Jump to content

Recommended Posts

post-28581-0-99756400-1317831005_thumb.j

Know your system!

Prod your system for unwanted code! (virus/malware)

Please report bugs/requests/criticism or whatever!

ProDLLer v0.503

Update: 23rd of October 2011

ProDLLer.rar

Earlier versions downloaded: 2726 times.

Most Recent changes...
 
; 0.503
; Fixed: Don't leave icon in tray when leaving, XP/7.
; Fixed: Don't leave them after crash either.
; Added: Don't allow shutdown or standby while ProDLLing in XP, Thanks to Prog@ndy. Vista/7, dont alow shutdown.
; Added: Don't let ProDLLer be put to sleep by idletimers in xp/vista/7.
; Fixed: Lockup when returning from sleep in vista/7, . (if "Noprocs" running then disable "noprocs" and resume all procs.)
; Change: No suspending of "theme"-service in XP. On crash, just resume all processes... like we have to in vista/7...
 
; 0.502
; Fixed: Gui-problem fixed by BeginPaint/endpaint... tested on win7
; Fixed: "Crashnet" and SuspendAll. In the unlikely event that this happens. All procs will be resumed on vist and win7.
; Fixed: Fixed false positives in SSDTshadow on vista/win7.
 
; 0.501
; Added: SSDTshadow - not complete, but fully functional. = lacking names. (Logic is painful; need to guard against faults...)
; Fixed: Lockup in crashnet if "Services.exe" and "System" is suspended. Just resume them... You can suspend again...
; Fixed: Further lockups, same, to do with themes and "lsass.exe"...
 
; 0.500
; Added: Startup-killing... to take a load off the GUI... it will ask...
; Fixed: Slowdown because I accidentaly changed ProDLLer to itterate processes every second...
; Fixed: Process-CPU-utilization. Movement of abandoned children... I cheat. Just load up new list...
; Fixed: Got rid of the Adlib. There were too many possible problems...
; Fixed: CPU-load. Is again aligned...
 
; 0.499
; Added: If over 16 procs start from 1 sec to another or if a total of 40 procs have started; "NoProcsAllowed" is activated.
; Added: Crash-recovery... Just start a new instance of ProDLLer... :)
; Change: No loading of moduleinfo at start.
; Added: Refresh moduleinfo when we need it. KINDA CLUNKY SINCE I ITERATE ALL OF THEM, RIGHT NOW....
; Added: On start of app. Disallow new procs. "NoProcsAllowed" is activated.
; Fixed: A number of bugs that crash Prodller if insane amounts of processes start and stop...
 
; 0.498
; Fixed: "KernelNot.". When disabling callbacks; adjacent CBs of same type would sometimes vanish. Famous anti-rootkit had same faulty behavior.
 
; 0.497
; Fixed: Lockup when suspending some procs during modules-itteration. Context-menu disabled during itteration.
; Fixed: Lockup after thread-view due to excessive killing of already terminated security-threads... Now checking IF it needs killing...
; Fixed: Lockup when trying to change state of services while it is already working with your earlier request. Disable display.

Thanks for functions:

Thanks to "Smoke_N" for his "_ProcessListModules()"! Apparently i borrowed it a looooong time ago. :)

Thanks to "Engine" for his GREAT "Windows Services UDF"!!!

Thanks to JScript, Larry, SmOke_N, mrRevoked for _ProcessGetPath. I used this because I'm too lazy to do one myself. :)

Special thanks to:

Thanks to wraithdu for help and support!

Thanks to Ascend4nt for support and friendship!

Thanks to trancexx for good talks and friendship!

Thanks also to this great community! I really feel empowered!

/Manko [EDIT: New version.]

