TomMelee

Program automation TDSS Killer, finding valid Class?

12 posts in this topic

Heya guys. I've been pumping out a ton of scripts to help me at my little IT shop here, but I'm having issues with TDSS Killer. When I run au3info against the active window, it returns almost nothing, which I'm sure is intentional to keep malware from attacking it. I get no Title, for Basic Window Info Class, I just get #32770. No basic control info, although I do get a button ID if I click scan.

Here's what I'm trying to do. It opens tdsskiller and throws no errors.

Run("../Ketarin Apps/tdsskiller.exe -tdlfs -l -qsus")
WinWaitActive("[CLASS:#32770]")
ControlClick("[CLASS:#32770]", "", 1002)

Exit

I've also tried without the #'s.

I can't seem to find applicable documentation pages; any help is appreciated.

What does the button do that you need to press? Have you tried running it with the -silent option of TDSSKiller?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

The button just starts the scan. There's a reason that I don't want to run it in silent after some tests, and I'm having trouble remembering why. I think maybe it's that the log function or something doesn't work if you do that.

You never tell it where to write the log anyway; is there a default log file used if you don't specify one?

The log lives in C: by default. You can automate TDSSKiller whichever way you want. I have scripts for both a manual run (where I make my techs click the button) and one that runs silently and warns you when an infection is found. This will log to whatever path you want, and start with the option "detect TDLFS" (which I recommend).

Requires interaction:

ShellExecute($PathToTDSSKiller, "-l " & '"' & $PathToYourLogDirectory & "TDSSKiller.log" & '"' & " -tdlfs", "")

I have to look for the one with no interaction but that should get you started.

The -qsus switch is honestly a really bad idea. There is nothing out there that is horribly bricking machines at the moment, but TDSSKiller is sketchy at best to automate removal with. Best be careful for the sake of whoever's PC you are repairing.

Edited by 0xdefea7

If you don't specify a path but you specify -l, it writes to the directory it was called from, in this case, my big ass portable drive with all my utilities on it where it pulls the .exe from.

From what I can see, wayfarer, yours still requires you to click the scan button, no? I'll go ahead and pull the -qsus. The script works fine w/o using ShellExecute, btw. I pass a lot of switches w/o using ShellExecute... unless there's something I'm not seeing in that snippet.

I'd try it with the -silent option and see if you can figure out why you opted not to use it instead of trying to recall it.

Ok, so I sorted it out kind of but not really. I was putting the -silent behind the -l, which meant that it was dumping a log called -silent, heh. Duh.

So now I've got it working fine, I just moved -silent to the front of the string, but since my system is clean I have no idea what it does to show me if there are problems and it's running in silent mode. Any ideas on that one?

Here is my code from a tool that I wrote. The _UpdateLog functions can be removed:

#include <Array.au3>
#include <File.au3>

Func TDSSKiller()

;~  Returns 0 on 'Clean'
;~  Returns 1 on 'Infection Found'
;~  Returns 2 if error reading log

    Local $sTDSSRemote = "http://support.kaspersky.com/downloads/utils/tdsskiller.exe"
    Local $sTDSSLocal = @TempDir & "\QuickScan\TDSSKiller.exe"
    Local $sLogPath = @TempDir & "\QuickScan\Logs\TDSSKiller.log"
    Local $aTDSSLog, $aReport[3], $found = 0
    Local $iStrPos, $iLength, $sFileFound

    ; Download() and _UpdateLog() are helpers from the poster's own tool (not shown here);
    ; $Log_Summary is that tool's global path to its summary log.
    Download($sTDSSRemote, $sTDSSLocal)
    DirCreate(@TempDir & "\QuickScan\Logs") ; make sure the log directory exists before -l points at it

    If FileExists($sTDSSLocal) Then
        ; -silent must come before -l, otherwise TDSSKiller writes a log named "-silent" (see the post above).
        ; Both paths are quoted individually so a space in @TempDir cannot split them.
        RunWait('"' & $sTDSSLocal & '" -tdlfs -silent -l "' & $sLogPath & '"', "", @SW_HIDE)
        If FileExists($sLogPath) Then
            If Not _FileReadToArray($sLogPath, $aTDSSLog) Then
                MsgBox(16, "QuickScan", "Error reading TDSSKiller log to array.")
                Return 2
            Else
                ; $aTDSSLog[0] holds the line count; StringInStr is case-insensitive by default
                For $i = 1 To UBound($aTDSSLog) - 1
                    If StringInStr($aTDSSLog[$i], "Suspicious") Then
                        ; StringTrimLeft(..., 20) drops the timestamp prefix of the log line
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "infected") Then
                        ; keep only the text between the prefix and the "(" that opens the verdict
                        $iStrPos = Abs(StringInStr($aTDSSLog[$i], "(")) - 1
                        $iLength = Abs(StringLen($aTDSSLog[$i])) + 1
                        $sFileFound = StringTrimLeft(StringTrimRight($aTDSSLog[$i], $iLength - $iStrPos), 20)
                        If Not _ArrayAdd($aReport, "File: " & $sFileFound & ".sys") Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    ElseIf StringInStr($aTDSSLog[$i], "detected") Then
                        If Not _ArrayAdd($aReport, StringTrimLeft($aTDSSLog[$i], 20)) Then MsgBox(16, '', 'Error adding to array.')
                        $found = 1
                    EndIf
                Next
            EndIf
        EndIf
    EndIf

;~  _ArrayDisplay($aReport)

    If $found = 1 Then
        _UpdateLog("TDSSKiller found rootkits:")
        _UpdateLog("")
        For $i = 0 To UBound($aReport) - 1
            If $aReport[$i] = "" Then ContinueLoop ; skip the three empty slots $aReport was declared with
            _UpdateLog(Chr(9) & $aReport[$i]) ;Write to the log file from the array
        Next
        ShellExecute("notepad.exe", $Log_Summary)
    Else
        _UpdateLog("TDSSKiller scan complete.")
        _UpdateLog("")
    EndIf

    Return $found

EndFunc   ;==>TDSSKiller
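The same log classification as an added example in Python (not the poster's tool and not TDSSKiller's own code): the log lines are constructed, the 20-character timestamp prefix is an assumption carried over from the AutoIt code, and build_command() keeps -silent ahead of -l as the thread found necessary.

```python
from typing import List, Optional, Tuple

CLEAN, FOUND, LOG_ERROR = 0, 1, 2   # same return codes as the AutoIt TDSSKiller() above
PREFIX_WIDTH = 20                   # assumed width of the timestamp prefix the AutoIt code trims

# Constructed sample log: the line shapes are assumptions, not real TDSSKiller output.
# Each line starts with a 20-character "date time " prefix so the trim below matches.
SAMPLE_LOG = (
    "2013/05/01 12:00:01 Scan started\n"
    r"2013/05/01 12:00:02 C:\Windows\system32\drivers\atapi.sys ( infected: Rootkit.Win32.TDSS )" "\n"
    "2013/05/01 12:00:03 Suspicious object: hidden service\n"
    "2013/05/01 12:00:04 Scan finished\n"
)


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (kind, detail) for a flagged line, None otherwise.

    AutoIt's StringInStr is case-insensitive by default, so compare lowercased.
    """
    body = line[PREFIX_WIDTH:].rstrip()
    low = body.lower()
    if "suspicious" in low:
        return ("suspicious", body)
    if "infected" in low:
        # Keep only the text before "(", which is what the StringTrimRight arithmetic does.
        return ("infected", body.split("(", 1)[0].strip())
    if "detected" in low:
        return ("detected", body)
    return None


def parse_log(text: str) -> Tuple[int, List[Tuple[str, str]]]:
    """CLEAN/FOUND plus the list of flagged findings for a log already read into memory."""
    report = [hit for hit in map(classify_line, text.splitlines()) if hit]
    return (FOUND if report else CLEAN), report


def scan_status(log_path: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Read the log written by -l; LOG_ERROR when it cannot be read, else parse it."""
    try:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return LOG_ERROR, []
    return parse_log(text)


def build_command(exe: str, log_path: str) -> List[str]:
    """Argument order matters: "-l -silent" made TDSSKiller write a log named "-silent"."""
    return [exe, "-tdlfs", "-silent", "-l", log_path]
```

Passing the list from build_command() to subprocess.run() avoids the hand-built quoting of the RunWait line entirely.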

Holy crap that's elegant. I'm nowhere near ready to parse strings from logfiles yet, but this is a fantastic example of how to do it. I'm still struggling with creating a GUI, lol.

Thanks!

TomMelee,

You might want to check out the included form designer of the ISN AutoIt Studio AutoIt IDE. It's in beta, but it's maturing nicely and it makes it MUCH easier to create GUIs!

Thanks TXTechie. I was looking at Koda, but having trouble finding a n00b guide for it. I was expecting OnClick to work like MS Access, but it doesn't seem to. I'm sure it's easy, but I'm not catching on. I'll check this out and see what I see.
