

[updated] Event Log Notifier

Started by sapero, May 28, 2009, 02:31:14 AM



sapero

May 28, 2009, 02:31:14 AM Last Edit: May 28, 2009, 06:47:42 AM by sapero
This project is currently targeted at Windows XP.
It works like Ad-Watch from Ad-Aware 6: it notifies you about changes in some important registry keys and, additionally, about new records in the 'System' event log. If a change is made, a balloon tooltip pops up from the tray area (I have used the IUserNotification interface for this).

For the Event Log I have used the OpenEventLog, NotifyChangeEventLog and ReadEventLog APIs. At startup I'm calling ReadEventLog in a loop just to seek to the end, to the newest log entry.

To watch registry changes, I've used the RegNotifyChangeKeyValue function. If a change is made, the system changes one of the event handles to the signalled state. At startup I'm loading the registry trees into a linked list, and when a change is detected I just do a search and compare to find new/deleted keys and new/deleted/modified values.
The code is designed to allow undoing all changes made to the registry, but the undo option is not implemented yet.
This is the list of watched keys (HKLM only):
...\Run, \RunOnce
...\Winlogon\Notify (winlogon viruses)
...\Control\Session Manager (boot time file renames)
...\Lsa\Notification Packages (lsa viruses)
...\Services (new/removed services)
...\Services\SharedAccess\Parameters\FirewallPolicy (firewall settings)

So if something creates a value in the Run key, tries to modify a system protected file (SFC), replaces a protected file at boot time or installs a DLL virus, you'll know about it. The list of keys is not complete; it's just for testing purposes.

The binary part can be used in two ways: as a standalone executable, or as a shell service (a DLL loaded by explorer at startup). The second option requires registering itself in the registry as an in-process server, and needs to create a value in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. Explorer calls CoCreateInstance with the IOleCommandTarget identifier, then calls the Exec method to start/stop the service.
To install the DLL version, execute install_dll.bat. You'll need to log off and log on again (or restart explorer) in order to "run" the service.

The main service code you'll find in the OleCommandTarget::ThreadProc method. It has some small bugs in the registry notification area: each user notification is "modal", i.e. the balloon tooltip does not return until you click it. If multiple registry changes are made while the balloon is active, all the changes are merged and displayed in the next balloon tooltip, but only N characters are visible...

EDIT - updated: bad event index in NotifyChangeEventLog.

sapero

I have progressed a bit:
Registry:
* If a watched key is not marked as "watch subtree", only this key and its values are loaded into the linked list, and there will be no information that a value of a child key has changed.
* Improved registry watching: added another thread that waits for registry changes. It appends a record to a custom log file and notifies the first thread about new entries, so you'll not miss any messages. The log file is created in the user's TEMP directory.

Event Log:
* improved message formatting. In the previous version not all messages were properly formatted (check it: disable and stop the stisvc service, then run mspaint.exe).
This is a bat file to compare the difference:
    sc stop stisvc
    sc config stisvc start= disabled
    mspaint
    sc config stisvc start= auto


But I'm still missing something: in the "DOM ... failed to start stisvc" message there is one garbage character (a percent).

The code is split into categorized files. You may notice frequent SYSTEM\CurrentControlSet\Services\kmixer\Enum notifications; this is because it watches the whole subtree of the Services key, and there is no ignore list yet.
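The two posts above describe the registry side of the notifier as "load the watched trees at startup, then search and compare after a change", with a "watch subtree" flag per key and, later, the wish for an ignore list to silence the noisy Services\kmixer\Enum key. The following is an added example written for this page, not sapero's code, that shows just that comparison step in Python. The Win32 part (RegNotifyChangeKeyValue signalling an event, then re-reading the key) is not reproduced; the "registry" is a constructed dictionary of key path to value name/data, so the code runs anywhere. Key paths, value names and data below are constructed sample content, not taken from a real machine; the Start value 4 for a disabled service is the documented SERVICE_DISABLED meaning that `sc config ... start= disabled` writes.

```python
"""Snapshot-and-compare logic for a registry watcher (added example, not the notifier's own code).

Only the step after RegNotifyChangeKeyValue fires is shown: take a fresh snapshot of the
watched key, compare it with the one taken at startup, and report new/deleted keys and
new/deleted/modified values.  The registry is a constructed dict, so this runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for a hive: key path -> {value name: data}.
Registry = Dict[str, Dict[str, object]]

RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"


@dataclass(frozen=True)
class Change:
    kind: str                   # key_added / key_deleted / value_added / value_deleted / value_modified
    key: str
    name: Optional[str] = None  # value name; None for key-level changes
    old: object = None
    new: object = None


def snapshot(reg: Registry, root: str, watch_subtree: bool) -> Registry:
    """Copy the watched key (and, if watch_subtree, every key below it) out of the registry.
    Without watch_subtree only the key itself and its values are kept, so changes inside
    child keys are invisible to the later comparison."""
    prefix = root.lower() + "\\"
    return {
        path: dict(values)
        for path, values in reg.items()
        if path.lower() == root.lower() or (watch_subtree and path.lower().startswith(prefix))
    }


def diff(before: Registry, after: Registry, ignore_prefixes: Iterable[str] = ()) -> List[Change]:
    """Search-and-compare two snapshots.  Keys under an ignored prefix are skipped entirely,
    which is how a noisy key such as Services\\kmixer\\Enum would be silenced."""
    ignored = tuple(p.lower() for p in ignore_prefixes)
    changes: List[Change] = []
    for key in sorted(set(before) | set(after)):
        if ignored and key.lower().startswith(ignored):
            continue
        if key not in before:
            changes.append(Change("key_added", key))
            for name, data in after[key].items():       # report the new key's values too
                changes.append(Change("value_added", key, name, None, data))
            continue
        if key not in after:
            changes.append(Change("key_deleted", key))
            continue
        old_vals, new_vals = before[key], after[key]
        for name in sorted(set(old_vals) | set(new_vals)):
            if name not in old_vals:
                changes.append(Change("value_added", key, name, None, new_vals[name]))
            elif name not in new_vals:
                changes.append(Change("value_deleted", key, name, old_vals[name], None))
            elif old_vals[name] != new_vals[name]:
                changes.append(Change("value_modified", key, name, old_vals[name], new_vals[name]))
    return changes


def build_registry() -> Registry:
    """Constructed sample hive (not real data) holding the keys the notifier watches."""
    return {
        RUN: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        SERVICES: {},
        SERVICES + r"\stisvc": {"Start": 2, "ImagePath": r"%SystemRoot%\system32\svchost.exe -k imgsvc"},
        SERVICES + r"\kmixer": {"Start": 3},
        SERVICES + r"\kmixer\Enum": {"Count": 1, "0": "SW\\constructed-device-id"},
    }


def demo() -> List[Change]:
    """Startup snapshots, a batch of simulated changes, then the comparison."""
    reg = build_registry()
    run_before = snapshot(reg, RUN, watch_subtree=False)        # Run: key only
    svc_before = snapshot(reg, SERVICES, watch_subtree=True)    # Services: whole subtree

    # Simulated (constructed) changes made while the watcher is running:
    reg[RUN]["updater"] = r"C:\Documents and Settings\user\dropper.exe"    # new autostart value
    reg[RUN + r"\OptionalComponents"] = {"x": 1}            # child key: not watched, not reported
    reg[SERVICES + r"\newsvc"] = {"Start": 2, "ImagePath": r"C:\WINDOWS\newsvc.sys"}  # new service
    reg[SERVICES + r"\kmixer\Enum"]["Count"] = 2            # noise, filtered by the ignore list
    reg[SERVICES + r"\stisvc"]["Start"] = 4                 # sc config stisvc start= disabled

    # The change event fired: re-snapshot and compare against the startup copies.
    changes = diff(run_before, snapshot(reg, RUN, watch_subtree=False))
    changes += diff(svc_before, snapshot(reg, SERVICES, watch_subtree=True),
                    ignore_prefixes=[SERVICES + r"\kmixer\Enum"])
    return changes


if __name__ == "__main__":
    for c in demo():
        print(f"{c.kind:15} {c.key}" + (f"  [{c.name}] {c.old!r} -> {c.new!r}" if c.name else ""))
```

Running the script prints the new Run value, the new service key with its values, and the modified stisvc Start value; the kmixer\Enum change and the new child key under Run produce nothing, the first because of the ignore list and the second because Run is snapshotted without its subtree.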

Barney

This is very interesting and one can learn quite a lot from your programming, Sapero. Thank you for sharing.
It is a pity that more people don't try this.

Barney

Ionic Wind Support Team

Actually did something similar a while ago, monitoring about 25 keys that can start programs on XP.  While it was easy to figure out the hook needed to monitor registry writes, I was kind of stumped on how to prevent a process from writing to a registry location.  The goal was a notification like TeaTimer that allows you to block writes from unknown processes.  TeaTimer was too invasive and resource hungry.

As a side project I started a small program that allows changing the security attributes of the run registry keys so they can't be written to at all without user intervention, haven't finished it yet due to differences between XP and Vista.

Anyway nice work Sapero.

Paul.
