llewxam Posted June 1, 2010 (edited)

I've done a few versions of this idea, I think I may have posted one a while back, but this is my latest take on it. I use it to help remove spyware that likes to keep popping up, and that likes to suppress other apps from running. To use it, just run it and double-click the process you want killed, and click as many as you need to kill. For a little extra "bang", run it with the "/nuke" switch and it will kill everything not set as an exception in an effort to kill whatever may prevent it from starting normally. $exceptionList has many, but probably not all, vital processes for WinXP and Win7; I have not tested it on WinVista but can't imagine there would be problems. However, anybody who has suggestions on additions/removals from the exception list please let me know. For that matter, any improvements at all are welcome.

I compile this as PPK3; if you are going to compile it as something different, make sure you replace "PPK3.exe" in $exceptionList or it will kill itself as soon as possible.

Enjoy

#NoTrayIcon
#region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Run_Tidy=y
#endregion ;**** Directives created by AutoIt3Wrapper_GUI ****

;~ Coded by Ian Maxwell (llewxam)
;~ AutoIt 3.3.6.1

#include <WindowsConstants.au3> ;needed for $WS_CAPTION, $WS_VSCROLL, $WM_COMMAND
#include <Array.au3> ;needed for _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayBinarySearch
#include <ProgressConstants.au3> ;needed for $PBS_SMOOTH, $PBS_MARQUEE
#include <GuiListBox.au3> ;needed for $LBS_NOTIFY, $LBS_SORT, $LBS_NOSEL, $GUI_RUNDEFMSG, _GUICtrlListBox_* functions

$exceptionList = "PPK3.exe,[System Process],System,smss.exe,csrss.exe,wininit.exe,csrss.exe,services.exe,winlogon.exe,lsass.exe,lsm.exe,svchost.exe,atiesrxx.exe,audiodg.exe,CTAudSvc.exe,atieclxx.exe,spoolsv.exe,taskhost.exe,dwm.exe,explorer.exe,rundll32.exe,GoogleCrashHandler.exe,MOM.exe,CCC.exe,SearchIndexer.exe,wmpnetwk.exe,SearchProtocolHost.exe,SearchFilterHost.exe,dllhost.exe,mpcmdrun.exe,msiexec.exe,unsecapp.exe,vds.exe,WmiPrvSE.exe"
$exceptions = StringSplit($exceptionList, ",") ;list of what not to kill
Local $pList[1] ;list of running processes
$pListOld = $pList ;to compare a previous process list, so $liveProc is only updated if the process list changes
Local $killList[1] ;list of processes to kill ([0] is a placeholder, real entries start at index 1)
$liveProcCount = 0 ;tally of processes running
$killProcCount = 0 ;tally of processes to be killed
$killListTrimmed = False ;flag for detecting when $killList has been trimmed
$goNuclear = False ;flag set by /nuke command line switch
$started = False ;used in Nuke mode to avoid crashes due to no GUI

;register the Adlib functions only after the variables they read exist
AdlibRegister("_Alive", 50)
AdlibRegister("_Scan")

;check for and run nuke
If $CmdLine[0] Then ;many viruses/spyware apps suppress EXEs from running, nuke mode is meant to sneak
    For $c = 1 To $CmdLine[0] ;PPK in before it can be suppressed. Just run "ppk /nuke" or "ppk nuke" repeatedly until it starts
        If StringLower($CmdLine[$c]) == "/nuke" Or StringLower($CmdLine[$c]) == "nuke" Then $goNuclear = True
    Next
EndIf

If $goNuclear == True Then
    $pListRaw = ProcessList()
    If @error Then
        MsgBox(48, "ERROR", "The process list could not be built!")
        Exit
    EndIf
    Local $pListTemp[1] ;used to get the list of running processes down to a 1-dimensional array
    For $a = 1 To $pListRaw[0][0]
        _ArrayAdd($pListTemp, $pListRaw[$a][0])
    Next
    _ArrayDelete($pListTemp, 0)
    $pList = _ArrayUnique($pListTemp)
    If $pList[0] > 0 Then
        Local $killList[1]
        For $a = 1 To $pList[0]
            For $b = 1 To $exceptions[0]
                If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
            Next
            _Execute($pList[$a])
            _ArrayAdd($killList, $pList[$a])
        Next
    EndIf
    ;$killList[0] stays as the placeholder: every loop below starts at index 1, so deleting element 0
    ;here would silently drop the first nuked process from the persistent kill list
    $goNuclear = False
EndIf

;configure GUI
$vert = ((@DesktopHeight - 80) / 3) - 40
$PPKGUI = GUICreate("Persistent Process Killer", 200, @DesktopHeight - 70, @DesktopWidth - 205, 0, $WS_CAPTION)
$alive = GUICtrlCreateProgress(5, 5, 190, 20, BitOR($PBS_SMOOTH, $PBS_MARQUEE)) ;just to let the user know the app is still running
$aliveStatus = 0
$closeButton = GUICtrlCreateButton("Close", 75, 35, 50, 20)
$liveProcLabel = GUICtrlCreateLabel("Running Processes:", 5, 65, 190)
$liveProc = GUICtrlCreateList("", 5, 80, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
$killProcLabel = GUICtrlCreateLabel("Processes to Kill:", 5, $vert + 85, 190)
$killProc = GUICtrlCreateList("", 5, $vert + 100, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
GUICtrlCreateLabel("Errors:", 5, $vert * 2 + 105)
$errors = GUICtrlCreateList("", 5, $vert * 2 + 120, 190, $vert, BitOR($WS_VSCROLL, $LBS_SORT, $LBS_NOSEL))
GUISetState(@SW_SHOW, $PPKGUI)
GUIRegisterMsg($WM_COMMAND, "_WM_COMMAND")
WinSetOnTop("Persistent Process Killer", "", 1)

;perform initial scan for running processes
$pListRaw = ProcessList()
If @error Then
    MsgBox(48, "ERROR", "The process list could not be built!")
    Exit
EndIf
Local $pListTemp[1]
For $a = 1 To $pListRaw[0][0]
    _ArrayAdd($pListTemp, $pListRaw[$a][0])
Next
_ArrayDelete($pListTemp, 0)
$pList = _ArrayUnique($pListTemp)
If $pList[0] > 0 Then
    For $a = 1 To $pList[0]
        For $b = 1 To $exceptions[0]
            If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
        Next
        GUICtrlSetData($liveProc, $pList[$a])
        $liveProcCount += 1
    Next
EndIf
GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
For $a = 1 To UBound($killList) - 1
    GUICtrlSetData($killProc, $killList[$a])
    $killProcCount += 1
Next
GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
$started = True ;now all GUI controls will be used

;main loop
Do
    $msg = GUIGetMsg()
    If $msg = $closeButton Then _Exit()
    For $a = 1 To UBound($killList) - 1
        ;placed this check at beginning and end of loop so when $killList is decreased an out-of-range error will be avoided
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
        If ProcessExists($killList[$a]) Then
            _Execute($killList[$a])
        EndIf
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
    Next
Until 1 = 2

Func _Scan()
    If $started == True Then
        $pListOld = $pList
        $pListRaw = ProcessList()
        If @error Then
            MsgBox(48, "ERROR", "The process list could not be built!")
            Exit
        EndIf
        Local $pListTemp[1]
        For $a = 1 To $pListRaw[0][0]
            _ArrayAdd($pListTemp, $pListRaw[$a][0])
        Next
        _ArrayDelete($pListTemp, 0)
        $pList = _ArrayUnique($pListTemp)
        If $pList[0] > 0 Then
            $refresh = False ;assume a refresh of $liveProc is not needed
            If $pList[0] <> $pListOld[0] Then
                $refresh = True ;different number of elements = refresh needed
            Else
                For $z = 1 To $pList[0]
                    If $pList[$z] <> $pListOld[$z] Then $refresh = True ;something is not matching up, so a refresh is needed
                Next
            EndIf
            If $refresh = True Then
                $liveProcCount = 0
                _GUICtrlListBox_BeginUpdate($liveProc)
                _GUICtrlListBox_ResetContent($liveProc)
                For $a = 1 To $pList[0]
                    For $b = 1 To $exceptions[0]
                        If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
                    Next
                    _GUICtrlListBox_AddString($liveProc, $pList[$a])
                    $liveProcCount += 1
                Next
                _GUICtrlListBox_EndUpdate($liveProc)
                GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
            EndIf
        EndIf
    EndIf
    Return
EndFunc   ;==>_Scan

Func _Execute($victim)
    $killed = False
    $delay = TimerInit()
    Do ;retry ProcessClose for up to one second before giving up on this process
        ProcessClose($victim)
        If @error Then
            $status = @error
        Else
            $killed = True
            ExitLoop
        EndIf
        Sleep(50)
    Until TimerDiff($delay) > 1000
    If $killed = False Then
        If $started == True Then
            GUICtrlSetData($errors, $victim & " could not be killed! (" & $status & ")")
            _ArraySort($killList)
            $index = _ArrayBinarySearch($killList, $victim)
            _ArrayDelete($killList, $index)
            _GUICtrlListBox_BeginUpdate($killProc)
            _GUICtrlListBox_ResetContent($killProc)
            For $a = 1 To UBound($killList) - 1
                GUICtrlSetData($killProc, $killList[$a])
            Next
            _GUICtrlListBox_EndUpdate($killProc)
            $killProcCount -= 1
            GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
            $killListTrimmed = True
        EndIf
    EndIf
    Return
EndFunc   ;==>_Execute

Func _liveProc_DoubleClick()
    $sListItem = GUICtrlRead($liveProc)
    If $sListItem <> "" Then
        _ArrayAdd($killList, $sListItem)
        $killProcCount += 1
        GUICtrlSetData($killProc, $sListItem)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
    EndIf
    Return
EndFunc   ;==>_liveProc_DoubleClick

Func _killProc_DoubleClick()
    $sListItem = GUICtrlRead($killProc)
    If $sListItem <> "" Then
        $killProcCount = 0
        _ArraySort($killList)
        $index = _ArrayBinarySearch($killList, $sListItem)
        _ArrayDelete($killList, $index)
        _GUICtrlListBox_BeginUpdate($killProc)
        _GUICtrlListBox_ResetContent($killProc)
        For $a = 1 To UBound($killList) - 1
            GUICtrlSetData($killProc, $killList[$a])
            $killProcCount += 1
        Next
        _GUICtrlListBox_EndUpdate($killProc)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
        $killListTrimmed = True
    EndIf
    Return
EndFunc   ;==>_killProc_DoubleClick

Func _WM_COMMAND($hWnd, $msg, $wParam, $lParam)
    Local $nNotifyCode = BitShift($wParam, 16) ;HIWORD = notification code
    Local $nID = BitAND($wParam, 0xFFFF) ;LOWORD = control ID
    Local Const $LBN_DBLCLK = 2
    Switch $nID
        Case $liveProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _liveProc_DoubleClick()
            EndSwitch
        Case $killProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _killProc_DoubleClick()
            EndSwitch
    EndSwitch
    Return $GUI_RUNDEFMSG
EndFunc   ;==>_WM_COMMAND

Func _Alive()
    If $started = True Then
        $aliveStatus += 2
        If $aliveStatus > 102 Then $aliveStatus = 0
        GUICtrlSetData($alive, $aliveStatus)
    EndIf
    Return
EndFunc   ;==>_Alive

Func _Exit()
    $reallyQuit = MsgBox(4, "Quit?", "Are you sure you want to quit?")
    If $reallyQuit = 6 Then Exit
    Return
EndFunc   ;==>_Exit

Edited June 13, 2010 by llewxam

My projects:
IP Scanner - Multi-threaded ping tool to scan your available networks for used and available IP addresses, shows ping times, resolves IPs into host names, and allows individual IPs to be pinged.
INFSniff - Great technicians tool - a tool which scans DriverPacks archives for INF files and parses out the HWIDs to a database file, and rapidly scans the local machine's HWIDs, searches the database for matches, and installs them.
PPK3 (Persistent Process Killer V3) - Another for the techs - suppress running processes that you need to keep away, helpful when fighting spyware/viruses.
Sync Tool - Folder sync tool with lots of real time information and several checking methods.
USMT Front End - Front End for Microsoft's User State Migration Tool, including all files needed for USMT 3.01 and 4.01, 32 bit and 64 bit versions.
Audit Tool - Computer audit tool to gather vital hardware, Windows, and Office information for IT managers and field techs. Capabilities include creating a customized site agent.
CSV Viewer - Displays CSV files with automatic column sizing and font selection. Lines can also be copied to the clipboard for data extraction.
MyDirStat - Lists number and size of files on a drive or specified path, allows for deletion within the app.
2048 Game - My version of 2048, fun tile game.
Juice Lab - Ecigarette liquid making calculator.
Data Protector - Secure notes to save sensitive information.
VHD Footer - Add a footer to a forensic hard drive image to allow it to be mounted or used as a virtual machine hard drive.
Find in File - Searches files containing a specified phrase.
llewxam (author) Posted June 2, 2010

Updated with many changes
Ian
Manko Posted June 2, 2010

I have not had the misfortune of encountering any malware that kills unknown processes so my app has functioned despite not being protected or aggressive... If I happen to chance upon such a beast, maybe I'll run your app.

Suggestion: When your app has cycled through processes and killed wanted items... you could afford the luxury of checking old list against new list, so you don't have to update the whole list every second, since it is flashing... Though I'd agree prettiness is not a first priority.

Bug: If a process cannot be killed, the app could not display close dialogue...

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.)
Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist.
Moore to come... eventually...
llewxam (author) Posted June 2, 2010

> I have not had the misfortune of encountering any malware that kills unknown processes so my app has functioned despite not being protected or aggressive... If I happen to chance upon such a beast, maybe I'll run your app.
> Suggestion: When your app has cycled through processes and killed wanted items... you could afford the luxury of checking old list against new list, so you don't have to update the whole list every second, since it is flashing... Though I'd agree prettiness is not a first priority.
> Bug: If a process cannot be killed, the app could not display close dialogue...
> /Manko

The flickering Listbox is annoying, and I was trying to get away with a quick fix, comparing the arrays using _ArrayToString; I finally realized that it being a 2D array was probably why it was failing, and I wasted more time than it would have taken to do it myself!! That is something I plan on doing tonight.

I also had the beginnings of an error check on hung ProcessClose commands, but since it was unfinished I took it out of the version I posted here. Again, I hope to do that soon.

Thanks for the comments
Ian
llewxam (author) Posted June 3, 2010

New changes:
List flicker is fixed
Fancy auto-size thingy so it fits any desktop height properly
Basic error handler and error Listbox
Function dedicated to killing

I'm afraid the cosmetic changes and inclusion of an error list were overkill; in my testing on a non-infected computer, the only way I could get a ProcessClose to fail was by only allowing 40 milliseconds for it to work, and the only @error ever generated for that was "TerminateProcess Failed" (duh), so the usefulness of that is debatable. Maybe there is a smarter way for that to work, but if there is an issue at least it will be reported.

Also, since the flicker is fixed and since that caused a side-effect of making it easier to double-click the process you want killed (the refresh used to mess with the selected item so longer periods with no refresh were needed), the AdlibRegister for the _Scan function has been shortened to the default 250 ms. So, now every quarter-second the process list will be updated, and it is much less annoying!

Enjoy
Ian
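Manko's suggestion above (compare the previous scan against the new one and only rebuild the ListBox when something actually changed) is what the flicker fix in this post implements. As an added example that is not part of the thread's code, here is that comparison written as a small scan diff in AutoIt that also reports which names started, stopped, or came back between scans, the "keeps popping up" pattern the tool exists to suppress; the three scans and the exception list are constructed sample data, and matching is case-insensitive like the tool's own exception check.

```autoit
#include <Array.au3>

; Constructed sample data standing in for three successive name-only scans
; (the thread's later version strips PIDs from ProcessList(), so each scan is
; a 1-D array with the element count in [0], like StringSplit output).
Global $aScan1 = StringSplit("explorer.exe,svchost.exe,notepad.exe,popup.exe", ",")
Global $aScan2 = StringSplit("explorer.exe,svchost.exe,notepad.exe", ",")
Global $aScan3 = StringSplit("explorer.exe,svchost.exe,Popup.exe,calc.exe", ",")
Global $aExceptions = StringSplit("explorer.exe,svchost.exe", ",") ; constructed, stands in for $exceptions

; Case-insensitive membership test for count-in-[0] arrays.
Func _InList(ByRef $aList, $sName)
    For $i = 1 To $aList[0]
        If StringLower($aList[$i]) == StringLower($sName) Then Return True
    Next
    Return False
EndFunc   ;==>_InList

; Names in $aA that are neither in $aB nor on the exception list.
; Returns a count-in-[0] array.
Func _Missing(ByRef $aA, ByRef $aB)
    Local $aOut[1] = [0]
    For $i = 1 To $aA[0]
        If _InList($aB, $aA[$i]) Or _InList($aExceptions, $aA[$i]) Then ContinueLoop
        _ArrayAdd($aOut, $aA[$i])
        $aOut[0] += 1
    Next
    Return $aOut
EndFunc   ;==>_Missing

; Compare two scans. Fills $aStarted / $aStopped and returns True only when the
; visible list changed, which is the only case where the ListBox must be
; rebuilt (no rebuild = no flicker).
Func _ScanDiff(ByRef $aOld, ByRef $aNew, ByRef $aStarted, ByRef $aStopped)
    $aStarted = _Missing($aNew, $aOld)
    $aStopped = _Missing($aOld, $aNew)
    Return ($aStarted[0] > 0) Or ($aStopped[0] > 0)
EndFunc   ;==>_ScanDiff

; Names that stopped in an earlier scan and have now reappeared.
; $aSeenStopped is a persistent count-in-[0] array kept by the caller.
Func _Respawned(ByRef $aStarted, ByRef $aSeenStopped)
    Local $aOut[1] = [0]
    For $i = 1 To $aStarted[0]
        If _InList($aSeenStopped, $aStarted[$i]) Then
            _ArrayAdd($aOut, $aStarted[$i])
            $aOut[0] += 1
        EndIf
    Next
    Return $aOut
EndFunc   ;==>_Respawned

; Demo: walk the three constructed scans.
Global $aStarted, $aStopped, $aBack
Global $aSeenStopped[1] = [0]

If _ScanDiff($aScan1, $aScan2, $aStarted, $aStopped) Then
    ; scan1 -> scan2: popup.exe stopped, nothing started (explorer/svchost are excepted)
    For $i = 1 To $aStopped[0]
        _ArrayAdd($aSeenStopped, $aStopped[$i])
        $aSeenStopped[0] += 1
    Next
    ConsoleWrite("scan2: stopped " & _ArrayToString($aStopped, ",", 1) & @CRLF)
EndIf

If _ScanDiff($aScan2, $aScan3, $aStarted, $aStopped) Then
    ; scan2 -> scan3: notepad.exe stopped; Popup.exe and calc.exe started, and
    ; Popup.exe matches the earlier popup.exe stop, so it is reported as respawned
    $aBack = _Respawned($aStarted, $aSeenStopped)
    ConsoleWrite("scan3: started " & _ArrayToString($aStarted, ",", 1) & @CRLF)
    ConsoleWrite("scan3: stopped " & _ArrayToString($aStopped, ",", 1) & @CRLF)
    ConsoleWrite("scan3: respawned " & _ArrayToString($aBack, ",", 1) & @CRLF)
EndIf
```

In the tool, _ScanDiff returning False is the signal to skip the ListBox rebuild entirely, and a non-empty respawn list is the signal that the process belongs in $killList.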
storme Posted June 5, 2010

G'day Ian

Looks REAL useful. I've added it to my "tools". I know it will come in handy.

A couple of things I thought may be a good addition to the program.

1. Quite often the mouse is dead on infected computers. As well as double click what about adding "Space" and/or "Enter" to select processes to be killed.

2. Have you thought about multiple selection? I've run into a virus that restarts the computer if any "one" of its parts is killed off. So a quick kill of ALL parts would be useful. NUKE goes some of the way but I'd like to leave everything running EXCEPT the items I select. A complete NUKE may leave the computer non-functional BUT is a great option and in most cases will work perfectly.

Thanks for the great program!

John Morrison aka Storm-E

Some of my small contributions to AutoIt
Browse for Folder Dialog - Automation SysTreeView32 | FileHippo Download and/or retrieve program information | Get installedpath from uninstall key in registry | RoboCopy function
John Morrison aka Storm-E
Manko Posted June 5, 2010

@storme: Multi killing will probably not work; unless they're suspended, they will still have time to discover what's happening since they are killed in sequence, not "all at once"... ...or maybe luck is on our side and they don't check fast enough...
llewxam (author) Posted June 5, 2010

@Manko I was checking out the update to ProDLLer and was greedily looking over the Force Terminate code, might have to use that in PPK! As is right now, unkilled processes can cause PPK to lock up, so your suspend and terminate might be very useful!!

@Storm-E Not sure if I'll go the route you're thinking, but I'm thinking of having the /nuke option add everything to the $killList array so it will persistently kill what nuke kills (that much is done), then have a double-click to selectively remove items that nuke found. That should allow the same result as your suggestion. As for the keyboard shortcuts, WHEW, I'm a keyboard shortcut fanatic but can't even imagine how hard it would be to fight some nasty virii/spyware with keyboard only!! I'll ponder that one, but hopefully the persistent /nuke will serve the same purpose. (Side-note, what about plugging in a USB mouse after you have noticed the problem? Hopefully Plug&Pray would get you a pointer going...)

Thanks
Ian
storme Posted June 7, 2010

> @Storm-E Not sure if I'll go the route you're thinking, but I'm thinking of having the /nuke option add everything to the $killList array so it will persistently kill what nuke kills (that much is done), then have a double-click to selectively remove items that nuke found. That should allow the same result as your suggestion.

I've been using KILLBOX in the past to kill the various bits I want to. Nuke should work in most cases. I was just thinking of a few situations that "I think" nuke would make worse. But it is a minority.

> As for the keyboard shortcuts, WHEW, I'm a keyboard shortcut fanatic but can't even imagine how hard it would be to fight some nasty virii/spyware with keyboard only!! I'll ponder that one, but hopefully the persistent /nuke will serve the same purpose. (Side-note, what about plugging in a USB mouse after you have noticed the problem? Hopefully Plug&Pray would get you a pointer going...)

I've had to do it before and it isn't fun BUT there are a lot of keyboard shortcuts that help a lot. The only thing you need to add is to be able to hit "Enter" to kill the selected item. The list is already navigable by keyboard; all that is missing is the select.
storme Posted June 7, 2010

> @storme: Multi killing will probably not work; unless they're suspended, they will still have time to discover what's happening since they are killed in sequence, not "all at once"... ...or maybe luck is on our side and they don't check fast enough...

Most of the viruses I have run into don't restart the other parts immediately. This could be because they don't check fast enough (it is only a secondary function) or they delay the restart to confuse the virus removers (us). So in most cases killing them quickly in sequence (i.e. selecting them all then killing them) in one cycle of the program should work.

HMMM just a thought, as long as the virus doesn't have a "kill the computer if I'm messed with" function, just clicking on all the virus processes one at a time then letting PPK run should kill them all on subsequent passes. So a multi select isn't really needed.
Proph Posted June 9, 2010

This is a very nice tool you have created! I am gonna definitely use parts of it in my maintenance tool. Thanks for sharing!
llewxam (author) Posted June 10, 2010

> This is a very nice tool you have created! I am gonna definitely use parts of it in my maintenance tool. Thanks for sharing!

You're very welcome, I have a few new tricks I may update with shortly.

Thanks
Ian
llewxam (author) Posted June 13, 2010

Another pretty major update. Things you'll see this time around:
Nuke mode is persistent (adds to $killList)
Counters for running processes and processes to be killed
Double-clicking an item in "Processes to Kill" will remove it from the kill list

I also have stripped the PIDs from ProcessList() since I didn't filter by PID anyway; that allowed some convenience functions like _ArrayUnique and _ArrayBinarySearch to be used rather than having to code something like that myself.

As always there are things I'd love to add given the time, but this is a good update for now.

Enjoy
Ian
storme Posted June 13, 2010

> Another pretty major update. Things you'll see this time around:

Looking good. I've added this to my "box of tricks". I can't report how it works "in practice" as I haven't had to use it yet. But I know from experience that it will be handy.

Thanks
John Morrison aka Storm-E
engjcowi Posted May 26, 2011

Hi, this program is great. Do you mind if I use it and some of your code please? Thanks

Drunken Frat-Boy Monkey Garbage
llewxam Posted May 26, 2011 Author

> Hi, this program is great. Do you mind if I use it and some of your code please? Thanks

Feel free, and if you make any helpful changes post it back so they can be included!

(One idea a coworker gave me recently was to add a function to not only kill the process but get the process' path and delete it - suspend and remove the malware in one shot! I have not put much time in to that idea yet as I have too many other projects right now and would probably have to use some other process UDFs to pull it off, but may try some time soon so check back on this thread periodically)

Thanks
Ian
engjcowi Posted May 27, 2011 (edited)

Thanks, I'll have a little go at your co-worker's idea myself.

EDIT: I've just found this and I believe it already finds a process's location.

Jamie

Edited May 27, 2011 by engjcowi
engjcowi Posted May 28, 2011

Hi, I've made a small addition to the program which has helped me out. I added this to the GUI:

$closeButton = GUICtrlCreateButton("Close", 85, 35, 50, 20)
$processgoogleButton = GUICtrlCreateButton("Google", 135, 35, 50, 20)
$processlibraryButton = GUICtrlCreateButton("Process Library", 5, 35, 80, 20)

and added this to the main loop under the close button code:

If $msg = $processgoogleButton Then ShellExecute("http://www.google.com/search?hl=en&q=" & GUICtrlRead($liveProc) & "&btnG=Search")
If $msg = $processlibraryButton Then ShellExecute("http://www.processlibrary.com/search/?q=" & GUICtrlRead($liveProc))

This way, if you're unsure about the process, you can quickly search for it in either Google or Process Library.
engjcowi Posted May 28, 2011

Hi guys, I've been working on finding the process's path and then being able to delete that process, and I'm nearly there. I've found the process, and found the process's command line if you want it; however, I just can't seem to delete the running process after it's been shut down. I'm probably missing something really simple, but it's been a long day. Anyway, I hope someone can help as I feel it's nearing its full potential. Hope this is what you were after, Ian. I'll keep trying.

Credits to the following posts, which helped a lot.

Jamie

#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Run_Tidy=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;~ Coded by Ian Maxwell (llewxam)
;~ AutoIt 3.3.6.1
;~ Amended by Jamie Cowin
;~ Code for getting command line options from here http://www.autoitscript.com/forum/topic/88214-winapi-getcommandlinefrompid-from-any-process/
;~ Code for getting exe location from pid from here http://www.autoitscript.com/forum/topic/49888-find-the-path-of-a-exe-files-running-the-the-handlepid/

#include <WindowsConstants.au3> ;needed for $WS_CAPTION, $WS_VSCROLL, $WM_COMMAND
#include <array.au3> ;needed for _ArrayAdd, _ArrayDelete, _ArrayUnique, _ArraySort, _ArrayBinarySearch
#include <ProgressConstants.au3> ;needed for $PBS_SMOOTH, $PBS_MARQUEE
#include <GuiListBox.au3> ;needed for $LBS_NOTIFY, $LBS_SORT, $LBS_NOSEL, $GUI_RUNDEFMSG, _GUICtrlListBox_* functions
#include <WinAPI.au3> ;needed for _WinAPI_GetCurrentProcess and the $PROCESS_* access rights used in _WinAPI_GetCommandLineFromPID
#include <SecurityConstants.au3> ;needed for $SE_PRIVILEGE_ENABLED used in _GetPrivilege_SEDEBUG

_GetPrivilege_SEDEBUG() ; I need this for tricky processes. Not needed for most...
AdlibRegister("_Alive", 50)
AdlibRegister("_Scan")

$exceptionList = "PPK3.exe,[System Process],System,smss.exe,csrss.exe,wininit.exe,csrss.exe,services.exe,winlogon.exe,lsass.exe,lsm.exe,svchost.exe,atiesrxx.exe,audiodg.exe,CTAudSvc.exe,atieclxx.exe,spoolsv.exe,taskhost.exe,dwm.exe,explorer.exe,rundll32.exe,GoogleCrashHandler.exe,MOM.exe,CCC.exe,SearchIndexer.exe,wmpnetwk.exe,SearchProtocolHost.exe,SearchFilterHost.exe,dllhost.exe,mpcmdrun.exe,msiexec.exe,unsecapp.exe,vds.exe,WmiPrvSE.exe"
$exceptions = StringSplit($exceptionList, ",") ;list of what not to kill
Local $pList[1] ;list of running processes
$pListOld = $pList ;to compare a previous process list, so $liveProc is only updated if the process list changes
Local $killList[1] ;list of processes to kill
$liveProcCount = 0 ;tally of processes running
$killProcCount = 0 ;tally of processes to be killed
$killListTrimmed = False ;flag for detecting when $killList has been trimmed
$goNuclear = False ;flag set by /nuke command line switch
$started = False ;used in Nuke mode to avoid crashes due to no GUI

;check for and run nuke
If $CmdLine[0] Then ;many viruses/spyware apps suppress EXEs from running, nuke mode is meant to sneak
    For $c = 1 To $CmdLine[0] ;PPK in before it can be suppressed. Just run "ppk /nuke" or "ppk nuke" repeatedly until it starts
        If StringLower($CmdLine[$c]) == "/nuke" Or StringLower($CmdLine[$c]) == "nuke" Then $goNuclear = True
    Next
EndIf

If $goNuclear == True Then
    $pListRaw = ProcessList()
    If @error Then
        MsgBox(48, "ERROR", "The process list could not be built!")
        Exit
    EndIf
    Local $pListTemp[1] ;used to get the list of running processes down to a 1-dimensional array
    For $a = 1 To $pListRaw[0][0]
        _ArrayAdd($pListTemp, $pListRaw[$a][0])
    Next
    _ArrayDelete($pListTemp, 0)
    $pList = _ArrayUnique($pListTemp)
    If $pList[0] > 0 Then
        Local $killList[1]
        For $a = 1 To $pList[0]
            For $b = 1 To $exceptions[0]
                If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
            Next
            _Execute($pList[$a])
            _ArrayAdd($killList, $pList[$a])
        Next
    EndIf
    _ArrayDelete($killList, 0)
    $goNuclear = False
EndIf

;configure GUI
$vert = ((@DesktopHeight - 80) / 3) - 40
$PPKGUI = GUICreate("Persistent Process Killer", 200, @DesktopHeight - 70, @DesktopWidth - 205, 0, $WS_CAPTION)
$alive = GUICtrlCreateProgress(5, 5, 190, 20, BitOR($PBS_SMOOTH, $PBS_MARQUEE)) ;just to let the user know the app is still running
$aliveStatus = 0
$closeButton = GUICtrlCreateButton("Close", 85, 25, 50, 20)
$processgoogleButton = GUICtrlCreateButton("Google", 135, 25, 50, 20)
$processlibraryButton = GUICtrlCreateButton("Process Library", 5, 25, 80, 20)
$processdeleteButton = GUICtrlCreateButton("Delete Process", 5, 45, 80, 20)
$processparamsButton = GUICtrlCreateButton("Process Parameters", 85, 45, 100, 20)
$liveProcLabel = GUICtrlCreateLabel("Running Processes:", 5, 65, 190)
$liveProc = GUICtrlCreateList("", 5, 80, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
$killProcLabel = GUICtrlCreateLabel("Processes to Kill:", 5, $vert + 85, 190)
$killProc = GUICtrlCreateList("", 5, $vert + 100, 190, $vert, BitOR($WS_VSCROLL, $LBS_NOTIFY, $LBS_SORT))
GUICtrlCreateLabel("Errors:", 5, $vert * 2 + 105)
$errors = GUICtrlCreateList("", 5, $vert * 2 + 120, 190, $vert, BitOR($WS_VSCROLL, $LBS_SORT, $LBS_NOSEL))
GUISetState(@SW_SHOW, $PPKGUI)
GUIRegisterMsg($WM_COMMAND, "_WM_COMMAND")
WinSetOnTop("Persistent Process Killer", "", 1)

;perform initial scan for running processes
$pListRaw = ProcessList()
If @error Then
    MsgBox(48, "ERROR", "The process list could not be built!")
    Exit
EndIf
Local $pListTemp[1]
For $a = 1 To $pListRaw[0][0]
    _ArrayAdd($pListTemp, $pListRaw[$a][0])
Next
_ArrayDelete($pListTemp, 0)
$pList = _ArrayUnique($pListTemp)
If $pList[0] > 0 Then
    For $a = 1 To $pList[0]
        For $b = 1 To $exceptions[0]
            If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
        Next
        GUICtrlSetData($liveProc, $pList[$a])
        $liveProcCount += 1
    Next
EndIf
GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
For $a = 1 To UBound($killList) - 1
    GUICtrlSetData($killProc, $killList[$a])
    $killProcCount += 1
Next
GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
$started = True ;now all GUI controls will be used

;main loop
Do
    $msg = GUIGetMsg()
    If $msg = $closeButton Then _Exit()
    If $msg = $processgoogleButton Then ShellExecute("http://www.google.com/search?hl=en&q=" & GUICtrlRead($liveProc) & "&btnG=Search")
    If $msg = $processlibraryButton Then ShellExecute("http://www.processlibrary.com/search/?q=" & GUICtrlRead($liveProc))
    If $msg = $processparamsButton Then Processparams()
    If $msg = $processdeleteButton Then DeleteProcess()
    For $a = 1 To UBound($killList) - 1
        ;placed this check at beginning and end of loop so when $killList is decreased an out-of-range error will be avoided
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
        If ProcessExists($killList[$a]) Then
            _Execute($killList[$a])
        EndIf
        If $killListTrimmed == True Then
            $killListTrimmed = False
            ExitLoop
        EndIf
    Next
Until 1 = 2

Func _Scan()
    If $started == True Then
        $pListOld = $pList
        $pListRaw = ProcessList()
        If @error Then
            MsgBox(48, "ERROR", "The process list could not be built!")
            Exit
        EndIf
        Local $pListTemp[1]
        For $a = 1 To $pListRaw[0][0]
            _ArrayAdd($pListTemp, $pListRaw[$a][0])
        Next
        _ArrayDelete($pListTemp, 0)
        $pList = _ArrayUnique($pListTemp)
        If $pList[0] > 0 Then
            $refresh = False ;assume a refresh of $liveProc is not needed
            If $pList[0] <> $pListOld[0] Then
                $refresh = True ;different number of elements = refresh needed
            Else
                For $z = 1 To $pList[0]
                    If $pList[$z] <> $pListOld[$z] Then $refresh = True ;something is not matching up, so a refresh is needed
                Next
            EndIf
            If $refresh = True Then
                $liveProcCount = 0
                _GUICtrlListBox_BeginUpdate($liveProc)
                _GUICtrlListBox_ResetContent($liveProc)
                For $a = 1 To $pList[0]
                    For $b = 1 To $exceptions[0]
                        If StringLower($pList[$a]) == StringLower($exceptions[$b]) Then ContinueLoop (2)
                    Next
                    _GUICtrlListBox_AddString($liveProc, $pList[$a])
                    $liveProcCount += 1
                Next
                _GUICtrlListBox_EndUpdate($liveProc)
                GUICtrlSetData($liveProcLabel, "Running Processes: " & $liveProcCount)
            EndIf
        EndIf
    EndIf
    Return
EndFunc   ;==>_Scan

Func _Execute($victim)
    $killed = False
    $delay = TimerInit()
    Do
        ProcessClose($victim)
        If @error Then
            $status = @error
        Else
            $killed = True
            ExitLoop
        EndIf
        Sleep(50)
    Until TimerDiff($delay) > 1000
    If $killed = False Then
        If $started == True Then
            GUICtrlSetData($errors, $victim & " could not be killed! (" & $status & ")")
            _ArraySort($killList)
            $index = _ArrayBinarySearch($killList, $victim)
            _ArrayDelete($killList, $index)
            _GUICtrlListBox_BeginUpdate($killProc)
            _GUICtrlListBox_ResetContent($killProc)
            For $a = 1 To UBound($killList) - 1
                GUICtrlSetData($killProc, $killList[$a])
            Next
            _GUICtrlListBox_EndUpdate($killProc)
            $killProcCount -= 1
            GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
            $killListTrimmed = True
        EndIf
    EndIf
    Return
EndFunc   ;==>_Execute

Func _liveProc_DoubleClick()
    $sListItem = GUICtrlRead($liveProc)
    If $sListItem <> "" Then
        _ArrayAdd($killList, $sListItem)
        $killProcCount += 1
        GUICtrlSetData($killProc, $sListItem)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
    EndIf
    Return
EndFunc   ;==>_liveProc_DoubleClick

Func _killProc_DoubleClick()
    $sListItem = GUICtrlRead($killProc)
    If $sListItem <> "" Then
        $killProcCount = 0
        _ArraySort($killList)
        $index = _ArrayBinarySearch($killList, $sListItem)
        _ArrayDelete($killList, $index)
        _GUICtrlListBox_BeginUpdate($killProc)
        _GUICtrlListBox_ResetContent($killProc)
        For $a = 1 To UBound($killList) - 1
            GUICtrlSetData($killProc, $killList[$a])
            $killProcCount += 1
        Next
        _GUICtrlListBox_EndUpdate($killProc)
        GUICtrlSetData($killProcLabel, "Processes to Kill: " & $killProcCount)
        $killListTrimmed = True
    EndIf
    Return
EndFunc   ;==>_killProc_DoubleClick

Func _WM_COMMAND($hWnd, $msg, $wParam, $lParam)
    Local $nNotifyCode = BitShift($wParam, 16)
    Local $nID = BitAND($wParam, 0xFFFF)
    Local Const $LBN_DBLCLK = 2
    Switch $nID
        Case $liveProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _liveProc_DoubleClick()
            EndSwitch
        Case $killProc
            Switch $nNotifyCode
                Case $LBN_DBLCLK
                    _killProc_DoubleClick()
            EndSwitch
    EndSwitch
    Return $GUI_RUNDEFMSG
EndFunc   ;==>_WM_COMMAND

Func _Alive()
    If $started = True Then
        $aliveStatus += 2
        If $aliveStatus > 102 Then $aliveStatus = 0
        GUICtrlSetData($alive, $aliveStatus)
    EndIf
    Return
EndFunc   ;==>_Alive

Func _Exit()
    $reallyQuit = MsgBox(4, "Quit?", "Are you sure you want to quit?")
    If $reallyQuit = 6 Then Exit
    Return
EndFunc   ;==>_Exit

Func Processparams()
    $filecom = GUICtrlRead($liveProc)
    $list = ProcessList($filecom)
    If $list[0][0] = 0 Then Return ;nothing selected, or the process has already gone
    MsgBox(4096, "Parameters", _WinAPI_GetCommandLineFromPID($list[1][1])) ;get parameters of the first instance found
EndFunc   ;==>Processparams

Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ; could change to the killproc list to maybe make safer and get rid of processclose in this func ?????
    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile)
    If $list[0][0] = 0 Then Return ;nothing selected, or the process has already gone
    $filetodelete = _WinGetPath($list[1][1]) ;path of the first instance found
    ConsoleWrite($filetodelete & @LF)
    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($delfile)
        ;FileDelete returns 0 on failure and does not set @error, so test the return value
        If Not FileDelete($filetodelete) Then ConsoleWrite("Cannot Delete" & @LF)
    EndIf
EndFunc   ;==>DeleteProcess

;Gets Path via PID
Func _WinGetPath($PID = "")
    $colItems = ""
    $objWMIService = ObjGet("winmgmts:\\" & @ComputerName & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Return "" ;WMI not reachable
    ;0x10 + 0x20 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Process WHERE ProcessId = " & $PID, "WQL", 0x10 + 0x20)
    If IsObj($colItems) Then
        For $objItem In $colItems
            If $objItem.ExecutablePath Then Return $objItem.ExecutablePath
        Next
    EndIf
    Return "" ;no match, or the path is not readable (e.g. a system process, or not running as admin)
EndFunc   ;==>_WinGetPath

Func _WinAPI_GetCommandLineFromPID($PID)
    ;Reads the target's command line straight out of its PEB. The 0x10 and 0x40 offsets below are the
    ;32-bit layouts of PEB.ProcessParameters and RTL_USER_PROCESS_PARAMETERS.CommandLine, so this only
    ;works from a 32-bit script against 32-bit processes (the 64-bit offsets are 0x20 and 0x70).
    $ret1 = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', $PROCESS_VM_READ + $PROCESS_QUERY_INFORMATION, 'int', False, 'int', $PID)
    If @error Or $ret1[0] = 0 Then Return "Could not open process " & $PID ;access denied or no such PID
    $tag_PROCESS_BASIC_INFORMATION = "int ExitStatus;" & _
            "ptr PebBaseAddress;" & _
            "ptr AffinityMask;" & _
            "ptr BasePriority;" & _
            "ulong UniqueProcessId;" & _
            "ulong InheritedFromUniqueProcessId;"
    $PBI = DllStructCreate($tag_PROCESS_BASIC_INFORMATION)
    DllCall("ntdll.dll", "int", "ZwQueryInformationProcess", "hwnd", $ret1[0], "int", 0, "ptr", DllStructGetPtr($PBI), "int", DllStructGetSize($PBI), "int", 0)
    $dw = DllStructCreate("ptr")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($PBI, 2) + 0x10, _ ; PebBaseAddress+16 bytes <-- ptr _PROCESS_PARAMETERS
            "ptr", DllStructGetPtr($dw), "int", 4, "ptr", 0)
    $unicode_string = DllStructCreate("ushort Length;ushort MaxLength;ptr String")
    DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($dw, 1) + 0x40, _ ; _PROCESS_PARAMETERS+64 bytes <-- ptr CommandLine Offset (UNICODE_STRING struct) - Win XP / Vista.
            "ptr", DllStructGetPtr($unicode_string), "int", DllStructGetSize($unicode_string), "ptr", 0)
    $ret = DllCall("kernel32.dll", "int", "ReadProcessMemory", "hwnd", $ret1[0], _
            "ptr", DllStructGetData($unicode_string, "String"), _ ; <-- ptr Commandline Unicode String
            "wstr", 0, "int", DllStructGetData($unicode_string, "Length") + 2, "int*", 0) ; read Length + terminating NULL (2 bytes in unicode)
    DllCall("kernel32.dll", 'int', 'CloseHandle', "hwnd", $ret1[0])
    ConsoleWrite($ret[3] & @LF)
    If $ret[5] Then Return $ret[3] ; If bytes returned, return commandline...
    Return "Program run with no Parameters" ; Getting empty string is correct behaviour when there is no commandline to be had...
EndFunc   ;==>_WinAPI_GetCommandLineFromPID

; ####################### Below Func is Part of example - Needed to get commandline from more processes. ############
; ####################### Thanks for this function, wraithdu! (Didn't know it was yours.) :) #########################
Func _GetPrivilege_SEDEBUG()
    ;SeDebugPrivilege is only present (disabled) in an administrator's token. AdjustTokenPrivileges still
    ;returns non-zero when the privilege is not held (GetLastError = ERROR_NOT_ALL_ASSIGNED), so a True
    ;return here does not prove the privilege was actually enabled.
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", Chr(0), "ptr", Chr(0))
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG
llewxam Posted May 28, 2011 Author

Very nice work! The problem you were having was you weren't giving the ProcessClose enough time to do its job before the FileDelete kicked in. I made a tiny tweak:

Func DeleteProcess()
    $delfile = GUICtrlRead($liveProc) ; could change to the killproc list to maybe make safer and get rid of processclose in this func ?????
    ConsoleWrite($delfile & @LF)
    $list = ProcessList($delfile)
    If $list[0][0] = 0 Then Return ;nothing selected, or the process has already gone
    $filetodelete = _WinGetPath($list[1][1]) ;path of the first instance found
    ConsoleWrite($filetodelete & @LF)
    If $filetodelete = "" Then
        ConsoleWrite("No Path Found" & @LF)
    Else
        ConsoleWrite("Path Found Closing and Deleting Process" & @LF)
        ProcessClose($delfile)
        ;the image file stays locked until the process has really exited; give it up to 10 seconds
        If Not ProcessWaitClose($delfile, 10) Then
            ConsoleWrite("Process did not exit, not deleting" & @LF)
            Return
        EndIf
        ;FileDelete returns 0 on failure and does not set @error, so test the return value
        If Not FileDelete($filetodelete) Then ConsoleWrite("Cannot Delete" & @LF)
    EndIf
EndFunc   ;==>DeleteProcess

This one worked fine - at least on my non-virus-infected computer!! Thanks a lot for doing this, I will do a little more tweaking and include the changes in an update!

Ian
2048 Game - My version of 2048, fun tile game. Juice Lab - Ecigarette liquid making calculator. Data Protector - Secure notes to save sensitive information. VHD Footer - Add a footer to a forensic hard drive image to allow it to be mounted or used as a virtual machine hard drive. Find in File - Searches files containing a specified phrase. Link to comment Share on other sites More sharing options...
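Added example, not code from the thread or from PPK3: the same path and command-line lookup done through WMI's Win32_Process, which exposes CommandLine directly and so avoids the PEB offsets hard-coded in _WinAPI_GetCommandLineFromPID (0x10 and 0x40 are the 32-bit layout, and the first ReadProcessMemory only reads a 4-byte pointer, so that routine cannot inspect x64 processes), combined with the ProcessClose/ProcessWaitClose ordering from Ian's tweak. The function names and the timeout are my own.

```autoit
; Added example (not from the thread). Returns [ExecutablePath, CommandLine] for a PID
; via WMI; either element stays "" when WMI reports it as null (e.g. protected processes).
Func _ProcessInfoByPID($iPID)
    Local $aInfo[2] = ["", ""]
    Local $oWMI = ObjGet("winmgmts:\\" & @ComputerName & "\root\CIMV2")
    If Not IsObj($oWMI) Then Return SetError(1, 0, $aInfo)
    ; 0x10 + 0x20 = wbemFlagReturnImmediately + wbemFlagForwardOnly, as in _WinGetPath above
    Local $oItems = $oWMI.ExecQuery("SELECT ExecutablePath, CommandLine FROM Win32_Process WHERE ProcessId = " & Int($iPID), "WQL", 0x10 + 0x20)
    If Not IsObj($oItems) Then Return SetError(2, 0, $aInfo)
    For $oItem In $oItems
        Local $vPath = $oItem.ExecutablePath
        Local $vCmd = $oItem.CommandLine
        If IsString($vPath) Then $aInfo[0] = $vPath ; null comes back as a non-string, leave ""
        If IsString($vCmd) Then $aInfo[1] = $vCmd
        Return $aInfo
    Next
    Return SetError(3, 0, $aInfo) ; no process with that PID
EndFunc   ;==>_ProcessInfoByPID

; Closes the process and only then deletes its image file, waiting up to $iTimeout
; seconds for it to exit (the race Ian's ProcessWaitClose tweak fixes). Returns 1 on
; success, 0 with @error set otherwise, so the caller can log "Cannot Delete" reliably.
Func _CloseAndDeleteByPID($iPID, $iTimeout = 10)
    Local $aInfo = _ProcessInfoByPID($iPID)
    If @error Or $aInfo[0] = "" Then Return SetError(1, 0, 0) ; no path, nothing safe to delete
    ProcessClose($iPID)
    If Not ProcessWaitClose($iPID, $iTimeout) Then Return SetError(2, 0, 0) ; still running
    If Not FileDelete($aInfo[0]) Then Return SetError(3, 0, 0) ; FileDelete returns 0 on failure
    Return 1
EndFunc   ;==>_CloseAndDeleteByPID
```

Note that FileDelete reports failure through its return value rather than @error, which is why the example checks the return.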