View Full Version : A Couple of Questions ???


Clandestiny
October 31st, 2000, 22:00
Thx goatass for taking the initiative with the first project. I can already tell that this is going to be a great opportunity for newbies like me to learn :-)

I just downloaded the moving pix program, but before I dive too deeply into this project, I would really appreciate a little more insight on how to use filemon / regmon. I noticed that these tools were mentioned in one of the posts. I've mostly gotten by with Wdasm and SoftIce to this point but since I've now seen both filemon and regmon referenced several times, I decided I should check them out. I downloaded them and ran them, but am not quite sure what I am looking for or how to sort out the relevant information. I ran filemon once without the moving pix program being open (??to get some baseline info??) and then again after opening and attempting to register moving pix. I saved both of these to a file and then opened them and attempted to compare them for any key differences. These files were *very* long and I'm not quite sure what I'm looking for or if this was the right approach ??? I know this must be a very *basic* question and I will really appreciate any pointers on the use of these tools...

Thanks in advance,
Clandestiny

ThRaX
October 31st, 2000, 22:13
Awright here:
First off, set your filter in filemon/regmon such that only events from MovingPix (I believe the process name is "Moving") are captured. Then open up the program, go to the registration dealy, type in your stuff, press okay, then exit. Do this for filemon and regmon---This procedure is common for any programs with a registration screen (I donno if MovingPix does, as I don't have it yet...if it doesn't, then open filemon/regmon, then open MovingPix, then close MovingPix)...Then view the file. It shouldn't be THAT long, but look for any registry entries or files with the word "register", "user", "Name", "serial", "code", or anything that looks like it may have something to do with it---or in some rare cases, just anything that looks out of place.

hope this helps
--ThRaX

Kayaker
November 1st, 2000, 02:31
Hi Clandestiny and other Project keeners,

OK, I just got an error message from my post that
The "Message" field cannot contain more than 4098 characters.
So, I'll break this in 2

A couple of points re Filemon and Regmon. Rather than setting an Include filter to capture the process you think you want (Moving), you can set Exclude filters for all regular background stuff you don't want. For example, mine right now is
explorer;regmon(or filemon);???;kernel32;msgsrv32;tapisrv
for both programs. You may come up with others on your system that you're not interested in. The Include filter is "*".

This way, you're set up to go for any program, and you won't miss any situation where the main program might call another process (exe, dll) which itself tries to access a file or the registry. As an aside, I just noticed CloneCD does this; the name of the 2nd process is a nonsense name that is different each time it's run. I don't know what the REAL process is yet, but it's a neat trick.

Both programs have the nifty ability when you double click on an entry to open up the associated registry key (VERY useful for a quick check to see if this might be a "suspicious" entry) or the file directory (less useful).

One thing I often do when I first see a suspicious file or reg entry which might hold some install date info is to make a backup copy of it immediately. Then you can compare a few days or runs later and see if anything has changed.

It's also useful to use an install monitor, such as Inctrl4 (PC Mag freebie), when installing for the 1st time. Sometimes it'll show things you might not pick up immediately with Filemon or Regmon. Plus, you should use these 2 the VERY 1st time you run the program, as well as any subsequent times. Occasionally a program may write something somewhere on the initial run which it won't check until later (Perfect Companion is a good example where having original Install/Filemon/Regmon logs proved helpful in ferreting (!) out some 'hidden' orphan items left behind).

For Filemon, there's a cool util called Filemon Log Killer by Marton and R0ach which removes all the duplicate Filemon log entries. This is useful for making any suspicious entries stand out. Really saves the 'ol eyeballs on those big logs. You can get it at one of the Tools sites on the shelf next to Filemon.

On to Part II...
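The two log-taming tricks in this post (Include "*" plus an Exclude list, then stripping duplicate entries the way Filemon Log Killer does) as a small added script; this is not Kayaker's code or a Sysinternals tool. It assumes Filemon's tab-separated save format and treats filter terms as case-insensitive substrings with "*" wildcards matched against the process name and path; the log lines are constructed.

```python
import fnmatch

# Constructed sample in the tab-separated layout Filemon saves
# (#, Time, Process, Request, Path, Result, Other); handles and paths are made up.
SAMPLE_LOG = """\
1\t21:58:03\tExplorer:FFF6A123\tOpen\tC:\\WINDOWS\\SYSTEM\\SHELL32.DLL\tSUCCESS\tOPENEXISTING
2\t21:58:04\tMoving:FFF1C2A3\tOpen\tC:\\Program Files\\MovingPix\\Moving.ini\tNOTFOUND\tOPENEXISTING
3\t21:58:04\tMoving:FFF1C2A3\tOpen\tC:\\Program Files\\MovingPix\\Moving.ini\tNOTFOUND\tOPENEXISTING
4\t21:58:05\tFilemon:FFF2B000\tWrite\tC:\\TEMP\\FILEMON.LOG\tSUCCESS\tOffset: 0
5\t21:58:06\tMoving:FFF1C2A3\tRead\tC:\\WINDOWS\\SYSTEM\\USER32.DLL\tSUCCESS\tOffset: 4096
6\t21:58:07\tMoving:FFF1C2A3\tOpen\tC:\\WINDOWS\\MovingPix.reg\tNOTFOUND\tOPENEXISTING
"""

COLUMNS = ("n", "time", "process", "request", "path", "result", "other")

def parse_filemon(text):
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:          # header junk or blank line
            continue
        cols += [""] * (len(COLUMNS) - len(cols))
        rows.append(dict(zip(COLUMNS, cols)))
    return rows

def matches(filter_spec, row):
    """Filemon-style filter: ';'-separated terms, '*' wildcard, case-insensitive,
    matched as a substring of the process name or the path (assumed semantics)."""
    haystack = (row["process"] + "\t" + row["path"]).lower()
    return any(fnmatch.fnmatchcase(haystack, "*%s*" % term.lower())
               for term in filter_spec.split(";") if term)

def apply_filters(rows, include="*", exclude=""):
    """Include everything, then drop the background noise named in the post."""
    return [r for r in rows if matches(include, r) and not matches(exclude, r)]

def kill_duplicates(rows):
    """Keep the first of each identical (process, request, path, result, other) entry."""
    seen, out = set(), []
    for r in rows:
        key = tuple(r[c] for c in COLUMNS[2:])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out

if __name__ == "__main__":
    kept = apply_filters(parse_filemon(SAMPLE_LOG),
                         exclude="explorer;filemon;kernel32;msgsrv32;tapisrv")
    for r in kill_duplicates(kept):
        print(r["n"], r["process"], r["request"], r["path"], r["result"])
```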

Kayaker
November 1st, 2000, 02:34
Another indispensable part of the 'Reverser's Toolset' IMHO is an API monitor. Here's one line from the APISpy32 output for Moving.exe using the Kernel32.fnl library:

0040C3F9:GetVolumeInformationA(LPSTR:012620ED:"C:\",LPSTR:00000000,
DWORD:00000000,LPDATA:006AF9D8,LPDATA:006AF9DC,
LPDATA:006AF9DC,LPSTR:00000000,DWORD:00000000)

This tells you for one thing that GetVolumeInformationA is actually used and might be important. Combine this with other Kernel32 calls plus results from User32, Advapi32 and any of the program's dll's functions (you can build your own .fnl library with APISpy32), and you can get a truckload of information on what the program is doing and the general code flow.

0040C3F9 is the address of the Call as seen in WDasm or Softice (this isn't *always* the case, but it often holds) which you can set a breakpoint on or scope out the disassembly code of:

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
|
:0040C3F9 FF15289B4300 Call dword ptr [00439B28]

The information in the brackets after the address and function are all 8 of the call's stack parameters BEFORE the call, which is of course where the Win32 Programmer's Reference comes in.

The entry LPDATA:006AF9D8 is the 4th parameter of GetVolumeInformationA, or lpVolumeSerialNumber which "points to a variable that receives the volume serial number". Hmmm, might this be important? Would it be worth doing a 'dd 6AF9D8' in Softice before you F10 step over the call at 40C3F9?

Anyway, just a few ideas for now. Good Luck with the rest.

BTW, if anyone wants to bypass the email registration needed to d/l the program (why annoy the poor programmer with bogus email addresses?), here's the direct links (note the \Backslash argument):

h*tp://www.stagetools.com/downloads\Support.exe
h*tp://www.stagetools.com/downloads\MovingPix.exe
(both required)
h*tp://www.stagetools.com/downloads\OpenGL.exe
(required if you don't have OpenGL already installed (Win95, early Win98 perhaps)

Cheers,

Kayaker
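The reading of the APISpy32 line that the post walks through by hand (call address, function, the 8 stack parameters, which of them are output pointers worth dumping after the call) as an added parser; this is not Kayaker's code and not part of APISpy32. The sample is the post's GetVolumeInformationA line joined onto one line, and the parameter names are the ones the Win32 Programmer's Reference gives for that function.

```python
import re

# The GetVolumeInformationA line quoted in the post, joined onto one line.
# APISpy32 prints CALLADDR:Function(TYPE:HEXVALUE[:"text"],...)
SAMPLE_LINE = ('0040C3F9:GetVolumeInformationA(LPSTR:012620ED:"C:\\",LPSTR:00000000,'
               'DWORD:00000000,LPDATA:006AF9D8,LPDATA:006AF9DC,'
               'LPDATA:006AF9DC,LPSTR:00000000,DWORD:00000000)')

# Parameter names in stack order, from the Win32 Programmer's Reference.
PARAM_NAMES = {
    "GetVolumeInformationA": [
        "lpRootPathName", "lpVolumeNameBuffer", "nVolumeNameSize",
        "lpVolumeSerialNumber", "lpMaximumComponentLength", "lpFileSystemFlags",
        "lpFileSystemNameBuffer", "nFileSystemNameSize",
    ],
}

LINE_RE = re.compile(r'^([0-9A-Fa-f]{8}):(\w+)\((.*)\)$')
ARG_RE = re.compile(r'(\w+):([0-9A-Fa-f]{8})(?::"([^"]*)")?')

def parse_apispy_line(line):
    """Split one APISpy32 call line into call address, function and named parameters."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an APISpy32 call line: %r" % line)
    addr, func, raw_args = m.groups()
    names = PARAM_NAMES.get(func, [])
    params = []
    for i, (ctype, value, text) in enumerate(ARG_RE.findall(raw_args)):
        params.append({
            "name": names[i] if i < len(names) else "arg%d" % (i + 1),
            "type": ctype,
            "value": int(value, 16),
            "text": text or None,   # string APISpy32 dereferenced for LPSTR args
        })
    return {"call_addr": int(addr, 16), "function": func, "params": params}

def output_buffers(parsed):
    """Non-NULL LPDATA pointers: the variables the API fills in, i.e. the
    addresses worth a 'dd' after stepping over the call. Duplicates are grouped."""
    seen = {}
    for p in parsed["params"]:
        if p["type"] == "LPDATA" and p["value"] != 0:
            seen.setdefault(p["value"], []).append(p["name"])
    return seen

if __name__ == "__main__":
    info = parse_apispy_line(SAMPLE_LINE)
    print("call at %08X -> %s" % (info["call_addr"], info["function"]))
    for addr, names in output_buffers(info).items():
        print("  dd %X   ; receives %s" % (addr, ", ".join(names)))
```

Note that the post's line lists 006AF9DC for two parameters; the parser keeps that as-is and groups both names under the one address.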

Clandestiny
November 1st, 2000, 19:46
Thx Kayaker and Thrax.

You were right. The filter function was the key. I actually did not find too much that seemed relevant in regards to the Moving Pix program in either filemon or regmon, but it is good to know how to use these 2 new tools just the same. Just 1 other question though...I was wondering if there is any way to save the filter information in filemon...regmon asks me if I want to continue using my previous filters when I open the program...filemon just deletes them. Maybe I have an old version of filemon (it is v. 4.01)?

Thx,
Clandestiny

?ferret
November 1st, 2000, 21:14
hmm...get filemon to do something that it usually doesn't (that regmon does)....Do I hear someone calling your name Kayaker? heheh

Kayaker
November 1st, 2000, 21:49
Dang, wish I could get this board to do something it doesn't want to do and keep me logged in long enough to post as a registered user. I have to type in my nick and pw each time to post even if I'm logged in just prior to clicking on "Reply".

I don't know why you're getting that behaviour with Filemon Clandestiny. I don't think there's a "Save" feature for the filters, just the "Reset" which acts as an unsave. 4.29 is the latest version (Sept/00)

Well let's see, by using Regmon on Filemon (with the "filemon" Exclude filter omitted) it seems that Filemon keeps its filter settings under

[HKEY_CURRENT_USER\Software\Systems Internals\Filemon]
"Settings"
"InFilters"
"ExFilters"
"HiFilters"

You can check there to see if the info still exists.

MR. Candyman
November 2nd, 2000, 01:48
I see that the last 2 or 3 posts hint at "aiding the program filemon along in its progression through the versions" and another "fixing the message board for selfish, but useful needs"

the second would require hacking into the server though...not something I can do yet, but it would be fun...

but the first would be cool too...combining the programs is good research

?ferret
November 2nd, 2000, 21:42
Hi MR. Candyman,

Go to qferret.cjb.net and look for the essay by Kayaker. Download the zip file & enjoy the read ;-)