GEOSoft

Trap suspicious window

3 posts in this topic

#1 ·  Posted (edited)

#cs
This AutoIt script file was generated by Project Express  v3.9.0.24 Dec 05 / 2006
Compiler Version:   3.2.1.13
Language:       English (US)
Platform(s):        All
Author:         GEOSoft

Project Name:       Win Trap
Project Description:        Determine the process of a "Suspicious" window and then kill it and create before and after lists
To Do List:
Notes:  Pressing Shift + Pause will get the process of the currently active window in case an unexpected window appears
        (Credit to herewasplato for the idea)
#ce

Opt("WinTitleMatchMode", 2)     ; 2 = match any substring of the title (case sensitive)
Opt("TrayIconDebug", 1)         ; show the line being executed in the tray icon tooltip
$OutFile = @DesktopDir & '\Proc_List.txt'
HotKeySet("+{Pause}", "Report") ; Shift+Pause reports on whatever window is active at that moment
Global $hTtl
$Ttl = InputBox("Window Trap", "Enter any portion of the window title you want to trap."& @CRLF & 'To trap any other window press "Shift + Pause".' & _
@CRLF & @CRLF & '*** NOTE:    Case Sensitive', '', '', 300, -1)
If @error = 1 Then Exit         ; Cancel pressed
$P1 = ProcessList()             ; "before" snapshot, taken before the window shows up

; Poll until a window whose title contains the fragment becomes active
While WinActive($Ttl) = 0
    Sleep(1000)
WEnd

$hTtl = WinGetTitle($Ttl)       ; full title of the matched window
WinClose($Ttl)                  ; sends WM_CLOSE to the window only; the owning process may keep running
Report()
Exit

Func Report()
$File = FileOpen($OutFile, 2)   ; mode 2 = overwrite
If NOT $hTtl Then $hTtl = WinGetTitle('')   ; hotkey path: '' = the currently active window
$Pid = WinGetProcess($hTtl)     ; PID of the window's process, or -1 if the window can no longer be found
$P2 = ProcessList()             ; "after" snapshot

For $I = 1 To $P1[0][0]
    FileWriteLine($File, $P1[$I][0])
Next

FileWriteLine($File, @CRLF & @CRLF & '[Window Title ' & Chr(34) & $hTtl & Chr(34) & ']')

; Mark the trapped process in the "after" list; compare PIDs exactly (a substring test would let PID 12 match 1234)
For $I = 1 To $P2[0][0]
    If $P2[$I][1] = $Pid Then FileWriteLine($File, '********************')
    FileWriteLine($File, $P2[$I][0])
    If $P2[$I][1] = $Pid Then FileWriteLine($File, '********************')
Next

FileClose($File)
MsgBox(262160, 'Finished', 'The process list has been created on the desktop as Proc_List.txt')
ShellExecute($OutFile)
EndFunc
;;============= End of Script ============

For an explanation of why I put this together see Post # 3 in

WinWaitActive

It just traps the process of a suspicious (or any) window and creates a before and after process list as a file.

Please note that window titles are case sensitive, so spyware Removal is not the same as Spyware Removal. However pyware Removal will get the right window because WinTitleMatchMode = 2.

If someone wants to take the time to do it then it's been suggested that setting WinTitleMatchMode to 4 and using Regular Expressions may solve the case sensitivity issue. It did what I needed so I'm finished with the script and you can do what you want with it.

Edited by GEOSoft

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.

Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.***

The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.

Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. it is soon to be closed and replaced with something else.

"Old age and treachery will always overcome youth and skill!"




#2 ·  Posted (edited)

I'm going to guess that you wanted Chr(34) where Chr(43) is in this line:

FileWriteLine($File,@CRLF & @CRLF & '[Window Title '& Chr(43) & $hTtl & Chr(34) & ']')

The script correctly identified the exe that generated my "Fake Bad App" window when I pressed the shift and pause hotkey combo... but using the input box to ID part of the offending title "Fake" - the report never placed the "********************" info into the second part of the report.... at least in my tests:

To test - compile "Fake-Bad-App.exe" from this:

;fake-bad-app

For $i = 5 To 1 Step - 1
    TrayTip("Fake Bad App", "This will pop-up a window like some bad apps do in " & $i, 1)
    Sleep(1000)
Next

TrayTip("", "", 1)

MsgBox(0, "Fake Bad App", "Do not hit OK.")

Sleep(999999)

and start it.

Compile and run your code. Once the window pops up from the Fake-Bad-App, type in:

Fake

...and click OK

Your code will close the MsgBox from my Fake-Bad-App - but it will not end the app. So, the exe named Fake-Bad-App shows in both "before" and "after" process lists with no highlighting via "********************".

Maybe I don't fully understand what you are expecting to happen under the "input box scenario".

...hope this helps...

Edited by herewasplato



#3 ·  Posted (edited)

I'm going to guess that you wanted Chr(34) where Chr(43) is in this line:

FileWriteLine($File,@CRLF & @CRLF & '[Window Title '& Chr(43) & $hTtl & Chr(34) & ']')

The script correctly identified the exe that generated my "Fake Bad App" window when I pressed the shift and pause hotkey combo... but using the input box to ID part of the offending title "Fake" - the report never placed the "********************" info into the second part of the report.... at least in my tests:

To test - compile "Fake-Bad-App.exe" from this:

;fake-bad-app

For $i = 5 To 1 Step - 1
    TrayTip("Fake Bad App", "This will pop-up a window like some bad apps do in " & $i, 1)
    Sleep(1000)
Next

TrayTip("", "", 1)

MsgBox(0, "Fake Bad App", "Do not hit OK.")

Sleep(999999)

and start it.

Compile and run your code. Once the window pops up from the Fake-Bad-App, type in:

Fake

...and click OK

Your code will close the MsgBox from my Fake-Bad-App - but it will not end the app. So, the exe named Fake-Bad-App shows in both "before" and "after" process lists with no highlighting via "********************".

Maybe I don't fully understand what you are expecting to happen under the "input box scenario".

...hope this helps...

There's no such thing as bad user input :lmao: and you're correct, it should be Chr(34). I'll take a look at the rest of it when I stop for a coffee, which will be in about half an hour. Maybe I broke something after I used it. Probably during one of my infamous cleanup treatments. ;)

Edited by GEOSoft


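Two things in this thread are left open: the case-sensitivity question in post #1 (where match mode 4 and a regular expression are suggested) and the result herewasplato reports in posts #2 and #3, where the trapped exe shows in both lists with no marking because the script asks WinGetProcess() for the window only after WinClose() has already removed it. The script below is an added example by the editor, not GEOSoft's script or anything posted in the thread. It assumes a current AutoIt 3.3.x build, in which the "[REGEXPTITLE:...]" and "[ACTIVE]" window descriptions and ProcessWaitClose() are available (the original was built with 3.2.1.13); the function names TrapWindow, TrapActiveWindow, ExeNameFromPid and WriteReport are the editor's own.

```autoit
; Window trap, reworked: case-insensitive title match, PID resolved before the
; window is closed, owning process terminated, exact PID comparison in the report.
; Assumes AutoIt 3.3.x ([REGEXPTITLE:...], [ACTIVE] and ProcessWaitClose()).

Opt("WinTitleMatchMode", 4)   ; advanced mode: enables "[REGEXPTITLE:...]" and "[ACTIVE]" descriptions
Opt("TrayIconDebug", 1)

Global Const $g_sOutFile = @DesktopDir & "\Proc_List.txt"
Global $g_aBefore = ProcessList()   ; baseline snapshot, taken before the suspicious window appears

HotKeySet("+{PAUSE}", "TrapActiveWindow")   ; Shift+Pause traps whatever window is active right now

Global $g_sFragment = InputBox("Window Trap", _
        "Enter any portion of the window title to trap (not case sensitive)." & @CRLF & _
        "To trap whatever window is active instead, press Shift+Pause.", "", "", 300, -1)
If @error Then Exit   ; Cancel pressed

; (?i) makes the match case-insensitive; \Q...\E makes the fragment a literal,
; so "." or "(" typed by the user are not treated as regex syntax.
Global $g_sDesc = "[REGEXPTITLE:(?i)\Q" & $g_sFragment & "\E]"

While 1
    If WinExists($g_sDesc) Then
        TrapWindow(WinGetHandle($g_sDesc))
        Exit
    EndIf
    Sleep(500)
WEnd

; Hotkey handler: trap the window that is active when the key is pressed
Func TrapActiveWindow()
    TrapWindow(WinGetHandle("[ACTIVE]"))
    Exit
EndFunc

Func TrapWindow($hWnd)
    Local $sTitle = WinGetTitle($hWnd)
    ; Resolve the owning process while the window still exists. Once it has been
    ; closed WinGetProcess() fails with -1 and nothing in the report can be marked.
    Local $iPid = WinGetProcess($hWnd)
    If $iPid = -1 Then
        MsgBox(16, "Window Trap", "Could not resolve the process behind " & Chr(34) & $sTitle & Chr(34))
        Return
    EndIf
    Local $sExe = ExeNameFromPid($g_aBefore, $iPid)
    If $sExe = "" Then $sExe = "(not present in baseline)"

    WinClose($hWnd)   ; WM_CLOSE dismisses the dialog but normally leaves the process alive
    If ProcessExists($iPid) Then
        ProcessClose($iPid)         ; returns 0 on failure, e.g. against an elevated process
        ProcessWaitClose($iPid, 5)  ; give it up to 5 s to go away before the "after" snapshot
    EndIf

    WriteReport($sTitle, $iPid, $sExe, ProcessList())
EndFunc

; Look up the image name for a PID in a ProcessList() array; "" if absent
Func ExeNameFromPid($aList, $iPid)
    For $i = 1 To $aList[0][0]
        If $aList[$i][1] = $iPid Then Return $aList[$i][0]
    Next
    Return ""
EndFunc

Func WriteReport($sTitle, $iPid, $sExe, $aAfter)
    Local $hFile = FileOpen($g_sOutFile, 2)   ; 2 = overwrite
    FileWriteLine($hFile, "[Before]")
    For $i = 1 To $g_aBefore[0][0]
        FileWriteLine($hFile, $g_aBefore[$i][0] & @TAB & $g_aBefore[$i][1])
    Next
    FileWriteLine($hFile, "")
    FileWriteLine($hFile, "[Window Title " & Chr(34) & $sTitle & Chr(34) & "  PID " & $iPid & "  Image " & $sExe & "]")
    FileWriteLine($hFile, "[After]")
    For $i = 1 To $aAfter[0][0]
        ; Exact PID comparison: a substring test such as StringInStr() would let PID 12 match 1234
        If $aAfter[$i][1] = $iPid Then
            FileWriteLine($hFile, "*** STILL RUNNING *** " & $aAfter[$i][0] & @TAB & $aAfter[$i][1])
        Else
            FileWriteLine($hFile, $aAfter[$i][0] & @TAB & $aAfter[$i][1])
        EndIf
    Next
    FileClose($hFile)
    ShellExecute($g_sOutFile)
EndFunc
```

Run against the Fake-Bad-App test from post #2, the trapped exe is named in the window header of the report and, if ProcessClose() succeeded, no longer appears in the "after" list; if it is still there it is marked "STILL RUNNING", which is the signal to escalate (an elevated or protected process will not die to ProcessClose() from a non-elevated script). The fragment is matched literally thanks to \Q...\E, but a fragment containing "]" would still terminate the window description and has to be escaped by hand.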
