1

Topic: IWebBrowser2: intercepting registry reads

Each process of my program that uses IWebBrowser2 needs its own folder for temporary files (,  and ). As far as I know, this cannot be done with standard means. Process Monitor showed that my process calls RegQueryValue to read the path to the temporary files. I hooked RegQueryValue (A and W) with Detours, but the calls did not occur. API Monitor showed that the calls go to RegQueryValueEx, but NOT for reading the path to the temporary files. I hooked RegQueryValueEx; the calls matched the API Monitor results. How do I intercept the way Process Monitor does? Or how else can the task be solved?

2

Re: IWebBrowser2: intercepting registry reads

WA> Each process of my program that uses IWebBrowser2 needs its own folder for temporary files (,  and ).
WA> As far as I know, this cannot be done with standard means.
WA> Process Monitor showed that my process calls RegQueryValue to read the path to the temporary files.
WA> I hooked RegQueryValue (A and W) with Detours, but the calls did not occur.
WA> API Monitor showed that the calls go to RegQueryValueEx, but NOT for reading the path to the temporary files.
WA> I hooked RegQueryValueEx; the calls matched the API Monitor results.
WA> How do I intercept the way Process Monitor does?
WA> Or how else can the task be solved?

In ProcMon you can display the call stack of an event. There you will see which function IWebBrowser2 calls (possibly directly , since the hooks in ADVAPI32 do not see the read).

P.S. Judging by this call stack, ProcMon tracks the registry using RegistryCallback in its driver.

3

Re: IWebBrowser2: intercepting registry reads

Hello, EreTIk, you wrote:

ETI> In ProcMon you can display the call stack of an event. There you will see which function IWebBrowser2 calls (possibly directly , since the hooks in ADVAPI32 do not see the read).
ETI> P.S. Judging by this call stack, ProcMon tracks the registry using RegistryCallback in its driver.

Is Detours able to hook NtQueryValueKey? I read a little about RegistryCallback. It seems to suit my task, but does it require writing a driver, or can it be plugged into the program?

4

Re: IWebBrowser2: intercepting registry reads

WA> Is Detours able to hook NtQueryValueKey?

I think so. Moreover, the IWebBrowser2 implementation probably calls ntdll!NtQueryValueKey through a static import, so the hook can also be installed simply by putting the handler into the import table (the question is portability: whether all target IWebBrowser2 implementations use this call). On the other hand, nobody guarantees that an NtQueryValueKeyEx will not appear in a new OS and that the IWebBrowser2 implementation will not use it.

WA> I read a little about RegistryCallback
WA> It seems to suit my task
WA> But does it require writing a driver, or can it be plugged into the program?

That interface is for drivers only. IMHO, implementing your own driver for such a task is not worth it: time for learning, time for implementation, time for testing, buying a certificate. And in the end, a bug in the driver leads to a BSOD of the whole system (or, if the bug is exploited, malware will carry your signed driver along to execute arbitrary unsigned code in the kernel, and your software will be  by antiviruses because of the driver).
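The import-table hook mentioned above (putting a handler into the IAT slot for ntdll!NtQueryValueKey) works by walking the PE import directory to find the slot through which the module calls the function. Below is an added example, not code from this thread, from Detours, or from any IWebBrowser2 implementation, of that walk in portable C: it builds a constructed PE32+ image that imports NtQueryValueKey and NtClose from ntdll.dll, locates the slot, swaps in a new target and returns the original so a hook can chain to it. The image layout, the fake addresses and the helper names are assumptions made for the example; in a real process the image base would come from GetModuleHandle and the slot write would be wrapped in VirtualProtect. The same walker doubles as an integrity check: comparing each slot's target against the exporting module's address range detects a slot that has already been redirected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE 0x800u   /* size of the constructed sample image */

/* Little-endian readers/writers so the walker does not depend on host layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Case-insensitive compare of the NUL-terminated string at image+rva with s,
 * refusing to read past the end of the image (import names are untrusted data). */
static int str_at(const uint8_t *image, size_t size, uint32_t rva, const char *s) {
    for (size_t i = 0; ; i++) {
        if ((size_t)rva + i >= size) return 0;
        int a = image[rva + i], b = (unsigned char)s[i];
        if (a >= 'A' && a <= 'Z') a += 32;
        if (b >= 'A' && b <= 'Z') b += 32;
        if (a != b) return 0;
        if (a == 0) return 1;
    }
}

/* Returns the RVA of the IAT slot through which a mapped PE32+ image calls
 * dll!func, or 0 if the import is absent or the headers are malformed. */
uint32_t find_iat_slot(const uint8_t *image, size_t size, const char *dll, const char *func) {
    if (size < 0x40 || rd16(image) != 0x5A4D) return 0;                  /* "MZ" */
    uint32_t nt = rd32(image + 0x3C);                                   /* e_lfanew */
    if (nt + 0x100 > size || rd32(image + nt) != 0x00004550) return 0;  /* "PE\0\0" */
    const uint8_t *opt = image + nt + 4 + 20;                           /* optional header */
    if (rd16(opt) != 0x20B) return 0;                                   /* PE32+ only */
    uint32_t desc = rd32(opt + 112 + 8 * 1);                            /* DataDirectory[IMPORT].VirtualAddress */
    for (; desc != 0 && desc + 20 <= size; desc += 20) {                /* IMAGE_IMPORT_DESCRIPTOR array */
        uint32_t int_rva = rd32(image + desc);                          /* OriginalFirstThunk (names) */
        uint32_t name_rva = rd32(image + desc + 12);                    /* DLL name */
        uint32_t iat_rva = rd32(image + desc + 16);                     /* FirstThunk (addresses) */
        if (int_rva == 0 && iat_rva == 0) break;                        /* terminating null descriptor */
        if (!str_at(image, size, name_rva, dll)) continue;
        for (uint32_t i = 0; (size_t)int_rva + 8 * i + 8 <= size; i++) {
            uint64_t e = rd64(image + int_rva + 8 * i);
            if (e == 0) break;                                          /* end of this DLL's imports */
            if (e >> 63) continue;                                      /* import by ordinal, no name */
            if (str_at(image, size, (uint32_t)e + 2, func))             /* skip the 2-byte hint */
                return iat_rva + 8 * i;
        }
    }
    return 0;
}

/* Current target of an import's IAT slot; a defender compares this against the
 * exporting module's address range to spot a redirected slot. */
uint64_t iat_slot_target(const uint8_t *image, size_t size, const char *dll, const char *func) {
    uint32_t slot = find_iat_slot(image, size, dll, func);
    return (slot == 0 || (size_t)slot + 8 > size) ? 0 : rd64(image + slot);
}

/* Replaces the slot's target (what an import-table hook does) and returns the
 * original pointer so the handler can chain to it; 0 if the import is absent.
 * On Windows the IAT page is read-only, so a real hook wraps this write in
 * VirtualProtect (omitted here to keep the example portable). */
uint64_t hook_iat_slot(uint8_t *image, size_t size, const char *dll, const char *func, uint64_t new_target) {
    uint32_t slot = find_iat_slot(image, size, dll, func);
    if (slot == 0 || (size_t)slot + 8 > size) return 0;
    uint64_t old = rd64(image + slot);
    wr64(image + slot, new_target);
    return old;
}

/* Constructed sample: a minimal PE32+ image importing NtQueryValueKey and
 * NtClose from ntdll.dll (layout and addresses invented for the example). */
void build_sample_image(uint8_t *img) {
    memset(img, 0, IMAGE_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x40);                                  /* e_lfanew -> NT headers at 0x40 */
    wr32(img + 0x40, 0x00004550);                            /* "PE\0\0" */
    img[0x44] = 0x64; img[0x45] = 0x86;                      /* Machine = AMD64 */
    img[0x58] = 0x0B; img[0x59] = 0x02;                      /* OptionalHeader.Magic = PE32+ */
    wr32(img + 0xD0, 0x200); wr32(img + 0xD4, 40);           /* import directory RVA/size */
    wr32(img + 0x200, 0x300); wr32(img + 0x20C, 0x400); wr32(img + 0x210, 0x500); /* one descriptor */
    memcpy(img + 0x400, "ntdll.dll", 10);
    wr64(img + 0x300, 0x600); wr64(img + 0x308, 0x620);      /* name table -> IMAGE_IMPORT_BY_NAME */
    memcpy(img + 0x602, "NtQueryValueKey", 16);
    memcpy(img + 0x622, "NtClose", 8);
    wr64(img + 0x500, 0x7FF0001000ULL); wr64(img + 0x508, 0x7FF0002000ULL); /* IAT targets */
}

static uint8_t g_img[IMAGE_SIZE];
/* Demonstration on the constructed image; returns the slot's original target. */
uint64_t demo_hook(void) {
    build_sample_image(g_img);
    return hook_iat_slot(g_img, IMAGE_SIZE, "ntdll.dll", "NtQueryValueKey", 0x7FF0009000ULL);
}
uint32_t demo_slot(const char *func) { return find_iat_slot(g_img, IMAGE_SIZE, "ntdll.dll", func); }
uint64_t demo_target(const char *func) { return iat_slot_target(g_img, IMAGE_SIZE, "ntdll.dll", func); }

int main(void) {
    uint64_t old = demo_hook();
    printf("ntdll!NtQueryValueKey IAT slot RVA 0x%x: 0x%llx -> 0x%llx\n", demo_slot("NtQueryValueKey"),
           (unsigned long long)old, (unsigned long long)demo_target("NtQueryValueKey"));
    return 0;
}
```

The walker only finds calls that go through a static import, which is exactly the portability caveat raised above: a module that resolves NtQueryValueKey with GetProcAddress, or that calls a newer NtQueryValueKeyEx, never touches this slot, the same blind spot the ADVAPI32 hooks hit in the first post.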

5

Re: IWebBrowser2: intercepting registry reads

Hello, WinAx, you wrote:

WA> Each process of my program that uses IWebBrowser2 needs its own folder for temporary files (,  and ).
WA> As far as I know, this cannot be done with standard means.
WA> Process Monitor showed that my process calls RegQueryValue to read the path to the temporary files.

I am not really into this subject, but maybe this helps. If IWebBrowser2 stores the path to the temporary files, , etc. in the registry, you could try to palm off a complete set of registry settings on the IWebBrowser2 instance. It is done like this.