IDEA: run an executeable step by step

[lifeh2o]

I wish there code be a software by which when i exute a program it ask me each and every step to allow or not. For example when i run a process it asks me when it wants to change registry, it ask when it is copying a file, it ask when it is genereating a file and all other steps.

[housetier]

That sounds like the job of a debugger to me.

[scancode]

I wish there code be a software by which when i exute a program it ask me each and every step to allow or not. For example when i run a process it asks me when it wants to change registry, it ask when it is copying a file, it ask when it is genereating a file and all other steps.

-lifeh2o (March 31, 2009, 08:13 AM)

OllyDbg [shareware, $0 registration]... or Vista's UAC :-P

[nite_monkey]

[offtopic]
How is ollydbg shareware if it can be used for free and is $0 to register... thats funny
[/offtopic]
This would be pretty useful to detect if you have a virus on your computer or something like that. If you have some program that runs in the background that would detect when the registry or filesystem was changed without your knowlege.

[scancode]

[offtopic]
How is ollydbg shareware if it can be used for free and is $0 to register... thats funny
[/offtopic]

-nite_monkey (April 01, 2009, 08:57 AM)

This software is a shareware. To use this program on a permanent basis or for commercial purposes, you should register it by sending filled registration form to Ollydbg()t-online.de. The registration is free of charge and assumes no financial or other obligations from either side - just be fair and let me know that you like this software. Even your personal data in the registration form is optional (use your nickname or pseudonym if you want).

-http://ollydbg.de/download.htm

[f0dder]

A debugger is certainly a program to "run an executeable step by step", but what lifeh2o wants is probably more along the lines of an over-zealous program behavioral analyzer/blocker. Something like what, for instance, Kaspersky antivirus offers, but blocking on all file and registry activity instead of just suspicious activity.

If you just want to monitor what happens, check out sysinternals' Process Monitor.

[lifeh2o]

f0dder got my point exactly. This is what i am inspired from kaspersky, actullay what happened was that a few days ago i have downloaded a small executeable accidently. And when i executed it, nothing appeared, and i caught it red handed. I moved to msconfig and there i found that it made 22kb exe copies in severel directories named as svchost.exe and userint.exe and moreover it added each copy two times in system startup.

I removed those files by searching them with instant file search utility "everything" and to confirm removal of those suspicious 22kb files i used "indexyourfiles" to search for 22kb files but there was no one left.
My pc saved from a big problem. I m not using any antivirus and dont want to load my system with it, but i am a fan of kaspersky. As it tells the detail of each suspicious activity.

Then i thought that if i have executed it with a program that i have suggested, i get notification of each step and may have blocked all those steps.

[f0dder]

You should probably give your system a scan with some antivirus, you might not have caught everything.

A tool like the one you describe would be major bother in everyday life, it's much less agonizing running Vista+UAC - which would have caught it trying to write to system folders and adding itself to auto-startup locations.

[lifeh2o]

No, i am pretty sure that my system is clear now, i do use process explorer, process monitor and file and reg monitor to check when i find something suspicious. I used vista a few weeks but it is only good to eyes, not to taste. And i am again on XP. Vista runs slow on 1g ram, and 2ghz dual core. All my games gives better performance on xp than vista.

Can i really use olly debugger for this purpose? i have used it but i dont know that provides enough information to understand that the software is trying to edit registry and files or not.

If so than it means that i can check any sucpicious file with it?

[f0dder]

First, you can't be 100% sure that you're clean - the executable could have downloaded and activated a rootkit, which pretty much renders process explorer & monitor useless.

Second, if you don't want to run Vista, at least consider running under a non-privileged user account. It's more bothersome on XP than on Vista, though. The alternative would be using something like "dropmyrights" on all internet-facing applications (browser, mail client, ...) but that won't stop you from malware if you accidentally(? ) double-click random executables. Dunno about Vista running slow on 1GB ram, but it runs perfectly fine on a laptop with 2GB ram, 2GHz dualcore and integrated intel graphics. I don't game much on that machine, though.

Third, OllyDbg is a debugger. It lets you handle program execution instruction by instruction. It works on individual processes, though, and what you want sounds like systemwide action.

[lifeh2o]

I love games, still trying to get external graphics card. But the integrated graphics of my mother board are enough to run any game. Any one can note a clear difference between perforemance of high graphic games on XP and Vista on integrated graphics.

I dont like to 'runas' the applications. Thats why my user has full privilages (admin). When i downloaded that file i scanned it first with Dr. Web. And my fault that i trusted on it blindly, another fault was that Dr. Web Cure It was not updated from 14 days. But the file i have downloaded was very old. I dont even tried to update it and scanned that file with Dr. Web Cure It.

Ok!, Than i should consider my idea as 'unsuitable'. But i m still sure if there is will be any it will be very beneficial. I am searching for rootkits now. Better next time.

Scan completed with Sophos Anti rootkit - No rootkit found.

 

[skrommel]

  There are antivirus programs out there that will do this, but I'd suggest using Sandboxie insted. It captures and moves all file and registry writes to a sandbox for easy retrieval.

Skrommel