
question about debugging an app and preventing registry access..


Mrklippel
April 19th, 2004, 15:40
hi,

I have a question.

I'd like to know if it is possible to write a loader that loads an exe file
AND that allows the exe file to write only to 2 given keys in the registry...

Reading is allowed for all keys.

Writing only for 2 keys (and their subkeys, of course..)

disavowed
April 19th, 2004, 16:15
yes, it is possible

Mrklippel
April 19th, 2004, 16:19
Quote:
[Originally Posted by disavowed]yes, it is possible


Is it possible you tell a little more on how to approach it?

E.g. hooking, or doing something else..
I'd like to know how,

because if I can prevent the app from writing to any other key than it needs, I can defeat/bypass the trial scheme.

E.g., for all reads of the registry from within ASPR, I can return "not found" or something like that.

I will do that until the last SEH, then I'll hand control of the registry back to the program.

As a result the trial scheme is defeated, or is this thought too easy???

grtz, MrKlippel

dELTA
April 19th, 2004, 19:03
One generic method would be to let the loader do the following:

1. Inject hook/handler function (see below) into target memory space (inside PE cave, or allocate dynamic memory).

2. Replace IAT address entry (or equivalent) of the desired registry API function with an address to your own hook/wrapper function (the one you just injected). Inside this function, forward all calls that have "legal" parameters to the real API, and for the other ones return whatever error codes you like (i.e. in this case when it attempts to write to any other registry key/value than the ones you want).
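
A worked version of the two steps, added here as an example and not part of dELTA's post or of the thread: the wrapper for RegCreateKeyExA (and RegOpenKeyExA, which it forwards to) decides from the key path whether the call is "legal". The target's IAT is modelled as a struct of function pointers so the filter logic compiles and runs with any C compiler; on Windows the same wrapper bodies sit behind the real IAT slots (or behind Detours trampolines) and call the saved original entry points. It goes one step further than returning an error code: for keys outside the allowed set it strips the write rights from the requested access mask and forwards the call, so reads keep working for every key, and it refuses a request that asked for nothing but write rights. The two permitted key paths are invented, and every path is taken relative to one root (HKEY_CURRENT_USER) to keep the example short.

```c
/* Added example, not code from the thread: dELTA's two steps applied to
 * RegCreateKeyExA/RegOpenKeyExA, with the IAT modelled as function pointers. */
#include <ctype.h>
#include <stdio.h>

typedef long LSTATUS;            /* Reg* return type */
typedef unsigned long REGSAM;    /* access mask */

/* Values from winerror.h/winnt.h, copied so no Windows headers are needed. */
#define ERROR_SUCCESS        0L
#define ERROR_ACCESS_DENIED  5L
#define KEY_SET_VALUE        0x0002UL
#define KEY_CREATE_SUB_KEY   0x0004UL
#define DELETE               0x00010000UL
#define WRITE_DAC            0x00040000UL
#define WRITE_OWNER          0x00080000UL
#define KEY_ALL_ACCESS       0x000F003FUL
/* Every right that lets a handle change the key, its values or its ACL. */
#define WRITE_RIGHTS (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | DELETE | WRITE_DAC | WRITE_OWNER)

/* The two keys (and their subkeys) the target may write; hypothetical paths,
 * all taken relative to HKEY_CURRENT_USER for simplicity. */
static const char *const ALLOWED_WRITE_KEYS[] = {
    "Software\\ExampleVendor\\ExampleApp",
    "Software\\ExampleVendor\\Shared",
};

/* 1 when subkey equals an allowed key or lies below it (prefix then '\\'), compared
 * case-insensitively: "...\\ExampleApp\\Trial" passes, "...\\ExampleApplication" not. */
int key_is_allowed(const char *subkey)
{
    size_t i, n;
    for (i = 0; i < sizeof ALLOWED_WRITE_KEYS / sizeof *ALLOWED_WRITE_KEYS; i++) {
        const char *root = ALLOWED_WRITE_KEYS[i];
        for (n = 0; root[n] != '\0'; n++)
            if (tolower((unsigned char)subkey[n]) != tolower((unsigned char)root[n]))
                break;                    /* also stops at the end of subkey */
        if (root[n] == '\0' && (subkey[n] == '\0' || subkey[n] == '\\'))
            return 1;
    }
    return 0;
}

/* Stand-ins for the real advapi32 exports (the IAT's original targets); they
 * report the requested mask as the handle's rights, as a real open would. */
typedef LSTATUS (*regkey_fn)(const char *subkey, REGSAM sam, REGSAM *granted);
static LSTATUS real_RegCreateKeyExA(const char *k, REGSAM sam, REGSAM *g)
{ (void)k; *g = sam; return ERROR_SUCCESS; }
static LSTATUS real_RegOpenKeyExA(const char *k, REGSAM sam, REGSAM *g)
{ (void)k; *g = sam; return ERROR_SUCCESS; }

/* The target's import table, reduced to the two entries that matter here. */
static struct { regkey_fn RegCreateKeyExA, RegOpenKeyExA; } iat =
    { real_RegCreateKeyExA, real_RegOpenKeyExA };
static regkey_fn orig_RegCreateKeyExA, orig_RegOpenKeyExA;  /* saved by the loader */

/* RegOpenKeyExA wrapper: legal keys pass through untouched; any other key loses its
 * write rights (reads still work, RegSetValueEx on the handle fails in the kernel). */
static LSTATUS hook_RegOpenKeyExA(const char *k, REGSAM sam, REGSAM *g)
{
    if (key_is_allowed(k))
        return orig_RegOpenKeyExA(k, sam, g);
    sam &= ~WRITE_RIGHTS;
    if (sam == 0) { *g = 0; return ERROR_ACCESS_DENIED; }   /* asked only for writes */
    return orig_RegOpenKeyExA(k, sam, g);
}

/* RegCreateKeyExA wrapper: creating a key is itself a write, so a key outside
 * the allowed set is only opened read-only, never created. */
static LSTATUS hook_RegCreateKeyExA(const char *k, REGSAM sam, REGSAM *g)
{
    if (key_is_allowed(k))
        return orig_RegCreateKeyExA(k, sam, g);
    return hook_RegOpenKeyExA(k, sam, g);
}

/* Step 2: the loader swaps the IAT entries for the injected wrappers.
 * Idempotent, so a second call cannot make a wrapper its own "original". */
void install_registry_filter(void)
{
    if (iat.RegCreateKeyExA == hook_RegCreateKeyExA) return;
    orig_RegCreateKeyExA = iat.RegCreateKeyExA;
    orig_RegOpenKeyExA   = iat.RegOpenKeyExA;
    iat.RegCreateKeyExA  = hook_RegCreateKeyExA;
    iat.RegOpenKeyExA    = hook_RegOpenKeyExA;
}

/* The target's own call goes through its IAT, so it lands in the wrapper. */
LSTATUS target_create(const char *k, REGSAM sam, REGSAM *granted)
{ return iat.RegCreateKeyExA(k, sam, granted); }

int main(void)
{
    REGSAM g; LSTATUS rc;
    install_registry_filter();
    rc = target_create("Software\\ExampleVendor\\ExampleApp\\Trial", KEY_ALL_ACCESS, &g);
    printf("allowed key:  rc=%ld granted=%#lx\n", rc, g);   /* 0, 0xf003f */
    rc = target_create("Software\\Other\\Trial", KEY_ALL_ACCESS, &g);
    printf("other key:    rc=%ld granted=%#lx\n", rc, g);   /* 0, 0x20039 */
    rc = target_create("Software\\Other\\Trial", KEY_SET_VALUE, &g);
    printf("other, write: rc=%ld granted=%#lx\n", rc, g);   /* 5, 0 */
    return 0;
}
```

Two things a real loader has to add. First, RegSetValueEx and RegDeleteKey take an HKEY, not a path, and a key can be opened relative to a previously opened handle or written through a predefined root such as HKEY_CURRENT_USER directly, so the wrappers must keep a handle-to-path map from the handles RegOpenKeyEx/RegCreateKeyEx return and also sit on the write APIs (and on the W variants). Second, patching the IAT only catches calls that are resolved through it; a protector such as ASProtect rebuilds the import table and resolves APIs at run time, so the slot is never used, which is where an inline hook on the advapi32 export itself (the Detours approach suggested further down) still works.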

disavowed
April 19th, 2004, 19:26
easier solution: http://research.microsoft.com/sn/detours/

Mrklippel
April 20th, 2004, 09:36
Quote:
[Originally Posted by disavowed]easier solution: http://research.microsoft.com/sn/detours/

Mmm great idea....

Now I'm looking for a good ASM example... so I can start working...

I like the idea of monitoring API calls..