33 replies to this topic

[Xenobiologist]

HI,

I tried to create a script which can be used to secure other scripts by forcing the user to authenticate with his crendentials (username & password).

Idea: My scripts wrapps the mainScript (in his belly) and after authenticated successfully, it "fileInstalls" the script and starts it. After the mainScript ends, it deletes the script.

I think, for many users this should be enough to prevent them from starting your script.exe without permission.

I hope someone will test it, too and like it.

LoginWrapper:

AutoIt        expandcollapse  popup

; ------------------------------------------------------------------------------------------------------
;
; AutoIt Version: 3.1.1 beta
; Author:        Thorsten Meger <Th DOT Meger AT gmx DOT de>  & ...
;
; Script Function: LoginWrapper / Security Check
;
;   The script allows you to protect your script from starting by unauthenticated users.
;   This scrips wrapps your script. After authenticated successfully, it "installs" your script hidden
;   at the given location and starts it. 
;   If the "main-script" is closed, this script deletes the your Script.exe
;   Wrapper.exe contains (your script)
; ------------------------------------------------------------------------------------------------------
;   The script creates an (system/hidden) ini-File in the script-folder.
;   The login.ini contains the encrypted usernames & passwords
;   To add users who can authenticate successfully, start the script with the para defined
;   in $createNewUser default(newuser)
;   The login.ini contains one adminUser(InitialUser & InitialPassword)
;   Change Initial - user & password to your needs
; ------------------------------------------------------------------------------------------------------

; **** Change this to your script.exe ******************************************************

Dim $yourScriptExe = 'c:\MsgBox.exe'; your script.exe (I recommend c:\)
Dim $InitialUser = 'xxx'        ; change this to your "admin" user
Dim $InitialPassword = 'xxx'    ; change this to your "admin" password
Dim $iniPath = @WindowsDir & '\'; where to save the ini files
Dim $nameOfIni = 'login.ini'    ; Login.ini should be renamed to the name of the wrapped mainScript. That will allow multiple wrapping
Dim $createNewUser = 'newuser'  ; change this to secure creating new users (first parameter) e.g. : LoginWrapper.exe newuser
Dim $Sound = 1                  ; Sound On/Off, 1 = On, 0 = Off

; FileInstall doesn't work with variables, so you have to type fullPath as a string!!!
; Example : FileInstall('c:\yourPath\yourScriptExe.exe', 'c:\yourScriptExe.exe', 1); 2nd para must be the same as in $yourScriptExe!
Func _FileInstall()
    FileInstall('c:\Downloads\AutoIt-Skripte\Entwicklung\Wrapper\MsgBox.exe', 'c:\MsgBox.exe', 1); first;!!!Change here!!!
    FileSetAttrib($yourScriptExe, "+SH")
    Sleep(20)
    Run($yourScriptExe)
    If @error = 1 Then MsgBox(0, "Error", "Couldn't find the main script!", 4)
    check()
EndFunc ;==>_FileInstall
; ******************************************************************************************

#include <GUIConstants.au3>
#include <String.au3>
#include <File.au3>
Opt("RunErrorsFatal", 0)

; The GUI
$GUI = GUICreate("Security Check", 318, 223, 192, 125)
; Group
$main_G = GUICtrlCreateGroup("Credentials", 8, 56, 297, 153)
; Label
$username_L = GUICtrlCreateLabel("Username : ", 16, 80, 131, 17, $SS_SUNKEN)
$password_L = GUICtrlCreateLabel("Password : ", 16, 112, 131, 17, $SS_SUNKEN)
$status_L = GUICtrlCreateLabel("Status", 16, 176, 267, 17, $SS_SUNKEN)
$headline_L = GUICtrlCreateLabel("Login", 8, 18, 299, 33)
; Input
$username_I = GUICtrlCreateInput("", 160, 76, 121, 21, -1, $WS_EX_CLIENTEDGE)
$password_I = GUICtrlCreateInput("", 160, 110, 121, 21, $ES_PASSWORD, $WS_EX_CLIENTEDGE)
; Button
$button_B = GUICtrlCreateButton("Login", 16, 136, 131, 25, $BS_DEFPUSHBUTTON)
; CheckBox
$changePassword_C = GUICtrlCreateCheckbox("Change Password", 160, 136, 113, 25)

