Writing a Registry Monitor with Delphi 5.0
Zhu Hongtao, Information Center, Second Xiangya Hospital of Central South University
As the Internet spreads, people pay more and more attention to network security. Besides computer viruses, all kinds of hacking tools, remote control software and the like make people feel increasingly uneasy, and the variety and constant updating of such software mean that anti-virus software alone can no longer protect a machine.
Is there a good way to prevent unknown software from being installed on your own machine? The answer is to watch changes to key system files closely. As everyone knows, a program that runs automatically when Windows starts generally uses one of three methods:
1. Add a shortcut to the [Startup] group of the Start menu
2. Add an entry in Win.ini
3. Add its own value under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The first method is too obvious and is easy to find, so hacker programs generally start themselves using the latter two methods. This article presents a simple registry monitor written by the author that watches the relevant registry values in real time to discover unknown programs. Interested readers can improve on it further.
Program design ideas
This program is developed with Delphi 5.0. Delphi is Borland's rapid visual development tool for Windows programs; it is powerful and easy to use. The program uses a timer to compare the registry periodically: at startup it keeps a backup of the relevant original registry values, then on each timer tick it compares the current values with that backup. If a change is found, the user is prompted to check it.
Program implementation
1. Create a new project in Delphi and rename Form1 to FormMain.
2. Place a TTimer control on FormMain and save the project as PiregWatch.dpr.
3. Modify the code in PiregWatch.dpr:
Application.Initialize;
Application.CreateForm(TFormMain, FormMain);
// Do not show the main window at startup
Application.ShowMainForm := False;
Application.Run;
Add several fields to FormMain:
Reg: TRegistry, used for registry access
IniFile: TIniFile, used to save the original registry data
Log: TStringList, used to record changes
RegKeys: TStringList, used to store the value names under the Run branch
4. In the FormMain.OnCreate event, keep a copy of the original registry data. The main code is as follows:
......
Self.Reg := TRegistry.Create;
with Self.Reg do
begin
  RootKey := HKEY_LOCAL_MACHINE;
  if OpenKey('Software\Microsoft\Windows\CurrentVersion\Run', False) then
  begin
    RegKeys := TStringList.Create;
    GetValueNames(RegKeys); // get all value names under Run
    if not Self.IniFile.SectionExists('runlist') then // no saved data yet
    begin
      for i := 0 to RegKeys.Count - 1 do // save the original data
        if (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
          or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString) then
        begin
          Value := Self.Reg.ReadString(RegKeys.Strings[i]);
          Self.IniFile.WriteString('runlist', RegKeys.Strings[i], Value);
        end;
    end;
  end;
end;
......
5. Add the code that compares the registry in the Timer1.OnTimer event. The main code is as follows:
procedure TFormMain.Timer1Timer(Sender: TObject);
var
  i: Integer;
  RegVal, IniVal: string;
begin
  Self.Timer1.Enabled := False;
  Self.Reg.GetValueNames(RegKeys);
  for i := 0 to RegKeys.Count - 1 do // check for new and modified values
    if (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
      or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString) then
    begin
      RegVal := Self.Reg.ReadString(RegKeys.Strings[i]);
      IniVal := Self.IniFile.ReadString('runlist', RegKeys.Strings[i], '');
      if RegVal <> IniVal then
      begin
        Self.LogMsg('Item add: ' + RegKeys.Strings[i] + '=' + RegVal);
        Self.IniFile.WriteString('runlist', RegKeys.Strings[i], RegVal);
        try
          // prompt the user
          SendMsg('abc', '', 'Registry changed: new item ' + RegKeys.Strings[i] + '=' + RegVal);
        finally
        end;
      end;
    end;
  Self.IniFile.ReadSection('runlist', RegKeys);
  for i := 0 to RegKeys.Count - 1 do // check for deleted values
  begin
    IniVal := Self.IniFile.ReadString('runlist', RegKeys.Strings[i], '');
    if Self.Reg.ValueExists(RegKeys.Strings[i]) and
      ((Self.Reg.GetDataType(RegKeys.Strings[i]) = rdString)
      or (Self.Reg.GetDataType(RegKeys.Strings[i]) = rdExpandString)) then
      RegVal := Self.Reg.ReadString(RegKeys.Strings[i])
    else
      RegVal := '';
    if (IniVal <> '') and (RegVal = '') then
    begin
      Self.LogMsg('Item del: ' + RegKeys.Strings[i] + '=' + IniVal);
      Self.IniFile.DeleteKey('runlist', RegKeys.Strings[i]);
      try
        SendMsg('abc', '', 'Registry changed: item deleted ' + RegKeys.Strings[i] + '=' + IniVal);
      finally
      end;
    end;
  end;
  Self.IniFile.UpdateFile;
  Self.Timer1.Enabled := True;
end;
6. In the FormMain.OnClose event, release the objects and do the necessary cleanup:
procedure TFormMain.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  if Assigned(Self.Reg) then Self.Reg.Free;
  if Assigned(Self.IniFile) then Self.IniFile.Free;
  if Assigned(Self.LogFile) then Self.LogFile.Free;
  if Assigned(Self.RegKeys) then Self.RegKeys.Free;
end;
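The snapshot-and-compare logic of steps 4 and 5, as an added Python example (not the article's Delphi code): the registry read is abstracted behind a callable and fed constructed snapshots so it runs without Windows, and the baseline lives in memory instead of the article's INI file. Names such as RunKeyMonitor and the sample value names are assumptions.

```python
"""Snapshot-and-diff logic of the article's registry monitor (added example, not
the article's Delphi code). Same algorithm: baseline the string values under the
Run key, then on each poll report added/modified values and deleted values.
Reading the key is a callable so this runs offline on constructed snapshots;
on Windows the callable could wrap winreg instead."""
from typing import Callable, Dict, List, Tuple
MONITORED_TYPES = {"REG_SZ", "REG_EXPAND_SZ"}  # rdString / rdExpandString in TRegistry
Snapshot = Dict[str, Tuple[str, str]]  # value name -> (type, data)

def string_values(snapshot: Snapshot) -> Dict[str, str]:
    """Keep only string-typed values, mirroring the article's GetDataType filter."""
    return {n: d for n, (t, d) in snapshot.items() if t in MONITORED_TYPES}

class RunKeyMonitor:
    def __init__(self, read_key: Callable[[], Snapshot]):
        self.read_key = read_key
        # in-memory stand-in for the article's 'runlist' INI section
        self.baseline: Dict[str, str] = string_values(read_key())
        self.log: List[str] = []

    def poll(self) -> List[str]:
        """One timer tick: diff current values against the baseline, then update it."""
        current = string_values(self.read_key())
        events: List[str] = []
        for name, data in current.items():  # new and modified values
            if self.baseline.get(name, "") != data:
                events.append(f"Item add: {name}={data}")
                self.baseline[name] = data
        for name in list(self.baseline):  # values removed since the last poll
            if name not in current:
                events.append(f"Item del: {name}={self.baseline.pop(name)}")
        self.log.extend(events)
        return events

# Constructed snapshots standing in for three successive reads of
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run (not real data).
_CONSTRUCTED = [
    {"ctfmon": ("REG_SZ", r"C:\WINDOWS\system32\ctfmon.exe")},
    {"ctfmon": ("REG_SZ", r"C:\WINDOWS\system32\ctfmon.exe"),
     "Example": ("REG_EXPAND_SZ", r"%ProgramFiles%\Example\example.exe"),
     "Flags": ("REG_DWORD", "1")},  # not a string type: ignored, as in the article
    {"Example": ("REG_EXPAND_SZ", r"%ProgramFiles%\Example\other.exe")},
]

def demo() -> List[str]:
    reads = iter(_CONSTRUCTED)
    mon = RunKeyMonitor(lambda: next(reads))
    for _ in range(2):  # tick 1: Example added; tick 2: Example modified, ctfmon deleted
        mon.poll()
    return mon.log
```

As in the article, a modified value is reported with the same "Item add" label as a new one; a non-string value such as a REG_DWORD is never reported.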
In actual use, the program does help discover unknown programs. Of course, its function is very limited; if it is improved further to also monitor changes to other key system files, the effect will be better. I hope to exchange ideas with interested readers.