tylerh27

[HELP] Detect Unwanted Processes

18 posts in this topic

I got a great idea. It would be a program to detect any potentially harmful or unwanted running programs. And it would find the source of that running program and remove it (basically like a virus removal). If anyone knew how to start on something like this, or would want to help on this project, I'd really appreciate it.




Get an antivirus, man!! Your idea is pretty stupid, since it's impossible to do so (at least in AU3)


----------------------------------------

:bye: Hey there, was I helpful?

----------------------------------------

My Current OS: Win8 PRO (64-bit); Current AutoIt Version: v3.3.8.1


I got a great idea. It would be a program to detect any potentially harmful or unwanted running programs. And it would find the source of that running program and remove it (basically like a virus removal). If anyone knew how to start on something like this, or would want to help on this project, I'd really appreciate it.

Best bet is to fund yourself a team of people who know what they're doing, set some goals and proceed to becoming a filthy rich bastard.

Sounds easy but it's far, far from it.

Good luck soldier!


Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.


I thought I had remembered seeing something similar to what you were talking about doing in one of my many searches for something else lately.


Get an antivirus, man!! Your idea is pretty stupid, since it's impossible to do so (at least in AU3)

Nice answer, but everything is possible. You just need to look at it in different ways. The answer to this is the opposite: only allow what you want to run. This will be very restricted but would work.

Reality: the wheel is already invented. But why not make it better? (Lamen terms: "don't stop others from progressing forward")


#6 ·  Posted (edited)

Why not create a whitelist of software for your computer, and kill the unwanted processes excluding that list.

To monitor the processes, have a look.

Edited by PhoenixXL

My code:

PredictText: Predict Text of an Edit Control Like Scite. Remote Gmail: Execute your Scripts through Gmail. StringRegExp:Share and learn RegExp.

Run As System: A command line wrapper around PSEXEC.exe to execute your apps scripts as System (LSA). Database: An easier approach for _SQ_LITE beginners.

MathsEx: A UDF for Fractions and LCM, GCF/HCF. FloatingText: An UDF for make your text floating. Clipboard Extendor: A clipboard monitoring tool. 

Custom ScrollBar: Scroll Bar made with GDI+, user can use bitmaps instead. RestrictEdit_SRE: Restrict text in an Edit Control through a Regular Expression.


Reality: the wheel is already invented. But why not make it better? (Lamen terms: "don't stop others from progressing forward")

I believe you meant "layman's terms"


√-1 2^3 ∑ π, and it was delicious!


Unless you're VERY knowledgeable about what each and every program is and why it's running on your computer, stopping running programs that you don't want running will (at best) stop something from working on your computer, or (at worst) cause it to crash Windows.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


#10 ·  Posted (edited)

I believe you meant "layman's terms"

Thanks, I was really tired when I posted it.

Unless you're VERY knowledgeable about what each and every program is and why it's running on your computer, stopping running programs that you don't want running will (at best) stop something from working on your computer, or (at worst) cause it to crash Windows.

This is true, and a risk of using a program like this. Again, it can be done.

Since mostly everyone's attitude on this is "the glass is half empty", I will take this on!

AutoIt used to be really helpful to people, and I have seen it has gone down a different path lately.

Edited by Kendall


tylerh27

Already done!!! This is great. I was thinking exactly how this one works. "Runs every 3 seconds" and reads the whitelist from a text document.

To all of you non-believers :laser:


You have a lousy attitude Kendall. Plus you've insulted the users here with the things you posted, you might want to temper that a little bit if you ever expect to ask for help in the future.




You have a lousy attitude Kendall. Plus you've insulted the users here with the things you posted, you might want to temper that a little bit if you ever expect to ask for help in the future.

Thanks for your opinion on my attitude. I may be a bit "brash" sometimes. My attitude comes from everyone else's attitude toward things that can be done.

"Plus you've insulted the users here with the things you posted, you might want to temper that a little bit if you ever expect to ask for help in the future."

I don't think you should speak for others.

And I'm not worried about getting help from others, as this is your opinion on the matter. I have been around for a while and have no fear of that changing.

The AutoIt forum is here to help people. Let's all stick to that.


AutoIt used to be really helpful to people, and I have seen it has gone down a different path lately.

I'm not going to feed your flame war other than to say, I never said I spoke for anyone but myself. But with the way you tarred the users of this forum with such a wide brush by saying that the users of this forum are not helpful, and 3 posts before this is the answer to your request disproving that assertion, I (and probably others) will probably take a dim view of that inference.




Meh... of course it can be done... really, anything can be done. What it comes down to is how flexible it can be.

For example... there are a TON of viruses/trojans that mimic process names that already exist on your system. Let's take svchost.exe for example. In my processes, I'm running about 5 of them.

You can attempt to filter them by memory consumption and/or CPU usage... but that's a huge bust... too many mistakes could happen and you could kill a real system process.

If a program like this would be used strictly for people who know a thing or two about the inner workings of programs and computers, utilizing a white-list type approach would work. Now if you intend to use this for an office setting or distributing it to the public, you'll have your hands full with questions from office users and disgruntled customers of the product.



“Hello, ladies, look at your man, now back to me, now back at your man, now back to me. Sadly, he isn’t me, but if he stopped using ladies scented body wash and switched to Old Spice, he could smell like he’s me. Look down, back up, where are you? You’re on a boat with the man your man could smell like. What’s in your hand, back at me. I have it, it’s an oyster with two tickets to that thing you love. Look again, the tickets are now diamonds. Anything is possible when your man smells like Old Spice and not a lady. I’m on a horse.”


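The allow-list suggested in #6 and the svchost.exe look-alike problem raised in the post just above, as an added example written for this edit (Python rather than AutoIt, and not code from anyone in this thread). The allow-list file, the process snapshot and the protected-process set are constructed; the point is that the list is keyed on the full, normalised image path rather than the image name, and that a handful of core Windows processes are never candidates for termination, which also covers the "crash Windows" caveat raised earlier.

```python
"""Allow-list check for running processes, keyed on the full image path.

Added example for this thread (not code from the thread). The allow-list
text, the process snapshot and the protected-process set below are all
constructed; a real tool would fill the snapshot from a live process list
on each polling pass.
"""
from dataclasses import dataclass
import ntpath

# Constructed allow-list file: one full image path per line, '#' starts a comment.
ALLOWLIST_TEXT = """
# core Windows binaries
C:\\Windows\\System32\\svchost.exe
C:\\Windows\\explorer.exe
# tooling the owner wants running
C:\\Program Files\\AutoIt3\\AutoIt3.exe
"""

# Core Windows processes a kill-everything-else tool must never touch:
# terminating these breaks the session or crashes Windows, list or no list.
PROTECTED = {"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
             "services.exe", "lsass.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str   # image name as shown by Task Manager
    path: str   # full image path, or "" when it could not be read (access denied)


def norm(path: str) -> str:
    """Normalise a Windows path for comparison: collapse '..', fold case."""
    return ntpath.normpath(path).casefold()


def parse_allowlist(text: str) -> dict[str, set[str]]:
    """Map lower-cased image name -> set of normalised full paths allowed for it."""
    allowed: dict[str, set[str]] = {}
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        full = norm(entry)
        allowed.setdefault(ntpath.basename(full), set()).add(full)
    return allowed


def classify(proc: Proc, allowed: dict[str, set[str]]) -> str:
    """Decide what the monitor should do with one process.

    Returns one of:
      protected    - core Windows process, never acted on
      allowed      - name and full path both match an allow-list entry
      masquerade   - allow-listed name running from an unexpected location
      unverifiable - allow-listed name but no path available to compare
      unknown      - not on the list at all
    Only 'unknown' and 'masquerade' are candidates for termination, and
    'masquerade' is exactly the case a name-only list would silently accept.
    """
    name = proc.name.casefold()
    if name in PROTECTED:
        return "protected"
    paths = allowed.get(name)
    if paths is None:
        return "unknown"
    if not proc.path:
        return "unverifiable"
    return "allowed" if norm(proc.path) in paths else "masquerade"


def scan(snapshot: list, allowed: dict) -> dict:
    """Classify every process in a snapshot; returns pid -> verdict."""
    return {p.pid: classify(p, allowed) for p in snapshot}


# Constructed snapshot: several legitimate svchost.exe instances (with case
# and '..' variations in the path) plus a same-named binary in a user folder.
SNAPSHOT = [
    Proc(4, "System", ""),
    Proc(612, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    Proc(880, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(1032, "SVCHOST.EXE", "C:\\WINDOWS\\SYSTEM32\\svchost.exe"),
    Proc(1404, "svchost.exe", "C:\\Windows\\System32\\..\\System32\\svchost.exe"),
    Proc(2260, "svchost.exe", "C:\\Users\\Public\\svchost.exe"),
    Proc(2788, "explorer.exe", ""),
    Proc(3100, "AutoIt3.exe", "C:\\Program Files\\AutoIt3\\AutoIt3.exe"),
    Proc(3344, "updater.exe", "C:\\Users\\Public\\updater.exe"),
]

if __name__ == "__main__":
    for pid, verdict in scan(SNAPSHOT, parse_allowlist(ALLOWLIST_TEXT)).items():
        print(f"{pid:>5}  {verdict}")
```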

#16 ·  Posted (edited)

So I came back because I remembered I had once attempted to do something like what the OP described, but as you should know, I really have no idea what the bloody fuck I should be doing in order to do this correctly, so I let my subconscious mind take me wherever it wanted one day and it led me to put this together, which was not a very successful outcome I guess....... (.____.)

Anyway, I had posted it and people started rating it real low so I abandoned it.

Here it is in one single script as well.

#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#include-once

Global Const $hKERNEL32 = DllOpen("kernel32.dll")
Global Const $hWINTRST = DllOpen("Wintrust.dll")


;~     One thing to take note of about the way this script works is that if you are scanning a dev tool or script
;~     interpreter like AutoIt for example, it will likely be flagged as a hack tool, I do not have enough
;~     experience to come up with a more accurate manner to flag files. This is simply building a low grade
;~     stereotype profile based on the imported functions a file has, but I have found that executable packers
;~     usually have one major thing in common, an attempt to hide imported functions while leaving behind two
;~     through six main API functions located in kernel32.dll which are typically used by the packer stub added
;~     to the compressed file, I'm not saying this is 100% or even 50% accurate, I don't know, but it has worked
;~     on a lot of different packed PE files even if they do not have the section header name signatures present.

;~     Just try it out and lets see what we get ;)


Global $hFile = FileOpenDialog("", "", "All(*.*)")
Global $Return = _GetProbability($hFile)
ConsoleWrite("     1> Return ---- : " & $Return & @CR & _      ; String return value in human readable for telling to what it probably is
             "     2> @Error ---- : " & @error & @CR & _         ; Error level duh
             "     3> @Extended - : " & @extended & @CR & @CR) ; You can probably consider this a probability value, although it's very flawed

;~ If you want to adapt the return value into scriptable format (I.E., instead of returning description strings), change it
;~ yourself in the UDF....

; #FUNCTION# ====================================================================================================================
; Name ..........: _GetProbability
; Description ...: Checks for the stereotypical file association based on imported functions and section names.
; Syntax ........: _GetProbability($File)
; Parameters ....: $File                - A string containing the file location.
; Return values .: String containing the file description based on a stereotypical API import analysis and sets the @Extended
;                        macro to the amount of hits made searching for the stereotype.
;                        If errors occur, the error level is set to either 1 or 2.
;                    @Error
;                        1 - File not Found
;                        2 - both calls to _PEInfo() failed.
; Author ........: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks
; Modified ......:
; Remarks .......: The
; Related .......: None
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================

Func _GetProbability($File)
    If Not FileExists($File) Then Return SetError(1, 0, 0)

    Local $API_IMP = True
    Local $SEC_NME = True
    Local $Packer = False
    Local $Strikes = 0
    Local $Probability = 0

    ; A lot of legit applications can/will get
    ; flagged in the checks below, and some apps
    ; even have a shi** ton of imports, so we will
    ; attempt to skip some apps that are digitally
    ; signed to avoid wasting time since we're not a real av anyway
    Wintrust($File)
    If Not @error Then
        ; check if the PE is signed
        ; only third part PEs work here
        ; Microsoft PEs don't work
        $API_IMP = False
        $SEC_NME = False
        $Packer = "SIGNED APPLICATION"
        $Probability += 10
        ; If it has a valid signature, then maybe it's a trustworthy PE
    Else
        ; If the ass hole who made it didn't sign it, then
        ; its probably modified or the maker didn't bother to
        ; fork out the cash for a cert, commence our
        ; noob level investigation using code developed
        ; by the hyper intelligent alien hybrid aka trancexx :D
        Local $HeaderSections = _PEInfo($File, 1)
        If @error Then $SEC_NME = False

        Local $Imports = _PEInfo($File)
        If @error Then $API_IMP = False

        If Not $API_IMP And Not $SEC_NME Then Return SetError(2, 0, 0)
    EndIf

    If $SEC_NME Then
        For $X = 1 To UBound($HeaderSections) - 1
            ;MsgBox(0, "Section Names", $HeaderSections[$X])
            Select
                Case StringInStr($HeaderSections[$X], "upx", 2)
                    $Packer = "UPX"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "XCompw", 2)
                    $Packer = "XCompw"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "XPackw", 2)
                    $Packer = "XPackw"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "BJFnt", 2)
                    $Packer = "BJFnt"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "PELOCKnt", 2)
                    $Packer = "PELOCKnt"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "PCGW32", 2)
                    $Packer = "PCGW32"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "wwpack", 2)
                    $Packer = "wwpack"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "RLPack", 2)
                    $Packer = "RLPack"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "exe32pack", 2)
                    $Packer = "exe32pack"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "ASPack", 2)
                    $Packer = "ASPack"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "PECompact", 2)
                    $Packer = "PECompact"
                    $Probability += 1

                Case StringInStr($HeaderSections[$X], "MPress", 2)
                    $Packer = "MPress"
                    $Probability += 1
            EndSelect
        Next
    EndIf

    If $API_IMP Then

        Local $Ubound

        For $X = 0 To UBound($Imports) - 1
            ; telock has an option to add a bunch of fake compressor signatures
            ; but the bastard who created it didn't count on being able to detect it based on its imports
            ; which are ALWAYS GetModuleHandleA from kernel32 and MessageBoxA from user32
            ; which appears to be unique compared to all the others I've fiddled with
            If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "user32.dll", 2) Then
                ; Only fall through if we're in the kernel32 and user32 imports are of the array
                If $Imports[$X][1][0] < 2 Then
                    ; telock seems to be very good at always hiding all imports
                    ; In this area, we will only fall through if there is only one imported function from
                    ; either kernel32 or user32, if it has more then this is not telock
                    If StringInStr($Imports[$X][1][1], "GetModuleHandleA", 2) Or StringInStr($Imports[$X][1][1], "MessageBoxA", 2) Then
                        ; In telock. the imports are always the first in the array so we don't need to go through everything in it at this point
                        $Strikes += 1
                        $Probability += 1
                        If $Strikes > 1 And Not $Packer Then
                            $Packer = "telock"
                        EndIf
                    EndIf
                EndIf
            EndIf
        Next

        If Not $Probability Then
            ; If nothing has been detected, then let's see if it's packed with WInUpackE
            ; based on its stub's imports.
            $Ubound = UBound($Imports)
            ; If it has more imported functions from more than
            ; 4 modules, this is most likely not WInUpackE packed.
            For $X = 1 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                    ; Again, we're only interested in the imported functions from kernel32
                    If $Imports[$X][1][0] < 3 Then
                        ; Fall through only if there are less than 3 imports from kernel32
                        ; and check if they match the ones from a version of WInUpackE
                        For $Z = 1 To UBound($Imports, 3) - 1
                            If StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Or StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Then
                                ; the two main imports of this bastard seem to be here
                                ; not even procexplorer detects this type of packed PE
                                ; but again take note that unpacked files may/will get
                                ; caught in this function and the ones below...
                                $Strikes += 1
                                $Probability += 3
                                If $Strikes < 2 And Not $Packer Then
                                    $Packer = "WInUpackE"
                                EndIf
                            EndIf
                        Next
                    EndIf

                EndIf
            Next

        EndIf

        If Not $Packer Then
            $Strikes = 0
            ; This is where I get really desperate and attempt to see if I
            ; can get enough hits to determine if it's packed, read on...
            $Ubound = UBound($Imports)
            If $Ubound < 15 And (FileGetSize($File) / 1024) > 4.50 Then
                ; Looking good, if we get here that means not too many modules are used and
                ; the file is larger than 4.50 Kb, possibly meaning we are dealing with a stub
                ; that is unpacking the original PE file and hiding its imports.
                For $X = 1 To $Ubound - 1
                    If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                        ;Again, only interested in imports from kernel32
                        If $Imports[$X][1][0] > 1 And $Imports[$X][1][0] < 7 Then
                            ; Falling through this area means the file may possibly be packed
                            ; and originally imported functions may be masked by the packer
                            ; which is using only some basic API necessary to run the packed PE
                            For $Z = 1 To UBound($Imports, 3) - 1
                                If StringInStr($Imports[$X][1][$Z], "GetModuleHandleA", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualProtect", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualAlloc", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualFree", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Then

                                    $Strikes += 1
                                    $Probability += 3
                                    If $Strikes > 2 And Not $Packer Then
                                        ; Getting here after having very few kernel32 imports must mean this
                                        ; file is packed, why else would such few imports be these functions
                                        ; if not a packer stub???
                                        $Packer = "PACKED"
                                    ElseIf $Strikes > 2 And $Packer Then
                                        $Probability -= 2
                                    EndIf
                                EndIf
                            Next
                        EndIf
                    EndIf
                Next
            EndIf
        EndIf

        If Not $Packer Then
            ; Then lets search for a UPX packed PE if someone removed it's header signature
            $Strikes = 0
            $Probability = 0
            $Ubound = UBound($Imports)
            If $Ubound < 20 Then
                ; UPX doesn't seem to hide all the imported functions like most other packers
                For $X = 1 To $Ubound - 1
                    If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                        ;Again, only interested in imports from kernel32, because UPX does seem to hide at least
                        ; the imports from kernel32 and not others for some reason
                        If (UBound($Imports, 3) - 1) > 5 And (UBound($Imports, 3) - 1) < 10 Then
                            ; Falling through this area means the file may possibly be packed
                            ; and originally imported functions may be masked by the packer
                            ; which is using only some basic API necessary to run the packed PE
                            For $Z = 1 To UBound($Imports, 3) - 1
                                If StringInStr($Imports[$X][1][$Z], "GetModuleHandleA", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualProtect", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualAlloc", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualFree", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Then

                                    $Strikes += 1
                                    $Probability += 3
                                    If $Strikes > 2 And Not $Packer Then
                                        ; Getting here after having very few kernel32 imports must mean this
                                        ; file is packed, why else would such few imports be these functions
                                        ; if not a packer stub???
                                        $Packer = "UPX"
                                    ElseIf $Strikes > 2 And $Packer Then
                                        $Probability -= 2
                                    EndIf
                                EndIf
                            Next
                        EndIf
                    EndIf
                Next
            EndIf
        EndIf

        If Not $Packer And Not $Probability Then
            ; Nothing detected, lets see if this is some kind of dev tool, script interpreter, hacktool or debugger etc
            $Ubound = UBound($Imports)
            For $X = 1 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                    For $Z = 1 To UBound($Imports, 3) - 1
                        If StringInStr($Imports[$X][1][$Z], "OpenProcess", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "ReadProcessMemory", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "EnterCriticalSection", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetCurrentThreadId", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "SetThreadContext", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "VirtualAllocEx", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "WriteProcessMemory", 2) Then
                            $Strikes += 1
                            $Probability += 1
                            If $Strikes > 4 Then
                                $Packer = "HACK TOOL"
                            EndIf
                        EndIf
                    Next
                EndIf
            Next
        EndIf

        If Not $Packer And (FileGetSize($File) / 1024) < 50 Then
            $Probability = 0
            $Ubound = UBound($Imports)
            For $X = 0 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "user32.dll", 2) Then

                    For $Z = 1 To UBound($Imports, 3) - 1
                        If StringInStr($Imports[$X][1][$Z], "SetWindowsHook", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetWindowThreadProcessId", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetWindowTextA", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetKeyboardState", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetKeyState", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetModuleFileNameA", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetUserName", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "CreateToolhelp32Snapshot", 2) Then
                            $Strikes += 1
                            $Probability += 1
                            If $Strikes > 5 Then
                                ; we have ourselves a keylogger :D
                                ; or possibly a game of some kind
                                $Packer = "KEYLOGGER"
                            EndIf
                        EndIf
                    Next
                EndIf
            Next
        EndIf
    EndIf

    If Not $Packer And $Probability < 2 Then
        $Strikes = 0
        ; Nothing detected again, lets see if this is some kind of possibly malicious application
        ; or is just capable of being malicious..
        $Ubound = UBound($Imports)
        For $X = 0 To $Ubound - 1
            If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "advapi32.dll", 2) Then
                ; this time we will even check imports from advapi32.dll along with the kernel32 imports
                For $Z = 1 To UBound($Imports, 3) - 1
                    If StringInStr($Imports[$X][1][$Z], "DeleteCriticalSection", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "EnterCriticalSection", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetCurrentThreadId", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "TerminateProcess", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "CreateToolhelp32Snapshot", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "SetFileTime", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetFileAttributes", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "TerminateThread", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "DeviceIoControl", 2) Or _ ; DeviceIoControl is a kernel32 export; below are the advapi32 functions
                            StringInStr($Imports[$X][1][$Z], "OpenProcessToken", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "LookupPrivilegeValue", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "OpenThreadToken", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "OpenSCManager", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "SetSecurityDescriptorDacl", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetTokenInformation", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetSecurityDescriptorDacl", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetAclInformation", 2) Then
                        ;MsgBox(0, "$Imports[$X][1][$Z]", $Imports[$X][1][$Z])
                        $Strikes += 1
                        $Probability += 1
                        If $Strikes > 4 Then
                            ; If the ass hole who made it didn't sign it, then
                            ; its probably modified or the maker didn't bother to
                            ; fork out the cash for a cert
                            $Packer = "POSSIBLY MALICIOUS"
                        EndIf
                    EndIf
                Next
            EndIf
        Next
    EndIf

    Return SetError(-1, $Probability, $Packer)
EndFunc   ;==>_GetProbability

You also need the rest of the script below, too big to post it all in one tag ._.

Edited by CaptainClucks

#17 ·  Posted (edited)

This is the rest of the file you will need.

Also, take note that this will not close a process or anything like that. What it is intended to do is detect whether a certain file uses some Windows APIs that keyloggers or possibly malicious files might use. It will detect the AutoIt interpreter as a hack tool, and many other things that are not really hack tools, and some files hide their imports.

This is not accurate, but it's just a plaything I guess...

; #FUNCTION# ====================================================================================================================
; Name ..........: _PEInfo
; Description ...:
; Syntax ........: _PEInfo($sModule[, $TypeInfo = 0])
; Parameters ....: $sModule             - A string value containing the path to a PE file.
;                  $TypeInfo            - [optional] Selects which array is returned.
;                                                0 (default) returns a 3-dimensional array of imported functions found.
;                                                    $Imports[0][0][0] - total number of named imports found
;                                                    $Imports[n][0][0] - name of module n
;                                                    $Imports[n][1][0] - number of named imports from module n
;                                                    $Imports[n][1][m] - name of the m-th function imported from module n
;                                                1 returns a one-dimensional array of section header names.
;                                                        Element 0 holds the section count.
; Return values .: An array depending on the information requested. If a failure occurred, @error is
;                        set to a positive value; check @error before using the array to avoid an AutoIt error.
; Author ........: Trancexx
; Modified ......: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks
; Remarks .......: This is Trancexx's work, originally taken from IATManipulate.au3; I just took out what I needed for this script.
; Related .......:
; Link ..........: http://www.autoitscript.com/forum/topic/85618-reshacker-project/page__view__findpost__p__724332
; Example .......: Depends on you.
; ===============================================================================================================================

Func _PEInfo($sModule, $TypeInfo = 0)

    DllCall($hKERNEL32, "dword", "SetErrorMode", "dword", 1) ; SEM_FAILCRITICALERRORS ; will handle errors

    Local $iLoaded = 0, $a_iCall ; $iLoaded is set when we loaded the module ourselves and must FreeLibrary it
    Local $a_hCall = DllCall($hKERNEL32, "hwnd", "GetModuleHandleW", "wstr", $sModule)

    If @error Then
        Return SetError(1, 0, "")
    EndIf

    Local $pPointer = $a_hCall[0]

    If Not $a_hCall[0] Then
        ; DONT_RESOLVE_DLL_REFERENCES skips DllMain and import resolution, but the untrusted image is still
        ; mapped into this process; parsing the file from disk instead would avoid touching it at all
        $a_hCall = DllCall($hKERNEL32, "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 1) ; DONT_RESOLVE_DLL_REFERENCES
        If @error Or Not $a_hCall[0] Then
            $a_hCall = DllCall($hKERNEL32, "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 34) ; LOAD_LIBRARY_AS_IMAGE_RESOURCE|LOAD_LIBRARY_AS_DATAFILE

            If @error Or Not $a_hCall[0] Then
                Return SetError(2, 0, "")
            EndIf
            $iLoaded = 1
            $pPointer = $a_hCall[0] - 1
        Else
            $iLoaded = 1
            $pPointer = $a_hCall[0]
        EndIf

    EndIf

    Local $hModule = $a_hCall[0]

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)

    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")

    If Not ($sMagic == "MZ") Then
        If $iLoaded Then
            $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return SetError(3, 0, "")
    EndIf

    Local $iAddressOfNewExeHeader = DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")

    $pPointer += $iAddressOfNewExeHeader ; start of PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer) ; IMAGE_NT_SIGNATURE = 17744

    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then
        If $iLoaded Then
            $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return SetError(4, 0, "")
    EndIf

    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)

    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")

    If $iMagic <> 267 Then
        If $iLoaded Then
            $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return SetError(0, 1, 1) ; not a 32-bit image (Magic 0x20B is PE32+); the structures above are laid out for PE32 only, @extended = 1 flags it
    EndIf

    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER structure

    Switch $TypeInfo
        Case 0
            Local $i, $j, $k, $MaxLen = 0, $MaxLenOld = 0
            Local $IMFA[1][1][1]

            $pPointer += 8

            ; Import Directory
            Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
                    "dword Size", _
                    $pPointer)

            ; Virtual address of IAT
            Local $iImportDirectoryVirtAddress = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress")

            If $iImportDirectoryVirtAddress And DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "Size") Then ; if valid

                Local $tIMAGE_IMPORT_MODULE_DIRECTORY

                Local $iOffset, $iOffset2, $tModuleName, $iBufferOffset, $sModuleName, $iInitialOffset, $tBufferOffset, $tBuffer, $sFunctionName

                ;Local $iModuleNameOffset
                ;Local $iModuleNameLength ; for modules
                ;Local $iFunctionNameOffset, $iFunctionNameLength ; for functions

                While 1

                    $i += 1

                    $tIMAGE_IMPORT_MODULE_DIRECTORY = DllStructCreate("dword RVAOriginalFirstThunk;" & _ ; actually union
                            "dword TimeDateStamp;" & _
                            "dword ForwarderChain;" & _
                            "dword RVAModuleName;" & _
                            "dword RVAFirstThunk", _
                            DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress") + $iOffset)

                    If Not DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") Then ; the end
                        ExitLoop
                    EndIf

                    If DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") Then
                        $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk")
                    Else
                        $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk")
                    EndIf

                    $tModuleName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName"))
                    $sModuleName = DllStructGetData($tModuleName, 1)

                    ; Two important info I collect now
                    ; Get offset of the name of the module which holds the functions.
                    ;$iModuleNameOffset = DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName")
                    ; Get length of the module name
                    ;$iModuleNameLength = StringLen($sModuleName)

                    ReDim $IMFA[$i + 1][2][UBound($IMFA, 3) + 1]
                    $IMFA[$i][0][0] = $sModuleName

                    $iOffset2 = 0
                    $j = 0

                    While 1

                        $j += 1
                        $tBufferOffset = DllStructCreate("dword", $iInitialOffset + $iOffset2)

                        $iBufferOffset = DllStructGetData($tBufferOffset, 1)
                        If Not $iBufferOffset Then ; zero value is the end
                            ExitLoop
                        EndIf

                        If BitShift($iBufferOffset, 24) Then ; MSB is set for imports by ordinal, otherwise not
                            ;MsgBox(0,"Ordinal ", BitAND($iBufferOffset, 0xFFFFFF)) ; the rest is ordinal value
                            ; But we skip this because we're no looking for this shit
                            $iOffset2 += 4 ; size of $tBufferOffset
                            ContinueLoop

                        EndIf
                        ;$j += 1
                        $tBuffer = DllStructCreate("ushort Ordinal; char Name[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + $iBufferOffset)

                        ; Get name of that funcrion
                        $sFunctionName = DllStructGetData($tBuffer, "Name")

                        ; Two more important info
                        ; Get offset of the function. 2 is size of "ushort Ordinal" from above
                        ;$iFunctionNameOffset = $iBufferOffset + 2 - DllStructGetPtr($tIMAGE_DOS_HEADER) ;<- this!
                        ; Get length of the function name
                        ;$iFunctionNameLength = StringLen($sFunctionName) ;<- and this!

                        $MaxLenOld = $j

                        If $MaxLenOld > $MaxLen Then
                            $MaxLen = $MaxLenOld + 1
                        EndIf

                        ReDim $IMFA[UBound($IMFA) + 1][2][$MaxLen + 1]
                        $IMFA[$i][1][$j] = $sFunctionName
                        ConsoleWrite($IMFA[$i][0][0] & " > " & $sFunctionName & @CR)

                        ; Move pointer
                        $iOffset2 += 4 ; size of $tBufferOffset

                    WEnd

                    $IMFA[$i][1][0] = $j - 1
                    $k += $j - 1


                    $iOffset += 20 ; size of $tIMAGE_IMPORT_MODULE_DIRECTORY

                WEnd

                ReDim $IMFA[UBound($IMFA, 1)][2][$MaxLen + 1]
                $IMFA[0][0][0] = $k

            EndIf
        Case 1

            Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _
                    "ushort NumberOfSections;" & _
                    "dword TimeDateStamp;" & _
                    "dword PointerToSymbolTable;" & _
                    "dword NumberOfSymbols;" & _
                    "ushort SizeOfOptionalHeader;" & _
                    "ushort Characteristics", _
                    $pPointer - (20 + 96)) ; step back over the 96-byte optional header and the 20-byte file header to land on IMAGE_FILE_HEADER


            Local $iAddressOfEntryPoint = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint")
            Local $Sections[1]

            Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections")

            ReDim $Sections[$iNumberOfSections + 1]
            $Sections[0] = $iNumberOfSections

            $pPointer += 8

;~              Resources Directory
;~             Local $tIMAGE_DIRECTORY_ENTRY_RES = DllStructCreate("dword VirtualAddress;" & _
;~                     "dword Size", _
;~                     $pPointer)

;~              Virtual address of resources table
;~             Local $iResDirectoryVirtAddress = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_RES, "VirtualAddress")

            $pPointer += 120 ; skip the remaining 15 data directories (16 entries of 8 bytes in all) to reach the section table

            Local $tIMAGE_SECTION_HEADER
            Local $iVirtualAddress
            Local $iVirtualSize
            Local $sItemText

            For $i = 0 To $iNumberOfSections - 1

                $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _
                        "dword VirtualSize;" & _ ; union actually
                        "dword VirtualAddress;" & _
                        "dword SizeOfRawData;" & _
                        "dword PointerToRawData;" & _
                        "dword PointerToRelocations;" & _
                        "dword PointerToLinenumbers;" & _
                        "ushort NumberOfRelocations;" & _
                        "ushort NumberOfLinenumbers;" & _
                        "dword Characteristics", _
                        $pPointer)

                ; Get virtual address
                $iVirtualAddress = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress")
                ; Get virtual size
                $iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualSize")

                ; Find which section holds the entry point (Digisoul); the "(entry point)" tag is commented out below, so only the section name is returned
                If ($iVirtualAddress <= $iAddressOfEntryPoint) And $iAddressOfEntryPoint < ($iVirtualAddress + $iVirtualSize) Then
                    $sItemText = DllStructGetData($tIMAGE_SECTION_HEADER, "Name"); & "    (entry point)"
                Else
                    $sItemText = DllStructGetData($tIMAGE_SECTION_HEADER, "Name")
                EndIf

;~                 Find resources
;~                 If ($iVirtualAddress <= $iResDirectoryVirtAddress) And $iResDirectoryVirtAddress < ($iVirtualAddress + $iVirtualSize) Then
;~                     $sItemText &= "    (resources)"
;~                 EndIf
;~
;~                 DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData");  bytes
;~                 Ptr(DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData"))
;~                 Ptr($iVirtualAddress)
;~                 DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations")

                ; Move pointer
                $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure
                $Sections[$i + 1] = $sItemText

            Next
            $IMFA = $Sections
    EndSwitch

    ; Free module
    If $iLoaded Then
        $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
        If @error Or Not $a_iCall[0] Then
            Return SetError(6, 0, "")
        EndIf
    EndIf


    Return SetError(0, 0, $IMFA)

EndFunc   ;==>_PEInfo

; #FUNCTION# ====================================================================================================================
; Name ..........: Wintrust
; Description ...: Validates a PE file's Authenticode (digital) signature via WinVerifyTrust
; Syntax ........: Wintrust($SourceFile)
; Parameters ....: $SourceFile          - String file path.
; Return values .: Customized for this script, if it has a valid and trusted signature, returns true, else error is
;                        set to a positive value.
; Author ........: Prog@ndy
; Modified ......: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks
; Remarks .......: You can find the original unmodified version of this script at the below link
; Related .......:
; Link ..........: http://www.autoit.de/index.php?page=Thread&postID=68477#post68477
; Example .......: No
; ===============================================================================================================================

Func Wintrust($SourceFile)
    #cs
        Please take note that this only works for
        3rd-party signed software! You cannot verify
        native Microsoft applications using this code
        for reasons unknown to me.

        I do not know who created this as I found it
        by googling (site:autoitscript.com wintrust.dll).
        This code came up in an attachment and I could not
        locate the post where this code was attached...

        Code is slightly modified to suit this script!

        Edit: I believe this may be made by Pr@gandy
        after more research.

        Edit2: Confirmed, this was made by the above user.
    #ce

    Local Const $WTD_UI_NONE = 2 ; never show a trust dialog
    Local Const $WTD_REVOKE_NONE = 0 ; no CRL/OCSP revocation check at all; 1 (WTD_REVOKE_WHOLECHAIN) would check the whole chain
    Local Const $WTD_CHOICE_FILE = 1 ; only an embedded Authenticode signature is examined; catalog-signed files
    ;                                  (most Windows OS binaries) need WTD_CHOICE_CATALOG and come back as TRUST_E_NOSIGNATURE here
    Local Const $WTD_SAFER_FLAG = 0x00000100
    Local Const $TRUST_E_PROVIDER_UNKNOWN = 0x800B0001
    Local Const $TRUST_E_SUBJECT_FORM_UNKNOWN = 0x800B0003
    Local Const $TRUST_E_SUBJECT_NOT_TRUSTED = 0x800B0004
    Local Const $TRUST_E_NOSIGNATURE = 0x800B0100
    Local Const $TRUST_E_EXPLICIT_DISTRUST = 0x800B0111
    Local Const $CRYPT_E_SECURITY_SETTINGS = 0x80092026

    Local Const $tagWINTRUST_FILE_INFO = "DWORD cbStruct;" & _
            "ptr pcwszFilePath;" & _
            "HWND hFile;" & _
            "ptr  pgKnownSubject;"

    Local Const $tagWINTRUST_DATA = "DWORD cbStruct;" & _
            "ptr   pPolicyCallbackData;" & _
            "ptr   pSIPClientData;" & _
            "DWORD dwUIChoice;" & _
            "DWORD fdwRevocationChecks;" & _
            "DWORD dwUnionChoice;" & _
            "ptr   pInfoStruct;" & _
            "DWORD dwStateAction;" & _
            "HWND  hWVTStateData;" & _
            "ptr   pwszURLReference;" & _
            "DWORD dwProvFlags;" & _
            "DWORD dwUIContext;"

    Local Const $WINTRUST_ACTION_GENERIC_VERIFY_V2 = _GUIDStruct("{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}")

    Local $pGUID = DllStructGetPtr($WINTRUST_ACTION_GENERIC_VERIFY_V2)
    Local $WINTRUST_FILE_INFO = DllStructCreate($tagWINTRUST_FILE_INFO)
    DllStructSetData($WINTRUST_FILE_INFO, 1, DllStructGetSize($WINTRUST_FILE_INFO))
    Local $wszSourceFile = DllStructCreate("wchar[" & StringLen($SourceFile) + 1 & "]")
    DllStructSetData($wszSourceFile, 1, $SourceFile)
    DllStructSetData($WINTRUST_FILE_INFO, "pcwszFilePath", DllStructGetPtr($wszSourceFile))
    Local $WINTRUST_DATA = DllStructCreate($tagWINTRUST_DATA)
    Local $pWINTRUST_DATA = DllStructGetPtr($WINTRUST_DATA)
    DllStructSetData($WINTRUST_DATA, 1, DllStructGetSize($WINTRUST_DATA))
    DllStructSetData($WINTRUST_DATA, "pPolicyCallbackData", 0)
    DllStructSetData($WINTRUST_DATA, "pSIPClientData", 0)
    DllStructSetData($WINTRUST_DATA, "dwUIChoice", $WTD_UI_NONE)
    DllStructSetData($WINTRUST_DATA, "fdwRevocationChecks", $WTD_REVOKE_NONE)
    DllStructSetData($WINTRUST_DATA, "dwUnionChoice", $WTD_CHOICE_FILE)
    DllStructSetData($WINTRUST_DATA, "dwStateAction", 0)
    DllStructSetData($WINTRUST_DATA, "hWVTStateData", 0)
    DllStructSetData($WINTRUST_DATA, "pwszURLReference", 0)
    DllStructSetData($WINTRUST_DATA, "dwProvFlags", $WTD_SAFER_FLAG)
    DllStructSetData($WINTRUST_DATA, "dwUIContext", 0)
    DllStructSetData($WINTRUST_DATA, "pInfoStruct", DllStructGetPtr($WINTRUST_FILE_INFO))

    Local $LStatus = DllCall($hWINTRST, "long", "WinVerifyTrust", _
            "hWnd", 0, _
            "ptr", $pGUID, _
            "ptr", $pWINTRUST_DATA _
            )
    If Not @error Then
        $LStatus = $LStatus[0]
    Else
        $LStatus = -1
    EndIf

    Switch $LStatus
        Case 0 ; ERROR_SUCCESS
            Return SetError(0, 0, "Verified")
        Case $TRUST_E_NOSIGNATURE
            ; Get the reason for no signature.
            Local $dwLastError = DllCall($hKERNEL32, "dword", "GetLastError")
            $dwLastError = $dwLastError[0]
            If ($TRUST_E_NOSIGNATURE == $dwLastError Or $TRUST_E_SUBJECT_FORM_UNKNOWN == $dwLastError Or $TRUST_E_PROVIDER_UNKNOWN == $dwLastError) Then
                ; The file was not signed.
                Return SetError(1, 0, "Not Signed")
            Else
                ; The signature was not valid or there was an error
                ; opening the file.
                Return SetError(1, 0, "Unable to verify")
            EndIf
        Case $TRUST_E_EXPLICIT_DISTRUST
            ; The hash that represents the subject or the publisher
            ; is not allowed by the admin or user.
            Return SetError(1, 0, "Not Trusted")

        Case $TRUST_E_SUBJECT_NOT_TRUSTED
            ; The user clicked "No" when asked to install and run.
            Return SetError(1, 0, "Not Trusted")

        Case $CRYPT_E_SECURITY_SETTINGS
            #CS
                The hash that represents the subject or the publisher
                was not explicitly trusted by the admin and the
                admin policy has disabled user trust. No signature,
                publisher or time stamp errors.
            #CE
            Return SetError(1, 0, "Not Trusted")
        Case -1
            Return SetError(1, 0, "Unable to verify")

        Case Else
            ; The UI was disabled in dwUIChoice or the admin policy
            ; has disabled user trust. lStatus contains the
            ; publisher or time stamp chain error.
            Return SetError(1, 0, "Unable to verify")
    EndSwitch
    Return SetError(1, 0, "Unable to verify")
EndFunc   ;==>Wintrust

Func _GUIDStruct($IID)
    ; Turn "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" into a GUID struct usable as the pgActionID for WinVerifyTrust
    $IID = StringSplit(StringRegExpReplace($IID, "[{}]", ""), "-")
    If $IID[0] <> 5 Then Return SetError(1, 0, 0) ; a GUID always has exactly five hyphen-separated groups
    Local $GUID = DllStructCreate("DWORD Data1; ushort Data2; ushort Data3; BYTE Data4[8];")
    DllStructSetData($GUID, 1, Dec($IID[1]))
    DllStructSetData($GUID, 2, Dec($IID[2]))
    DllStructSetData($GUID, 3, Dec($IID[3]))
    DllStructSetData($GUID, 4, Binary("0x" & $IID[4] & $IID[5])) ; the last two groups are the eight Data4 bytes, in order
    Return $GUID
EndFunc   ;==>_GUIDStruct
Edited by CaptainClucks

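The two functions above parse the import table by mapping the file with LoadLibraryEx and then count suspicious kernel32/advapi32 imports. As an added example, not code from CaptainClucks or Trancexx, here is the same idea in Python working on the raw bytes of the file, so an untrusted executable is never mapped into the scanner's address space: it walks the section table to turn RVAs into file offsets, handles imports by ordinal, and reports a binary whose only named imports are LoadLibrary/GetProcAddress as having hidden imports (the "some files hide their imports" case from the post). The SUSPICIOUS table repeats the kernel32/advapi32 names from the _GetProbability snippet; the category labels, the RUNTIME_RESOLVERS check, the verdict strings and the two sample import sets are this example's own constructions, and the sample PEs are built in memory with no code section.

```python
# Added example, not code from the thread: a PE32 import walker over raw bytes plus a strike counter in the
# spirit of the thread's _GetProbability. The two sample PEs are constructed in memory for the demo.
import struct
SECTION_RVA, SECTION_FILE_OFF = 0x1000, 0x200          # where each sample's single .idata section lands
# kernel32/advapi32 names the forum script counts as strikes, grouped by what they enable (labels are mine)
SUSPICIOUS = {
    "process control": ("CreateToolhelp32Snapshot", "TerminateProcess", "TerminateThread", "DeviceIoControl"),
    "timestomp/hide": ("SetFileTime", "GetFileAttributes"),
    "token/privilege": ("OpenProcessToken", "OpenThreadToken", "LookupPrivilegeValue", "GetTokenInformation"),
    "acl/service": ("OpenSCManager", "SetSecurityDescriptorDacl", "GetSecurityDescriptorDacl", "GetAclInformation"),
}
RUNTIME_RESOLVERS = ("LoadLibrary", "GetProcAddress")  # all a packer stub needs to rebuild its IAT (my heuristic)
# constructed inputs: byte strings import by name, ints import by ordinal
SAMPLE_IMPORTS = {
    b"KERNEL32.dll": [b"CreateToolhelp32Snapshot", b"TerminateProcess", b"SetFileTime", 18],
    b"ADVAPI32.dll": [b"OpenProcessToken", b"LookupPrivilegeValueW"],
}
PACKED_IMPORTS = {b"KERNEL32.dll": [b"LoadLibraryA", b"GetProcAddress"]}


def build_sample_pe(imports):
    """Constructed PE32: headers, then one .idata section holding nothing but an import table."""
    blob = bytearray(20 * (len(imports) + 1))           # IMAGE_IMPORT_DESCRIPTORs plus the all-zero terminator
    tables = {}                                          # dll -> (INT offset, IAT offset) inside the section
    for dll, funcs in imports.items():
        tables[dll] = (len(blob), len(blob) + 4 * (len(funcs) + 1))
        blob += bytes(8 * (len(funcs) + 1))              # INT then IAT, each null-terminated
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = SECTION_RVA + len(blob)
        blob += dll + b"\0"
        for j, f in enumerate(funcs):
            if isinstance(f, int):                       # by ordinal: MSB set, ordinal in the low 16 bits
                val = 0x80000000 | f
            else:                                        # by name: RVA of IMAGE_IMPORT_BY_NAME (WORD hint + string)
                blob += b"\0" * (len(blob) & 1)
                val = SECTION_RVA + len(blob)
                blob += struct.pack("<H", 0) + f + b"\0"
            for tbl in tables[dll]:
                struct.pack_into("<I", blob, tbl + 4 * j, val)
        struct.pack_into("<IIIII", blob, 20 * i, SECTION_RVA + tables[dll][0], 0, 0, name_rva, SECTION_RVA + tables[dll][1])
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)    # e_lfanew at 0x3C points at "PE\0\0"
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section, 32-bit executable
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic (0x20B would be PE32+)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (len(imports) + 1))   # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SECTION_RVA, len(blob), SECTION_FILE_OFF, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(SECTION_FILE_OFF, b"\0") + bytes(blob)


def parse_imports(data):
    """Return [(dll, [function or '#ordinal', ...]), ...] by walking file offsets; the image is never mapped."""
    if data[:2] != b"MZ": raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("no PE signature")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                        # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B: raise ValueError("only PE32 handled, like the AutoIt structs")
    imp_rva, imp_size = struct.unpack_from("<II", data, opt + 96 + 8)
    if struct.unpack_from("<I", data, opt + 92)[0] < 2 or not (imp_rva and imp_size):
        return []                                        # no import directory at all
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]

    def rva2off(rva):                                    # the section table is what turns an RVA into a file offset
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} lies outside every section (truncated or hostile image)")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result, desc = [], rva2off(imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not name_rva: break                           # the all-zero descriptor ends the list
        funcs, thunk = [], rva2off(oft or ft)            # prefer the INT; some linkers leave it 0, then walk the IAT
        while (val := struct.unpack_from("<I", data, thunk)[0]):
            funcs.append(f"#{val & 0xFFFF}" if val & 0x80000000 else cstr(rva2off(val) + 2))
            thunk += 4
        result.append((cstr(rva2off(name_rva)), funcs))
        desc += 20
    return result


def score(imports, threshold=4):
    """Strikes are prefix matches like the AutoIt StringInStr (so A/W/Ex variants count); returns (verdict, strikes, hits)."""
    hits, named = [], []
    for dll, funcs in imports:
        for f in funcs:
            if not f.startswith("#"): named.append(f)
            if dll.lower() not in ("kernel32.dll", "advapi32.dll"): continue
            for capability, apis in SUSPICIOUS.items():
                if f.lower().startswith(tuple(a.lower() for a in apis)):
                    hits.append((capability, dll, f))
    if len(named) <= 2 and all(f.startswith(RUNTIME_RESOLVERS) for f in named):
        return "IMPORTS HIDDEN", len(hits), hits          # packed, or resolving its API by hand at run time
    return ("POSSIBLY MALICIOUS" if len(hits) > threshold else "UNREMARKABLE"), len(hits), hits


if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_IMPORTS), ("packed", PACKED_IMPORTS)):
        verdict, strikes, hits = score(parse_imports(build_sample_pe(spec)))
        print(f"{label}: {verdict}, {strikes} strikes, {[h[2] for h in hits]}")
```

As with the AutoIt original this is a triage heuristic, not a verdict: the AutoIt interpreter itself trips the strike counter, a loader that resolves APIs by hash never shows them in the import table at all, and the PE32+ case is rejected rather than parsed, exactly as the 32-bit-only structures in _PEInfo do.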

Even a dumb 'antivirus' will need to execute funcs in kernel drivers to remove corrupt/infected files. What do you say about this?


