TomMelee

Program automation TDSS Killer, finding valid Class?

12 posts in this topic

Heya guys. I've been pumping out a ton of scripts to help me at my little IT shop here, but I'm having issues with TDSS Killer. When I run au3info against the active window, it returns almost nothing, which I'm sure is intentional to keep malware from attacking it. I get no Title; for Basic Window Info Class, I just get #32770. No basic control info, although I do get a button ID if I click scan.

Here's what I'm trying to do. It opens tdsskiller and throws no errors.

; Launch TDSSKiller with its switches (note: -l takes a log path, so here "-qsus" becomes the log name)
Run("../Ketarin Apps/tdsskiller.exe -tdlfs -l -qsus")
; #32770 is the generic Windows dialog class, so this matches any standard dialog
WinWaitActive("[CLASS:#32770]")
; Control ID 1002 is the button ID reported by au3info for the Scan button
ControlClick("[CLASS:#32770]", "", 1002)

Exit

I've also tried without the #'s.

I can't seem to find applicable documentation pages, any help is appreciated.


What does the button do that you need to press? Have you tried running it with the -silent option of TDSSKiller?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


The button just starts the scan. There's a reason that I don't want to run it in silent after some tests, and I'm having trouble remembering why. I think maybe it's that the log function or something doesn't work if you do that.


You never tell it where to write the log anyway; is there a default log file used if you don't specify one?




The log lives in C: by default. You can automate TDSSKiller whichever way you want. I have scripts for both a manual run (where I make my techs click the button) and one that runs silently and warns you when an infection is found. This will log to whatever path you want, and start with the option "detect TDLFS" (which I recommend).

Requires interaction:

ShellExecute($PathToTDSSKiller, "-l " & '"' & $PathToYourLogDirectory & "TDSSKiller.log" & '"' & " -tdlfs", "")

I have to look for the one with no interaction but that should get you started.

The -qsus switch is honestly a really bad idea. There is nothing out there that is horribly bricking machines at the moment, but TDSSKiller is sketchy at best to automate removal with. Best be careful for the sake of whoever's PC you are repairing.

Edited by 0xdefea7


If you don't specify a path but you specify -l, it writes to the directory it was called from, in this case, my big ass portable drive with all my utilities on it where it pulls the .exe from.

From what I can see wayfarer, yours still requires you to click the scan button, no? I'll go ahead and pull the qsus---script works fine w/o using shellexecute, btw. I pass a lot of switches w/o using shellexecute...unless there's something I'm not seeing in that snippet.


I'd try it with the -silent option and see if you can figure out why you opted not to use it instead of trying to recall it.



Ok, so I sorted it out kind of but not really. I was putting the -silent behind the -l, which meant that it was dumping a log called -silent, heh. Duh.

So now I've got it working fine, I just moved -silent to the front of the string, but since my system is clean I have no idea what it does to show me if there are problems and it's running in silent mode. Any ideas on that one?


Here is my code from a tool that I wrote. The _UpdateLog functions can be removed:

#include <Array.au3>
#include <File.au3>

Func TDSSKiller()

;~  Returns 0 on 'Clean'
;~  Returns 1 on 'Infection Found'
;~  Returns 2 if error reading log
;~  Download(), _UpdateLog() and $Log_Summary come from the rest of the tool this was taken from

    Local $sTDSSRemote = "http://support.kaspersky.com/downloads/utils/tdsskiller.exe"
    Local $sTDSSLocal = @TempDir & "\QuickScan\TDSSKiller.exe"
    Local $sLogPath = @TempDir & "\QuickScan\Logs\TDSSKiller.log"
    Local $aTDSSLog, $aReport[3], $found = 0
    Local $i, $iStrPos, $iLength, $sFileFound

    Download($sTDSSRemote, $sTDSSLocal)

    If FileExists($sTDSSLocal) Then
        ; Quote the exe path and the log path separately (a @TempDir containing spaces breaks otherwise);
        ; -silent must come before -l, or the log ends up in a file named "-silent"
        RunWait('"' & $sTDSSLocal & '" -tdlfs -silent -l "' & $sLogPath & '"', "", @SW_HIDE)
        If FileExists($sLogPath) Then
            If Not _FileReadToArray($sLogPath, $aTDSSLog) Then
                MsgBox(16, "QuickScan", "Error reading TDSSKiller log to array.")
                Return 2
            Else
                For $i = 1 To UBound($aTDSSLog) - 1 ; element 0 holds the line count
                    If StringInStr($aTDSSLog[$i], "Suspicious") Then
                        ; Drop the 20-character timestamp/PID prefix and keep the message
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "infected") Then
                        ; Keep the driver name: the text after the prefix and before the " (" that follows it
                        $iStrPos = Abs(StringInStr($aTDSSLog[$i], "(")) - 1
                        $iLength = Abs(StringLen($aTDSSLog[$i])) + 1
                        $sFileFound = StringTrimLeft(StringTrimRight($aTDSSLog[$i], $iLength - $iStrPos), 20)
                        If Not _ArrayAdd($aReport, "File: " & $sFileFound & ".sys") Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "detected") Then
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    EndIf
                Next
            EndIf
        EndIf
    EndIf

;~  _ArrayDisplay($aReport)

    If $found = 1 Then
        _UpdateLog("TDSSKiller found rootkits:")
        _UpdateLog("")
        For $i = 0 To UBound($aReport) - 1
            If $aReport[$i] = "" Then ContinueLoop ; skip the empty slots $aReport[3] started with
            _UpdateLog(Chr(9) & $aReport[$i]) ;Write to the log file from the array
        Next
        ShellExecute("notepad.exe", $Log_Summary) ; $Log_Summary is the tool's summary log path
    Else
        _UpdateLog("TDSSKiller scan complete.")
        _UpdateLog("")
    EndIf

    Return $found

EndFunc   ;==>TDSSKiller

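As an added example (not code from this thread or from the tool above), here is the silent-run-then-check-the-log approach asked about in the "-silent" post, built with the switch order that post found (-silent before -l) and a regex-based log parser instead of fixed 20-character trims. The exe and log paths are placeholders, and the sample log lines and their layout (timestamp, PID, message) are constructed for the demo, not taken from a real TDSSKiller log.

```autoit
; Added example: not code from the thread. Exe/log paths are placeholders and the
; sample log lines plus their layout (timestamp, PID, message) are constructed.
#include <Array.au3>
#include <File.au3>

; Build the command line: both paths quoted (so a @TempDir with spaces works) and
; -silent placed before -l, since "-l -silent" writes the log to a file named "-silent".
Func _TDSSCmdLine($sExe, $sLog, $bSilent = True, $bTdlfs = True)
    Local $sCmd = '"' & $sExe & '"'
    If $bSilent Then $sCmd &= ' -silent'
    If $bTdlfs Then $sCmd &= ' -tdlfs'
    Return $sCmd & ' -l "' & $sLog & '"'
EndFunc   ;==>_TDSSCmdLine

; Run the scan hidden and read the log back; returns 0 if no log was produced.
Func _TDSSRunAndReadLog($sExe, $sLog)
    Local $aLines
    RunWait(_TDSSCmdLine($sExe, $sLog), "", @SW_HIDE)
    If Not FileExists($sLog) Then Return 0
    If Not _FileReadToArray($sLog, $aLines) Then Return 0
    Return $aLines
EndFunc   ;==>_TDSSRunAndReadLog

; Collect lines that report something. The timestamp/PID prefix is removed with a
; regex rather than a fixed 20-character trim, so a wider prefix does not shift the text.
Func _TDSSFindings(ByRef $aLines)
    Local $aFindings[0], $aMatch, $i
    For $i = 1 To UBound($aLines) - 1 ; element 0 is the line count
        If Not StringRegExp($aLines[$i], "(?i)suspicious|infected|detected") Then ContinueLoop
        $aMatch = StringRegExp($aLines[$i], "^\S+\s+\S+\s+(.*)$", 1)
        If @error Then
            _ArrayAdd($aFindings, $aLines[$i]) ; unexpected layout: keep the whole line
        Else
            _ArrayAdd($aFindings, $aMatch[0])
        EndIf
    Next
    Return $aFindings
EndFunc   ;==>_TDSSFindings

; Offline demo on constructed lines in the same shape _FileReadToArray returns.
Global $aSample[4] = [3, _
        "12:00:01.0001 1234 TDSS rootkit removing tool started", _
        "12:00:09.0002 1234 Suspicious object found: C:\Windows\System32\drivers\example.sys", _
        "12:00:10.0003 1234 Scan finished"]
Global $aHits = _TDSSFindings($aSample)
If UBound($aHits) Then
    _ArrayDisplay($aHits, "TDSSKiller findings")
Else
    MsgBox(64, "TDSSKiller", "Scan complete, nothing reported.")
EndIf
```

For a real run, replace the demo block with `$aLines = _TDSSRunAndReadLog($sExe, $sLog)` and pass the result to `_TDSSFindings` after checking it is not 0.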

Holy crap that's elegant. I'm nowhere near ready to parse strings from logfiles yet, but this is a fantastic example of how to do it. I'm still struggling with creating a GUI, lol.

Thanks!


TomMelee,

You might want to check out the included form designer of the ISN AutoIt Studio AutoIt IDE. It's in beta, but it's maturing nicely and it makes it MUCH easier to create GUIs!


Thanks TXTechie. I was looking at Koda, but having trouble finding a n00b guide for it. I was expecting OnClick to work like MS Access, but it doesn't seem to. I'm sure it's easy, but I'm not catching on. I'll check this out and see what I see.

