Manko

ProDLLer: Unknown code running? Befriend or Kill!


Very good :party: this is extremely useful :party: I like it ^^ no doubt, 5 stars.

Thanks! :P

Okay, I tracked down the issue. It has to do with this function call:

$mlret = DllCall($hDll, "str*", "GetModuleNameFromAddress", "int", $threads[$i][1], "int", $threads[$i][4])

Yup. That code runs RtlQueryProcessDebugInformation, which apparently was used in Process Explorer and ran into the same troubles with cygwin... I'll try and move back to toolhelp-functions. They are slower, but as a bonus they seem to get modules of "protected" processes...

The strange part is that the toolhelp-function uses RtlQueryProcessDebugInformation... (They do other interesting stuff in there that I have not had the time or will to analyse...)

I am looking into maybe doing RtlQueryProcessDebugInformation in a separate thread and looking for lockups...

Does your program inject that DLL in some process?

No. It doesn't, though there is at least one Microsoft API I use that injects Microsoft code in other procs to get info: RtlQueryProcessDebugInformation.

Sorry, not fixed but different. :mellow:

If I can help in anyway let me know.

Run this code and try to start ProDLLer.

If it doesn't work, run it again and restart Windows before trying again...

RegDelete("HKLM\SYSTEM\CurrentControlSet\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet001\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet002\Services\Skeleton")
RegDelete("HKLM\SYSTEM\ControlSet003\Services\Skeleton")

/Manko

Edited by Manko

Yes i rush things! (I sorta do small bursts inbetween doing nothing.) Things I have rushed and reRushed:* ProDLLer - Process manager - Unload viri modules (dll) and moore...* _WinAPI_ProcessListOWNER_WTS() - Get Processes owner list...* _WinAPI_GetCommandLineFromPID() - Get commandline of target process...* _WinAPI_ThreadsnProcesses() Much info if expanded - optional Indented "Parent/Child"-style Processlist. Moore to come... eventually...



Ahh, another 'undocumented' function I hadn't really noticed before. I see it's in one of the books I use for reference (Windows NT/2000 Native API Reference), but I guess I skipped over it. I wonder now that you mention the part about Protected processes... are there certain DLLs that are allowed access to Protected processes, or is there really some hidden trick to bypass the protection mechanism? It sure would be nice to get a hold of the 'bypass code' if it's out there, so one could access most all information we would want. I remember reading that even WMI can't get some/all info about Protected processes. But ahh, a subject of discussion for another thread I suppose. At least we know the problem can be solved. :mellow:



New version.

; 0.496
; Fixed: Sometimes old procs, next to new ones, would get marked as new.
; Fixed: RtlQueryProcessDebugInformation, (part of threads enumeration) is prone to lockups. Now runs in separate thread. (Reported by Ascend4nt)
; Change: Display GUI earlier. (Though it gives an impression of a slower start, on a slow system, we will at least know it's started...)
; Fixed: Further error checking at driver load. Can't start driver from mapped drive. => Copy to local dir and start... (Reported by storme.)

@Ascend4NT: The protected procs/services à la Vista/Win7 is easy to disable, just a bit setting in the _EPROCESS structure in kernel. Others: like anti-virus and also malicious code with self-protection, often rely on hooking APIs we would like to use to get AT them... There are just too many ways...

/Manko



Hi Manko,

Though I have joined this forum very recently, I have been working with AutoIt for quite some time now. (That explains my newbie status.)

For the past few months I have been working on a security app for pendrives, for which I was looking for a method which is available in the script which you have written. (No new procs, and procs only from ProDLLer.) DllCalls go over my head, as of this moment.

I want to integrate this specific feature in my project, but I am unable to understand how this is being done within the script.

Could you shed some light onto this?

Regards

Slashh.


Hi!

It's good you found a way.

The source-code for the driver is messy (like most of my code...) and uncommented.

If there's some part of it you'd like clarified, I could do that before putting it here...

Also, I have to warn you about using my driver in ways I had not intended, it is only bugfixed for my needs and it is always early beta...

Also the piece of code you're after is not tested on all configurations (certainly not working on x64....).

btw, feel free to inspire me on new things to do with prodller... (except dump it in the bin...)

/Manko




Hi Manko,

I have used this code and skeleton.sys for the following:

App1 - initiates skeleton.sys with @AutoitPID

App1 - executes App2.

App2 - acquires the handle of skeleton.sys and executes App4, App5 - these are decrypting modules and password generation modules.

App3 - Simply executes the code.

This ensures that at every moment no new process can be started except from within the designated applications.

Debuggers and other reverse engineering tools have been taken care of.

---------

The second application is for virus removal, modifying it to suit the algorithm. The algorithm is as follows: it does an analysis of the threads and the processes, gets their path and checks the RC section of the file, awards points based on the information stored in the file, and the ones with the least points are tagged as suspicious. 1% false positives. DLLs and their dates, blah blah (for any injection attempt).

This is an idea - trying to complete it. I hope this entices you to go ahead and build AI into prodller.

Regards

Slashh


A few additions:

1: IE causes a problem when started from within the process but Firefox just works great.

Well well well.... what do we have here --- Auto-downloaded malware is unable to execute a process, but embedded video and mp3 files just work fine.

2: None of the Antivirus Applications seem to have an answer for that, as they themselves are unable to start their scanning process ... that's bad news or just bad coding from AV guys...

3: GMER works great .... now it is able to terminate the processes without the worry of restart, nor does GMER hang.

4: GMER doesn't detect Spy apps but ProDLLer is 1+ point up ... can detect kernel spy processes ....

Rgds

Slashh

PS: A little bit of tweaking makes it work on W2k3.

Edited by slashh


Refuses to work for me. I have tried the exe version and the script;

both start up, then I get the message "no ntoskrnl.exe or similar???"

I click OK and then the GUI disappears.

Oops, should have said, I use XP (SP2).

Yes, sadly I never tried it on XP (SP2). Didn't know people still used it. Is there something in SP3 you don't wanna have onboard?

/Manko



Something in SP3 I don't want? Nothing in particular, I just don't see any need for it as my PC is running well, and SP3 may just take up extra space (quite a bit) and may slow the system down. Don't know really, but if it ain't broke... Anyway, I didn't know it wouldn't work with SP2 or I wouldn't have tried it!!

never mind.


I did not know that myself.

/Manko



Interesting observations. If I get time, I would like to make the blocking mechanism interactive. It would not be ALL that much work...

I should look at that IE problem...

I have to ask, I have not put in special scanning of hidden processes, when you say "can detect kernel spy processes" what is it detecting?

/Manko



With IE the issue is that IE8 starts multiple processes.

In ProDLLer, you have Kernel Spy Process, i.e. those processes which are in listen-only mode. All other apps which I have been using for weeding out rootkits don't have this feature.

PS: XP SP2 or XP SP3 works fine ... W2k3 OK.... been testing all the time on W2k3


After using the application for a while, I've gotta say this is the perfect tool for quickly disabling rogue applications that fail to comply with Task Manager.

It's especially useful when you have friends that only know how to watch porn and download supposed video codecs and fake antivirus software.

This is purely outstanding work Manko and a great contribution to the AutoIt community!


Thanks mate!

I put it to good use too, now and then... :unsure:

/Manko



ProDLLer is back to alpha...

I need YOU to beta-test!

After more than a year of inactivity I made too many changes... I fixed some bugs but added a lot!

But fear not! I put in crash-recovery code that will save you while operating in enemy territory.

If ProDLLer crashes, a new instance will always be waiting to take its place.

BEWARE! There will be bugs! :graduated:

Attachment in first post.

Most Recent changes...
 
; 0.499
; Added: If over 16 procs start from one second to the next, or if a total of 40 procs have started, "NoProcsAllowed" is activated.
; Added: Crash-recovery... Just start a new instance of ProDLLer... :)
; Change: No loading of moduleinfo at start.
; Added: Refresh moduleinfo when we need it. KINDA CLUNKY SINCE I ITERATE ALL OF THEM, RIGHT NOW....
; Added: On start of app. Disallow new procs. "NoProcsAllowed" is activated.
; Fixed: A number of bugs that crash Prodller if insane amounts of processes start and stop...
 
; 0.498
; Fixed: "KernelNot.". When disabling callbacks; adjacent CBs of same type would sometimes vanish. Famous anti-rootkit had same faulty behavior.
 
; 0.497
; Fixed: Lockup when suspending some procs during modules iteration. Context menu disabled during iteration.
; Fixed: Lockup after thread-view due to excessive killing of already terminated security-threads... Now checking IF it needs killing...
; Fixed: Lockup when trying to change state of services while it is already working with your earlier request. Disable display.

/Manko

Edited by Manko

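The "NoProcsAllowed" rule from the 0.499 changelog (gate on after more than 16 process starts within one second, or 40 starts in total) and Slashh's use of it (once the gate is on, only designated parent applications may spawn anything) can be modelled in user mode. The following is an added example, not ProDLLer's or skeleton.sys's own code; the real decision is made by the driver, and the PIDs, timestamps and image names below are constructed sample data.

```python
"""Added example: a user-mode model of ProDLLer's "NoProcsAllowed" gate
(not ProDLLer's or skeleton.sys's own code). Sample events are constructed."""
from collections import deque
from dataclasses import dataclass, field

BURST_LIMIT = 16        # more than this many starts in one second -> gate on
TOTAL_LIMIT = 40        # this many starts in total -> gate on
WINDOW_SECONDS = 1.0


@dataclass
class ProcessStart:
    t: float            # seconds since monitoring began (constructed)
    pid: int
    parent_pid: int
    image: str


@dataclass
class ProcGate:
    allowed_parents: set = field(default_factory=set)   # designated apps
    no_procs_allowed: bool = False
    total_started: int = 0
    recent: deque = field(default_factory=deque)        # starts in the window
    decisions: list = field(default_factory=list)       # (pid, image, verdict)

    def _update_burst_state(self, t: float) -> None:
        self.recent.append(t)
        while self.recent and t - self.recent[0] > WINDOW_SECONDS:
            self.recent.popleft()
        self.total_started += 1
        if len(self.recent) > BURST_LIMIT or self.total_started >= TOTAL_LIMIT:
            self.no_procs_allowed = True

    def on_create(self, ev: ProcessStart) -> str:
        """Return 'allow' or 'deny' for one process-creation event."""
        self._update_burst_state(ev.t)
        if self.no_procs_allowed and ev.parent_pid not in self.allowed_parents:
            verdict = "deny"
        else:
            verdict = "allow"
        self.decisions.append((ev.pid, ev.image, verdict))
        return verdict


def run_sample() -> ProcGate:
    """Constructed scenario: a calm start, a 20-process burst inside 0.4 s,
    then one child of a designated app and one child of an unknown parent."""
    gate = ProcGate(allowed_parents={1000, 1001})   # App1 and App2 (constructed)
    events = [ProcessStart(0.0, 1001, 1000, "app2.exe"),
              ProcessStart(2.0, 1002, 800, "firefox.exe")]
    events += [ProcessStart(5.0 + i * 0.02, 2000 + i, 900, "dropper.exe")
               for i in range(20)]
    events += [ProcessStart(7.0, 3000, 1001, "app4.exe"),
               ProcessStart(7.1, 3001, 4242, "unknown.exe")]
    for ev in events:
        gate.on_create(ev)
    return gate


if __name__ == "__main__":
    g = run_sample()
    for pid, image, verdict in g.decisions:
        print(f"{pid:5d} {image:<12} {verdict}")
```

In the sample the 17th burst start trips the gate, so the last four dropper starts and the child of the unknown parent are denied while app4.exe, spawned by a designated app, still runs.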

Yeah! I'll admit I was too hasty with v0.499... But I needed the pressure perhaps...

v0.500 feels pretty solid...

New version in first post.

New...

; 0.500
; Added: Startup-killing... to take a load off the GUI... it will ask...
; Fixed: Slowdown because I accidentally changed ProDLLer to iterate processes every second...
; Fixed: Process-CPU-utilization. Movement of abandoned children... I cheat. Just load up new list...
; Fixed: Got rid of the Adlib. There were too many possible problems...
; Fixed: CPU-load. Is again aligned...

+ A slew of fixes that I didn't record...

/Manko

