mary Posted March 2, 2010 (edited)

Windows has no solution to prevent execution of any program from a USB stick! My idea is to hook process creation (hooking the API NtCreateSection?). The callback function is something like this:

    if not StringInStr(sProcesFullPath, "c:\") then blockIt()

Is it possible with AutoIt, or is there another solution (maybe with a given DLL or precompiled driver.sys)? I found here a C example but I'm unable to compile the protector.sys. Thanks

JohnOne Posted March 2, 2010

Think I've seen a few of these about. This might be one: http://www.autoitscript.com/forum/index.php?showtopic=106939

mary Posted March 2, 2010 (edited)

"Think I've seen a few of these about. This might be one: http://www.autoitscript.com/forum/index.php?showtopic=106939"

No, this is not my question. My goal is to prevent launching processes from USB (not only autorun.inf).

Bert Posted March 2, 2010

What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C.

mary Posted March 2, 2010

"What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C."

No, we must prevent execution early (before loading in memory) by hooking the Win API (CreateProcess or NtCreateSection) and not by scanning the existing process list!

kaotkbliss Posted March 2, 2010

"No, we must prevent execution early (before loading in memory) by hooking win API (CreateProcess or NtCreateSection) and not by scanning existing processList !"

I think what he suggested was "search" the USB device for exe files then have the script block any of those exe's it finds from being run.

weaponx Posted March 2, 2010

What good is this if the files can be copied from the removable device and executed?

kaotkbliss Posted March 2, 2010

"What good is this if the files can be copied from the removable device and executed?"

Well, if they were in some sort of blacklist (just the file names and not paths) then I would think AutoIt could block the exe files from any path at that point.

weaponx Posted March 2, 2010

So the files can be renamed. They would need to be blocked by a hash.

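The three policies argued over in this thread (mary's path check, the file-name blacklist, and weaponx's hash blacklist), compared side by side as an added example that is not part of the original posts. It is Python, models only the allow/block decision and not the API hook, and all paths, file bytes and function names are constructed for illustration.

```python
import hashlib
import ntpath  # Windows path rules on any OS

# Constructed bytes standing in for executables (not real programs).
USB_TOOL = b"MZ constructed sample from the USB stick"
LOCAL_TOOL = b"MZ constructed unrelated program on C:"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def path_policy(path):
    """mary's check: block unless the full path contains c:\\ (case-insensitive)."""
    return "allow" if "c:\\" in path.lower() else "block"


def build_blocklists(usb_files):
    """Bert's scan of the plugged-in drive, recorded by name and by SHA-256."""
    names = {ntpath.basename(p).lower() for p, _ in usb_files}
    hashes = {sha256(d) for _, d in usb_files}
    return names, hashes


def name_policy(path, names):
    return "block" if ntpath.basename(path).lower() in names else "allow"


def hash_policy(data, hashes):
    return "block" if sha256(data) in hashes else "allow"


def evaluate():
    """Run each constructed launch through all three policies."""
    names, hashes = build_blocklists([("E:\\tool.exe", USB_TOOL)])
    launches = {
        "run from USB": ("E:\\tool.exe", USB_TOOL),
        "copied to C:": ("C:\\Temp\\tool.exe", USB_TOOL),
        "copied and renamed": ("C:\\Temp\\notes.exe", USB_TOOL),
        "local program, same name": ("C:\\Apps\\tool.exe", LOCAL_TOOL),
    }
    return {
        label: (path_policy(p), name_policy(p, names), hash_policy(d, hashes))
        for label, (p, d) in launches.items()
    }


if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(f"{label:26} path/name/hash = {verdicts}")
```

The path check stops only the direct launch from E:, the name blacklist also blocks the unrelated C: program that shares a name (the case Bert called tricky), and only the hash blacklist follows the file through the copy and the rename.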