Solved

Avoiding writing to the hard disk...

Posted on 2004-10-31
Last Modified: 2010-04-05
Hi guys,

Here is the problem: I noticed a nasty behaviour from some sites on the net. Many of them download (without user permission) some programs (most of them spyware, adware, even viruses, etc.) and immediately create subdirectories in Program Files, the windows/system group or other parts of the hard disk. Then they run their programs and install monitors that are not easy to get rid of. These sorts of programs even write to the registry (they want to be alive as soon as the user reboots or restarts the system).

I wonder if there is a way to find out (through Delphi) when some program wants to write some info to the hard disk or the registry, and to avoid or cancel it before it occurs? Any ideas?

best regards
Manuel López (lopem)
0
Question by:lopem
13 Comments
 
LVL 12

Accepted Solution

by:
Ivanov_G earned 300 total points
ID: 12458379
In Delphi 7 there is a TShellChangeNotifier component (Samples tab) which monitors a directory for changes. It can also monitor the sub-directories. So this is the answer to the first question.

About the registry ... I have no idea.

BTW there are already such tools by SysInternals: FileMon and RegMon. They monitor the filesystem and the registry.
http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml
You can find a lot of useful links on these pages.
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12460230
I will be most interested in this post and may be able to offer suggestions when I research it more.

Hypoviax
0
 
LVL 3

Author Comment

by:lopem
ID: 12460244
Thanks Hypoviax... I will start making some experiments with Ivanov_G's comment. Let's see if we get more answers...

Thanks in advance.
Manuel Lopez (lopem)
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12460324
I'm working on a security application myself and so if your question is possible it will be useful to myself too. I will have a specific look into the registry aspect of the question.

Regards,

Hypoviax
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12460345
2 similar questions specifically on the registry (unanswered unfortunately) but may lead you in the right direction

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_21022034.html

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20892764.html
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12460349
and...

http://delphi.about.com/library/code/ncaa052003a.htm

Is some source which may be helpful
0
 
LVL 11

Expert Comment

by:calinutz
ID: 12460988
I guess you need to PREVENT a malevolent program from writing to the registry and HDD, not just observe, right? This might be just a little more difficult...
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12461071
But if you can observe the locations you can take action. If it writes to the registry, then just delete that key. If it writes to the hard disk, delete the file. If you can detect it, you have minimal problem preventing it.

Hypoviax
0
 
LVL 26

Expert Comment

by:EddieShipman
ID: 12467232
My thoughts on this matter are that you need to redo your security settings in IE or
get rid of it altogether and get Firefox. This is like driving a tack with a sledgehammer.

No need to fix Bill Gates screw ups, just set them correctly.
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12467387
But EddieShipman, such a feature is worthwhile as it would enable complete control over registry changes and disk writing, thus allowing for protection against unknown or undetected spyware, viruses etc. Although currently Firefox is safer than IE, it will not be long before exploits will be found. Being able to control registry writing is, in my opinion anyway, a very good security feature. You could even automate it. Monitor the registry: if a program writes a known bad entry then the user could be alerted and the key removed. Similarly for disk writing. A new file is detected. It is scanned to determine whether or not it is a malicious exe. It then could be removed.

Regards,

Hypoviax
0
 
LVL 2

Expert Comment

by:LSORRELLS
ID: 12467855
I have no idea but possible strategies:

A strategy could be to open and keep open the registry file with a Delphi program.  This would prevent writes to the registry file but would allow other programs to read it.  You would then have to trap for attempts to write to the file and bring up a window which would allow you to grant permission (in essence you would close the file for a limited amount of time and then reopen it after the change is made) for the change.

Copy the registry yourself and poll for changes to it.  Do a file comparison and pull out the changes.  If they are OK then back up the new registry file, and if not, replace the new file with the old copy.

Of course Spybot v1.3 already does that very well and for free and without ads or anything else so you might want to just use that.
0
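Added example, not part of any post in this thread and not code from the tools mentioned: the registry monitoring discussed in the comments above (watch a key, compare it against a saved copy, report what changed), written in Delphi around the Win32 `RegNotifyChangeKeyValue` call. Watching the per-user `Run` key is an assumption chosen for illustration; the call returns only after a change has been written, so this detects a new autostart entry rather than blocking it.

```delphi
program WatchRunKey;
{$APPTYPE CONSOLE}
// Added example: report values that appear or change under one registry key.
uses Windows, SysUtils, Classes, Registry;
// Assumption: the per-user autostart key is the one being watched.
const RunKey = 'Software\Microsoft\Windows\CurrentVersion\Run';

// Fill List with 'name=data' for every value currently under the open key.
procedure Snapshot(Reg: TRegistry; List: TStringList);
var
  Names: TStringList;
  i: Integer;
begin
  List.Clear;
  Names := TStringList.Create;
  try
    Reg.GetValueNames(Names);
    for i := 0 to Names.Count - 1 do
      try
        List.Add(Names[i] + '=' + Reg.ReadString(Names[i]));
      except
        on ERegistryException do  // value is not REG_SZ / REG_EXPAND_SZ
          List.Add(Names[i] + '=<non-string data>');
      end;
  finally
    Names.Free;
  end;
end;

var
  Reg: TRegistry;
  Before, After: TStringList;
  i: Integer;
begin
  Reg := TRegistry.Create;
  Before := TStringList.Create;
  After := TStringList.Create;
  try
    Reg.RootKey := HKEY_CURRENT_USER;
    if not Reg.OpenKeyReadOnly(RunKey) then
      begin Writeln('Cannot open ', RunKey); Exit; end;
    Snapshot(Reg, Before);
    // Synchronous wait: returns once a value or subkey of the key has changed.
    while RegNotifyChangeKeyValue(Reg.CurrentKey, False, REG_NOTIFY_CHANGE_NAME
      or REG_NOTIFY_CHANGE_LAST_SET, 0, False) = ERROR_SUCCESS do
    begin
      Snapshot(Reg, After);
      for i := 0 to After.Count - 1 do
        if Before.IndexOf(After[i]) < 0 then
          Writeln('New or changed: ', After[i]);
      Before.Assign(After);
    end;
  finally
    After.Free; Before.Free; Reg.Free;
  end;
end.
```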
 
LVL 3

Author Comment

by:lopem
ID: 12468549
What about capturing every single attempt to write to disk? And I know, I can use Spybot or Spy Sweeper. The point is how to do the same task in Delphi :)

best wishes
Manuel Lopez (lopem)
0
 
LVL 5

Assisted Solution

by:Hypoviax
Hypoviax earned 300 total points
ID: 12468709
The free Jedi Jvcl component library has a component to detect hard disk changes such as new file, filename change, change of filesize, change of attributes etc:

http://sourceforge.net/project/showfiles.php?group_id=45786

Then open the demo in the folder of installation:

JCL JVCL\jvcl\examples\ChangeNotification

Hypoviax
0