Edited by Manko
Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites
  • Replies 99
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Hi! The reason I have not already done that is; 1. People seldom have much trouble with such hooks. 2. Getting the names of those hooks is trickier... They reside in multiple files... I f

@rchockxm - Here you go! New version in first post. ; 0.501 ; Added: SSDTshadow - not complete, but fully functional. = lacking names. (Logic is painful; need to guard against faults...) ; Fixed:

Posted Images

Nice idea. However, if you want people to be able to compile / play with it, you'll have to provide the "service.au3" and "skeleton.sys" files. Of course that's totally up to you :)

Thanks! Files now included in first post! I will however not be ferreting out all files for compiling driver in masm32. :)

They are all standard/unmodified but you need the update and the DDK and maybe something else...?

Well if a need arises and it's impossible to find some masm_includefile or other... maybe... PM me...

But driver is included, so it should not be necessary for most.

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

I do like it. It's something I've never thought to do before. But I can't see where/how I would really use it.

[left][sub]We're trapped in the belly of this horrible machine.[/sub][sup]And the machine is bleeding to death...[/sup][sup][/sup][/left]

Link to post
Share on other sites

I took your ColdBoot code out of here, and why doesn't it work just standalone?

#include <service.au3>

FileInstall("c:\skeleton.sys","c:\")
_StopService(".","skeleton")
_DeleteService(".","skeleton")
My_Service_Create("skeleton","Skeleton Driver","c:\skeleton.sys",$SERVICE_KERNEL_DRIVER,$SERVICE_DEMAND_START,$SERVICE_ERROR_IGNORE,0)
_StartService("skeleton")
_DeleteService(".","skeleton")
$test=DllStructCreate("char a[128]")
DllStructSetData($test,1,"\\.\skeleton")


$hColdBoot=DllCall("kernel32.dll", "int", "CreateFile", "ptr", DllStructGetPtr($test), "dword", 0xc0000000, "dword", 0, "dword", 0, "dword", 3, "dword", 0, "dword", 0)
DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $hColdBoot,"dword", 0x00226000, "ptr", 0, "dword", 0, "ptr", 0, "dword", 4, "dword*", 0, "ptr", 0)

Func My_Service_Create($sServiceName, _
                    $sDisplayName, _
                    $sBinaryPath, _
                    $nServiceType = 0x00000010, _
                    $nStartType = 0x00000002, _
                    $nErrorType = 0x00000001, _
                    $nDesiredAccess = 0x000f01ff)
   Local $hAdvapi32
   Local $hKernel32
   Local $arRet
   Local $hSC
   Local $lError = -1   

   $hAdvapi32 = DllOpen("advapi32.dll")
   If $hAdvapi32 = -1 Then Return 0
   $hKernel32 = DllOpen("kernel32.dll")
   If $hKernel32 = -1 Then Return 0
   $arRet = DllCall($hAdvapi32, "long", "OpenSCManager", _
                    "str", ".", _
                    "str", "ServicesActive", _
                    "long", $SC_MANAGER_ALL_ACCESS)
   If $arRet[0] = 0 Then
      $arRet = DllCall($hKernel32, "long", "GetLastError")
      $lError = $arRet[0]
   Else
      $hSC = $arRet[0]
      $arRet = DllCall($hAdvapi32, "long", "OpenService", _
                       "long", $hSC, _
                       "str", $sServiceName, _
                       "long", $SERVICE_INTERROGATE)
      If $arRet[0] = 0 Then
         $arRet = DllCall($hAdvapi32, "long", "CreateService", _
                          "long", $hSC, _
                          "str", $sServiceName, _
                          "str", $sDisplayName, _
                          "long", $nDesiredAccess, _
                          "long", $nServiceType, _
                          "long", $nStartType, _
                          "long", $nErrorType, _
                          "str", $sBinaryPath, _
                          "int", 0, _
                          "ptr", 0, _
                          "int", 0, _
                          "int", 0, _
                          "int", 0)
         If $arRet[0] = 0 Then          
            $arRet = DllCall($hKernel32, "long", "GetLastError")
            $lError = $arRet[0]
         Else
            DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $arRet[0])
         EndIf
      Else
         DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $arRet[0])
      EndIf   
      DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $hSC)
   EndIf
   DllClose($hAdvapi32)
   DllClose($hKernel32)   
   If $lError <> -1 Then 
      SetError($lError)
      Return 0
   EndIf
   Return 1
EndFunc

[left][sub]We're trapped in the belly of this horrible machine.[/sub][sup]And the machine is bleeding to death...[/sup][sup][/sup][/left]

Link to post
Share on other sites

1. I took your ColdBoot code out of here, and why doesn't it work just standalone?

2. I do like it. It's something I've never thought to do before. But I can't see where/how I would really use it.

Hi!

