LoWang

AutoIt compiled script is trying to send ICMP Type 0 (Echo Reply)

26 posts in this topic

Hello, I noticed this very strange thing. I have some AutoIt programs which I created for myself running on my work laptop, and when I tried to ping this machine from the second one I have, a strange thing happened - one of those programs wanted to reply to that ping and the Symantec firewall notified me about it, asking if I want to allow it or not! Why the heck would my program do this? The one which did it just now has some network functions, but they do something only when I click a button in it and otherwise it just loops sleep ;) The second program which did it does not even have any network functions at all. So what the heck is that? Maybe this is normal and I freak out like a noob, so tell me. But I always thought it is the OS which should reply to pinging... :)


Where are all those valued AutoIters who should know this? :)


Don't know but please wait at least 24 hours before you bump a thread (according to forum FAQ).


I always thought the IP Stack did the reply to an ICMP. So you are actually seeing an ICMP come in and an AutoIt3 script tries to reply?


I always thought the IP Stack did the reply to an ICMP. So you are actually seeing an ICMP come in and an AutoIt3 script tries to reply?

If I read his babble correctly, he was saying a self-created autoit script is what's initiating the ping.


#7 ·  Posted (edited)

Thank you for replying. Well, Blue_drache, you are not reading it correctly ;) I said that I ping my first laptop from the second one I have to see if my wifi works (ping command from the command line), and then suddenly on my first one I see this message from our corporate Symantec Endpoint Protection!


pripojCdrive.exe is my script which I created for myself and colleagues; we use it to connect SMB shares in our company, and when I get home I sometimes leave it running. But there is absolutely no functionality which should reply to pings from other computers :) At least none that I know of. It does not matter if I say yes or no to this window - ping works normally and gets a response.

And this was not the only case. Another of my scripts also tried to reply to pings, and it has no network functions at all (as I wrote before), but I haven't taken a picture of that warning window...

Edited by LoWang


bump...


#10 ·  Posted (edited)


Why the heck would SciTE jump want to access my network? :) I doubt the "problem" is in a firewall ...

Edited by LoWang


SciTE Jump doesn't access the Internet.


#13 ·  Posted (edited)

Software firewalls are retarded.

Very retarded.

The worst are those that give very cryptic, often verbose descriptions without actually giving information that is useful to the end user (or give it in a manner that no user, experienced or not, can use in an effective way).

Alternatively the worst case scenario is that an author of a tool uses a method they do not fully understand and thus causes such security software to freak out about the most casual of things.

Edited by Mobius


Download and fire up Wireshark and monitor your network traffic, wait until you get the message from your firewall and see what is actually sending the information to the NIC. Then you'll know where the "problem" actually is.


Another one


Text from the details:

File Version:
File Description: TC_changetext.exe
File Path: C:\scripty\pokusy\TC_changetext.exe
Digital Signature:
Process ID: 0x3ec (Hexadecimal) 1004 (Decimal)
Connection origin: local initiated
Protocol: ICMP
Local Address: 192.168.1.35
ICMP Type: 0 (Echo Reply)
ICMP Code: 0
Remote Name:
Remote Address: 192.168.1.40

Ethernet packet details:
Ethernet II (Packet Length: 74)
  Destination: 00-15-00-15-dd-a8
  Source: 58-94-6b-79-bf-88
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: 0x1 (ICMP - Internet Control Message Protocol)
  Header checksum: 0x9dad (Correct)
  Source: 192.168.1.35
  Destination: 192.168.1.40
Internet Control Message Protocol
  Type: 0 (Echo Reply)
  Code: 0
  Data (36 bytes)

Binary dump of the packet:
0000: 00 15 00 15 DD A8 58 94 : 6B 79 BF 88 08 00 45 00 | ......X.ky....E.
0010: 00 3C 09 88 00 00 80 01 : AD 9D C0 A8 01 23 C0 A8 | .<...........#..
0020: 01 28 00 00 5B 54 02 00 : F8 07 61 62 63 64 65 66 | .(..[T....abcdef
0030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 | ghijklmnopqrstuv
0040: 77 61 62 63 64 65 66 67 : 68 69 | wabcdefghi

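As an added example (not code from the thread), this Python decodes the first dump pasted above, checks the IPv4 and ICMP checksums and extracts the payload, which turns out to be the fixed 32-byte abcdefghijklmnopqrstuvwabcdefghi pattern that Windows ping.exe sends in its Echo Request and that an Echo Reply copies back unchanged. Nothing in those bytes ties the reply to the process the firewall named; they are exactly what the kernel's own stack produces.

```python
import struct
# Hex dump as pasted in the thread above (first TC_changetext.exe alert).
# Offsets, ':' separators and the ASCII column are ignored by the parser.
DUMP = """\
0000: 00 15 00 15 DD A8 58 94 : 6B 79 BF 88 08 00 45 00 | ......X.ky....E.
0010: 00 3C 09 88 00 00 80 01 : AD 9D C0 A8 01 23 C0 A8 | .<...........#..
0020: 01 28 00 00 5B 54 02 00 : F8 07 61 62 63 64 65 66 | .(..[T....abcdef
0030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 | ghijklmnopqrstuv
0040: 77 61 62 63 64 65 66 67 : 68 69 | wabcdefghi
"""

def parse_dump(text):
    """Turn 'offset: bytes : bytes | ascii' lines back into raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        hexpart = line.split("|")[0].split(":", 1)[1]  # drop offset and ASCII
        out += bytes.fromhex(hexpart.replace(":", " "))
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 means the stored checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(frame):
    """Decode Ethernet II / IPv4 / ICMP headers and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    icmp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # up to IP total length
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "proto": ip[9],
        # recomputed with the field zeroed: 0xad9d ("AD 9D" on the wire; the dialog shows it byte-swapped)
        "ip_checksum": inet_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "icmp_id": struct.unpack("!H", icmp[4:6])[0],
        "icmp_seq": struct.unpack("!H", icmp[6:8])[0],
        "payload": icmp[8:],  # copied unchanged from the Echo Request
    }
print(decode_frame(parse_dump(DUMP)))
```

The second dump in the thread (SciTE.exe, header checksum 0xee9f) decodes the same way with only the IP id, ICMP sequence and checksums differing.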

Does it need a (user) program running to have the network stack answer an ICMP request, assuming it isn't kept away from doing so by registry settings?

Looks like an automated response which doesn't need user code to happen.

It may simply be that the firewall sees the ICMP being automagically issued by the network stack and (mis)associates it with the PID having had the last user time slot, or something like that. In the vein "some process HAS to be guilty for that".

A comparable answerless question would probably arise if a "DVD reader firewall" tries to associate a user program with the "something caused the DVD tray to open" when a human pressed the eject button of this drive.

Do ping responses occur without any AutoIt script running?


#17 ·  Posted (edited)

Hm, when you say it like this it may be the case. We had some bad experience with Symantec products in our company before :-] But did you see the packet dump I pasted? What's with that alphabet in it?! I just continuously ping my primary laptop from the second one to check the wifi network stability and I get normal responses. From time to time (just now, for example, when I typed this sentence) one of the compiled AutoIt scripts decides to answer that pinging too! And yes, ping still works after I exited all my scripts. But just a second after I launch one of them again it wants to reply to it :-] If I answer no, but without remembering it, it seems not to try again... at least for some time.

I will try wireshark tomorrow because now I will probably go to sleep. (Without having done what I wanted again because of this disturbing mystery :- )

Edited by LoWang


I only use Ghost (which is a product Norton got by buying the company which made it) and no other Norton product. The last one I was involved in was their beta and release of the (very good at that time) C/C++ compiler originated by Zortech. Symantec destroyed this product shortly afterwards.

Having seen too many "kits" that teens could use to take control over a Norton/Symantec "protection" on any PC worldwide further kept me forever away from their products (especially what they call security products).

Yet what you report is a bit strange.


Guess what...


File Version:
File Description: SciTE.exe
File Path: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Digital Signature:
Process ID: 0x2260 (Hexadecimal) 8800 (Decimal)
Connection origin: local initiated
Protocol: ICMP
Local Address: 192.168.1.35
ICMP Type: 0 (Echo Reply)
ICMP Code: 0
Remote Name:
Remote Address: 192.168.1.40

Ethernet packet details:
Ethernet II (Packet Length: 74)
  Destination: 00-15-00-15-dd-a8
  Source: 58-94-6b-79-bf-88
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: 0x1 (ICMP - Internet Control Message Protocol)
  Header checksum: 0xee9f (Correct)
  Source: 192.168.1.35
  Destination: 192.168.1.40
Internet Control Message Protocol
  Type: 0 (Echo Reply)
  Code: 0
  Data (36 bytes)

Binary dump of the packet:
0000: 00 15 00 15 DD A8 58 94 : 6B 79 BF 88 08 00 45 00 | ......X.ky....E.
0010: 00 3C 17 37 00 00 80 01 : 9F EE C0 A8 01 23 C0 A8 | .<.7.........#..
0020: 01 28 00 00 13 4B 02 00 : 40 11 61 62 63 64 65 66 | .(...K..@.abcdef
0030: 67 68 69 6A 6B 6C 6D 6E : 6F 70 71 72 73 74 75 76 | ghijklmnopqrstuv
0040: 77 61 62 63 64 65 66 67 : 68 69 | wabcdefghi


#20 ·  Posted (edited)

OMG, and now it has gone completely crazy. It reports various exe files that are supposedly trying to do an ICMP reply: procex64.exe, ProtectionUtilSurrogate.exe (Symantec something), SynTPEnh.exe (ThinkPad utility). So the problem is not in AutoIt, it seems...

Now even C:\Windows\System32\csrss.exe. :-]

Edited by LoWang
