9

i have a program which is pretty simple. Its just a simple login form.

Is there any possibility to log what this program is doing (maybe which file he is accessing and which website he is visiting (also what this website is returning)

I mean a program that is logging which file this program is accessing and which websites (or queries) this program is sending to a website.

I would really appreciate your help.

planIT
  • 365
  • 1
  • 3
  • 6
  • 2
    On what operating system? For Linux, see [Monitoring system calls (in a reliable and secure way)](http://security.stackexchange.com/questions/8485/monitoring-system-calls-in-reliable-and-secure-way) – Gilles 'SO- stop being evil' Nov 14 '11 at 17:13
  • A corollary to this problem, is this kind of logging possible for a router or a managed switch? – Vineet Menon Nov 15 '11 at 06:28
  • Why is this having upvotes, is it on-topic here? Shouldn't this question be on http://softwarerecs.stackexchange.com? – Pacerier Jul 06 '15 at 16:19

2 Answers2

8

In case you are using Windows, you can use Process Monitor to find out which files and registry entries the software is accessing. And for the sites it is visiting (request and responses) you can use some proxy, I personally prefer Fiddler. You can also use the TCPView to check the active connections opened by the SW.

You also can use Wireshark to monitor network activity and set a filter to show you just the communication with the server you want. Or you can use Microsoft Network Monitor, which can display communication for specific process.

bretik
  • 1,870
  • 13
  • 22
  • thank you very much, this process monitor was very useful. – planIT Nov 14 '11 at 18:53
  • is there a way to see with Process Monitor WHAT a TCP Send is Sending?! – planIT Nov 14 '11 at 19:04
  • Not sure about that, anyway I edited the answer and added tools for analyzing network traffic. – bretik Nov 16 '11 at 11:22
  • @bretik, Which is better? Do you personally use TCPView, Wireshark, Fiddler, or Microsoft Network Monitor? – Pacerier Jul 06 '15 at 16:20
  • @Pacerier I personally prefer Fiddler for all applications that communicate over HTTP(S) and are able to use proxy, for other applications I use Wireshark – bretik Jul 08 '15 at 08:01
5

System call interception can help you here. Caveat: it will let you log the fact that a process communicated with a daemon/service, but if the daemon/service is not subject to logging then it will not transitively log actions that the daemon/service performs, so it cannot expose all confused deputy problems.

From the strace man page

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

Since file-system access and network socket creation are done via syscalls, logging those calls will let you reconstruct which file and network resources your program is accessing.

If you want to understand which resources are being accessed, and then make sure that the process never accesses more than that even if subverted, look into systrace.

For complicated applications, it is difficult to know the correct policy before running them. Initially, Systrace notifies the user about all system calls that an application tries to execute. The user configures a policy for the specific system call that caused the warning. After a few minutes, a policy is generated that allows the application to run without any warnings. However, events that are not covered still generate a warning. Normally, that is an indication of a security problem. Systrace improves cyber security by providing intrusion prevention.

Alternatively, policies can be learned automatically. In many instances, the automatically learned policies can be used for sandboxing immediately. Sometimes, minimal manual post-processing is necessary.

Caveat: strace was not designed for security the way systrace was so is prone to exploitable race conditions around syscall parameters. See D.W.'s comment for points to how to harden strace.

I don't know much about syscall interception on Windows, but STraceNT and vtrace looks like a good starting points.

StraceNT is a System Call Tracer for Windows. It provides similar functionality as of strace on Linux. It can trace all the calls made by a process to the imported functions from a DLL. StraceNT can be very useful in debugging and analyzing the internal working of a program.

VTrace collects data about processes, threads, messages, disk operations, network operations, and devices. The technique uses a DLL loaded into the address space of every process to intercept Win32 system calls; establishes hook functions for Windows NT kernel system calls; modifies the context switch code in memory to log context switches; and uses device filters to log accesses to devices.

Mike Samuel
  • 3,873
  • 18
  • 25
  • On Windows, I've occasionally used [StraceNT](http://www.intellectualheaven.com/default.asp?BH=projects&H=strace.htm). I have no idea how it compares with vtrace. – Gilles 'SO- stop being evil' Nov 14 '11 at 17:14
  • 2
    This is a good answer. One caution: beware that if the process being monitored is malicious, it can defeat strace monitoring in a variety of ways (preventing you from seeing what it is doing). Probably most programs/malware won't do this, but it's worth being aware of. – D.W. Nov 14 '11 at 17:45
  • @D.W. Is there anything short of full-virtualization (UML/VMWare) that will allow reliable logging? – Mike Samuel Nov 14 '11 at 17:53
  • I don't know of any off-the-shelf easy-to-use method. There are ways to do syscall monitoring reliably (see, e.g., [this answer](http://security.stackexchange.com/questions/8485/monitoring-system-calls-in-a-reliable-and-secure-way/8496#8496)), but they are complex and I don't know of off-the-shelf tools that you could just download and use. (VMWare doesn't provide an easy way to do logging. If the monitoring agent lives inside the VM, then it coulld be tampered with by the malicious code. You can build the monitoring into the VMM, but that'd require changing VMWare.) – D.W. Nov 14 '11 at 18:33