Avoiding writing to the hard disk...

Hi guys,

Here is the problem: I noticed a nasty behaviour from some sites on the net. Many of them download (without user permission) some programs (most of them spyware, adware, even viruses etc.) and immediately create subdirectories in Program Files, the windows/system group or other parts of the hard disk. Then they run their programs and install monitors that are not easy to get rid of. These sorts of programs even write to the registry (they want to be alive as soon as the user reboots or restarts the system).

I wonder if there is a way to find out (through Delphi) when some program wants to write some info to the hard disk or the registry, and to avoid or cancel it before it occurs? Any ideas?

best regards
Manuel López (lopem)
lopem Asked:
Ivanov_G Commented:
In Delphi 7 there is a TShellChangeNotifier component (Samples tab) which monitors a directory for changes. It can also monitor the sub-directories. So this is the answer to the first question.

About the registry ... I have no idea.

BTW there are already such tools by SysInternals. FileMon and RegMon - they monitor the filesystem and the registry.
http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml
You can find a lot of useful links on these pages.
0
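A minimal watcher that covers both halves of the question (the file system and the registry), added here as an example and not code from the thread or from Delphi's samples: it calls the Win32 FindFirstChangeNotification and RegNotifyChangeKeyValue APIs directly, so it needs no TShellChangeNotifier. The directory and the HKLM Run key are assumed choices for the demonstration.

```delphi
program WatchWrites;
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;
const
  // Assumed locations to watch for this example; adjust to taste.
  WatchDir = 'C:\Program Files';
  RunKey   = 'Software\Microsoft\Windows\CurrentVersion\Run';

// Watches Dir (and its sub-directories) for new, renamed or written files.
function OpenDirWatch(const Dir: string): THandle;
begin
  Result := FindFirstChangeNotification(PChar(Dir), True,
    FILE_NOTIFY_CHANGE_FILE_NAME or FILE_NOTIFY_CHANGE_DIR_NAME or
    FILE_NOTIFY_CHANGE_LAST_WRITE);
end;

// Arms a one-shot notification on Key; Event is signalled on the next change.
function ArmRegWatch(Key: HKEY; Event: THandle): Boolean;
begin
  Result := RegNotifyChangeKeyValue(Key, True,
    REG_NOTIFY_CHANGE_NAME or REG_NOTIFY_CHANGE_LAST_SET, Event, True) = ERROR_SUCCESS;
end;

var
  Key: HKEY;
  Handles: array[0..1] of THandle;  // [0] = directory watch, [1] = registry event
begin
  Handles[0] := OpenDirWatch(WatchDir);
  if Handles[0] = INVALID_HANDLE_VALUE then RaiseLastOSError;
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE, PChar(RunKey), 0, KEY_NOTIFY, Key) <> ERROR_SUCCESS then
    RaiseLastOSError;
  Handles[1] := CreateEvent(nil, False, False, nil);  // auto-reset event
  if not ArmRegWatch(Key, Handles[1]) then RaiseLastOSError;
  while True do
    case WaitForMultipleObjects(2, @Handles, False, INFINITE) of
      WAIT_OBJECT_0: begin
          WriteLn(DateTimeToStr(Now), '  file system change under ', WatchDir);
          FindNextChangeNotification(Handles[0]);   // re-arm the directory watch
        end;
      WAIT_OBJECT_0 + 1: begin
          WriteLn(DateTimeToStr(Now), '  value added/changed in HKLM\', RunKey);
          ArmRegWatch(Key, Handles[1]);             // registry notification is one-shot
        end;
    else
      Break;                                        // WAIT_FAILED or similar
    end;
  FindCloseChangeNotification(Handles[0]);
  CloseHandle(Handles[1]);
  RegCloseKey(Key);
end.
```

Both APIs only report that something changed after the write has already happened, so this detects but cannot block; pair it with a baseline snapshot of the directory and key to work out exactly what changed (actual prevention would need a file system or registry filter driver).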
 
Hypoviax Commented:
I will be most interested in this post and may be able to offer suggestions when I research it more.

Hypoviax
0
 
lopem (Author) Commented:
Thanks Hypoviax... I will start making some experiments with Ivanov_G's comment. Let's see if we get more answers...

Thanks in advance.
Manuel Lopez (lopem)
0
 
Hypoviax Commented:
I'm working on a security application myself, so if your question is possible it will be useful to me too. I will have a specific look into the registry aspect of the question.

Regards,

Hypoviax
0
 
Hypoviax Commented:
Two similar questions specifically on the registry (unanswered, unfortunately) that may lead you in the right direction:

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_21022034.html

http://www.experts-exchange.com/Programming/Programming_Languages/Delphi/Q_20892764.html
0
 
Hypoviax Commented:
and...

http://delphi.about.com/library/code/ncaa052003a.htm

is some source which may be helpful.
0
 
calinutz Commented:
I guess you need to PREVENT a malevolent program from writing to the registry and HDD, not just observe it, right? This might be just a little more difficult...
0
 
Hypoviax Commented:
But if you can observe the locations you can take action. If it writes to the registry then just delete that key. If it writes to the hard disk, delete the file. If you can detect it you have minimal problem preventing it.

Hypoviax
0
 
Eddie Shipman (All-around developer) Commented:
My thoughts on this matter are that you need to redo your security settings in IE or
get rid of it altogether and get Firefox. This is like driving a tack with a sledgehammer.

No need to fix Bill Gates' screw-ups, just set them correctly.
0
 
Hypoviax Commented:
But EddieShipman, such a feature is worthwhile as it would enable complete control over registry changes and disk writing, thus allowing for protection against unknown or undetected spyware, viri etc. Although currently Firefox is safer than IE, it will not be long before exploits will be found. Being able to control registry writing is, in my opinion anyway, a very good security feature. You could even automate it. Monitor the registry - if a program writes a known bad entry then the user could be alerted and the key removed. Similarly for disk writing. A new file is detected. It is scanned to determine whether or not it is a malicious exe. It then could be removed.

Regards,

Hypoviax
0
 
LSORRELLS Commented:
I have no idea, but possible strategies:

A strategy could be to open and keep open the registry file with a Delphi program. This would prevent writes to the registry file but would allow other programs to read it. You would then have to trap attempts to write to the file and bring up a window which would allow you to grant permission for the change (in essence you would close the file for a limited amount of time and then reopen it after the change is made).

Copy the registry yourself and poll for changes to it. Do a file comparison and pull out the changes. If they are OK then back up the new registry file; if not, replace the new file with the old copy.

Of course Spybot v1.3 already does that very well, for free and without ads or anything else, so you might want to just use that.
0
 
lopem (Author) Commented:
What about capturing every single attempt to write to disk? And I know, I can use Spybot or Spy Sweeper. The point is how to do the same task in Delphi :)

best wishes
Manuel Lopez (lopem)
0
 
Hypoviax Commented:
The free JEDI JVCL component library has a component to detect hard-disk changes such as a new file, a filename change, a change of file size, a change of attributes etc.:

http://sourceforge.net/project/showfiles.php?group_id=45786

Then open the demo in the folder of installation:

JCL JVCL\jvcl\examples\ChangeNotification

Hypoviax
0