1. Because a DllCall returns an array and you took out this part:

if $hColdBoot[0] = -1 Then 
    msgbox(0,"","Could not aquire cold boot handle!",5)
    $hColdboot=0
Else
    $hColdboot=$hColdBoot[0] ; ###### - Gets the result from the first arrayparameter into the single variable... - ####### 
EndIfoÝ÷ Øò¢çhmÁ©íjYm«r¢çȦ¦©àzÚ-+ºÚ"µÍØ[
    ][ÝÚÙ[Ì ][ÝË  ][ÝÚ[ ][ÝË  ][ÝÑ]XÙR[ÐÛÛÛ    ][ÝË  ][ÝÙÛÜ  ][ÝË  ÌÍÚÛÛÛÝÌK   ][ÝÙÛÜ  ][ÝË  ][ÝÜ][ÝË    ][ÝÙÛÜ  ][ÝË  ][ÝÜ][ÝË    ][ÝÙÛÜ  ][ÝË
    ][ÝÙÛÜ
][ÝË  ][ÝÜ][ÝË
oÝ÷ ÛeX­ßÛ¶%~Ýz׶)àjwkzj/x&j­çeÌ!Èkz¨Ê&zIèÂWçë¢kaz^­«h®ÊZ®Óµéæj­è§}ç-³*.®Ì¬µéÊ)ãyËbe)í£*.®Úî²×¦ºz˱©Ý²Ö²¶«xZ½êÞrÞ­çfj|¬ÊË^ÆòiÊ&n)Ú¶*'¡ûh¢[ºÚ/z¹h¢F§uæ¬zî±èZ±·ªk¡¹^«¶'.ªåÉú+¶¬¥ªí¡ûaz·¦¢ö¥¦ºzË·ljȦ¦WiËm«Zد»¬jlv÷öÖ¥Á¬¬vaz*ã¡´¨!Ú'ßÛkz¨Ø^»p!Øm¶§-Yai×(uè§~ì¶b§u×¥zاǫ¾'ANDG+y«b§vËZ®Ø§pjÈî²Û(ëax¦ëb«hëbëhëk¢éݶiËm«HÁ«©àz)ථ+Þ¬­Ø½é¦ºé¬Z²²­¶)ජajwex"[Zè­¢ëpéÈìm«Þj{©u«^÷öÙ'£!z{ajÜ"VÞ6m«_ºYh~'^jÆ®¶­sdfÆTç7FÆÂgV÷C¶3¢b3#·6¶VÆWFöâç72gV÷C²ÂgV÷C¶3¢b3#²gV÷C²¥õ7F÷6W'f6RgV÷C²âgV÷C²ÂgV÷C·6¶VÆWFöâgV÷C²²222222222ÒDTÄUDRD2ÄäRÒ2222222220¥ôFVÆWFU6W'f6RgV÷C²âgV÷C²ÂgV÷C·6¶VÆWFöâgV÷C²²222222222ÒDTÄUDRD2ÄäRÒ2222222220¤×õ6W'f6Uô7&VFRgV÷C·6¶VÆWFöâgV÷C²ÂgV÷Cµ6¶VÆWFöâG&fW"gV÷C²ÂgV÷C¶3¢b3#·6¶VÆWFöâç72gV÷C²Âb33cµ4U%d4Uô´U$äTÅôE$dU"Âb33cµ4U%d4UôDTÔäEõ5D%BÂb33cµ4U%d4UôU%$õ%ôtäõ$RÃ¥õ7F'E6W'f6RgV÷C·6¶VÆWFöâgV÷C²¥ôFVÆWFU6W'f6RgV÷C²âgV÷C²ÂgV÷C·6¶VÆWFöâgV÷C²¢b33c·FW7CÔFÆÅ7G'V7D7&VFRgV÷C¶6"³#ÒgV÷C²¤FÆÅ7G'V7E6WDFFb33c·FW7BÃÂgV÷C²b3#²b3#²âb3#·6¶VÆWFöâgV÷C²

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

Thanks for sharing !

