Question

The Project: I am currently developing a security system and the system relies on the registry for support.

The Problem: If someone managed to locate the registry key I am using, that person could bypass the system. I need to be able to avoid Registry Monitors and other software so that activity with the registry key would be hidden.

Does anyone know how to do this or is there a better method I could use for this purpose?

Thank you.

Solution

Why are you trying to hide your software from administrators? The administrator owns the machine, and normally only malware tries to hide itself from machine owners.

There are rootkit-type techniques that will work against most detection attempts. But if you have to resort to that type of technique, your software will resemble a true rootkit. This is normally a bad thing - in fact, some AV (and tools like RootkitRevealer) will find your software and kill it. Are you sure you want to engage in that type of battle?

It's hard to advise on a suitable alternative without knowing what you're trying to protect or prevent. Your first action should be to create a threat model. Then you might want to look at techniques involving a digital certificate to keep your private information secret and free from non-detectable tampering. Your app can legitimately install its own digital certificate without your customer ever being aware.

Edit: In answer to your comment, the best way of ensuring that certificate removal is detected is to "phone home" during install with a hash of the machine's identity. The hash identifies the machine uniquely without giving you any information about the machine. There are licensing schemes that will do all this for you, such as Desaware's licensing system.

OTHER TIPS

Not foolproof in any way, but you could look for the most common ones (like RegMon and Process Explorer etc.) and if you find any of them running you can put up a dialog telling the user that he has to disable them to be allowed to continue. You'd have to keep checking for those though, so that he doesn't start it again after the install starts. I think this is what the copy protection for some games does.

Though I'd think the user could just export most/all sections of the registry in text format before the installation and then again afterwards and just do a compare, so even if you could make sure that nothing was running you'd still not be able to make sure that your changes couldn't be found.

The correct thing to do is design a system that cannot be bypassed simply by knowing the registry keys used.
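As an added example (not code from any of the answerers), here is the shape of a design that the accepted answer and the last tip point at: the registry value is a vendor-signed record bound to a hashed machine identity, so a user who finds the key can read or delete it but cannot alter or transplant it without the vendor's check failing. It uses a stdlib HMAC held only on the vendor's licensing server in place of the certificate the answer mentions; the machine identifiers and the vendor key are constructed placeholders, and the registry itself is stood in for by a plain dict.

```python
import hashlib
import hmac
import json

# Constructed vendor-side secret. It lives on the licensing server only and is
# never shipped in the product or written to the registry.
VENDOR_KEY = b"constructed-vendor-key-do-not-ship"


def machine_fingerprint(identifiers):
    """Hash of machine identity: stable per machine, reveals nothing about it.

    Order-independent so the same machine always yields the same value. If the
    identifiers are low-entropy (short serials), mix in a vendor-held salt
    before hashing so the hash cannot be brute-forced back to the serials.
    """
    material = "|".join(sorted(identifiers)).encode()
    return hashlib.sha256(material).hexdigest()


def issue_license(machine_id, product, expires):
    """Server side: build the record the installer stores in its registry value."""
    record = {"machine": machine_id, "product": product, "expires": expires}
    payload = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_license(stored, machine_id):
    """Server side ("phone home"): True only if the record is untampered and
    bound to the fingerprint the client reports. A client that edits the
    registry value, or copies it to another machine, fails this check."""
    payload = json.dumps(stored["record"], sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stored["tag"]):
        return False
    return hmac.compare_digest(stored["record"]["machine"], machine_id)


if __name__ == "__main__":
    fp = machine_fingerprint(["constructed-board-serial-123", "constructed-disk-id-abc"])
    registry = {r"HKLM\SOFTWARE\ExampleVendor\License": issue_license(fp, "widget-pro", "2030-01-01")}
    stored = registry[r"HKLM\SOFTWARE\ExampleVendor\License"]
    print("untouched:", verify_license(stored, fp))
    tampered = {"record": dict(stored["record"], expires="2099-12-31"), "tag": stored["tag"]}
    print("edited expiry:", verify_license(tampered, fp))
    print("copied elsewhere:", verify_license(stored, machine_fingerprint(["other-serial"])))
```

Knowing the key path gains the user nothing here; what the design still cannot prevent is deleting the value outright, which is why the answer has install-time phone-home record the fingerprint so removal is noticed rather than hidden.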

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow