i have a program which is pretty simple. Its just a simple login form.
Is there any possibility to log what this program is doing (maybe which file he is accessing and which website he is visiting (also what this website is returning)
I mean a program that is logging which file this program is accessing and which websites (or queries) this program is sending to a website.
I would really appreciate your help.
In case you are using Windows, you can use Process Monitor to find out which files and registry entries the software is accessing. And for the sites it is visiting (request and responses) you can use some proxy, I personally prefer Fiddler. You can also use the TCPView to check the active connections opened by the SW.
You also can use Wireshark to monitor network activity and set a filter to show you just the communication with the server you want. Or you can use Microsoft Network Monitor, which can display communication for specific process.
System call interception can help you here. Caveat: it will let you log the fact that a process communicated with a daemon/service, but if the daemon/service is not subject to logging then it will not transitively log actions that the daemon/service performs, so it cannot expose all confused deputy problems.
From the strace man page
In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
Since file-system access and network socket creation are done via syscalls, logging those calls will let you reconstruct which file and network resources your program is accessing.
If you want to understand which resources are being accessed, and then make sure that the process never accesses more than that even if subverted, look into systrace.
For complicated applications, it is difficult to know the correct policy before running them. Initially, Systrace notifies the user about all system calls that an application tries to execute. The user configures a policy for the specific system call that caused the warning. After a few minutes, a policy is generated that allows the application to run without any warnings. However, events that are not covered still generate a warning. Normally, that is an indication of a security problem. Systrace improves cyber security by providing intrusion prevention.
Alternatively, policies can be learned automatically. In many instances, the automatically learned policies can be used for sandboxing immediately. Sometimes, minimal manual post-processing is necessary.
Caveat: strace was not designed for security the way systrace was so is prone to exploitable race conditions around syscall parameters. See D.W.'s comment for points to how to harden strace.
I don't know much about syscall interception on Windows, but STraceNT and vtrace looks like a good starting points.
StraceNT is a System Call Tracer for Windows. It provides similar functionality as of strace on Linux. It can trace all the calls made by a process to the imported functions from a DLL. StraceNT can be very useful in debugging and analyzing the internal working of a program.
VTrace collects data about processes, threads, messages, disk operations, network operations, and devices. The technique uses a DLL loaded into the address space of every process to intercept Win32 system calls; establishes hook functions for Windows NT kernel system calls; modifies the context switch code in memory to log context switches; and uses device filters to log accesses to devices.
