
Memories are all I have.. (423 Posts), Discussion Starter #1
Hey guys, is anyone familiar with Windows API hooking here? I'm creating an app that is able to monitor the registry on the fly using .NET, but I can't seem to do it without using API hooking?
I know using the Win32 API I can detect changes made, but I need to know what changes were made. I think only through API hooking can I do this?

Regards
 

Registered (2,583 Posts)
Janus said:
Hey guys, is anyone familiar with Windows API hooking here? I'm creating an app that is able to monitor the registry on the fly using .NET, but I can't seem to do it without using API hooking?
I know using the Win32 API I can detect changes made, but I need to know what changes were made. I think only through API hooking can I do this?

Regards
What language?
 

Registered (1,577 Posts)
Either VB.NET or C#, most likely.
 

Registered (2,583 Posts)
Well, I know that in VB6 you hooked the API by rerouting the calls to your own sub using the AddressOf operator, but I'm not entirely sure if it would work the same way in VB.NET.
 

Memories are all I have.. (423 Posts), Discussion Starter #6
Thanks for the info, guys. I'll keep looking into it. Besides this, does anyone know how to detect changes in the registry? One way would be to compare the two registry files that I export, but that'll take one hell of an algorithm to have proper results..
Looks like I've got to look for some registry API too.. hm..
 

Banned (177 Posts)
Nah, not a huge algorithm. The method flare described in VB6.0 is basically the same in VB.NET, just with slightly different syntax. You could actually write entirely in VB6.0 code in VB.NET, but.. that defeats the purpose, of course, of using .NET, and you'd have a slower application. Do you want to have a constant timer ticking and watching the registry? Or just on an event? On a timer, that would eat up a good deal of resources.
 

Memories are all I have.. (423 Posts), Discussion Starter #8
VB6 code? Hm..
Kinda like a timer? Basically the program will be watching the registry until the user tells the program to stop watching it.
 

Transcended (1,416 Posts)
Well, there ARE free tools to detect Registry tweaking, like the RegMon app and counterparts... :)

What's it for, btw? A registry preservation tool? Anyway, the Registry APIs are:
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegSetValueExA

Plus some others. Check MSDN for safekeeping.

Usually, you want to catch the Set/Delete series. You don't want to flag each and every Query, Open, etc...
 

Memories are all I have.. (423 Posts), Discussion Starter #10
Yeah, I know. Especially RegMon. Been looking through it extensively these days.
It's basically for monitoring the registry to know what changes were made. Kinda like RegMon? But simpler. All I need to know is what registry values/keys were made during this period of time.

As for the registry API, I've been through those. But the problem is I need to know what was changed; the Registry API doesn't tell me what was changed, only when it is changed.
For example, the RegNotify API (can't remember the name) only tells you when stuff is changed, not what. I'm not too sure if RegOpenKeyA tells you what is being opened; I'll have to go and look through it more extensively.

I have written a simple C# wrapper class for now. All it does is notify you when changes are made to the registry. I suppose the next step would be to actually find out what was changed in the registry.

Any other help you guys can give would be a lot of help.

Regards
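The gap the thread ends on (the notification API says when something changed, not what) is normally closed without API hooking by snapshotting the watched key before blocking on RegNotifyChangeKeyValue and diffing a fresh snapshot afterwards. The C# below is an added example written for this page, not the poster's wrapper class or any project's code; it assumes .NET Framework 4.0 or later (for RegistryKey.Handle), and RegistryWatcher, Snapshot, Diff and WaitForChange are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
// Added example, not code from the thread: learn WHAT changed by snapshotting a key,
// blocking on RegNotifyChangeKeyValue, then diffing a second snapshot against the first.
public static class RegistryWatcher
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern int RegNotifyChangeKeyValue(SafeRegistryHandle hKey, bool bWatchSubtree,
        uint dwNotifyFilter, IntPtr hEvent, bool fAsynchronous);
    const uint REG_NOTIFY_CHANGE_NAME = 0x1;     // subkey added or deleted
    const uint REG_NOTIFY_CHANGE_LAST_SET = 0x4; // value written or deleted
    // Snapshot of one key level: "value:<name>" -> "<kind>:<data>", "subkey:<name>" -> "".
    public static Dictionary<string, string> Snapshot(RegistryKey key)
    {
        var snap = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string name in key.GetValueNames())
            snap["value:" + name] = key.GetValueKind(name) + ":" + Format(key.GetValue(name));
        foreach (string sub in key.GetSubKeyNames())
            snap["subkey:" + sub] = "";
        return snap;
    }
    static string Format(object data) =>
        data is byte[] b ? BitConverter.ToString(b) :
        data is string[] s ? string.Join("|", s) : Convert.ToString(data);
    // Pure diff of two snapshots; this is the part the notification API never gives you.
    public static List<string> Diff(Dictionary<string, string> before, Dictionary<string, string> after)
    {
        var changes = new List<string>();
        foreach (var kv in after)
            if (!before.TryGetValue(kv.Key, out var old)) changes.Add("ADDED    " + kv.Key + " = " + kv.Value);
            else if (old != kv.Value) changes.Add("MODIFIED " + kv.Key + ": " + old + " -> " + kv.Value);
        foreach (var name in before.Keys)
            if (!after.ContainsKey(name)) changes.Add("REMOVED  " + name);
        return changes;
    }
    // Blocks until the key or its subtree changes (the key needs KEY_NOTIFY, which a default
    // read-only OpenSubKey grants), then returns the delta. Loop on this from a background
    // thread until the user stops watching; no polling timer is needed.
    public static List<string> WaitForChange(RegistryKey key)
    {
        var before = Snapshot(key);
        int rc = RegNotifyChangeKeyValue(key.Handle, true,
            REG_NOTIFY_CHANGE_NAME | REG_NOTIFY_CHANGE_LAST_SET, IntPtr.Zero, false);
        if (rc != 0) throw new Win32Exception(rc);
        return Diff(before, Snapshot(key));
    }
}
```

Snapshot covers a single key level, so for a deep tree recurse over subkeys (or watch each interesting key separately) rather than relying on bWatchSubtree alone. Writes that land between the notification returning and the second Snapshot collapse into one reported change, so the diff tells you the net result, not every intermediate write.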