JRSmile

securely execute your applications

30 posts in this topic

#1 ·  Posted (edited)

Hi there, I found a nice way to securely execute an application with no interaction possibilities for other programs.

The attached UDF uses a DLL which is created at runtime and injected into msgina, a.k.a. winlogon.

The Ctrl-Alt-Del hotkey is disabled while your program runs; the program will be executed on an additional "desktop" which has no interaction possibilities with other apps.

After you exit the securely created application, the injection will be removed.

So just a simple line like >>> _secure_run("mspaint.exe") <<< is enough for you to know :-)

UPDATED code attached here:

Just tested on Win2k; please leave a comment if it works on your system.

EDIT: updated demo.zip to be compatible with Vista

Edited by JRSmile

$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])))''Chr("a")&"HI"Next;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
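Added as an editor's example, not code from the thread or from JRSmile's UDF: a defender-side check over constructed Sysmon-style records (field names and paths are assumptions) that flags the two things the post above describes, a DLL loaded into winlogon from outside the system directory and a thread created in winlogon by another process.

```python
# Editor's example, not from this thread. Records are constructed to mirror Sysmon
# Event ID 7 (image load) and Event ID 8 (CreateRemoteThread) fields; paths are assumptions.

SYSTEM_ROOT = r"C:\Windows"  # assumption: default Windows directory

EVENTS = [  # constructed sample telemetry
    {"id": 7, "Image": r"C:\Windows\System32\winlogon.exe",
     "ImageLoaded": r"C:\Windows\System32\msgina.dll"},           # normal GINA load
    {"id": 7, "Image": r"C:\Windows\System32\winlogon.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\run.dll"},  # DLL written at runtime
    {"id": 8, "SourceImage": r"C:\Users\bob\Desktop\demo.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},         # thread from another process
    {"id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},         # system-root source, not flagged
]


def in_system_root(path: str) -> bool:
    """True when the path lives under SYSTEM_ROOT (case-insensitive, like NTFS)."""
    return path.lower().startswith(SYSTEM_ROOT.lower() + "\\")


def is_winlogon(path: str) -> bool:
    return path.lower().endswith("\\winlogon.exe")


def flag_winlogon_tampering(events):
    """Return (rule, offending_path) pairs for every record matching one of two rules:
    an image loaded into winlogon from outside the system root, or a remote thread
    created in winlogon by a process outside the system root."""
    findings = []
    for ev in events:
        if (ev["id"] == 7 and is_winlogon(ev["Image"])
                and not in_system_root(ev["ImageLoaded"])):
            findings.append(("unexpected_image_in_winlogon", ev["ImageLoaded"]))
        elif (ev["id"] == 8 and is_winlogon(ev["TargetImage"])
                and not in_system_root(ev["SourceImage"])):
            findings.append(("remote_thread_into_winlogon", ev["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, path in flag_winlogon_tampering(EVENTS):
        print(f"{rule}: {path}")
```

The point made later in the thread, that loading the DLL from memory hid it from McAfee, applies to the first rule as well: a module mapped from memory rather than from a file produces no image-load record, so the remote-thread rule is the signal that survives.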




#2 ·  Posted (edited)

Gets shut down by McAfee on my sys. WinLock

edit: Interesting note, McAfee does not block it when running it using Ward's MemoryDll UDF.

However, once I block Ctrl+Alt+Del it can't unblock for some reason. The running process works perfectly, though.

Edited by spudw2k


#3 ·  Posted (edited)

Did you disable McAfee for the test? Do you use XP?

I tried using the MemoryDll but got AutoIt crashes every time during the load, so I thought it was because Windows could not inject a DLL into a process that only exists in memory. Would you be so kind as to tell me how you managed to load it via memory?

best regards,

J.

Never mind, got it to work ... was easier than I thought....

This will then hide the "bad" DLL from McAfee :)

UPDATED version in the first post :-)

Edited by JRSmile


#4 ·  Posted (edited)

Excellent. Works great.

edit: Interesting that this method "bypasses" McAfee's detection. Maybe it handles "Unwanted Programs" differently than viruses (only checks for files and doesn't check memory?).

Edited by spudw2k


I always was a bit frightened to use McAfee as anti-virus software; I heard bad rumours about it, and this situation is even proving my thoughts, so I keep on using Kaspersky and have to manage its huge CPU load, but with the good feeling of being safe :-)



Hello,

Under Vista, I can press Ctrl-Alt-Del and then call the task manager... is there a way to disable it under Vista?


> Hello,
>
> Under Vista, I can press Ctrl-Alt-Del and then call the task manager... is there a way to disable it under Vista?

Currently I only figured out a way to do it on 2000/XP, but I will have a look at it.



I could figure out a way to hide every entry on the Ctrl-Alt-Del screen of Vista so this can be used, but the program then needs to run with administrator credentials.

Will update the code this evening, I think.



#9 ·  Posted (edited)

> I could figure out a way to hide every entry on the Ctrl-Alt-Del screen of Vista so this can be used, but the program then needs to run with administrator credentials.
>
> Will update the code this evening, I think.

Thank you, here is a good link to elevate a program (also in batch)

http://4sysops.com/archives/vista%E2%80%99...strator-rights/

Anyway, to do a RunAs under Vista or XP I use this

If @OSVersion = "WIN_VISTA" Then
    ; the "runas" verb requests elevation through the UAC prompt
    ShellExecuteWait("filename", "parameters", "workingdir", "runas", showflag)
Else
    RunAsWait(...)
EndIf

EDIT: Your code is impressive anyway, as I'm looking for a way to run a program in a "kiosk" mode where the user can't do anything else than use the application...

Edited by Jango


#10 ·  Posted (edited)

@JRSmile

Nice job !!! :D

But if your script is used with a virus I think you're dead, or you have to shut down your computer with the button :o

Edit: I can't really use my app because the cursor is hidden; if it's normal I don't see what it is for, because the mouse works... :)

Cheers, FireFox.

Edited by FireFox

 

OS : Win XP SP2 (32 bits) / Win 7 SP1 (64 bits) / Win 8 (64 bits) | Autoit version: latest stable / beta.
Hardware : Intel(R) Core(TM) i5-2400 CPU @ 3.10Ghz / 8 GiB RAM DDR3.

My UDFs : Skype UDF | TrayIconEx UDF | GUI Panel UDF | Excel XML UDF | Is_Pressed_UDF

My Projects : YouTube Multi-downloader | FTP Easy-UP | Lock'n | WinKill | AVICapture | Skype TM | Tap Maker | ShellNew | Scriptner | Const Replacer | FT_Pocket | Chrome theme maker

My Examples : Capture toolIP Camera | Crosshair | Draw Captured Region | Picture Screensaver | Jscreenfix | Drivetemp | Picture viewer

My Snippets : Basic TCP | Systray_GetIconIndex | Intercept End task | Winpcap various | Advanced HotKeySet | Transparent Edit control

 


> Hello,
>
> Under Vista, I can press Ctrl-Alt-Del and then call the task manager... is there a way to disable it under Vista?

I will update the demo code in the first post; I disabled all menu items on the Ctrl-Alt-Del screen of Vista. So if you press the keys you will only get a screen with a cancel button and that's it :)

Unfortunately grabbing or disabling the shortcut is not possible at the moment as far as I know.

Until I get the correct rights back for utilman.exe I will have to test a way to disable it completely on the login screen.



@JRSmile

Can you answer my request please?

Cheers, FireFox.



very very nice.

I made something that does this: if your script isn't running in secure mode, it will start itself into secure mode.

#include "securun.au3"
#include <string.au3>
; key derived from the current time; the parent passes it to the child on the command line
$securunkey = _StringEncrypt(1,@YDAY + @MDAY + @HOUR + @MIN + @MON,"securun")
; not started with the key (and compiled), so relaunch ourselves through _secure_run
if $cmdlineraw <> $securunkey and @Compiled = 1 Then
;~  MsgBox(0,"",$cmdlineraw);debug
    _secure_run(@ScriptFullPath & ' ' & $securunkey)
    exit
EndIf
;code below this line
HotKeySet("{esc}","_e") ; Esc ends the secured run
sleep(60000)
exit
func _e()
    Exit
EndFunc


> very very nice.
>
> I made something that does this: if your script isn't running in secure mode, it will start itself into secure mode.
>
> #include "securun.au3"
> #include <string.au3>
> $securunkey = _StringEncrypt(1,@YDAY + @MDAY + @HOUR + @MIN + @MON,"securun")
> if $cmdlineraw <> $securunkey and @Compiled = 1 Then
> ;~  MsgBox(0,"",$cmdlineraw);debug
>     _secure_run(@ScriptFullPath & ' ' & $securunkey)
>     exit
> EndIf
> ;code below this line
> HotKeySet("{esc}","_e")
> sleep(60000)
> exit
> func _e()
>     Exit
> EndFunc

That is nice. I recompiled my code to be compatible with Vista; it does not block the Ctrl-Alt-Del problem, but it does disable and hide everything on the Ctrl-Alt-Del screen, so there will be no possibility to run anything else...

For me I have to say I'm currently fully drunk, so I can hardly read your answers, but I will have a look tomorrow noon when I'm awake :-)

In addition I'm not a native English speaker... (German), so currently I understood only half; please wait until tomorrow. :-)

I think about 3 hours of sleep, but I don't know how long it will really be, so please be patient...



In addition, do you know @firefox that your avatar is really annoying if you're drunk :)



> @JRSmile
>
> Nice job !!! :D
>
> But if your script is used with a virus I think you're dead, or you have to shut down your computer with the button :o
>
> Edit: I can't really use my app because the cursor is hidden; if it's normal I don't see what it is for, because the mouse works... :)
>
> Cheers, FireFox.

No, this is not normal; because I use Vista and 2k I can prove that a hidden cursor is not a normal behaviour :-(

I will investigate it, but currently I have no starting point.

A different desktop should provide the same cursor as the default one.

Maybe you use some kind of customisation software....

But for WindowBlinds I can prove that the cursor works perfectly.

In addition: if you could provide me with the rights of utilmgr.exe in the system32 directory I can update my script to be stealth by default; currently, after the execution of your custom software, the default rights are restored properly...



@JRSmile

Ha... yes I use CursorXP; if you want utilmgr I will give it to you :)

Cheers, FireFox.



Is there any program that this might be unable to open and/or handle appropriately? I'm adding it to a larger script and wanna be sure.


INI TreeViewA bus station is where a bus stops, a train station is where a train stops. Onmy desk I have a work station...


@strate: a program has nothing to do with the script; any program can call the script and the script can execute any application you want...

@firefox: sure, that would be nice :-)



> @strate: a program has nothing to do with the script; any program can call the script and the script can execute any application you want...
>
> @firefox: sure, that would be nice :-)

Thanks!

