chaosONE

checking what an already compiled script (.exe) really does

8 posts in this topic

hello

The following question isn't directly related to AutoIt, yet it is :)

I found a cool utility online, and downloaded it.

It's the portable version of a program which usually isn't portable.

FileInfo on "startup.exe" revealed it was made by AutoIt 3.2.xxx

so I googled, and here I am ;)

After reading/searching a bit in the forum I know it's forbidden to ask how to decompile a script; well, I won't ask nor try, but still I want to know what's going on when I start this "startup.exe".

I guess it can't be (morally) illegal to check/want to know what a program is doing.

With my firewall (Tiny Firewall Pro) and the right settings I was able to slow the program down to step-by-step confirmation of its actions, to see what happens, but this doesn't reveal everything.

i.e. several cmd.exe instances are started, regedit, rundll32.exe, regsvr32, ...

Is there a way to see the arguments/parameters which startup.exe uses to start its child processes?

regsvr32 dllname

cmd => which command/...

rundll32.exe dllname

and so on.

So basically I'm looking for a monitor tool which not only shows me path/file info of a started process, but also the parameters it was started with.

I know that's sort of reverse engineering (with a twist) :D


You might want to try something like ProcMon

thanks a lot for the tip!


Also RegMon and FileMon might be of use (kind of like stand-alone features of ProcMon), and perhaps also Process Explorer might be of use (also made by Sysinternals). :)


Also RegMon and FileMon might be of use (kind of like stand-alone features of ProcMon), and perhaps also Process Explorer might be of use (also made by Sysinternals). :)

thank you also for your suggestions.

I tried both of the standalone programs, but they are no longer supported and were merged into Process Monitor.

Process Monitor is amazing; it shows me exactly what I wanted to know (command-line parameters/...), and all this in ONE nice interface, even export of the activity to several formats.

Especially the "Process Activity Summary" is great; I see exactly in which order child processes were spawned, and all details relating to them.

I'm in love ;)

The only thing left is to figure out how I can get hold of the temporary files created by the script file.

%temp%\filename.reg is created, but deleted so fast that I can't copy it :D
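Process Monitor can export a trace to CSV, and the child-process command lines the original poster wanted are carried in the Detail column of each "Process Create" event. The following is an added example, not code from the thread or from Sysinternals: a small Python script that reads such an export, rebuilds the parent/child process tree with each child's command line, and lists the children that run regedit, regsvr32 or rundll32 so they can be reviewed first. The embedded CSV is constructed for this example (the column names match ProcMon's CSV export and the "PID: n, Command line: ..." Detail wording is assumed from ProcMon's output; every PID, path and argument is made up).

```python
"""Rebuild a child-process tree, with command lines, from a Process Monitor CSV export."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a ProcMon CSV export (File > Save..., CSV format).
# Column layout and the "Process Create" Detail text follow ProcMon's output
# as assumed for this example; PIDs, paths and arguments are invented.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0000001","startup.exe","1000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1001, Command line: cmd.exe /c copy settings.reg %TEMP%\filename.reg"
"10:02:11.0000002","startup.exe","1000","Process Create","C:\Windows\System32\regedit.exe","SUCCESS","PID: 1002, Command line: regedit.exe /s %TEMP%\filename.reg"
"10:02:11.0000003","startup.exe","1000","Process Create","C:\Windows\System32\regsvr32.exe","SUCCESS","PID: 1003, Command line: regsvr32.exe /s helper.dll"
"10:02:11.0000004","cmd.exe","1001","Process Create","C:\Windows\System32\rundll32.exe","SUCCESS","PID: 1004, Command line: rundll32.exe helper.dll,Install"
"10:02:11.0000005","startup.exe","1000","CreateFile","C:\Users\u\AppData\Local\Temp\filename.reg","SUCCESS","Desired Access: Generic Write"
'''

# Detail text of a Process Create event: "PID: <child pid>, Command line: <cmdline>"
DETAIL_RE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)$")


def parse_process_creates(csv_text):
    """Return (parent_pid, parent_name, child_pid, child_image_path, child_cmdline) per Process Create row."""
    creates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        match = DETAIL_RE.match(row["Detail"])
        if not match:
            continue  # unexpected Detail wording; skip rather than guess
        creates.append((int(row["PID"]), row["Process Name"],
                        int(match.group(1)), row["Path"], match.group(2)))
    return creates


def build_tree(creates):
    """Map parent pid -> [(child pid, child cmdline)], plus pid -> image name."""
    children = defaultdict(list)
    names = {}
    for ppid, pname, cpid, path, cmd in creates:
        names.setdefault(ppid, pname)
        names[cpid] = path.rsplit("\\", 1)[-1]
        children[ppid].append((cpid, cmd))
    return children, names


def render_tree(children, names, root_pid, depth=0):
    """Indented lines, one per descendant of root_pid, in the order they were spawned."""
    lines = []
    for cpid, cmd in children.get(root_pid, []):
        lines.append("  " * depth + f"{names[cpid]} (PID {cpid}): {cmd}")
        lines.extend(render_tree(children, names, cpid, depth + 1))
    return lines


def suspicious_launchers(creates, watch=("regedit.exe", "regsvr32.exe", "rundll32.exe")):
    """Children whose image is one of the system binaries the thread saw being spawned."""
    return [(cpid, cmd) for _, _, cpid, path, cmd in creates
            if path.rsplit("\\", 1)[-1].lower() in watch]


if __name__ == "__main__":
    creates = parse_process_creates(SAMPLE_CSV)
    children, names = build_tree(creates)
    print("\n".join(render_tree(children, names, 1000)))
    for pid, cmd in suspicious_launchers(creates):
        print(f"review PID {pid}: {cmd}")
```

On a real trace, set a filter on the launcher's process name before saving the CSV so the export contains only its activity; the tree is then rooted at that process's PID.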


Perhaps create a new user, and set the NTFS access rights for that user to only write and read from the temp directory (not modify), then run the program in question with that username...

You should also look into Process Explorer, it's a really good app too. :)


The only thing left is to figure out how I can get hold of the temporary files created by the script file.

%temp%\filename.reg is created, but deleted so fast that I can't copy it :)

Perhaps make a script that waits around for that particular file to exist, then have it make a copy for you... probably faster than you are

; Poll for the temporary file and grab a copy before the script deletes it
$path = @TempDir & "\filename.reg"   ; the %temp%\filename.reg from the question
While 1
    Sleep(10)
    If FileExists($path) Then FileCopy($path, $path & ".old", 1)   ; 1 = overwrite an earlier copy
WEnd

Helpful tips: If you want better answers to your questions, take the time to reproduce your issue in a small "stand alone" example script whenever possible. Also, make sure you tell us 1) what you tried, 2) what you expected to happen, and 3) what happened instead.
Useful links: BrettF's update to LxP's "How to AutoIt" pdf; Valuater's AutoIt 1-2-3; Download page for the latest versions of AutoIt and SciTE
"For example - if you came in here asking "how do I use a jackhammer" we might ask "why do you need to use a jackhammer". If the answer to the latter question is "to knock my grandmother's head off to let out the evil spirits that gave her cancer", then maybe the problem is actually unrelated to jackhammers"
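The polling idea in the answer above generalises to any directory and any file type, and the part the one-liner glosses over is the race: the file may be gone, or still locked by its writer, between the moment it is seen and the moment it is copied. The following is an added example, not code from the thread: a Python class that polls a directory every few milliseconds, copies every new or changed file with a given suffix into an evidence directory, records a SHA-256 of each copy, and simply retries on the next poll when the copy fails. demo() exercises it against a constructed .reg file that is created and deleted about 100 ms later in a temporary directory; the paths and file content are made up for the demo.

```python
"""Capture short-lived temporary files before the process that created them deletes them."""
import hashlib
import os
import shutil
import tempfile
import threading
import time


class TransientFileCapturer:
    """Poll watch_dir and copy each new or modified matching file into evidence_dir."""

    def __init__(self, watch_dir, evidence_dir, suffix=None, interval=0.005):
        self.watch_dir = watch_dir
        self.evidence_dir = evidence_dir
        self.suffix = suffix          # e.g. ".reg"; None captures every file
        self.interval = interval      # seconds between polls
        self._seen = {}               # path -> (size, mtime_ns) of the last version copied
        self.captured = []            # (original_path, evidence_copy, sha256) in capture order
        self._stop = threading.Event()
        os.makedirs(evidence_dir, exist_ok=True)

    def _snapshot(self, entry):
        try:
            st = entry.stat()
            version = (st.st_size, st.st_mtime_ns)
            if self._seen.get(entry.path) == version:
                return                # this exact version is already in evidence
            dest = os.path.join(self.evidence_dir, f"{time.time_ns()}_{entry.name}")
            shutil.copy2(entry.path, dest)
        except (FileNotFoundError, PermissionError):
            return                    # vanished or locked between listing and copy; retry next poll
        with open(dest, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        self._seen[entry.path] = version
        self.captured.append((entry.path, dest, digest))

    def poll_once(self):
        try:
            with os.scandir(self.watch_dir) as it:
                for entry in it:
                    if not entry.is_file(follow_symlinks=False):
                        continue
                    if self.suffix is None or entry.name.endswith(self.suffix):
                        self._snapshot(entry)
        except FileNotFoundError:
            pass                      # watch directory not created yet

    def run(self, max_seconds):
        """Poll until stop() is called or max_seconds have elapsed."""
        deadline = time.monotonic() + max_seconds
        while not self._stop.is_set() and time.monotonic() < deadline:
            self.poll_once()
            time.sleep(self.interval)

    def stop(self):
        self._stop.set()


def demo():
    """Create and quickly delete a .reg file while the capturer watches; report what was caught."""
    work = tempfile.mkdtemp()
    watch = os.path.join(work, "temp")            # stands in for %temp%
    os.makedirs(watch)
    cap = TransientFileCapturer(watch, os.path.join(work, "evidence"), suffix=".reg")
    worker = threading.Thread(target=cap.run, args=(5.0,))
    worker.start()
    target = os.path.join(watch, "filename.reg")
    content = "Windows Registry Editor Version 5.00\n"   # constructed stand-in for the real file
    with open(target, "w") as fh:
        fh.write(content)
    time.sleep(0.1)                   # the file exists for ~100 ms, then is deleted as in the thread
    os.remove(target)
    cap.stop()
    worker.join()
    copies = []
    for _, dest, _ in cap.captured:
        with open(dest) as fh:
            copies.append(fh.read())
    return {"captures": len(cap.captured), "copies": copies,
            "original_exists": os.path.exists(target), "expected": content}


if __name__ == "__main__":
    print(demo())
```

Because a file is often seen first while its writer still has it open, the capturer may save an empty or partial version followed by the complete one; the size/mtime key makes it re-copy on every change, so the last copy of a path is the final content and the earlier ones show how the file grew.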


#8 ·  Posted (edited)

thanks everybody for their help !!

As it was just an accident that I found out about AutoIt (have to admit I never ever heard of it before), I was only able to write a batch file which does the same thing as the small AutoIt exe which was supplied with the original package I downloaded.

But seeing the possibilities with AutoIt, I think this was the last (complex) batch file I wrote :))

So I can say ------- Topic closed ------ and again thanks for your quick help everybody!!!

Edited by chaosONE