Thanks for the high praise! Hope it will be useful for you!

Have updated app in first post.

Now it lists processes in parent/child order with indentation. Now you can see what proc started which proc. +it gets easier to read.

(On the downside, it sortof broke sorting of that column... but I wanted to release now and maybe fix later.)

Added info on Company/description/priority/full path

Proclistwindow is larger and it is resizeable!

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

way cool! It's not like I'll be using it daily but there are situations when I really need this sort of app...

Bug thing: when resizing the window or moving the lists separator the whole thing flickers and the left list goes over the right one until i release the mouse button... not sure if this is because my cpu has only 1500 mhz

thx for sharing

Link to post
Share on other sites

way cool! It's not like I'll be using it daily but there are situations when I really need this sort of app...

Bug thing: when resizing the window or moving the lists separator the whole thing flickers and the left list goes over the right one until i release the mouse button... not sure if this is because my cpu has only 1500 mhz

thx for sharing

Hi!

It's more like, I'm a crappy programmer. I actually don't know how to make it resize prettily... Ie tracking the mouse, making changes...

App worked in other respects, so I didn't bother. *blush*

Thanks for taking time and effort to comment!

/Manko

[EDIT: Have fixed much prettier resizing... (both listviews follow mouse like they should) Will not release and bump thread now though...]

Edited by Manko
Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites
  • 1 month later...

Problem resolved with new function!

A WARNING to potential users. Since I have a very clean system. I have not realised just how REALLY dangerous suspending threads can be. I just thought that if I kept updating lists of exceptions like for:

"csrss.exe" - NEVER supend on winXP, as this handles keyboard and mouse, and you would not be able to do anything else.

"ctfmon.exe" - App would be unresponsive, and might lock...

"fsgk.exe" - F-Secure antivirus. App would lock. This is used at work. BLODY SLOW AND USELESS...

...all would be good... But then I discovered lots more on laptops and readyinstalled package - brand name - systems... These procs all locked the system... They were too many!!! I had to find the cause.... And discovered it in Global message hooks. (SetWindowsHookEx)

So I started researching a way to warn the user of which processes had set these hooks. A possible way was to set a hook one self that would monitor hooks. WH_DEBUG which would return among others what sort of hook would be called and which process had installed it.

LRESULT CALLBACK DebugProc(   
    int nCode,
    WPARAM wParam,; Returns what sort of hook will be called
    LPARAM lParam   ; Returns below struct...
);

The lParam would return a pointer to the below struct.

typedef struct {
    DWORD idThread;
    DWORD idThreadInstaller;    THIS would return what I wanted. But always return 0. !!!! :( 
    LPARAM lParam;
    WPARAM wParam;
    int code;
} DEBUGHOOKINFO, *PDEBUGHOOKINFO;

Problem resolved with new function!

No matter what I did... It did not work. All the other fields in the struct is filled, but NOT the one I needed. (Of course I had put it in dll... And fiddled with security descriptors and such... no game!)I googled for days, only to find that noone could solve this and all had the same problem. :) I have continued to google and am on the track of a solution involving kernel drivers and undocumented structures deep in kernelspace... My Leads are:

http://www.experts-exchange.com/Programmin...Q_22405364.html

http://zairon.wordpress.com/2006/12/06/any...-on-my-machine/

http://www.woodmann.com/forum/archive/index.php/t-11537.html

This won't be fixed soon, so now you know, and have been warned. And I have no experience with kernel drivers... (The one I have is form a skeleton source, which I have shoves my two line code for rebooting into...)

