plat

Anti Spyware idea


Hi all,

I'd like to try the following project as an anti spyware solution

I've searched the forum but haven't found anything similar enough to be of use to a newbie.....

1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b

2. surf the net picking up various unwanted progs / spyware

3. scan sys partition again at a later date to create an 'AFTER' snapshot as above

4. This is the tricky bit: compare the differences between the two file lists and create a 'CHANGES' file.

5. Use the 'CHANGES' file as the input source to supply a third party delete on reboot type program (would enable in use spyware proggies to be deleted).

Any thoughts on the above gratefully received!
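Steps 1, 3 and 4 of the plan above, carried through as one runnable example. This is added code, not from the thread or from any of its posters: it is a Python stand-in for the DIR /s /b snapshots that records size and a SHA-256 hash per file (so files that were overwritten in place are caught, not only new names), supports an exclusion mask for paths that must never land in the CHANGES list, and classifies the result as added, deleted or modified. The directory tree in `demo()` is constructed inline so it runs offline; the names in it (`dropped.exe`, `good.dll`, `pagefile.sys`) are sample values, not anything the thread mentions.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, excludes=()):
    """Map relative path -> (size, sha256) for every regular file under root.

    Paths matching any fnmatch-style pattern in excludes are skipped; this is
    the "file mask" for system files that should never be reported.
    """
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
                continue
            try:
                result[rel] = (full.stat().st_size, sha256_of(full))
            except OSError:
                continue  # vanished or locked between listing and reading
    return result


def diff_snapshots(before, after):
    """Return (added, deleted, modified) as sorted lists of relative paths."""
    b, a = set(before), set(after)
    added = sorted(a - b)
    deleted = sorted(b - a)
    modified = sorted(p for p in a & b if before[p] != after[p])
    return added, deleted, modified


def write_changes(changes_file, root, paths):
    """Write absolute paths one per line: the CHANGES list a delete-on-reboot
    tool would consume. Deleted files are not listed; there is nothing to remove."""
    root = Path(root)
    with open(changes_file, "w", encoding="utf-8") as f:
        for rel in paths:
            f.write(str(root / rel) + "\n")
    return changes_file


def demo():
    """Constructed scenario standing in for steps 1-4: build a small tree,
    snapshot it, change it the way an unwanted install would, snapshot again."""
    root = tempfile.mkdtemp()
    app = Path(root) / "app"
    app.mkdir()
    (app / "good.dll").write_bytes(b"original")
    (Path(root) / "pagefile.sys").write_bytes(b"swap")    # excluded by the mask

    before = snapshot(root, excludes=["*.sys"])            # step 1: BEFORE

    (app / "dropped.exe").write_bytes(b"unwanted")         # step 2: a new file appears
    (app / "good.dll").write_bytes(b"patched")             # an existing file is altered
    (Path(root) / "pagefile.sys").unlink()                 # excluded, so not reported

    after = snapshot(root, excludes=["*.sys"])             # step 3: AFTER
    added, deleted, modified = diff_snapshots(before, after)   # step 4: CHANGES
    write_changes(os.path.join(root, "CHANGES.txt"), root, added + modified)
    return added, deleted, modified


if __name__ == "__main__":
    print(demo())
```

Hashing is what turns "it didn't exist before" into "it didn't exist before or it isn't the file it was", which matters for the software-update case raised later in the thread: a legitimately patched DLL shows up under modified rather than being silently treated as unchanged, and the mask keeps page files and similar system files out of the list entirely.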




Spyware, adware and any other virus-type programs aren't only disk based; even if you delete them they might make pretty much a lot of mess. So you gotta consider a registry scan too.


My little company: Evotec (PL version: Evotec)


InstallShield does something like you describe. (If my coworker explained it to me correctly.) With InstallShield, you have a before snapshot, you then install the application, and it will take an after snapshot. It then will compare the changes and come up with the install package.

The problem with your approach is that by taking a snapshot, you lock the PC in a "photo" of its state. If later you take another snapshot, things have changed, and some things you want to have changed. Example being antivirus def files, windows updates, software updates, and so forth. A simple change to the registry that points to something you need would be deleted also. The research to look for every change would be quite daunting to say the least.

Another problem is that Spyware is more often using rootkits to install itself, and the use of a snapshot is almost useless. Unless you know exactly what you are looking for, the Spyware will (odds are) slip past. I've personally seen Spyware that would install itself in the root kernel, and it is almost impossible to remove. The way computers are today, you just about have to treat them as living machines. They are born (OS loaded and other basic software), they grow (you install more software, and customize them to your taste), they get sick (virus and Spyware infections), they need medications (antivirus, AntiSpyware), and they die (they get an infection that causes so much damage that the unit is no longer stable, and needs to be rebuilt). The computer person is like a doctor, treating the sick. The problem is the environment is evolving, just like the normal environment we all live in. New infections come along; drugs that worked on old infections no longer work, and so forth.

The idea you put forth is good, but the work to do this is quite labor intensive, for each change would need to be checked, just to see what the change is.

I will get off my soapbox now.......

:lmao:


Thanks for the feedback folks,

I am familiar with products like Ghost, Deep Freeze, Ghost Surfer et al, but thought the challenge of achieving a 'similar' end result using AutoIt and some freeware would be an interesting one!

With regard to the registry changes / rootkits, I thought I could take care of that with the excellent command-line ERUNT, which would enable a complete registry snapshot at every reboot (like using Last Known Good) and would also take care of the rootkit / registry autoruns etc.

This then leaves the newly created unwanted files, which would be compared on an 'it didn't exist before so delete it' basis but would use a file mask to exclude specified file types such as system files ('cause we don't wanna delete them :lmao: ).

In order to get around the problem of open / in-use files, I thought the command-line CopyLock could be passed the content of the CHANGES file to delete upon reboot....

There is an excellent piece of software called Total Uninstaller which achieves this, i.e. the opposite of Wise / InstallShield, but alas it is no longer free.

Anyone think this idea has legs or should i consign it to the recycle bin ;)



Personally I don't think it's really worth your time. I say that because of the tools people already have, system restore, registry backups, last known good, etc, not to mention the plethora of spyware scanners. In addition, not every new file or registry entry is a bad one, and by adding in a confirmation for each thing to be deleted, you'd be pretty much removing the very efficiency you mean to create. I would say you definitely had a neat idea, which someone would probably use (one born every minute?) but as far as a real project, I personally don't think it would be worth the time investment, except possibly for the knowledge gained by creating a new project.



#6 ·  Posted (edited)

I am interested in this. I use BartPE at work...and spyware/viruses are a lot easier to deal with when you remove their files; then you only need to deal with the registry stuff (for which there are also tools in BartPE...and then stuff in Windows afterward).

maybe something like this....I don't think this is completely right...but it's a start

#include <GuiConstants.au3>
#Include <process.au3>

$tempfile1 = "C:\Spyware_Finder_Temp1.txt"; BEFORE listing
$tempfile2 = "C:\Spyware_Finder_Temp2.txt"; AFTER listing
$tempfile3 = "C:\Spyware_Finder_Results.txt"; CHANGES output

Dim $line1 = 1; cursor into the BEFORE listing
Dim $line2 = 1; cursor into the AFTER listing

SplashTextOn ( "Scanning", "Scanning Files")
_RunDOS("DIR c:\ /s /b > " & $tempfile1); BEFORE snapshot
SplashOff ()
MsgBox(0, "", "Click OK when ready to scan again")
_RunDOS("DIR c:\ /s /b > " & $tempfile2); AFTER snapshot

GuiCreate("MyGUI", 392, 239)

$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
$count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)

GuiSetState()
While 1
    $file1 = FileReadLine ($tempfile1, $line1)
    If @error = -1 Then $file1 = ""; BEFORE list exhausted: everything left in AFTER is new
    $file2 = FileReadLine ($tempfile2, $line2)
    If @error = -1 Then ExitLoop; AFTER list exhausted: done
;SplashTextOn ( "comparing", $line1 & @LF & $file1 & @LF & @LF & $line2 & @LF & $file2, 500, 250)
    GUICtrlSetData ( $edit1, $file1)
    GUICtrlSetData ( $edit2, $file2)
    GUICtrlSetData ( $count1, $line1)
    GUICtrlSetData ( $count2, $line2)

    If $file2 = $file1 Then; same entry in both listings: advance both cursors
        $line1 += 1
        $line2 += 1
    Else; entry only in AFTER: record it (but not the temp file DIR listed itself)
        If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF)
        $line2 += 1
    EndIf
Wend
Exit
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


maybe delete using Killbox

http://www.bleepingcomputer.com/files/killbox.php

$deletefiles = "C:\Spyware_Finder_Results.txt"; the CHANGES list written by the compare script
$line=1
Run("Killbox.exe")
WinWaitActive("Pocket Killbox")

While 1
    $file1 = FileReadLine ($deletefiles, $line); one path per line
    If @error = -1 Then ExitLoop; end of the list
    ClipPut ($file1); hand the path to Killbox through the clipboard
    WinActivate("Pocket Killbox")
    Send("!fp"); Alt+F, P: the menu shortcut that pastes the clipboard path (assumed from the clipboard step above)
    $line += 1
WEnd

ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton4");click delete on reboot
ControlClick("Pocket Killbox", "", "ThunderRT6OptionButton1");click "All files"

ControlClick("Pocket Killbox", "", "ThunderRT6CommandButton2");click delete button

WinWaitActive("Delete next Reboot")
;ControlClick("Delete next Reboot", "", "Button1"); reboot now
ControlClick("Delete next Reboot", "", "Button2"); do not reboot now

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


#8 ·  Posted (edited)

the comparing of file names takes too long...any ideas on making it faster? I looked at FileOpen and other commands, but I don't really know how to use them

Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


#9 ·  Posted (edited)

I used an array and that sped things up greatly (6hrs to like under 5 mins)

keep in mind this program assumes no files get deleted; if something gets deleted it's going to mess up all remaining results

my first AutoIt array :-)

;--------------------------------------------------------
#include <file.au3>
#include <GuiConstants.au3>
#Include <process.au3>
$tempfile1 = "C:\Spyware_Finder_Temp1.txt"; BEFORE listing
$tempfile2 = "C:\Spyware_Finder_Temp2.txt"; AFTER listing
$tempfile3 = "C:\Spyware_Finder_Results.txt"; CHANGES output
Dim $array1, $array2
Dim $line1 = 1; cursor into the BEFORE array
Dim $line2 = 1; cursor into the AFTER array
;--------------------------------------------------------
FileDelete($tempfile1);remove old files if they exist
FileDelete($tempfile2)
FileDelete($tempfile3)
;--------------------------------------------------------

SplashTextOn ( "Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile1);pipe index results to tempfile1
SplashOff ()
MsgBox(0, "", "Click OK when ready to scan again")
SplashTextOn ( "Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile2);pipe index results to tempfile2
SplashOff ()

_FileReadToArray($tempfile1, $array1); create an array with tempfile1 (each line contains a filename, element [0] holds the count)
If @error Then
    MsgBox(16, "Error", "Could not read " & $tempfile1)
    Exit
EndIf
_FileReadToArray($tempfile2, $array2); create an array with tempfile2
If @error Then
    MsgBox(16, "Error", "Could not read " & $tempfile2)
    Exit
EndIf

;Comparing GUI
GuiCreate("Comparing", 392, 239)
$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
$count2 = GuiCtrlCreateLabel("", 10, 130, 100, 20)
GuiSetState()
;Comparing GUI End
While 1
    If $line1 <= $array1[0] Then
        $file1 = $array1[$line1]
    Else
        $file1 = ""; BEFORE list exhausted: everything left in AFTER is new
    EndIf
    If $line2 <= $array2[0] Then
        $file2 = $array2[$line2]
    Else
        ExitLoop; AFTER list exhausted: done
    EndIf
    GUICtrlSetData ( $edit1, $file1)
    GUICtrlSetData ( $edit2, $file2)
    GUICtrlSetData ( $count1, $line1)
    GUICtrlSetData ( $count2, $line2)
    If $file2 = $file1 Then; same entry in both listings (assumes both keep DIR's order and nothing was deleted)
        $line1 += 1
        $line2 += 1
    Else
        If $file2 <> $tempfile2 Then FileWrite($tempfile3, $file2 & @CRLF); new file (skip the temp file DIR listed itself)
        $line2 += 1
    EndIf
Wend
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature
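The 6-hour-to-5-minute change above is the difference between re-reading the listing file by line number on every call (each FileReadLine with a line number re-opens and rescans the file, so the loop is quadratic) and walking an in-memory array once. The remaining caveat, "assumes no files get deleted", is a property of the comparison algorithm itself, and the added example below (not from the thread) shows it on a constructed pair of listings: `pointer_compare` is a port of the script's two-cursor loop, `merge_compare` is the same idea fixed so that whichever side sorts lower is treated as the one-sided entry, and `set_compare` drops the ordering assumption entirely. The listings in `BEFORE` and `AFTER` are sample values.

```python
# Constructed BEFORE/AFTER listings in DIR /s /b order (sample values, not from the thread).
# Between the scans b.dll was deleted and d.exe appeared.
BEFORE = [r"C:\app\a.dll", r"C:\app\b.dll", r"C:\app\c.dll", r"C:\util\x.exe"]
AFTER = [r"C:\app\a.dll", r"C:\app\c.dll", r"C:\app\d.exe", r"C:\util\x.exe"]


def pointer_compare(before, after):
    """Port of the script's loop: two cursors, BEFORE advances only on a match.
    Correct while nothing is deleted; after a deletion the BEFORE cursor sticks
    on the missing entry and every later AFTER entry is reported as new."""
    new = []
    i = j = 0
    while j < len(after):
        current_before = before[i] if i < len(before) else ""
        if after[j].lower() == current_before.lower():   # AutoIt's = is case-insensitive
            i += 1
            j += 1
        else:
            new.append(after[j])
            j += 1
    return new


def merge_compare(before, after):
    """Merge walk over both listings sorted with the same key: the side that
    sorts lower is the one-sided entry, so a deletion costs one step instead of
    derailing the rest of the scan. DIR /s /b is only sorted per directory,
    hence the explicit re-sort of both lists."""
    before = sorted(before, key=str.lower)
    after = sorted(after, key=str.lower)
    new, deleted = [], []
    i = j = 0
    while i < len(before) or j < len(after):
        if j == len(after):
            deleted.append(before[i])
            i += 1
        elif i == len(before):
            new.append(after[j])
            j += 1
        elif before[i].lower() == after[j].lower():
            i += 1
            j += 1
        elif before[i].lower() < after[j].lower():
            deleted.append(before[i])
            i += 1
        else:
            new.append(after[j])
            j += 1
    return new, deleted


def set_compare(before, after):
    """Hash-set difference: no ordering assumption at all, linear on average."""
    b = {p.lower(): p for p in before}
    a = {p.lower(): p for p in after}
    new = sorted(a[k] for k in a.keys() - b.keys())
    deleted = sorted(b[k] for k in b.keys() - a.keys())
    return new, deleted


if __name__ == "__main__":
    print("pointer:", pointer_compare(BEFORE, AFTER))   # c.dll, d.exe and x.exe all flagged
    print("merge:  ", merge_compare(BEFORE, AFTER))     # only d.exe new, b.dll deleted
    print("set:    ", set_compare(BEFORE, AFTER))
```

On the constructed listings the two-cursor version flags three files as new when only one is, which is exactly the "mess up all remaining results" behaviour the post warns about; the merge and set versions agree with each other and also report the deletion for free. For a listing of a few hundred thousand paths the set version is the one to reach for, and it does not care whether the two DIR runs traversed directories in the same order.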


Wow! thanks ACalcutt

I tested the concept on an installation of Spyware Doctor (like the irony!) to see if it removed all traces; together with the registry backup via ERUNT it was toast! It did take an age as you've said (6 hours on a 20Gig sys partition) but now with your latest code it flies! (~4 mins) As almost all spyware / virii / trojans are software installations, this idea should work on them all?

With regard to Killbox: it works fine, but I was trying to use CopyLock (link in earlier post) as it has a command-line version which should make it possible to achieve the same result without the pop-up GUI...

While 1

call to copylock + name of file to delete

WEnd

As a newb I am getting stuck passing the $file1 parameter to the command line. This is what I have tried:

RunWait(@ComSpec & " /c " & "c:\cl.exe & $file1")

I think the concatenation is correct and the file names are being passed to the clipboard (checked with MsgBox) but it seems the string content is not available in the command shell?! Any ideas?


#11 ·  Posted (edited)

untested...but I think it should be

RunWait(@ComSpec & ' /c c:\cl.exe "' & $file1 & '"'); @ComSpec is cmd.exe, so " /c " must follow it before the command

if you don't put quotes around the filename, any filename where there's a space will mess things up...you had the variable inside quotes, and you were missing a space between cl.exe and your filename

ex.

$file1="c:\test\a b\test.exe"

msgbox(0, "", 'c:\cl.exe "' & $file1 & '"')

Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


#12 ·  Posted (edited)

something like this maybe (untested...don't have cl.exe)

;--------------------------------------------------------
;AutoIt Version: 3.1.1.102 Beta
;
;Script Author: Andrew Calcutt
;Script Date: 01/21/2006
;Script Name: RemoveNewFiles
;Script Function: Use the 'CHANGES' file as the input source to Copylock delete on reboot program
;*Needs CopyLock(cl.exe) http://noeld.com/programs.asp?cat=misc
;--------------------------------------------------------
#include <file.au3>
#Include <process.au3>
$tempfile3 = "C:\FileChange_Results.txt"; the CHANGES list
Dim $array3

_FileReadToArray($tempfile3, $array3); one path per element, count in element [0]
If @error Then
    MsgBox(16, "Error", "Could not read " & $tempfile3)
    Exit
EndIf
For $x = 1 To $array3[0]
    If $array3[$x] <> "" Then _RunDOS('c:\cl.exe "' & $array3[$x] & '"'); quoted so paths with spaces survive
Next
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


#13 ·  Posted (edited)

update - this version won't mess up if a file is deleted before the second scan starts

;--------------------------------------------------------
;AutoIt Version: 3.1.1.102 Beta
;
;Script Author: Andrew Calcutt
;Script Date: 01/21/2006
;Script Name: FileChangeSearch
;Script Function:
;   1. scan system partition to create a 'BEFORE' snapshot using DIR /s /b
;   2. scan sys partition again at a later date to create an 'AFTER' snapshot as above (after picking up new files)
;   3. Compare the differences between the two file lists and create a 'CHANGES' file.
;--------------------------------------------------------
#include <Array.au3>; for _ArraySearch (beta-only at the time of writing)
#include <GuiConstants.au3>
#include <file.au3>
#Include <process.au3>
Dim $tempfile1 = "C:\FileChange_Temp1.txt"; BEFORE listing
Dim $tempfile2 = "C:\FileChange_Temp2.txt"; AFTER listing
Dim $tempfile3 = "C:\FileChange_Results.txt"; CHANGES output
Dim $array1, $array2
Dim $pos = 0; index of the last match in the BEFORE array; the next search starts there
Dim $line = 1
;--------------------------------------------------------
FileDelete($tempfile1);remove old files if they exist
FileDelete($tempfile2)
FileDelete($tempfile3)
;--------------------------------------------------------

SplashTextOn ( "Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile1);pipe index results to tempfile1
SplashOff ()
MsgBox(0, "", "Click OK when ready to scan again")
SplashTextOn ( "Scanning", "Scanning Files", 200, 75)
_RunDOS("DIR c:\ /s /b > " & $tempfile2);pipe index results to tempfile2
SplashOff ()

_FileReadToArray($tempfile1, $array1); create an array with tempfile1 (each line contains a filename, element [0] holds the count)
If @error Then
    MsgBox(16, "Error", "Could not read " & $tempfile1)
    Exit
EndIf
_FileReadToArray($tempfile2, $array2); create an array with tempfile2
If @error Then
    MsgBox(16, "Error", "Could not read " & $tempfile2)
    Exit
EndIf

;Comparing GUI
GuiCreate("Comparing", 392, 239)
$edit1 = GuiCtrlCreateEdit("", 10, 30, 370, 80, $WS_VSCROLL)
$edit2 = GuiCtrlCreateEdit("", 10, 150, 370, 80, $WS_VSCROLL)
$count1 = GuiCtrlCreateLabel("", 10, 10, 90, 20)
GuiSetState()
;Comparing GUI End
For $loop = 1 To $array2[0]
    GUICtrlSetData ( $edit2, $array2[$line])
    GUICtrlSetData ( $count1, $line)
    GUICtrlSetData ( $edit1, "Scanning For Match" & @CRLF)
    If $array2[$line] <> $tempfile2 Then; skip the temp file DIR listed itself
        $pos2 = $pos
        $pos = _ArraySearch ($array1, $array2[$line], $pos2, $array1[0]); look for the AFTER entry from the last match onward
        If @Error = 6 Or @Error = 4 Then FileWrite($tempfile3, $array2[$line] & @CRLF); not found in BEFORE: record it as new
        If $pos = -1 Then
            GUICtrlSetData ( $edit1, "*** New File ***" & @CRLF)
            GUICtrlSetData ( $edit1, $array2[$line], 1)
            Sleep(1000)
            $pos = $pos2; resume from the last real match, not from -1
        Else
            GUICtrlSetData ( $edit1, "Match Found on Line: " & $pos & @CRLF, 1)
            GUICtrlSetData ( $edit1, $array1[$pos], 1)
        EndIf
    EndIf
    $line += 1
Next
Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


Hi again,

Firstly the cl.exe / array combo works really well!

I've just tried your latest script and got the error shown in the thumbnail below....


#15 ·  Posted (edited)


are you using the latest beta? because _ArraySearch isn't in the production release

http://www.autoitscript.com/autoit3/files/beta/autoit/

once you install the beta you have to go Start\Programs\AutoIt v3\beta\Toggle AU3 Beta

edit - also, i just changed filenames inside the copylock script and the compare script - look above

Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


#16 ·  Posted (edited)

I could also make this search for files that got deleted, but I didn't think that would be useful since you can't get them back anyway

and I think in my version I am going to make it ignore the Temporary Internet Files, because I want to browse the web and see what I pick up on a test machine, and we delete the temp\temp internet files by default anyway

by changing this line

If $array2[$line] <> $tempfile2 Then

to

If $array2[$line] <> $tempfile2 And StringInStr ( $array2[$line], "Temporary Internet Files") = 0 Then; And, not Or: with Or the first test alone would still let Temporary Internet Files entries through

Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


Yep, using the Beta solved it! Thanks for your speedy responses!

Now must try and do the same with the registry :lmao:

Should keep me busy for a while.....


#18 ·  Posted (edited)

maybe you could do

REGEDIT /E c:\reg.txt

this would dump the registry info into c:\reg.txt

then the hard part would be the comparing...because some keys are multi-line

edit - looks like multiline keys end with ",\" so you could look for that

Edited by ACalcutt

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature
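The REGEDIT /E route above works with the same BEFORE/AFTER idea as the file scan, once the wrapped lines are dealt with. Below is an added example, not from the thread, that parses two exports, glues the hex: continuation lines (the ones ending in a backslash, as noted in the edit) back onto their value, and classifies the differences as new or removed keys and new, removed or changed values. The two exports embedded in it are constructed samples: the key names, the `Blob` value and the `Updater` entry under the CurrentVersion\Run key are illustrative, chosen because a fresh Run value is the kind of autorun change the thread wants the registry diff to surface. `read_reg_export` handles the UTF-16 encoding that regedit writes on 2000/XP; it is only needed for real files, so the parsing and diff functions take text.

```python
import os
import re
from pathlib import Path

# Constructed REGEDIT /E style exports (sample values, not from the thread).
# Between the two, Blob changed, Sub\Enabled vanished, and a Run entry appeared.
BEFORE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Path"="C:\\Program Files\\Example"
"Blob"=hex:00,01,02,\
  03,04,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub]
"Enabled"=dword:00000001
'''

AFTER_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
@="default"
"Path"="C:\\Program Files\\Example"
"Blob"=hex:00,01,02,\
  03,04,06

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Sub]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Temp\\dropped.exe"
'''

# "name"=data, with backslash-escaped quotes allowed inside the name; @ is the default value
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def read_reg_export(path):
    """REGEDIT /E writes UTF-16LE with a BOM on Windows 2000 and later;
    the older REGEDIT4 format is ANSI text."""
    data = Path(path).read_bytes()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("mbcs" if os.name == "nt" else "latin-1")


def parse_reg_export(text):
    """Return (set of key paths, {(key, value_name): data}) for one export.

    regedit wraps long hex: data across lines, each ending in a backslash,
    so those continuation lines are joined before any parsing happens.
    """
    joined, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        joined.append(line)
    if pending is not None:
        joined.append(pending)

    keys, values, current = set(), {}, None
    for line in joined:
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.add(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            values[(current, name)] = m.group(2)
    return keys, values


def diff_reg(before_text, after_text):
    """Classify the differences between two exports."""
    bk, bv = parse_reg_export(before_text)
    ak, av = parse_reg_export(after_text)
    return {
        "new_keys": sorted(ak - bk),
        "removed_keys": sorted(bk - ak),
        "new_values": sorted(av.keys() - bv.keys()),
        "removed_values": sorted(bv.keys() - av.keys()),
        "changed_values": sorted(k for k in av.keys() & bv.keys() if av[k] != bv[k]),
    }


if __name__ == "__main__":
    for category, items in diff_reg(BEFORE_REG, AFTER_REG).items():
        print(category, items)
```

Keyed on (key path, value name), the diff is insensitive to the order in which regedit happens to write things, and the joined hex data compares as one string, so a one-byte change inside a wrapped binary value shows up as a changed value rather than as a stray continuation line. Keys that merely lost or gained values are reported through their values; a key appearing in only one export is reported on its own.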


this may help you

#include <Array.au3>; for _ArrayAdd
;By Andrew Calcutt
;_RegSubKeysSubVals([start registry key], [array name])
;Appends every value under $startkey as name=data and every subkey as [path], recursing into each subkey
Func _RegSubKeysSubVals($startkey, ByRef $array)
    Local $line = 0, $reg, $data; local so the recursion does not clobber a global $line
    While 1
        $line += 1
        $reg = RegEnumVal($startkey, $line); values of this key
        If @error Then ExitLoop
        $data = RegRead($startkey, $reg)
        _ArrayAdd($array, $reg & "=" & $data)
    WEnd
    $line=0
    While 1
        $line += 1
        $reg = RegEnumKey($startkey, $line); subkeys of this key
        If @error Then ExitLoop
        _ArrayAdd($array, "[" & $startkey & "\" & $reg & "]")
        _RegSubKeysSubVals($startkey & "\" & $reg, $array); recurse (the original called the undefined _RegSubkeys here)
    WEnd
EndFunc

working example

#include <Array.au3>
Dim $reg1[1]

_RegSubKeysSubVals("HKLM\SOFTWARE\AutoIt v3", $reg1)

$reg1[0] = UBound($reg1) - 1; element [0] holds the count, as with _FileReadToArray
_ArrayDisplay($reg1, $reg1[0])

Func _RegSubKeysSubVals($startkey, ByRef $array)
    Local $line = 0, $reg, $data
    While 1
        $line += 1
        $reg = RegEnumVal($startkey, $line); values of this key
        If @error Then ExitLoop
        $data = RegRead($startkey, $reg)
        _ArrayAdd($array, $reg & "=" & $data)
    WEnd
    $line=0
    While 1
        $line += 1
        $reg = RegEnumKey($startkey, $line); subkeys of this key
        If @error Then ExitLoop
        _ArrayAdd($array, "[" & $startkey & "\" & $reg & "]")
        _RegSubKeysSubVals($startkey & "\" & $reg, $array); recurse into the subkey
    WEnd
EndFunc

Andrew Calcutt

Http://www.Vistumbler.net

Http://www.TechIdiots.net

Its not an error, its a undocumented feature


Cheers!

If I am gonna have a learning curve I might as well make it a steep one! From 'Hello World' to UDFs & arrays in a few short days ;)

If this registry rollback can be achieved without the 3rd-party ERUNT prog, it's one step closer to an all-AutoIt uninstaller!

I think the delete / move on next boot might be a step too far though; c# anyone ? :lmao:

