Thread Starter:
    Hey guys, thought about writing my own HIDS, but I wondered if I could pick your brains on a few things.

    1) Would it matter what language I used, from C++ or Java? I'm more comfortable in Java.

    2) I've never really written programs which 'interface' with the OS, such as checking registry details etc. Is this limited per language?

    3) I need to learn more about Windows XP, how it works exactly (registry, password storage etc). All the Google searches I do seem to bring up resources for your typical home user. Does anyone know any 'under the bonnet' resources?

    4) Any other useful advice would be GREATLY appreciated!

    I've worked out I need to do virus signatures, check ports for suspicious scans etc. Also check *certain* system files for modification, but I'm sure there's lots I don't know.
Reply (mfaxford):
    To write a HIDS you need to know a lot of detail about how your operating system works and how malware / viruses work and how they get into the system. A lot of that is not information you're going to find out on Google. I'd suggest it's also not something you're going to be able to do easily on your own. Most of the companies that do IDS and other security products are fairly big places with lots of links into people who know what's going on. Most of these people will keep most of the details of what they're doing and how they're doing it private so it's harder for malware / virus writers to know how to get around their protection.
Thread Starter:
    (Original post by mfaxford)
    To write a HIDS you need to know a lot of detail about how your operating system works and how malware / viruses work and how they get into the system. A lot of that is not information you're going to find out on Google. I'd suggest it's also not something you're going to be able to do easily on your own. Most of the companies that do IDS and other security products are fairly big places with lots of links into people who know what's going on. Most of these people will keep most of the details of what they're doing and how they're doing it private so it's harder for malware / virus writers to know how to get around their protection.
    Would you be able to advise how to 'reach' the inner Operating System from high level languages like Java? Is it pretty easy with the 'System' class etc?
Reply:
    (Original post by econometric)
    Would you be able to advise how to 'reach' the inner Operating System from high level languages like Java? Is it pretty easy with the 'System' class etc?
    I'm not sure if it's possible with Java. It's not a language I use. You'd probably be better using C/C++.
Reply:
    Probably not possible with Java. When I wrote something similar (for Linux) it was a kernel module so had to be in C, I'd guess it has to be a driver for Windows too (afaik Windows has some sort of anti-malware interface that provides the appropriate hooks) so C.
Thread Starter:
    I found a lot on Google, this is just one:

    http://stackoverflow.com/questions/6...try-using-java

    I'll probably answer this question once I've learnt more about the OS, but if I can access the registry, does this mean I should be able to access things like Active Directory, the SID storage area (for passwords) etc?

    I basically need to check whether I can check/access all the areas of the OS which would be vulnerable in the event of an attack. With my limited knowledge of OS (growing each day) I'm not sure how much the registry covers.
Reply (laser):
    With my limited knowledge of OS (growing each day) I'm not sure how much the registry covers.
    Not much.
Thread Starter:
    (Original post by laser)
    Not much.
    Just found a JNDI tutorial which covers how to access Active Directory from Java.

    It would appear I can do everything in Java. However, would I get performance issues? If my program is continuously monitoring in the background, would C++ be better and slow my system down less? Or is the difference in speed negligible?
Reply (laser):
    (Original post by econometric)
    Just found a JNDI tutorial which covers how to access Active Directory from Java.

    It would appear I can do everything in Java. However, would I get performance issues? If my program is continuously monitoring in the background, would C++ be better and slow my system down less? Or is the difference in speed negligible?
    How would you monitor files changing on disk?
Thread Starter:
    (Original post by laser)
    How would you monitor files changing on disk?
    You mean regular files? Look at the size, compare the previous size with the current size: if there's a difference which shouldn't be there -> problem.

    Here's the thing which I'm going to have problems on:

    What if I modify a file myself, how do I tell the system to ignore it? Maybe I could have 'modes':

    Mode 1: Any change automates a lock down
    Mode 2: Any change automates an alert and asks the user for feedback

    etc.

    Can you see a performance issue with C++ and Java? I've been told Java isn't as slow as everybody thinks.
Reply:
    (Original post by econometric)
    You mean regular files? Look at the size, compare the previous size with the current size: if there's a difference which shouldn't be there -> problem.
    How do you cope with the malware that then ensures its replacement is the same size as the original, and has the same date stamps?

    I suspect most of the Java stuff for talking to AD is via an API for performing standard queries. To get into the inner workings I suspect you need to use C/C++ and probably have access to the documentation about the inner workings of AD from Microsoft (which I doubt they publish anywhere you can easily get hold of it).

    There are probably also many better ways of monitoring file changes but you need to get deep into the inner workings of windows (where you also have the potential of breaking things horribly).
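The size check proposed above and the objection that a replacement can keep the same size and date stamps both point at the same fix: compare a content digest against a recorded baseline. The following is an added example, not code from anyone in this thread; it assumes a constructed temp file standing in for a monitored system file and uses only the standard Java library.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
// Baseline-and-compare integrity check: record a SHA-256 digest of each
// monitored file at a trusted moment, then flag any file whose content
// digest differs, even if its size and modification time still match.
public class IntegrityBaseline {
    // In a real HIDS this map would be persisted somewhere the monitored
    // host cannot silently rewrite (read-only media, a signed store, ...).
    private final Map<Path, String> baseline = new HashMap<>();
    static String sha256Hex(Path file) throws IOException, NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    void record(Path file) throws IOException, NoSuchAlgorithmException {
        baseline.put(file, sha256Hex(file));
    }
    // True only when the file's current content digest equals the recorded one.
    boolean unchanged(Path file) throws IOException, NoSuchAlgorithmException {
        String expected = baseline.get(file);
        return expected != null && expected.equals(sha256Hex(file));
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo: a temp file stands in for a monitored system file.
        Path f = Files.createTempFile("hids-demo", ".txt");
        Files.write(f, "hello world".getBytes(StandardCharsets.US_ASCII));
        long size = Files.size(f);
        FileTime mtime = Files.getLastModifiedTime(f);
        IntegrityBaseline fim = new IntegrityBaseline();
        fim.record(f);
        // Same-length content change with the original timestamp put back:
        // the size and mtime checks from the thread pass, the digest check does not.
        Files.write(f, "hello w0rld".getBytes(StandardCharsets.US_ASCII));
        Files.setLastModifiedTime(f, mtime);
        System.out.println("size match: " + (Files.size(f) == size)
            + ", mtime match: " + Files.getLastModifiedTime(f).equals(mtime)
            + ", digest match: " + fim.unchanged(f));
        Files.delete(f);
    }
}
```

For the 'modes' question, the digest mismatch is the event; whether it triggers a lock-down or a prompt is a policy decision layered on top, and re-recording the baseline after an approved change is how the monitor is told to accept it.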
Updated: October 12, 2009