Innovative, posted November 7, 2008:

I've seen some antivirus programs that have some kind of process protection where the Task Manager will return "Access is denied!" when it's trying to end the process. Well, I'm making a sort of protection program that monitors the bandwidth, and I wanted to prevent it from closing. Is that possible in AutoIt?

Bert, posted November 7, 2008:

I know it is possible with a Windows API call, but you would have to look it up.

The Vollatran project. My blog: http://www.vollysinterestingshit.com/

Innovative (Author), posted November 7, 2008:

Is that in the help files? I can't seem to find it...

Edited November 7, 2008 by xVivoCity

NickBtheITguy, posted November 7, 2008:

> I've seen some antivirus programs that have some kind of process protection where the Task Manager will return "Access is denied!" when it's trying to end the process. Well, I'm making a sort of protection program that monitors the bandwidth, and I wanted to prevent it from closing. Is that possible in AutoIt?

I would be interested in seeing what you come up with. I have a process that we created to keep our employees from closing certain apps. The solution I came up with was to create a secondary script and the two executables monitor each other and if one is terminated it reopens it. Example:

    ; Hide the tray icon of this watcher script.
    Opt("TrayIconHide", 1)
    $on = 1
    ; Poll once per second for as long as the script runs.
    While $on = 1
        Sleep(1000)
        ; Check to see if the mrcc.exe file is running. If not then it starts it.
        If ProcessExists("mrcc.exe") Then
            $procmon = 1
        Else
            Run("mrcc.exe")
        EndIf
    WEnd

The main executable mrcc.exe then monitors for this script and keeps it running.

Andreik, posted November 7, 2008:

> I would be interested in seeing what you come up with. I have a process that we created to keep our employees from closing certain apps. The solution I came up with was to create a secondary script and the two executables monitor each other and if one is terminated it reopens it. Example:
>
>     ; Hide the tray icon of this watcher script.
>     Opt("TrayIconHide", 1)
>     $on = 1
>     ; Poll once per second for as long as the script runs.
>     While $on = 1
>         Sleep(1000)
>         ; Check to see if the mrcc.exe file is running. If not then it starts it.
>         If ProcessExists("mrcc.exe") Then
>             $procmon = 1
>         Else
>             Run("mrcc.exe")
>         EndIf
>     WEnd
>
> The main executable mrcc.exe then monitors for this script and keeps it running.

This is an option, but what if I close this script, and then mrcc.exe? There must be a better method.

When the words fail... music speaks.

Pain, posted November 7, 2008:

> The solution I came up with was to create a secondary script and the two executables monitor each other and if one is terminated it reopens it.

That seems to be a pretty good method to use. Even though it's still not foolproof, it would still block users from killing it from Task Manager.

NickBtheITguy, posted November 7, 2008:

> That seems to be a pretty good method to use. Even though it's still not foolproof, it would still block users from killing it from Task Manager.

With the scripts monitoring each other they can't close it. I've tried to close them quickly and they start back up way too fast. The only way I can kill the process is to use a tool like Procexp.exe from Sysinternals to pause the programs and then terminate.

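
Seen from the monitoring side, the two-script scheme described in the posts above leaves a recognizable trace: each executable reappears within seconds of exiting, started by the other one. The following is an added example, not code from any poster in this thread; the event format and the name watcher.exe for the secondary script are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process events (not from the thread):
# time, event, pid, image, parent image. watcher.exe is a hypothetical name.
SAMPLE_LOG = """\
2008-11-07T10:00:00 START 410 mrcc.exe explorer.exe
2008-11-07T10:00:01 START 422 watcher.exe mrcc.exe
2008-11-07T10:05:10 EXIT 410 mrcc.exe -
2008-11-07T10:05:11 START 530 mrcc.exe watcher.exe
2008-11-07T10:09:30 EXIT 422 watcher.exe -
2008-11-07T10:09:31 START 544 watcher.exe mrcc.exe
2008-11-07T10:12:00 EXIT 600 notepad.exe -
2008-11-07T10:20:00 START 610 notepad.exe explorer.exe
"""

def parse(log):
    """Yield (timestamp, event, pid, image, parent) for each log line."""
    for line in log.splitlines():
        ts, event, pid, image, parent = line.split()
        yield datetime.fromisoformat(ts), event, int(pid), image.lower(), parent.lower()

def respawns(log, window=timedelta(seconds=3)):
    """Return {(image, restarter): count} for images restarted soon after exiting."""
    last_exit, found = {}, defaultdict(int)
    for ts, event, _pid, image, parent in parse(log):
        if event == "EXIT":
            last_exit[image] = ts
        elif event == "START" and image in last_exit:
            # A start long after the exit is an ordinary relaunch, not a respawn.
            if ts - last_exit.pop(image) <= window:
                found[(image, parent)] += 1
    return dict(found)

def mutual_watchdogs(log, window=timedelta(seconds=3)):
    """Return image pairs in which each one has respawned the other."""
    seen = respawns(log, window)
    return sorted({tuple(sorted(pair)) for pair in seen
                   if (pair[1], pair[0]) in seen})

if __name__ == "__main__":
    for a, b in mutual_watchdogs(SAMPLE_LOG):
        print(f"mutual watchdog pair: {a} <-> {b}")
```
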
Mobius, posted November 7, 2008:

Doesn't

    CMD PROMPT / RUN DIALOG::
    TASKKILL /F /IM YourApp1.exe /IM YourApp2.exe

work against this method?

NickBtheITguy, posted November 7, 2008:

> Doesn't
>
>     CMD PROMPT / RUN DIALOG::
>     TASKKILL /F /IM YourApp1.exe /IM YourApp2.exe
>
> work against this method?

It would if my users were smart enough to figure that out.

Pain, posted November 7, 2008:

Add this to your scripts.

    ; Look for an open console window by its window class.
    $handle = WinGetHandle("[CLASS:ConsoleWindowClass]", "")
    If Not @error Then
        ; The process name has to be passed as a quoted string.
        ProcessClose("cmd.exe")
    EndIf

Mobius, posted November 7, 2008:

This might help for the run dialog as well:

    Opt("WinTitleMatchMode", 4)
    $handle = WinGetHandle("[TITLE:Run; CLASS:#32770]")
    If $handle Then WinClose($handle)

Edited November 7, 2008 by Mobius

Innovative (Author), posted November 8, 2008:

Well, is there any way to do that? Alternatives are my last resort; I wanted to know if it is possible to do that without alternatives in AutoIt.

Innovative (Author), posted November 8, 2008:

Well...?

AgentSmith15, posted November 8, 2008:

Well what? Try looking around the forums... http://www.autoitscript.com/forum/index.php?showtopic=71488

Innovative (Author), posted November 8, 2008:

> Well what? Try looking around the forums... http://www.autoitscript.com/forum/index.php?showtopic=71488

I seriously wouldn't be here if I could find anything with the search function... Btw, what's with that link? I can't see anything related to my question.

Bert, posted November 8, 2008:

Windows API call, look in MSDN.

AgentSmith15, posted November 8, 2008:

I doubt that you're going to be able to do what you described in AutoIt. The link I showed has a script that blocks Ctrl + Alt + Delete.

Innovative (Author), posted November 8, 2008:

> Windows API call, look in MSDN.

What's the command name? At least I need that to find it.

Cw2K1, posted November 8, 2008:

> What's the command name? At least I need that to find it.

I think my friend Volly messed with you; he doesn't know how it works or maybe doesn't want to share in public.

Processes use drivers to disallow access for them to be opened, although I am pretty sure RKU and IceSword use some other method of disallowing process open. (I am going by that claim with the results that are returned from ProcessExplorer 10, of how it returns like Invalid Params just trying to open it, which makes me wonder how the hell that works.)

Actually, check this out. This is what the RKU driver imports:

    DbgPrint
    ExAllocatePool
    ExAllocatePoolWithTag
    ExFreePool
    IoBuildAsynchronousFsdRequest
    IoCreateDevice
    IoDeleteDevice
    IoDeviceObjectType
    IoDriverObjectType
    IoFileObjectType
    IoFreeIrp
    IoFreeMdl
    IoGetCurrentProcess
    IoThreadToProcess
    IofCallDriver
    IofCompleteRequest
    KeAcquireSpinLock
    KeAddSystemServiceTable
    KeAttachProcess
    KeBugCheckEx
    KeDelayExecutionThread
    KeDetachProcess
    KeInitializeApc
    KeInitializeEvent
    KeInitializeSpinLock
    KeInsertQueueApc
    KeReleaseSpinLock
    KeSetEvent
    KeSetSystemAffinityThread
    KeWaitForSingleObject
    KiDispatchInterrupt
    MmGetPhysicalAddress
    MmGetSystemRoutineAddress
    MmGetVirtualForPhysical
    MmIsAddressValid
    MmSectionObjectType
    MmSystemRangeStart
    MmUnlockPages
    NtBuildNumber
    NtDuplicateObject
    NtOpenProcess
    ObOpenObjectByPointer
    ObQueryNameString
    ObReferenceObjectByHandle
    ObfDereferenceObject
    PsCreateSystemThread
    PsGetCurrentProcessId
    PsGetCurrentThreadId
    PsLookupProcessByProcessId
    PsLookupThreadByThreadId
    PsProcessType
    PsSetCreateProcessNotifyRoutine
    PsTerminateSystemThread
    PsThreadType
    RtlInitUnicodeString
    RtlUnwind
    RtlVolumeDeviceToDosName
    ZwClose
    ZwCreateFile
    ZwDeleteFile
    ZwOpenDirectoryObject
    ZwOpenKey
    ZwOpenProcess
    ZwQuerySystemInformation
    ZwTerminateProcess

Interesting... but no PspTerminateProcess, unless it is listed in the exe itself, which is packed.

Anti-rootkits can protect their processes at the kernel level, and programs (most) at the user level will be unable to bypass that protection. Depending on how anti-rootkit drivers are coded, they can unhook kernel level hooks by other programs or malware, and create their own hooks to intercept process termination requests.

I am trying to do it myself; if I succeed then I will post the code to let you know about it. Currently trying to write code for it...

Edited November 8, 2008 by Cw2K1

Enjoy the complexity. Feel the power of simplicity.

Innovative (Author), posted November 9, 2008:

Lols, I don't understand any of the imports.