I have to continue searching...

/Manko [EDIT:Problem resolved with new function!]

Edited by Manko
Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

the code gives me unendless errors

Have you downloaded extras? (The includes must ofcourse be in the INCLUDEs directory.) :)

Are you using Windows XP? (Prefered, maybe required...)

Are you administrator? (Required!)

Are you using AutoIt v3.3.0.0?

If that doesn't help, what are the errors? first error?

Thanks for replying! Don't see that often... :lmao:

/Manko

Edited by Manko
Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

yes at all but the errors r code related like endswitch and missing separators as i remember

Edit : line 80 _service_start("Skeleton") in correct number of parameters

i guess the services.au3 that i have is out dated or maybe urs

Edited by yehia
Link to post
Share on other sites

yes at all but the errors r code related like endswitch and missing separators as i remember

Edit : line 80 _service_start("Skeleton") in correct number of parameters

i guess the services.au3 that i have is out dated or maybe urs

I'm guessing, if you switch to the provided services.au3, errors will go away. Make a copy of yours so you can switch back.

If that doesn't help, maybe you can give me more info...

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites
  • 3 weeks later...

how can i just list all the loaded dlls in an array?

Here you go!

Apparently I borrowed the module_func from Smoke_N a loooong time ago. Credits to him!!!

I just put it in my originally SMALL script and quickly forgot about it... :)

Never thought about publishing own code, back then...

I have used these APIs before, but AM lazy, so since I wasn't accustomed to Autoit-coding I just took it when I found one readymade.

#AutoIt3Wrapper_outfile=C:\TEST1.exe
#include <WinAPI.au3>   ; _GetPrivilege_SEDEBUG() - by wraithdu - uses this include. My function needs none.
#include <array.au3>    ; Needed to display array in example. Not needed by Func.

; ############ Example code #######################
#RequireAdmin

Global $avArray[100000][7], $iAdd = 0, $i
_GetPrivilege_SEDEBUG() ; I need this for tricky processes. Not needed for most...
Global $procs=ProcessList()
$avArray[0][0] = "ProcessName"
$avArray[0][1] = "th32ProcessID"
$avArray[0][4] = "ProccntUsage"
$avArray[0][5] = "modBaseSize"
$avArray[0][2] = "hModule"
$avArray[0][3] = "szModuleName"
$avArray[0][6] = "szExePath"
for $i= 3 to ubound($procs,1)-1
$iAdd+=1
_ProcessListModules($procs[$i][1])
Next
ReDim $avArray[$iAdd+1][7]
_arraydisplay($avArray, "Credits to Smoke_N for func... I just slightly modified it.")
; ###############################################


