Kayaker
November 20th, 2000, 14:38
Hi All,
I was playing with a program that *appeared* to be resistant to Filemon/Regmon hooking. Cool, I thought. So I checked for the presence of 'FilemonClass' and 'RegmonClass' in the file, apparently the usual method of detection, though I've never been lucky enough to find a proggy that did this. No dice.
No problem with other file/registry/API monitors, no anti-SoftIce, a few odd API calls at the start, but I couldn't understand what effect they might be having on this. Then I happened to run the proggy under a different filename - Bingo.
The original filename began with a number. Filemon and Regmon apparently do not recognize filenames beginning with a number or a character other than a letter. You can duplicate the effect with Notepad. I checked the source code of Filemon/Regmon but couldn't figure out why this would be.
Anyway, just something to be aware of if you ever have a filename that doesn't start with a letter, or maybe if you want to throw a twist into a ReverseMe.
Kayaker
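An added illustration of the class of bug the post describes (this is not Kayaker's code and not Sysinternals' Filemon/Regmon source; the post does not establish the real cause). It shows how a process-name predicate that only accepts names starting with a letter silently drops exactly the processes mentioned above, next to a corrected predicate, so an analyst can check which image names in a capture a monitor with that flaw would never show. The event list is constructed sample data, not real Filemon output.

```python
"""Process-name filters: a hypothetical letter-first bug beside a corrected check.

Added example; constructed data; not the original post's or Sysinternals' code.
"""
import re

# Constructed sample events: (image name, operation) as a file/registry monitor
# might record them. Several names deliberately start with a non-letter.
SAMPLE_EVENTS = [
    ("notepad.exe", "OPEN C:\\test.txt"),
    ("7target.exe", "OPEN C:\\target.ini"),
    ("_setup.exe", "QUERY HKLM\\Software\\Foo"),
    ("2ndtry.exe", "READ C:\\data.bin"),
    ("Target.exe", "OPEN C:\\target.ini"),
    ("\u00c4rger.exe", "OPEN C:\\umlaut.txt"),  # non-ASCII first letter
]


def letter_first_filter(name: str) -> bool:
    """Hypothetical buggy predicate: show an event only if the image name
    starts with an ASCII letter. Everything else is dropped without notice."""
    return re.match(r"[A-Za-z]", name) is not None


def any_name_filter(name: str) -> bool:
    """Corrected predicate: accept any non-empty, printable image name and
    let the *user's* include/exclude list decide what to hide."""
    return bool(name) and name.isprintable()


def dropped_by(events, predicate):
    """Image names a monitor using `predicate` would never display."""
    return [name for name, _ in events if not predicate(name)]


def shown_by(events, predicate):
    """Image names a monitor using `predicate` would display."""
    return [name for name, _ in events if predicate(name)]


def audit_capture(events):
    """Defender-side check: which names in a capture would a letter-first
    monitor miss, and does the corrected filter still hide anything?"""
    return {
        "missed_by_letter_first": dropped_by(events, letter_first_filter),
        "missed_by_corrected": dropped_by(events, any_name_filter),
    }


if __name__ == "__main__":
    for key, names in audit_capture(SAMPLE_EVENTS).items():
        print(f"{key}: {names}")
```

The point of `audit_capture` is that a monitor's silence is not evidence of no file or registry activity: before concluding a sample is "quiet", rename it (as the post did) or list the image names the tool would reject under its own naming assumptions.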