Solved

Avoiding writing to the hard disk...

Posted on 2004-10-31
165 Views
Last Modified: 2010-04-05
Hi guys,

Here is the problem:  I noticed a nasty behaviour from some sites on the net. Many of them download (without user permission) some programs (most of them spyware, adware, even viruses etc.) and immediately create subdirectories in Program Files, the windows/system group or other parts of the hard disk. Then they run their programs and install monitors that are not easy to get rid of. These sorts of programs even write to the registry (they want to be alive as soon as the user reboots or restarts the system).

I wonder if there is a way to find out (through Delphi) when some program wants to write some info to the hard disk or the registry, and to avoid or cancel it before it occurs? Any ideas?

best regards
Manuel López (lopem)
0
Question by:lopem
    13 Comments
     
    LVL 12

    Accepted Solution

    by:
    In Delphi 7 there is a TShellChangeNotifier component (Samples tab) which monitors a directory for changes. It can also monitor the sub-directories. So this is the answer to the first question.

    About the registry ... I have no idea.

    BTW there are already such tools by SysInternals. FileMon and RegMon - they monitor the filesystem and the registry.
    http://www.sysinternals.com/ntw2k/source/filemon.shtml
    http://www.sysinternals.com/ntw2k/source/regmon.shtml
    You can find a lot of useful links on these pages.
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    I will be most interested in this post and may be able to offer suggestions when I research it more.

    Hypoviax
    0
     
    LVL 3

    Author Comment

    by:lopem
    Thanks Hypoviax... I will start making some experiments with Ivanov_G comment. Let's see if we get more answers...

    Thanks in advance.
    Manuel Lopez (lopem)
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    I'm working on a security application myself and so if your question is possible it will be useful to myself too. I will have a specific look into the registry aspect of the question.

    Regards,

    Hypoviax
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    Two similar questions specifically on the registry (unanswered, unfortunately), but they may lead you in the right direction:

    http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_21022034.html

    http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20892764.html
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    and...

    http://delphi.about.com/library/code/ncaa052003a.htm

    is some source which may be helpful.
    0
     
    LVL 11

    Expert Comment

    by:calinutz
    I guess you need to PREVENT a malevolent program from writing to the registry and HDD, not just observe, right? This might be just a little more difficult...
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    But if you can observe the locations you can take action. If it writes to the registry then just delete that key. If it writes to the hard disk, delete the file. If you can detect it you have minimal problem preventing it.

    Hypoviax
    0
     
    LVL 26

    Expert Comment

    by:EddieShipman
    My thoughts on this matter are that you need to redo your security settings in IE or
    get rid of it altogether and get Firefox. This is like driving a tack with a sledgehammer.

    No need to fix Bill Gates' screw-ups, just set them correctly.
    0
     
    LVL 5

    Expert Comment

    by:Hypoviax
    But EddieShipman, such a feature is worthwhile as it would enable complete control over registry changes and disk writing, thus allowing for protection against unknown or undetected spyware, viruses etc. Although currently Firefox is safer than IE, it will not be long before exploits will be found. Being able to control registry writing is, in my opinion anyway, a very good security feature. You could even automate it. Monitor the registry - if a program writes a known bad entry then the user could be alerted and the key removed. Similarly for disk writing. A new file is detected. It is scanned to determine whether or not it is a malicious exe. It then could be removed.

    Regards,

    Hypoviax
    0
     
    LVL 2

    Expert Comment

    by:LSORRELLS
    I have no idea but possible strategies:

    A strategy could be to open and keep open the registry file with a Delphi program.  This would prevent writes to the registry file but would allow other programs to read it.  You would then have to trap attempts to write to the file and bring up a window which would allow you to grant permission for the change (in essence you would close the file for a limited amount of time and then reopen it after the change is made).

    Copy the registry yourself and poll for changes to it.  Do a file comparison and pull out the changes.  If they are OK then back up the new registry file, and if not, replace the new file with the old copy.

    Of course Spybot v1.3 already does that very well and for free and without ads or anything else so you might want to just use that.
    0
     
    LVL 3

    Author Comment

    by:lopem
    What about capturing every single attempt to write to disk? And I know, I can use Spybot or Spy Sweeper. The point is how to do the same task in Delphi :)

    best wishes
    Manuel Lopez (lopem)
    0
     
    LVL 5

    Assisted Solution

    by:Hypoviax
    The free Jedi JVCL component library has a component to detect hard disk changes such as a new file, filename change, change of file size, change of attributes etc.:

    http://sourceforge.net/project/showfiles.php?group_id=45786

    Then open the demo in the folder of installation:

    JCL JVCL\jvcl\examples\ChangeNotification

    Hypoviax
    0
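    Both the TShellChangeNotifier answer and the JVCL ChangeNotification demo wrap the same Win32 change-notification APIs. The following console program is an added example, not code from this thread or from either library: it waits on a directory tree with FindFirstChangeNotification and, for the registry part the accepted answer left open, on the HKLM Run autostart key with RegNotifyChangeKeyValue. The watched directory, the choice of the Run key and the 20-event limit are assumptions made for the example.

```delphi
program WatchDiskAndRegistry;
{$APPTYPE CONSOLE}
uses Windows, SysUtils;

const
  WatchDir  = 'C:\Program Files';   // assumed directory to watch
  RunKey    = 'Software\Microsoft\Windows\CurrentVersion\Run';
  RegFilter = REG_NOTIFY_CHANGE_NAME or REG_NOTIFY_CHANGE_LAST_SET;

// Signalled when a file or folder is created, renamed or written to,
// in Dir and every sub-directory (bWatchSubtree = True).
function OpenDirWatch(const Dir: string): THandle;
begin
  Result := FindFirstChangeNotification(PChar(Dir), True,
    FILE_NOTIFY_CHANGE_FILE_NAME or FILE_NOTIFY_CHANGE_DIR_NAME or
    FILE_NOTIFY_CHANGE_LAST_WRITE);
  if Result = INVALID_HANDLE_VALUE then RaiseLastOSError;
end;

// Returns an auto-reset event that is set once when the Run key changes;
// the asynchronous request must be re-armed after every notification.
function OpenRegWatch(var Key: HKEY): THandle;
begin
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, RunKey, 0, KEY_NOTIFY, Key) <> ERROR_SUCCESS then
    raise Exception.Create('Cannot open HKLM\' + RunKey);
  Result := CreateEvent(nil, False, False, nil);
  if RegNotifyChangeKeyValue(Key, True, RegFilter, Result, True) <> ERROR_SUCCESS then
    raise Exception.Create('RegNotifyChangeKeyValue failed');
end;

var Handles: array[0..1] of THandle; Key: HKEY; I: Integer;
begin
  Handles[0] := OpenDirWatch(WatchDir);
  Handles[1] := OpenRegWatch(Key);
  for I := 1 to 20 do                          // report 20 events, then exit
    case WaitForMultipleObjects(2, @Handles, False, INFINITE) of
      WAIT_OBJECT_0:
        begin
          Writeln(TimeToStr(Now), '  file system change under ', WatchDir);
          FindNextChangeNotification(Handles[0]);                       // re-arm
        end;
      WAIT_OBJECT_0 + 1:
        begin
          Writeln(TimeToStr(Now), '  autostart key HKLM\', RunKey, ' changed');
          RegNotifyChangeKeyValue(Key, True, RegFilter, Handles[1], True);  // re-arm
        end;
    end;
  FindCloseChangeNotification(Handles[0]);
  CloseHandle(Handles[1]);
  RegCloseKey(Key);
end.
```

    As calinutz points out, a notification only tells you that something changed, after the fact, not what or by whom, and it cannot block the write; to identify the offending file or value you still need the snapshot comparison LSORRELLS describes or a FileMon/RegMon-style trace.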
