Understanding configuration options

ABPA monitoring is based on two main DLLs: abpa_loader.dll and ABPAEngine.dll. The first is a light-weight DLL which Windows loads automatically into each new process once it has been added to a special registry key. Its purpose is to decide whether the current (hosting) process should be monitored. Only if it decides to monitor the process does it load "ABPAEngine.dll", which is the one that hooks the API functions and does the "heavy" work.

1. Loading "abpa_loader.dll"

In order to be injected into each process, the DLL must be added to the list in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Note that AppInit_DLLs is processed by user32.dll, so the loader is only mapped into processes that load user32.dll. On Windows Vista and later the list is ignored unless the LoadAppInit_DLLs value (DWORD) in the same key is set to 1.
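As an added example (not part of the ABPA project), the following PowerShell registers the loader from an elevated prompt. It assumes the DLL was copied to C:\ABPA\abpa_loader.dll (a hypothetical location, deliberately without spaces because AppInit_DLLs entries are separated by spaces or commas) and that the machine runs Windows Vista or later, where LoadAppInit_DLLs must also be 1:

```powershell
# Added example, not the ABPA project's own code. Run from an elevated prompt.
# Assumptions: the DLL lives at C:\ABPA\abpa_loader.dll (hypothetical path, no
# spaces, since AppInit_DLLs is a space/comma separated REG_SZ) and the OS is
# Vista or later, where LoadAppInit_DLLs must be 1 for the list to be used.

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$dllPath = 'C:\ABPA\abpa_loader.dll'   # hypothetical install location

# Merge a DLL path into the existing AppInit_DLLs string instead of
# overwriting it: another product may already have an entry there.
function Merge-AppInitDlls {
    param([string]$Existing, [string]$NewDll)
    $entries = @($Existing -split '[ ,]+' | Where-Object { $_ -ne '' })
    if ($entries -notcontains $NewDll) { $entries += $NewDll }
    return ($entries -join ' ')
}

$current = (Get-ItemProperty -Path $keyPath -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
$merged  = Merge-AppInitDlls -Existing ([string]$current) -NewDll $dllPath

Set-ItemProperty -Path $keyPath -Name 'AppInit_DLLs'     -Value $merged -Type String
# Vista and later ignore AppInit_DLLs unless this DWORD is 1.
Set-ItemProperty -Path $keyPath -Name 'LoadAppInit_DLLs' -Value 1       -Type DWord

# Show the result; processes started from now on that load user32.dll will map the loader.
Get-ItemProperty -Path $keyPath -Name 'AppInit_DLLs', 'LoadAppInit_DLLs'
```

Every process that loads user32.dll, privileged ones included, will map this DLL, so anyone who can replace the file or edit the value gets code execution in all of them: keep the DLL's folder writable by administrators only. Windows 8 and later additionally ignore AppInit_DLLs when Secure Boot is enabled, so on such systems this injection path is unavailable.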

2. Which applications to monitor

The following settings are possible:
  1. None - all monitoring is disabled, even though "abpa_loader.dll" is still injected into new processes;
  2. Listed only - a list of regular expressions is provided; only applications matching one of the regexes are monitored;
  3. All except listed - a list of regular expressions for excluded applications is provided; all other applications are monitored;
  4. All - all new applications are monitored.
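To show how the four settings interact with the regular expressions, here is an added PowerShell model of the per-process decision (example code, not the project's own loader). It assumes the patterns are matched against the process image name with PowerShell's -match operator, i.e. .NET regex, case-insensitive and unanchored; the page does not say which regex engine ABPA uses or whether it matches the full path, so verify that against your own list:

```powershell
# Added example, not the ABPA project's code: a model of the decision the
# loader makes for each new process under the four monitoring settings.
# Assumption: patterns are .NET regexes applied with -match (case-insensitive,
# unanchored) to the image name only.

function Test-ShouldMonitor {
    param(
        [ValidateSet('None', 'ListedOnly', 'AllExceptListed', 'All')]
        [string]$Mode,
        [string[]]$Patterns = @(),
        [Parameter(Mandatory)][string]$ImageName
    )
    # True if at least one pattern matches the image name.
    $listed = [bool]($Patterns | Where-Object { $ImageName -match $_ })
    switch ($Mode) {
        'None'            { return $false }   # hooks are never installed
        'All'             { return $true }
        'ListedOnly'      { return $listed }
        'AllExceptListed' { return -not $listed }
    }
}

# Constructed sample of image names a loader might see.
$images = 'notepad.exe', 'mynotepad.exe', 'NOTEPAD.EXE', 'cmd.exe', 'svchost.exe'

# An unanchored pattern such as 'notepad' also matches 'mynotepad.exe';
# anchor it and escape the dot when you mean exactly one image name.
$loose  = @('notepad')
$strict = @('^notepad\.exe$')

foreach ($img in $images) {
    [pscustomobject]@{
        Image             = $img
        ListedOnly_loose  = Test-ShouldMonitor -Mode ListedOnly      -Patterns $loose  -ImageName $img
        ListedOnly_strict = Test-ShouldMonitor -Mode ListedOnly      -Patterns $strict -ImageName $img
        AllExcept_strict  = Test-ShouldMonitor -Mode AllExceptListed -Patterns $strict -ImageName $img
        None              = Test-ShouldMonitor -Mode None            -Patterns $strict -ImageName $img
    }
}
```

The table this prints shows that the loose pattern selects both notepad.exe and mynotepad.exe, while the anchored pattern selects exactly notepad.exe (in any letter case). In "All except listed" mode the same looseness works the other way round: an exclusion that is too broad silently drops more processes than intended. "None" returns false whatever the list contains.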

3. What data should be captured

There are a number of event types that can be collected by ABPA. You can enable or disable each event type; for disabled event types the relevant functions are not hooked at all. All event types are enabled by default, except for the one noted below.
  1. File events
  2. Network events
  3. Virtual Memory events
  4. Thread events
  5. Windows events
  6. Synchronization events - disabled by default, to reduce the volume of the output files.

4. Where the output is stored

You may specify any folder as the output folder for ABPA files. For each monitored process a separate output file with a unique name is created there. Since each monitored process gets its own file, check that the folder is writable by the accounts those processes run under, and bear in mind that a process writing its own log can also alter it.

Using "abpaConfig.exe"

Once you understand the configuration options, working with abpaConfig.exe should be pretty straightforward. Just follow the instructions in the menu at each step to navigate to the desired option.
Note: all changes take effect immediately (before you are done with "abpaConfig"), so it is recommended to first complete the general configuration (applications to be monitored, event types, output folder) and only then, when ready, enable ABPA monitoring to start the hooking.

Last edited Aug 11, 2008 at 12:07 PM by migo, version 1