GUICtrlSetFont($headline_L, 18, -1, -1, "Arial")
GUICtrlSetColor($headline_L, "0xff0000")
; TrayTip
TrayTip("Security Check", "Please, authenticate with user & password", 2, 1)
GUISetState(@SW_SHOW)

;Variables
Dim $guiStatus = 0
Dim $exists = False
Dim $changeActivated = False
Dim $acceptedUser = ''
Dim $sectionArray = ''
; create Obj for speech
Dim $voice = ObjCreate("Sapi.SpVoice")

; You can change the elements which are used for encryption here
Dim $cryptArray = StringSplit("2we4rf,adfi8,i9lp,we2ay,9o0pw,asdc4,1209i,tz573,98m3,6tg5", ",")

start()

; Check at start, whether the ini file is there. If not create it with the initial credentials
Func Start()
;Check for password file
    If Not FileExists($iniPath & $nameOfIni) Then
        _FileCreate($iniPath & $nameOfIni)
        Local $cryptWord = Random(0, 9, 1)
        IniWrite($iniPath & $nameOfIni, '1', _StringEncrypt(1, $InitialUser, 'key', 2), _StringEncrypt(1, $InitialPassword, $cryptArray[$cryptWord], 2) & $cryptWord)
        FileSetAttrib($iniPath & $nameOfIni, "+SH")
    EndIf
EndFunc ;==>OnAutoItStart


; Changing GUI whether you want to login or create new users
If $cmdLine[0] > 0 Then
    If $cmdLine[1] = $createNewUser Then
        $guiStatus = 1
        GUICtrlSetData($button_B, "Save")
        GUICtrlSetData($headline_L, "New User")
        GUICtrlSetData($status_L, "Ready ...")
        GUICtrlSetState($changePassword_C, $GUI_HIDE)
    EndIf
EndIf

; Func create new user
Func createNewUser()
    Local $exists = False
    $sectionArray = IniReadSection($iniPath & $nameOfIni, '1')
    If @error Then
        MsgBox(4096, "", "Error occured, probably no INI file.")
    Else
        For $i = 1 To $sectionArray[0][0]
            If _StringEncrypt(0, $sectionArray[$i][0], 'key', 2) = GUICtrlRead($username_I) Then
                GUICtrlSetData($status_L, "User already exists!")
                If $Sound = 1 Then Speak("User already exists!")
                $exists = True
                Sleep(500)
                GUICtrlSetData($status_L, "Ready...")
                ExitLoop
            EndIf
        Next
        If $exists = False Then
            Local $cryptWord = Random(0, 9, 1)
            IniWrite($iniPath & $nameOfIni, '1', _StringEncrypt(1, GUICtrlRead($username_I), 'key', 2), _StringEncrypt(1, GUICtrlRead($password_I), $cryptArray[$cryptWord], 2) & $cryptWord)
            GUICtrlSetData($status_L, "New User created!")
            If $Sound = 1 Then Speak("New User created!")
            Sleep(500)
            GUICtrlSetData($status_L, "Ready...")
        EndIf
    EndIf
EndFunc ;==>createNewUser

