logmein

Malware Scanner - quite helpful!

12 posts in this topic

#1 ·  Posted (edited)

Malware Scanner

Features:

- Can detect over 500 known fake processes used by malware.

- Very small and easy to use.

Note:

1. Some processes can be found as false positives.

2. Terminating a process may cause undesired results such as system malfunction or shutdown. Please be careful!

3. This program is ONLY for advanced users!

4. Only tested on Windows 7 Home Premium, I need your testing result on other OS and machines!

5. This is just a tool to check for fake processes by their name.

Source Code:

;Malware Scanner
;1.0.0
;3 Sep 2012
;8:36
;logmein
;AutoIT 3.3.8.1
#NoTrayIcon
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include <Constants.au3>
#include <ListViewConstants.au3>
#include <GuiListView.au3>


Global $TITLE = 'Malware Scanner', $VERSION = '1.0.0'

#Region ### START Koda GUI section ### Form=C:\Program Files (x86)\AutoIt3\SciTE\Koda\Forms\Form1.kxf
$formMain = GUICreate($TITLE & ' ' & $VERSION, 762, 376, Default, Default)
GUISetFont(10, 400, 0, "Arial")
$Label1 = GUICtrlCreateLabel("Scan your system for malware's processes:", 8, 8, 257, 20)
$btnScan = GUICtrlCreateButton("&Scan", 8, 32, 83, 25)
GUICtrlSetFont(-1, 10, 800, 0, "Arial")
$btnAbout = GUICtrlCreateButton("&About", 96, 32, 75, 25)
$Group1 = GUICtrlCreateGroup("Result", 8, 64, 745, 305, -1, $WS_EX_TRANSPARENT)
$tabMain = GUICtrlCreateTab(16, 88, 729, 273)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
$tabProcess = GUICtrlCreateTabItem("&Process")
$listProcess = GUICtrlCreateListView("Name|PID|Path", 24, 120, 714, 206)
$hdlListProcess = GUICtrlGetHandle(-1)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 0, 200)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 1, 100)
GUICtrlSendMsg(-1, $LVM_SETCOLUMNWIDTH, 2, 400)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
;$btnKill = GUICtrlCreateButton("&Kill", 584, 328, 75, 25)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
$btnKill = GUICtrlCreateButton("&Kill", 664, 328, 75, 25)
GUICtrlSetFont(-1, 10, 400, 0, "Arial")
GUICtrlCreateTabItem("")
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $btnScan
            _Scan()
        Case $btnKill
            _EndProcess()
        Case $btnAbout
            MsgBox(64, 'About', StringUpper($TITLE) & @CRLF & 'Version: ' & $VERSION & @CRLF & 'Author: logmein (AutoITScript.com)' & @CRLF & 'Special Thanks to: PsaltyDS' & @CRLF & @CRLF & 'To report any suspicious process or false positives, please contact me at: minhthanh.autoit@gmail.com. I appreciate your help!', '', $formMain)
    EndSwitch
WEnd

; Compare the name of every running process with the names listed in
; database.3db (one name per line) and show the matches in the listview.
Func _Scan()
    _GUICtrlListView_DeleteAllItems($hdlListProcess)
    If Not FileExists('database.3db') Then
        MsgBox(32, $TITLE, 'Database not found!', '', $formMain)
        Return
    EndIf

    ProgressOn($TITLE, 'Scanning for suspicious processes...', '', Default, Default, 18)
    $processlist = _ProcessListProperties()
    $read = FileRead('database.3db')
    $split = StringSplit($read, @CRLF)
    If $processlist[0][0] <> 0 Then
        For $i = 1 To $processlist[0][0]
            ProgressSet(Int($i * 100 / $processlist[0][0]), $processlist[$i][0])
            For $u = 1 To $split[0]
                If $processlist[$i][0] = $split[$u] Then ; case-insensitive name comparison
                    $index = _GUICtrlListView_AddItem($hdlListProcess, $processlist[$i][0]) ; name
                    _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][1], 1) ; pid
                    _GUICtrlListView_AddSubItem($hdlListProcess, $index, $processlist[$i][5], 2) ; path
                EndIf
            Next
        Next
    Else
        MsgBox(32, $TITLE, 'Can''t build process list!')
    EndIf
    ProgressOff() ; close the progress window on both paths
EndFunc ;==>_Scan

; Terminate the process currently selected in the listview (after confirmation).
Func _EndProcess()
    $select = _GUICtrlListView_GetSelectedIndices($hdlListProcess, True) ; array: [0] = count, [1] = first selected index
    If $select[0] <> 0 Then
        $Msg = MsgBox(16 + 4, $TITLE, 'Are you sure to end this process? Ending a process will cause undesired result!', '', $formMain)
        If $Msg = 6 Then ; 6 = Yes
            $GetItem = _GUICtrlListView_GetItem($hdlListProcess, $select[1], 1) ; column 1 = PID; [3] holds the item text
            MsgBox(64, $GetItem[3], '') ; debug: show the PID about to be closed
            ProcessClose(Int($GetItem[3])) ; the listview text is a string, so pass the PID as a number
            If Not @error Then
                _GUICtrlListView_DeleteItem($hdlListProcess, $select[1])
                MsgBox(64, $TITLE, 'Process ended!', '', $formMain)
                ;_log($GetItem[3], 5)
            Else
                MsgBox(16, $TITLE, 'Can not end this process!', '', $formMain)
            EndIf
        EndIf
    EndIf
EndFunc ;==>_EndProcess
;===============================================================================
; Function Name: _ProcessListProperties()
; Description: Get various properties of a process, or all processes
; Call With:     _ProcessListProperties( [$Process [, $sComputer]] )
; Parameter(s): (optional) $Process - PID or name of a process, default is "" (all)
;        (optional) $sComputer - remote computer to Get list from, default is local
; Requirement(s): AutoIt v3.2.4.9+
; Return Value(s): On Success - Returns a 2D array of processes, as in ProcessList()
;        with additional columns added:
;        [0][0] - Number of processes listed (can be 0 If no matches found)
;        [1][0] - 1st process name
;        [1][1] - 1st process PID
;        [1][2] - 1st process Parent PID
;        [1][3] - 1st process owner
;        [1][4] - 1st process priority (0 = low, 31 = high)
;        [1][5] - 1st process executable path
;        [1][6] - 1st process CPU usage
;        [1][7] - 1st process memory usage
;        [1][8] - 1st process creation date/time = "MM/DD/YYYY hh:mm:ss" (hh = 00 to 23)
;        [1][9] - 1st process command line string
;        ...
;        [n][0] thru [n][9] - last process properties
; On Failure:    Returns array with [0][0] = 0 and sets @Error to non-zero (see code below)
; Author(s):     PsaltyDS at http://www.autoitscript.com/forum
; Date/Version: 12/01/2009 -- v2.0.4
; Notes:         If an integer PID or string process name is provided and no match is found,
;        Then [0][0] = 0 and @error = 0 (not treated as an error, same as ProcessList)
;        This function requires admin permissions to the target computer.
;        All properties come from the Win32_Process class in WMI.
;        To Get time-base properties (CPU and Memory usage), a 100ms SWbemRefresher is used.
;===============================================================================
Func _ProcessListProperties($Process = "", $sComputer = ".")
    Local $sUserName, $sMsg, $sUserDomain, $dtmDate
    Local $avProcs[1][2] = [[0, ""]], $n = 1

    ; Convert PID If passed as string
    If StringIsInt($Process) Then $Process = Int($Process)

    ; Connect to WMI and Get process objects
    $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate,authenticationLevel=pktPrivacy, (Debug)}!\\" & $sComputer & "\root\cimv2")
    If IsObj($oWMI) Then
        ; Get collection processes from Win32_Process
        If $Process == "" Then
            ; Get all
            $colProcs = $oWMI.ExecQuery("select * from win32_Process")
        ElseIf IsInt($Process) Then
            ; Get by PID
            $colProcs = $oWMI.ExecQuery("select * from win32_Process where ProcessId = " & $Process)
        Else
            ; Get by Name
            $colProcs = $oWMI.ExecQuery("select * from win32_Process where Name = '" & $Process & "'")
        EndIf

        If IsObj($colProcs) Then
            ; Return for no matches
            If $colProcs.count = 0 Then Return $avProcs

            ; Size the array
            ReDim $avProcs[$colProcs.count + 1][10]
            $avProcs[0][0] = UBound($avProcs) - 1

            ; For each process...
            For $oProc In $colProcs
                ; [n][0] = process name
                $avProcs[$n][0] = $oProc.name
                ; [n][1] = process PID
                $avProcs[$n][1] = $oProc.ProcessId
                ; [n][2] = Parent PID
                $avProcs[$n][2] = $oProc.ParentProcessId
                ; [n][3] = owner
                ;If $oProc.GetOwner($sUserName, $sUserDomain) = 0 Then $avProcs[$n][3] = $sUserDomain & "\" & $sUserName
                ; [n][4] = Priority
                $avProcs[$n][4] = $oProc.Priority
                ; [n][5] = Executable path
                $avProcs[$n][5] = $oProc.ExecutablePath
                ; [n][8] = Creation date/time
                $dtmDate = $oProc.CreationDate
                If $dtmDate <> "" Then
                    ; Back referencing RegExp pattern from weaponx
                    Local $sRegExpPatt = "\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:.*)"
                    $dtmDate = StringRegExpReplace($dtmDate, $sRegExpPatt, "$2/$3/$1 $4:$5:$6")
                EndIf
                $avProcs[$n][8] = $dtmDate
                ; [n][9] = Command line string
                $avProcs[$n][9] = $oProc.CommandLine

                ; increment index
                $n += 1
            Next
        Else
            SetError(2); Error getting process collection from WMI
        EndIf
        ; release the collection object
        $colProcs = 0

        ; Get collection of all processes from Win32_PerfFormattedData_PerfProc_Process
        ; Have to use an SWbemRefresher to pull the collection, or all Perf data will be zeros
        Local $oRefresher = ObjCreate("WbemScripting.SWbemRefresher")
        $colProcs = $oRefresher.AddEnum($oWMI, "Win32_PerfFormattedData_PerfProc_Process").objectSet
        $oRefresher.Refresh

        ; Time delay before calling refresher
        Local $iTime = TimerInit()
        Do
            Sleep(20)
        Until TimerDiff($iTime) >= 100
        $oRefresher.Refresh

        ; Get PerfProc data
        For $oProc In $colProcs
            ; Find it in the array
            For $n = 1 To $avProcs[0][0]
                If $avProcs[$n][1] = $oProc.IDProcess Then
                    ; [n][6] = CPU usage
                    $avProcs[$n][6] = $oProc.PercentProcessorTime
                    ; [n][7] = memory usage
                    $avProcs[$n][7] = $oProc.WorkingSet
                    ExitLoop
                EndIf
            Next
        Next
    Else
        SetError(1); Error connecting to WMI
    EndIf

    ; Return array
    Return $avProcs
EndFunc ;==>_ProcessListProperties

And the most important part: the database, see the attached file. Download it, extract it and put it into your @ScriptDir.

Thanks PsaltyDS for your useful script:)

database.zip

Edited by logmein


;It took me for nearly 3 days to complete this database. If you copy, send or re-edit this file, please give a credit: logmein (autoitscript.com). Thanks!
yaemu.exe
msams.exe
winsfc.exe
informe.exe
sqlexp.exe
winshost.exe
ssrms.exe
mmsg.exe
svchostl.exe
wininetd.exe
windll32lib.exe
ntfs64.exe
winzip_tmp.exe
666.exe
svhost.exe
hgqhp.exe
winldr.exe
win24.exe
006.exe
exe82.exe
explorere.exe
004.exe
hloader.exe
intxt.exe
cfsys.dll
hjym.exe
msupdate.dll
zopenssl.dll
inetinfo.exe
menu.dll
data3.exe
vmlib.exe
hacker.exe
w32time.exe
008.exe
word.exe
winword.exe
mscornet.exe
kaboom.dll
namedpipe.exe
ibm00001.exe
lsassa.exe
updatexp.exe
1.exe
sqlscan.exe
ishost.exe
msoff.exe
007.exe
005.exe
ipfw.exe
ctfmon.exe
winlog.dll
wingo.exe
winspector.exe
svchosts.dll
mstasks.exe
ash.dll
szchost.exe
commando.exe
ntsys.exe
service.dll
inst.exe
hpmanager.exe
winexec32.exe
svohcst.exe
hxdef.exe
winlogonn.exe
syspol.exe
sysctl32.dll
logo1_.exe
systool.exe
wupdt.exe
ldr64.dll
wincomp.exe
winrpc.exe
avp.exe
autoupdate.exe
msaa.exe
kernal32.exe
anti_troj.exe
update.exe
lsasss.exe
csrse.exe
fservice.exe
nvctrl.exe
winmain.exe
winsetup.exe
abs.exe
hidr.exe
ntosa32.exe
spoolsvc.exe
ravmond.exe
layer.exe
loader.exe
nm32.exe
gld.exe
lodctr32.exe
wpd.exe
w.exe
winds.exe
sysconf.exe
svchot.exe
winlock.exe
ntdetect.exe
lssas.exe
pictureviewer.exe
tasker.exe
wmon32.exe
2.exe
rundll16.exe
network.exe
mssvc32.exe
csrsc.exe
mspmspv.exe
policy.dll
msmgs.exe
hookdump.exe
nethelper.dll
services32.exe
sservice.exe
nail.exe
msmsg.exe
mdms.exe
lsass32.exe
windir32.exe
regsrv.exe
heat.exe
sfc32.exe
checkreg.exe
easyav.exe
hook.dll
fontview.exe
remote.exe
mm.exe
winlogin.exe
netlib.exe
nvsc32.exe
safemode.exe
fde.dll
wkssvc.exe
n.exe
lcc.exe
npkcsvc.exe
kane.exe
svwhost.exe
eml.exe
mstc.exe
appwiz.dll
winexec.exe
web.exe
skype32.exe
ds.exe
crmss.exe
hot.exe
scardsvr32.exe
hookdll.dll
exp.exe
kl.exe
jammer2nd.exe
shmgrate.exe
wdfmrg.exe
netsvc.exe
ghost.bat
csrcc.exe
ausvc.exe
scvhost.exe
htmdeng.exe
msnlive.exe
berasjatah.exe
lsserv.exe
rpcclient.exe
brengkolang.com
iebtm.exe
dho.exe
dxdiag.exe
cmrss.exe
sms.exe
schedulingagent
loader.dll
desktop.exe
bronstab.exe
csrss32.exe
duel.exe
atipta.exe
phqghume.exe
scrss.exe
msc32.exe
si.exe
poker.exe
wid32.exe
lockx.exe
netsvcs.exe
eksplorasi.exe
skynetave.exe
tool.exe
syshost.exe
internet.exe
mirc32.exe
jif.exe
dcomcfg.exe
crypt32chain.dll
s.exe
file.exe
pmt.exe
office.exe
winhost.exe
csrrs.exe
msgfix.exe
xpsp2.exe
synchost.exe
cmd32.exe
wincomm.exe
cds.exe
csrcs.exe
icon.exe
crsss.exe
sqlserver.exe
sf.exe
stealth.exe
netmon.exe
d.exe
38.exe
cfmon.exe
vdll.dll
stb.exe
pchealth.exe
realupd.exe
srvc32.exe
wudpcom.exe
winmedia32.exe
adobe.exe
nmstt.exe
corpstats.exe
sachostb.exe
sachostp.exe
im_1.exe
browsela.dll
mswinb32.exe
im_2.exe
updtscheduler.exe
xwrm.exe
mswinf32.dll
sachostm.exe
sachostx.exe
sachostc.exe
heomstool.exe
mgsev.exe
mswinb32.dll
mswinf32.exe
intell321.exe
lockbar.exe
winnt.exe
patch.exe
uninstall.exe
winlog.exe
host.exe
agent.exe
a3d.dll
register.exe
ccapp.exe
powerscan.exe
gcc.exe
nvcpl.exe
cmdagent.exe
forcefield.exe
winrar.exe
zip.dll
awt.dll
uxtheme.dll
adg.exe
bantam.dll
wtoolsa.exe
mfc71.dll
command.exe
optimize.exe
s3hotkey.exe
6to4svc.dll
spanish.dll
tvm.exe
radio.exe
sysmonnt.exe
spysweeperui.exe
mediagateway.exe
aupdate.exe
wuaclt.exe
isusweb.dll
play.exe
acgenral.dll
ncprov.dll
iecont.dll
install.exe
nem220.dll
pxwma.dll
adv02nt5.dll
watchdog.exe
ccl30.dll
unwise.exe
starter.exe
termsrv.dll
msvidctl.dll
rasman.exe
shellvrtf.dll
msmsgs.exe
taskmon.exe
windows.exe
wintems.exe
iexplore.exe
msdef.exe
dlhost.exe
lowlvl.dll
cfsbho.dll
linbak.dll
updater.exe
cfs7zd.dll
userinit.exe
wupdmgr.exe
uninst.exe
mssearchnet.exe
service.exe
winstart.exe
cfsupd.dll
ersvc.exe
sqltob.exe
rundll.exe
xpcom_compat.dll
scanregw.exe
internat.exe
msoeres.dll
system.exe
sysmon.exe
asferror.dll
dimm.dll
mdiui.dll
msbind.dll
setup.exe
processquicklink2.exe
wsys.dll
remind_xp.exe
geometry.dll
ativvaxx.dll
authzax.dll
advrcntr.dll
imagehlp.dll
agentpsh.dll
checkup.exe
rundll32.exe
taskmgr.exe
conime.exe
toolbar.dll
pdsched.exe
express.exe
autorun.exe
npjpi142.dll
icsdclt.dll
exec.exe
flash.exe
notify.exe
manager.exe
check.exe
pnagent.exe
mdm.exe
scrsvr.exe
ocxdll.exe
mapisvc32.exe
shine.exe
windefault.exe
microsoft.exe
wupdated.exe
scam32.exe
dllreg.exe
systray32.exe
msmsgri32.exe
lsas.exe
realupd32.exe
mssys.exe
systask32l.exe
spoler.exe
bbgdfvdd.exe
svshost.exe
fvprotect.exe
ska.exe
winsupdater.exe
antiav_exe.exe
tasksys.exe
taskcntr.exe
hjgerhds.exe
sachosts.exe
scchost.exe
msvgr.exe
shell32.exe
srv32.exe
servic.exe
systemdll.exe
antiav.exe
sachostw.exe
svchosl.exe
a65d.exe
winppr32.exe
msconfig32.exe
rundl32.exe
1004270.exe
crss.exe
relatedsetup.exe
1054571.exe
jdbgmrg.exe
schost.exe
lorena.exe
0.exe
game.exe
jawa32.exe
sempalong.exe
winxp.exe
avserve2.exe
avserve.exe
~5e.exe
av.exe
xzz.exe
ta.exe
escan.exe
3.exe
bugsfix.exe
dial.exe
y.exe
autoexec.exe
dwnupdt.exe
usbn.exe
msx.dll
wininfo.exe
dinst.exe
xxx.exe
ps1.exe
checker.exe
net.exe
live.exe
card.exe
supdate.dll
pro.exe
lex.exe
conscorr.exe
009.exe
irasyncd.exe
mstcpmon.exe
ecodec.exe
wincfg32.exe
wfdmgr.exe
gfxacc.exe
hhs32.pif
scrtkfg.exe
beta.exe
scrigz.exe
dodrrr.exe
spvspool.exe
se2ppc4you.exe
consol32.exe
picx.exe
msapp.exe
mirc.exe
ap0.exe
display.exe
bb.exe
sksockserver.exe
mario.exe
~5c.exe
dvpd.dll
~565.exe
wsupdate.exe
drv.exe
cdf.exe
gstartup.exe
fahkpym.exe
f5r4bnh.exe
xfullgames.exe
rhnura.exe
wuactl2.exe
rnocrke.dll
mmbun2.exe
wineyxrm32.dll
pacis.exe
redcross.exe
mmwho.exe
rsyszx2d.exe
toc_0008.exe
qool3.exe
nsh136.exe
bundlersi.exe
activex_300_it.exe
system32win.exe
fjdbfvk.exe
comload.dll
dtloader.exe
dialer.exe
sefer.exe
sysvcs.exe
nrpc.exe
voxdvj.exe
popcorn72.exe

I don't think you have the right idea about what a database is; your database is just a simple text file with process names in it.

On a side note, I have a few processes that use some of those names in there... And they're not malicious.


Things that I've done..

Icon Resource Editor: icon resource editor 

AutoIt Piano: a piano

AutoIt Unlocker: unlocks files when you want to delete them

Colorful tooltips: a wrapper for the tool tips UDF

Rouge GoogleBot: a full screen animation

ASciTE text editor: a text editor written in autoit

Warning: Posts by this user are subject to change or may disappear without notice.


But still, the concept is nice; malware scanners are just complicated things.



This is not a real program, it's just a small tool; I make it as simple as possible for newbies to learn and understand. Moreover, this is an open-source tool, so it's unnecessary to encrypt the database:)


Put your code between [ autoit] tags instead of [ code] tags, let's get some colour in there.

taskmgr.exe > False positive, although sometimes suspect. So it's an edge-case. How are you going to handle those ones?

How many false positives are you getting? Because quickly glancing at the 'database' I can say half the entries are potential false positives. I also spotted a few doubles.

Whether it's open-source or encrypted or not, it's not a database as it contains just one column, the process names. You say "Can detect over 500 malware's known processes.", but that's not true, it simply detects processes, malware or not. taskmgr.exe isn't malware by definition and the process name alone isn't exactly a criterion to draw a conclusion from.

In short, your database is missing relevant data. Consequently, reporting false positives becomes useless, the reported info isn't put to practical use by relating it to the 'malware' entry.

In the case of taskmgr.exe the file path would be a good thing to check next. If it isn't in C:\Windows\System32\ it's suspect.

You could also check its MD5 or SHA256 checksums, they should be pretty reliable too afaik. Win 7 64-bit taskmgr.exe:

MD5 545bf7eaa24a9e062857d0742ec0b28a
SHA256 50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf

Putting it all together and you get a very simple flatfile CSV database like this:

taskmgr.exe,C:\Windows\system32,50f2abb613df4813ce74f3b0df080497f689dfcad11f0fc7cd5ea4cdaf093bdf

But if you want some real database power use the SQLite UDF.

Another thing you could check is the file's digital signature. Win7 has a built-in tool for this, sigverif, or you could get the command line tool signtool.exe from the Windows SDK. Alternatively there's Sysinternals sigcheck.exe. A quick search on Google gives me the idea this can also be done with DLL calls (Wintrust.dll), but I'm not sure about that. I found this C code on the Sysinternals forum, maybe it's of some use to you.

Still, cool concept. Could be interesting to find out how far you can take this in AutoIt. AutoIt exe's get falsely flagged as infected as well, so this could develop into some sweet revenge :)

3. This program is ONLY for advanced users!

I make it as simple as possible for newbies to learn and understand

eh?

Also:

;3 Dec 2012

How's the weather going to be in winter? :)


Spiderskank | GetOpt Parse command line options UDF | AU3Text Program internationalization UDF | Identicon visual hash UDF

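The post above argues that a name-only list cannot separate the real taskmgr.exe from a fake one, and that the next things to check are the file's path and its hash, stored in a name,directory,sha256 flat file. The following is an added example, not code from logmein's tool or from the thread, written in Python rather than AutoIt so it runs anywhere. It parses such a CSV (skipping ';' comment lines like the one at the top of database.3db), then gives each running process one of four verdicts: ok, wrong path, wrong hash, or a lookalike name one character away from a monitored name (the csrss.exe / csrse.exe case mentioned later in the thread). The lookalike check goes beyond the post's own suggestion. All process records, image bytes and hashes are constructed here; no real Windows binaries are involved.

```python
import csv
import hashlib
import io
from pathlib import PureWindowsPath

# Constructed stand-ins for the bytes of known-good binaries (not real Windows files).
GOOD_IMAGES = {
    "taskmgr.exe": b"MZ constructed known-good taskmgr image",
    "csrss.exe": b"MZ constructed known-good csrss image",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed flat-file database in the name,directory,sha256 layout from the post.
# The ';' line mirrors the comment line at the top of the original database.3db.
DATABASE_CSV = "\n".join([
    ";fake-process database, constructed sample",
    f"taskmgr.exe,C:\\Windows\\System32,{sha256_hex(GOOD_IMAGES['taskmgr.exe'])}",
    f"csrss.exe,C:\\Windows\\System32,{sha256_hex(GOOD_IMAGES['csrss.exe'])}",
    "",
])

# Constructed process list standing in for the Win32_Process output (name, full path, image bytes).
SAMPLE_PROCESSES = [
    ("taskmgr.exe", r"C:\Windows\System32\taskmgr.exe", GOOD_IMAGES["taskmgr.exe"]),
    ("taskmgr.exe", r"C:\Users\Public\taskmgr.exe", GOOD_IMAGES["taskmgr.exe"]),
    ("csrse.exe", r"C:\Windows\Temp\csrse.exe", b"MZ something else entirely"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe", b"MZ constructed notepad image"),
]


def load_database(text: str) -> dict:
    """Parse name,directory,sha256 rows into {lowercase name: (lowercase dir, lowercase hash)}."""
    db = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith(";"):  # blank line or ';' comment line
            continue
        if len(row) < 3:
            raise ValueError(f"malformed row: {row!r}")
        name, directory, digest = (field.strip() for field in row[:3])
        db[name.lower()] = (directory.lower(), digest.lower())
    return db


def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # make a the shorter (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution: advance both strings
        j += 1      # extra character in b: skip it
    return edits + (len(b) - j) == 1


def classify(name: str, path: str, image: bytes, db: dict) -> str:
    """Verdict for one running process given its name, full image path and image bytes."""
    key = name.lower()
    if key not in db:
        for known in db:
            if one_edit_apart(key, known):
                return f"lookalike of {known}"  # e.g. csrse.exe imitating csrss.exe
        return "unknown"
    expected_dir, expected_hash = db[key]
    actual_dir = str(PureWindowsPath(path).parent).lower()
    if actual_dir != expected_dir:
        return "suspect: unexpected path"  # right name, wrong location
    if sha256_hex(image) != expected_hash:
        return "suspect: hash mismatch"  # right name and location, different file
    return "ok"


def scan(processes, db: dict) -> list:
    """Return [(name, path, verdict)] for every process record."""
    return [(name, path, classify(name, path, image, db)) for name, path, image in processes]


if __name__ == "__main__":
    for name, path, verdict in scan(SAMPLE_PROCESSES, load_database(DATABASE_CSV)):
        print(f"{name:14} {path:40} {verdict}")
```

On a real machine the image bytes would come from reading the path WMI reports for each process, so a process whose executable was deleted after launch, or whose path is empty, needs a "cannot read image" verdict of its own rather than silently passing.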

Thanks for your help, dany:)

How many false positives are you getting? Because quickly glancing at the 'database' I can say half the entries are potential false positives. I also spotted a few doubles.

My 'database' is created from some fake processes. Example: there is a Windows process named csrss.exe, but many viruses create a fake process: csrse.exe. I think the tool's name should be... Fake Process Scanner:) It's better and much more helpful:)

In short, your database is missing relevant data. Consequently, reporting false positives becomes useless, the reported info isn't put to practical use by relating it to the 'malware' entry.

Uhm... You're right. I'll change the 'database' completely. But it's rather hard because of lack of time. I'm a student at university, and I have to do a lot of social work in my spare time.

;3 Dec 2012

Haha:D my stupid mistake! Sorry for my bad English!

3. This program is ONLY for advanced users!

This is right because it's dangerous to shut down a process. And this tool is not tested much yet!

Finally, thank you, dany!


Hey you're welcome. I hope you can put my suggestions to good use :)

I'll change the 'database' completely.

Before you do, give it some good hard thought, what criteria do you want to use to distinguish a fake process from a real one? Because that's also going to dictate a part of the logic in your code and indeed, what kind of database to use.

Reading CSV (Comma Separated Values) is easy:

Local $sLine, $aFields
Local $hFile = FileOpen('database.csv', 0) ; open read-only; returns -1 if the file can't be opened
If $hFile = -1 Then Exit MsgBox(16, 'CSV', 'Cannot open database.csv')
While 1
    $sLine = FileReadLine($hFile) ; next line from the current file position; @error = -1 at end of file
    If @error = -1 Then ExitLoop
    $aFields = StringSplit($sLine, ',') ; $aFields[0] = field count, [1] = name, [2] = path, [3] = hash
    ; You now have an array $aFields containing info about a single process that you can analyze.
    ; ...
WEnd
FileClose($hFile)

There are a few CSV UDFs available with which you can do more advanced stuff, just search them on the forum.

SQLite will give you far better searching abilities though, and allows for a more efficient implementation. Rather than going through the entire database one line at a time, you'd loop through the current process list and look up each process in the database. If there's an entry, analyze it. If not, go to the next entry. And SQLite is easy to learn!

Take your time. I think you have a cool project on your hands from which you will learn a lot of new tricks. Happy coding!



Thank you! It's very nice of you to help me! I'm learning SQLite now. I want my program to be a simple tool to search for fake process names. It's enough, because analyzing a process deeply needs tons of hard work and good knowledge of programming and antivirus.


This may be good for catching fake spyware-type malware, but the majority of malware nowadays loads DLLs into valid Windows processes like svchost..

not to mention rootkits ;)


I suppose one way you could go with this, combining both ideas, is to have a database of known-good processes.

When you scan, it checks the checksum of the known-good entry against what's on the PC; if it doesn't match, you know it could be bad.

If a process isn't in the known good list but running on the pc, it could ask the user if it's safe or not. If they answer yes, then it could be added to the database.

Might be easier to set up this way than to try and keep up with the ever-growing list of malware.


010101000110100001101001011100110010000001101001011100110010000

001101101011110010010000001110011011010010110011100100001

My Android cat and mouse game
https://play.google.com/store/apps/details?id=com.KaosVisions.WhiskersNSqueek

We're gonna need another Timmy!

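Two suggestions in the thread fit together: dany's point that with SQLite you loop over the running processes and look each one up, instead of reading the whole file for every process, and the known-good idea just above, where a process that is not in the list is put to the user and added if they vouch for it, while a listed name whose checksum differs is flagged. The block below is an added example, not code from the thread or from logmein's tool, written in Python with the standard sqlite3 module so it runs offline. The allowlist table, the process list and the image bytes are all constructed; the ask_user callback stands in for the GUI question.

```python
import hashlib
import sqlite3

# Constructed stand-ins for the bytes of binaries on disk (no real files involved).
KNOWN_GOOD_IMAGES = {
    "svchost.exe": b"MZ constructed known-good svchost image",
    "explorer.exe": b"MZ constructed known-good explorer image",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def open_known_good_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the allowlist table (name -> sha256) and seed it from KNOWN_GOOD_IMAGES."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS known_good (name TEXT PRIMARY KEY, sha256 TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT OR IGNORE INTO known_good (name, sha256) VALUES (?, ?)",
        [(name, sha256_hex(image)) for name, image in KNOWN_GOOD_IMAGES.items()],
    )
    conn.commit()
    return conn


def scan(conn: sqlite3.Connection, processes, ask_user) -> dict:
    """
    processes: iterable of (name, image_bytes) for what is currently running.
    ask_user:  callback(name) -> bool; True means the user vouches for the process.
    Each process is looked up by name with one query on the primary key, so the
    cost grows with the number of running processes, not with the size of the list.
    Returns {lowercase name: verdict}.
    """
    verdicts = {}
    for name, image in processes:
        key = name.lower()
        row = conn.execute("SELECT sha256 FROM known_good WHERE name = ?", (key,)).fetchone()
        if row is None:
            if ask_user(key):
                # User approved it: remember the hash so the next scan recognises this exact file.
                conn.execute("INSERT INTO known_good (name, sha256) VALUES (?, ?)",
                             (key, sha256_hex(image)))
                conn.commit()
                verdicts[key] = "added to known-good"
            else:
                verdicts[key] = "unknown: not approved"
        elif row[0] != sha256_hex(image):
            verdicts[key] = "mismatch: known name, different hash"
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    conn = open_known_good_db()
    # Constructed process list; the console prompt stands in for a GUI question.
    running = [
        ("svchost.exe", KNOWN_GOOD_IMAGES["svchost.exe"]),
        ("Explorer.EXE", b"MZ not the known-good explorer image"),
        ("mytool.exe", b"MZ constructed user tool image"),
    ]

    def prompt(name: str) -> bool:
        answer = input(f"{name} is not in the known-good list. Is it safe? [y/N] ")
        return answer.strip().lower() == "y"

    for name, verdict in scan(conn, running, prompt).items():
        print(f"{name:14} {verdict}")
```

Keep in mind that every Windows Update replaces system binaries, so a hash-keyed allowlist needs re-seeding after patches or it will report mismatches on perfectly good files; checking the Authenticode signature, as dany suggests with sigverif or sigcheck, is the version of this idea that survives updates.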

Thank you! It's very nice of you to help me! I'm learning SQLite now. I want my program to be a simple tool to search for fake process names. It's enough, because analyzing a process deeply needs tons of hard work and good knowledge of programming and antivirus.

Yeah, it's a lot of hard work, but well, that's where the fun is, right? :D


