pintas Posted November 1, 2010

I've been looking for some software that prevents applications from running, like an exe blocker. I've seen here in the forum Executable Blocker, but it's not working for me, and it's not exactly what I'm looking for. I'm trying to make a script that allows only specific software to run, instead of blocking undesired software. So, what I'm looking for is help making a script that blocks/prevents Windows executables from running unless they are whitelisted. I'm considering working only with .exe files for now. Does anyone have any idea how to do this? Can anyone point me in the right direction please?
wakillon Posted November 1, 2010 (edited)

It could be a start...

```autoit
#include <Array.au3>

; Processes allowed to run. Element 0 holds the count.
Local $_AuthorizedProcess[11] = [10, 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', _
        'svchost.exe', 'explorer.exe', 'SciTE.exe', 'AutoIt3Wrapper.exe', 'AutoIt3.exe']

$ProcessList = ProcessList()
If IsArray($ProcessList) Then
    For $I = 1 To $ProcessList[0][0]
        If Not _AlreadyInArray($_AuthorizedProcess, $ProcessList[$I][0]) Then
            ; Report only. Replace with ProcessClose($ProcessList[$I][1]) to actually kill by PID.
            ConsoleWrite("ProcessClose : " & $ProcessList[$I][0] & @CRLF)
        EndIf
    Next
EndIf

Func _AlreadyInArray($_SearchArray, $_Item)
    ; Search from index 1: index 0 holds the element count, not a process name.
    ; _ArraySearch returns the matching index, or -1 and sets @error when nothing matches.
    Local $_Index = _ArraySearch($_SearchArray, $_Item, 1)
    If @error Then Return False
    Return ($_Index > 0)
EndFunc   ;==>_AlreadyInArray
```

Be careful with system processes...
FireFox Posted November 1, 2010

> I've been looking for some software that prevents applications from running, like an exe blocker. I've seen here in the forum Executable Blocker, but it's not working for me, and it's not exactly what I'm looking for. I'm trying to make a script that allows only specific software to run, instead of blocking undesired software. So, what I'm looking for is help making a script that blocks/prevents Windows executables from running unless they are whitelisted. I'm considering working only with .exe files for now. Does anyone have any idea how to do this? Can anyone point me in the right direction please?

I think that AVs use DLL tricks, but I have a simple solution that I've made especially for you:

```autoit
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.4.0
 Author:         myName

 Script Function:
    Template AutoIt script.

#ce ----------------------------------------------------------------------------

; Script Start - Add your code below here

Local $a_pl, $s_pl ; $s_pl will contain the PIDs already seen, each wrapped in ";"
                   ; so that a PID such as 12 cannot match inside ";1234;"

While 1
    $a_pl = ProcessList()
    If $s_pl = "" Then ; first pass: record everything already running
        For $i = 1 To $a_pl[0][0]
            $s_pl &= ";" & $a_pl[$i][1] & ";"
        Next
    Else
        For $i = 1 To $a_pl[0][0]
            If Not StringInStr($s_pl, ";" & $a_pl[$i][1] & ";") Then
                $s_pl &= ";" & $a_pl[$i][1] & ";"
                _ProcessSuspend($a_pl[$i][1]) ; suspend the new process while we decide
                ; Check here if the process is allowed to run
                Local $iMsg = MsgBox(36, "", "Allow the process " & $a_pl[$i][0] & " ?") ; 36 = Yes/No + question icon
                If $iMsg = 6 Then ; 6 = Yes
                    _ProcessResume($a_pl[$i][1]) ; resume the process
                Else
                    ProcessClose($a_pl[$i][1]) ; kill the process [or comment this line to leave it suspended]
                EndIf
            EndIf
        Next
    EndIf
WEnd

; Author: The Kandie Man
Func _ProcessSuspend($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    ; 0x1F0FFF = PROCESS_ALL_ACCESS
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x1F0FFF, "bool", False, "dword", $processid)
    If @error Then Return SetError(1, 0, 0)
    If Not $ai_Handle[0] Then Return SetError(1, 0, 0) ; OpenProcess failed (access denied, protected process)
    Local $iStatus = DllCall("ntdll.dll", "long", "NtSuspendProcess", "handle", $ai_Handle[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $ai_Handle[0]) ; pass the handle, not the DllCall array
    If $iErr Then Return SetError(1, 0, 0)
    If $iStatus[0] <> 0 Then Return SetError(1, 0, 0) ; NTSTATUS 0 = STATUS_SUCCESS
    Return 1
EndFunc   ;==>_ProcessSuspend

; Author: The Kandie Man
Func _ProcessResume($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x1F0FFF, "bool", False, "dword", $processid)
    If @error Then Return SetError(1, 0, 0)
    If Not $ai_Handle[0] Then Return SetError(1, 0, 0)
    Local $iStatus = DllCall("ntdll.dll", "long", "NtResumeProcess", "handle", $ai_Handle[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $ai_Handle[0])
    If $iErr Then Return SetError(1, 0, 0)
    If $iStatus[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc   ;==>_ProcessResume
```

Br, FireFox.
pintas (author) Posted November 1, 2010

Thank you both for your replies, I'll try them both right now. Sweet!
Richard Robertson Posted November 1, 2010

You can also Google around for a program called "Soviet Protector". I can't find it, but I'm not trying hard. I remember it put a filter on CreateProcess.
pintas (author) Posted November 1, 2010

Think I found it here: Soviet Protector. But this is C, right? Any idea which compiler/editor to use for this code?

For now I'll be playing with FireFox's script; it's very close to my needs. But I'm guessing the Soviet Protector would probably be the way to do it, though I'll waste much more time with it.
Richard Robertson Posted November 2, 2010 (edited)

Yes, that's it, and yes, it's C++ code. It would be a better way to do what you are looking for. The script posted above has two failing points. One, if a process is started, the script has to recognize it and kill it. This means it is possibly able to run a few commands. Two, if one of those commands is to kill the search process, then you have no protection. Soviet Protector may be more complicated, but it prevents processes from starting at all.

Also, you originally asked for software in the first post, not just a script. So my suggestion kinda fit what you asked for.
pintas (author) Posted November 2, 2010 (edited)

> Also, you originally asked for software in the first post, not just a script. So my suggestion kinda fit what you asked for.

Oh it does. Absolutely.

But I'm now a little confused. Isn't that link I posted for the Soviet Protector you mentioned? I couldn't find it compiled though.

edit: Cool! My 100th post.
Richard Robertson Posted November 2, 2010

The second link on the page, the demo, is the compiled version.
pintas (author) Posted November 2, 2010

To prevent apps from running instead of killing them as soon as they open is obviously the right way to do it. But is there a way to do it in AutoIt? To prevent an .exe or a .scr from running, for example? FireFox's script stops apps once they are open, which allows them to run for a bit, and the CPU goes off the roof if it runs in real time, so I need to put a 'Sleep(50)' in it, which in return will only increase the time the apps are allowed to run, thus running more code. I really don't want them to run any code at all. How can I do this? How can I really prevent apps from running? Help?!
Richard Robertson Posted November 2, 2010

It can be done in AutoIt, yes. You just have to translate the code from C++ to AutoIt. It's mostly just hooking the function NtCreateSection.
pintas (author) Posted November 2, 2010

It doesn't look viable to me. I'll be playing with Windows API Hooking to see what comes out of there. Thanks.
Richard Robertson Posted November 3, 2010

Good luck then.
pintas (author) Posted November 3, 2010

Thanks Richard, I'll need it. It seems the Windows API Hooking won't do it either. Guess I have to learn a bit of C++.
wakillon Posted November 3, 2010 (edited)

It's not exactly what you want, but if you know the name of the executable you want to block, you can do it through the registry:

```autoit
; Enable the policy, then list the blocked executables as numbered REG_SZ values under the DisallowRun subkey.
RegWrite('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer', 'DisallowRun', 'REG_DWORD', 0x00000001)
RegWrite('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '1', 'REG_SZ', 'emule.exe')
RegWrite('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '2', 'REG_SZ', 'utorrent.exe')
RegWrite('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun', '3', 'REG_SZ', 'GTAIV.exe')
```

Reboot is needed.

In fact, it would be an AllowRun key for what you need, but I don't know if it exists...

(After some tries, just restart Explorer.)
trancexx Posted November 3, 2010

> It's not exactly what you want, but if you know the name of the executable you want to block, you can do it through the registry: ... Reboot is needed.

With no wish to comment on the posted solution... Just to say that a reboot hardly ever is. A restart of Explorer for the changes to take effect is what's really needed.
pintas (author) Posted November 3, 2010

> In fact, it would be an AllowRun key for what you need, but I don't know if it exists...

Exactly. That kinda helps to some extent, but the AllowRun would indeed be perfect. Thanks.
wakillon Posted November 3, 2010 (edited)

> Exactly. That kinda helps to some extent, but the AllowRun would indeed be perfect. Thanks.

Yes, but the problem with a whitelist is that you must not forget any Windows system process! And there are many.
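Added example by the editor, not wakillon's code or anything posted in the thread. The allow-only counterpart wakillon wonders about does exist: the same Policies\Explorer key takes a RestrictRun DWORD plus a RestrictRun subkey with numbered REG_SZ entries (Group Policy shows it as "Run only specified Windows applications", next to "Don't run specified Windows applications" for DisallowRun). The PowerShell below writes either list and restarts Explorer rather than rebooting. Caveats a practitioner should weigh before relying on it: both policies are enforced by Explorer only (Start menu, double-click, Run box), they match on file name alone so a renamed copy passes, nothing started by cmd.exe, a script, a scheduled task or a service is checked, and because the values sit in HKCU the restricted user can delete them. That also answers wakillon's system-process worry, since services never go through Explorer, but for the same reason this is a usability fence, not a security boundary. The executable names in the usage lines are hypothetical.

```powershell
# Editor's example, not from the thread. Writes the Explorer RestrictRun (allow-only)
# or DisallowRun (block) policy for the current user and restarts Explorer.
$ExplorerPolicies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-ExplorerRunList {
    param(
        [Parameter(Mandatory)][ValidateSet('RestrictRun', 'DisallowRun')][string]$Mode,
        [Parameter(Mandatory)][string[]]$ExeNames
    )
    # The policy DWORD lives on ...\Explorer; the list is a subkey of the same name
    # holding REG_SZ values named "1", "2", ... (bare file names, no paths).
    $listKey = Join-Path $ExplorerPolicies $Mode
    New-Item -Path $listKey -Force | Out-Null

    # Drop stale numbered entries from an earlier run before writing the new list.
    foreach ($name in (Get-Item -Path $listKey).GetValueNames()) {
        Remove-ItemProperty -Path $listKey -Name $name -ErrorAction SilentlyContinue
    }
    for ($i = 0; $i -lt $ExeNames.Count; $i++) {
        New-ItemProperty -Path $listKey -Name "$($i + 1)" -Value $ExeNames[$i] -PropertyType String -Force | Out-Null
    }
    New-ItemProperty -Path $ExplorerPolicies -Name $Mode -Value 1 -PropertyType DWord -Force | Out-Null
}

function Remove-ExplorerRunList {
    param([Parameter(Mandatory)][ValidateSet('RestrictRun', 'DisallowRun')][string]$Mode)
    Remove-ItemProperty -Path $ExplorerPolicies -Name $Mode -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $ExplorerPolicies $Mode) -Recurse -ErrorAction SilentlyContinue
}

function Restart-Explorer {
    # Explorer reads these policies when it starts, so a restart of the shell is enough.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    # Recent Windows versions usually relaunch the shell on their own; start it if not.
    if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }
}

# Block list, same effect as wakillon's RegWrite calls:
# Set-ExplorerRunList -Mode DisallowRun -ExeNames 'emule.exe', 'utorrent.exe', 'GTAIV.exe'

# Allow list (hypothetical names). Explorer will then launch only these, so the list must
# include whatever you will use to undo it (here powershell.exe). Try it on a test account first.
Set-ExplorerRunList -Mode RestrictRun -ExeNames 'SciTE.exe', 'AutoIt3.exe', 'notepad.exe', 'powershell.exe'
Restart-Explorer

# Undo:
# Remove-ExplorerRunList -Mode RestrictRun; Restart-Explorer
```

A domain Group Policy for the same settings overrides whatever is written here, and the check is done at launch time only, so processes already running when Explorer restarts are not touched.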
pintas (author) Posted November 3, 2010 (edited)

But my intention is to allow everything that is already running/installed on the computer, and whitelist chosen new applications. I just want to block specific files (blacklist them) or anything new to the system, like viruses or whatever.
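Added example by the editor, not part of the thread, implementing what pintas describes here in PowerShell while fixing two weaknesses shared by the wakillon and FireFox scripts above. It snapshots what is running now as the trusted set, identifies an image by its full path plus the SHA-256 of the file rather than by its name (anything can call itself svchost.exe, so a name list is no defence), and tracks seen processes by exact PID instead of substring matching, re-examining a PID once its previous owner has exited. Run it from a 64-bit elevated shell; otherwise .Path is empty for other users' and 64-bit processes and those are left alone. Without -Enforce it only reports. It still polls, so, as Richard points out above, a new process gets a head start before it is noticed; that race is inherent to this approach and is the reason the thread turns to hooking process creation.

```powershell
# Editor's example, not from the thread: baseline-then-monitor allow list keyed on
# full image path + SHA-256, with exact PID tracking. Audit-only unless -Enforce is given.

function Get-ImageKey {
    param([Parameter(Mandatory)][string]$Path)
    # Identity of an image = lower-cased full path + SHA-256 of the file on disk.
    # Throws if the file is unreadable, so callers decide how to treat that.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
    return ($Path.ToLowerInvariant() + '|' + $hash)
}

function New-ProcessBaseline {
    # Trusted set = every image running right now (pintas's "allow what is already there").
    $baseline = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($p in Get-Process) {
        if ($p.Path) {
            try { [void]$baseline.Add((Get-ImageKey -Path $p.Path)) }
            catch { Write-Warning "Could not hash $($p.Path): $_" }
        }
    }
    return ,$baseline   # leading comma stops PowerShell unrolling the set into loose strings
}

function Test-ProcessAllowed {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Process]$Proc,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Baseline
    )
    # No path: System, Registry, Memory Compression, protected processes, or one we
    # lack rights to query. Never touch these; killing them takes the machine down.
    if (-not $Proc.Path) { return $true }
    try { return $Baseline.Contains((Get-ImageKey -Path $Proc.Path)) }
    catch { return $false }   # image already deleted or unreadable: treat as unknown
}

function Watch-Processes {
    param(
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Baseline,
        [switch]$Enforce,          # default is audit-only: report, do not kill
        [int]$PollMs = 500
    )
    $known = @{}
    foreach ($p in Get-Process) { $known[$p.Id] = $true }

    while ($true) {
        $current = @{}
        foreach ($p in Get-Process) {
            $current[$p.Id] = $true
            if ($known.ContainsKey($p.Id)) { continue }              # exact PID lookup, not a substring test
            if (Test-ProcessAllowed -Proc $p -Baseline $Baseline) { continue }
            Write-Warning ("Not in baseline: {0} (PID {1}) {2}" -f $p.ProcessName, $p.Id, $p.Path)
            if ($Enforce) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        }
        $known = $current   # forget exited PIDs so a reused PID is examined again next round
        Start-Sleep -Milliseconds $PollMs
    }
}

# Usage: snapshot now, then audit. Add -Enforce to kill anything not in the snapshot.
$baseline = New-ProcessBaseline
Watch-Processes -Baseline $baseline
```

Hashing happens only once per baseline image and once per newly seen process, so the loop stays cheap; an updated program (same path, new hash) will be flagged, which is the intended behaviour for an "anything new is suspect" policy, and the fix is to rebuild the baseline after a trusted update.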