FredAI

Help with malware removal program

7 posts in this topic

Hi everyone,

I'm developing a malware removal software using AutoIt and I need some help.

One part of the program consists of showing all non-critical processes, allowing the user to select one of them to terminate it and also delete its parent file if desired.

To show the processes' executable paths I use the function below, based on Ascend4nt's _ProcessFunctions.au3 UDF (many thanks to Ascend4nt):

Func ProcessPathList()
    ; Returns [n][0] = executable path (or the process name when no path can be found), [n][1] = PID; [0][0] = count.
    Local $Process = ProcessList()
    Local $aRet[$Process[0][0] + 1][2]
    Local $aDriveArray = DriveGetDrive("ALL")
    Local $han, $handle, $iProcess, $DosDriveLetter, $sDevice

    For $PCount = 1 To $Process[0][0]
        ; Try PROCESS_QUERY_LIMITED_INFORMATION (0x1000, Vista+) first, then PROCESS_QUERY_INFORMATION (0x0400) for XP.
        $handle = 0
        $han = DllCall('kernel32.dll', "handle", "OpenProcess", "dword", 0x1000, "bool", False, "dword", $Process[$PCount][1])
        If IsArray($han) Then $handle = $han[0]
        If $handle = 0 Then
            $han = DllCall('kernel32.dll', "handle", "OpenProcess", "dword", 0x0400, "bool", False, "dword", $Process[$PCount][1])
            If IsArray($han) Then $handle = $han[0]
        EndIf

        ; GetProcessImageFileNameW gives a native path such as \Device\HarddiskVolume1\Windows\System32\svchost.exe
        $aRet[$PCount][0] = ''
        If $handle <> 0 Then
            $iProcess = DllCall('psapi.dll', "dword", "GetProcessImageFileNameW", "handle", $handle, "wstr", "", "dword", 65536)
            If IsArray($iProcess) And $iProcess[2] <> '' Then $aRet[$PCount][0] = $iProcess[2]
            DllCall('kernel32.dll', "bool", "CloseHandle", "handle", $handle) ; close the handle; it was leaked once per process before
        EndIf

        ; Map the \Device\HarddiskVolumeN prefix back to its drive letter. The prefix must be followed by a backslash,
        ; otherwise HarddiskVolume1 would also match HarddiskVolume10.
        For $Count2 = 1 To $aDriveArray[0]
            $DosDriveLetter = DllCall('kernel32.dll', "dword", "QueryDosDeviceW", "wstr", StringUpper($aDriveArray[$Count2]), "wstr", "", "dword", 65536)
            If Not IsArray($DosDriveLetter) Or $DosDriveLetter[2] = '' Then ContinueLoop
            $sDevice = $DosDriveLetter[2] & '\'
            If StringLeft($aRet[$PCount][0], StringLen($sDevice)) = $sDevice Then
                $aRet[$PCount][0] = StringUpper($aDriveArray[$Count2]) & StringTrimLeft($aRet[$PCount][0], StringLen($DosDriveLetter[2]))
                ExitLoop
            EndIf
        Next

        ; System and System Idle Process are shown by name, since they don't have a really valid path.
        If Not FileExists($aRet[$PCount][0]) Then $aRet[$PCount][0] = $Process[$PCount][0]

        ; There were 5 more processes whose path I couldn't get, so I decided to add it. Here's where I'm cheating:
        If StringInStr($aRet[$PCount][0], ':\') = 0 And StringInStr($aRet[$PCount][0], '.exe') > 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') = 0 Then $aRet[$PCount][0] = @SystemDir & '\' & $aRet[$PCount][0]
        If StringInStr($aRet[$PCount][0], ':\') = 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') > 0 Then $aRet[$PCount][0] = @SystemDir & '\wbem\' & $aRet[$PCount][0]
        $aRet[$PCount][1] = $Process[$PCount][1]
    Next
    $aRet[0][0] = $Process[0][0]
    Return $aRet
EndFunc

There were seven processes for which I didn't manage to get the executable path:

For 'System Idle Process' and 'System' it's normal, because they don't really have a path.

The others were two 'csrss.exe', two 'dllhost.exe' and 'wmiprvse.exe', so I made the function complete their paths automatically. It works fine on my three OSes (Win7x64, Win7x86 and WinXPx86), but this is cheating and I'm afraid it can cause some problems and false paths.

Can someone help me get these processes' executable paths without cheating?

Here's a link to download the program developed so far, so you can better understand what I'm trying to create.

Thanks in advance. Fred.
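As an added illustration (not Fred's code nor the AutoIt UDF), here is the drive-letter mapping step and the fallback for processes that could not be opened, written in Python as pure logic over constructed sample data; the QueryDosDevice table and the process records are assumed, not read from a live machine. It shows why the \Device\HarddiskVolume1 prefix must be matched up to the next backslash (so volume 10 is not mistaken for volume 1) and why a process whose image could not be read is better reported as unresolved than placed under System32 by file name.

```python
from typing import Dict, Optional

# Constructed sample of what QueryDosDeviceW returns per drive letter (not captured
# from a real machine): the \Device\HarddiskVolumeN prefix behind each DOS drive.
SAMPLE_DOS_DEVICES: Dict[str, str] = {
    "C:": r"\Device\HarddiskVolume1",
    "D:": r"\Device\HarddiskVolume10",
}


def device_path_to_dos(native_path: str, dos_devices: Dict[str, str]) -> Optional[str]:
    r"""Translate a GetProcessImageFileName-style native path to a drive-letter path.

    Only a prefix match immediately followed by a backslash counts, so the
    \Device\HarddiskVolume1 mapping can never swallow \Device\HarddiskVolume10.
    Returns None when no known volume matches (e.g. an unmounted volume).
    """
    for letter, device in dos_devices.items():
        if native_path.upper().startswith(device.upper() + "\\"):
            return letter.upper() + native_path[len(device):]
    return None


def resolve_process_path(name: str, native_path: Optional[str],
                         dos_devices: Dict[str, str]) -> Dict[str, object]:
    """Build one listing entry without guessing where the executable lives.

    native_path is None when OpenProcess failed (the csrss.exe / dllhost.exe case
    in the post) and "" for kernel pseudo-processes such as System.  Both are
    reported as unresolved: a file merely called csrss.exe in another folder
    must not be displayed as if it were the genuine one in System32.
    """
    if native_path is None:
        return {"display": name, "path": None, "resolved": False}
    dos_path = device_path_to_dos(native_path, dos_devices)
    if dos_path is None:
        return {"display": native_path or name, "path": None, "resolved": False}
    return {"display": dos_path, "path": dos_path, "resolved": True}


def list_example() -> list:
    # Constructed process records: (name, native path, or None when OpenProcess failed).
    records = [
        ("System", ""),
        ("svchost.exe", r"\Device\HarddiskVolume1\Windows\System32\svchost.exe"),
        ("tool.exe", r"\Device\HarddiskVolume10\Tools\tool.exe"),
        ("csrss.exe", None),
    ]
    return [resolve_process_path(n, p, SAMPLE_DOS_DEVICES) for n, p in records]
```

A removal tool should act (terminate, delete) only on entries with resolved set to True; the unresolved ones need the process opened with sufficient rights first.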


Hi Wakillon, thanks for your reply.

Your solution works fine!

I've replaced:

If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0],'.exe') > 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') = 0 Then $aRet[$PCount][0] = @SystemDir & '\' & $aRet[$PCount][0]
If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0], 'wmiprvse.exe') > 0 Then $aRet[$PCount][0]= @SystemDir & '\wbem\' & $aRet[$PCount][0]

For

If StringInStr($aRet[$PCount][0],':\') = 0 And StringInStr($aRet[$PCount][0],'.exe') > 0 Then $aRet[$PCount][0] = _WinAPI_PathFindOnPath($aRet[$PCount][0])

And it works!

I'd rather get the path by calling Winapi.dll or Kernel32.dll, but since it seems impossible, I'm gonna leave it this way for now.

Thanks again.


Glad to help you!

I have tried with kernel32.dll too, but it seems that it doesn't work for system processes.


AutoIt 3.3.14.2 X86 - SciTE 3.6.0 - WIN 8.1 X64 - Other Example Scripts


Yes...

In fact, to get almost all processes info we must compile the script and require administrator rights.

Did you download and try the program? If you did, what do you think?


Yes, I did!

It looks great. I did not know Sysinternals' sigcheck for checking unsigned files,

but the uvk options, repair system, execute commands and uvk help buttons don't respond!


That's because I haven't built them yet.

I've just created the small button to go back to the main window.

I think I'll have a few months yet..

sigcheck seems to work ok, but I intend to remove it and create my own function to verify file signatures.

I'm trying to learn how to do it from MSDN. If you could help me, that would be great!
