
Just a loose idea for a tool.


naides
April 18th, 2005, 07:57
By no means is this a completely thought-out thing;
I would just like to hear ideas about how useful and how feasible a tool like this might be.

When a protected program is installed, it introduces an arbitrary number of changes in the system: new files, new registry keys, hidden files, hidden records at low level hard disk locations, to keep track of time of install, number of uses, registered demo etc. etc.

What I would like is a tool that produces an inventory of all these changes: at the time of installation, and at the time of the 'demo expired' state.

Of course Filemon and Regmon can keep track of many of these things, but with a lot of background noise, and necessarily running alongside the protected app.

What I would try goes like this:

Set up a VMware virtual machine (Yes, I am fascinated with this toy).
Clone it and install the Software in the clone.
Clone it and expire the software.

Now we have Static Snapshots of the three states, clean, active and expired.

Scan the VMware .vmx files and point out the differences.

Of course 'scan' means reversing the vmx internal structure, sorting out the disk logic structure, the file system structure and the Windows registry structure.

Because the analysis is done 'static', any anti-debug, anti-Regmon, anti-Filemon, anti-monitor tricks are effectively neutralized; no API hooking is necessary, the protection is NOT running, only its interactions with the machine are recorded.

Comments?

ughugh
April 18th, 2005, 08:20
You can, for simplicity, mount the drives in another virtual machine, so you don't have to figure out the vmx stuff. Install OS on fat32, and you'll have minimal fuss finding the differences.

Silver
April 18th, 2005, 09:36
Naides, most software packagers are capable of doing this. I've used Installshield and Wise to repackage "nasty" applications into "easy" single click installer.exes. You set them to scan the system, then you make whatever changes you require (install app etc), then you set them to post-scan the system. They produce a comprehensive difference file and an installer script to make the changes. They're extremely effective and a lot easier than messing with VMX files. Although that would be an interesting task in itself - a la Ghost Explorer for VMware disk images.

naides
April 18th, 2005, 10:02
Hi, Silver, thank you for your answer.
One question: would Installshield, Wise, and other scanners like them catch low-level, direct writes to specific disk clusters, like c-dilla and safecast/safedisk do?
Without testing, I think these would go below the radar.

Silver
April 19th, 2005, 08:45
I can't answer that, unfortunately. My initial thoughts were that these programs somehow hook every API call that occurs, until I saw one quite happily deal with dongle-based registration of a CAD program. I am fairly certain they do not take disk-level images for comparison due to the speed of diff file generation and style of install script. One note, I believe the "standard" Installshield doesn't provide this facility, I think you need the Admin Studio version.
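As an added worked example (not code posted by anyone in this thread), here is the core of the comparison naides describes in the first post, plus the sector-level check that answers his later question about cluster-level writes: inventory the file system of each snapshot (clean, active, expired), diff the inventories, and separately diff the raw disk images sector by sector so that anything written outside the file system still shows up. It assumes the virtual disks (the .vmdk files; the .vmx is only the VM configuration) have been exported to raw images, for instance with `qemu-img convert -f vmdk -O raw`, and that each image's file system is mounted read-only somewhere, as ughugh suggests. The protection never runs during any of this. The sample files and images in `demo_run()` are constructed inline so the script runs offline.

```python
"""Offline diff of VM snapshot states: clean -> active -> expired.

Assumes each snapshot's virtual disk was exported to a raw image and its
file system mounted read-only; nothing from the protected program executes.
"""
import hashlib
import os
import tempfile

SECTOR = 512      # classic sector size; raw images are compared at this granularity
CHUNK = 1 << 20   # read 1 MiB at a time, drop to sector level only when a chunk differs


def inventory(root):
    """Map every regular file under a mounted snapshot to (size, sha256)."""
    inv = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for block in iter(lambda: f.read(CHUNK), b""):
                    h.update(block)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inv[rel] = (os.path.getsize(full), h.hexdigest())
    return inv


def diff_inventories(before, after):
    """Files added, removed, or changed (size or hash) between two inventories."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def diff_sectors(img_a, img_b):
    """Sector ranges [(first, last), ...] that differ between two raw images.

    This sees writes outside any file system structure (unallocated sectors,
    slack space, reserved areas) that a file-level inventory cannot.
    """
    changed = []
    with open(img_a, "rb") as fa, open(img_b, "rb") as fb:
        base = 0
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if not a and not b:
                break
            if a != b:
                for off in range(0, max(len(a), len(b)), SECTOR):
                    if a[off:off + SECTOR] != b[off:off + SECTOR]:
                        changed.append(base + off // SECTOR)
            base += CHUNK // SECTOR
    ranges = []
    for s in changed:  # collapse consecutive sectors into ranges
        if ranges and ranges[-1][1] == s - 1:
            ranges[-1] = (ranges[-1][0], s)
        else:
            ranges.append((s, s))
    return ranges


def demo_run():
    """Run the three-state comparison on constructed data (no real VM needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {}
        for state in ("clean", "active", "expired"):
            root = os.path.join(tmp, state)
            prog = os.path.join(root, "Program Files")
            os.makedirs(prog)
            roots[state] = root
            with open(os.path.join(root, "ntldr"), "wb") as f:   # constructed OS file
                f.write(b"boot loader")
            if state != "clean":                                 # constructed app files
                with open(os.path.join(prog, "app.exe"), "wb") as f:
                    f.write(b"MZ protected app")
                with open(os.path.join(prog, "license.dat"), "wb") as f:
                    f.write(b"ACTIVE" if state == "active" else b"EXPIRED")
        inv = {s: inventory(r) for s, r in roots.items()}

        # constructed 16-sector raw images; 'expired' differs in sectors 3 and 9-10,
        # standing in for a counter written directly to disk outside any file
        imgs = {}
        for state in ("active", "expired"):
            buf = bytearray(16 * SECTOR)
            if state == "expired":
                buf[3 * SECTOR] = 0x01
                buf[9 * SECTOR:11 * SECTOR] = b"\xff" * (2 * SECTOR)
            imgs[state] = os.path.join(tmp, state + ".raw")
            with open(imgs[state], "wb") as f:
                f.write(buf)

        return {
            "install": diff_inventories(inv["clean"], inv["active"]),
            "expire": diff_inventories(inv["active"], inv["expired"]),
            "sectors": diff_sectors(imgs["active"], imgs["expired"]),
        }


if __name__ == "__main__":
    for step, result in demo_run().items():
        print(step, result)
```

On real snapshots, point `inventory()` at each mounted image and `diff_sectors()` at the raw files; the interesting output is the set of changed sector ranges that do not map to any file reported as added or modified, since those are the candidates for the cluster-level marks naides asks about. Mapping a sector back to a file (or to free space) requires parsing the file system, which is much simpler on FAT32 than NTFS, which is why ughugh's FAT32 suggestion helps here. Registry changes are not covered by this script: the hive files will show up as modified, but diffing their contents needs a hive parser.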