An easy way to block registry access for a specific process

Is there an easy way to connect the registry to a process that runs my code? I know about SetWindowsHookEx and friends, but it's too complicated ... I still have hopes that it is as simple as LD_PRELOAD on Unix ...

+4
3 answers

Read up on the theory of DLL injection here: http://en.wikipedia.org/wiki/DLL_injection

However, I'll put a DLL injection snippet here for you: http://www.dreamincode.net/code/snippet407.htm

It is very easy to do these things once you are in the memory of an external application; after the injection you are also part of the process.

There is something called a "detour", which I believe is what you are looking for: it simply hooks the function, and when the process calls it, your own function runs instead. (To make sure it doesn't crash, call the hooked function at the end of your function.)

So, if you want to write your own function for RegCreateKeyEx

(http://msdn.microsoft.com/en-us/library/ms724844%28v=vs.85%29.aspx)

It might look something like this:

    #include <windows.h>

    // Replacement for RegCreateKeyEx: inspect the arguments, then forward the call.
    // (When installed as a detour, the forwarding call must go through the trampoline
    // the hooking library returns rather than the import, or the hook re-enters itself.)
    LONG WINAPI myRegCreateKeyEx(HKEY hKey, LPCTSTR lpSubKey, DWORD Reserved, LPTSTR lpClass,
                                 DWORD dwOptions, REGSAM samDesired,
                                 LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult,
                                 LPDWORD lpdwDisposition)
    {
        // check for suspicious keys being made via the parameters

        // hand the call on and return its status code to the caller
        return RegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired,
                              lpSecurityAttributes, phkResult, lpdwDisposition);
    }

You can get a very well written detour library called DetourXS here: http://www.gamedeception.net/threads/10649-DetourXS

Here is its sample code on how to set up a detour using it:

    #include <stdio.h>
    #include <windows.h>
    #include <detourxs.h>

    typedef DWORD (WINAPI* tGetTickCount)(void);
    tGetTickCount oGetTickCount;   // trampoline to the original GetTickCount

    DWORD WINAPI hGetTickCount(void)
    {
        printf("GetTickCount hooked!\n");
        return oGetTickCount();    // always forward to the original so the caller still gets a result
    }

    void InstallDetour(void)
    {
        // To create the detour
        oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP);

        // ...Or an address
        // oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP);

        // ...You can also specify the detour len
        // oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5);
    }

    void RemoveDetour(void)
    {
        // To remove the detour
        DetourRemove(oGetTickCount);
    }

In case you can't tell, this snippet hooks GetTickCount(), and whenever the function is called it prints "GetTickCount hooked!" and then runs the original GetTickCount as intended.

Sorry for being so scattered with the information, but I hope this helps. :) (I understand that this is an old question.)

+2

SetWindowsHookEx will not help at all; it serves different purposes.

Check whether https://web.archive.org/web/20080212040635/http://www.codeproject.com/KB/system/RegMon.aspx helps. SysInternals RegMon uses a kernel-mode driver, which is a very complex way to go.

Update: our company offers a CallbackRegistry product that allows you to track registry operations without the hassle. And BTW we offer free non-commercial licenses upon request (subject to approval in each individual case).

0

Most winapi calls generate symbol table entries for inter-module calls, so it's pretty easy to hook them: all you have to do is rewrite the IAT addresses. Using something like MSDetours, this can be done safely in a few lines of code. MSDetours also provides tools for injecting a custom dll into the target process so you can bind

0
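The IAT rewrite this answer describes, as an added example that is not code from the answer or from MSDetours: it walks a PE32+ import directory to find the slot for advapi32.dll!RegCreateKeyExW and swaps in a filter's address, which is how a process can screen or refuse its own registry calls. It runs against a constructed in-memory buffer rather than a real module; on Windows the image base, the directory RVA, the VirtualProtect call and the filter function itself are the parts you supply.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
/* PE32+ import descriptor (= IMAGE_IMPORT_DESCRIPTOR), spelled out so the walk runs without <windows.h>:
 * INT RVA, timestamp, forwarder chain, DLL-name RVA, IAT RVA (the slots the loader fills in). */
struct ImportDescriptor { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; };
#define ORDINAL_FLAG64 (1ULL << 63)
static int same_dll(const char *a, const char *b)      /* the loader matches DLL names case-insensitively */
{
    for (; *a && *b; a++, b++) if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* Return the IAT slot for module!func, or NULL. In a live process image_base = GetModuleHandle(NULL)
 * and the RVA is DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; bounds-check every RVA against SizeOfImage. */
uint64_t *find_iat_slot(uint8_t *image_base, uint32_t import_dir_rva, const char *module, const char *func)
{
    struct ImportDescriptor *d = (struct ImportDescriptor *)(image_base + import_dir_rva);
    for (; d->Name != 0; d++) {                        /* descriptor array ends with an all-zero entry */
        if (!same_dll((const char *)(image_base + d->Name), module)) continue;
        uint64_t *names = (uint64_t *)(image_base + d->OriginalFirstThunk);
        uint64_t *slots = (uint64_t *)(image_base + d->FirstThunk);
        for (int i = 0; names[i] != 0; i++) {
            if (names[i] & ORDINAL_FLAG64) continue;   /* imported by ordinal: nothing to match by name */
            const char *name = (const char *)(image_base + names[i]) + 2;  /* skip the 2-byte hint */
            if (strcmp(name, func) == 0) return &slots[i];
        }
    }
    return NULL;
}
/* Overwrite the slot, returning the original so the filter can forward allowed calls (live IAT pages are read-only: wrap in VirtualProtect). */
uint64_t hook_iat_slot(uint64_t *slot, uint64_t replacement)
{
    uint64_t original = *slot;
    *slot = replacement;
    return original;
}
/* Constructed sample (no PE headers, import directory at RVA 0): one descriptor importing
 * advapi32.dll!RegCreateKeyExW. The caller frees the returned buffer. */
uint8_t *build_sample_image(void)
{
    uint8_t *img = calloc(256, 1);                     /* zeroed, so the 2nd descriptor terminates the list */
    *(struct ImportDescriptor *)img = (struct ImportDescriptor){ 0x70, 0, 0, 0x40, 0x80 };  /* INT, ts, fwd, name, IAT */
    strcpy((char *)img + 0x40, "advapi32.dll");
    strcpy((char *)img + 0x52, "RegCreateKeyExW");     /* hint word at 0x50, name at 0x52 */
    ((uint64_t *)(img + 0x70))[0] = 0x50;              /* INT entry -> hint/name record */
    ((uint64_t *)(img + 0x80))[0] = 0x7ff000001000ULL; /* IAT entry: fake "original" address */
    return img;
}
```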
