I am far from being a hacker, but I think hacking software means looking not just at what it is, but at what it does, too.
Normally we hex-dump a binary file to see what it is. ProcMon lets us watch what a Windows process does: its file system, registry and process/thread activity, in real time.
Let's get started.
What is ProcMon?
QUOTE
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon,
Download: https://docs.microsoft.com/en-us/sysinterna...wnloads/procmon
(SysInternals was acquired by Microsoft a long time ago)
So I want to show you how to "hack" a software process; I take the "Run as admin" compatibility setting as an example (I will change the Properties of the Google chrome.exe app shortcut).
Normally users open the Properties of the app shortcut, go to Compatibility, and tick "Run as administrator" to enable it, as the picture below shows:
But what if you want this done programmatically? How do we know what Windows does when we tick "Run as administrator"? This is where ProcMon comes in handy.
Start a ProcMon capture first (keeping only Registry events, or filtering on Operation is RegSetValue, cuts the noise down a lot), then open the app shortcut's Properties, go to Compatibility, tick "Run as administrator", and click "OK" to commit the change.
Spot on! The writes to this particular registry key look like exactly what Windows does to enable "Run as admin", as the picture below shows:
As with disassembling or decompiling, you need patience to pick out the events that are really useful and get rid of the rest.
CODE
9364 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags SUCCESS Desired Access: Write, Query Value, Enumerate Sub Keys, Disposition: REG_OPENED_EXISTING_KEY
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags SUCCESS
9364 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS Desired Access: Write, Query Value, Enumerate Sub Keys, Disposition: REG_OPENED_EXISTING_KEY
9364 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe SUCCESS Type: REG_SZ, Length: 26, Data: ~ RUNASADMIN
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags SUCCESS
9364 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS Desired Access: Write, Query Value, Enumerate Sub Keys, Disposition: REG_OPENED_EXISTING_KEY
9364 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe SUCCESS Type: REG_SZ, Length: 26, Data: ~ RUNASADMIN
9364 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers SUCCESS
So I opened RegEdit and found exactly the registry value that had been written, as the picture below shows:
Then we can write code to do the same thing programmatically (enable / disable RunAsAdmin for a particular app). Note that the value is named with the executable's full path, so it applies however chrome.exe is started, not to one particular shortcut. The HKLM key captured here applies to all users and can only be written from an elevated process; the per-user checkbox on the Compatibility tab writes the same value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers instead.
Sample code in C# .NET
CODE
using System;
using Microsoft.Win32;

class Program
{
    // Where the Compatibility tab stores per-executable settings (HKLM = all users).
    const string LayersKey = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers";
    const string ExePath = @"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe";

    static void Main()
    {
        Console.Write("Press 1 to RunAsAdmin, Press 0 to disable RunAsAdmin: ");
        string input = Console.ReadLine();

        // Writing under HKLM needs an elevated process. CreateSubKey opens the existing
        // key writable (or creates it) instead of returning null like OpenSubKey would.
        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(LayersKey))
        {
            if (input == "1")
            {
                // The same value ProcMon showed being written: the exe path is the value name.
                key.SetValue(ExePath, "~ RUNASADMIN", RegistryValueKind.String);
            }
            else if (input == "0")
            {
                // The setting is a value under Layers, not a subkey, so delete the value
                // rather than leaving an empty string behind.
                key.DeleteValue(ExePath, throwOnMissingValue: false);
            }
        }
    }
}
If you did not already know this, I hope the info is useful for you. Happy "hacking".