; ############ Here be func! #################### Credits to Smoke_N (Just searched for it...)
Func _ProcessListModules($dwPID)
    Local Const $TH32CS_SNAPMODULE = 0x08
    Local $aDLLCall, $tagMODULEENTRY32, $hModuleSnap
    $aDLLCall = DllCall("Kernel32.dll", "ptr", "CreateToolhelp32Snapshot", "int", $TH32CS_SNAPMODULE, "dword", $dwPID)
    $hModuleSnap = $aDLLCall[0]
    $tagMODULEENTRY32 = DllStructCreate("dword;dword;dword;dword;dword;byte;dword;ptr;char[256];char[257]")
    DllStructSetData($tagMODULEENTRY32, 1, DllStructGetSize($tagMODULEENTRY32))
    $aDLLCall = DllCall("Kernel32.dll", "int", "Module32First", "ptr", $hModuleSnap, "long", DllStructGetPtr($tagMODULEENTRY32))
    While 1
;~      typedef struct tagMODULEENTRY32 {
        ;$avArray[$iAdd][0] = DllStructGetData($tagMODULEENTRY32, 1) ;~             DWORD   dwSize;
        $avArray[$iAdd][0] = $procs[$i][0]
        ;$avArray[$iAdd][1] = DllStructGetData($tagMODULEENTRY32, 2) ;~             DWORD   th32ModuleID;
        $avArray[$iAdd][1] = DllStructGetData($tagMODULEENTRY32, 3) ;~          DWORD   th32ProcessID;
        ;$avArray[$iAdd][3] = DllStructGetData($tagMODULEENTRY32, 4) ;~             DWORD   GlblcntUsage;
        $avArray[$iAdd][4] = DllStructGetData($tagMODULEENTRY32, 5) ;~          DWORD   ProccntUsage;
        ;$avArray[$iAdd][5] = DllStructGetData($tagMODULEENTRY32, 6) ;~             BYTE  * modBaseAddr;
        $avArray[$iAdd][5] = DllStructGetData($tagMODULEENTRY32, 7) ;~          DWORD   modBaseSize;
        $avArray[$iAdd][2] = DllStructGetData($tagMODULEENTRY32, 8) ;~          HMODULE hModule;
        $avArray[$iAdd][3] = DllStructGetData($tagMODULEENTRY32, 9) ;~          char    szModule[MAX_MODULE_NAME32 + 1];
        $avArray[$iAdd][6] = DllStructGetData($tagMODULEENTRY32, 10);~          char    szExePath[MAX_PATH];
;~      } MODULEENTRY32;
        $aDLLCall = DllCall("kernel32", "int", "Module32Next", "ptr", $hModuleSnap, "long", DllStructGetPtr($tagMODULEENTRY32))
        If Not $aDLLCall[0] Then ExitLoop
        $iAdd += 1
    WEnd
    DllCall("Kernel32.dll", "int", "CloseHandle", "ptr", $hModuleSnap)
    Return
EndFunc   ;==>_ProcessListModules

; ####################### Below Func is Part of example - Needed to get commandline from more processes.
; ####################### Thanks to wraithdu!
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    ;msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", Chr(0), "ptr", Chr(0))
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG

/Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...
Link to post
Share on other sites

thanks alot man

What i'm going to do with it is a "dll scanner that would point out a spy or trojan threads injected to windows services"

thanks

Link to post
Share on other sites
  • 3 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Exit
      Au3toCmd  ---  Avoid false virus positives
      Since many virus scanners sometimes prevent a "compiled autoit EXE" from being executed as "false positive", the "*.A3X" format is a suitable format to avoid this problem.
      See here for more information.
      In order to simplify this procedure, I wrote the Au3toCmd script. Here a *.Cmd file is generated from a *.Au3 file. The necessary files Autoit3.exe and *.A3x are added to the "*.Cmd" file as "alternate data streams" "Base64" encoded data.
      Now the Autoit Script can be called by clicking on the cmd file and the anti-virus scanners do not recognize the "false positive".
      If the short-term flashing of the CMD window bothers you, you can click the desktop shutcut that runs in a minimized window.
      Unfortunately, because the "alternate data streams", this CMD file cannot be distributed via FTP or email.
      Only a USB sti ck or removable disk formatted with NTFS can be used.
      As the new version now uses Base64 data instead of ADS, this statement is out of date.
      For reasons of compatibility, the old version was sunk into the spoiler here.
       
