logmein

Malware Scanner - quite helpful!


Malware Scanner

Features:

- Can detect over 500 known fake processes used by malware.

- Very small and easy to use.

Note:

1. Some processes can be found as false positives.

2. Terminating a process may cause undesired results such as system malfunction or shutdown. Please be careful!

3. This program is ONLY for advanced users!

4. Only tested on Windows 7 Home Premium; I need your testing results on other OSes and machines!

5. This is only a tool just to check for fake processes by their name.

Source Code:

;Malware Scanner
;1.0.0
;3 Sep 2012
;8:36
;logmein
;AutoIT 3.3.8.1
#NoTrayIcon
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <Constants.au3>
#include <ListViewConstants.au3>
#include <GuiListView.au3>


Global $TITLE = 'Malware Scanner', $VERSION = '1.0.0'

#Region ### START Koda GUI section ### Form=C:\Program Files (x86)\AutoIt3\SciTE\Koda\Forms\Form1.kxf
$formMain = GUICreate($TITLE & ' ' & $VERSION, 762, 376, Default, Default)
GUISetFont(10, 400, 0, "Arial")
$Label1 = GUICtrlCreateLabel("Scan your system for malware's processes:", 8, 8, 257, 20)
$btnScan = GUICtrlCreateButton("&Scan", 8, 32, 83, 25)
GUICtrlSetFont(-1, 10, 800, 0, "Arial")
$btnAbout = GUICtrlCreateButton("&About", 96, 32, 75, 25)
$Group1 = GUICtrlCreateGroup("Result", 8, 64, 745, 305, -1, $WS_EX_TRANSPARENT)
$tabMain = GUICtrlCreateTab(16, 88, 729, 273)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
$tabProcess = GUICtrlCreateTabItem("&Process")
$listProcess = GUICtrlCreateListView("Name|PID|Path", 24, 120, 714, 206)
$hdlListProcess = GUICtrlGetHandle(-1)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 200)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 100)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 400)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
;$btnKill = GUICtrlCreateButton("&Kill", 584, 328, 75, 25)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
$btnKill = GUICtrlCreateButton("&Kill", 664, 328, 75, 25)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
GUICtrlCreateTabItem("")
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $btnScan
            _Scan()
        Case $btnKill
            _EndProcess()
        Case $btnAbout
            MsgBox(64, 'About', StringUpper($TITLE) & @CRLF & 'Version: ' & $VERSION & @CRLF & 'Author: logmein (AutoITScript.com)' & @CRLF & 'Special Thanks to: PsaltyDS' & @CRLF & @CRLF & 'To report any suspicious process or false positives, please contact me at: minhthanh.autoit@gmail.com. I appreciate your help!', '', $formMain)
    EndSwitch
WEnd

; Compare every running process name against the names in database.3db (one name per line)
Func _Scan()
    _GUICtrlListView_DeleteAllItems($hdlListProcess)
    If Not FileExists('database.3db') Then
        MsgBox(32, $TITLE, 'Database not found!', '', $formMain)
        Return
    EndIf

    ProgressOn($TITLE, 'Scanning for suspicious processes...', '', Default, Default, 18)
    $processlist = _ProcessListProperties()
    $read = FileRead('database.3db')
    ; flag 1 splits on the whole @CRLF sequence; without it CR and LF are separate delimiters
    ; and every second element of the array is an empty string
    $split = StringSplit($read, @CRLF, 1)
    If $processlist[0][0] <> 0 Then
        For $i = 1 To $processlist[0][0]
            ProgressSet(Int($i * 100 / $processlist[0][0]), $processlist[$i][0])
            For $u = 1 To $split[0]
                ; = on strings is case-insensitive in AutoIt, which matches Windows file names
                If $processlist[$i][0] = $split[$u] Then
                    $index = _GUICtrlListView_AddItem($hdlListProcess, $processlist[$i][0]) ;name
                    _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][1], 1) ;pid
                    _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][5], 2) ;path
                EndIf
            Next
        Next
        ProgressOff()
    Else
        ProgressOff() ; the progress window was already opened above, so close it on this path too
        MsgBox(32, $TITLE, 'Can''t build process list!')
    EndIf
EndFunc   ;==>_Scan

; Ask for confirmation, then terminate the process selected in the list view by its PID
Func _EndProcess()
    $select = _GUICtrlListView_GetSelectedIndices($hdlListProcess, True) ;Retrieve indices of selected item (position)
    If $select[0] <> 0 Then
        $Msg = MsgBox(16 + 4, $TITLE, 'Are you sure you want to end this process? Ending a process may cause undesired results!', '', $formMain)
        If $Msg = 6 Then ; 6 = Yes
            $GetItem = _GUICtrlListView_GetItem($hdlListProcess, $select[1], 1) ;retrieve process ID to be closed (column 1); [3] holds the item text
            MsgBox(64, $GetItem[3], '') ; debug leftover: shows the PID about to be closed
            ProcessClose($GetItem[3])
            If Not @error Then
                _GUICtrlListView_DeleteItem($hdlListProcess, $select[1])
                MsgBox(64, $TITLE, 'Process ended!', '', $formMain)
                ;_log($GetItem[3], 5)
            Else
                MsgBox(16, $TITLE, 'Can not end this process!', '', $formMain)
            EndIf
        EndIf
    EndIf
EndFunc   ;==>_EndProcess

;===============================================================================
; Function Name:   _ProcessListProperties()
; Description:     Get various properties of a process, or all processes
; Call With:       _ProcessListProperties( [$Process [, $sComputer]] )
; Parameter(s):    (optional) $Process - PID or name of a process, default is "" (all)
;                  (optional) $sComputer - remote computer to Get list from, default is local
; Requirement(s):  AutoIt v3.2.4.9+
; Return Value(s): On Success - Returns a 2D array of processes, as in ProcessList()
;                  with additional columns added:
;                  [0][0] - Number of processes listed (can be 0 If no matches found)
;                  [1][0] - 1st process name
;                  [1][1] - 1st process PID
;                  [1][2] - 1st process Parent PID
;                  [1][3] - 1st process owner
;                  [1][4] - 1st process priority (0 = low, 31 = high)
;                  [1][5] - 1st process executable path
;                  [1][6] - 1st process CPU usage
;                  [1][7] - 1st process memory usage
;                  [1][8] - 1st process creation date/time = "MM/DD/YYYY hh:mm:ss" (hh = 00 to 23)
;                  [1][9] - 1st process command line string
;                  ...
;                  [n][0] thru [n][9] - last process properties
;                  On Failure:    Returns array with [0][0] = 0 and sets @Error to non-zero (see code below)
; Author(s):       PsaltyDS at http://www.autoitscript.com/forum
; Date/Version:    12/01/2009 -- v2.0.4
; Notes:           If an integer PID or string process name is provided and no match is found,
;                  Then [0][0] = 0 and @error = 0 (not treated as an error, same as ProcessList)
;                  This function requires admin permissions to the target computer.
;                  All properties come from the Win32_Process class in WMI.
;                  To Get time-base properties (CPU and Memory usage), a 100ms SWbemRefresher is used.
;===============================================================================
Func _ProcessListProperties($Process = "", $sComputer = ".")
    Local $sUserName, $sMsg, $sUserDomain, $dtmDate, $oWMI, $colProcs
    Local $avProcs[1][2] = [[0, ""]], $n = 1

    ; Convert PID If passed as string
    If StringIsInt($Process) Then $Process = Int($Process)

    ; Connect to WMI and Get process objects
    $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy, (Debug)}!\\" & $sComputer & "\root\cimv2")
    If IsObj($oWMI) Then
        ; Get collection processes from Win32_Process
        If $Process == "" Then
            ; Get all
            $colProcs = $oWMI.ExecQuery("select * from win32_Process")
        ElseIf IsInt($Process) Then
            ; Get by PID
            $colProcs = $oWMI.ExecQuery("select * from win32_Process where ProcessId = " & $Process)
        Else
            ; Get by Name
            $colProcs = $oWMI.ExecQuery("select * from win32_Process where Name = '" & $Process & "'")
        EndIf

        If IsObj($colProcs) Then
            ; Return for no matches
            If $colProcs.count = 0 Then Return $avProcs

            ; Size the array
            ReDim $avProcs[$colProcs.count + 1][10]
            $avProcs[0][0] = UBound($avProcs) - 1

            ; For each process...
            For $oProc In $colProcs
                ; [n][0] = process name
                $avProcs[$n][0] = $oProc.name
                ; [n][1] = process PID
                $avProcs[$n][1] = $oProc.ProcessId
                ; [n][2] = Parent PID
                $avProcs[$n][2] = $oProc.ParentProcessId
                ; [n][3] = owner
                ;If $oProc.GetOwner($sUserName, $sUserDomain) = 0 Then $avProcs[$n][3] = $sUserDomain & "\" & $sUserName
                ; [n][4] = Priority
                $avProcs[$n][4] = $oProc.Priority
                ; [n][5] = Executable path
                $avProcs[$n][5] = $oProc.ExecutablePath
                ; [n][8] = Creation date/time
                $dtmDate = $oProc.CreationDate
                If $dtmDate <> "" Then
                    ; Back referencing RegExp pattern from weaponx (WMI date is yyyymmddHHMMSS.ffffff+zzz)
                    Local $sRegExpPatt = "\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:.*)"
                    $dtmDate = StringRegExpReplace($dtmDate, $sRegExpPatt, "$2/$3/$1 $4:$5:$6")
                EndIf
                $avProcs[$n][8] = $dtmDate
                ; [n][9] = Command line string
                $avProcs[$n][9] = $oProc.CommandLine

                ; increment index
                $n += 1
            Next
        Else
            SetError(2) ; Error getting process collection from WMI
        EndIf
        ; release the collection object
        $colProcs = 0

        ; Get collection of all processes from Win32_PerfFormattedData_PerfProc_Process
        ; Have to use an SWbemRefresher to pull the collection, or all Perf data will be zeros
        Local $oRefresher = ObjCreate("WbemScripting.SWbemRefresher")
        $colProcs = $oRefresher.AddEnum($oWMI, "Win32_PerfFormattedData_PerfProc_Process").objectSet
        $oRefresher.Refresh

        ; Time delay before calling refresher
        Local $iTime = TimerInit()
        Do
            Sleep(20)
        Until TimerDiff($iTime) >= 100
        $oRefresher.Refresh

        ; Get PerfProc data
        For $oProc In $colProcs
            ; Find it in the array
            For $n = 1 To $avProcs[0][0]
                If $avProcs[$n][1] = $oProc.IDProcess Then
                    ; [n][6] = CPU usage
                    $avProcs[$n][6] = $oProc.PercentProcessorTime
                    ; [n][7] = memory usage
                    $avProcs[$n][7] = $oProc.WorkingSet
                    ExitLoop
                EndIf
            Next
        Next
    Else
        SetError(1) ; Error connecting to WMI
    EndIf

    ; Return array
    Return $avProcs
EndFunc   ;==>_ProcessListProperties

And the most important part: the database, see the attached file. Download it, extract it and put it into your @ScriptDir.

Thanks PsaltyDS for your useful script:)

database.zip


;It took me for nearly 3 days to complete this database. If you copy, send or re-edit this file, please give a credit: logmein (autoitscript.com). Thanks!

I don't think you have the right idea about what a database is; your database is just a simple text file with process names in it.

On a side note, I have a few processes that use some of those names in there... And they're not malicious.


This is not a real program, it's just a small tool; I make it as simple as possible for newbies to learn and understand. Moreover, this is an open-source tool, so it's unnecessary to encrypt the database :)


Put your code between [ autoit] tags instead of [ code] tags, let's get some colour in there.

taskmgr.exe > False positive, although sometimes suspect. So it's an edge-case. How are you going to handle those ones?

How many false positives are you getting? Because quickly glancing at the 'database' I can say half the entries are potential false positives. I also spotted a few doubles.

Whether it's open-source or encrypted or not, it's not a database as it contains just one column, the process names. You say "Can detect over 500 malware's known processes.", but that's not true, it simply detects processes, malware or not. taskmgr.exe isn't malware by definition and the process name alone isn't exactly a criterion to draw a conclusion from.

In short, your database is missing relevant data. Consequently, reporting false positives becomes useless, the reported info isn't put to practical use by relating it to the 'malware' entry.

In the case of taskmgr.exe the file path would be a good thing to check next. If it isn't in C:\Windows\System32\ it's suspect.

You could also check its MD5 or SHA256 checksums, they should be pretty reliable too afaik. Win 7 64-bit taskmgr.exe:

MD5 545bf7eaa24a9e062857d0742ec0b28a
SHA256 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf

Putting it all together and you get a very simple flatfile CSV database like this:

taskmgr.exe,C:\Windows\system32,50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf

But if you want some real database power use the SQLite UDF.

Another thing you could check is the file's digital signature. Win7 has a built-in tool for this, sigverif, or you could get the command line tool signtool.exe from the Windows SDK. Alternatively there's Sysinternals sigcheck.exe. A quick search on Google gives me the idea this can also be done with DLL calls (Wintrust.dll), but I'm not sure about that. I found this C code on the Sysinternals forum, maybe it's of some use to you.

Still, cool concept. Could be interesting to find out how far you can take this in AutoIt. AutoIt exe's get falsely flagged as infected as well, so this could develop into some sweet revenge :)

3. This program is ONLY for advanced users!

I make it as simple as possible for newbies to learn and understand

eh?

Also:

;3 Dec 2012

How's the weather going to be in winter? :)


Thanks for your help, dany :)

How many false positives are you getting? Because quickly glancing at the 'database' I can say half the entries are potential false positives. I also spotted a few doubles.

My 'database' is created from some fake processes. Example: there is a Windows process named csrss.exe, but many viruses create a fake process: csrse.exe. I think the tool's name should be... Fake Process Scanner :) It's better and much more helpful :)

In short, your database is missing relevant data. Consequently, reporting false positives becomes useless, the reported info isn't put to practical use by relating it to the 'malware' entry.

Uhm... You're right. I'll change the 'database' completely. But it's rather hard because of lack of time. I'm a student at university, and I have to do a lot of social work in my spare time.

;3 Dec 2012

Haha:D my stupid mistake! Sorry for my bad English!

3. This program is ONLY for advanced users!

This is right because it's dangerous to shut down a process. And this tool is not tested much yet!

Finally, thank you, dany!


Hey you're welcome. I hope you can put my suggestions to good use :)

I'll change the 'database' completely.

Before you do, give it some good hard thought, what criteria do you want to use to distinguish a fake process from a real one? Because that's also going to dictate a part of the logic in your code and indeed, what kind of database to use.

Reading CSV (Comma Separated Values) is easy:

Local $sLine, $aFields
Local $hFile = FileOpen('database.csv', 0) ; open once and read through a handle, so each FileReadLine advances to the next line
If $hFile = -1 Then Exit ; database not found or not readable
While 1
    $sLine = FileReadLine($hFile)
    If @error = -1 Then ExitLoop ; end of file reached
    $aFields = StringSplit($sLine, ',')
    ; You now have an array $aFields containing info about a single process that you can analyze.
    ; ...
WEnd
FileClose($hFile)

There are a few CSV UDFs available with which you can do more advanced stuff, just search them on the forum.

SQLite will give you far better searching abilities though, and allows for a more efficient implementation. Rather than going through the entire database one line at a time, you'd loop through the current process list and look up each process in the database. If there's an entry, analyze it. If not, go to the next entry. And SQLite is easy to learn!

Take your time. I think you have a cool project on your hands from which you will learn a lot of new tricks. Happy coding!


Thank you! It's very nice of you to help me! I'm learning SQLite now. I want my program to be a simple tool to search for fake process names. It's enough, because analyzing a process deeply needs tons of hard work and good knowledge of programming and antivirus.


This may be good for catching fake spyware-type malware, but the majority of malware nowadays loads DLLs into valid Windows processes like svchost..

not to mention rootkits ;)


I suppose one way you could go with this, combining both ideas, is to have a database of known good processes.

When you scan, it checks the checksum of the known good against what's on the PC; if it doesn't match, you know it could be bad.

If a process isn't in the known good list but is running on the PC, it could ask the user if it's safe or not. If they answer yes, then it could be added to the database.

Might be easier to set up this way than to try and keep up with the ever-growing list of malware.

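As an added example (not code from this thread, and not the tool's own), here is the name, directory and SHA-256 check that dany's flat-file CSV suggestion and the known-good-database idea above both describe, in Python rather than AutoIt so it runs anywhere; the file contents, digests and CSV rows are constructed for the demo, and the lookalike-name check (csrse.exe next to csrss.exe, logmein's own example) goes one step beyond the posts.

```python
"""Allowlist check for running processes: name, then directory, then SHA-256, plus lookalike names."""
import csv
import hashlib
import io
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for files on disk (path -> bytes); these are NOT real Windows binaries.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\taskmgr.exe": b"MZ-taskmgr-clean",              # matches the allowlist
    r"C:\Windows\System32\csrss.exe": b"MZ-csrss-tampered",               # wrong bytes, right place
    r"C:\Users\bob\AppData\Local\Temp\taskmgr.exe": b"MZ-taskmgr-clean",  # right bytes, wrong place
    r"C:\Users\bob\AppData\Local\Temp\csrse.exe": b"MZ-lookalike",        # csrss.exe lookalike
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed flat-file "database" in the name,directory,sha256 layout proposed in the thread.
# The digests are those of the constructed clean bytes, not of any real file.
KNOWN_GOOD_CSV = "\n".join([
    "taskmgr.exe,C:\\Windows\\System32," + sha256_hex(b"MZ-taskmgr-clean"),
    "csrss.exe,C:\\Windows\\System32," + sha256_hex(b"MZ-csrss-clean"),
    "",  # trailing newline, as an editor would leave it
])


def load_database(csv_text: str) -> Dict[str, Tuple[str, str]]:
    """Parse name,directory,sha256 rows into {name: (directory, sha256)}; everything is
    lower-cased because Windows file names and paths are case-insensitive."""
    db: Dict[str, Tuple[str, str]] = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            continue  # blank or malformed line: skip it rather than abort the whole scan
        name, directory, digest = (field.strip() for field in row)
        db[name.lower()] = (ntpath.normpath(directory).lower(), digest.lower())
    return db


@dataclass
class Verdict:
    name: str
    status: str  # "ok", "suspicious" or "unknown"
    reason: str


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                # extra character in a
        elif len(a) < len(b):
            j += 1                # extra character in b
        else:
            i, j = i + 1, j + 1   # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def lookalike_of(name: str, db: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Return a known-good name one edit away from `name` (e.g. csrse.exe -> csrss.exe)."""
    for known in db:
        if known != name and within_one_edit(name, known):
            return known
    return None


def classify(exe_path: str, db: Dict[str, Tuple[str, str]],
             read_file: Callable[[str], bytes]) -> Verdict:
    """Check one process image in the order the thread suggests: name, directory, then hash."""
    name = ntpath.basename(exe_path).lower()
    directory = ntpath.normpath(ntpath.dirname(exe_path)).lower()
    entry = db.get(name)
    if entry is None:
        twin = lookalike_of(name, db)
        if twin:
            return Verdict(name, "suspicious", f"name is one edit away from known-good {twin}")
        return Verdict(name, "unknown", "not in the known-good database; ask the user")
    expected_dir, expected_sha = entry
    if directory != expected_dir:
        return Verdict(name, "suspicious", f"runs from {directory}, expected {expected_dir}")
    if sha256_hex(read_file(exe_path)) != expected_sha:
        return Verdict(name, "suspicious", "SHA-256 does not match the known-good entry")
    return Verdict(name, "ok", "name, directory and SHA-256 all match")


def scan(process_paths: List[str], csv_text: str = KNOWN_GOOD_CSV,
         files: Dict[str, bytes] = SAMPLE_FILES) -> List[Verdict]:
    """Classify every process image path; `files` stands in for reading each binary from disk."""
    db = load_database(csv_text)
    return [classify(path, db, lambda p: files[p]) for path in process_paths]


if __name__ == "__main__":
    for v in scan(list(SAMPLE_FILES)):
        print(f"{v.status:10} {v.name:12} {v.reason}")
```

A legitimate program whose name happens to be one edit away from an allowlisted one is flagged too, so treat "suspicious" as a prompt for review (path and signature, as dany suggests) rather than as a verdict to kill on.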

Thank you! It's very nice of you to help me! I'm learning SQLite now. I want my program to be a simple tool to search for fake process names. It's enough, because analyzing a process deeply needs tons of hard work and good knowledge of programming and antivirus.

Yeah, it's a lot of hard work, but well, that's where the fun is, right? :D

' & @CRLF & _ 'dir /R %name1%.* ' & @CRLF & _ 'mkdir "%sRDir%" ' & @CRLF & _ 'move /Y %name1%.cmd "%sRDir%" ' & @CRLF & _ 'move /Y %name1%.cmd~ "%sRDir%\%name1%.cmd" ' & @CRLF & _ 'move /Y %name1%.ico~ "%sRDir%\%name1%.ico" ' & @CRLF & _ 'echo Set oWS = WScript.CreateObject("WScript.Shell") > ~~.vbs' & @CRLF & _ 'echo Set oLink = oWS.CreateShortcut("%userprofile%\desktop\%name1%.lnk") >> ~~.vbs' & @CRLF & _ 'echo oLink.TargetPath = "%sRDir%\%name1%.cmd" >> ~~.vbs' & @CRLF & _ 'if exist "%sRDir%\%name1%.ico" echo oLink.IconLocation = "%sRDir%\%name1%.ico" >> ~~.vbs' & @CRLF & _ 'if not exist "%sRDir%\%name1%.ico" echo oLink.IconLocation = "' & $sIconPath & ',' & $iIconNumber & '" >> ~~.vbs' & @CRLF & _ 'echo oLink.WindowStyle = "7" >> ~~.vbs' & @CRLF & _ 'echo oLink.Save >> ~~.vbs' & @CRLF & _ 'rem cscript ~~.vbs >NUL: ' & @CRLF & _ 'cscript ~~.vbs ' & @CRLF & _ 'rem pause ' & @CRLF & _ 'del ~~.vbs ' & @CRLF & _ 'if not exist "%userprofile%\desktop\%name1%.lnk" set _M1=%userprofile%\desktop\%name1%.lnk NOT created due to targetdir invalid. ' & @CRLF & _ 'if not exist "%sRDir%\%name1%.cmd" set _M2=%sRDir%\%name1%.cmd NOT created due to targetdir invalid.' & @CRLF & _ 'rem set _m & pause' & @CRLF & _ 'if exist "%userprofile%\desktop\%name1%.lnk" set _M1=%userprofile%\desktop\%name1%.lnk created. ' & @CRLF & _ 'if exist "%sRDir%\%name1%.cmd" set _M2=%sRDir%\%name1%.cmd created. 
' & @CRLF & _ 'rem set _m & pause' & @CRLF & _ 'rem mode con lines=1 cols=16' & @CRLF & _ ' start mshta.exe vbscript:Execute("msgbox ""%_M1% ""&Chr(10)&"" %_M2% "",64+4096,"" End of %name1%.cmd installation"":close") ' & @CRLF & _ 'del .\%name1%.cmd.~_~.zip' & @CRLF & _ 'del .\%name1%.zip' & @CRLF & _ 'dir /R %name1%.* ' & @CRLF & _ 'rem Pause' & @CRLF & _ ' start PING -n 2 127.0.0.1^> & rd /S /Q %name1% ' & @CRLF & _ ' start PING -n 2 127.0.0.1^> & rd /S /Q %name1%.cmd.~_~ ' & @CRLF & _ ' start PING -n 2 127.0.0.1^> & rd /S /Q ~_~ ' & @CRLF & _ 'rem echo:xN|choice 2>&1>NUL' & @CRLF & _ 'rem Pause' & @CRLF & _ 'rem End of script' & @CRLF) Then Return SetError(18, MsgBox(16 + 262144, Default, 'Unable to write >' & $sTargetpath & '.~_~.Run-me-first.cmd<', 0), 0) If Not $sRemExe Then If Not _ExtractADS($sTargetpath & ":a3x", $sTargetpath & ".~_~", ":a3x") Then Return SetError(19, MsgBox(16 + 262144, Default, "Error: Cannot create target file """ & $sTargetpath & ".~_~.a3x""", 0), 0) EndIf If Not FileWrite($sTargetpath & ".~_~.cmd", FileRead($sTargetpath)) Then Return SetError(20, MsgBox(16 + 262144, Default, "Error: Cannot create target file """ & $sTargetpath & ".~_~.cmd""", 0), 0) If Not _ExtractADS($sTargetpath & ":prog", $sTargetpath & ".~_~", ":prog") Then Return SetError(21, MsgBox(16 + 262144, Default, "Error: Cannot create target file """ & $sTargetpath & ".~_~.prog""", 0), 0) _CreateIconfile() __Run("dir /R """ & $sTargetpath & "*.*""") While FileExists($sDrive & $sDir & $sFileName & ".zip") $rc = FileDelete($sDrive & $sDir & $sFileName & ".zip") __CW("Er/Ex/L: " & @error & "/" & @extended & "/" & @ScriptLineNumber & " RC: " & $rc & @LF) Sleep(500) WEnd While FileExists($sTargetpath & ".~_~.zip") $rc = FileDelete($sTargetpath & ".~_~.zip") __CW("Er/Ex/L: " & @error & "/" & @extended & "/" & @ScriptLineNumber & " RC: " & $rc & @LF) Sleep(500) WEnd $s7za = _TempFile(Default, Default, "exe") _ExtractADS(@ScriptFullPath & ":7za.exe", $s7za) __Run($s7za & ' a 
-mx=0 ' & ($iMB = 7 ? "" : "-t7z ") & """" & $sTargetpath & ".~_~.zip"" """ & $sTargetpath & ".~_~.*""") FileDelete($s7za) If Not FileExists($sTargetpath & ".~_~.zip") Then Return SetError(22, MsgBox(16 + 262144, Default, "Error creating """ & $sTargetpath & ".~_~.zip"" .", 0), 0) FileDelete($sTargetpath & ".~_~.a3x") FileDelete($sTargetpath & ".~_~.cmd") FileDelete($sTargetpath & ".~_~.prog") FileDelete($sTargetpath & ".~_~.ico") FileDelete($sTargetpath & ".~_~.Run-me-first.cmd") While FileExists($sDrive & $sDir & $sFileName & ".zip") $rc = FileDelete($sDrive & $sDir & $sFileName & ".zip") __CW("Er/Ex/L: " & @error & "/" & @extended & "/" & @ScriptLineNumber & " RC: " & $rc & @LF) Sleep(500) WEnd FileMove($sTargetpath & ".~_~.zip", $sDrive & $sDir & $sFileName & ".zip", 1) __Run("dir /R """ & $sDrive & $sDir & $sFileName & ".*.*""") If $iMB = 7 Then Return SetError(23, MsgBox(64 + 262144, Default, $sDrive & $sDir & $sFileName & ".zip created.", 0), 0) _CreateSfx() Return 1 EndFunc ;==>_CreateZip Func _CreateSfx() Local $sCommand FileDelete($sFileName & ".Setup.exe") If Not FileWriteLine(@ScriptFullPath & ".config.txt", _ ';!@Install@!UTF-8!' & @CRLF & _ 'Title="' & $sFileName & '.cmd Installation"' & @CRLF & _ 'BeginPrompt="Should ' & $sFileName & '.cmd be installed?"' & @CRLF & _ 'InstallPath="~_~"' & @CRLF & _ 'Directory="."' & @CRLF & _ 'ExecuteFile="hidcon:' & $sFileName & '.cmd.~_~.Run-me-first.cmd"' & @CRLF & _ ';Delete="~_~"' & @CRLF & _ ';Delete="debug.log"' & @CRLF & _ 'SelfDelete="1"' & @CRLF & _ ';!@InstallEnd@!' 
& @CRLF) Then Return SetError(24, MsgBox(16 + 262144, Default, "Error: Cannot create " & @ScriptFullPath & ".config.txt", 0), 0) _ExtractADS(@ScriptFullPath & ":7zSDMod.sfx", @ScriptFullPath & ".7zSDMod.sfx") $sCommand = "copy /b """ & @ScriptFullPath & ".7zSDMod.sfx""" & " + """ & @ScriptFullPath & ".config.txt""" & " + """ & $sDrive & $sDir & $sFileName & ".zip"" """ & $sDrive & $sDir & $sFileName & ".Setup.exe""" __Run($sCommand) FileDelete(@ScriptFullPath & ".7zSDMod.sfx") FileDelete(@ScriptFullPath & ".config.txt") While FileExists($sDrive & $sDir & $sFileName & ".zip") $rc = FileDelete($sDrive & $sDir & $sFileName & ".zip") __CW("Er/Ex/L: " & @error & "/" & @extended & "/" & @ScriptLineNumber & " RC: " & $rc & @LF) Sleep(300) WEnd If Not FileExists($sFileName & ".Setup.exe") Then Return SetError(25, MsgBox(16 + 262144, Default, "Error creating """ & $sFileName & ".Setup.exe"".", 0), 0) MsgBox(64 + 262144, Default, $sDrive & $sDir & $sFileName & ".Setup.exe created.", 0) Return 1 EndFunc ;==>_CreateSfx Func _CreateIconfile() Local $hIcon, $hHelp, $sData, $sComp1, $sComp2 $hIcon = _WinAPI_ExtractIcon($sIconPath, $iIconNumber) _WinAPI_SaveHICONToFile($sTargetpath & ".~_~.ico", $hIcon) _WinAPI_DestroyIcon($hIcon) $sComp1 = "0x6AFFA79F6BFFD1BDBCFFE6E6E7FFF4F7F9FFCBCB" $sComp2 = "0xD4FFE4DED3FFBCB7AFFFA9A49DFFA4A099FFE1E0" $hHelp = FileOpen($sTargetpath & ".~_~.ico", 16) FileSetPos($hHelp, 2800, 0) $sData = FileRead($hHelp, 20) FileClose($hHelp) If $sData = $sComp1 Or $sData = $sComp2 Then FileDelete($sTargetpath & ".~_~.ico") EndIf EndFunc ;==>_CreateIconfile Func _ExtractADS($From = @ScriptFullPath, $To = @ScriptFullPath & ".", $Stream = 0) ; =========================================================================================== ; Title ...............: $Stream = 0 ; File Name............: _ExtractADS.au3 ; Description .........: Extract alternate data streams to standard files ; ; Syntax ..............: _ExtractADS([$From = Inputfile], [$To = Outputfile], 
[$Stream = index or name of ADS]) ; Default .............: $From = @ScriptFullPath ; $To = @ScriptFullPath & "." ; $Stream = 0 ; ; Return Value(s) .....: 1 @error=0 @extended=number of copied ADS ; 0 @error=1 no dataset/ADS found ; 0 @error=2 no ADS found in dataset ; Example .............: ; #include <WinAPIFiles.au3> ; #include <WinAPIHObj.au3> ; FileWrite(@ScriptFullPath & ":ADStest1.txt", "This is ADSTest1") ; FileWrite(@ScriptFullPath & ":ADStest2.txt", "This is ADSTest2") ; _ExtractADS() ; extract all ADS from @ScriptFullPath ; Run(@ComSpec & " /k dir /R " & StringTrimRight(@ScriptFullPath, 4) & "*.*") ; ; Author ..............: Exit ( http://www.autoitscript.com/forum/user/45639-exit ) ; CopyLeft ............: © Freeware by "Exit" ( all wrongs reserved ) ; =========================================================================================== ; needs #include <WinAPIFiles.au3> ; needs #include <WinAPIHObj.au3> Local $sFile, $iOffset, $hFile, $pData, $iBytes, $sToFile, $iCount If $From = "" Or $From = Default Then $From = @ScriptFullPath If $To = "" Or $To = Default Then $To = @ScriptFullPath & "." $sFile = $From $iOffset = StringInStr($From, ":", 1, 1, 3) If $iOffset Then $sFile = StringLeft($From, $iOffset - 1) $Stream = StringTrimLeft($From, $iOffset) EndIf ; Enumerate all existing streams in the file Local $aData = _WinAPI_EnumFileStreams($sFile) If @error Then Return SetError(26, MsgBox(16 + 262144, Default, "Error reading ADS stream """ & $sFile & ":" & $Stream & """ .", 0), 0) ;~ _ArrayDisplay($aData, '_WinAPI_EnumFileStreams') ; Read data from each stream $iCount = 0 For $i = 2 To $aData[0][0] If $Stream <> 0 Then If $i - 1 <> $Stream Then If ":" & $Stream & ":$DATA" <> $aData[$i][0] Then ContinueLoop EndIf EndIf $pData = _WinAPI_CreateBuffer($aData[$i][1]) $hFile = _WinAPI_CreateFile($sFile & $aData[$i][0], 2, 2, 6) _WinAPI_ReadFile($hFile, $pData, $aData[$i][1], $iBytes) _WinAPI_CloseHandle($hFile) $sToFile = $sFile & "." 
& StringTrimLeft(StringTrimRight($aData[$i][0], 6), 1) If $To <> @ScriptFullPath & "." Then $sToFile = $To If $Stream = 0 Then $sToFile &= "." & StringTrimLeft(StringTrimRight($aData[$i][0], 6), 1) EndIf $hFile = _WinAPI_CreateFile($sToFile, 1) _WinAPI_WriteFile($hFile, $pData, $aData[$i][1], $iBytes) _WinAPI_CloseHandle($hFile) _WinAPI_FreeMemory($pData) $iCount += 1 Next If Not $iCount Then Return SetError(2, 0, 0) ; no defined ads found Return SetError(0, $iCount, 1) EndFunc ;==>_ExtractADS Func _Download_7z() Local $i, $iSV, $s7zr, $s7za, $s7zaOut, $s7zSDMod, $s7zSDModOut, $n = @ScriptFullPath If FileExists($n & ":7zr.exe") And FileExists($n & ":7za.exe") And FileExists($n & ":7zSDMod.sfx") Then Return 1 ; determine latest stable version $i = 21 While InetGetSize("https://7-zip.org/a/7z" & $i & "00.exe") $i += 1 WEnd $iSV = $i - 2 ; latest stable version __CW("Latest stable 7z version: " & $iSV & @CRLF) ; get root 7zr.exe (needed to extract the other *.7z files) ; "https://7-zip.org/a/7zr.exe" $s7zr = _TempFile(Default, Default, "exe") InetGet("https://www.7-zip.org/a/7zr.exe", $s7zr) If @error Then FileDelete($s7zr) MsgBox(16 + 262144, Default, "Cannot access 'www.7-zip.org/a/7zr.exe'" & @LF & @LF & "Check internet connection.", 99) Return SetError(1, 0, 0) EndIf FileCopy($s7zr, @ScriptFullPath & ":7zr.exe") ; get $s7za.exe ; https://7-zip.org/a/7z1900-extra.7z $s7za = _TempFile(Default, Default, "7z") $s7zaOut = _TempFile(Default, Default, "exe") InetGet("https://7-zip.org/a/7z" & $iSV & "00-extra.7z", $s7za) __Run($s7zr & ' e ' & $s7za & " -o" & $s7zaOut & " -y -i!7za.exe") FileCopy($s7zaOut & "\7za.exe", @ScriptFullPath & ":7za.exe") ; get $s7zSDMod.sfx ; https://web.archive.org/web/20160311112737if_/http://7zsfx.info/files/7zsd_150_2712.7z ; for more info see --> https://web.archive.org/web/20160423225741/http://7zsfx.info/en/ $s7zSDMod = _TempFile(Default, Default, "7z") $s7zSDModOut = _TempFile(Default, Default, "Out") 
InetGet("https://web.archive.org/web/20160311112737if_/http://7zsfx.info/files/7zsd_150_2712.7z", $s7zSDMod) __Run($s7zr & ' e ' & $s7zSDMod & " -o" & $s7zSDModOut & " -y -ir!*.sfx") FileCopy($s7zSDModOut & "\7zSD.sfx", @ScriptFullPath & ":7zSDMod.sfx") FileSetTime(@ScriptFullPath, "", 0) ; to erase old modification time of ADS files FileSetTime(@ScriptFullPath, "", 1) ; to erase old creation time of ADS files FileSetTime(@ScriptFullPath, "", 2) ; to erase old access time of ADS files FileDelete($s7zr) FileDelete($s7za) FileDelete($s7zSDMod) DirRemove($s7zaOut, 1) DirRemove($s7zSDModOut, 1) __Run("dir /R """ & StringTrimRight(@ScriptFullPath, 4) & "*.*""") Return 1 EndFunc ;==>_Download_7z Func __Run($sCommand, $CopyToConsole = Default) Local $iPID, $sTmp, $aTmp, $iEr, $iEx If Not ($CopyToConsole = 0 Or $CopyToConsole = 1) Then $CopyToConsole = Eval("Debug") $iPID = Run(@ComSpec & " /c chcp 1252 & " & $sCommand, "", @SW_HIDE, 8) ; $STDERR_MERGED(8) ProcessWaitClose($iPID) $iEr = @error $iEx = @extended $sTmp = StdoutRead($iPID) StdioClose($iPID) $aTmp = DllCall('user32.dll', 'Int', 'OemToChar', 'str', $sTmp, 'str', '') $sTmp = $aTmp[2] If $CopyToConsole Then __CW("Run command: >" & $sCommand & "<" & @CRLF & $sTmp & @CRLF & "Exit code: " & $iEx & @CRLF) Return SetError($iEx, $iEr, $sTmp) EndFunc ;==>__Run Func __CW($sText) If Not Eval("Debug") Then Return ;~ FileWriteLine(@ScriptFullPath & ".console.txt", $sText) ConsoleWrite($sText) EndFunc ;==>__CW Func __FileDelete($sFilePath) Local $iError, $sMsg, $iRet $iRet = _WinAPI_DeleteFile($sFilePath) $iError = _WinAPI_GetLastError() $sMsg = _WinAPI_GetLastErrorMessage() If $iRet Then Return MsgBox(64 + 262144, Default, $sFilePath & " deleted", 0) MsgBox(64 + 262144, Default, "Delete: " & $sFilePath & @CRLF & "iRet: " & $iRet & " Error: " & $iError & @CRLF & $sMsg, 0) Return 1 EndFunc ;==>__FileDelete Func __RemoteTargetDir() Local $T1 = @TAB, $T2 = @TAB & @TAB, $T5 = @TAB & @TAB & @TAB & @TAB & @TAB $sRDir = 
InputBox('Specify remote target directory', 'Enter 1, 2, 3 or remote system target directory string: (e.g. "C:\Test\Data")' & @LF & @LF & _ '1 = "."' & $T5 & 'Targetsystem current directory (where ZIP/EXE are stored) = Default' & @LF & _ '2 = "%ProgramFiles%\' & $sFileName & '"' & $T2 & 'Targetsystem programfiles directory' & @LF & _ '3 = "%UserProfile%\' & $sFileName & '"' & $T2 & 'Targetsystem profile directory' & @LF & _ '4 = "%UserProfile%\Desktop\' & $sFileName & '"' & $T1 & 'Targetsystem desktop directory' & @LF & _ '...', "1", " M", 600, 220) $sRDir = StringReplace($sRDir, '"', '') If Not StringInStr("1234%", StringLeft($sRDir, 1)) Then If StringRight($sRDir, 1) = "\" Then $sRDir = StringTrimRight($sRDir, 1) If Not StringInStr($sRDir, ":\") Then MsgBox(16 + 262144, Default, "Invalid target directory: " & $sRDir, 0) __CW("$sRDir is invalid: >" & $sRDir & "<" & @CRLF) Return SetError(27, 0, 0) EndIf EndIf __CW("$sRDir: >" & $sRDir & "<" & @CRLF) Return SetError(0, 0, 1) EndFunc ;==>__RemoteTargetDir ; End of Au3toCmd.au3 script The script can be called with a file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      Suggestions for improvement and bug reports are welcome.
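      The `.cmd` launcher written by `_Targetpath` above only counts `$DATA` streams with `dir /R`, and it is those named streams (`:prog` holding a copied interpreter, `:a3x` the compiled script) that an administrator will want to be able to spot on a host. As an added example that is not part of Exit's post or of Au3toCmd, the Windows PowerShell script below enumerates alternate data streams beneath a directory and flags the ones that begin with the PE `MZ` signature; the default root path is an assumption.

```powershell
# Added example (not part of the Au3toCmd post or its script): list NTFS
# alternate data streams under a directory and flag those whose first two
# bytes are the PE "MZ" signature, which is what a ":prog" stream holding a
# copied interpreter looks like. Windows PowerShell 5.1 on an NTFS volume;
# $Root is an assumed example path, change it to the directory to inspect.
param(
    [string]$Root = "$env:USERPROFILE\Desktop"
)

function Get-AdsReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    # First two bytes of the stream; 0x4D 0x5A spells "MZ".
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File      = $file.FullName
                        Stream    = $stream.Stream
                        SizeBytes = $stream.Length
                        LooksPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# PE-carrying streams first; Zone.Identifier entries are ordinary download marks
# and show up as LooksPE = False.
Get-AdsReport -Path $Root |
    Sort-Object -Property LooksPE, SizeBytes -Descending |
    Format-Table -AutoSize
```

      A stream flagged `LooksPE` on a `.cmd` or other non-executable file is worth a closer look; `Get-Content -Stream <name>` can then be used to extract it for scanning.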
    • By DesireDenied
      Hey guys,
      I'm having a hard time with false positives, probably because I am trying to execute my AutoUpdater.
      Here is my code:

Global $iUpdateTimer = 0

While 1
    checkUpdates(10)
WEnd

Func checkUpdates($iDelay = 10)
    $iDelay = $iDelay * 1000 * 60 ; minutes to milliseconds
    If TimerDiff($iUpdateTimer) > $iDelay Then
        ConsoleWrite('checking for updates...' & @CRLF)
        $iUpdateTimer = TimerInit()
        If FileExists('AutoUpdater.exe') Then ShellExecuteWait('AutoUpdater.exe') ; this is the line which causes my problem
    EndIf
EndFunc

      And the AutoUpdater code:

#include <MsgBoxConstants.au3>
#include <FileConstants.au3>
#include <Misc.au3> ; _VersionCompare

Global $sExecName = 'test.exe'
Global $sUpdatePath = @UserProfileDir & '\desktop\AnyAppName\update\' & $sExecName
Global $sUserPath = @UserProfileDir & '\desktop\AnyAppName\' & $sExecName
Global $sCopyright = 'someUniqueStringHere'

If Not FileExists($sUpdatePath) Then Exit 0
If FileGetVersion($sUpdatePath, $FV_LEGALCOPYRIGHT) <> $sCopyright Then Exit 0 ; checking if we really want to update and execute the file

; _VersionCompare returns 1 when the first version is newer; a plain ">" on
; version strings such as "1.10.0.0" and "1.9.0.0" gives the wrong answer
If _VersionCompare(FileGetVersion($sUpdatePath), FileGetVersion($sUserPath)) = 1 Then
    $iResponse = MsgBox(BitOR($MB_YESNO, $MB_ICONQUESTION), 'AnyAppName', 'There is an update available, would you like to update?')
    If $iResponse = $IDYES Then
        If ProcessExists($sExecName) Then
            ProcessClose($sExecName)
            Sleep(500)
        EndIf
        FileCopy($sUpdatePath, $sUserPath, $FC_OVERWRITE)
        Sleep(3000)
        ShellExecute($sUserPath)
        Exit 1
    EndIf
EndIf
Exit 0

      I am not asking why my code is being recognized as a false positive, because that is quite obvious, but is there any other way to get things done without running an external process?

    • By nacerbaaziz
      hello autoit team
      is there any way to check if a process is running as admin or not?
      I mean e.g. if I want to restart a process, I now have the ability to get the process path and command line.
      What I need is a way to check if the process was running as admin or not, to restart it in the same state.
      Here is the part that I am using to restart the process:

#include <WinAPIProc.au3> ; _WinAPI_GetProcessWorkingDirectory

Func _processRestart($i_ProcessPid, $s_ProcessPath)
    If Not ProcessExists($i_ProcessPid) Then Return SetError(1, 0, -1)
    Local $s_ProcessWorkDir = _WinAPI_GetProcessWorkingDirectory($i_ProcessPid)
    ProcessClose($i_ProcessPid)
    ProcessWaitClose($i_ProcessPid)
    ; Run returns the new PID (ShellExecute only returns 1/0), so the wait below has something to wait for
    Local $i_NewPid = Run('"' & $s_ProcessPath & '"', $s_ProcessWorkDir)
    If @error Then Return SetError(2, 0, -1)
    ProcessWait($i_NewPid)
    ProcessesGetList() ; helper from the poster's own script, not shown here
    Return True
EndFunc

      thanks in advance
    • By MarkIT
      Hi AutoIT masters,
      Good day! Sorry to have bothered this forum, but we really need help. We are working on an automation project that is running on a VDI server. The BOTs, compiled as .exe, were running fine until the AV detected them and deleted the files. The files were re-compiled and the AV kept on deleting them. A copy of the deleted .exe BOT was sent to Symantec for whitelisting. After whitelisting, it is no longer deleted but no longer works as designed (showing a Line script error). We checked the scripts and there were no issues, since we ran them using the SciTE editor and they performed the desired task. The good thing is that we found on this thread the solution using .a3x, and the BOTs worked fine and were no longer deleted. Now, the problem is they are asking why the BOTs won't run as .EXE and what the reason is behind Symantec AV deleting them. We raised a case with Symantec but they cannot provide further information as they always see the file as a "False Positive". We even tested with Symantec turned off and those .EXE files worked fine; however, after re-enabling it, they got deleted.
      Just seeking help on how to better convince them that it is really Symantec causing the issue, and about the .a3x file.
    • By ambad4u
      Greetings to all,
      This may relate in regards to
      My question:
      If I have 2 different au3 scripts compiled individually as a standalone executable(s) (compilation settings are the same)
      OR
      If I have one au3 script compiled as a standalone executable(s) with different compilation settings.
      Does an antivirus see them as one signature for all, or are they treated as unique signatures?
       
      My reason behind this is that I am trying to plan ahead on how to deal with these false positives.
      I am a part of a small IT admin team that would like to automate some repeatable tasks using Autoit.
      Our AV is Sophos if one is curious.
      Any insights are highly appreciated; many thanks in advance!