Manko

ProDLLer: Unknown code running? Befriend or Kill!

100 posts in this topic

#1 ·  Posted (edited)


Know your system!

Prod your system for unwanted code! (virus/malware)

Please report bugs/requests/criticism or whatever!

ProDLLer v0.503

Update: 23rd of October 2011

ProDLLer.rar

Earlier versions downloaded: 2726 times.

Most Recent changes...
 
; 0.503
; Fixed: Don't leave icon in tray when leaving, XP/7.
; Fixed: Don't leave them after crash either.
; Added: Don't allow shutdown or standby while ProDLLing in XP, thanks to Prog@ndy. Vista/7: don't allow shutdown.
; Added: Don't let ProDLLer be put to sleep by idle timers in XP/Vista/7.
; Fixed: Lockup when returning from sleep in Vista/7. (If "NoProcs" is running then disable "NoProcs" and resume all procs.)
; Change: No suspending of "theme"-service in XP. On crash, just resume all processes... like we have to in Vista/7...
 
; 0.502
; Fixed: Gui-problem fixed by BeginPaint/endpaint... tested on win7
; Fixed: "Crashnet" and SuspendAll. In the unlikely event that this happens, all procs will be resumed on Vista and Win7.
; Fixed: Fixed false positives in SSDTshadow on vista/win7.
 
; 0.501
; Added: SSDTshadow - not complete, but fully functional. = lacking names. (Logic is painful; need to guard against faults...)
; Fixed: Lockup in crashnet if "Services.exe" and "System" are suspended. Just resume them... You can suspend again...
; Fixed: Further lockups, same, to do with themes and "lsass.exe"...
 
; 0.500
; Added: Startup-killing... to take a load off the GUI... it will ask...
; Fixed: Slowdown because I accidentally changed ProDLLer to iterate processes every second...
; Fixed: Process-CPU-utilization. Movement of abandoned children... I cheat. Just load up new list...
; Fixed: Got rid of the Adlib. There were too many possible problems...
; Fixed: CPU-load. Is again aligned...
 
; 0.499
; Added: If over 16 procs start from 1 sec to another or if a total of 40 procs have started; "NoProcsAllowed" is activated.
; Added: Crash-recovery... Just start a new instance of ProDLLer... :)
; Change: No loading of moduleinfo at start.
; Added: Refresh moduleinfo when we need it. KINDA CLUNKY SINCE I ITERATE ALL OF THEM, RIGHT NOW....
; Added: On start of app. Disallow new procs. "NoProcsAllowed" is activated.
; Fixed: A number of bugs that crash Prodller if insane amounts of processes start and stop...
 
; 0.498
; Fixed: "KernelNot.". When disabling callbacks; adjacent CBs of same type would sometimes vanish. Famous anti-rootkit had same faulty behavior.
 
; 0.497
; Fixed: Lockup when suspending some procs during modules iteration. Context menu disabled during iteration.
; Fixed: Lockup after thread-view due to excessive killing of already terminated security-threads... Now checking IF it needs killing...
; Fixed: Lockup when trying to change state of services while it is already working with your earlier request. Disable display.

Thanks for functions:

Thanks to "Smoke_N" for his "_ProcessListModules()"! Apparently i borrowed it a looooong time ago. :)

Thanks to "Engine" for his GREAT "Windows Services UDF"!!!

Thanks to JScript, Larry, SmOke_N, mrRevoked for _ProcessGetPath. I used this because I'm too lazy to do one myself. :)

Special thanks to:

Thanks to wraithdu for help and support!

Thanks to Ascend4nt for support and friendship!

Thanks to trancexx for good talks and friendship!

Thanks also to this great community! I really feel empowered!

/Manko [EDIT: New version.]

Edited by Manko

Yes I rush things! (I sorta do small bursts in between doing nothing.) Things I have rushed and reRushed:
* ProDLLer - Process manager - Unload viri modules (dll) and moore...
* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...
* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...
* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...




#2 ·  Posted (edited)

Nice idea. However, if you want people to be able to compile / play with it, you'll have to provide the "service.au3" and "skeleton.sys" files. Of course that's totally up to you :)

Edited by wraithdu


Nice idea. However, if you want people to be able to compile / play with it, you'll have to provide the "service.au3" and "skeleton.sys" files. Of course that's totally up to you :)

Thanks! Files now included in first post! I will however not be ferreting out all files for compiling driver in masm32. :)

They are all standard/unmodified but you need the update and the DDK and maybe something else...?

Well if a need arises and it's impossible to find some masm_includefile or other... maybe... PM me...

But driver is included, so it should not be necessary for most.

/Manko




I do like it. It's something I've never thought to do before. But I can't see where/how I would really use it.


We're trapped in the belly of this horrible machine. And the machine is bleeding to death...


I took your ColdBoot code out of here, and why doesn't it work just standalone?

#include <service.au3>

FileInstall("c:\skeleton.sys","c:\")
_StopService(".","skeleton")
_DeleteService(".","skeleton")
My_Service_Create("skeleton","Skeleton Driver","c:\skeleton.sys",$SERVICE_KERNEL_DRIVER,$SERVICE_DEMAND_START,$SERVICE_ERROR_IGNORE,0)
_StartService("skeleton")
_DeleteService(".","skeleton")
$test=DllStructCreate("char a[128]")
DllStructSetData($test,1,"\\.\skeleton")


$hColdBoot=DllCall("kernel32.dll", "int", "CreateFile", "ptr", DllStructGetPtr($test), "dword", 0xc0000000, "dword", 0, "dword", 0, "dword", 3, "dword", 0, "dword", 0)
DllCall("kernel32.dll", "int", "DeviceIoControl", "dword", $hColdBoot,"dword", 0x00226000, "ptr", 0, "dword", 0, "ptr", 0, "dword", 4, "dword*", 0, "ptr", 0)

Func My_Service_Create($sServiceName, _
                    $sDisplayName, _
                    $sBinaryPath, _
                    $nServiceType = 0x00000010, _
                    $nStartType = 0x00000002, _
                    $nErrorType = 0x00000001, _
                    $nDesiredAccess = 0x000f01ff)
   Local $hAdvapi32
   Local $hKernel32
   Local $arRet
   Local $hSC
   Local $lError = -1   

   $hAdvapi32 = DllOpen("advapi32.dll")
   If $hAdvapi32 = -1 Then Return 0
   $hKernel32 = DllOpen("kernel32.dll")
   If $hKernel32 = -1 Then Return 0
   $arRet = DllCall($hAdvapi32, "long", "OpenSCManager", _
                    "str", ".", _
                    "str", "ServicesActive", _
                    "long", $SC_MANAGER_ALL_ACCESS)
   If $arRet[0] = 0 Then
      $arRet = DllCall($hKernel32, "long", "GetLastError")
      $lError = $arRet[0]
   Else
      $hSC = $arRet[0]
      $arRet = DllCall($hAdvapi32, "long", "OpenService", _
                       "long", $hSC, _
                       "str", $sServiceName, _
                       "long", $SERVICE_INTERROGATE)
      If $arRet[0] = 0 Then
         $arRet = DllCall($hAdvapi32, "long", "CreateService", _
                          "long", $hSC, _
                          "str", $sServiceName, _
                          "str", $sDisplayName, _
                          "long", $nDesiredAccess, _
                          "long", $nServiceType, _
                          "long", $nStartType, _
                          "long", $nErrorType, _
                          "str", $sBinaryPath, _
                          "int", 0, _
                          "ptr", 0, _
                          "int", 0, _
                          "int", 0, _
                          "int", 0)
         If $arRet[0] = 0 Then          
            $arRet = DllCall($hKernel32, "long", "GetLastError")
            $lError = $arRet[0]
         Else
            DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $arRet[0])
         EndIf
      Else
         DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $arRet[0])
      EndIf   
      DllCall($hAdvapi32, "int", "CloseServiceHandle", "long", $hSC)
   EndIf
   DllClose($hAdvapi32)
   DllClose($hKernel32)   
   If $lError <> -1 Then 
      SetError($lError)
      Return 0
   EndIf
   Return 1
EndFunc



1. I took your ColdBoot code out of here, and why doesn't it work just standalone?

2. I do like it. It's something I've never thought to do before. But I can't see where/how I would really use it.

Hi!

1. Because a DllCall returns an array and you took out this part:

If $hColdBoot[0] = -1 Then
    MsgBox(0, "", "Could not acquire cold boot handle!", 5)
    $hColdBoot = 0
Else
    $hColdBoot = $hColdBoot[0] ; ###### - Gets the result from the first array element into the single variable... - #######
EndIf

/Manko




AWESOME and UNBELIEVABLE! When I first saw the title, I thought that it would never be possible, but...

*Loss of words*..

Thanks for sharing !


Thanks for sharing !

Thanks for the high praise! Hope it will be useful for you!

Have updated app in first post.

Now it lists processes in parent/child order with indentation. Now you can see which proc started which proc. Plus it gets easier to read.

(On the downside, it sort of broke sorting of that column... but I wanted to release now and maybe fix later.)

Added info on company/description/priority/full path.

The process list window is larger and it is resizable!

/Manko




Way cool! It's not like I'll be using it daily, but there are situations when I really need this sort of app...

Bug thing: when resizing the window or moving the lists' separator the whole thing flickers and the left list goes over the right one until I release the mouse button... not sure if this is because my CPU has only 1500 MHz.

thx for sharing


#10 ·  Posted (edited)

Way cool! It's not like I'll be using it daily, but there are situations when I really need this sort of app...

Bug thing: when resizing the window or moving the lists' separator the whole thing flickers and the left list goes over the right one until I release the mouse button... not sure if this is because my CPU has only 1500 MHz.

thx for sharing

Hi!

It's more like, I'm a crappy programmer. I actually don't know how to make it resize prettily... i.e. tracking the mouse, making changes...

App worked in other respects, so I didn't bother. *blush*

Thanks for taking time and effort to comment!

/Manko

[EDIT: Have fixed much prettier resizing... (both listviews follow mouse like they should) Will not release and bump thread now though...]

Edited by Manko



#11 ·  Posted (edited)

Problem resolved with new function!

A WARNING to potential users. Since I have a very clean system, I have not realised just how REALLY dangerous suspending threads can be. I just thought that if I kept updating lists of exceptions like for:

"csrss.exe" - NEVER suspend on WinXP, as this handles keyboard and mouse, and you would not be able to do anything else.

"ctfmon.exe" - App would be unresponsive, and might lock...

"fsgk.exe" - F-Secure antivirus. App would lock. This is used at work. BLOODY SLOW AND USELESS...

...all would be good... But then I discovered lots more on laptops and ready-installed package (brand name) systems... These procs all locked the system... They were too many!!! I had to find the cause.... And discovered it in global message hooks. (SetWindowsHookEx)

So I started researching a way to warn the user of which processes had set these hooks. A possible way was to set a hook oneself that would monitor hooks: WH_DEBUG, which would return among other things what sort of hook would be called and which process had installed it.

LRESULT CALLBACK DebugProc(
    int nCode,
    WPARAM wParam,   // Returns what sort of hook will be called
    LPARAM lParam    // Returns a pointer to the struct below...
);

The lParam would return a pointer to the below struct.

typedef struct {
    DWORD idThread;
    DWORD idThreadInstaller;   // THIS would return what I wanted. But it always returns 0. !!!! :(
    LPARAM lParam;
    WPARAM wParam;
    int code;
} DEBUGHOOKINFO, *PDEBUGHOOKINFO;


No matter what I did... It did not work. All the other fields in the struct are filled, but NOT the one I needed. (Of course I had put it in a dll... And fiddled with security descriptors and such... no game!)

I googled for days, only to find that no one could solve this and all had the same problem. :) I have continued to google and am on the track of a solution involving kernel drivers and undocumented structures deep in kernel space... My leads are:

http://www.experts-exchange.com/Programmin...Q_22405364.html

http://zairon.wordpress.com/2006/12/06/any...-on-my-machine/

http://www.woodmann.com/forum/archive/index.php/t-11537.html

This won't be fixed soon, so now you know, and have been warned. And I have no experience with kernel drivers... (The one I have is from a skeleton source, into which I have shoved my two-line code for rebooting...)

I have to continue searching...

/Manko [EDIT:Problem resolved with new function!]

Edited by Manko



#13 ·  Posted (edited)

The code gives me endless errors.

Have you downloaded the extras? (The includes must of course be in the INCLUDE directory.) :)

Are you using Windows XP? (Preferred, maybe required...)

Are you administrator? (Required!)

Are you using AutoIt v3.3.0.0?

If that doesn't help, what are the errors? first error?

Thanks for replying! Don't see that often... :lmao:

/Manko

Edited by Manko



#14 ·  Posted (edited)

Yes to all, but the errors are code related, like EndSwitch and missing separators, as I remember.

Edit: line 80 _service_start("Skeleton"): incorrect number of parameters.

I guess the services.au3 that I have is outdated, or maybe yours is.

Edited by yehia


Yes to all, but the errors are code related, like EndSwitch and missing separators, as I remember.

Edit: line 80 _service_start("Skeleton"): incorrect number of parameters.

I guess the services.au3 that I have is outdated, or maybe yours is.

I'm guessing, if you switch to the provided services.au3, errors will go away. Make a copy of yours so you can switch back.

If that doesn't help, maybe you can give me more info...

/Manko




How can I just list all the loaded DLLs in an array?

Here you go!

Apparently I borrowed the module_func from Smoke_N a loooong time ago. Credits to him!!!

I just put it in my originally SMALL script and quickly forgot about it... :)

Never thought about publishing own code, back then...

I have used these APIs before, but I AM lazy, so since I wasn't accustomed to AutoIt coding I just took it when I found one ready-made.

#AutoIt3Wrapper_outfile=C:\TEST1.exe
#include <WinAPI.au3>   ; _GetPrivilege_SEDEBUG() - by wraithdu - uses this include. My function needs none.
#include <array.au3>    ; Needed to display array in example. Not needed by Func.

; ############ Example code #######################
#RequireAdmin

Global $avArray[100000][7], $iAdd = 0, $i
_GetPrivilege_SEDEBUG() ; I need this for tricky processes. Not needed for most...
Global $procs = ProcessList()
$avArray[0][0] = "ProcessName"
$avArray[0][1] = "th32ProcessID"
$avArray[0][2] = "hModule"
$avArray[0][3] = "szModuleName"
$avArray[0][4] = "ProccntUsage"
$avArray[0][5] = "modBaseSize"
$avArray[0][6] = "szExePath"
; $procs[0][0] is the count; entries 1 and 2 are normally "[System Process]" and "System", which cannot be snapshotted.
For $i = 3 To UBound($procs, 1) - 1
    $iAdd += 1
    ; If nothing could be read for this PID (e.g. access denied), give the row back so no empty line is left.
    If Not _ProcessListModules($procs[$i][1], $procs[$i][0]) Then $iAdd -= 1
Next
ReDim $avArray[$iAdd + 1][7]
_ArrayDisplay($avArray, "Credits to Smoke_N for func... I just slightly modified it.")
; ###############################################


; ############ Here be func! #################### Credits to Smoke_N (Just searched for it...)
; Fills $avArray from row $iAdd onwards with one row per module loaded in $dwPID.
; Returns 1 if at least one module was read, 0 (and sets @error) otherwise.
Func _ProcessListModules($dwPID, $sProcessName)
    Local Const $TH32CS_SNAPMODULE = 0x08
    Local $aDLLCall, $tagMODULEENTRY32, $hModuleSnap
    $aDLLCall = DllCall("Kernel32.dll", "ptr", "CreateToolhelp32Snapshot", "dword", $TH32CS_SNAPMODULE, "dword", $dwPID)
    If @error Or $aDLLCall[0] = Ptr(-1) Then Return SetError(1, 0, 0) ; INVALID_HANDLE_VALUE: no access, or process already gone
    $hModuleSnap = $aDLLCall[0]
    ; MODULEENTRY32: dwSize; th32ModuleID; th32ProcessID; GlblcntUsage; ProccntUsage; modBaseAddr; modBaseSize; hModule; szModule[256]; szExePath[MAX_PATH]
    $tagMODULEENTRY32 = DllStructCreate("dword;dword;dword;dword;dword;ptr;dword;ptr;char[256];char[260]")
    DllStructSetData($tagMODULEENTRY32, 1, DllStructGetSize($tagMODULEENTRY32))
    $aDLLCall = DllCall("Kernel32.dll", "int", "Module32First", "ptr", $hModuleSnap, "ptr", DllStructGetPtr($tagMODULEENTRY32))
    If @error Or Not $aDLLCall[0] Then
        ; Module32First failed: nothing to record, but the snapshot handle still has to be closed.
        DllCall("Kernel32.dll", "int", "CloseHandle", "ptr", $hModuleSnap)
        Return SetError(2, 0, 0)
    EndIf
    While 1
        $avArray[$iAdd][0] = $sProcessName
        $avArray[$iAdd][1] = DllStructGetData($tagMODULEENTRY32, 3)  ; th32ProcessID
        $avArray[$iAdd][4] = DllStructGetData($tagMODULEENTRY32, 5)  ; ProccntUsage
        $avArray[$iAdd][5] = DllStructGetData($tagMODULEENTRY32, 7)  ; modBaseSize
        $avArray[$iAdd][2] = DllStructGetData($tagMODULEENTRY32, 8)  ; hModule
        $avArray[$iAdd][3] = DllStructGetData($tagMODULEENTRY32, 9)  ; szModule
        $avArray[$iAdd][6] = DllStructGetData($tagMODULEENTRY32, 10) ; szExePath
        $aDLLCall = DllCall("Kernel32.dll", "int", "Module32Next", "ptr", $hModuleSnap, "ptr", DllStructGetPtr($tagMODULEENTRY32))
        If @error Or Not $aDLLCall[0] Then ExitLoop ; ERROR_NO_MORE_FILES: list is complete
        $iAdd += 1
    WEnd
    DllCall("Kernel32.dll", "int", "CloseHandle", "ptr", $hModuleSnap)
    Return 1
EndFunc   ;==>_ProcessListModules

; ####################### Below Func is Part of example - Needed to get commandline from more processes.
; ####################### Thanks to wraithdu!
Func _GetPrivilege_SEDEBUG()
    Local $tagLUIDANDATTRIB = "int64 Luid;dword Attributes"
    Local $count = 1
    Local $tagTOKENPRIVILEGES = "dword PrivilegeCount;byte LUIDandATTRIB[" & $count * 12 & "]" ; count of LUID structs * sizeof LUID struct
    Local $TOKEN_ADJUST_PRIVILEGES = 0x20
    Local $call = DllCall("advapi32.dll", "int", "OpenProcessToken", "ptr", _WinAPI_GetCurrentProcess(), "dword", $TOKEN_ADJUST_PRIVILEGES, "ptr*", "")
    Local $hToken = $call[3]
    $call = DllCall("advapi32.dll", "int", "LookupPrivilegeValue", "str", Chr(0), "str", "SeDebugPrivilege", "int64*", "")
    ;msgbox(0,"",$call[3] & " " & _WinAPI_GetLastErrorMessage())
    Local $iLuid = $call[3]
    Local $TP = DllStructCreate($tagTOKENPRIVILEGES)
    Local $LUID = DllStructCreate($tagLUIDANDATTRIB, DllStructGetPtr($TP, "LUIDandATTRIB"))
    DllStructSetData($TP, "PrivilegeCount", $count)
    DllStructSetData($LUID, "Luid", $iLuid)
    DllStructSetData($LUID, "Attributes", $SE_PRIVILEGE_ENABLED)
    $call = DllCall("advapi32.dll", "int", "AdjustTokenPrivileges", "ptr", $hToken, "int", 0, "ptr", DllStructGetPtr($TP), "dword", 0, "ptr", Chr(0), "ptr", Chr(0))
    Return ($call[0] <> 0) ; $call[0] <> 0 is success
EndFunc   ;==>_GetPrivilege_SEDEBUG

/Manko


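The same enumeration, as an added example that is not part of ProDLLer or of the AutoIt code posted above, written in PowerShell from a defender's point of view: it walks every process the session can open, lists each loaded module, and flags modules that sit outside the Windows or Program Files directories or that do not carry a valid Authenticode signature. It goes beyond the AutoIt snippet in that it also checks signatures; the list of "trusted roots" is an assumption made for this example, not a rule.

```powershell
# Added example (not ProDLLer's code): list loaded modules per process and flag
# the ones worth a second look. Run from an elevated PowerShell (64-bit on
# 64-bit Windows, so 64-bit processes can be inspected).
# The trusted roots below are an assumption for this example.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-InTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    try {
        # Reading .Modules opens the process; it throws for protected processes,
        # PID 0/4 and (from 32-bit PowerShell) 64-bit processes. Report instead of skipping silently.
        $modules = $proc.Modules
    } catch {
        [pscustomobject]@{
            PID = $proc.Id; Process = $proc.ProcessName
            Module = '<not accessible>'; Reason = $_.Exception.Message
        }
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $reasons = @()
        if (-not (Test-InTrustedRoot $path)) { $reasons += 'outside Windows/Program Files' }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { $sig.Status } else { 'Unknown' }
        if ($status -ne 'Valid') { $reasons += "signature $status" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID = $proc.Id; Process = $proc.ProcessName
                Module = $path; Reason = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

A flagged module is a starting point for verification (hash lookup, vendor check, file timestamps), not proof of injection: plenty of legitimate software ships unsigned DLLs or installs under the user profile. On Windows versions before Windows 10 / PowerShell 5.1, Get-AuthenticodeSignature does not consult the catalog, so catalog-signed OS files report NotSigned there; the path check is what keeps the output readable on those systems.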


Thanks a lot, man.

What I'm going to do with it is a "DLL scanner that would point out spy or trojan threads injected into Windows services".

thanks


Great program, Manko :)

I used some functions from it in my Task Manager.


1 £0\\/3 |-|3® $0 |\\/|µ(|-|

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • BisherSH
      By BisherSH
      Good day ,
      I have the code below , and i would like to embed SQLite3.dll to the compiled file 
      Is it possible ? 
      Thanks in advance
      #include <SQLite.au3> #include <SQLite.dll.au3> _SQLite_Startup() If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "SQLite3.dll Can't be Loaded!")     Exit -1 EndIf $DB = _SQLite_Open("C:\Temp\Test.db") $Action = "TestAction" $Time = @HOUR&":"&@MIN&":"&@SEC $Date = @YEAR&"-"&@MON&"-"&@MDAY $User = @UserName $Computer = @ComputerName $DC = @LogonServer If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "Couldnt open Database")     Exit -1 EndIf _SQLite_Exec($DB,"INSERT INTO QLogs (Action,Date,Time,User,Computer,DC) " & _                               "VALUES ("& _SQLite_FastEscape($Action) & "," & _                                           _SQLite_FastEscape($Date) & "," & _                                           _SQLite_FastEscape($Time) & "," & _                                           _SQLite_FastEscape($User) & "," & _                                           _SQLite_FastEscape($Computer) & "," & _                                           _SQLite_FastEscape($DC) & ");") If @error Then     MsgBox($MB_SYSTEMMODAL, "SQLite Error", "Couldnt insert!")     Exit -1 EndIf _SQLite_Shutdown()
    • ur
      By ur
      I have created below code to run the python file.
      #RequireAdmin #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Icon=icon.ico #AutoIt3Wrapper_Outfile=RunTaskRun.Exe #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #cs ---------------------------------------------------------------------------- AutoIt Version: 3.3.14.0 Author: Uday Kiran Reddy(ur) Script Function: To log python data to a file. #ce ---------------------------------------------------------------------------- #include <MsgBoxConstants.au3> #include "C:\Automation\ISMBuild\Library.au3" #include "ProcessEx_AddedNewEntryForLogging.au3" #include "CheckChangeinCommit.au3" If not NoChangesRequired() Then SendMail("Changes are in commit of erwin-main Repo","Will intimate once binaries are copied to Installshield machine") $hProcessHandle = _Process_RunCommand($PROCESS_RUN, $PROCESS_COMMAND & "C:\Python27\python.exe C:\BuildServer\AutoBuildServer\TaskRun.py") ; Capture the Process Handle $iPID = @extended ; Note the PID $returncode = _Process_DebugLogRunCommand($hProcessHandle, $iPID) ; Display the results in real-time Logging("Completed with ReturnCode "&$returncode) Else SendMail("No Changes are not there in commit of erwin-main Repo","So no Binaries for today.If it is needed, please remove the text file from location: "& @TempDir&"\git_erwin_commit.txt") EndIf When I kill the autoit execution exe in the middle of execution, it is not terminating the python.exe launched from script.
      Can you suggest how to do this?
    • likehu
      By likehu
      Hello,
      I have compiled a reference DLL in VS 2015 Community and this  DLL works fine with project for which it is used. There is an interface from which u can access functions in DLL.
      Developers stated that this DLL is almost universal and can be used with any language with minor changes.
      I am trying to access its function from Autoit script and got an error 3, after calling DLLCall - "function" not found in the DLL file.
      Please have a quick look, I feel I miss something in C++ library with exporting functions and I do not know what to add as I am new to C++.
      Thank you.
      Source files and script also attached.
       
      Here is my script.
      Local $dll = DllOpen("C:\Users\Home\Desktop\dll\user.dll") ConsoleWrite("$dll handle = " & $dll & @CRLF) ;$dll handle = 1 Local $result = DllCall($dll, "double:cdecl", "ProcessQuery", "str", "dll$mynumber") If @error > 0 Then ConsoleWrite("Error: " & @error & @CRLF) ;Error = 3 If IsArray($result) Then ConsoleWrite("Array returned!" & @CRLF & "dll$mynumber: " & result[1]) Else ConsoleWrite("$result is not array. : " & $result & @CRLF) ;$result = 0 EndIf DllClose($dll) And here is dll source. As I understand, function "ProcessQuery" exported with help of DLL_IMPLEMENTS
      user.h
      //****************************************************************************** // // This file is part of the OpenHoldem project // Download page: http://code.google.com/p/openholdembot/ // Forums: http://www.maxinmontreal.com/forums/index.php // Licensed under GPL v3: http://www.gnu.org/licenses/gpl.html // //****************************************************************************** // // Purpose: Very simple user-DLL as a starting-point // // DO NOT CHANGE ANYTHING IN THIS FILE! // // This Header defines an interface // Functions and data-types must exactly match. // //****************************************************************************** #ifndef _INC_USER_H #define _INC_USER_H // Import and export directives // for use by this DLL and by OpenHoldem #ifdef USER_DLL #define DLL_IMPLEMENTS extern "C" __declspec(dllexport) #define EXE_IMPLEMENTS extern "C" __declspec(dllimport) #else #define DLL_IMPLEMENTS extern "C" __declspec(dllimport) #define EXE_IMPLEMENTS extern "C" __declspec(dllexport) #endif // Number of saved table-states // This number must not be changed, as we do a "& 0xFF" // at various places to normalize the index. const int kNumberOfHoldemStatesForDLL = 256; // SHoldemePlayer // used for sequence of 256 consequive table-states // !!!! 
Needs 2 more cards for Omaha, if not entirely removed struct holdem_player { char m_name[16] ; //player name if known double m_balance ; //player balance double m_currentbet ; //player current bet unsigned char m_cards[2] ; //player cards unsigned char m_name_known : 1 ; //0=no 1=yes unsigned char m_balance_known : 1 ; //0=no 1=yes unsigned char m_fillerbits : 6 ; //filler bits unsigned char m_fillerbyte ; //filler bytes }; struct holdem_state { char m_title[64] ; //table title double m_pot[10] ; //total in each pot unsigned char m_cards[5] ; //common cards unsigned char m_is_playing : 1 ; //0=sitting-out, 1=sitting-in unsigned char m_is_posting : 1 ; //0=autopost-off, 1=autopost-on unsigned char m_fillerbits : 6 ; //filler bits unsigned char m_fillerbyte ; //filler byte unsigned char m_dealer_chair ; //0-9 holdem_player m_player[10] ; //player records }; // Functions implemented and exported by the DLL, // imported by OpenHoldem DLL_IMPLEMENTS double __stdcall ProcessQuery(const char* pquery); DLL_IMPLEMENTS void __stdcall DLLOnLoad(); DLL_IMPLEMENTS void __stdcall DLLOnUnLoad(); // Functions implemented and exported by OpenHoldem, // imported by the DLL EXE_IMPLEMENTS double __stdcall GetSymbol(const char* name_of_single_symbol__not_expression); EXE_IMPLEMENTS void* __stdcall GetPrw1326(); EXE_IMPLEMENTS char* __stdcall GetHandnumber(); EXE_IMPLEMENTS void __stdcall ParseHandList(const char* name_of_list, const char* list_body); EXE_IMPLEMENTS char* __stdcall ScrapeTableMapRegion(char* p_region, int& p_returned_lengh); EXE_IMPLEMENTS void __stdcall SendChatMessage(const char *message); EXE_IMPLEMENTS void __stdcall WriteLog(char* format, ...); // Variables exported by OpenHoldem // avoiding the message-mess of WinHoldem, // no longer sending any state-messages // http://www.maxinmontreal.com/forums/viewtopic.php?f=174&t=18642 EXE_IMPLEMENTS extern holdem_state state[kNumberOfHoldemStatesForDLL]; EXE_IMPLEMENTS extern int state_index; #endif // _INC_USER_H  
user.cpp

Here is the dll$mynumber parameter.
//******************************************************************************
//
// This file is part of the OpenHoldem project
//   Download page:         http://code.google.com/p/openholdembot/
//   Forums:                http://www.maxinmontreal.com/forums/index.php
//   Licensed under GPL v3: http://www.gnu.org/licenses/gpl.html
//
//******************************************************************************
//
// Purpose: Very simple user-DLL as a starting-point
//
// Required OpenHoldem version: 7.7.6
//
//******************************************************************************

// Needs to be defined here, before #include "user.h"
// to generate proper export- and import-definitions
#define USER_DLL

// #define OPT_DEMO_OUTPUT if you are a beginner
// who wants to see some message-boxes with output of game-states, etc.
// It is disabled upon request,
//   * as it is not really needed
//   * as some DLL-users don't have MFC (atlstr.h) installed
// http://www.maxinmontreal.com/forums/viewtopic.php?f=156&t=16232
#undef OPT_DEMO_OUTPUT

#include "user.h"
#include <conio.h>
#include <string.h>   // strncmp() used in ProcessQuery()
#include <windows.h>
#ifdef OPT_DEMO_OUTPUT
#include <atlstr.h>
#endif // OPT_DEMO_OUTPUT

// Supporting macros
#define HIGH_NIBBLE(c) (((c)>>4)&0x0F)
#define LOW_NIBBLE(c)  ((c)&0x0F)

// Card macros
#define RANK(c)       ( ISKNOWN(c) ? HIGH_NIBBLE(c) : 0 )
#define SUIT(c)       ( ISKNOWN(c) ? LOW_NIBBLE(c) : 0 )
#define ISCARDBACK(c) ((c) == CARD_BACK)
#define ISUNKNOWN(c)  ((c) == CARD_UNDEFINED)
#define ISNOCARD(c)   ((c) == CARD_NOCARD)
#define ISKNOWN(c)    (!ISCARDBACK(c) && !ISUNKNOWN(c) && !ISNOCARD(c))

// ProcessQuery()
// Handling the lookup of dll$symbols
DLL_IMPLEMENTS double __stdcall ProcessQuery(const char* pquery)
{
    if (pquery==NULL)
        return 0;

    // 13 = strlen("dll$mynumber") + terminating NUL, so this is an exact match
    if (strncmp(pquery,"dll$mynumber",13)==0)
    {
        return 12345.67;
    }
    return 0;
}

// OnLoad and OnUnload()
// called once and at the beginning of a session
// when the DLL gets loaded / unloaded
// Do initialization / finalization here.
DLL_IMPLEMENTS void __stdcall DLLOnLoad()
{
#ifdef OPT_DEMO_OUTPUT
    MessageBox(NULL, "event-load", "MESSAGE", MB_OK);
#endif // OPT_DEMO_OUTPUT
}

DLL_IMPLEMENTS void __stdcall DLLOnUnLoad()
{
#ifdef OPT_DEMO_OUTPUT
    MessageBox(NULL, "event-unload", "MESSAGE", MB_OK);
#endif // OPT_DEMO_OUTPUT
}

// DLL entry point
// Technically required, but don't do anything here.
// Initializations belong into the OnLoad() function,
// where they get executed at run-time.
// Doing things here at load-time is a bad idea,
// as some functionality might not be properly initialized
// (including error-handling).
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
#ifdef OPT_DEMO_OUTPUT
            AllocConsole();
#endif // OPT_DEMO_OUTPUT
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
        case DLL_PROCESS_DETACH:
#ifdef OPT_DEMO_OUTPUT
            FreeConsole();
#endif // OPT_DEMO_OUTPUT
            break;
    }
    return TRUE;
}
      Source.zip
      DllAccess.au3
    • FrancescoDiMuro
      By FrancescoDiMuro
      Hi guys! How are you? Hope you're fine
I was thinking about .dll files, and I always wanted to know what they are and how to use them in AutoIt.
      If someone would like to explain it to me, even with a practice example, I'd be very very happy! Thanks  
    • ogloed
      By ogloed
      Again, I'm struggling with DllCall(). So I have this MS C++ 6.0 compiled DLL and a manual for it. There's a function:
       
Get information of disk arrays
Declaration: VINT vr_get_array_info (VINT array_index, vr_array_info_t* pinfo);
Description: Application can fetch the information of one specific disk array, which is located by index of all disk arrays in current system.
Input parameters:
VINT array_index : Index to all disk arrays in system, specify which disk array.
vr_array_info_t *pinfo : Pointer to a vr_array_info_t data structure to get the information
Return value:
VR_SUCCESS : Get the information successfully.
VR_ERR_NOT_INITED : Raid lib hasn't been initialized.
VR_ERR_INVALID_INDEX : The input index is invalid.
VR_ERR_INVALID_PARAM : Input parameter is invalid: the pointer is NULL.
Here's what DLL Export Viewer says:
       
      Function Name     : int __cdecl vr_get_array_info(int,struct _vr_array_info *)
      Here's what is this _vr_array_info:
       
typedef struct _vr_array_info {
    VWORD  status;            // current status of disk array
    VBYTE  raidType;          // same as Disk_Array.raidType, but value 0xFF means
                              // a stand-alone disk. When it's a stand-alone disk,
                              // only arDevices[0] and diskNum has meaning, and diskNum should
                              // always be 1 .
    VBYTE  diskNum;           // count of valid arDevices[] members.
                              // Note: disk array maybe incomplete, i.e. , some disk in the array maybe missing,
                              // corresponding device ptr arDevices[i]->pRealDevice should be NULL.
    VDWORD capacityLow;       // (Unit: sector)
    VDWORD capacityHigh;      // (Unit: sector)
    // following 8 bytes define the real-capacity (in sector) of every disk in array
    VDWORD realCapacityLow;   // (Unit: sector)
    VDWORD realCapacityHigh;  // (Unit: sector)
    VDWORD stripeSize;        // valid when raid is raid0, raid5 or raid01, in Kbytes
    VDWORD blockSize;         // valid when raid is RAID5, in Kbytes
    VBOOL  bNeedMigration;    // the raid need migration
                              // only valid when raid0/raid5/matrixRaid
    VBOOL  bNeedInit;         // the raid need initialization, only valid for RAID5
    VBOOL  bOptimized;        // only for RAID5, this RAID5 access was optimized
    VBYTE  systemDisk;        /* does the devices within this disk array contain
                                 system files of current running OS ? the probably value are:
                                 VR_DEVICE_NOT_SYS_DISK
                                 VR_DEVICE_MAYBE_SYS_DISK
                                 VR_DEVICE_SYS_DISK
                                 they are defined in this file */
    VWORD  raid_index;        // only raid index, no meaning with stand-alone disk
    VINT   index;             // all device index, including all raid and stand-alone disk
} vr_array_info_t;

      Here's my code (function names are actually decorated, so):
       
Local $pTest, $hDLL, $sTest, $iControllerNumber, $iDeviceNumber, $iArrayNumber, $vr_array_info

$hDLL = DllOpen(@ScriptDir & "\drvInterface.dll")

;~ VINT vr_init (void);
ConsoleWrite("vr_init..." & @CRLF)
$sTest = DllCall($hDLL, "int:cdecl", "?vr_init@@YAHXZ")

;~ VINT vr_get_controller_num (VINT *pnumber);
; "int*" parameters get the value the DLL writes back; pass the variable itself, not its name in quotes
ConsoleWrite("vr_get_controller_num..." & @CRLF)
$sTest = DllCall($hDLL, "int:cdecl", "?vr_get_controller_num@@YAHPAH@Z", "int*", $pTest)
$iControllerNumber = $sTest[1]
ConsoleWrite("$iControllerNumber = " & $iControllerNumber & @CRLF)

;~ VINT vr_get_device_num (VINT *pnumber);
ConsoleWrite("vr_get_device_num..." & @CRLF)
$sTest = DllCall($hDLL, "int:cdecl", "?vr_get_device_num@@YAHPAH@Z", "int*", $pTest)
$iDeviceNumber = $sTest[1]
ConsoleWrite("$iDeviceNumber = " & $iDeviceNumber & @CRLF)

;~ VINT vr_get_array_num (VINT only_raid, VINT *pnumber);
ConsoleWrite("vr_get_array_num..." & @CRLF)
$sTest = DllCall($hDLL, "int:cdecl", "?vr_get_array_num@@YAHHPAH@Z", "int", 0, "int*", $pTest)
$iArrayNumber = $sTest[2]
ConsoleWrite("$iArrayNumber = " & $iArrayNumber & @CRLF)

; The struct must match _vr_array_info field for field (see the header above):
; realCapacityLow/High were missing and raid_index is a VWORD (ushort), not a byte.
; The width of VBOOL is not given in the excerpt; "boolean" (1 byte) is kept here and must be
; checked against the real typedef, as must the other V* types, before the call is trusted.
$vr_array_info = DllStructCreate("ushort status;byte raidType;byte diskNum;" & _
        "dword capacityLow;dword capacityHigh;dword realCapacityLow;dword realCapacityHigh;" & _
        "dword stripeSize;dword blockSize;boolean bNeedMigration;boolean bNeedInit;boolean bOptimized;" & _
        "byte systemDisk;ushort raid_index;int index")

;~ VINT vr_get_array_info (VINT array_index, vr_array_info_t* pinfo);
; array_index 0 is only valid when $iArrayNumber is at least 1
ConsoleWrite("vr_get_array_info..." & @CRLF)
$sTest = DllCall($hDLL, "int:cdecl", "?vr_get_array_info@@YAHHPAU_vr_array_info@@@Z", "int", 0, "struct*", $vr_array_info)

;~ void vr_exit (void);
ConsoleWrite("vr_exit..." & @CRLF)
$sTest = DllCall($hDLL, "none:cdecl", "?vr_exit@@YAXXZ")

DllClose($hDLL)
Exit

Everything works fine up to the vr_get_array_info part. This is where I get a "memory cannot be 'read'" Windows error ("Instruction at 0x7c93a514 referenced memory at 0x00000000").

      What am I doing wrong? Please help.
      drvInterface.dll
      ProgGuide.pdf
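The buffer handed to the DLL through pinfo has to match the native layout byte for byte, or the callee writes past what AutoIt allocated. As an added check that is not part of the post above, this C program mirrors the quoted _vr_array_info with assumed type widths (VWORD 16-bit, VBYTE 8-bit, VDWORD/VINT 32-bit; VBOOL as a 32-bit int is an assumption) and sizes a DllStructCreate string the way AutoIt lays it out; POSTED_DEF, FIXED_DEF, type_size and autoit_struct_size are names introduced here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Assumed widths (manual excerpt gives none): VWORD 16, VBYTE 8, VDWORD/VINT 32 bits; VBOOL=int is an assumption */
typedef unsigned short VWORD; typedef unsigned char VBYTE;
typedef unsigned int VDWORD;  typedef int VBOOL;  typedef int VINT;
/* Mirror of _vr_array_info from the header quoted above, same field order. */
typedef struct _vr_array_info {
    VWORD  status; VBYTE raidType; VBYTE diskNum;
    VDWORD capacityLow, capacityHigh, realCapacityLow, realCapacityHigh, stripeSize, blockSize;
    VBOOL  bNeedMigration, bNeedInit, bOptimized;
    VBYTE  systemDisk; VWORD raid_index; VINT index;
} vr_array_info_t;
size_t vr_array_info_native_size(void) { return sizeof(vr_array_info_t); } /* bytes the DLL writes via pinfo */
/* Constructed copies: the DllStructCreate string from the post, and one that
   follows the header's field list with the assumed VBOOL/VWORD widths. */
const char *const POSTED_DEF = "ushort status;byte raidType;byte diskNum;dword capacityLow;"
    "dword capacityHigh;dword stripeSize;dword blockSize;boolean bNeedMigration;"
    "boolean bNeedInit;boolean bOptimized;byte systemDisk;byte raid_index;int index";
const char *const FIXED_DEF = "ushort status;byte raidType;byte diskNum;dword capacityLow;"
    "dword capacityHigh;dword realCapacityLow;dword realCapacityHigh;dword stripeSize;"
    "dword blockSize;int bNeedMigration;int bNeedInit;int bOptimized;byte systemDisk;ushort raid_index;int index";
static size_t type_size(const char *t, size_t n) {     /* AutoIt type names used here */
    if (n == 6 && !strncmp(t, "ushort", 6))  return 2;
    if (n == 4 && !strncmp(t, "byte", 4))    return 1;
    if (n == 7 && !strncmp(t, "boolean", 7)) return 1;
    if (n == 5 && !strncmp(t, "dword", 5))   return 4;
    if (n == 3 && !strncmp(t, "int", 3))     return 4;
    return 0;                                           /* unknown type name */
}
/* Size of an AutoIt "type name;type name;..." struct, each element on its natural alignment (no "align" keyword); 0 on bad input */
size_t autoit_struct_size(const char *def) {
    size_t off = 0, maxalign = 1;
    while (*def) {
        while (*def == ' ') def++;
        const char *t = def;
        while (*def && *def != ' ' && *def != ';') def++;
        size_t sz = type_size(t, (size_t)(def - t));
        if (sz == 0) return 0;
        off = (off + sz - 1) / sz * sz + sz;            /* pad to alignment, place */
        if (sz > maxalign) maxalign = sz;
        while (*def && *def != ';') def++;              /* skip the element name */
        if (*def == ';') def++;
    }
    return (off + maxalign - 1) / maxalign * maxalign;   /* tail padding */
}
int main(void) {                                       /* stand-alone: print all three */
    printf("native %zu, posted %zu, fixed %zu\n", vr_array_info_native_size(),
           autoit_struct_size(POSTED_DEF), autoit_struct_size(FIXED_DEF));
    return 0;
}
```

Under those assumptions the native struct is 48 bytes while the posted definition allocates 32, so vr_get_array_info may write up to 16 bytes past the AutoIt buffer; the corrected string (realCapacityLow/High added, raid_index as ushort) sizes to the same 48.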