how would this look in ASM?

Started by lefnire, July 18, 2006, 11:49:55 PM

lefnire

I want to track files changed by a particular process, so how might this look in ASM (roughly):

if ( (instruction at IP) == (save information to disk or registry) )
      do something

zooba

Quite complicated. And you're skating on very thin ice with this sort of question, so you will probably want to explain fully what you're trying to achieve.

We're very careful of virus writers here and the onus is on the poster to convince us that you're not one :wink

lefnire

Well, I'm a tester and I'm trying to make a program to help test installations as well as functionality of a program. During installation, I want to see exactly what files on disk are affected in the process DIRECTLY by that particular process. The reason I say it like that is that there are programs (like InCtrl5) that can tell you what files were affected between two snapshots, but the diff shows files and registry items affected from all over (there are thousands of system files constantly changing) rather than files directly affected by a particular process. Once the program is installed, I'd also like to keep dibs on files directly affected by the program to make sure nothing is affected on disk that shouldn't be.

So I'm wondering if there's a way to peek at the IP register associated with a particular program or process. I figure each program increments the IP in accordance with its own instructions, so the IP register must be jumping back and forth depending on which program it's associated with, right? If that's the case, is there a way to monitor the instructions of a particular program and, if so, I'd like to determine if that instruction is a save-to-disk instruction.

PBrennick

I am VERY concerned by this. This is what is called hijacking a process and would allow you to intercept the outgoing stream and change it at will. I believe this topic should be locked until you PM a Global Moderator and fully explain your intentions. Your idea may be white as the driven snow, but any answer is read by many and that can be a problem.
Paul
The GeneSys Project is available from:
The Repository or My crappy website

zooba

The Filemon program from www.sysinternals.com will do what you want.

Snap it up quickly, as they've just been bought by Microsoft and the freeware will probably disappear soon :'(

Telefunken

Looks like what he wants to do is OK to me. This could be useful, I think, in determining if what you just installed has spyware/malware/viruses in it. I think it's a nice idea, and I had an idea like this myself once...

hutch--

lefnire,

Tell us what you are trying to do and we may allow the topic, but it sounds unusual. As you would be aware, the IP is not readily available under 32-bit mode, so it would be unusual code at best and we will need to be very sure of your intent before this thread will be reopened.
Download site for MASM32      New MASM Forum
https://masm32.com          https://masm32.com/board/index.php

sluggy

I've been busy today, so I've come into this a little late.

Quote from: lefnire on July 18, 2006, 11:49:55 PM
I want to track files changed by a particular process, so how might this look in ASM (roughly):

if ( (instruction at IP) == (save information to disk or registry) )
      do something
The way I read this is:

"hook or filter all functions that write to the disk or registry".

This is NOT required for testing the functionality of a program. It is also NOT required for testing installations of programs. To check if a file has changed, do a checksum or MD5 hash on it. Or do what zooba mentioned and use Filemon and Regmon.

lefnire,
if you are a tester, what do you test? Did you do *any* research at all before you asked this question? I suggest you do some more - Google is your friend.


P1

Quote from: lefnire on July 19, 2006, 12:05:14 AM
So I'm wondering if there's a way to peek at the IP register associated with a particular program or process. I figure each program increments the IP in accordance with its own instructions, so the IP register must be jumping back and forth depending on which program it's associated with, right? If that's the case, is there a way to monitor the instructions of a particular program and, if so, I'd like to determine if that instruction is a save-to-disk instruction.
From a technical point of view, you seem to be after in-circuit emulation. Go buy a copy of SoftICE. You will save man-years of software development for yourself.

I do not believe that there is code on the scope of what you're asking for here.

Which software company do you work for?

Regards,  P1  :8)

hutch--

We have had a satisfactory explanation from the member, so the topic has been re-opened. Please ensure that the content of this topic remains legal, otherwise we will have to remove it.

zooba

I still doubt there is any better way of doing this than using the tools at SysInternals. All that can be done otherwise is hooking the API calls, which is what FileMon and RegMon do.

AFAIK, the source is still available for those programs, so that might be the best place to start.

lefnire

Well, turns out hooking API calls is exactly what I was looking for... but remote thread-specific calls (kernel32 calls, I assume). Filemon/Regmon keep dibs on system-wide API calls, and I really want to hone in on specific processes (without having to learn which paths/processes to exclude in Filemon/Regmon per platform).

zooba

In that case, you'll need to learn about the PE file format and the DLL import table. Then you'll need to load the module manually (with your program) so you can modify it, and then execute it.

Cheers,

Zooba :U


(Mods, I know you've acknowledged a satisfactory explanation, but I haven't heard it so I'm not going to post any links or details. Just because this particular case is legitimate doesn't mean the information should be easily accessible for the illegitimate cases.)
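What zooba describes (walk the target module's import table, find the slot the loader resolved for a kernel32 function, and patch it) in working code, added here as an example; it is not code from this thread or from the MASM32 package, and it is in C rather than MASM because the walk is the same either way. It uses no Windows headers: the PE32 image is constructed in memory by build_image() for the demo (RVAs equal offsets, as in a loaded image), and the function and helper names, the placeholder "resolved" addresses and the marker value written into the slot are this example's own. On a real 32-bit target you would take the base from GetModuleHandle, make the slot writable with VirtualProtect, and write the address of your own logging WriteFile replacement there.

```c
/* Added example, not code from the thread: find and patch one IAT slot of a
 * PE32 image in memory. The image is CONSTRUCTED by build_image(); RVAs
 * equal offsets, as in a loaded image. No Windows headers are used. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x300
/* offsets chosen for the constructed image (hypothetical, but PE-valid) */
enum { NT_HDR = 0x80, OPT_HDR = NT_HDR + 4 + 20, IMPORT_DIR = 0x200, DLL_NAME = 0x240,
       ILT = 0x260, HN_WRITEFILE = 0x280, HN_CREATEFILEA = 0x290, IAT = 0x2A0 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static int in_image(size_t size, uint32_t rva, uint32_t len) { return rva < size && len <= size - rva; }

/* NUL-terminated string at rva, or NULL if it would run past the image */
static const char *str_at(const uint8_t *img, size_t size, uint32_t rva) {
    if (rva >= size) return NULL;
    return memchr(img + rva, 0, size - rva) ? (const char *)img + rva : NULL;
}
static int ieq(const char *a, const char *b) {             /* DLL names are case-insensitive */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Build a minimal PE32 image importing KERNEL32!WriteFile and CreateFileA,
 * with IAT slots already "resolved" to made-up addresses. */
void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, NT_HDR);                     /* e_lfanew */
    memcpy(img + NT_HDR, "PE\0\0", 4);
    wr16(img + NT_HDR + 4, 0x14C);                /* Machine: i386 */
    wr16(img + OPT_HDR, 0x10B);                   /* PE32 magic */
    wr32(img + OPT_HDR + 96 + 8, IMPORT_DIR);     /* DataDirectory[1]: import directory */
    wr32(img + OPT_HDR + 96 + 12, 40);
    wr32(img + IMPORT_DIR + 0, ILT);              /* OriginalFirstThunk (names) */
    wr32(img + IMPORT_DIR + 12, DLL_NAME);        /* Name */
    wr32(img + IMPORT_DIR + 16, IAT);             /* FirstThunk (the IAT the loader fills) */
    memcpy(img + DLL_NAME, "KERNEL32.dll", 13);   /* the all-zero terminator descriptor follows */
    wr32(img + ILT + 0, HN_WRITEFILE);
    wr32(img + ILT + 4, HN_CREATEFILEA);
    memcpy(img + HN_WRITEFILE + 2, "WriteFile", 10);      /* 2-byte hint, then the name */
    memcpy(img + HN_CREATEFILEA + 2, "CreateFileA", 12);
    wr32(img + IAT + 0, 0x7C810000u);             /* placeholder resolved addresses */
    wr32(img + IAT + 4, 0x7C810004u);
}

/* Walk the import directory; return the RVA of the IAT slot for dll!func, 0 if absent. */
uint32_t find_iat_slot(const uint8_t *img, size_t size, const char *dll, const char *func) {
    if (size < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3C);
    if (!in_image(size, nt, 4 + 20 + 96 + 16) || memcmp(img + nt, "PE\0\0", 4)) return 0;
    uint32_t opt = nt + 4 + 20;
    if (rd16(img + opt) != 0x10B) return 0;       /* PE32 only: 4-byte thunks */
    uint32_t dir = rd32(img + opt + 96 + 8);
    for (uint32_t d = dir; dir && in_image(size, d, 20) && rd32(img + d + 12); d += 20) {
        const char *name = str_at(img, size, rd32(img + d + 12));
        uint32_t ilt = rd32(img + d), iat = rd32(img + d + 16);
        if (!name || !ieq(name, dll) || !ilt) continue;
        for (uint32_t i = 0; in_image(size, ilt + 4 * i, 4) && rd32(img + ilt + 4 * i); i++) {
            uint32_t e = rd32(img + ilt + 4 * i);
            if (e & 0x80000000u) continue;        /* imported by ordinal: no name to match */
            const char *fn = str_at(img, size, e + 2);
            if (fn && !strcmp(fn, func) && in_image(size, iat + 4 * i, 4)) return iat + 4 * i;
        }
    }
    return 0;
}

/* Overwrite the slot with new_value; return the old value (0 = not found). In a real
 * 32-bit target new_value is (uint32_t)(uintptr_t)my_WriteFile, after VirtualProtect(). */
uint32_t hook_import(uint8_t *img, size_t size, const char *dll, const char *func, uint32_t new_value) {
    uint32_t slot = find_iat_slot(img, size, dll, func);
    if (!slot) return 0;
    uint32_t old = rd32(img + slot);
    wr32(img + slot, new_value);
    return old;
}

/* Constructed demo image, built on first use. */
uint8_t *demo_image(void) {
    static uint8_t img[IMG_SIZE];
    static int built;
    if (!built) { build_image(img); built = 1; }
    return img;
}

int main(void) {
    uint8_t *img = demo_image();
    uint32_t slot = find_iat_slot(img, IMG_SIZE, "kernel32.dll", "WriteFile");
    uint32_t old = hook_import(img, IMG_SIZE, "kernel32.dll", "WriteFile", 0xDEADBEEFu);
    printf("WriteFile IAT slot at RVA %#x: %#x -> %#x\n", (unsigned)slot, (unsigned)old, 0xDEADBEEFu);
    return old ? 0 : 1;
}
```

Two caveats for anyone using this to track a process's writes: an IAT patch only catches calls routed through that one module's import table, so a WriteFile reached via GetProcAddress, or made from inside another DLL (the C runtime's fwrite ends up in msvcrt's own IAT, not the EXE's), goes past it; and the bounds checks above matter because the import directory of an untrusted installer is attacker-controlled input to your monitor.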

P1

Quote from: lefnire on July 21, 2006, 01:30:59 AM
but remote thread-specific calls (kernel32 calls, I assume)
Please detail your test procedure or at least document your assigned task. You're not making any sense, to me at least.

"remote thread-specific calls", I don't understand what your need for this is?   ( This is a fair chance to explain yourself, just in case you mis-spoke about what you wanted. )

"(kernel32 calls, I assume)": your lack of understanding of how you are representing yourself is enough to doubt other facts as well.

Regards,  P1  :8)

PBrennick

I remain concerned.  This is an open forum and this topic is unsafe.

Paul