
View Full Version : Filemon/Regmon Programs


nyx
March 22nd, 2002, 13:20
There are some programs, like those from Elcomsoft (Advanced eBook Processor, etc.), that, when installed, shut Filemon/Regmon down if it is running. Well, is there any advanced program other than the ones provided by Sysinternals? Any idea how they shut these programs down?


Thankz -nyx

Solomon
March 22nd, 2002, 15:03
1. detect the GUI with FindWindow(Ex)
2. detect the driver with CreateFileA

foxthree
March 22nd, 2002, 20:07
To add to Solomon, they mostly check the window class. This makes it trickier to hide the window. For instance, even if you code a small proggie that can find the window handle of RegMon and change its title (a.k.a. SetWindowText), you'll be surprised to see that the window closes.

Fear not! If you look into FindWindow, it also takes the class name. So just patch the class name in the proggie and voila! RegMon is alive and well.

Signed,
-- FoxThree

nyx
March 26th, 2002, 08:03
Quote (foxthree):
So just patch the class name in the proggie and voila!


How ?

ancev
March 26th, 2002, 17:07
Hi,

You can also patch the APIs it uses to detect, and hide some results.

I attached code I did to hide explorer.exe from process viewers, but as is it only works on Win98.

ancev

foxthree
March 26th, 2002, 17:31
Hi:

Just hexedit it.

Signed,
-- FoxThree

KurtzHz
April 3rd, 2002, 08:38
You also might try the n00b-friendly API Monitor. Even if your proggie detects it, you'll still get a nice list of (almost) all the APIs the prog called before detection.

hxxp://www.rohitab.com/apimonitor/

nyx
April 9th, 2002, 05:58
Thanks for that link there. That was a good monitoring program I missed out on.

nyx

Aimless
April 9th, 2002, 07:50
Note:

Regmon now automatically "RANDOMIZES" its own class name (check out what Mark has to say about that).

If you want to try your own thing:

1. Download the SOURCES of FileMon and RegMon.
2. Note that a class name can be numbers as well as names.
3. Note that the window names can be numbers as well as names.
4. Search for the area where class/window names are declared in the source.
5. Add a variable and a line of code:
   int random_class = date_to_number(getsystemdate())
   class name = random_class
6. Compile the same.
7. Henceforth, every time you run FileMon/RegMon you should get the class name changed to getsystemdate.
8. For more complicated randomizing, try getting getsystemtime(). This changes by the nanosecond.
9. Alternatively, simply look up Regmon's source to see how the class randomizer is implemented, and do the same.

...Have Phun
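As an added illustration of the steps above (this is example code written for this page, not code from the thread, from Regmon, or from the Sysinternals sources): the portable part derives a per-run window-class name from the system time, and the Win32 part (compiled only under _WIN32) registers the window under that name and then runs the self-check a practitioner actually wants, a FindWindow lookup by the old fixed class name, which should now come back empty. The fixed name "OLD_FIXED_CLASS_NAME" is a placeholder; the real historical class name is not given in the thread and would have to be read from the tool's source.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Derive a window-class name that differs on every run.  The seed is the
 * current time, as the thread suggests; it is passed through the splitmix64
 * finaliser so that consecutive seeds do not give consecutive, guessable
 * names.  Returns the length of the name written to buf. */
size_t make_run_specific_class_name(char *buf, size_t buflen,
                                    unsigned long long seed)
{
    int n;
    unsigned long long z = seed + 0x9E3779B97F4A7C15ULL;
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    z ^= z >> 31;
    /* "w" plus 16 hex digits: a plain string class name, never a fixed literal */
    n = snprintf(buf, buflen, "w%016llx", z);
    return n < 0 ? 0 : (size_t)n;
}

/* Self-check helper: do two different seeds really produce two names? */
int class_names_differ(unsigned long long a, unsigned long long b)
{
    char na[32], nb[32];
    make_run_specific_class_name(na, sizeof na, a);
    make_run_specific_class_name(nb, sizeof nb, b);
    return strcmp(na, nb) != 0;
}

/* Self-check helper: length of the generated name for a given seed. */
int class_name_length(unsigned long long seed)
{
    char n[32];
    return (int)make_run_specific_class_name(n, sizeof n, seed);
}

#ifdef _WIN32
static LRESULT CALLBACK wndproc(HWND h, UINT m, WPARAM w, LPARAM l)
{
    if (m == WM_DESTROY) { PostQuitMessage(0); return 0; }
    return DefWindowProcA(h, m, w, l);
}

/* Register the class under the generated name and create the main window.
 * The title is kept generic as well, since FindWindow can match on either. */
HWND create_monitor_window(HINSTANCE inst, const char *class_name)
{
    WNDCLASSA wc;
    memset(&wc, 0, sizeof wc);
    wc.lpfnWndProc   = wndproc;
    wc.hInstance     = inst;
    wc.lpszClassName = class_name;
    if (!RegisterClassA(&wc))
        return NULL;
    return CreateWindowA(class_name, "Monitor", WS_OVERLAPPEDWINDOW,
                         CW_USEDEFAULT, CW_USEDEFAULT, 640, 480,
                         NULL, NULL, inst, NULL);
}

/* The check from the other side: does a lookup by the old fixed class name
 * (placeholder value; substitute the tool's historical name) still hit? */
int fixed_class_name_still_visible(const char *old_class_name)
{
    return FindWindowA(old_class_name, NULL) != NULL;
}
#endif

int main(void)
{
    char class_name[32];
    make_run_specific_class_name(class_name, sizeof class_name,
                                 (unsigned long long)time(NULL));
    printf("this run's window class: %s\n", class_name);
#ifdef _WIN32
    {
        MSG msg;
        HWND w = create_monitor_window(GetModuleHandleA(NULL), class_name);
        if (!w) { fprintf(stderr, "window creation failed\n"); return 1; }
        ShowWindow(w, SW_SHOW);
        printf("lookup by fixed name finds it: %s\n",
               fixed_class_name_still_visible("OLD_FIXED_CLASS_NAME") ? "yes" : "no");
        while (GetMessageA(&msg, NULL, 0, 0) > 0) {
            TranslateMessage(&msg);
            DispatchMessageA(&msg);
        }
    }
#endif
    return 0;
}
```

Seeding from time(NULL) is the thread's own suggestion and is enough to defeat a hard-coded class-name string; a tool that wants the name to be unpredictable rather than merely changing would seed from a cryptographic source instead. Note also that this only addresses the FindWindow check mentioned earlier in the thread; the CreateFileA check against the driver's device name is a separate matter.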

foxthree
April 9th, 2002, 08:29
Now you guys can forget my hex patching trick. Alas, guess I was too lazy to modify the RegMon sources.

I'd say 'tis about time somebody added stealth to *Mon proggies...

Signed,
-- FoxThree