ur

How to get target path of a process


How to retrieve the target executable path from a process.

My system is affected by the IMG001.exe virus, and I remove the folders it creates daily, but it still creates the folders every time I log in to my PC.

My Antivirus is not detecting it.


So I thought of creating a process in AutoIt to check for the process name IMG001.exe and write the process's target exe to a log file, so that I can track where it is putting these files.

With ProcessExists("process"), I can get the process ID.

But how do I get the target location of the executable of the process?

1 hour ago, Deye said:

In the help file: _WinAPI_GetProcessFileName()

Thanks Deye.

I need one more bit of help.

When I try to delete the file, it does not get deleted once I kill the process.

So I have kept a 2-second wait for now.

But if I launch multiple copies of the file at the same time, then I get the same issue again.

Is there any force delete option?

Below is the copy of my script.

IMG001 Deleter.au3


Something like this..

 

#include <WinAPIProc.au3>

; Enumerate every running instance of img001.exe (ProcessList is case-insensitive).
; Row 0 holds the count; each following row holds [name, PID].
Local $iID, $file, $parentID, $parentFile, $a_process = ProcessList("img001.exe")
For $i = 1 To $a_process[0][0]
    $iID = $a_process[$i][1]                     ; PID of this instance
    $parentID = _WinAPI_GetParentProcess($iID)   ; PID of the process that launched it
    $file = _WinAPI_GetProcessFileName($iID)     ; full path of the running image
    ProcessClose($iID)                           ; terminate it before touching the file
    FileSetAttrib($file, "-RASHNOT")             ; clear read-only/hidden/system etc. so the delete can succeed
    FileDelete($file)
    $parentFile = _WinAPI_GetProcessFileName($parentID)
;~  ProcessClose($parentID)                      ; left disabled: the parent may be a legitimate process
;~  FileSetAttrib($parentFile, "-RASHNOT")
;~  FileDelete($parentFile)
    MsgBox(0, $parentID, $parentFile)            ; show which process started it
Next

 

Edited by Deye


I kept the exe running in the background, but it is still not able to track the process which created these folders.

Is there any way to get details of which process created a folder?


Once infected by malware, a machine is compromised, unsafe, and must be regarded as an unreliable liar (about acting as expected).

Please delete this file.
Done! (ROTFL, he believes I'll do that!)
Please kill this process.
Done! (Keep on expecting that!)

When the leader of the armies is known to have agreed with the enemy, you shouldn't be surprised if your guys pitifully lose the war under his leadership, despite reports that they made amazing progress daily.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)


@jchd thanks for the input.

I have deleted this file already, but it is getting created daily.

Even the antivirus is not able to delete it.

Windows Defender does delete this file, but it is regenerated daily.

It seems some other process is generating this file, which Windows Defender is also not able to detect.

So is there any possibility of backtracking the folders by seeing which process created them, and deleting the malicious file?


If you still want to trust the untrustable, you can use Process Explorer to do that.



Process Explorer will show the running processes, but I need the process or program which created the folder. Is it possible to get that?


NTFS doesn't keep a history of which PID created an entry, AFAIK. You need a full-featured journaling file system for that.

Process Explorer lets you see which files a process accesses.


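An added example of the logging approach the thread is after, written in PowerShell rather than AutoIt (my code, not from the thread or the AutoIt project): it records every process start with its image path and parent, and every new entry created under a watched folder, so the two can be lined up by timestamp in one log file. It assumes PowerShell 5.1 or later run as administrator on the affected machine; $WatchDir and $LogFile are placeholders to adjust.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1+ run as administrator;
# $WatchDir and $LogFile are placeholders to adapt to the affected machine.
$global:WatchDir = 'C:\Users\Public'                 # placeholder: where the unwanted folders appear
$global:LogFile  = Join-Path $env:TEMP 'creation-trace.log'

function global:Write-Trace([string]$Line) {
    ('{0:u}  {1}' -f (Get-Date), $Line) | Out-File -FilePath $global:LogFile -Append -Encoding utf8
}

# Snapshot of every process with image path, parent and start time: the same data
# Deye's script pulls for one process name, here for all processes at once.
function Get-ProcessTable {
    $all = Get-CimInstance Win32_Process
    foreach ($p in $all) {
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        [pscustomobject]@{
            Pid = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath
            ParentPid = $p.ParentProcessId; ParentPath = $parent.ExecutablePath
            Started = $p.CreationDate; CommandLine = $p.CommandLine
        }
    }
}

# Record every process start as it happens (WMI intrinsic event, polled each second),
# so a short-lived process that exits before a ProcessList() poll still leaves a trace.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $query -SourceIdentifier ProcStart -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Trace ('PROCESS pid={0} parent={1} path={2} cmd={3}' -f $p.ProcessId, $p.ParentProcessId, $p.ExecutablePath, $p.CommandLine)
} | Out-Null

# Record each new file or folder under the watched directory; the PROCESS lines logged
# just before a CREATED line are the candidates that created it.
$fsw = New-Object System.IO.FileSystemWatcher $global:WatchDir
$fsw.IncludeSubdirectories = $true
$fsw.EnableRaisingEvents = $true
Register-ObjectEvent -InputObject $fsw -EventName Created -SourceIdentifier DirCreated -Action {
    Write-Trace ('CREATED {0}' -f $Event.SourceEventArgs.FullPath)
} | Out-Null

Write-Trace '--- baseline ---'
Get-ProcessTable | ForEach-Object { Write-Trace ('RUNNING pid={0} parent={1} path={2}' -f $_.Pid, $_.ParentPid, $_.Path) }
Write-Host "Logging to $global:LogFile; press Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

As jchd points out, a log gathered on the infected machine itself is only a lead, not proof; the CREATED/PROCESS pairing narrows down which image to examine from a clean boot.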

I agree with jchd about trying to run programs to handle the virus on a diseased machine. If anything, at least make a bootable USB on a clean machine to scan your system after booting from the flash drive. On a clean PC you can download the Avast trial version and make a bootable flash drive with the current AV database. Boot your infected PC from the flash drive and run the scan.

 

I assume source code backups were made when the PC was still clean?

 