; check user and password
Func verifyUserAndPassword()
    $exists = False
    GUICtrlSetData($status_L, "Verifying User")
    $sectionArray = IniReadSection($iniPath & $nameOfIni, '1')
    If @error Then
        MsgBox(4096, "", "Error occured, probably no INI file.")
    Else
        For $i = 1 To $sectionArray[0][0]
            Local $user = _StringEncrypt(0, $sectionArray[$i][0], 'key', 2)
            If $user = GUICtrlRead($username_I) Then
                Local $cryptNr = StringRight($sectionArray[$i][1], 1)
                Local $value = StringLeft($sectionArray[$i][1], StringLen($sectionArray[$i][1]) - 1)
                If _StringEncrypt(0, $value, $cryptArray[$cryptNr], 2) = GUICtrlRead($password_I) Then
                    GUICtrlSetData($status_L, "Login accepted! Welcome! " & $user)
                    If $Sound = 1 Then Speak("Login accepted! Welcome! " & $user)
                    $exists = True
                    $acceptedUser = GUICtrlRead($username_I)
                    If Not BitAND(GUICtrlRead($changePassword_C), $GUI_CHECKED) Then
                        _FileInstall()
                    EndIf
                EndIf
            EndIf
        Next
    EndIf
    If $exists = False Then
        Sleep(200)
        GUICtrlSetData($status_L, "Access denied!")
        If $Sound = 1 Then Speak("Access denied!", 2, 100)
        Sleep(500)
        GUICtrlSetData($status_L, "Ready...")
    EndIf
EndFunc ;==>verifyUserAndPassword

While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
        Case $msg = $button_B
            If (StringLen(GUICtrlRead($username_I)) < 3 Or StringLen(GUICtrlRead($password_I)) < 3) And $exists = False Then
                GUICtrlSetData($status_L, "Minimum 3 letters")
                If $Sound = 1 Then Speak("Minimum 3 letters")
            Else
                If $guiStatus = 0 And Not BitAND(GUICtrlRead($changePassword_C), $GUI_DISABLE) And $changeActivated = False Then
                    verifyUserAndPassword()
                ElseIf $guiStatus = 1 And Not BitAND(GUICtrlRead($changePassword_C), $GUI_DISABLE) And $changeActivated = False Then
                    createNewUser()
                EndIf
                If $changeActivated = True Then
                    If GUICtrlRead($username_I) = GUICtrlRead($password_I) Then
                        For $i = 1 To $sectionArray[0][0]
                            If _StringEncrypt(0, $sectionArray[$i][0], 'key', 2) = $acceptedUser Then
                                Local $cryptWord = Random(0, 9, 1)
                                IniWrite($iniPath & $nameOfIni, '1', _StringEncrypt(1, $acceptedUser, 'key', 2), _StringEncrypt(1, GUICtrlRead($username_I), $cryptArray[$cryptWord], 2) & $cryptWord)
                                ExitLoop
                            EndIf
                        Next
                        If (StringLen(GUICtrlRead($username_I)) < 3 Or StringLen(GUICtrlRead($password_I)) < 3) Then
                            GUICtrlSetData($status_L, "Minimum 3 letters")
                            If $Sound = 1 Then Speak("Minimum 3 letters")
                        Else
                            GUICtrlSetData($status_L, "New password saved!")
                            If $Sound = 1 Then Speak("New password saved!")
                            Sleep(500)
                            GUICtrlSetData($status_L, "Program closes in 1 sec")
                            If $Sound = 1 Then Speak("Security Check closes ...")
                            Sleep(200)
                            check()
                        EndIf
                    Else
                        GUICtrlSetData($status_L, "New passwords dont't match!")
                        GUICtrlSetData($username_I, "")
                        GUICtrlSetData($password_I, "")
                        If $Sound = 1 Then Speak("New passwords dont't match!")
                    EndIf
                EndIf
                If BitAND(GUICtrlRead($changePassword_C), $GUI_CHECKED) And Not BitAND(GUICtrlRead($changePassword_C), $GUI_DISABLE) And $changeActivated = False Then
                    changePassword()
                EndIf
            EndIf
    EndSelect
WEnd

