mary, Posted March 2, 2010 (edited)

Windows has no solution to prevent execution of any program from a USB stick! My idea is to hook process creation (hooking the API NtCreateSection?). The callback function is something like this:

    If Not StringInStr($sProcessFullPath, "c:\") Then blockIt()

Is it possible with AutoIt, or is there another solution (maybe with a given DLL or precompiled driver.sys)? I found here a C example but I'm unable to compile the protector.sys. Thanks

Edited March 2, 2010 by mary

JohnOne, Posted March 2, 2010

Think I've seen a few of these about. This might be one: http://www.autoitscript.com/forum/index.php?showtopic=106939

mary (Author), Posted March 2, 2010 (edited)

> Think I've seen a few of these about. This might be one: http://www.autoitscript.com/forum/index.php?showtopic=106939

No, this is not my question. My goal is to prevent launching a process from USB (not only autorun.inf).

Edited March 2, 2010 by mary

Bert, Posted March 2, 2010

What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C.

mary (Author), Posted March 2, 2010

> What you can do is have a script monitor for the types of drives that plug in. I do believe that has been discussed. If the script finds one, then it is a simple matter of listing all the exe files on the drive in an array, then have them blocked from running. It may be tricky to stop exe files with the same name as a file on a different drive such as C.

No, we must prevent execution early (before loading in memory) by hooking the Win API (CreateProcess or NtCreateSection) and not by scanning the existing process list!

kaotkbliss, Posted March 2, 2010

> No, we must prevent execution early (before loading in memory) by hooking the Win API (CreateProcess or NtCreateSection) and not by scanning the existing process list!

I think what he suggested was "search" the USB device for exe files, then have the script block any of those exes it finds from being run.

weaponx, Posted March 2, 2010

What good is this if the files can be copied from the removable device and executed?

kaotkbliss, Posted March 2, 2010

> What good is this if the files can be copied from the removable device and executed?

Well, if they were in some sort of blacklist (just the file names and not paths) then I would think AutoIt could block the exe files from any path at that point.

weaponx, Posted March 2, 2010

So the files can be renamed. They would need to be blocked by a hash.
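
The three blocking rules discussed in this thread (location on the stick, file-name blacklist, content-hash blacklist), compared on a file that is first copied off the drive and then renamed. This is an added Python example, not code from any poster: it only evaluates the rules and does not hook process creation. The temporary directories and the sample file are constructed stand-ins for the USB stick and the local disk, and all function names are hypothetical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents in chunks so large executables are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_drive(root):
    """Index every .exe under root: returns (lower-cased names, content hashes)."""
    names, hashes = set(), set()
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() == ".exe":
            names.add(p.name.lower())
            hashes.add(sha256_of(p))
    return names, hashes

def verdicts(candidate, usb_root, names, hashes):
    """Report which of the three rules from the thread would block candidate."""
    candidate = Path(candidate)
    return {
        "path": Path(usb_root) in candidate.parents,  # file is located on the stick
        "name": candidate.name.lower() in names,      # file-name blacklist
        "hash": sha256_of(candidate) in hashes,       # content-hash blacklist
    }

def demo():
    """Constructed scenario: temp directories stand in for the stick and for C:."""
    with tempfile.TemporaryDirectory() as tmp:
        usb, disk = Path(tmp, "usb"), Path(tmp, "disk")
        usb.mkdir()
        disk.mkdir()
        original = usb / "tool.exe"
        original.write_bytes(b"MZ constructed sample, not a real executable")
        names, hashes = scan_drive(usb)
        copied = Path(shutil.copy(original, disk / "tool.exe"))
        renamed = Path(shutil.copy(original, disk / "notes.exe"))
        cases = (("original", original), ("copied", copied), ("renamed", renamed))
        return {label: verdicts(p, usb, names, hashes) for label, p in cases}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Only the hash rule still matches after both the copy and the rename, which is the point made in the last two replies.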