Implementing registry monitoring using Delphi5.0Zhu Hongtao, Information Center, Second Xiangya Hospital, Central South University With the continuous popularity of the Internet, network security has attracted more and more attention. In addition to computer viruses, various hacker software, remote control software, etc. are constantly appearing on the Internet, making people more and more worried about their machines. The diversity and constant updates of this type of software make it impossible to completely protect your machine by relying on some anti-virus software alone. |
| Is there any good way to prevent software from unknown sources from being installed on my machine? The answer is to pay close attention to changes in key system files. As we all know, if a program wants to run automatically when Windows starts, there are generally three methods: |
| 1. Add a shortcut to the [Startup] group of the Start menu |
| 2. Add related items to Win.ini |
| 3. Add a key value pointing to yourself under the HKEY_Local_Machine/SoftWare/Microsoft/Windows/CurrentVersion/Run primary key in the registry. |
| The first method is too obvious and easy to spot. Therefore, general hacker programs use the latter two methods to start themselves. The author here introduces a simple registry monitor written by myself, which is used to monitor changes in key values in the registry in real time to discover programs of unknown origin. Readers who are interested can further improve on this basis. |
| Programming ideas |
| This program is developed using Delphi5.0. Delphi is a fast visual Windows program development tool produced by Borland Company. It is powerful and easy to use. The program uses a timer to compare the registry every certain time. When the program starts, it retains a data backup of the original registry key values, and then compares it with the current key values regularly. If any changes are found, the user is prompted to check. |
| Program implementation |
| 1. Create a new PRoject in Delphi and rename Form1 to FormMain |
| 2. Place a timer control TTimer on FormMain and save the Project as PiRegWatch.Dpr |
| 3. Modify the code in PiRegWatch.Dpr: |
| application.Initialize; |
| Application.CreateForm(TFormMain, FormMain); |
| //Don't display the main window when it starts |
| Application.ShowMainForm:=False; |
| Application.Run; |
| Add several objects to FormMain. |
| ObjectTypeDescription |
| RegTregistry is used to access the registry |
| IniFileTiniFile is used to save the original registry data |
| LogTstringListLog used to record changes |
| RegKeysTstringList is used to store the primary key name under the Run branch |
| 4. Retain the original registry data in the FormMain:OnCreate event. The main code is as follows: |
| … |
| self.Reg:=TRegistry.Create; |
| with self.Reg do |
| begin |
| RootKey:=HKEY_Local_Machine; |
| If OpenKey('Software/Microsoft/Windows/CurrentVersion/Run',false) |
| then |
| begin |
| RegKeys:=TStringList.Create; |
| GetValueNames(RegKeys); //Get all primary key names under Run |
| if not self.IniFile.SectionExists('RunList') then //If no data has been saved |
| begin |
| for i:=0 to Regkeys.Count-1 do //Save the original data |
| if (self.Reg.GetDataType(RegKeys.Strings[i])=rdString) |
| or(self.Reg.GetDataType(RegKeys.Strings[i])=rdExpandString) |
| then begin |
| value:=self.Reg.ReadString(RegKeys.Strings[i]); |
| self.IniFile.WriteString('RunList',RegKeys.Strings[i],value); |
| end; |
| end; |
| end; |
| end; |
| … |
| 5. Add the code to compare the registry in the TTimer1.OnTmer event. The main code is as follows: |
| procedure TFormMain.Timer1Timer(Sender: TObject); |
| var i:integer; |
| RegVal,IniVal:string; |
| begin |
| self.Timer1.Enabled:=False; |
| self.Reg.GetValueNames(RegKeys); |
| for i:=0 to RegKeys.Count-1 do //Check newly added and modified key values |
| if (self.Reg.GetDataType(RegKeys.Strings[i])=rdString) |
| or (self.Reg.GetDataType(RegKeys.Strings[i])=rdExpandString) |
| then begin |
| RegVal:=self.Reg.ReadString(RegKeys.Strings[i]); |
| IniVal:=self.IniFile.ReadString('RunList',RegKeys.Strings[i],''); |
| if RegVal<>IniVal then |
| begin |
| self.LogMsg('Item Add:'+RegKeys.Strings[i]+'='+RegVal); |
| self.IniFile.WriteString('RunList',RegKeys.Strings[i],RegVal); |
| try |
| //prompt user |
| SendMsg('ABC','','The registry has been changed: new items'+RegKeys.Strings[i]+'='+RegVal); |
| finally |
| end; |
| end; |
| end; |
| self.IniFile.ReadSection('RunList',RegKeys); |
| for i:=0 to RegKeys.Count-1 do //Check the deleted key values |
| begin |
| IniVal:=self.IniFile.ReadString('RunList',RegKeys.Strings[i],''); |
| if self.Reg.ValueExists(RegKeys.Strings[i]) and |
| ((self.Reg.GetDataType(RegKeys.Strings[i])=rdString) |
| or (self.Reg.GetDataType(RegKeys.Strings[i])=rdExpandString) ) |
| then |
| RegVal:=self.Reg.ReadString(RegKeys.Strings[i]) |
| else |
| RegVal:=''; |
| if (IniVal<>'') and (RegVal='') then |
| begin |
| self.LogMsg('Item Del:'+RegKeys.Strings[i]+'='+IniVal); |
| self.IniFile.DeleteKey('RunList',RegKeys.Strings[i]); |
| try |
| SendMsg('ABC','','Registry changed: item deleted'+RegKeys.Strings[i]+'='+IniVal); |
| finally |
| end; |
| end; |
| end; |
| self.IniFile.UpdateFile; |
| self.Timer1.Enabled:=True; |
| end; |
| 6. Perform object release and necessary cleanup work in the FormMain:OnClose event |
| procedure TFormMain.FormClose(Sender: TObject; var Action:TCloseAction); |
| begin |
| if Assigned(self.Reg) then self.Reg.Free; |
| if Assigned(self.IniFile) then self.IniFile.Free; |
| if Assigned(self.LogFile) then self.LogFile.Free; |
| if Assigned(self.RegKeys) then self.RegKeys.Free; |
| end; |
| After actual operation, this program can indeed play a certain role in discovering programs of unknown origin. Of course, its function is also very single. If it is to be further improved and the changes in other key files of the monitoring system are added, the effect will be better. Hope to communicate with interested readers. |