At work, someone wrote a virus that infects flash drives. Whenever one of these flash drives is inserted into a computer, the CD key as well as passwords and other sensitive information is retrieved and either stored on the flash drive or transmitted somewhere (I don't know).
I'm trying to write a virus killer for this - is there any way for my program to watch a few registry keys and be notified by Windows when they are read from or written to? Standard hooks won't cut it.
This is for Windows XP, to be written in either C++ or VBScript, or another language if necessary.
And no, our anti-virus software doesn't catch it.
Well, autorun should be disabled for all flash media. RegMon can help you out, as can WinPooch. A decent firewall should block it from transmitting any data.
Thanks for your suggestion. Yes, RegMon is nice, but it has some problems.
1) It's not embeddable and would require installation on every single computer in the school.
2) You can't watch every computer and kill processes as necessary remotely. There are too many computers.
What I intend to write will be a single program on the main server that will be run on every login and monitor the users' computers until they log off. If any suspicious activity is detected, it will send the user id to the administrator and kill the infecting processes.
After a lot of research, I finally found the answer buried on MSDN. There are a few steps involved:
Write a virtual device driver that does the following:
1) Call CmRegisterCallback to register your watching function with the system.
2) For every registry operation, your function will be called. Filter out the calls you don't need to handle first so you won't slow the system down.
3) Return STATUS_SUCCESS for successful calls, and an error value of your choice (such as ERROR_ACCESS_DENIED) to block a registry operation.
4) When done, call CmUnRegisterCallback to remove your hooking function.
(Keep in mind that the following will work only in Windows.)
Code:
```c
#include <ntddk.h>

// cookie handed back by CmRegisterCallback; needed to remove the hook later
static LARGE_INTEGER g_HookCookie;

// declaration for the watching callback function
// (Argument1 carries the REG_NOTIFY_CLASS, Argument2 the REG_xxx_KEY_INFORMATION for the operation)
NTSTATUS RegWatcher(PVOID CallbackContext, PVOID Argument1, PVOID Argument2);

// runs when the driver is unloaded: now remove the hook
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    CmUnRegisterCallback(g_HookCookie);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    // do some stuff here...

    // the hook must stay in place until the driver is unloaded,
    // so unregistering belongs in DriverUnload, not here
    pDriverObject->DriverUnload = DriverUnload;

    // now set the registry hook
    return CmRegisterCallback(RegWatcher, NULL, &g_HookCookie);
}

NTSTATUS RegWatcher(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    UNREFERENCED_PARAMETER(CallbackContext);
    UNREFERENCED_PARAMETER(Argument2);

    // Argument1 is the REG_NOTIFY_CLASS value itself, not a pointer to one
    REG_NOTIFY_CLASS calltype = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;

    // we only care about registry reads in this example
    if (calltype != RegNtQueryKey)
        return STATUS_SUCCESS;

    // caught a registry read, continue processing

    // deny access for some reason; the return value must be an NTSTATUS
    // (STATUS_ACCESS_DENIED), not a Win32 error code such as ERROR_ACCESS_DENIED
    return STATUS_ACCESS_DENIED;
}
```
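As an added example (not code from the thread, from MSDN, or from any driver the thread mentions), here is the decision logic steps 2 and 3 leave open: first discard the notify classes you do not handle, so the string work runs only for reads, then compare the key path against a watchlist and answer STATUS_SUCCESS or STATUS_ACCESS_DENIED. It is plain C that compiles without the WDK, so the REG_NOTIFY_CLASS names and the two NTSTATUS codes are redefined here; the watched key path and the sample operations are constructed for the example. In a real callback the key path would be obtained from the key object in the REG_xxx_KEY_INFORMATION structure behind Argument2 (for example with ObQueryNameString), and registry paths compare case-insensitively, which is why the match below folds case and also stops a prefix from matching a sibling key with a longer name.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the WDK definitions so this compiles outside a driver build. */
typedef long NTSTATUS;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Subset of REG_NOTIFY_CLASS; the names are the wdm.h ones, the numeric values
 * are placeholders for this example only. */
typedef enum {
    RegNtSetValueKey,
    RegNtDeleteValueKey,
    RegNtQueryKey,
    RegNtQueryValueKey
} REG_NOTIFY_CLASS;

/* Constructed watchlist: kernel-style paths of keys whose reads must be blocked. */
static const char *const g_watched_keys[] = {
    "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleSchool\\Licensing",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleSchool\\StoredCredentials",
};

/* True if path is prefix itself or a subkey of it, compared case-insensitively
 * (registry names are case-insensitive). "...\Licensing2" must not match "...\Licensing". */
static int key_is_under(const char *path, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return path[i] == '\0' || path[i] == '\\';
}

int is_watched_key(const char *keypath)
{
    size_t n;
    for (n = 0; n < sizeof g_watched_keys / sizeof g_watched_keys[0]; n++)
        if (key_is_under(keypath, g_watched_keys[n]))
            return 1;
    return 0;
}

/* The decision a RegWatcher-style callback would return for one operation. */
NTSTATUS reg_filter(REG_NOTIFY_CLASS cls, const char *keypath)
{
    /* Step 2: drop everything that is not a read before doing any string work. */
    if (cls != RegNtQueryKey && cls != RegNtQueryValueKey)
        return STATUS_SUCCESS;

    /* If the key name could not be resolved, let the operation through rather
     * than stall every registry read in the system. */
    if (keypath == NULL)
        return STATUS_SUCCESS;

    /* Step 3: block reads of watched keys, allow everything else. */
    return is_watched_key(keypath) ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

/* Constructed sample of operations as the callback would see them. */
typedef struct { REG_NOTIFY_CLASS cls; const char *keypath; } reg_event;
static const reg_event g_sample_events[] = {
    { RegNtQueryValueKey, "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleSchool\\Licensing\\ProductKey" },
    { RegNtQueryKey,      "\\registry\\machine\\software\\exampleschool\\licensing" },
    { RegNtSetValueKey,   "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleSchool\\Licensing\\ProductKey" },
    { RegNtQueryValueKey, "\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleSchool\\Licensing2\\Foo" },
    { RegNtQueryValueKey, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" },
};

/* Number of sample operations the filter would deny. */
int count_denied(void)
{
    int denied = 0;
    size_t n;
    for (n = 0; n < sizeof g_sample_events / sizeof g_sample_events[0]; n++)
        if (reg_filter(g_sample_events[n].cls, g_sample_events[n].keypath) == STATUS_ACCESS_DENIED)
            denied++;
    return denied;
}

int main(void)
{
    size_t n;
    for (n = 0; n < sizeof g_sample_events / sizeof g_sample_events[0]; n++) {
        NTSTATUS st = reg_filter(g_sample_events[n].cls, g_sample_events[n].keypath);
        printf("%-6s %s\n", st == STATUS_ACCESS_DENIED ? "DENY" : "allow", g_sample_events[n].keypath);
    }
    printf("denied: %d\n", count_denied());
    return 0;
}
```

Only the first two sample operations are denied: the write is outside the classes the filter handles, the Licensing2 key is a sibling rather than a subkey, and the Run key is not on the watchlist.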
You need to hook registry key writes and reads at kernel level to watch the registry key access. I remember there was source code on the wenpoint security info website, but I could not find it now. You can do a search.