Komodia's Usermode Watchdog

From Komodia

Installation

psd denotes the password, which is client specific.

  • Install the service (on XP the user must be an administrator; on Vista and above the user must be an administrator with UAC privileges):
ProtectorServiceExe.exe install psd
  • Start the service (the service is set to automatic start, but requires a first-time start):
sc start ProtectorServiceExe
  • Load the files (make sure the current directory is the one where the service is deployed):
ProtectorServiceExe.exe load psd 1.txt 2.txt 3.txt 4.txt
    • 1.txt - registry-to-protect file
    • 2.txt - processes-to-start file
    • 3.txt - processes-to-terminate file
    • 4.txt - files-to-protect file


  • Start the protection:
ProtectorServiceExe.exe start psd

File format

Registry file

"type","registry key"

Type can be either "v" for value or "k" for key; key protection protects the key and all of its subkeys and subvalues.

Example:

"v","HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId"
"k","HKEY_USERS\S-1-5-21-1708537768-2077806209-682003330-500\Software\Komodia"

Processes to start file

"type","process"

Type can be either "p" for process or "s" for service.

Example:

"p","C:\Windows\System32\calc.exe"
"s","AppMgmt"

Processes to terminate file

"type","process"

Type can be either "p" for process or "s" for service.

Example:

"p","c:\windows\notepad.exe"

Files to protect file

"source file","shadow file"

The service replicates the source file into the shadow file and protects both.

Example:

"c:\windows\system32\original.txt","c:\windows\system32\shadow.txt"
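The four files above share one shape: one entry per line, two double-quoted comma-separated fields. Before running the load step it is worth checking that the files parse as the service expects and that every entry is what you intend the watchdog to protect, start or terminate. The following Python parser is an added example for this page, not Komodia's code; it assumes one entry per line, that a "p" entry is an absolute Windows path (as in the examples on this page), and a fixed list of accepted registry hive names (the page does not say which hives the service accepts). The sample file contents are constructed from the page's examples.

```python
import csv
import io
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Registry hives a "registry key" field is expected to start with (assumption:
# the page does not state which hive names the service accepts).
HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG"}

# Constructed sample files, one entry per line as the page's formats describe.
REGISTRY_TXT = r'''"v","HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductId"
"k","HKEY_USERS\S-1-5-21-1708537768-2077806209-682003330-500\Software\Komodia"
'''
START_TXT = r'''"p","C:\Windows\System32\calc.exe"
"s","AppMgmt"
'''
TERMINATE_TXT = r'''"p","c:\windows\notepad.exe"
'''
FILES_TXT = r'''"c:\windows\system32\original.txt","c:\windows\system32\shadow.txt"
'''


@dataclass(frozen=True)
class Entry:
    kind: str          # "registry", "start", "terminate" or "file"
    type_: str         # "v"/"k" for registry, "p"/"s" for processes, "" for files
    target: str        # registry key, process path, service name, or source file
    shadow: str = ""   # shadow file; only set for "file" entries


def _rows(text: str) -> Iterator[Tuple[int, List[str]]]:
    """Yield (line number, fields) per non-empty line; each line must carry exactly two fields."""
    reader = csv.reader(io.StringIO(text), quotechar='"', skipinitialspace=True)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        if len(row) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(row)}")
        yield lineno, row


def _is_abs_windows_path(path: str) -> bool:
    """True for paths such as C:\\dir\\file.exe (drive letter, colon, backslash)."""
    return len(path) > 3 and path[0].isalpha() and path[1:3] == ":\\"


def parse_registry_file(text: str) -> List[Entry]:
    """Registry file: "v" or "k", then a full key path that starts with a hive name."""
    entries = []
    for lineno, (typ, key) in _rows(text):
        if typ not in ("v", "k"):
            raise ValueError(f"line {lineno}: registry type must be 'v' or 'k', got {typ!r}")
        if key.split("\\", 1)[0].upper() not in HIVES:
            raise ValueError(f"line {lineno}: unknown registry hive in {key!r}")
        entries.append(Entry("registry", typ, key))
    return entries


def parse_process_file(text: str, kind: str) -> List[Entry]:
    """Processes-to-start / processes-to-terminate file: "p" + absolute path, or "s" + service name."""
    if kind not in ("start", "terminate"):
        raise ValueError("kind must be 'start' or 'terminate'")
    entries = []
    for lineno, (typ, name) in _rows(text):
        if typ not in ("p", "s"):
            raise ValueError(f"line {lineno}: process type must be 'p' or 's', got {typ!r}")
        if typ == "p" and not _is_abs_windows_path(name):
            # Assumption: a "p" entry is a full path; every example on the page is absolute.
            raise ValueError(f"line {lineno}: process path must be absolute, got {name!r}")
        entries.append(Entry(kind, typ, name))
    return entries


def parse_files_file(text: str) -> List[Entry]:
    """Files-to-protect file: source path, shadow path; both absolute and distinct."""
    entries = []
    for lineno, (src, shadow) in _rows(text):
        for p in (src, shadow):
            if not _is_abs_windows_path(p):
                raise ValueError(f"line {lineno}: expected an absolute path, got {p!r}")
        if src.lower() == shadow.lower():
            raise ValueError(f"line {lineno}: source and shadow file are the same path")
        entries.append(Entry("file", "", src, shadow))
    return entries


def load_all(registry: str, start: str, terminate: str, files: str) -> List[Entry]:
    """Parse the four files the load step takes and return every entry the service would enforce."""
    return (parse_registry_file(registry)
            + parse_process_file(start, "start")
            + parse_process_file(terminate, "terminate")
            + parse_files_file(files))


if __name__ == "__main__":
    # Review the full set of entries before handing the files to the service.
    for entry in load_all(REGISTRY_TXT, START_TXT, TERMINATE_TXT, FILES_TXT):
        print(entry)
```

Running the script lists every registry key, process, service and file pair the watchdog would act on, which is the list to review (in particular the terminate entries) before calling the load command. A malformed line fails with the line number rather than being silently skipped.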

Getting the file from the SDK

You can get base files from the SDK containing the entries needed to protect the SDK itself (you can add your own entries to these files).

Via command line

Call the command line method:

PCProxy /Files

It creates three files in the directory where the proxy is:

  • reg.txt - Registry file
  • file.txt - Files file
  • proc.txt - Processes file

Via COM API

Call the method from DataController:

GetUserWatchdogFiles(BSTR bRegistryFile,
                     BSTR bFilesFile,
                     BSTR bProcessFile,
                     long lAppend)

Uninstalling the protector

  • Stop the service:
ProtectorServiceExe.exe stop psd
  • Uninstall the service:
ProtectorServiceExe.exe uninstall psd