Jump to content

Program automation TDSS Killer, finding valid Class?

TomMelee
 Share
Go to solution Solved by 0xdefea7,

Recommended Posts

TomMelee Seeker

TomMelee

Posted
Posted

Heya guys. I've been pumping out a ton of scripts to help me at my little IT shop here, but I'm having issues with TDSS Killer. When I run au3info against the active window, it returns almost nothing, which I'm sure is intentional to keep malware from attacking it. I get no Title, for Basic Window Info Class, I just get #32770. No basic control info, although I do get a button ID if I click scan.

Here's what I'm trying to do. It opens tdsskiller and throws no errors.

Run("../Ketarin Apps/tdsskiller.exe -tdlfs -l -qsus")
WinWaitActive("[CLASS:#32770]")
ControlClick("[CLASS:#32770]", "", 1002)

Exit

I've also tried without the #'s.

I can't seem to find applicable documentation pages, any help is appreciated.

BrewManNH Universalist

BrewManNH

Posted
Posted

What does the button do that you need to press? Have you tried running it with the -silent option of TDSSKiller?

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

TomMelee Seeker

TomMelee

Posted
  • Author
Posted

The button just starts the scan. There's a reason that I don't want to run it in silent after some tests, and I'm having trouble remembering why. I think maybe it's that the log function or something doesn't work if you do that.

BrewManNH Universalist

BrewManNH

Posted
Posted

You never tell it where to write the log anyways, is there a default log file used if you don't specify one?

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

0xdefea7 Prodigy

0xdefea7

Posted
Posted (edited)

The log lives in C: by default. You can automate TDSSKiller whichever way you want, I have scripts for both manual run (where I make my techs click the button), or one that runs silently and warns you when infection is found. This will log to whatever path you want, and start with the option "decect TDLFS" (which I recommend)

Requires interaction:

ShellExecute($PathToTDSSKiller, "-l " & '"' & $PathToYourLogDirectory & "TDSSKiller.log" & '"' & " -tdlfs", "")

I have to look for the one with no interaction but that should get you started.

the -qsus switch is honestly a really bad idea. There is nothing out that is horribly bricking machines at the moment, but TDSSKiller is sketchy at best to automate removal with. Best be careful for the sake of whoever's PC you are repairing.

Edited by 0xdefea7
TomMelee Seeker

TomMelee

Posted
  • Author
Posted

If you don't specify a path but you specify -l, it writes to the directory it was called from, in this case, my big ass portable drive with all my utilities on it where it pulls the .exe from.

From what I can see wayfarer, yours still requires you to click the scan button, no? I'll go ahead and pull the qsus---script works fine w/o using shellexecute, btw. I pass a lot of switches w/o using shellexecute...unless there's something I'm not seeing in that snippet.

BrewManNH Universalist

BrewManNH

Posted
Posted

I'd try it with the -silent option and see if you can figure out why you opted not to use it instead of trying to recall it.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

TomMelee Seeker

TomMelee

Posted
  • Author
Posted

Ok, so I sorted it out kind of but not really. I was putting the -silent behind the -l, which meant that it was dumping a log called -silent, heh. Duh.

So now I've got it working fine, I just moved -silent to the front of the string, but since my system is clean I have no idea what it does to show me if there are problems and it's running in silent mode. Any ideas on that one?

  • Solution
0xdefea7 Prodigy

0xdefea7

Posted
  • Solution
Posted

Here is my code from a tool that I wrote. The _UpdateLog functions can be removed:

Func TDSSKiller()

;~  Returns 0 on 'Clean'
;~  Returns 1 on 'Infection Found'
;~  Returns 2 if error reading log

    Local $sTDSSRemote = "http://support.kaspersky.com/downloads/utils/tdsskiller.exe"
    Local $sTDSSLocal = @TempDir & "\QuickScan\TDSSKiller.exe"
    Local $sLogPath = @TempDir & "\QuickScan\Logs\TDSSKiller.log"
    Local $aTDSSLog
    Local $aTDSSLog, $aReport[3], $found = 0

    Download($sTDSSRemote, $sTDSSLocal)

    If FileExists($sTDSSLocal) Then
        RunWait(@ComSpec & ' /c ' & '"' & $sTDSSLocal & ' -tdlfs -silent -l ' & '"' & $sLogPath & '"', "", @SW_HIDE)
        If FileExists($sLogPath) Then
            If Not _FileReadToArray($sLogPath, $aTDSSLog) Then
                MsgBox(16, "QuickScan", "Error reading TDSSKiller log to array.")
                Return 2
            Else
                For $i = 1 To UBound($aTDSSLog) - 1
                    If StringInStr($aTDSSLog[$i], "Suspicious") Then
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "infected") Then
                        $iStrPos = Abs(StringInStr($aTDSSLog[$i], "(")) - 1
                        $iLength = Abs(StringLen($aTDSSLog[$i])) + 1
                        $sFileFound = StringTrimLeft(StringTrimRight($aTDSSLog[$i], $iLength - $iStrPos), 20)
                        If Not _ArrayAdd($aReport, "File: " & $sFileFound & ".sys") Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "detected") Then
                        $iStrPos = StringInStr($aTDSSLog[$i], "-")
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    EndIf
                Next
            EndIf
        EndIf
    EndIf

;~  _ArrayDisplay($aReport)

    If $found = 1 Then
        _UpdateLog("TDSSKiller found rootkits:")
        _UpdateLog("")
        For $i = 0 To UBound($aReport) - 1
            If $aReport[$i] = "" Then ContinueLoop
            _UpdateLog(Chr(9) & $aReport[$i]) ;Write to the log file from the array
        Next
        ShellExecute("notepad.exe", $Log_Summary)
    Else
        _UpdateLog("TDSSKiller scan complete.")
        _UpdateLog("")
    EndIf

    Return $found

EndFunc   ;==>TDSSKiller
TomMelee Seeker

TomMelee

Posted
  • Author
Posted

Holy crap that's elegant. I'm nowhere near ready to parse strings from logfiles yet, but this is a fantastic example of how to do it. I'm still struggling with creating a GUI, lol.

Thanks!

TomMelee Seeker

TomMelee

Posted
  • Author
Posted

TomMelee,

You might want to check out the included form designer of the >ISN AutoIt Studio AutoIt IDE. It's in beta, but it's maturing nicely and it makes it MUCH easier to create GUIs!

Thanks TXTechie. I was looking at Koda, but having trouble finding a n00b guide for it. I was expecting OnClick to work like MS Access, but it doesn't seem to. I'm sure it's easy, but I'm not catching on. I'll check this out and see what I see.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...