ur

How to get target path of a process

11 posts in this topic

#1 ·  Posted

How to retrieve the target executable path from a process.

My system is affected with IMG001.exe virus and I remove the folders created by it daily but still it is creating the folders every time I login to my PC.

My Antivirus is not detecting it.

[screenshot attachment: 11.JPG]

So I thought to create a process in AutoIT to check for the process name IMG001.exe and retrieve the process target exe to a log file, so that I can track where it is putting these files.

With ProcessExists("process"), I can get the process ID.

But how to get the target location of the executable of the process?




#2 ·  Posted

In the help file: _WinAPI_GetProcessFileName()


#3 ·  Posted

1 hour ago, Deye said:

In the help file: _WinAPI_GetProcessFileName()

Thanks Deye..

I need one more help.

When I am trying to delete the file, it is not getting deleted once I kill the process.

So I kept 2 seconds wait at present.

But if I launch multiple copies of the file at the same time, then I am getting the same issue again.

Is there any force delete option?

Below is the copy of my script.

IMG001 Deleter.au3


#4 ·  Posted (edited)

Something like this..

 

#include <WinAPIProc.au3>

Local $iID, $file, $parentID, $parentFile, $a_process = ProcessList("img001.exe")
For $i = 1 To $a_process[0][0]
    $iID = $a_process[$i][1]
    $parentID = _WinAPI_GetParentProcess($iID)
    $file = _WinAPI_GetProcessFileName($iID)
    ProcessClose($iID)
    FileSetAttrib($file, "-RASHNOT")
    FileDelete($file)
    $parentFile = _WinAPI_GetProcessFileName($parentID)
;~  ProcessClose($parentID)
;~  FileSetAttrib($parentFile, "-RASHNOT")
;~  FileDelete($parentFile)
    MsgBox(0, $parentID, $parentFile)
Next

 

Edited by Deye
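Building on the snippet above and the log-file idea from the first post, here is an added example (not code from this thread) that writes each instance's image path and its parent chain to a log before terminating it, and waits for the exit instead of a fixed Sleep. The names $sTarget, $sLog, the log location and the depth limit are assumptions.

```autoit
#include <WinAPIProc.au3>

; Assumed names: the process to watch and the trace log next to the script.
Global Const $sTarget = "IMG001.exe"
Global Const $sLog = @ScriptDir & "\img001_trace.log"

; Append one timestamped line to the log file.
Func _Log($sText)
    Local $sStamp = @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC
    FileWriteLine($sLog, $sStamp & "  " & $sText)
EndFunc

; Log the image path of $iPID and of its ancestors (up to $iDepth levels) so the
; log shows which program launched the suspicious process. Caveat: if an ancestor
; has already exited, its PID may have been reused by an unrelated process.
Func _LogProcessChain($iPID, $iDepth = 4)
    Local $sIndent = ""
    While $iPID > 0 And $iDepth > 0
        Local $sPath = _WinAPI_GetProcessFileName($iPID)
        If @error Then $sPath = "<path not readable>"
        _Log($sIndent & "PID " & $iPID & " -> " & $sPath)
        $iPID = _WinAPI_GetParentProcess($iPID)   ; 0 when no parent is found
        $sIndent &= "    "
        $iDepth -= 1
    WEnd
EndFunc

; Poll for the process name; log every instance before terminating it, then wait
; for the exit so the executable is no longer locked when it is deleted.
While 1
    Local $aProc = ProcessList($sTarget)
    For $i = 1 To $aProc[0][0]
        Local $iPID = $aProc[$i][1]
        Local $sFile = _WinAPI_GetProcessFileName($iPID)
        _LogProcessChain($iPID)
        ProcessClose($iPID)
        If ProcessWaitClose($iPID, 10) Then   ; 1 once the process is gone, 0 on timeout
            FileSetAttrib($sFile, "-RASHNOT")
            If FileDelete($sFile) Then
                _Log("deleted " & $sFile)
            Else
                _Log("could not delete " & $sFile & " (still in use?)")
            EndIf
        Else
            _Log("PID " & $iPID & " did not exit within 10 s")
        EndIf
    Next
    Sleep(2000)
WEnd
```

The log is the useful output here: a parent path that is not explorer.exe or a known launcher is the place to look for what recreates the folders.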


#5 ·  Posted

I kept the exe running in the background, but still it is not able to track the process which created these folders.

Is there any way to get details of which process created a folder?


#6 ·  Posted

Once infected by malware a machine is compromised, unsafe and must be regarded as an unreliable liar (about acting as expected).

Please delete this file.
Done! (ROTFL, he believes I'll do that!)
Please kill this process.
Done! (Keep on expecting that!)

When the leader of the armies is known to have agreed with the enemy, you shouldn't be surprised if your guys pitifully lose the war under his leadership, despite reports that they made daily amazing progress.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)


#7 ·  Posted

@jchd thanks for the inputs.

I have deleted this file already, but it is getting created daily.

Even the antivirus is not able to delete it.

Windows Defender is just deleting this file but it is getting regenerated daily.

It seems some other process is generating this file, which Windows Defender is also not able to detect.

So is there any possibility to backtrack the folders by seeing which process created them and delete the malicious file?


#8 ·  Posted

If you still want to trust the untrustable, you can use process explorer to do that.



#9 ·  Posted

Process Explorer will show the running processes, but I need the process or program which created the folder. Is it possible to get that?


#10 ·  Posted

NTFS doesn't keep history of which PID created an entry AFAIK. You need a full-featured journaling file system for that.

PE lets you see which files a process accesses.



#11 ·  Posted

I agree with jchd about trying to run programs to handle the virus on a diseased machine. If anything at least make a bootable USB on a clean machine to scan your system after booting the flash drive. On a clean PC you can download Avast Trial version and make a bootable flash drive with the current av database. Boot your infected PC from the flash drive and run the scan.

I assume source code backups were made when the PC was still clean?