; Preparing GUI for checking password
Func changePassword()
    If $exists = True Then
        $changeActivated = True
        GUICtrlSetState($changePassword_C, $GUI_DISABLE)
        _GuiCtrlEditChangePasswordChar($username_I)
        _GuiCtrlEditChangePasswordChar($password_I)
        GUICtrlSetData($status_L, "Please, enter new password")
        GUICtrlSetData($username_L, "New password")
        GUICtrlSetData($password_L, "Reenter password")
        GUICtrlSetData($username_I, "")
        GUICtrlSetData($password_I, "")
        GUICtrlSetData($button_B, "Save new password")
        GUICtrlSetState($username_I, $Gui_FOCUS)
    Else
        GUICtrlSetData($status_L, "Please, authenticate first!")
        If $Sound = 1 Then Speak("Please, authorize first!")
    EndIf
EndFunc ;==>changePassword

; Speak func
Func Speak($Text, $Rate = 2, $Vol = 100)
    $voice.Rate = $Rate
    $voice.Volume = $Vol
    $voice.Speak ($Text)
EndFunc ;==>Speak

Func OnAutoItExit()
    FileDelete($yourScriptExe)
EndFunc ;==>OnAutoItExit

Func check()
#NoTrayIcon
GUISetState(@SW_HIDE)
Dim $exe = StringSplit($yourScriptExe, "\")
Sleep(200); Sleep, before LoginWrapper starts to check whether the wrapped exe is running
While 1
    If ProcessExists($exe[$exe[0]]) = 0 Then
        FileDelete($yourScriptExe)
        Exit(0)
    EndIf
    Sleep(2000)
WEnd
EndFunc

; Func to set the username (which is clear) to mask the typed signs
Func _GuiCtrlEditChangePasswordChar(ByRef $h_edit, $s_newchar = '#')
    Local Const $EM_SETPASSWORDCHAR = 0xCC
    GUISetState(@SW_LOCK)
    If StringInStr(@OSVersion, "WIN_XP") And @NumParams = 1 Then
        Local $s_text = GUICtrlRead($h_edit)
        Local $pos = ControlGetPos(WinGetTitle(""), "", $h_edit)
        GUICtrlDelete($h_edit)
        $h_edit = GUICtrlCreateInput($s_text, $pos[0], $pos[1], $pos[2], $pos[3], $ES_PASSWORD, $WS_EX_CLIENTEDGE)
    Else
        GUICtrlSetStyle($h_edit, $ES_PASSWORD, $WS_EX_CLIENTEDGE)
        GUICtrlSendMsg($h_edit, $EM_SETPASSWORDCHAR, Asc($s_newchar), 0)
    EndIf
    GUISetState(@SW_UNLOCK)
EndFunc ;==>_GuiCtrlEditChangePasswordChar
ƒo݊÷ ØÆ¢'+Š›¢é]m쨺»%™ªºÚ"µÍ‚“ÙЛÞ
    œ][ÝÔÙXݙY›Ùܘ[Iœ][ÝË    œ][ÝÖYXZHÙXݙYXZ[‹›Ùܘ[HݝY   ˆÌÌÎɜ][ÝÈ ˜[Èԓˆ ˜[È  œ][ÝÕÈÚÝ[™H™XÙYžH[݈Øܚ™^HÈ^XÝ]X›Iœ][ÝÈ  ˜[Èԓˆ ˜[Èԓˆ ˜[È  œ][ÝÒÝÈÈÈ]ɜ][ÝÈ  ˜[Èԓˆ ˜[Èԓˆ ˜[È  œ][ÝҝÝ™XYHÛÛ[Y[žH[ˆÙÚ[•Ü˜‹˜]Lɜ][ÝÈ  ˜[Èԓˆ ˜[Èԓˆ ˜[È  œ][ÝÕ[šÜÈ  ˜[È[™]™H[‰ˆÌÌÎɜ][ÝÈ  ˜[Èԓˆ ˜[Èԓˆ ˜[È  œ][ÝÓYYØIœ][ÝÊB

For a quick test, just start the LoginWrapper.exe and then the MsgBox of the "mainScript" should appear.

