iamtheky Posted March 22, 2016

A couple of protections I would like to see implemented in an AutoIt script:

1) Create a service(s) that cannot be killed. A pair that watch each other is fine; I think tm may even have 3 or 4 that all do that.

2) There are folders with Everyone-Full Control ACLs. I'm admin, I can takeown, I can set myself as Full Control and delete the Everyone group. I cannot, however, rename, modify, nor delete any of these files or folders. How the crap? It even taunts me and says I have to ask my currently logged on account for permissions, and then denies me. If you can mimic that, that would be neat.
orbs Posted March 22, 2016

@iamtheky, four hours since your OP, still no response. That can either be because the dev/admin/mod teams are still fast asleep, or they are in total bewilderment as to what-the-hell-are-you-thinking.

You have been here long enough – and moreover, you are a sys.admin! – to know that what you are asking is straight-out malicious. That is obvious for your first comment, not so obvious but still true for the second one. And yes, even an enterprise the size of Microsoft can demonstrate behaviour that can be considered malicious by users and admins; see GWX and Windows 10 upgrade promotion methods, for example.

Now let yourself contradict yourself:

4 hours ago, iamtheky said:
... I'm admin ... I cannot however rename, modify, nor delete any of these files or folders, how the crap? ... If you can mimic that, that would be neat.

You describe an annoying situation that someone imposed on you, then you want to reproduce it to impose it on your users as well?

As for the unstoppable service - how can that NOT be considered malicious? Technically, a watchdog service/process can be easily circumvented (with adequate permissions) - by terminating the entire process tree, for example. The most "unstoppable" behaviour you can achieve is to write the service to run as a kernel driver. If you feel adventurous, by all means go ahead - no one will stop you. But ethically, I doubt anyone here is able to assist you in clear conscience with any of your ideas.
iamtheky (Author) Posted March 22, 2016 (edited)

You misunderstand. AV is not malicious, nor is building watchdog services or cacls. I have many, many ways to do this, but was wondering if anyone knows this particular mechanism. This is academic; I only point out that I am admin, in that I could undo this with Napalm if desired. If a mod deems that an answer to this could be used maliciously they will lock it, but thank you for your concern and you may want to read this:

Edited March 22, 2016 by iamtheky