
Damocles

Stopping hackers using regmon/filemon


I noticed that the SoftWrap protection system detects if regmon is loaded at startup and promptly drops out with the appropriate error message. This would be a handy thing to have and I was wondering if anyone knew how to detect regmon processes. The SoftWrap license does more than simply compare process names; it somehow identifies a process under any name as regmon, so there must be something about regmon that is detectable. Any ideas?

------------------------------------------
[New Delta Games] | [Sliders]

[edited by - damocles on July 26, 2003 2:31:42 PM]

Guest Anonymous Poster
They could look for the corresponding driver that regmon has (regsys.sys; its friendly name is "regmon"). If you type "sc query regmon" from a prompt you'll see if it's running.

Another option would be to call FindWindow with "RegmonClass".

Guest Anonymous Poster
I think regmon acquires a mutex on startup, so if you were to test for the existence of this mutex, you could determine if regmon was running.

Anyway, to side track a little, I have ZERO respect for companies who try to hide their software configuration settings using such tricks, or worse, install some funny keys that won't go away on uninstall. End rant.

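The three checks named in the two replies above (the regmon driver/service entry that "sc query regmon" reports, the "RegmonClass" window, and a named mutex), gathered into one PowerShell function. This is an added example, not code from the thread or from SoftWrap; the thread does not give the mutex name, so $MutexName holds a labelled placeholder, and the function name Test-RegmonSignals is an assumption.

```powershell
# Added example, not from the thread. Queries the three regmon signals the
# replies name: the driver/service entry (what "sc query regmon" shows), the
# "RegmonClass" window, and a named mutex. The mutex name is NOT given in the
# thread, so $MutexName is a placeholder; Test-RegmonSignals is my own name.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
'@

function Test-RegmonSignals {
    param(
        [string]$ServiceName = 'regmon',        # friendly name of regsys.sys per the reply
        [string]$WindowClass = 'RegmonClass',   # window class per the reply
        [string]$MutexName   = 'PLACEHOLDER_REGMON_MUTEX'  # assumption: not in thread
    )
    $result = [ordered]@{}

    # 1. Service Control Manager entry: sc.exe exits 0 when the entry exists,
    #    and its STATE line reads RUNNING when the driver is loaded.
    $scOut = & sc.exe query $ServiceName 2>$null
    $result.ServiceRunning = ($LASTEXITCODE -eq 0) -and [bool]($scOut -match 'RUNNING')

    # 2. Top-level window registered with the tool's window class.
    $hwnd = [Win32.User32]::FindWindow($WindowClass, $null)
    $result.WindowFound = ($hwnd -ne [IntPtr]::Zero)

    # 3. Named mutex: TryOpenExisting only succeeds if some process created it.
    $mutex = $null
    $result.MutexFound = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$mutex)
    if ($mutex) { $mutex.Dispose() }

    [pscustomobject]$result
}

Test-RegmonSignals
```

Each field is only a string match against the names quoted in the thread, which is exactly the weakness the last reply raises.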
quote:
try to hide their software configuration settings using such tricks


It's not exactly hiding configuration settings, it's hiding the registration data. Any halfwit who knows how to type regedit could remove unhidden registry keys.

Yes, they could be encrypted, but that won't stop them writing down what the value is at the time of install and then simply re-entering it.

Doing either file registration checks or registry checks alone isn't enough these days; too many of the casual hackers are wising up. And a lot of people that wouldn't normally hack anything are learning how to use regedit.

The occasional stray registry key left behind is not that big a deal. If you really are so paranoid that the extra few bytes of data from that key are the bottleneck making your system run like a turtle, then you've got problems. And if it bothered you that much, there are a million and one freeware regcleaners.

------------------------------------------
[New Delta Games] | [Sliders]

[edited by - damocles on July 26, 2003 2:32:01 PM]

Damocles, your signature is corrupting my HTML formatting and gdnet optics (change it). Your second link is missing a >"< after the html addy.


T2k

But Damocles, don't you realize it's also a futile effort ... just because something isn't running NOW ... doesn't mean they haven't taken a registry snapshot a moment before, and are going to take another a moment after ... it is not possible to stop someone from detecting what changes you have made to their system ... and new versions of windows begin to include technology to do this automatically ... so why would you go the opposite direction?

Realize that I understand your concern, but microsoft disagrees with you ... the real problem today that is being fought is that of unwanted, unauthorized appropriation of computing resources (viruses), and the exact behavior you are attempting is the same as used by viruses ... a computer is owned by someone else, NOT YOU, and you have no rights to their hard drive or registry to do with as you please, against their wishes ... once you realize this, you will be well on your way to finding a REAL solution, not involving subterfuge.

Also note that there are VALID reasons why people (especially corporations) are fighting against what you are trying to do ... because it is very expensive to maintain computers running correctly, and all software (including yours) is suspect ... so we demand the right to completely abolish it if we wish ... which we do by maintaining deltas which record the system state each night ... so we can roll back to any desired previous state, and also, so we can install a new HD when this one fails, and have it operate the same ...

So you're only working against the forward progress of self-managing and dependable systems when you try to hide your processes. Just like a virus.

<offtopic>
Hmm. How do I write this without sounding like a flame... I don't wanna take the credit from those using windows, by all means do, but if you are paranoid about how the regedit works and companies that try to hide things etc etc, try another operating system. I've been using a linux distro for some time now and when I read about this problem it's with a grin on my face that I look back at my windows sessions. I mean, with free software, there really isn't any need to hide things, is there?
</offtopic>

Guest Anonymous Poster
quote:
Original post by thec
Hmm. How do I write this without sounding like a flame...
Next time, simply don't write anything at all. This forum isn't meant for off-topic posts.

Simply put: Damocles, what you want to do is a waste of time and hideously annoying.

What's to stop someone recompiling regmon with a bunch of changes? (I know I have a version of the regmon source code.)

Or someone writes a "simple" app, which catches when an app starts up and adds API hooking to prevent you finding any service/file/named object if the app is on a blacklist?