Edit: 23.04 Released new version. Several things improved
- "mainScript" and login.ini are now hidden
- username & password must be min 3 letters
- password is encrypted with random string (high security)
- DeleteScript removed (integrated in Wrapper)
- Sound On/Off
- Things to customize set on top of script with comments
...

First version downloaded 11 times

So long,

Mega

P.S.: Any Feedback would be appreciated!

Attached Files

•  LoginWrapper1.3.zip   369.38K   675 downloads
•  LoginWrapper1.3.au3   10.99K   648 downloads

Edited by th.meger, 04 August 2006 - 11:31 AM.

[dabus]

Don't know the syntax for Inputbox right now (I do not use windows to surf the web at home), but I think this is cleaner than wrapping apps around apps.

If Not @UserName='Administrator' Then
    $AdminPass=InputBox('Authenticate', 'Give me a password', ''); Set PasswordChar to '*'
    If $AdminPass<>'XXXXXX' Then Exit
EndIf

MsgBox (0, 'Dummy', 'Test' )

At least this is what I think your script is doing

Edited by dabus, 21 April 2006 - 04:23 PM.

[Xenobiologist]

Hi,

thanks you checking my script.

What you are doing is a static way of protecting the script. You cannot add users, you cannot change your password and so on. You have to add to your script and recompile it every time.

My wrapper is supposed to add the query of username & password to every script/executable you wish.

Example:

You've got created a script and you want to distribute it to many computers, but you only want a few people to use the script. You can take this script to get in done.
And the users could also change their password if they want to. The admin(of this script called initialUser) can create new user accounts or delete them.

The script does more than checking for password and start the script if password is correct.

So long,

Mega

[Norky]

Its amazing script. i'm looking it for long time. maybe I need some help later.

[Hello12345]

a nice feature would be, before it tries to delete the main script it should first make sure that the script is not running. maybe a simple processexists should do. . since you run it, you know the pid of the process, you can just store the pid somewhere and send it to the delete.exe as a commnad line parameter. just an idea.

or you can just wait untill the process is closed, by the name of the process.
but just to pause the script will probably not work.


I tested and the mainscript did not get deleted, because i did not click ok .

nice job.

Edited by Hello12345, 23 April 2006 - 02:42 AM.

[Hello12345]

OK. i looked at the code. maybe even easier a loop
ex.

DO 
If not ProcessExists($exe) Then
        FileDelete($path)
          _SelfDelete()
        Exit (0)
    EndIf
until ProcessExists($exe)

edit: fixed mistake.

Edited by Hello12345, 23 April 2006 - 03:05 AM.

[Hello12345]

Ok, maybe that is not the problem.
But i found out that the delete process. does not know where the file is and what is the name of the process it is trying to wait for. that is why it just goes on to delete itself.


Edit: Something is wrong with the commnad line prasing or how it is send to the delete file.

Edited by Hello12345, 23 April 2006 - 03:13 AM.

[Norky]

OK. i looked at the code. maybe even easier a loop
ex.

DO 
If not ProcessExists($exe) Then
        FileDelete($path)
          _SelfDelete()
        Exit (0)
    EndIf
until not ProcessExists($exe)

I couldn’t fixed how can I add new user? could u give un example?

[Hello12345]

@th.meger

Do you think it would be easier if the function to delete the file is done by the LoginWrapper?
Because it seems to me that it is super hard to get the delete.exe to get the path and name of the file you are trying to delete... again just my 2.5 cents.

Edited by Hello12345, 23 April 2006 - 03:56 AM.

[Xenobiologist]

@th.meger

Do you think it would be easier if the function to delete the file is done by the LoginWrapper?
Because it seems to me that it is super hard to get the delete.exe to get the path and name of the file you are trying to delete... again just my 2.5 cents.

Hi,

first of all thanks Hello12345 & Norky for the feedback.

