mary

Prevent Process creation from usb stick

9 posts in this topic

#1 ·  Posted (edited)

Windows has no solution to prevent execution of any program from a USB stick!

My idea is to hook process creation (hooking the NtCreateSection API?).

The callback function is something like this:

If Not StringInStr($sProcessFullPath, "c:\") Then blockIt()

Is it possible with AutoIt, or is there another solution (maybe with a given DLL or precompiled driver.sys)?

I found a C example here, but I'm unable to compile the protector.sys

Thanks


#3 ·  Posted (edited)

Think I've seen a few of these about

This might be one

http://www.autoitscript.com/forum/index.php?showtopic=106939

No, this is not my question. My goal is to prevent launching processes from USB (not only autorun.inf).


What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C.


What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C.

No, we must prevent execution early (before loading into memory) by hooking the Win API (CreateProcess or NtCreateSection) and not by scanning the existing processList!


No, we must prevent execution early (before loading into memory) by hooking the Win API (CreateProcess or NtCreateSection) and not by scanning the existing processList!

I think what he suggested was "search" the USB device for exe files then have the script block any of those exe's it finds from being run.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Share this post


Link to post
Share on other sites

What good is this if the files can be copied from the removable device and executed?


What good is this if the files can be copied from the removable device and executed?

Well, if they were in some sort of blacklist (just the file names and not paths) then I would think AutoIt could block the exe files from any path at that point.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

Share this post


Link to post
Share on other sites

So the files can be renamed. They would need to be blocked by a hash.
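
The progression argued in the replies above (a path rule, then a file-name blacklist, then a hash), as an added example that is not part of the original thread and not any poster's code. It only computes which rule would flag a file and does not hook process creation; the function names, the use of SHA-256, and the two temporary directories standing in for the USB stick and for C:\ are assumptions of the example.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path, chunk=65536):
    """Hash file contents in chunks so large executables are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_drive(root):
    """Collect lower-cased names and content hashes of every .exe under root."""
    names, hashes = set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                names.add(name.lower())
                hashes.add(sha256_of(os.path.join(dirpath, name)))
    return names, hashes

def outside(path, trusted_root):
    """True if path is not under trusted_root (different drives raise ValueError)."""
    real, root = os.path.realpath(path), os.path.realpath(trusted_root)
    try:
        return os.path.commonpath([real, root]) != root
    except ValueError:
        return True

def verdicts(path, trusted_root, names, hashes):
    """Which of the thread's three rules would block launching this file?"""
    return {"path": outside(path, trusted_root),
            "name": os.path.basename(path).lower() in names,
            "hash": sha256_of(path) in hashes}

def demo():
    """Constructed scenario: temp dirs stand in for the USB stick and for C:\\."""
    with tempfile.TemporaryDirectory() as usb, tempfile.TemporaryDirectory() as fixed:
        original = os.path.join(usb, "tool.exe")
        with open(original, "wb") as f:
            f.write(b"MZ constructed sample bytes, not a real program")
        names, hashes = scan_drive(usb)
        copied = shutil.copyfile(original, os.path.join(fixed, "notes.exe"))
        return [verdicts(p, fixed, names, hashes) for p in (original, copied)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The first result is the file still on the stick, which all three rules flag; the second is the copy placed under the trusted root with a new name, which only the hash rule flags.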
