Thread: Just a loose idea for a tool.

  1. #1
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth

    Just a loose idea for a tool.

    By no means is this a completely thought-out thing;
    I would just like to hear ideas about how useful and how feasible a tool like this might be.

    When a protected program is installed, it introduces an arbitrary number of changes in the system: new files, new registry keys, hidden files, hidden records at low level hard disk locations, to keep track of time of install, number of uses, registered demo etc. etc.

    What I would like is a tool that produces an inventory of all these changes: At the time of installation, and at the time of 'demo expired' state.

    Of course Filemon and Regmon can keep track of many of these things, but with a lot of background noise, and necessarily running alongside the protected app.

    What I would try goes like this:

    Set up a VMware virtual machine (Yes, I am fascinated with this toy).
    Clone it and install the Software in the clone.
    Clone it and expire the software.

    Now we have Static Snapshots of the three states, clean, active and expired.

    Scan the VMware .vmx files and point out the differences.

    Of course, scan means reversing the vmx internal structure, sorting out the disk logic structure, the file system structure and the Windows registry structure.

    Because the analysis is done 'static', any anti-debug, anti-Regmon, anti-Filemon, anti-monitor tricks are effectively neutralized, no API hooking is necessary, the protection is NOT running, only its interactions with the machine are recorded.

    Last edited by naides; April 18th, 2005 at 08:09.

  2. #2
    You can, for simplicity, mount the drives in another virtual machine, so you don't have to figure out the vmx stuff. Install OS on fat32, and you'll have minimal fuss finding the differences.
    I promise that I have read the FAQ and tried to use the Search to answer my question.
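
The mount-and-compare approach from post #2, applied to the three states from post #1, as an added example that is not part of the original thread. It assumes the clean, active and expired snapshot disks are mounted read-only at three directories; the function names and the ignore list are assumptions.

```python
import hashlib
import os
from fnmatch import fnmatchcase

# Constructed noise list (assumption): files the guest OS rewrites on its own.
DEFAULT_IGNORE = ("pagefile.sys", "hiberfil.sys", "windows/temp/*")

def manifest(root, ignore=DEFAULT_IGNORE):
    """Map each relative path under a mounted snapshot to (size, sha256)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or any(fnmatchcase(rel.lower(), p) for p in ignore):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[rel] = (os.path.getsize(full), digest.hexdigest())
    return result

def diff(before, after):
    """Paths added, removed, or changed in content between two manifests."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def three_state_report(clean_root, active_root, expired_root, ignore=DEFAULT_IGNORE):
    """Diff clean -> active (install) and active -> expired (expiry)."""
    clean, active, expired = (
        manifest(r, ignore) for r in (clean_root, active_root, expired_root)
    )
    return {"install": diff(clean, active), "expiry": diff(active, expired)}

if __name__ == "__main__":
    import sys
    for stage, changes in three_state_report(*sys.argv[1:4]).items():
        for kind, paths in changes.items():
            for path in paths:
                print(f"{stage}\t{kind}\t{path}")
```

A file walk like this reports a registry hive only as a modified file, without the keys that changed inside it. Data written outside the file system is not visible to it at all.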

  3. #3
    Naides, most software packagers are capable of doing this. I've used InstallShield and Wise to repackage "nasty" applications into "easy" single-click installer.exes. You set them to scan the system, then you make whatever changes you require (install app etc.), then you set them to post-scan the system. They produce a comprehensive difference file and an installer script to make the changes. They're extremely effective and a lot easier than messing with VMX files. Although that would be an interesting task in itself - a la Ghost Explorer for VMware disk images.
    Still here...

  4. #4
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth
    Hi, Silver, thank you for your answer.
    One question: Would InstallShield, Wise, and other scanners like them catch low-level, direct writing to specific disk clusters, like C-Dilla and SafeCast/SafeDisc do?
    Without testing, I think these would go below the radar.
    Last edited by naides; April 18th, 2005 at 10:06.

  5. #5
    I can't answer that, unfortunately. My initial thoughts were that these programs somehow hook every API call that occurs, until I saw one quite happily deal with dongle-based registration of a CAD program. I am fairly certain they do not take disk-level images for comparison due to the speed of diff file generation and style of install script. One note: I believe the "standard" InstallShield doesn't provide this facility; I think you need the Admin Studio version.
    Still here...