Help with malware removal program

FredAI · December 17, 2010

Hi everyone,

I'm developing a malware removal software using AutoIt and I need some help.

One part of the program consists in showing all non critical processes, allowing to select one of them to terminate it and also delete parent file if desired.

To show processes executable paths I use the function below, based on Ascend4nt's _ProcessFunctions.au3 UDF (Many thanks to Ascend4nt)

Func ProcessPathList()
    Local $Process = ProcessList(), $PCount = 0, $DosDriveLetter, $handle = '0x0000000000000000'
    Local $aRet[$Process[0][0]+1][2]
    Local $aDriveArray = DriveGetDrive("ALL")
$PCount = 0
Do
    $PCount +=1
    Local $han = DllCall('kernel32.dll',"handle","OpenProcess","dword",0x1000,"bool",False,"dword",$Process[$PCount][1])
    If IsArray($han) Then Local $handle = $han[0]
    ;MsgBox(0,'',$handle)
    If $handle = '0x0000000000000000' Then
        Local $han = DllCall('kernel32.dll',"handle","OpenProcess","dword",0x0400,"bool",False,"dword",$Process[$PCount][1])
        If IsArray($han) Then Local $handle = $han[0]
    EndIf
    Local $iProcess=DllCall('psapi.dll',"dword","GetProcessImageFileNameW","handle",$handle,"wstr","","dword",65536)
    If IsArray($iProcess) And  $iProcess[2] <> '' Then $aRet[$PCount][0] = $iProcess[2]
    For $Count2 = 1 To $aDriveArray[0]
        $DosDriveLetter = DllCall('kernel32.dll',"dword","QueryDosDeviceW","wstr",StringUpper($aDriveArray[$Count2]),"wstr",0,"dword",65536)
        If StringInStr($aRet[$PCount][0], $DosDriveLetter[2]) > 0 Then $aRet[$PCount][0] = StringReplace($aRet[$PCount][0], $DosDriveLetter[2], StringUpper($aDriveArray[$Count2]))
    Next
    
; System and System Idle processes are set to show their names, since they don't have a realy valid path.
    If Not FileExists($aRet[$PCount][0]) Then $aRet[$PCount][0] = $Process[$PCount][0]

; There was 5 more processes that I didn't manage to get their path, so I decided to add it. Here's where I'm cheating:
    If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0],'.exe') > 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') = 0 Then $aRet[$PCount][0] = @SystemDir & '\' & $aRet[$PCount][0]
    If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') > 0 Then $aRet[$PCount][0]= @SystemDir & '\wbem\' & $aRet[$PCount][0]
    $aRet[$PCount][1] = $Process[$PCount][1]
Until $PCount = $Process[0][0]
    $aRet[0][0] = $PCount
    Return $aRet
EndFunc

There was seven processes I didn't manage to get the executable path:

For 'System Idle Process' and 'System', it's normal, because they don't realy have a path.

The others were two 'csrss.exe', two 'dllhost.exe' and 'wmiprvse.exe', so I made the function complete automaticaly their paths. It works fine on my three OS (Win7x64, Win7x86 and WinXpx86) but this is cheating and I'm afraid this can cause some problems and false paths.

Can someone help me get this process executable paths without cheating?

Hers's a link to download the so far developed program so you can better understand what I'm trying to create.

Thanks in advance. Fred.

wakillon · December 17, 2010

In the helpfile i have found this :

#include <WinAPI.au3>

MsgBox(0, "PathFindOnPath Example", StringFormat( "Full path of csrss.exe:\n%s\n\n" & _WinAPI_PathFindOnPath("csrss.exe")) )

Edited December 17, 2010 by wakillon

FredAI · December 17, 2010

Hi Wakillon, thanks for your reply.

Your solution works fine!

I've replaced:

[font=monospace][size=2]If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0],'.exe') > 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') = 0 Then $aRet[$PCount][0] = @SystemDir & '\' & $aRet[$PCount][0][/size][/font][font=monospace][size=2]    If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') > 0 Then $aRet[$PCount][0]= @SystemDir & '\wbem\' & $aRet[$PCount][0][/size][/font]

For

If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0],'.exe') > 0 Then $aRet[$PCount][0] = _WinAPI_PathFindOnPath($aRet[$PCount][0])

And it works!

I'd rather get the path by calling Winapi.dll or Kernel32.dll, but since it seems impossible, I'm gonna leave it this way for now.

Thanks again.

wakillon · December 17, 2010

Glad to help you !

I have tried with kernell32.dll too, but it seems that doesn't work for system process.

FredAI · December 17, 2010

Yes... Posted Image

In fact, to get almost all processes info we must compile the script and require administrator rights.

Did you download and try the program? If you did, what do you think?

wakillon · December 17, 2010

Yes...
In fact, to get almost all processes info we must compile the script and require administrator rights.
Did you download and try the program? If you did, what do you think?

yes i did !

It look great, i do not know sigcheck of sysinternal to check for unsigned files,

but uvk options, repair system, execute commands and uvk help buttons doesn't respond ! Posted Image

FredAI · December 17, 2010

That's because I haven't built them yet. Posted Image

I've just create the small button to go back to main window.

I think I'll have for a few moths yet..

sigcheck seems to work ok, but I intend to remove it and create my own function to verify file signatures.

I'm trying to learn how to do it from MSDN. If you could help me, that would be great!

Sign In

Help with malware removal program

Recommended Posts

FredAI

wakillon

FredAI

wakillon

FredAI

wakillon

FredAI

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta