees would fail with a "key does not exist" error. But not permanently, only for as long as the blocker was running.

It looks like this is do-able, because REGMON fully hooks the system calls that read/write the registry. It seems to do it fairly cleanly, using a SYS/VXD combination on Windows NT.

Most or all of the complex user interface of REGMON could be thrown away (which is too bad, as it's the only portion of the project that I can modify and compile) in favor of a pure command-line driven utility that simply activated/deactivated the SYS/VXD hooks and pointed to the configuration file.

Anyone interested in playing with this?
_________________________
Tony Fabris

Top
#88335 - 16/04/2002 14:21 Re: Who likes working on SYS and VXD files? [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
By the way, a description of how the system hooks work is here:

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=4795&pg=3
_________________________
Tony Fabris

Top
#88336 - 16/04/2002 20:26 Re: Who likes working on SYS and VXD files? [Re: tfabris]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I have neither the tools, time, expertise or desire to do this, but I was wondering what problem you're having that this utility would solve.
_________________________
Bitt Faulk

Top
#88337 - 17/04/2002 09:49 Re: Who likes working on SYS and VXD files? [Re: wfaulk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Several different things could be done with such a utility. The most obvious would be to keep spyware/adware from installing itself to auto-run-on-startup. In fact, pretty much any time a software package tries to install to the "Run" key in the system registry, I would like to block it.
_________________________
Tony Fabris

Top
#88338 - 17/04/2002 10:45 Re: Who likes working on SYS and VXD files? [Re: tfabris]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
What you really want to do is to block access to those keys, and _also_ to save the results to a .reg file. Then you can leave the blocker running most of the time, and then periodically see if there's anything in the .reg file that should have been allowed.


_________________________
-- roger

Top
#88339 - 17/04/2002 10:51 Re: Who likes working on SYS and VXD files? [Re: Roger]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
If Windows didn't write to the registry quite so much you could take an approach like the personal firewalls take, popping up a dialog with:

"Allow/Always Allow/Ignore/Always Ignore"
_________________________
Remind me to change my signature to something more interesting someday

Top
#88340 - 17/04/2002 11:38 Re: Who likes working on SYS and VXD files? [Re: Roger]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Good idea, Roger. The "RegMon" program I linked can log registry accesses already. I'm just looking to take it the next logical step and have a deny list as well. By the way, I'm also looking for bidirectional deny capablility (reads as well as writes). One might wish to control those independently, although that is not strictly necessary.
_________________________
Tony Fabris

Top
#88341 - 24/04/2002 04:39 Re: Who likes working on SYS and VXD files? [Re: tfabris]
smu
old hand

Registered: 30/07/2000
Posts: 879
Loc: Germany (Ruhrgebiet)
Hi.

As for the Run keys, look for StartUpMonitor by Mike Lin (he also wrote the nice StartUp controll panel) at http://www.mlin.net/StartupMonitor.shtml.
I use both utilities all the time.

cu,
sven
_________________________
proud owner of MkII 40GB & MkIIa 60GB both lit by God and HiJacked by Lord

Top
#88342 - 24/04/2002 09:55 Re: Who likes working on SYS and VXD files? [Re: smu]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, but the Run keys are only one of the possible reasons I would like to have a regblocker utility.
_________________________
Tony Fabris

Top
#88343 - 24/04/2002 09:57 Re: Who likes working on SYS and VXD files? [Re: tfabris]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Hmm. Looking at StartupMonitor, it seems to have some of the functionality I'm looking for built-in to the code. Maybe I'll talk to its author and see if he'd like to take a stab at it.

Thanks for the link, Sven.
_________________________
Tony Fabris

Top