Implementing registry monitoring with Delphi 5.0

zhaozj2021-02-11  185

Zhu Hongtao, Information Center, Xiangya Second Hospital, Zhongnan University

With the continuing spread of the Internet, people pay more and more attention to network security. Besides computer viruses, all kinds of hacking software, remote control software and the like leave people feeling increasingly uneasy. Because such software is so varied and is updated constantly, some anti-virus software can no longer protect your machine.

Is there a good way to guard against unknown software being installed on your own machine? The answer is to watch closely for changes to key system files. Everyone knows that if a program is to run automatically when Windows starts, there are generally three ways:

1. Add a shortcut to the [Startup] group of the Start menu

2. Add the relevant entry in Win.ini

3. Add its own value under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The first method is too obvious and is easy to spot, so hacker programs generally use the latter two methods to start themselves. The author introduces a simple registry monitor he wrote himself, which monitors the registry values in real time so that unknown programs can be discovered. Interested readers can improve on it further.

Program design

This program is developed with Delphi 5.0. Delphi is Borland's rapid visual development tool for Windows programs; it is powerful and easy to use. The program uses a timer and compares the registry once per timer interval. At startup it keeps a backup of the relevant original registry values, then compares the current values against that backup; if a change is found, the user is prompted to take a look.

Program implementation

1. Create a new project in Delphi and rename Form1 to FormMain

2. Place a TTimer control on FormMain and save the project as PiregWatch.dpr

3. Modify the code in PiregWatch.dpr:

Application.Initialize;
Application.CreateForm(TFormMain, FormMain);
// do not show the main window at startup
Application.ShowMainForm := False;
Application.Run;

Add the following objects as fields of FormMain:

Reg (TRegistry) - used for registry access
IniFile (TIniFile) - used to save the original registry data
Log (TStringList) - used to record changes
RegKeys (TStringList) - used to store the value names under the Run branch

4. In FormMain's OnCreate event, keep a copy of the original registry data. The main code is as follows:

......
// Self.IniFile (the TIniFile) is assumed to have been created earlier in this handler; the excerpt omits it
Self.Reg := TRegistry.Create;
with Self.Reg do
begin
  RootKey := HKEY_LOCAL_MACHINE;
  // registry paths use backslashes
  if OpenKey('Software\Microsoft\Windows\CurrentVersion\Run', False) then
  begin
    RegKeys := TStringList.Create;
    GetValueNames(RegKeys); // get all value names under Run
    if not Self.IniFile.SectionExists('runlist') then // no saved data yet
    begin
      for i := 0 to RegKeys.Count - 1 do // save the original data
        if (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
          or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString) then
        begin
          Value := Self.Reg.ReadString(RegKeys.Strings[i]);
          Self.IniFile.WriteString('runlist', RegKeys.Strings[i], Value);
        end;
    end;
  end;
end;
......

5. Add the registry comparison code in the Timer1.OnTimer event. The main code is as follows:

procedure TFormMain.Timer1Timer(Sender: TObject);
var
  i: Integer;
  RegVal, IniVal: string;
begin
  Self.Timer1.Enabled := False; // do not re-enter while a comparison is running
  Self.Reg.GetValueNames(RegKeys);
  for i := 0 to RegKeys.Count - 1 do // check new and modified values
    if (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
      or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString) then
    begin
      RegVal := Self.Reg.ReadString(RegKeys.Strings[i]);
      IniVal := Self.IniFile.ReadString('runlist', RegKeys.Strings[i], '');
      if RegVal <> IniVal then
      begin
        // LogMsg is the author's own logging routine (appends to Log)
        Self.LogMsg('Item add: ' + RegKeys.Strings[i] + '=' + RegVal);
        Self.IniFile.WriteString('runlist', RegKeys.Strings[i], RegVal);
        try
          // prompt the user; SendMsg is the author's own notification routine
          SendMsg('abc', '', 'Registry changed: new item ' + RegKeys.Strings[i] + '=' + RegVal);
        finally
        end;
      end;
    end;
  Self.IniFile.ReadSection('runlist', RegKeys); // names saved in the baseline
  for i := 0 to RegKeys.Count - 1 do // check deleted values
  begin
    IniVal := Self.IniFile.ReadString('runlist', RegKeys.Strings[i], '');
    if Self.Reg.ValueExists(RegKeys.Strings[i]) and
      ((Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
      or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString)) then
      RegVal := Self.Reg.ReadString(RegKeys.Strings[i])
    else
      RegVal := '';
    if (IniVal <> '') and (RegVal = '') then
    begin
      Self.LogMsg('Item del: ' + RegKeys.Strings[i] + '=' + IniVal);
      Self.IniFile.DeleteKey('runlist', RegKeys.Strings[i]);
      try
        SendMsg('abc', '', 'Registry changed: item deleted ' + RegKeys.Strings[i] + '=' + IniVal);
      finally
      end;
    end;
  end;
  Self.IniFile.UpdateFile; // flush the baseline to disk
  Self.Timer1.Enabled := True;
end;

6. In FormMain's OnClose event, release the objects and do the necessary cleanup:

procedure TFormMain.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  if Assigned(Self.Reg) then Self.Reg.Free;
  if Assigned(Self.IniFile) then Self.IniFile.Free;
  if Assigned(Self.LogFile) then Self.LogFile.Free;
  if Assigned(Self.RegKeys) then Self.RegKeys.Free;
end;
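The same baseline-and-compare idea in Python, as an added example that is not part of the article or its Delphi source. It snapshots the REG_SZ / REG_EXPAND_SZ values under the Run key, compares the snapshot against a saved baseline on every tick, and reports added, modified and deleted entries separately (the article's first loop reports both new and changed entries as "Item add"). The baseline file name, the poll interval, the sample snapshots and the output wording are all constructed for this example. snapshot_run_key uses the standard-library winreg module and therefore only runs on Windows; diff_snapshots and check_once are pure Python and can be exercised on any platform.

```python
"""Baseline-and-compare monitor for HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.

Added example, not the article's code. Only snapshot_run_key() touches the
registry (Windows only); the comparison logic is plain Python.
"""
import json
import os
import sys
import time
from typing import Dict, List, Optional, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE_PATH = "runlist_baseline.json"  # assumed file name for the saved baseline
POLL_SECONDS = 5                          # assumed timer interval

Snapshot = Dict[str, str]  # value name -> command line


def snapshot_run_key() -> Snapshot:
    """Read every REG_SZ / REG_EXPAND_SZ value under the Run key (Windows only)."""
    import winreg  # standard library on Windows; absent elsewhere
    values: Snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ):
                values[name] = data
            index += 1
    return values


def diff_snapshots(baseline: Snapshot, current: Snapshot):
    """Return (added, modified, deleted) between a baseline and the live values."""
    added = {n: v for n, v in current.items() if n not in baseline}
    modified = {n: (baseline[n], v) for n, v in current.items()
                if n in baseline and baseline[n] != v}
    deleted = {n: v for n, v in baseline.items() if n not in current}
    return added, modified, deleted


def check_once(baseline: Optional[Snapshot], current: Snapshot) -> Tuple[List[str], Snapshot]:
    """One timer tick: log lines describing the changes, plus the baseline to save.

    A missing baseline means first run: record the current values and report nothing,
    which mirrors what the article does in OnCreate.
    """
    if baseline is None:
        return [], dict(current)
    added, modified, deleted = diff_snapshots(baseline, current)
    lines: List[str] = []
    for name in sorted(added):
        lines.append(f"Item add: {name}={added[name]}")
    for name in sorted(modified):
        old, new = modified[name]
        lines.append(f"Item mod: {name}={new} (was {old})")
    for name in sorted(deleted):
        lines.append(f"Item del: {name}={deleted[name]}")
    return lines, dict(current)


def load_baseline(path: str) -> Optional[Snapshot]:
    """Load the saved baseline, or None when no baseline has been recorded yet."""
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_baseline(path: str, snap: Snapshot) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def main() -> None:
    """Poll the Run key forever, printing each change with a timestamp."""
    if sys.platform != "win32":
        print("winreg is only available on Windows; nothing to monitor here")
        return
    baseline = load_baseline(BASELINE_PATH)
    while True:
        lines, baseline = check_once(baseline, snapshot_run_key())
        for line in lines:
            print(time.strftime("%Y-%m-%d %H:%M:%S"), line)
        save_baseline(BASELINE_PATH, baseline)  # same role as IniFile.UpdateFile
        time.sleep(POLL_SECONDS)


if __name__ == "__main__":
    main()
```

Keeping the baseline in a file the monitor owns, and comparing whole snapshots rather than one value at a time, makes the "deleted" case fall out of the same comparison instead of needing a second pass over the saved names as in the Delphi version.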

In actual use the program can indeed help discover unknown programs. Of course, its function is very limited; if it were improved further to also monitor changes to other key system files, the effect would be better. I hope to exchange ideas with interested readers.

Please credit the original source when reposting: https://www.9cbs.com/read-5699.html
