Process protection?

Innovative

I've seen some anti-virus programs that have some kind of process protection where Task Manager returns "Access is denied!" when it tries to end the process.

Well, I'm making a sort of protection program that monitors the bandwidth; I wanted to prevent it from being closed.

Is that possible in AutoIt?

Innovative

Is that in the help files?

I can't seem to find it.

Edited by xVivoCity

NickBtheITguy

I've seen some anti-virus programs that have some kind of process protection where Task Manager returns "Access is denied!" when it tries to end the process.

Well, I'm making a sort of protection program that monitors the bandwidth; I wanted to prevent it from being closed.

Is that possible in AutoIt?

I would be interested in seeing what you come up with. I have a process that we created to keep our employees from closing certain apps. The solution I came up with was to create a secondary script; the two executables monitor each other, and if one is terminated, the other reopens it.

Example:

Opt("TrayIconHide", 1)

$on = 1

While $on = 1
    Sleep(1000)

    ; Check to see if mrcc.exe is running. If not, start it.
    If ProcessExists("mrcc.exe") Then
        $procmon = 1
    Else
        Run("mrcc.exe")
    EndIf
WEnd

The main executable mrcc.exe then monitors for this script and keeps it running.
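The defining trait of this design is that each image is respawned by the other within about a second of being killed, and that is exactly what makes it visible in process telemetry. The following Python is an added example for the defender's side, not code from this thread: it reads constructed Sysmon-style process create/terminate records and flags pairs of images that restart each other inside a short window. The record format (time in seconds, event, pid, image, parent pid, parent image) and the name watchdog.exe are assumptions; mrcc.exe is the name used in the post above.

```python
"""Detect mutual-watchdog process pairs in constructed process telemetry.

Added example, not from the forum thread. Assumed record format:
    time,event,pid,image,parent_pid,parent_image
where event is "create" or "terminate" and terminate records carry no
parent fields (as in Sysmon event 5). All sample data is constructed.
"""

# Constructed sample: watchdog.exe and mrcc.exe respawn each other within a
# second; notepad.exe is relaunched by explorer.exe but explorer.exe is never
# relaunched by notepad.exe, so that pair must not be flagged.
SAMPLE_LOG = """\
0.0,create,100,watchdog.exe,50,explorer.exe
0.5,create,101,mrcc.exe,100,watchdog.exe
30.0,terminate,101,mrcc.exe,,
30.9,create,102,mrcc.exe,100,watchdog.exe
45.0,terminate,100,watchdog.exe,,
45.7,create,103,watchdog.exe,102,mrcc.exe
60.0,terminate,200,notepad.exe,,
61.0,create,201,notepad.exe,50,explorer.exe
"""


def parse_log(text):
    """Parse the assumed CSV-like format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        t, ev, pid, image, ppid, pimage = line.split(",")
        events.append({
            "time": float(t),
            "event": ev,
            "pid": int(pid),
            "image": image.lower(),
            "parent_pid": int(ppid) if ppid else None,
            "parent_image": pimage.lower() or None,
        })
    return events


def find_respawns(events, window=2.0):
    """Return the set of (respawned_image, parent_image) pairs.

    A respawn is a create of some image that follows a terminate of the same
    image within `window` seconds; the parent of the new instance is recorded.
    """
    respawns = set()
    last_terminate = {}  # image -> time of its most recent terminate
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] == "terminate":
            last_terminate[ev["image"]] = ev["time"]
        elif ev["event"] == "create":
            t = last_terminate.get(ev["image"])
            if t is not None and ev["time"] - t <= window and ev["parent_image"]:
                respawns.add((ev["image"], ev["parent_image"]))
    return respawns


def find_watchdog_pairs(events, window=2.0):
    """Return sorted pairs of images that each respawn the other.

    A single image restarting itself is not a mutual pair and is excluded.
    """
    respawns = find_respawns(events, window)
    pairs = set()
    for child, parent in respawns:
        if child != parent and (parent, child) in respawns:
            pairs.add(tuple(sorted((child, parent))))
    return sorted(pairs)


if __name__ == "__main__":
    for a, b in find_watchdog_pairs(parse_log(SAMPLE_LOG)):
        print(f"mutual watchdog pair: {a} <-> {b}")
```

The window of two seconds matches the one-second poll loop in the script above; a real deployment would tune it to the observed restart latency and would key on full image paths rather than bare file names.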

Andreik

I would be interested in seeing what you come up with. I have a process that we created to keep our employees from closing certain apps. The solution I came up with was to create a secondary script; the two executables monitor each other, and if one is terminated, the other reopens it.

Example:

Opt("TrayIconHide", 1)

$on = 1

While $on = 1
    Sleep(1000)

    ; Check to see if mrcc.exe is running. If not, start it.
    If ProcessExists("mrcc.exe") Then
        $procmon = 1
    Else
        Run("mrcc.exe")
    EndIf
WEnd

The main executable mrcc.exe then monitors for this script and keeps it running.

This is an option, but what if I close this script and then mrcc.exe?

Must be a better method. :mellow:


When the words fail... music speaks

Pain

The solution I came up with was to create a secondary script; the two executables monitor each other, and if one is terminated, the other reopens it.

That seems to be a pretty good method to use; even though it's still not foolproof, it would still block users from killing it from Task Manager.

NickBtheITguy

That seems to be a pretty good method to use; even though it's still not foolproof, it would still block users from killing it from Task Manager.

With the scripts monitoring each other they can't close it. I've tried to close them quickly and they start back up way too fast. The only way I can kill the process is to use a tool like Procexp.exe from Sysinternals to pause the programs and then terminate them.

Mobius

Doesn't this, from the CMD prompt / Run dialog:

TASKKILL /F /IM YourApp1.exe /IM YourApp2.exe

work against this method?

NickBtheITguy

Doesn't this, from the CMD prompt / Run dialog:

TASKKILL /F /IM YourApp1.exe /IM YourApp2.exe

work against this method?

It would if my users were smart enough to figure that out.

Pain

Add this to your scripts.

; Look for a console window by class; the [CLASS:...] form needs no WinTitleMatchMode setting
$handle = WinGetHandle("[CLASS:ConsoleWindowClass]")

If Not @error Then
    ProcessClose("cmd.exe")
EndIf

Mobius

This might help for the Run dialog as well:

Opt("WinTitleMatchMode", 4)
$handle = WinGetHandle("[TITLE:Run; CLASS:#32770]")
If $handle Then WinClose($handle)

Edited by Mobius

Innovative

Well, is there any way to do that? Alternatives are my last resort; I wanted to know if it is possible to do that in AutoIt without alternatives.

AgentSmith15

I doubt that you're going to be able to do what you described in AutoIt. The link I showed has a script that blocks Ctrl+Alt+Delete.

Innovative

Windows API call, look in MSDN.

What's the command name? At least I need that to find it.

Cw2K1

What's the command name? At least I need that to find it.

I think my friend Volly messed with you; he doesn't know how it works, or maybe doesn't want to share it in public :mellow:

Processes use drivers to disallow access so that they cannot be opened, although I am pretty sure RKU and IceSword use some other method of disallowing process opens. (I am basing that claim on the results returned from Process Explorer 10, which returns something like "Invalid Params" when just trying to open it, which makes me wonder how the hell that works.)

Actually, check this out. This is what the RKU driver imports:

DbgPrint
ExAllocatePool
ExAllocatePoolWithTag
ExFreePool
IoBuildAsynchronousFsdRequest
IoCreateDevice
IoDeleteDevice
IoDeviceObjectType
IoDriverObjectType
IoFileObjectType
IoFreeIrp
IoFreeMdl
IoGetCurrentProcess
IoThreadToProcess
IofCallDriver
IofCompleteRequest
KeAcquireSpinLock
KeAddSystemServiceTable
KeAttachProcess
KeBugCheckEx
KeDelayExecutionThread
KeDetachProcess
KeInitializeApc
KeInitializeEvent
KeInitializeSpinLock
KeInsertQueueApc
KeReleaseSpinLock
KeSetEvent
KeSetSystemAffinityThread
KeWaitForSingleObject
KiDispatchInterrupt
MmGetPhysicalAddress
MmGetSystemRoutineAddress
MmGetVirtualForPhysical
MmIsAddressValid
MmSectionObjectType
MmSystemRangeStart
MmUnlockPages
NtBuildNumber
NtDuplicateObject
NtOpenProcess
ObOpenObjectByPointer
ObQueryNameString
ObReferenceObjectByHandle
ObfDereferenceObject
PsCreateSystemThread
PsGetCurrentProcessId
PsGetCurrentThreadId
PsLookupProcessByProcessId
PsLookupThreadByThreadId
PsProcessType
PsSetCreateProcessNotifyRoutine
PsTerminateSystemThread
PsThreadType
RtlInitUnicodeString
RtlUnwind
RtlVolumeDeviceToDosName
ZwClose
ZwCreateFile
ZwDeleteFile
ZwOpenDirectoryObject
ZwOpenKey
ZwOpenProcess
ZwQuerySystemInformation
ZwTerminateProcess

Interesting... but no PspTerminateProcess, unless it is listed in the exe itself, which is packed.

Anti-rootkits can protect their processes at the kernel level, and (most) programs at the user level will be unable to bypass that protection.

Depending on how anti-rootkit drivers are coded, they can unhook kernel-level hooks by other programs or malware, and create their own hooks to intercept process termination requests.

I am trying to do it myself; if I succeed then I will post the code to let you know about it. Currently trying to write code for it...

Edited by Cw2K1

Enjoy the complexity.Feel the power of simplicity.

Innovative

Lols, I don't understand any of the imports.

This topic is now closed to further replies.