I changed a lot of the script and replaced it in my first post (above).
Yeah, firstly I thought that won't work, because the user can terminate/kill the wrapper.exe process so that it cannot delete your script and then they search for your now unprotected script. That is why I made the extra delete.exe which the user didn't know . But you convinced me. I put the funcionality in the wrapper, so that I got rid of the delete.exe.

@ Norky : To create new users, you have to call the script with a parameter. The default is newuser which you can and should change. (Everything to change is at top of the script).

Hope you and some others will test the new version.

So long,

Mega

[Hello12345]

oops.
Does not create an ini if the ini does not exists.

[Xenobiologist]

oops.
Does not create an ini if the ini does not exists.

Hi,

sure it does. It is in your windows folder (@WindowsDir) and it is hidden.

If you are not dealing with users who aren't allowed to create files in WindowsDir (Normally, c:\Winnt) you have to change this line in the script

Dim $iniPath = @WindowsDir & '\'; where to save the ini files

to maybe

Dim $iniPath = 'C:\'; where to save the ini files

So long,

Mega

Edited by th.meger, 23 April 2006 - 03:34 PM.

[Norky]

Sound Off and On dosen't worked for me, always on.

[Xenobiologist]

Sound Off and On dosen't worked for me, always on.

Hi,

strange!

Did you change the settings here

; **** Change this to your script.exe ******************************************************

Dim $yourScriptExe = 'c:\MsgBox.exe' ; your script.exe (I recommend c:\)
Dim $InitialUser = 'xxx' ; change this to your "admin" user
Dim $InitialPassword = 'xxx' ; change this to your "admin" password
Dim $iniPath = @WindowsDir & '\' ; where to save the ini files
Dim $nameOfIni = 'login.ini' ; Login.ini should be renamed to the name of the wrapped mainScript. That will allow multiple wrapping
Dim $createNewUser = 'newuser' ; change this to secure creating new users (first parameter) e.g. : LoginWrapper.exe newuser
Dim $Sound = 1 ; Sound On/Off, 1 = On, 0 = Off

Works perfect for me.

Sound should only be activated if $sound = 1 anything else like 0 or 2 should disable the sound.

So long,

Mega

[Hello12345]

nice it works.

one question.
if you create a new user you have to include the ini right?

[Norky]

Hi,

strange!

Did you change the settings here
Works perfect for me.

Sound should only be activated if $sound = 1 anything else like 0 or 2 should disable the sound.

So long,

Mega

Its working now it was my mistake. sorry

[Xenobiologist]

Its working now it was my mistake. sorry

Nevermind!

nice it works.

one question.
if you create a new user you have to include the ini right?

If you want to use your WrapperScript on many computer you could create the ini on your pc. Add the users and then copy ini and exe to the other machines.

So long,

Mega

[Hello12345]

is there anyway we can hide the loginwrapper from the process manager?
so the person cannot kill it?

anyway I think this can be fixed, by making the main script check if the loginwrapper is running, and if not the script exits and deletes itself.

Edited by Hello12345, 23 April 2006 - 05:57 PM.

[Xenobiologist]

is there anyway we can hide the loginwrapper from the process manager?
so the person cannot kill it?

anyway I think this can be fixed, by making the main script check if the loginwrapper is running, and if not the script exits and deletes itself.

Hi,

that would do the trick, but then you have to change the mainScript and recompile it. That's what I wanted to avoid.

I think it is almost good enough right now.

This wrapper was made for having the possibility of adding the authentication to every executable even non-autoit ones like siw.exe.

So long,

Mega

[Hello12345]

another way is, you can do what you did with you first script.

but instead of sending the path. you could add another
entry into the in.

[2]

path="blah blah"

and the path would be encrypted too.(all encrypted)

and the other file would have to read the ini.
but the wrapper could still be running.
so the second script that can delete the file if the wrapper is killed.
in a way both the wrapper and the second script can check that both are not killed and when the mainexe is ended.
and if either of the one controlling scripts is killed that the other kills the exe and deletes it.

Edited by Hello12345, 23 April 2006 - 11:47 PM.