tylerh27 Posted August 28, 2012

I got a great idea. It would be a program to detect any potentially harmful or unwanted running programs. It would find the source of that running program and remove it (basically like a virus removal). If anyone knows how to start on something like this, or would want to help on this project, I'd really appreciate it.
stormbreaker Posted August 28, 2012

Get an antivirus, man!! Your idea is pretty stupid, since it's impossible to do so (at least in AU3).
Skitty Posted August 28, 2012

> I got a great idea. It would be a program to detect any potentially harmful or unwanted running programs. It would find the source of that running program and remove it (basically like a virus removal). If anyone knows how to start on something like this, or would want to help on this project, I'd really appreciate it.

Best bet is to fund yourself a team of people who know what they're doing, set some goals and proceed to becoming a filthy rich bastard. Sounds easy, but it's far, far from it. Good luck, soldier!
wyzzard Posted August 28, 2012

I thought I had remembered seeing something similar to what you were talking about doing, in one of my many searches for something else lately.
Kendall Posted August 29, 2012

> Get an antivirus, man!! Your idea is pretty stupid, since it's impossible to do so (at least in AU3).

Nice answer, but everything is possible. You just need to look at it in different ways. The answer to this is the opposite: only allow what you want to run. This will be very restrictive, but it would work. Reality: the wheel is already invented. But why not make it better? (Lamen terms: "don't stop others from progressing forward")

The Codemonkey, http://www.BMVHDloader.com
PhoenixXL Posted August 29, 2012 (edited)

Why not create a whitelist of software for your computer and kill the unwanted processes, excluding those on that list. To monitor the processes, have a look

Edited August 29, 2012 by PhoenixXL

My code: PredictText: Predict Text of an Edit Control Like SciTE. Remote Gmail: Execute your Scripts through Gmail. StringRegExp: Share and learn RegExp. Run As System: A command line wrapper around PSEXEC.exe to execute your apps/scripts as System (LSA). Database: An easier approach for _SQLite beginners. MathsEx: A UDF for Fractions and LCM, GCF/HCF. FloatingText: A UDF to make your text floating. Clipboard Extendor: A clipboard monitoring tool. Custom ScrollBar: Scroll Bar made with GDI+, user can use bitmaps instead. RestrictEdit_SRE: Restrict text in an Edit Control through a Regular Expression.
AZJIO Posted August 29, 2012
JLogan3o13 (Moderator) Posted August 29, 2012

> Reality: the wheel is already invented. But why not make it better. ( Lamen terms: "don't stop others from progressing forward")

I believe you meant "layman's terms".

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball
How to get your question answered on this forum!
BrewManNH Posted August 29, 2012

Unless you're VERY knowledgeable about what each and every program is and why it's running on your computer, stopping running programs that you don't want running will (at best) stop something from working on your computer, or (at worst) cause it to crash Windows.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to. Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude. How to ask questions the smart way! I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from. Back up and restore Windows user files - _Array.au3 - Modified array functions that include support for 2D arrays. - ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script. - Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label. - _FileGetProperty - Retrieve the properties of a file - SciTE Toolbar - A toolbar demo for use with the SciTE editor - GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI. - Latin Square password generator
Kendall Posted August 29, 2012 (edited)

> I believe you meant "layman's terms".

Thanks, I was really tired when I posted it.

> Unless you're VERY knowledgeable about what each and every program is and why it's running on your computer, stopping running programs that you don't want running will (at best) stop something from working on your computer, or (at worst) cause it to crash Windows.

This is true, and a risk of using a program like this. Again, it can be done. Since mostly everyone's attitude on this is "the glass is half empty", I will take this on! AutoIt used to be really helpful to people and I have seen it has gone down a different path lately.

Edited August 29, 2012 by Kendall
Kendall Posted August 29, 2012

tylerh27: already done!!! This is great. I was thinking exactly how this one works. "Runs every 3 seconds", reads from a text document for the whitelist. To all of you non-believers.
BrewManNH Posted August 29, 2012

You have a lousy attitude, Kendall. Plus you've insulted the users here with the things you posted; you might want to temper that a little bit if you ever expect to ask for help in the future.
Kendall Posted August 29, 2012

> You have a lousy attitude, Kendall. Plus you've insulted the users here with the things you posted; you might want to temper that a little bit if you ever expect to ask for help in the future.

Thanks for your opinion on my attitude. I may be a bit "brash" sometimes. My attitude comes from everyone else's attitude toward things that can be done.

> Plus you've insulted the users here with the things you posted; you might want to temper that a little bit if you ever expect to ask for help in the future.

I don't think you should speak for others. And I'm not worried about getting help from others, as this is your opinion on the matter. I have been around for a while and have no fear of that changing. The AutoIt forum is here to help people..... Let's all stick to that.
BrewManNH Posted August 29, 2012

> AutoIt used to be really helpful to people and I have seen it has gone down a different path lately.

I'm not going to feed your flame war, other than to say I never said I spoke for anyone but myself. But with the way you tarred the users of this forum with such a wide brush by saying that the users of this forum are not helpful, when 3 posts before this is the answer to your request disproving that assertion, I (and probably others) will probably take a dim view of that inference.
Mechaflash Posted August 29, 2012

Meh... of course it can be done... really, anything can be done. What it comes down to is how flexible it can be. For example... there are a TON of viruses/trojans that mimic process names that already exist on your system. Let's take svchost.exe for example. In my processes, I'm running about 5 of them. You can attempt to filter them by memory consumption and/or CPU usage... but that's a huge bust... too many mistakes could happen and you could kill a real system process. If a program like this would be used strictly by people who know a thing or two about the inner workings of programs and computers, utilizing a white-list type approach would work. Now if you intend to use this in an office setting or distribute it to the public, you'll have your hands full with questions from office users and disgruntled customers of the product.
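The whitelist idea PhoenixXL and Kendall describe, reworked to survive Mechaflash's svchost.exe objection. This is an added example, not code from the thread or from the script Kendall linked: it audits a constructed process snapshot (the `SAMPLE` list, with assumed PIDs and paths) against a whitelist keyed on the image's full directory and its expected parent image, rather than on the bare name, and it reports verdicts instead of killing anything. The whitelist entries, the `Proc` record shape and the sample processes are all assumptions of the example; on a real host the same fields come from `tasklist /v`, Process Explorer or `Get-CimInstance Win32_Process`.

```python
"""Whitelist audit of a process snapshot keyed on image path and parent, not bare name.

Added example (not code from the thread). SAMPLE is a constructed snapshot;
on a real host the same fields come from tasklist /v, Process Explorer or
Get-CimInstance Win32_Process. Nothing here kills a process: it only reports.
"""
from collections import namedtuple
import ntpath

Proc = namedtuple("Proc", "pid ppid name path")

# image name -> (directories the image may live in, image names its parent may have)
# illustrative assumptions for the example, not a vetted baseline
WHITELIST = {
    "wininit.exe":  ({r"C:\Windows\System32"}, {"smss.exe"}),
    "services.exe": ({r"C:\Windows\System32"}, {"wininit.exe"}),
    "svchost.exe":  ({r"C:\Windows\System32"}, {"services.exe"}),
    "explorer.exe": ({r"C:\Windows"},          {"userinit.exe", "winlogon.exe"}),
    "notepad.exe":  ({r"C:\Windows\System32"}, {"explorer.exe"}),
}


def name_only_audit(snapshot, whitelist=WHITELIST):
    """The check the thread's 3-second poller does: is the image name on the list?"""
    return {p.pid: "not on whitelist: %s" % p.name
            for p in snapshot if p.name.lower() not in whitelist}


def audit(snapshot, whitelist=WHITELIST):
    """Return {pid: reason} for every process that fails the name, path or parent check."""
    by_pid = {p.pid: p for p in snapshot}
    findings = {}
    for p in snapshot:
        rule = whitelist.get(p.name.lower())
        if rule is None:
            findings[p.pid] = "not on whitelist: %s" % p.name
            continue
        dirs, parents = rule
        # case-insensitive, backslash-normalised directory comparison (Windows semantics)
        if ntpath.normcase(ntpath.dirname(p.path)) not in {ntpath.normcase(d) for d in dirs}:
            findings[p.pid] = "whitelisted name from unexpected path: %s" % p.path
            continue
        parent = by_pid.get(p.ppid)
        # a parent that already exited cannot be judged; a live one must be an expected image
        if parent is not None and parent.name.lower() not in parents:
            findings[p.pid] = "unexpected parent %s (pid %d)" % (parent.name, parent.pid)
    return findings


# constructed snapshot: the genuine svchost.exe chain plus an impostor in a user-writable temp dir
SAMPLE = [
    Proc(500, 4,   "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 600, "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    Proc(800, 0,   "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(900, 800, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Proc(950, 800, "notepad.exe",  r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    print("name only  :", name_only_audit(SAMPLE))   # {} : the impostor passes
    print("path+parent:", audit(SAMPLE))             # flags pid 900
```

The name-only check passes the fake svchost.exe in the user's Temp directory because its name is on the list; the path-and-parent check flags it. Returning findings instead of calling a kill routine is deliberate, for the reason BrewManNH gives above: a false positive on a real system process is worse than a missed detection, so the decision to terminate belongs to a person (or to a separately reviewed policy), not to the poller. A production version would also verify the Authenticode signer of the image before trusting the path.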
Skitty Posted August 30, 2012 (edited)

So I came back because I remembered I had once attempted to do something like what the OP described, but as you should know, I really have no idea what the bloody fuck I should be doing in order to do this correctly, so I let my subconscious mind take me wherever it wanted one day and it led me to put this together, which was not a very successful outcome I guess....... (.____.)

Anyway, I had posted it and people started rating it real low, so I abandoned it.

Here it is in one single script as well.

#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6
#include-once

Global Const $hKERNEL32 = DllOpen("kernel32.dll")
Global Const $hWINTRST = DllOpen("Wintrust.dll")

;~ One thing to take note of about the way this script works is that if you are scanning a dev tool or script
;~ interpreter like AutoIt for example, it will likely be flagged as a hack tool. I do not have enough
;~ experience to come up with a more accurate manner to flag files. This is simply building a low grade
;~ stereotype profile based on the imported functions a file has, but I have found that executable packers
;~ usually have one major thing in common, an attempt to hide imported functions while leaving behind two
;~ through 6 main API functions located in kernel32.dll which are typically used by the packer stub added
;~ to the compressed file. I'm not saying this is 100% or even 50% accurate, I don't know, but it has worked
;~ on a lot of different packed PE files even if they do not have the section header name signatures present.
;~ Just try it out and let's see what we get ;)

Global $hFile = FileOpenDialog("", "", "All(*.*)")
Global $Return = _GetProbability($hFile)
ConsoleWrite(" 1> Return ---- : " & $Return & @CR & _ ; String return value in human readable form telling what it probably is
        " 2> @Error ---- : " & @error & @CR & _ ; Error level
        " 3> @Extended - : " & @extended & @CR & @CR) ; You can probably consider this a probability value, although it's very flawed

;~ If you want to adapt the return value into scriptable format (i.e., instead of returning description strings), change it
;~ yourself in the UDF....

; #FUNCTION# ====================================================================================================================
; Name ..........: _GetProbability
; Description ...: Checks for the stereotypical file association based on imported functions and section names.
; Syntax ........: _GetProbability($File)
; Parameters ....: $File - A string containing the file location.
; Return values .: String containing the file description based on a stereotypical API import analysis, and sets the @extended
;                  macro to the amount of hits made searching for the stereotype.
;                  If errors occur, the error level is set to either 1 or 2.
;                  @error
;                  1 - File not found
;                  2 - both calls to _PEInfo() failed.
; Author ........: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks
; Modified ......:
; Remarks .......: The
; Related .......: None
; Link ..........:
; Example .......: Yes
; ===============================================================================================================================
Func _GetProbability($File)
    If Not FileExists($File) Then Return SetError(1, 0, 0)
    Local $API_IMP = True
    Local $SEC_NME = True
    Local $Packer = False
    Local $Strikes = 0
    Local $Probability = 0
    Local $HeaderSections, $Imports, $Ubound
    ; A lot of legit applications can/will get
    ; flagged in the checks below, and some apps
    ; even have a shi** ton of imports, so we will
    ; attempt to skip some apps that are digitally
    ; signed to avoid wasting time since we're not a real AV anyway.
    ; Wintrust() lives in the part of the script that is not reproduced in this post;
    ; it is expected to set @error when the file carries no valid Authenticode signature.
    Wintrust($File)
    If Not @error Then ; check if the PE is signed
        ; only third party PEs work here
        ; Microsoft PEs don't work
        $API_IMP = False
        $SEC_NME = False
        $Packer = "SIGNED APPLICATION"
        $Probability += 10 ; If it has a valid signature, then maybe it's a trustable PE
    Else
        ; If the ass hole who made it didn't sign it, then
        ; it's probably modified or the maker didn't bother to
        ; fork out the cash for a cert, commence our
        ; noob level investigation using code developed
        ; by the hyper intelligent alien hybrid aka trancexx :D
        $HeaderSections = _PEInfo($File, 1)
        If @error Then $SEC_NME = False
        $Imports = _PEInfo($File)
        If @error Then $API_IMP = False
        If Not $API_IMP And Not $SEC_NME Then Return SetError(2, 0, 0)
    EndIf

    If $SEC_NME Then
        For $X = 1 To UBound($HeaderSections) - 1
            ;MsgBox(0, "Section Names", $HeaderSections[$X])
            Select
                Case StringInStr($HeaderSections[$X], "upx", 2)
                    $Packer = "UPX"
                    $Probability += 1 ; the first three cases originally read "= +1", which reset the score to 1 instead of adding to it
                Case StringInStr($HeaderSections[$X], "XCompw", 2)
                    $Packer = "XCompw"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "XPackw", 2)
                    $Packer = "XPackw"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "BJFnt", 2)
                    $Packer = "BJFnt"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "PELOCKnt", 2)
                    $Packer = "PELOCKnt"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "PCGW32", 2)
                    $Packer = "PCGW32"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "wwpack", 2)
                    $Packer = "wwpack"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "RLPack", 2)
                    $Packer = "RLPack"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "exe32pack", 2)
                    $Packer = "exe32pack"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "ASPack", 2)
                    $Packer = "ASPack"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "PECompact", 2)
                    $Packer = "PECompact"
                    $Probability += 1
                Case StringInStr($HeaderSections[$X], "MPress", 2)
                    $Packer = "MPress"
                    $Probability += 1
            EndSelect
        Next
    EndIf

    If $API_IMP Then
        For $X = 0 To UBound($Imports) - 1
            ; telock has an option to add a bunch of fake compressor signatures
            ; but the bastard who created it didn't count on being able to detect it based on its imports
            ; which are ALWAYS GetModuleHandleA from kernel32 and MessageBoxA from user32
            ; which appears to be unique compared to all the others I've fiddled with
            If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "user32.dll", 2) Then
                ; Only fall through if we're in the kernel32 and user32 imports of the array
                If $Imports[$X][1][0] < 2 Then
                    ; telock seems to be very good at always hiding all imports.
                    ; In this area, we will only fall through if there is only one imported function from
                    ; either kernel32 or user32; if it has more then this is not telock
                    If StringInStr($Imports[$X][1][1], "GetModuleHandleA", 2) Or StringInStr($Imports[$X][1][1], "MessageBoxA", 2) Then
                        ; In telock, the imports are always the first in the array so we don't need to go through everything in it at this point
                        $Strikes += 1
                        $Probability += 1
                        If $Strikes > 1 And Not $Packer Then $Packer = "telock"
                    EndIf
                EndIf
            EndIf
        Next

        If Not $Probability Then
            ; If nothing has been detected, then let's see if it's packed with WInUpackE
            ; based on its stub's imports.
            $Ubound = UBound($Imports)
            ; If it has imported functions from more than
            ; 4 modules, this is most likely not WInUpackE packed.
            For $X = 1 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                    ; Again, we're only interested in the imported functions from kernel32
                    If $Imports[$X][1][0] < 3 Then
                        ; Fall through only if there are less than 3 imports from kernel32
                        ; and check if they match the ones from a version of WInUpackE
                        For $Z = 1 To UBound($Imports, 3) - 1
                            If StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Or StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Then
                                ; the two main imports of this bastard seem to be here
                                ; not even procexplorer detects this type of packed PE
                                ; but again take note that unpacked files may/will get
                                ; caught in this function and the ones below...
                                $Strikes += 1
                                $Probability += 3
                                If $Strikes < 2 And Not $Packer Then $Packer = "WInUpackE"
                            EndIf
                        Next
                    EndIf
                EndIf
            Next
        EndIf

        If Not $Packer Then
            $Strikes = 0
            ; This is where I get really desperate and attempt to see if I
            ; can get enough hits to determine if it's packed, read on...
            $Ubound = UBound($Imports)
            If $Ubound < 15 And (FileGetSize($File) / 1024) > 4.50 Then
                ; Looking good, if we get here that means not too many modules are used and
                ; the file is larger than 4.50 KB, possibly meaning we are dealing with a stub
                ; that is unpacking the original PE file and hiding its imports.
                For $X = 1 To $Ubound - 1
                    If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                        ; Again, only interested in imports from kernel32
                        If $Imports[$X][1][0] > 1 And $Imports[$X][1][0] < 7 Then
                            ; Falling through this area means the file may possibly be packed
                            ; and originally imported functions may be masked by the packer
                            ; which is using only some basic API necessary to run the packed PE
                            For $Z = 1 To UBound($Imports, 3) - 1
                                If StringInStr($Imports[$X][1][$Z], "GetModuleHandleA", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualProtect", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualAlloc", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualFree", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Then
                                    $Strikes += 1
                                    $Probability += 3
                                    If $Strikes > 2 And Not $Packer Then
                                        ; Getting here after having very few kernel32 imports must mean this
                                        ; file is packed, why else would such few imports be these functions
                                        ; if not a packer stub???
                                        $Packer = "PACKED"
                                    ElseIf $Strikes > 2 And $Packer Then
                                        $Probability -= 2
                                    EndIf
                                EndIf
                            Next
                        EndIf
                    EndIf
                Next
            EndIf
        EndIf

        If Not $Packer Then
            ; Then let's search for a UPX packed PE if someone removed its header signature
            $Strikes = 0
            $Probability = 0
            $Ubound = UBound($Imports)
            If $Ubound < 20 Then
                ; UPX doesn't seem to hide all the imported functions like most other packers
                For $X = 1 To $Ubound - 1
                    If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                        ; Again, only interested in imports from kernel32, because UPX does seem to hide at least
                        ; the imports from kernel32 and not others for some reason
                        If (UBound($Imports, 3) - 1) > 5 And (UBound($Imports, 3) - 1) < 10 Then
                            ; Falling through this area means the file may possibly be packed
                            ; and originally imported functions may be masked by the packer
                            ; which is using only some basic API necessary to run the packed PE
                            For $Z = 1 To UBound($Imports, 3) - 1
                                If StringInStr($Imports[$X][1][$Z], "GetModuleHandleA", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualProtect", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualAlloc", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "VirtualFree", 2) Or _
                                        StringInStr($Imports[$X][1][$Z], "LoadLibraryA", 2) Then
                                    $Strikes += 1
                                    $Probability += 3
                                    If $Strikes > 2 And Not $Packer Then
                                        ; Getting here after having very few kernel32 imports must mean this
                                        ; file is packed, why else would such few imports be these functions
                                        ; if not a packer stub???
                                        $Packer = "UPX"
                                    ElseIf $Strikes > 2 And $Packer Then
                                        $Probability -= 2
                                    EndIf
                                EndIf
                            Next
                        EndIf
                    EndIf
                Next
            EndIf
        EndIf

        If Not $Packer And Not $Probability Then
            ; Nothing detected, let's see if this is some kind of dev tool, script interpreter, hack tool or debugger etc.
            $Ubound = UBound($Imports)
            For $X = 1 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Then
                    For $Z = 1 To UBound($Imports, 3) - 1
                        If StringInStr($Imports[$X][1][$Z], "OpenProcess", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "ReadProcessMemory", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "EnterCriticalSection", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetCurrentThreadId", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "SetThreadContext", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "VirtualAllocEx", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetProcAddress", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "WriteProcessMemory", 2) Then
                            $Strikes += 1
                            $Probability += 1
                            If $Strikes > 4 Then $Packer = "HACK TOOL"
                        EndIf
                    Next
                EndIf
            Next
        EndIf

        If Not $Packer And (FileGetSize($File) / 1024) < 50 Then
            $Probability = 0
            $Ubound = UBound($Imports)
            For $X = 0 To $Ubound - 1
                If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "user32.dll", 2) Then
                    For $Z = 1 To UBound($Imports, 3) - 1
                        If StringInStr($Imports[$X][1][$Z], "SetWindowsHook", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetWindowThreadProcessId", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetWindowTextA", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetKeyboardState", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetKeyState", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetModuleFileNameA", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "GetUserName", 2) Or _
                                StringInStr($Imports[$X][1][$Z], "CreateToolhelp32Snapshot", 2) Then
                            $Strikes += 1
                            $Probability += 1
                            If $Strikes > 5 Then
                                ; we have ourselves a keylogger :D
                                ; or possibly a game of some kind
                                $Packer = "KEYLOGGER"
                            EndIf
                        EndIf
                    Next
                EndIf
            Next
        EndIf
    EndIf ; $API_IMP

    If Not $Packer And $Probability < 2 Then
        $Strikes = 0
        ; Nothing detected again, let's see if this is some kind of possibly malicious application
        ; or is just capable of being malicious..
        $Ubound = UBound($Imports)
        For $X = 0 To $Ubound - 1
            If StringInStr($Imports[$X][0][0], "kernel32.dll", 2) Or StringInStr($Imports[$X][0][0], "advapi32.dll", 2) Then
                ; this time we will even check imports from advapi32.dll along with kernel32 imports
                For $Z = 1 To UBound($Imports, 3) - 1
                    If StringInStr($Imports[$X][1][$Z], "DeleteCriticalSection", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "EnterCriticalSection", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetCurrentThreadId", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "TerminateProcess", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "CreateToolhelp32Snapshot", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "SetFileTime", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetFileAttributes", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "TerminateThread", 2) Or _ ; Below are advapi32 functions
                            StringInStr($Imports[$X][1][$Z], "DeviceIoControl", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "OpenProcessToken", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "LookupPrivilegeValue", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "OpenThreadToken", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "OpenSCManager", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "SetSecurityDescriptorDacl", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetTokenInformation", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetSecurityDescriptorDacl", 2) Or _
                            StringInStr($Imports[$X][1][$Z], "GetAclInformation", 2) Then
                        ;MsgBox(0, "$Imports[$X][1][$Z]", $Imports[$X][1][$Z])
                        $Strikes += 1
                        $Probability += 1
                        If $Strikes > 4 Then
                            ; If the ass hole who made it didn't sign it, then
                            ; it's probably modified or the maker didn't bother to
                            ; fork out the cash for a cert
                            $Packer = "POSSIBLY MALICIOUS"
                        EndIf
                    EndIf
                Next
            EndIf
        Next
    EndIf
    Return SetError(-1, $Probability, $Packer)
EndFunc   ;==>_GetProbability

You also need the rest of the script below, too big to post it all in one tag ._.

Edited August 30, 2012 by CaptainClucks
Skitty Posted August 30, 2012 (edited)

This is the rest of the file you will need. Also, take note that this will not close a process or whatever; what it's intended to do is detect if a certain file uses some Windows APIs that keyloggers or possibly malicious files might use. It will detect the AutoIt interpreter as a hack tool, and many other things that are not really hack tools, and some files hide their imports. This is not accurate, but it's just a plaything I guess...

; #FUNCTION# ====================================================================================================================
; Name ..........: _PEInfo
; Description ...:
; Syntax ........: _PEInfo($sModule[, $TypeInfo = 0])
; Parameters ....: $sModule  - A string value containing path to a PE file.
;                  $TypeInfo - [optional] Selects which information is returned.
;                  $TypeInfo = 0 (default) returns a 3 dimensional array of imported functions found, as used by _GetProbability():
;                  $Imports[0][0][0] - number of modules detected
;                  $Imports[n][0][0] - name of module n
;                  $Imports[n][1][0] - number of named imports from module n
;                  $Imports[n][1][m] - name of the m-th function imported from module n
;                  $TypeInfo = 1 returns a one dimensional array containing header section names.
;                  Use UBound() to get the item count.
; Return values .: An array depending on the information requested via the parameters. If a failure occurred, @error is
;                  set to a positive value; check @error before using the array to avoid an AutoIt error.
; Author ........: trancexx
; Modified ......: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks
; Remarks .......: This is trancexx's work originally taken from IATManipulate.au3, I just took out what I needed for this script.
; Related .......:
; Link ..........: http://www.autoitscript.com/forum/topic/85618-reshacker-project/page__view__findpost__p__724332
; Example .......: Depends on you.
; ===============================================================================================================================
Func _PEInfo($sModule, $TypeInfo = 0)
    DllCall($hKERNEL32, "dword", "SetErrorMode", "dword", 1) ; SEM_FAILCRITICALERRORS ; will handle errors
    Local $iLoaded
    Local $a_hCall = DllCall($hKERNEL32, "hwnd", "GetModuleHandleW", "wstr", $sModule)
    If @error Then
        Return SetError(1, 0, "")
    EndIf
    Local $pPointer = $a_hCall[0]
    If Not $a_hCall[0] Then
        ; Not already loaded: map the file ourselves. Note that this maps the (untrusted) image
        ; into this process; the second attempt maps it as a data file instead.
        $a_hCall = DllCall($hKERNEL32, "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 1) ; DONT_RESOLVE_DLL_REFERENCES
        If @error Or Not $a_hCall[0] Then
            $a_hCall = DllCall($hKERNEL32, "hwnd", "LoadLibraryExW", "wstr", $sModule, "hwnd", 0, "int", 34) ; LOAD_LIBRARY_AS_IMAGE_RESOURCE|LOAD_LIBRARY_AS_DATAFILE
            If @error Or Not $a_hCall[0] Then
                Return SetError(2, 0, "")
            EndIf
            $iLoaded = 1
            $pPointer = $a_hCall[0] - 1 ; data-file handles have the low bit set; clear it to get the base address
        Else
            $iLoaded = 1
            $pPointer = $a_hCall[0]
        EndIf
    EndIf
    Local $hModule = $a_hCall[0]

    Local $tIMAGE_DOS_HEADER = DllStructCreate("char Magic[2];" & _
            "ushort BytesOnLastPage;" & _
            "ushort Pages;" & _
            "ushort Relocations;" & _
            "ushort SizeofHeader;" & _
            "ushort MinimumExtra;" & _
            "ushort MaximumExtra;" & _
            "ushort SS;" & _
            "ushort SP;" & _
            "ushort Checksum;" & _
            "ushort IP;" & _
            "ushort CS;" & _
            "ushort Relocation;" & _
            "ushort Overlay;" & _
            "char Reserved[8];" & _
            "ushort OEMIdentifier;" & _
            "ushort OEMInformation;" & _
            "char Reserved2[20];" & _
            "dword AddressOfNewExeHeader", _
            $pPointer)
    Local $sMagic = DllStructGetData($tIMAGE_DOS_HEADER, "Magic")
    If Not ($sMagic == "MZ") Then
        If $iLoaded Then
            Local $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return SetError(3, 0, "")
    EndIf
    Local $iAddressOfNewExeHeader = DllStructGetData($tIMAGE_DOS_HEADER, "AddressOfNewExeHeader")
    $pPointer += $iAddressOfNewExeHeader ; start of PE file header

    Local $tIMAGE_NT_SIGNATURE = DllStructCreate("dword Signature", $pPointer)
    ; IMAGE_NT_SIGNATURE = 17744 ("PE\0\0")
    If DllStructGetData($tIMAGE_NT_SIGNATURE, "Signature") <> 17744 Then
        If $iLoaded Then
            $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return SetError(4, 0, "")
    EndIf
    $pPointer += 4 ; size of $tIMAGE_NT_SIGNATURE structure
    $pPointer += 20 ; size of $tIMAGE_FILE_HEADER structure

    Local $tIMAGE_OPTIONAL_HEADER = DllStructCreate("ushort Magic;" & _
            "ubyte MajorLinkerVersion;" & _
            "ubyte MinorLinkerVersion;" & _
            "dword SizeOfCode;" & _
            "dword SizeOfInitializedData;" & _
            "dword SizeOfUninitializedData;" & _
            "dword AddressOfEntryPoint;" & _
            "dword BaseOfCode;" & _
            "dword BaseOfData;" & _
            "dword ImageBase;" & _
            "dword SectionAlignment;" & _
            "dword FileAlignment;" & _
            "ushort MajorOperatingSystemVersion;" & _
            "ushort MinorOperatingSystemVersion;" & _
            "ushort MajorImageVersion;" & _
            "ushort MinorImageVersion;" & _
            "ushort MajorSubsystemVersion;" & _
            "ushort MinorSubsystemVersion;" & _
            "dword Win32VersionValue;" & _
            "dword SizeOfImage;" & _
            "dword SizeOfHeaders;" & _
            "dword CheckSum;" & _
            "ushort Subsystem;" & _
            "ushort DllCharacteristics;" & _
            "dword SizeOfStackReserve;" & _
            "dword SizeOfStackCommit;" & _
            "dword SizeOfHeapReserve;" & _
            "dword SizeOfHeapCommit;" & _
            "dword LoaderFlags;" & _
            "dword NumberOfRvaAndSizes", _
            $pPointer)
    Local $iMagic = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "Magic")
    If $iMagic <> 267 Then ; 267 = 0x10B = IMAGE_NT_OPTIONAL_HDR32_MAGIC
        If $iLoaded Then
            $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule)
            If @error Or Not $a_iCall[0] Then
                Return SetError(5, 0, "")
            EndIf
        EndIf
        Return S:etError(0, 1, 1) ; not a 32-bit application. Structures are for 32-bit
    EndIf
    $pPointer += 96 ; size of $tIMAGE_OPTIONAL_HEADER structure up to the data directories

    Switch $TypeInfo
        Case 0
            Local $i, $j, $k, $MaxLen = 0, $MaxLenOld = 0
            Local $IMFA[1][1][1]
            $pPointer += 8 ; Import Directory (data directory entry 1)
            Local $tIMAGE_DIRECTORY_ENTRY_IMPORT = DllStructCreate("dword VirtualAddress;" & _
                    "dword Size", _
                    $pPointer) ; Virtual address of the import table
            Local $iImportDirectoryVirtAddress = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress")
            If $iImportDirectoryVirtAddress And DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "Size") Then ; if valid
                Local $tIMAGE_IMPORT_MODULE_DIRECTORY
                Local $iOffset, $iOffset2, $tModuleName, $iBufferOffset, $sModuleName, $iInitialOffset, $tBufferOffset, $tBuffer, $sFunctionName
                ;Local $iModuleNameOffset
                ;Local $iModuleNameLength ; for modules
                ;Local $iFunctionNameOffset, $iFunctionNameLength ; for functions
                While 1
                    $i += 1
                    $tIMAGE_IMPORT_MODULE_DIRECTORY = DllStructCreate("dword RVAOriginalFirstThunk;" & _ ; actually union
                            "dword TimeDateStamp;" & _
                            "dword ForwarderChain;" & _
                            "dword RVAModuleName;" & _
                            "dword RVAFirstThunk", _
                            DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_DIRECTORY_ENTRY_IMPORT, "VirtualAddress") + $iOffset)
                    If Not DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk") Then ; the end
                        ExitLoop
                    EndIf
                    If DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk") Then
                        $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAOriginalFirstThunk")
                    Else
                        $iInitialOffset = DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAFirstThunk")
                    EndIf
                    $tModuleName = DllStructCreate("char[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName"))
                    $sModuleName = DllStructGetData($tModuleName, 1)
                    ; Two important pieces of info I collect now
                    ; Get offset of the name of the module which holds the functions.
                    ;$iModuleNameOffset = DllStructGetData($tIMAGE_IMPORT_MODULE_DIRECTORY, "RVAModuleName")
                    ; Get length of the module name
                    ;$iModuleNameLength = StringLen($sModuleName)
                    ReDim $IMFA[$i + 1][2][UBound($IMFA, 3) + 1]
                    $IMFA[$i][0][0] = $sModuleName
                    $iOffset2 = 0
                    $j = 0
                    While 1
                        $j += 1
                        $tBufferOffset = DllStructCreate("dword", $iInitialOffset + $iOffset2)
                        $iBufferOffset = DllStructGetData($tBufferOffset, 1)
                        If Not $iBufferOffset Then ; zero value is the end
                            ExitLoop
                        EndIf
                        If BitShift($iBufferOffset, 31) Then ; bit 31 (IMAGE_ORDINAL_FLAG32) is set for imports by ordinal, otherwise not
                            ; (original tested BitShift(..., 24), which also misfired on name RVAs above 16 MB)
                            ;MsgBox(0, "Ordinal ", BitAND($iBufferOffset, 0xFFFF)) ; the low 16 bits are the ordinal value
                            ; But we skip this because we're not looking for this shit
                            $iOffset2 += 4 ; size of $tBufferOffset
                            ContinueLoop
                        EndIf
                        ;$j += 1
                        $tBuffer = DllStructCreate("ushort Ordinal; char Name[64]", DllStructGetPtr($tIMAGE_DOS_HEADER) + $iBufferOffset)
                        ; Get name of that function
                        $sFunctionName = DllStructGetData($tBuffer, "Name")
                        ; Two more important pieces of info
                        ; Get offset of the function. 2 is size of "ushort Ordinal" from above
                        ;$iFunctionNameOffset = $iBufferOffset + 2 - DllStructGetPtr($tIMAGE_DOS_HEADER) ;<- this!
                        ; Get length of the function name
                        ;$iFunctionNameLength = StringLen($sFunctionName) ;<- and this!
$MaxLenOld = $j If $MaxLenOld > $MaxLen Then $MaxLen = $MaxLenOld + 1 EndIf ReDim $IMFA[UBound($IMFA) + 1][2][$MaxLen + 1] $IMFA[$i][1][$j] = $sFunctionName ConsoleWrite($IMFA[$i][0][0] & " > " & $sFunctionName & @CR) ; Move pointer $iOffset2 += 4 ; size of $tBufferOffset WEnd $IMFA[$i][1][0] = $j - 1 $k += $j - 1 $iOffset += 20 ; size of $tIMAGE_IMPORT_MODULE_DIRECTORY WEnd ReDim $IMFA[UBound($IMFA, 1)][2][$MaxLen + 1] $IMFA[0][0][0] = $k EndIf Case 1 Local $tIMAGE_FILE_HEADER = DllStructCreate("ushort Machine;" & _ "ushort NumberOfSections;" & _ "dword TimeDateStamp;" & _ "dword PointerToSymbolTable;" & _ "dword NumberOfSymbols;" & _ "ushort SizeOfOptionalHeader;" & _ "ushort Characteristics", _ $pPointer - (20 + 96));Trunctiate size of $tIMAGE_OPTIONAL_HEADER and $tIMAGE_NT_SIGNATURE from pointer since we're not using them in this case Local $iAddressOfEntryPoint = DllStructGetData($tIMAGE_OPTIONAL_HEADER, "AddressOfEntryPoint") Local $Sections[1] Local $iNumberOfSections = DllStructGetData($tIMAGE_FILE_HEADER, "NumberOfSections") ReDim $Sections[$iNumberOfSections + 1] $Sections[0] = $iNumberOfSections $pPointer += 8 ;~ Resources Directory ;~ Local $tIMAGE_DIRECTORY_ENTRY_RES = DllStructCreate("dword VirtualAddress;" & _ ;~ "dword Size", _ ;~ $pPointer) ;~ Virtual address of resources table ;~ Local $iResDirectoryVirtAddress = DllStructGetData($tIMAGE_DIRECTORY_ENTRY_RES, "VirtualAddress") $pPointer += 120 ; skip 15 data directories Local $tIMAGE_SECTION_HEADER Local $iVirtualAddress Local $iVirtualSize Local $sItemText For $i = 0 To $iNumberOfSections - 1 $tIMAGE_SECTION_HEADER = DllStructCreate("char Name[8];" & _ "dword VirtualSize;" & _ ; union actually "dword VirtualAddress;" & _ "dword SizeOfRawData;" & _ "dword PointerToRawData;" & _ "dword PointerToRelocations;" & _ "dword PointerToLinenumbers;" & _ "ushort NumberOfRelocations;" & _ "ushort NumberOfLinenumbers;" & _ "dword Characteristics", _ $pPointer) ; Get virtual address $iVirtualAddress = 
DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualAddress") ; Get virtual size $iVirtualSize = DllStructGetData($tIMAGE_SECTION_HEADER, "VirtualSize") ; Find where Enty Point is (Digisoul) If ($iVirtualAddress <= $iAddressOfEntryPoint) And $iAddressOfEntryPoint < ($iVirtualAddress + $iVirtualSize) Then $sItemText = DllStructGetData($tIMAGE_SECTION_HEADER, "Name"); & " (entry point)" Else $sItemText = DllStructGetData($tIMAGE_SECTION_HEADER, "Name") EndIf ;~ Find resources ;~ If ($iVirtualAddress <= $iResDirectoryVirtAddress) And $iResDirectoryVirtAddress < ($iVirtualAddress + $iVirtualSize) Then ;~ $sItemText &= " (resources)" ;~ EndIf ;~ ;~ DllStructGetData($tIMAGE_SECTION_HEADER, "SizeOfRawData"); bytes ;~ Ptr(DllStructGetData($tIMAGE_SECTION_HEADER, "PointerToRawData")) ;~ Ptr($iVirtualAddress) ;~ DllStructGetData($tIMAGE_SECTION_HEADER, "NumberOfRelocations") ; Move pointer $pPointer += 40 ; size of $tIMAGE_SECTION_HEADER structure $Sections[$i + 1] = $sItemText Next $IMFA = $Sections EndSwitch ; Free module If $iLoaded Then $a_iCall = DllCall($hKERNEL32, "int", "FreeLibrary", "hwnd", $hModule) If @error Or Not $a_iCall[0] Then Return SetError(6, 0, "") EndIf EndIf Return SetError(0, 0, $IMFA) EndFunc ;==>_PEInfo ; #FUNCTION# ==================================================================================================================== ; Name ..........: Wintrust ; Description ...: Validates a PE files digital signature ; Syntax ........: Wintrust($SourceFile) ; Parameters ....: $SourceFile - String file path. ; Return values .: Customized for this script, if it has a valid and trusted signature, returns true, else error is ; set to a positive value. 
; Author ........: Prog@ndy ; Modified ......: THAT1ANONYMOUSDUDE aka ApudAngelorum aka CaptainClucks ; Remarks .......: You can find the original unmodified version of this script at the below link ; Related .......: ; Link ..........: http://www.autoit.de/index.php?page=Thread&postID=68477#post68477 ; Example .......: No ; =============================================================================================================================== Func Wintrust($SourceFile) #cs Please take note that this only works for 3rd party signed software! You cannot verify native Microsoft application using this code for reasons unknown to me. I do not know who created this as I found it by googleing (Site:autoitscript.com wintrust.dll) This code came up in an attachment and I could not locate the post where this code was attached... Code is slightly modified to suit this script! Edit: I believe this may be made by Pr@gandy after more research Edit2: Confirmed, this was made by above user. #CE Local Const $WTD_UI_NONE = 2 Local Const $WTD_REVOKE_NONE = 0 Local Const $WTD_CHOICE_FILE = 1 Local Const $WTD_SAFER_FLAG = 0x00000100 Local Const $TRUST_E_PROVIDER_UNKNOWN = 0x800B0001 Local Const $TRUST_E_SUBJECT_FORM_UNKNOWN = 0x800B0003 Local Const $TRUST_E_SUBJECT_NOT_TRUSTED = 0x800B0004 Local Const $TRUST_E_NOSIGNATURE = 0x800B0100 Local Const $TRUST_E_EXPLICIT_DISTRUST = 0x800B0111 Local Const $CRYPT_E_SECURITY_SETTINGS = 0x80092026 Local Const $tagWINTRUST_FILE_INFO = "DWORD cbStruct;" & _ "ptr pcwszFilePath;" & _ "HWND hFile;" & _ "ptr pgKnownSubject;" Local Const $tagWINTRUST_DATA = "DWORD cbStruct;" & _ "ptr pPolicyCallbackData;" & _ "ptr pSIPClientData;" & _ "DWORD dwUIChoice;" & _ "DWORD fdwRevocationChecks;" & _ "DWORD dwUnionChoice;" & _ "ptr pInfoStruct;" & _ "DWORD dwStateAction;" & _ "HWND hWVTStateData;" & _ "ptr pwszURLReference;" & _ "DWORD dwProvFlags;" & _ "DWORD dwUIContext;" Local Const $WINTRUST_ACTION_GENERIC_VERIFY_V2 = 
_GUIDStruct("{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}") Local $pGUID = DllStructGetPtr($WINTRUST_ACTION_GENERIC_VERIFY_V2) Local $WINTRUST_FILE_INFO = DllStructCreate($tagWINTRUST_FILE_INFO) DllStructSetData($WINTRUST_FILE_INFO, 1, DllStructGetSize($WINTRUST_FILE_INFO)) Local $wszSourceFile = DllStructCreate("wchar[" & StringLen($SourceFile) + 1 & "]") DllStructSetData($wszSourceFile, 1, $SourceFile) DllStructSetData($WINTRUST_FILE_INFO, "pcwszFilePath", DllStructGetPtr($wszSourceFile)) Local $WINTRUST_DATA = DllStructCreate($tagWINTRUST_DATA) Local $pWINTRUST_DATA = DllStructGetPtr($WINTRUST_DATA) DllStructSetData($WINTRUST_DATA, 1, DllStructGetSize($WINTRUST_DATA)) DllStructSetData($WINTRUST_DATA, "pPolicyCallbackData", 0) DllStructSetData($WINTRUST_DATA, "pSIPClientData", 0) DllStructSetData($WINTRUST_DATA, "dwUIChoice", $WTD_UI_NONE) DllStructSetData($WINTRUST_DATA, "fdwRevocationChecks", $WTD_REVOKE_NONE) DllStructSetData($WINTRUST_DATA, "dwUnionChoice", $WTD_CHOICE_FILE) DllStructSetData($WINTRUST_DATA, "dwStateAction", 0) DllStructSetData($WINTRUST_DATA, "hWVTStateData", 0) DllStructSetData($WINTRUST_DATA, "pwszURLReference", 0) DllStructSetData($WINTRUST_DATA, "dwProvFlags", $WTD_SAFER_FLAG) DllStructSetData($WINTRUST_DATA, "dwUIContext", 0) DllStructSetData($WINTRUST_DATA, "pInfoStruct", DllStructGetPtr($WINTRUST_FILE_INFO)) Local $LStatus = DllCall($hWINTRST, "long", "WinVerifyTrust", _ "hWnd", 0, _ "ptr", $pGUID, _ "ptr", $pWINTRUST_DATA _ ) If Not @error Then $LStatus = $LStatus[0] Else $LStatus = -1 EndIf Switch $LStatus Case 0 ; ERROR_SUCCESS Return SetError(0, 0, "Verified") Case $TRUST_E_NOSIGNATURE ; Get the reason for no signature. Local $dwLastError = DllCall($hKERNEL32, "dword", "GetLastError") $dwLastError = $dwLastError[0] If ($TRUST_E_NOSIGNATURE == $dwLastError Or $TRUST_E_SUBJECT_FORM_UNKNOWN == $dwLastError Or $TRUST_E_PROVIDER_UNKNOWN == $dwLastError) Then ; The file was not signed. 
Return SetError(1, 0, "Not Signed") Else ; The signature was not valid or there was an error ; opening the file. Return SetError(1, 0, "Unable to verify") EndIf Case $TRUST_E_EXPLICIT_DISTRUST ; The hash that represents the subject or the publisher ; is not allowed by the admin or user. Return SetError(1, 0, "Not Trusted") Case $TRUST_E_SUBJECT_NOT_TRUSTED ; The user clicked "No" when asked to install and run. Return SetError(1, 0, "Not Trusted") Case $CRYPT_E_SECURITY_SETTINGS #CS The hash that represents the subject or the publisher was not explicitly trusted by the admin and the admin policy has disabled user trust. No signature, publisher or time stamp errors. #CE Return SetError(1, 0, "Not Trusted") Case -1 Return SetError(1, 0, "Unable to verify") Case Else ; The UI was disabled in dwUIChoice or the admin policy ; has disabled user trust. lStatus contains the ; publisher or time stamp chain error. Return SetError(1, 0, "Unable to verify") EndSwitch Return SetError(1, 0, "Unable to verify") EndFunc ;==>Wintrust Func _GUIDStruct($IID) $IID = StringRegExpReplace($IID, "([}{])", "") $IID = StringSplit($IID, "-") Local $_GUID = "DWORD Data1; ushort Data2; ushort Data3; BYTE Data4[8];" Local $GUID = DllStructCreate($_GUID) If $IID[0] = 5 Then $IID[4] &= $IID[5] If $IID[0] > 5 Or $IID[0] < 4 Then Return SetError(1, 0, 0) DllStructSetData($GUID, 1, Dec($IID[1])) DllStructSetData($GUID, 2, Dec($IID[2])) DllStructSetData($GUID, 3, Dec($IID[3])) DllStructSetData($GUID, 4, Binary("0x" & $IID[4])) Return $GUID EndFunc ;==>_GUIDStruct Edited August 30, 2012 by CaptainClucks Link to comment Share on other sites More sharing options...
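The import-table walk that _PEInfo() does above is the part of the post worth understanding on its own. The following is an added example, not code from the thread or from CaptainClucks: it does the same walk in Python, but over the file's bytes rather than after a LoadLibraryExW call, so the file under inspection is never mapped into the scanner's own address space. The sample image it parses is constructed in memory for the demonstration (the section layout constants, DLL names and ordinal are made-up test values, not taken from any real binary), and the DLL/function names are just strings in a table, not calls the example makes.

```python
import struct

# Layout constants for the constructed sample image (hypothetical values, not from the thread).
SECTION_RVA = 0x1000          # where the single section is mapped
SECTION_FILE_OFFSET = 0x200   # where its raw bytes live in the file
IMAGE_ORDINAL_FLAG32 = 0x80000000


def build_sample_pe(imports):
    """Build a minimal PE32 image whose only section holds an import directory.
    `imports` is a list of (dll_name, [function_name or int ordinal, ...]).
    Constructed test data: not a runnable program, just enough header and
    import-table structure for a parser to exercise."""
    sec = bytearray()

    def add(blob):                      # append to the section, return the blob's RVA
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    # Reserve the descriptor table: one 20-byte IMAGE_IMPORT_DESCRIPTOR per DLL plus a null terminator.
    desc_rva = add(b"\0" * (20 * (len(imports) + 1)))
    descriptors = []
    for dll, funcs in imports:
        thunks = []
        for func in funcs:
            if isinstance(func, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | func)      # import by ordinal: high bit set
            else:
                name = func.encode("ascii") + b"\0"
                name += b"\0" * (len(name) % 2)                  # IMAGE_IMPORT_BY_NAME is 2-byte aligned
                thunks.append(add(struct.pack("<H", 0) + name))  # hint (0) followed by the name
        thunk_bytes = b"".join(struct.pack("<I", t) for t in thunks) + b"\0\0\0\0"
        ilt_rva = add(thunk_bytes)   # OriginalFirstThunk: import lookup table
        iat_rva = add(thunk_bytes)   # FirstThunk: the IAT the loader overwrites at run time
        name_rva = add(dll.encode("ascii") + b"\0")
        descriptors.append(struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva))
    sec[0:20 * len(imports)] = b"".join(descriptors)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section, 224-byte optional header
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0, len(sec), 0,             # PE32 magic, linker version, code/data sizes
                      SECTION_RVA, SECTION_RVA, SECTION_RVA,    # entry point, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,                  # ImageBase, SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0, 0,                      # OS/image/subsystem versions, Win32VersionValue
                      0x2000, 0x200, 0, 3, 0x8140,              # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap sizes, LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, desc_rva, 20 * (len(imports) + 1))   # data directory 1 = imports
    raw_size = (len(sec) + 0x1FF) & ~0x1FF
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SECTION_RVA, raw_size,
                           SECTION_FILE_OFFSET, 0, 0, 0, 0, 0x40000040)   # readable, initialized data
    headers = dos + b"PE\0\0" + file_hdr + opt + bytes(dirs) + sect_hdr
    return headers + b"\0" * (SECTION_FILE_OFFSET - len(headers)) + bytes(sec) + b"\0" * (raw_size - len(sec))


def parse_imports(data):
    """Walk the import directory of a PE32 image held in `data` (bytes), the way
    the AutoIt _PEInfo() walks it in memory, but without mapping the file.
    Returns {dll_name: [function_name or "ordinal:N", ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt_off = e_lfanew + 24                                      # optional header follows the 20-byte file header
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images are handled, as in the AutoIt version")
    imp_rva, imp_size = struct.unpack_from("<II", data, opt_off + 96 + 8)   # data directory 1 = imports
    sections = []                                                # (VirtualAddress, size, PointerToRawData)
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt_off + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva):                                         # RVA -> file offset via the section table
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result = {}
    if not imp_rva or not imp_size:
        return result
    off = rva_to_off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not iat:                                              # an all-zero descriptor ends the table
            break
        thunk_off = rva_to_off(ilt or iat)                       # prefer the lookup table, fall back to the IAT
        funcs = []
        while True:
            entry = struct.unpack_from("<I", data, thunk_off)[0]
            if not entry:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                funcs.append("ordinal:%d" % (entry & 0xFFFF))
            else:
                funcs.append(cstr(rva_to_off(entry) + 2))        # skip the 2-byte hint before the name
            thunk_off += 4
        result[cstr(rva_to_off(name_rva))] = funcs
        off += 20
    return result


# Constructed sample: names chosen only to show by-name and by-ordinal entries side by side.
SAMPLE_IMPORTS = [("KERNEL32.dll", ["CreateFileW", "WriteFile", 42]),
                  ("ADVAPI32.dll", ["RegSetValueExW"])]


def demo():
    return parse_imports(build_sample_pe(SAMPLE_IMPORTS))


if __name__ == "__main__":
    for dll, funcs in demo().items():
        for func in funcs:
            print(dll, ">", func)        # same "module > function" line format _PEInfo writes to the console
```

Two differences from the AutoIt version are deliberate. Every RVA goes through the section table (rva_to_off) instead of being added to the module base, which is what makes the on-disk walk possible and is also where a file with bogus section sizes or RVAs is rejected instead of dereferenced. Ordinal-only imports are reported as "ordinal:N" rather than skipped, since a file that imports everything by ordinal is exactly the kind of thing a scanner should still see. For use on real files, also bound every offset against len(data) before unpacking; struct.error on a truncated file is the only guard here.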
stormbreaker Posted August 30, 2012 Share Posted August 30, 2012 Even a dumb 'antivirus' will need to execute funcs in kernel drivers to remove corrupt/infected files. What do you say about this? ---------------------------------------- :bye: Hey there, was I helpful? ---------------------------------------- My Current OS: Win8 PRO (64-bit); Current AutoIt Version: v3.3.8.1