- Mar 31, 2020
Some of the Ren'Py games I've been following recently have been shared by malicious people who added viruses to the games. Thanks to the F95zone team, it was cleaned up, a detailed study of the situation was started, and action was taken. Fortunately, I did not encounter malware on my system from the games I played.
I am sharing it here as an open-source script and library that collects game paths and some logs, such as registry and IP.
Interested friends are free to develop the code and test any program or game they want.
General Purpose of the Code
This Python code is designed to monitor and log the following system activities in real time:
Network Traffic Monitoring (IP Log):
Monitors network connections occurring on your system.
Excludes Google, Microsoft and local network IPs, and counts only the requests from the remaining suspicious or unknown IPs.
IP requests are sorted in the "iplog.txt" file, updating the number of requests for each IP, with the IPs making the most requests at the top.
Registry Monitoring:
Before the monitored game/program is started, it takes a full snapshot of the specified registry branch (for example, HKEY_CURRENT_USER\Software).
This full snapshot is saved to the "reglog.txt" file, and the user is given the message "Registry snapshot taken, now you can run the game".
Then, the difference (diff) is calculated between the periodically taken registry snapshots; only newly added or changed records (showing only the new value) are added to the "reglogalert.txt" file.
File System Monitor (Game Folder):
Monitors file creation, modification and deletion events in the specified game folder.
Logs changes in this folder to the "filelog.txt" file, excluding its own log files (e.g. iplog.txt, reglog.txt, reglogalert.txt, templog.txt).
Temp Folder Monitor:
Monitors file creation, modification and deletion events in the %LOCALAPPDATA%\Temp folder.
These events are recorded in the "templog.txt" file, so you can track what is happening in the system's temporary file space.
Code Components and Functions
1. Logging Functions
log_to_file(filename, message):
Adds a message to the specified file. All logging functions work through this helper function.
log_ip, log_file, log_reg, log_reg_alert, log_temp:
Each one is used to write to different log files (iplog.txt, filelog.txt, reglog.txt, reglogalert.txt, templog.txt).
2. Network Traffic Monitoring (IP Log)
WHITELIST_PREFIXES and is_whitelisted(ip):
Excludes traffic from the listed IP prefixes (Google, Microsoft and local IPs) by prefix matching.
ip_counts (collections.Counter):
Acts as a global counter to collect the number of requests from each IP address.
monitor_network(interval):
Continuously checks network connections on the system. For each non-whitelisted remote IP it sees, it increments that IP's counter by one.
iplog_writer(write_interval):
At certain intervals (for example every 10 seconds), it sorts the data in the ip_counts dictionary starting from the IP that makes the most requests and updates the "iplog.txt" file. Thus, there is only one line for each IP in the log file and the number of requests is constantly updated.
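The counting and ranking logic described above, as an added example that is not the watcher9En.py code: local ranges are checked as proper CIDR networks (a string prefix such as "172.16." would miss 172.17-172.31), WHITELIST_PREFIXES is a placeholder for the script's Google/Microsoft prefixes, and the sample polls are constructed rather than read from psutil.

```python
import ipaddress
from collections import Counter

# Added example, not the watcher9En.py code. LOCAL_NETS replaces string prefixes for
# local ranges with CIDR checks; WHITELIST_PREFIXES is a placeholder standing in for
# the script's Google/Microsoft prefixes and must be filled from a trusted source.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
WHITELIST_PREFIXES = ("192.0.2.",)  # placeholder (TEST-NET-1), not a real vendor range

def is_whitelisted(ip: str) -> bool:
    """True for local/loopback addresses and for any whitelisted prefix."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable: keep it visible in the log instead of silently dropping it
    if any(addr in net for net in LOCAL_NETS):
        return True
    return ip.startswith(WHITELIST_PREFIXES)

def count_remote_ips(remote_addrs, counts: Counter) -> Counter:
    """One polling pass of monitor_network: bump the counter for every non-whitelisted remote IP.
    In the real loop the addresses would come from psutil.net_connections(kind="inet") (c.raddr.ip)."""
    for ip in remote_addrs:
        if not is_whitelisted(ip):
            counts[ip] += 1
    return counts

def render_iplog(counts: Counter) -> list:
    """iplog_writer's output: one line per IP, most requests first, ties broken by IP for stable output."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{ip} {n}" for ip, n in ordered]

# Constructed sample: remote endpoints seen in two consecutive polls (not real captures).
SAMPLE_POLLS = [
    ["203.0.113.5", "192.168.1.20", "198.51.100.9", "203.0.113.5"],
    ["203.0.113.5", "127.0.0.1", "192.0.2.1", "198.51.100.9"],
]

def run_sample() -> list:
    counts = Counter()
    for poll in SAMPLE_POLLS:
        count_remote_ips(poll, counts)
    return render_iplog(counts)

if __name__ == "__main__":
    print("\n".join(run_sample()))
```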
3. Registry Monitoring
get_registry_snapshot(root, key_path, hive_name):
Takes a full snapshot of the specified registry branch. The snapshot contains the exact location information in the format "HIVE\AltKey...".
diff_snapshots(old_snap, new_snap):
Calculates the differences between two snapshots. For newly added or changed records, only the new value is shown; it also reports deleted records.
monitor_registry(root, key_path, interval):
Takes a full snapshot of the registry at the beginning of the program and writes this snapshot to the "reglog.txt" file. The message "Registry snapshot taken, now you can run the game" is printed on the screen. Then, new snapshots are taken periodically and compared with the first snapshot, and changes are logged to the "reglogalert.txt" file.
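The snapshot and diff logic described in this section, as an added example that is not the watcher9En.py code: a snapshot is modelled as a dict keyed by the "HIVE\...\ValueName" location, the walk uses the standard-library winreg module (Windows only), and the two sample snapshots are constructed to exercise the added, changed and deleted cases.

```python
# Added example, not the watcher9En.py code. A snapshot is a dict mapping
# "HIVE\Sub\Key\ValueName" -> value, mirroring the script's "HIVE\..." location format.
def diff_snapshots(old_snap: dict, new_snap: dict) -> list:
    """Added/changed entries report only the new value; deleted entries report the location."""
    lines = []
    for loc in sorted(set(old_snap) | set(new_snap)):
        if loc not in old_snap:
            lines.append(f"ADDED   {loc} = {new_snap[loc]!r}")
        elif loc not in new_snap:
            lines.append(f"DELETED {loc}")
        elif old_snap[loc] != new_snap[loc]:
            lines.append(f"CHANGED {loc} = {new_snap[loc]!r}")
    return lines

def get_registry_snapshot(root, key_path: str, hive_name: str) -> dict:
    """Recursive walk of one registry branch. Windows only (stdlib winreg)."""
    import winreg  # deferred so diff_snapshots stays importable on other platforms
    snap = {}
    def walk(path: str) -> None:
        try:
            key = winreg.OpenKey(root, path)
        except OSError:
            return  # access denied or key removed between polls: skip it, keep the snapshot going
        with key:
            i = 0
            while True:  # EnumValue raises OSError once the index runs past the last value
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                snap[f"{hive_name}\\{path}\\{name}"] = data
                i += 1
            i = 0
            while True:  # same pattern for subkeys
                try:
                    sub = winreg.EnumKey(key, i)
                except OSError:
                    break
                walk(f"{path}\\{sub}")
                i += 1

    walk(key_path)
    return snap

# Constructed sample snapshots (not from a real machine) exercising all three diff cases.
BASELINE = {r"HKCU\Software\Demo\Version": "1.0", r"HKCU\Software\Demo\Path": r"C:\games\Demo"}
LATER = {r"HKCU\Software\Demo\Version": "1.1", r"HKCU\Software\Demo\LastRun": 1585612800}

if __name__ == "__main__":
    print("\n".join(diff_snapshots(BASELINE, LATER)))
```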
4. Monitor File System (Game Folder)
GameDirEventHandler:
Listens for file creation, modification and deletion events in the specified game folder. Events are recorded in the "filelog.txt" file. There are additional checks to exclude own log files (e.g. iplog.txt, reglog.txt, reglogalert.txt, templog.txt).
monitor_directory(path_to_monitor):
Monitors the specified game folder and records events in real time.
5. Monitor Temp Folder
TempDirEventHandler:
Listens for file creation, modification and deletion events in the %LOCALAPPDATA%\Temp folder. These events are recorded in the "templog.txt" file.
monitor_temp_directory(path_to_monitor):
Monitors the Temp folder and records file system events.
6. Main Function and Thread Management
In the main part of the program, each monitoring process (registry, network, game folder and temp folder) is run on separate threads.
A message tells the user not to start the game until the registry snapshot has been taken.
The program continues to run until the user terminates it with CTRL+C.
Conclusion
This code provides a comprehensive solution for monitoring, logging and reporting suspicious network, file and registry activities created by a game or any application on the system.
Each component:
Monitors network traffic, updates the number of requests and detects suspicious IPs,
Monitors registry changes in detail and reports only the changes,
Monitors file system events in both the game folder and the temp folder.
To install the libraries:
1. Open a cmd window.
2. Change to the folder where the watcher9En.py file is located.
3. Run the command
pip install --target="c:\newfiles" psutil watchdog
replacing "c:\newfiles" with the directory where watcher9En.py is located.
How it works:
1. In the code, put the path of the game/program you want to monitor between the quotation marks, e.g. "C:\games\To\GameDirectory".
2. The libraries are needed for the program to work; make sure they are in the same directory.
3. Double-click watcher9En.py.
4. Wait until the full registry snapshot (reglog.txt) has been taken before opening the relevant game/program.
5. When the cmd screen says you can now run it, run the application.
6. Check the logs written to the same directory.
If you want to block the inbound and outbound traffic of IP addresses, I am sharing another PowerShell guide code.
Please do your own research when using these applications.
You could block Windows' own applications or delete the wrong rule, so always do your own research.
Translated with Google Translate.