       
      The script can be called with a file name of an AU3 script as a parameter.
      If no name is entered, a query is made.
      For more information, see the header of the script. 
      Suggestions, improvements and bug reports are welcome.
      Here the versions using base64 data
      Version: 2022.05.12  (Support blanks in pathnames)
      Version: 2022.06.23  (Support release candidates. Changed @CrLf to @Lf. Annual cleaning. Optimized #AutoIt3Wrapper handling)
      Version: 2022.07.22  (Support scripts with the same name but different content in different directories)
      Version: 2022.07.27  (Support blanks in usernames)
      Au3toCmd.au3
      Version: 2022.09.01  (Optimized annual cleaning)
      Au3toCmd.au3
    • By DevMode
      welcome
      I need help dealing with a C++ DLL
      Specify that I need help with how to use this function
      struct libusb_device; typedef struct libusb_context libusb_context; ssize_t LIBUSB_CALL libusb_get_device_list(libusb_context *ctx,libusb_device ***list); My problem is how to deal with "libusb_device ***list"
      my code 
      $libusb_device = DllStructCreate("PTR") Func libusb_init() $Var = DllCall($libusb0, "ptr", "libusb_init",'ptr',$_libusb_device_handle_Ptr) If @error Then Return False Return $Var[1] EndFunc Func libusb_get_device_list() MsgBox(0,VarGetType($_libusb_device_handle_Ptr),$_libusb_device_handle_Ptr) $Var = DllCall($libusb0, "int", "libusb_get_device_list","ptr",$_libusb_device_handle_Ptr,"ptr*",POINTER(POINTER($libusb_device))) $Error = @error If $Error Then Return False MsgBox(0,VarGetType($Var),$Error&@CRLF&$Var) _ArrayDisplay($Var) Return $Var[1] EndFunc  
      Thank you
      iLibUSB.dll iLibUSB_32.dll libusb.h
    • By DonChunior
      Introduction 
      In the course of my research for a project involving, among other things, the transfer of large amounts of data, I came across the BITS service and from that the idea for this UDF was born.
      For a brief overview, I'll quote from Microsoft's BITS website (https://docs.microsoft.com/en-us/windows/win32/bits/background-intelligent-transfer-service-portal).
      Availability 🛒
      The BITS UDF can be downloaded from my GitHub repository:
      🔗 https://github.com/DonChunior/BITS-UDF
      Comments 💬
      Currently, only an alpha version of the UDF is available.
      This contains by and large the full functionality of the object interfaces, but still completely lacks error checking and handling.
      I will implement this in the upcoming beta version.
      Therefore I ask you to use the UDF only for testing purposes but not in productive code!
      Acknowledgment 🤝
      Many thanks to @Nine and @Danyfirex.
      You helped me very well in solving some tricky problems.
    • By bobflumox
      Hi all,
      My programming knowledge is very basic.
      I have an old script that creates shares and assign permissions. It normally registers SetAcl.ocx if necessary and creates an object to assign permissions.
      The command that registers SetAcl was apparently working fine under Windows 7 but is not working under Windows 10.
      RunWait("regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE) As I'm logged in as admin, I changed this command to :
      RunAsWait(@UserName, "", "", 0, "regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE) It seems to terminate correctly but the script still doesn't work as expected.
      To check that, I've created that small script :
      Local $objSetAcl = ObjCreate("SETACL.SetACLCtrl.1") If IsObj($objSetAcl) Then ConsoleWrite("Object successfully created." & @CRLF) Else ConsoleWrite("Object not created. Registering SetAcl.ocx" & @CRLF) Local $result = RunAsWait(@UserName, "", "", 0, "regsvr32.exe path\to\setacl.ocx /s", "", @SW_HIDE); Use of my admin username to elevate CMD ConsoleWrite("Return code : " & $result & @CRLF) ConsoleWrite("Creating object" & @CRLF) $objSetAcl = ObjCreate("SETACL.SetACLCtrl.1") If IsObj($objSetAcl) Then ConsoleWrite("Object successfully created." & @CRLF) Else ConsoleWrite("Object creation failed." & @CRLF) EndIf EndIf It tries to register SetAcl.ocx, return code 0 seems to be fine but still can't use SetAcl.
      But if I go to CMD as admin, run the regsvr32 command and restart my script, it can create the object without issue.
      I know my poor knowledge makes me miss something. Anyone can help me figure this out ?
    • By Gowrisankar
      Dear members of the forum,
      I'm working on a project in which I have to use Image recognition technique. 
      Due to client restrictions, I couldn't use AutoIt for this project. 
      Is there a way to use this DLL "ImageSearchDLL.dll" (which is used to do image recognition steps in AutoIt) in VB.Net to achieve the same result? 
      I have used this DLL few years before and got good results. If there is a latest version of this DLL and if you can share it, that will be helpful too.
      Any guidance is deeply appreciated.
×
×
  • Create New...