pintas

Authorize app to run

19 posts in this topic

I've been looking for some software that prevents applications from running, like an exe blocker.

I've seen Executable Blocker here in the forum, but it's not working for me, and it's not exactly what I'm looking for.

I'm trying to make a script that allows only specific software to run, instead of blocking undesired software. So what I'm looking for is help making a script that blocks/prevents Windows executables from running unless they are white-listed. I'm considering working only with .exe files for now.

Does anyone have any idea in how to do this?

Can anyone point me in the right direction please?


#2 ·  Posted (edited)

It could be a start...

#include <Array.au3>

; Names that may keep running; element [0] holds the count.
Local $_AuthorizedProcess[11] = [10, 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'svchost.exe', 'explorer.exe', 'SciTE.exe', 'AutoIt3Wrapper.exe', 'AutoIt3.exe']
Local $ProcessList = ProcessList()
If IsArray($ProcessList) Then
    For $I = 1 To $ProcessList[0][0]
        ; Only reports for now; swap the ConsoleWrite for ProcessClose($ProcessList[$I][1]) to enforce.
        If Not _AlreadyInArray($_AuthorizedProcess, $ProcessList[$I][0]) Then ConsoleWrite("ProcessClose : " & $ProcessList[$I][0] & @CRLF)
    Next
EndIf

Func _AlreadyInArray($_SearchArray, $_Item)
    ; Start at index 1 so the count in [0] can never be matched; _ArraySearch is case-insensitive by default.
    _ArraySearch($_SearchArray, $_Item, 1)
    If @error Then Return False
    Return True
EndFunc   ;==>_AlreadyInArray

Be careful with system processes...

Edited by wakillon

AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64


> I've been looking for some software that prevents applications from running, like an exe blocker.
>
> I've seen Executable Blocker here in the forum, but it's not working for me, and it's not exactly what I'm looking for.
>
> I'm trying to make a script that allows only specific software to run, instead of blocking undesired software. So what I'm looking for is help making a script that blocks/prevents Windows executables from running unless they are white-listed. I'm considering working only with .exe files for now.
>
> Does anyone have any idea in how to do this?
>
> Can anyone point me in the right direction please?

I think that AVs use DLL tricks, but I have a simple solution that I've made especially for you.

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.4.0
 Author:         myName

 Script Function:
    Template AutoIt script.

#ce ----------------------------------------------------------------------------

; Script Start - Add your code below here
Local $a_pl, $s_pl = "" ; $s_pl holds every PID seen so far, each stored as ";PID;" so PID 12 can never match PID 123

While 1
    $a_pl = ProcessList()

    If $s_pl = "" Then ; first snapshot: everything already running is trusted
        For $i = 1 To $a_pl[0][0]
            $s_pl &= ";" & $a_pl[$i][1] & ";"
        Next
    Else
        For $i = 1 To $a_pl[0][0]
            If Not StringInStr($s_pl, ";" & $a_pl[$i][1] & ";") Then
                $s_pl &= ";" & $a_pl[$i][1] & ";"
                _ProcessSuspend($a_pl[$i][1]) ; freeze the newcomer while we ask

                ; Check here if the process is allowed to run
                Local $iMsg = MsgBox(36, "", "Allow the process " & $a_pl[$i][0] & " (PID " & $a_pl[$i][1] & ") ?") ; 36 = Yes/No + question icon

                If $iMsg = 6 Then ; 6 = Yes
                    _ProcessResume($a_pl[$i][1]) ; resume the process
                Else
                    ProcessClose($a_pl[$i][1]) ; kill the process [or leave it suspended (in this case comment this line)]
                EndIf
            EndIf
        Next
    EndIf
WEnd

; Opens a process with only the right NtSuspendProcess/NtResumeProcess need.
; Returns the handle, or 0 with @error set. Handles are passed as "handle", not
; "int", otherwise the calls break on 64-bit Windows.
Func __OpenForSuspendResume($processid)
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0800, "bool", False, "dword", $processid) ; 0x0800 = PROCESS_SUSPEND_RESUME
    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)
    Return $ai_Handle[0]
EndFunc   ;==>__OpenForSuspendResume

;Author: The Kandie Man
Func _ProcessSuspend($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    Local $hProcess = __OpenForSuspendResume($processid)
    If @error Then Return SetError(1, 0, 0)
    Local $i_sucess = DllCall("ntdll.dll", "long", "NtSuspendProcess", "handle", $hProcess) ; NTSTATUS, 0 = STATUS_SUCCESS
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess) ; close the handle itself, not the DllCall result array
    If $iErr Or $i_sucess[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc   ;==>_ProcessSuspend

;Author: The Kandie Man
Func _ProcessResume($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    Local $hProcess = __OpenForSuspendResume($processid)
    If @error Then Return SetError(1, 0, 0)
    Local $i_sucess = DllCall("ntdll.dll", "long", "NtResumeProcess", "handle", $hProcess) ; NTSTATUS, 0 = STATUS_SUCCESS
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $hProcess)
    If $iErr Or $i_sucess[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc   ;==>_ProcessResume

Br, FireFox.


Thank you both for your replies, I'll try them both right now.

Sweet!


You can also Google around for a program called "soviet protector". I can't find it but I'm not trying hard. I remember it put a filter on CreateProcess.


Think I found it here:

Soviet Protector

But this is C, right? Any idea which compiler/editor to use for this code?

For now I'll be playing with FireFox's script, it's very close to my needs. But I'm guessing the Soviet Protector would probably be the way to do it, though I'll waste much more time with it.


#7 ·  Posted (edited)

Yes, that's it, and yes, it's C++ code. It would be a better way to do what you are looking for.

The script posted above has two failing points. One, if a process is started, the script has to recognize it and kill it. This means it is possibly able to run a few commands. Two, if one of those commands is to kill the search process, then you have no protection.

Soviet Protector may be more complicated, but it prevents processes from starting at all.

Also, you originally asked for software in the first post, not just a script. So my suggestion kinda fit what you asked for.

Edited by Richard Robertson


#8 ·  Posted (edited)

> Also, you originally asked for software in the first post, not just a script. So my suggestion kinda fit what you asked for.

Oh it does. Absolutely.

But I'm now a little confused. Isn't that link I posted the Soviet Protector you mentioned? I couldn't find it compiled though.

edit: Cool! My 100th post.

Edited by pintas


The second link on the page, the demo, is the compiled version.


To prevent apps from running instead of killing them as soon as they open is obviously the right way to do it.

But is there a way to do it in AutoIt? To prevent an .exe or a .scr from running, for example?

FireFox's script stops apps once they are open, which allows them to run for a bit, and the CPU goes through the roof if it runs in real time, so I need to put a 'Sleep(50)' in it, which in return will only increase the time the apps are allowed to run, thus running more code. I really don't want them to run any code at all.

How can I do this? How can I really prevent apps from running? Help?!


It can be done in AutoIt yes. You just have to translate the code from C++ to AutoIt.

It's mostly just hooking the function NtCreateSection.


It doesn't look viable to me.

I'll be playing with Windows API Hooking to see what comes out of there.

Thanks.


Good luck then.


Thanks Richard, I'll need it. It seems Windows API hooking won't do it either. Guess I have to learn a bit of C++.


#15 ·  Posted (edited)

It's not exactly what you want, but if you know the executable name you want to block, you can do it via the Registry:

RegWrite ( 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'DisallowRun', "REG_DWORD", 0x00000001 )
RegWrite ( 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '1', "REG_SZ", 'emule.exe' )
RegWrite ( 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '2', "REG_SZ", 'utorrent.exe' )
RegWrite ( 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '3', "REG_SZ", 'GTAIV.exe' )

Reboot is needed.

In fact, it would be an AllowRun key for what you need, but I don't know if it exists...

(After some tries: just restart explorer.)

Edited by wakillon



> It's not exactly what you want, but if you know the executable name you want to block, you can do it via the Registry:
>
> ...
>
> Reboot is needed.

With no wish to comment posted solution...

Just to say that reboot hardly ever is. Restart of the explorer for changes to take effect is what's really needed.


> In fact, it would be an AllowRun key for what you need, but I don't know if it exists...

Exactly. That kinda helps to some extent, but the AllowRun would indeed be perfect.

Thanks

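The allow-list counterpart of DisallowRun does exist under the same Explorer policy key, but it is called RestrictRun, not AllowRun (the Group Policy setting "Run only specified Windows applications"). The PowerShell below is an added example written for this page, not code from the thread or from any of its posters. It writes either list for the current user, applies it by restarting the shell as the reply above suggests instead of rebooting, and evaluates what the shell will decide for a given executable. The function names and the three sample entries in the usage section are this example's own choices.

```powershell
# Added example (not code from the thread). Assumes it runs as the user whose
# HKCU hive should carry the policy; both policies are per-user.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-ExplorerLaunchPolicy {
    <# DisallowRun = deny-list (the values wakillon wrote), RestrictRun = allow-list.
       Each is a DWORD flag plus a subkey of the same name whose string values
       "1", "2", ... hold bare file names. #>
    param(
        [Parameter(Mandatory)][ValidateSet('DisallowRun', 'RestrictRun')][string] $Policy,
        [Parameter(Mandatory)][string[]] $ExeNames   # bare file names such as 'emule.exe'
    )
    $listKey = Join-Path $PolicyKey $Policy
    # Rebuild the list from scratch so entries from an earlier run do not linger.
    if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }
    New-Item $listKey -Force | Out-Null
    $i = 1
    foreach ($name in $ExeNames) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $name -PropertyType String -Force | Out-Null
        $i++
    }
    New-ItemProperty -Path $PolicyKey -Name $Policy -Value 1 -PropertyType DWord -Force | Out-Null
}

function Clear-ExplorerLaunchPolicy {
    param([Parameter(Mandatory)][ValidateSet('DisallowRun', 'RestrictRun')][string] $Policy)
    Remove-ItemProperty -Path $PolicyKey -Name $Policy -ErrorAction SilentlyContinue
    Remove-Item (Join-Path $PolicyKey $Policy) -Recurse -Force -ErrorAction SilentlyContinue
}

function Test-ExplorerLaunchAllowed {
    <# Mirrors the shell's decision for a double-click / Start menu / Run-dialog launch:
       an enabled RestrictRun list blocks anything not on it, an enabled DisallowRun
       list blocks anything on it. Only the file name is compared, case-insensitively;
       the policies know nothing about paths, signatures or hashes. #>
    param([Parameter(Mandatory)][string] $ExePath)
    $leaf  = Split-Path -Leaf $ExePath
    $flags = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($policy in 'RestrictRun', 'DisallowRun') {
        if (-not $flags -or $flags.$policy -ne 1) { continue }
        $listKey = Join-Path $PolicyKey $policy
        $listed  = @()
        if (Test-Path $listKey) {
            $key    = Get-Item $listKey
            $listed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        }
        $onList = $listed -contains $leaf
        if ($policy -eq 'RestrictRun' -and -not $onList) { return $false }
        if ($policy -eq 'DisallowRun' -and $onList)      { return $false }
    }
    return $true
}

# --- usage ---
# Allow-list: only these can be started through the shell by this user. Keep
# regedit.exe (or another way back) on it, and try this in a throwaway account
# or VM first.
Set-ExplorerLaunchPolicy -Policy RestrictRun -ExeNames 'notepad.exe', 'calc.exe', 'regedit.exe'

# No reboot: explorer.exe reads the policy when it starts, so restart the shell
# (start it by hand if it does not come back on its own).
Stop-Process -Name explorer -Force
Start-Process explorer.exe

Test-ExplorerLaunchAllowed 'C:\Windows\notepad.exe'
Test-ExplorerLaunchAllowed 'C:\Games\GTAIV.exe'

# Revert:  Clear-ExplorerLaunchPolicy -Policy RestrictRun
```

Two caveats a practitioner should keep in mind. First, these policies are enforced by the Explorer shell, not by the kernel: a program started from cmd.exe, from a script, or by another process through CreateProcess is never consulted against the list, which is exactly the gap the NtCreateSection hook discussed earlier in the thread closes. Second, matching is by file name only, so renaming the binary defeats either list. The upside for an allow-list is that system services and anything already running are not started through the shell, so they do not have to be enumerated the way a process-killing script must.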

#18 ·  Posted (edited)

> Exactly. That kinda helps to some extent, but the AllowRun would indeed be perfect.
>
> Thanks

Yes, but the problem with a whitelist is that you must not forget any Windows system process,

and there are many.

Edited by wakillon



#19 ·  Posted (edited)

But my intention is to allow everything that is already running/installed on the computer, and whitelist chosen new applications.

I just want to block specific files (blacklist them) or anything new to the system, like viruses or whatever.

Edited by pintas

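Both the name list in the second post and the DisallowRun/RestrictRun values match on file name alone, so any binary that happens to be called svchost.exe passes. For the approach described in the last post, trusting whatever is already running on a clean machine and flagging anything new, a baseline keyed on full image path plus SHA-256 is the stronger form, and it also answers the worry about forgetting a system process, since the baseline is taken from the live system rather than typed by hand. This PowerShell is an added example for this page, not code from the thread; the baseline and process list at the bottom are constructed sample data with placeholder hashes so the comparison can be run without touching the live system.

```powershell
# Added example (not code from the thread).

function New-ProcessBaseline {
    # Snapshot of what is running now, keyed on image path + SHA-256. Run elevated,
    # otherwise other users' and SYSTEM processes expose no Path and are skipped.
    $entries = foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }
        if (-not $path) { continue }
        [pscustomobject]@{
            Name   = $p.ProcessName + '.exe'
            Path   = $path
            Sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        }
    }
    $entries | Sort-Object Path -Unique
}

function Compare-ProcessBaseline {
    # Pure comparison, so it can be exercised on constructed input. A process is
    # "known" only if both its image path and its hash are in the baseline; a
    # matching name on its own is never enough, and the reason says why it failed.
    param(
        [Parameter(Mandatory)][object[]] $Baseline,
        [Parameter(Mandatory)][object[]] $Current
    )
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Path.ToLower())|$($b.Sha256)"] = $true }
    $knownNames = @($Baseline | ForEach-Object { $_.Name.ToLower() })
    foreach ($c in $Current) {
        if ($known.ContainsKey("$($c.Path.ToLower())|$($c.Sha256)")) { continue }
        $reason = if ($knownNames -contains $c.Name.ToLower()) {
            'name is on the list but path/hash differ (renamed or replaced binary)'
        } else {
            'not in baseline'
        }
        [pscustomobject]@{ ProcessId = $c.ProcessId; Name = $c.Name; Path = $c.Path; Reason = $reason }
    }
}

# ---- constructed sample data (placeholder hashes, not real values) ----
$baseline = @(
    [pscustomobject]@{ Name = 'svchost.exe';  Path = 'C:\Windows\System32\svchost.exe'; Sha256 = 'AAAA' },
    [pscustomobject]@{ Name = 'explorer.exe'; Path = 'C:\Windows\explorer.exe';         Sha256 = 'BBBB' }
)
$current = @(
    [pscustomobject]@{ ProcessId = 800;  Name = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe';                Sha256 = 'AAAA' },
    [pscustomobject]@{ ProcessId = 4321; Name = 'svchost.exe'; Path = 'C:\Users\user\AppData\Local\Temp\svchost.exe'; Sha256 = 'CCCC' },
    [pscustomobject]@{ ProcessId = 5555; Name = 'GTAIV.exe';   Path = 'C:\Games\GTAIV.exe';                            Sha256 = 'DDDD' }
)
Compare-ProcessBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize

# Live use: take the baseline once on a clean machine, store it, then poll against it.
# $baseline = New-ProcessBaseline; $baseline | Export-Clixml baseline.xml
# $live = Get-Process | Where-Object Path | ForEach-Object {
#     [pscustomobject]@{ ProcessId = $_.Id; Name = $_.ProcessName + '.exe'; Path = $_.Path
#                        Sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path).Hash } }
# Compare-ProcessBaseline -Baseline (Import-Clixml baseline.xml) -Current $live
```

On the constructed sample the real svchost.exe is accepted while the copy in the Temp directory is reported with the "renamed or replaced binary" reason and GTAIV.exe as "not in baseline". This is still detection after the fact, so the objection raised earlier in the thread stands: the process has already started by the time it is flagged, and anything that must not run at all needs the hook-based approach. The baseline also has to be refreshed after Windows or application updates change the hashes, and hashing every image on every poll is expensive, so in practice cache the hash per path and file modification time.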
