how do hooks of zonealarm or spybot work?
-
hiho@ll, what I'm interested in: ZoneAlarm opens a window if an "unknown" app wants to access the internet and asks if this app is allowed to do this. Spybot does the same for the registry: if an app wants to change the registry, a window is opened to ask the user if this is allowed. btw: I'm not only interested in how ZoneAlarm and Spybot know such stuff (that an app wants to change something); how can ZoneAlarm or Spybot decide if the app is allowed or not? How can ZoneAlarm control what the other apps are allowed to do? How does such stuff work? Does it work for everything? (control of hardware and every piece of software, e.g. checking if a specific function of a DLL should be called?) Is it a hook? If yes, how do they work? (a hint should do it) thx@ll -- modified at 14:58 Friday 27th January, 2006
-
Not exactly what you want, but I think it will show you how to control process creation system-wide, using hooks. Clickety
"Success is the ability to go from one failure to another with no loss of enthusiasm." - W.Churchill
-- modified at 5:38 Saturday 28th January, 2006 -
ThinkingPrometheus wrote:
if a app wants change the registry a window is opened to ask the user if this is allowed btw: i'm not only interested in how do...spybot know such stuff...
RegNotifyChangeKeyValue()
is one possibility.
"The greatest good you can do for another is not just to share your riches but to reveal to him his own." - Benjamin Disraeli
-
I would think large parts of such programs (ZoneAlarm) would run in ring 0 - essentially a driver. Programs like FileMon and RegMon from Sysinternals work like this. Steve
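Added example (not from this thread, and not code from ZoneAlarm, Spybot or Sysinternals): a portable user-mode C model of what the "hook" in the replies above actually does. The ring-0 products Steve mentions swap an entry in a kernel dispatch table (or register a filter driver) so that every call goes through their filter first; the filter identifies the caller, looks up a remembered verdict, pops up the question once if there is none, and then either calls the saved original or refuses without ever reaching it. That also answers the "how do they decide" part of the question: the decision is a policy table keyed by the calling program, filled in by the user's answers. The service table, status codes, `caller_t`, the `svc_*`/`policy_*` names and the sample process names are all assumptions made for the demo; the table lives in the same process, so it shows the mechanism and the policy, not the privilege boundary a real driver sits behind. Notification APIs such as the one in the earlier reply report a change after it has happened, which is why asking beforehand needs interception of this kind.

```c
#include <stdio.h>
#include <string.h>

#define ST_OK      0
#define ST_DENIED  5          /* an "access denied" style status, chosen for the demo */

/* Who is calling, as the hook sees it. A real driver reads this from the
 * current process context; the demo passes it explicitly (assumption). */
typedef struct { int pid; const char *image; } caller_t;

/* The table being hooked: slot 0 = registry set-value, slot 1 = outbound
 * connect. These stand in for kernel services and just report success. */
typedef int (*service_fn)(const caller_t *c, const char *target);
static int svc_reg_set_value(const caller_t *c, const char *key) { (void)c; (void)key;  return ST_OK; }
static int svc_connect(const caller_t *c, const char *host)      { (void)c; (void)host; return ST_OK; }

enum { SVC_REG_SET = 0, SVC_CONNECT = 1, SVC_COUNT = 2 };
static service_fn service_table[SVC_COUNT] = { svc_reg_set_value, svc_connect };
static service_fn original[SVC_COUNT];   /* saved so the hook can call through */

/* Policy: remembered answers per (image, service). Unknown = ask. The answer
 * is cached, which is why the popup shows once per program and action. */
typedef enum { POL_ASK = 0, POL_ALLOW, POL_DENY } verdict_t;
#define MAX_RULES 32
static struct { char image[64]; int svc; verdict_t v; } rules[MAX_RULES];
static int nrules;

/* The "popup" is a callback; scripted_prompt lets code answer it. */
typedef verdict_t (*prompt_fn)(const caller_t *c, int svc, const char *target);
static prompt_fn ask_user;
static int prompts_shown;
static verdict_t scripted_answer = POL_DENY;
void script_answer(verdict_t v) { scripted_answer = v; }
verdict_t scripted_prompt(const caller_t *c, int svc, const char *target) {
    printf("[popup] %s (pid %d) wants service %d on %s -> %s\n", c->image, c->pid,
           svc, target, scripted_answer == POL_ALLOW ? "allow" : "deny");
    return scripted_answer;
}

verdict_t policy_lookup(const char *image, int svc) {
    for (int i = 0; i < nrules; i++)
        if (rules[i].svc == svc && strcmp(rules[i].image, image) == 0) return rules[i].v;
    return POL_ASK;
}
void policy_remember(const char *image, int svc, verdict_t v) {
    if (nrules >= MAX_RULES) return;
    snprintf(rules[nrules].image, sizeof rules[nrules].image, "%s", image);
    rules[nrules].svc = svc; rules[nrules].v = v; nrules++;
}

/* One filter behind every hooked slot: decide first, then either call the
 * saved original or refuse so the real service is never reached. */
static int filter(int svc, const caller_t *c, const char *target) {
    verdict_t v = policy_lookup(c->image, svc);
    if (v == POL_ASK) {
        prompts_shown++;
        v = ask_user ? ask_user(c, svc, target) : POL_DENY;   /* no UI: fail closed */
        policy_remember(c->image, svc, v);
    }
    return v == POL_ALLOW ? original[svc](c, target) : ST_DENIED;
}
/* Plain function pointers carry no slot number, so each slot gets a trampoline. */
static int hook_reg_set(const caller_t *c, const char *t) { return filter(SVC_REG_SET, c, t); }
static int hook_connect(const caller_t *c, const char *t) { return filter(SVC_CONNECT, c, t); }

void install_hooks(prompt_fn prompt) {
    original[SVC_REG_SET] = service_table[SVC_REG_SET];
    original[SVC_CONNECT] = service_table[SVC_CONNECT];
    service_table[SVC_REG_SET] = hook_reg_set;     /* the actual "hook": swap the pointer */
    service_table[SVC_CONNECT] = hook_connect;
    ask_user = prompt; nrules = 0; prompts_shown = 0;
}
void uninstall_hooks(void) {
    if (original[SVC_REG_SET]) service_table[SVC_REG_SET] = original[SVC_REG_SET];
    if (original[SVC_CONNECT]) service_table[SVC_CONNECT] = original[SVC_CONNECT];
}
/* Callers are unchanged: they still dispatch through the table. */
int call_service(int svc, const caller_t *c, const char *target) { return service_table[svc](c, target); }
int prompt_count(void) { return prompts_shown; }

int main(void) {
    caller_t known = { 100, "explorer.exe" }, unknown = { 200, "dropper.exe" };   /* constructed */
    install_hooks(scripted_prompt);
    policy_remember("explorer.exe", SVC_CONNECT, POL_ALLOW);            /* pre-approved rule */
    printf("known connect: %d\n", call_service(SVC_CONNECT, &known, "example.org:80"));
    script_answer(POL_DENY);
    printf("unknown reg:   %d\n", call_service(SVC_REG_SET, &unknown, "HKLM\\...\\Run"));
    printf("again (cached, no popup): %d, popups=%d\n",
           call_service(SVC_REG_SET, &unknown, "HKLM\\...\\Run"), prompt_count());
    uninstall_hooks();
    return 0;
}
```

The two things worth noticing are that the hooked program never changes (it still calls through the table) and that the filter fails closed when no prompt is available; a real product also has to answer the question the original poster raised about "everything": only the slots it hooks are covered, so a call that reaches the service by another path is not seen.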
-
thx guys, seems like a lot of work, but I think driver programming is a good hint