dexto

MsgBox without breaking a program loop?


dexto

I'm currently distracting myself with a security project about starting applications.

I have a request for advice on a few problems.

One is the way I'm monitoring newly started applications: using the WMI list of processes. A better way would be with a DLL event trigger; does anyone know of such a thing?

The second one: once a new application is detected (one that is not in a list), it should be suspended until the user approves or denies the process. The problem here is that au3 will pause waiting for the response, while other programs can start unsupervised. Any creative way around this limitation?

Thx

For dessert, here is a function that returns a 2D array with [0] = PID and [1] = full path to the program. (It works.)

Func _GetEXEPath(); returns a 2D array: [n][0] = PID, [n][1] = full path of the process image
    Local $colItems, $objWMIService, $objItem
    Local $avArray[1][2]
    Local $i = 0
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If Not IsObj($objWMIService) Then
        SetError(1); Error connecting to WMI
        Return ""
    EndIf
    ; 0x30 = wbemFlagReturnImmediately | wbemFlagForwardOnly (semisynchronous, forward-only enumeration)
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)

    If IsObj($colItems) Then
        For $objItem In $colItems
            ; ExecutablePath is Null for System, Idle and for processes this account cannot open
            If IsObj($objItem) And String($objItem.ExecutablePath) <> "" Then
                ReDim $avArray[$i + 1][2]
                $avArray[$i][0] = $objItem.ProcessId
                $avArray[$i][1] = $objItem.ExecutablePath
                $i += 1
            EndIf
        Next
    Else
        SetError(1)
        Return ""
    EndIf

    If $i > 0 Then; UBound($avArray) was always 1 here, so an empty result used to return one blank row
        SetError(0)
        Return $avArray
    Else
        SetError(1)
        Return ""
    EndIf
EndFunc  ;==>_GetEXEPath

TurionAltec

Use a GUI instead of MsgBox.

dexto

Would it be possible to create multiple GUIs within one script?

Sorry, I don't have too much experience with GUIs.

Valuater

Maybe...

Run("notepad.exe")
WinWaitActive(""); "" matches any window, so this only waits until something has focus
Sleep(3000)

ProcessApproval("notepad.exe")


; Writes a small helper script and runs it in a second AutoIt process, so the
; MsgBox blocks the helper instead of this script's main loop.
Func ProcessApproval($Process)
    $Script = ""
    ; 262193 = $MB_TOPMOST + $MB_ICONWARNING + $MB_OKCANCEL; OK returns 1, Cancel returns 2
    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press  OK  to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF)' & @CRLF
    $Script &= 'If $ret = 1 Then' & @CRLF
    ; YOU NEED THIS INFO BELOW
    $Script &= '    ControlSend("Untitled","", "Edit1", "' & $Process & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose("' & $Process & '")' & @CRLF
    $Script &= 'EndIf' & @CRLF

    ; The helper is written to @ScriptDir, so that folder must not be writable by other users.
    Local $file_loc = @ScriptDir & "\Killer.au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    If @Compiled = 1 Then
        ; FileGetShortName() only accepts a path, not a whole command line, so run the command directly
        Run(@AutoItExe & ' /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        $file_au3 = FileGetShortName($file_loc)
        Run(@AutoItExe & " " & $file_au3, "", @SW_HIDE)
    EndIf

EndFunc   ;==>ProcessApproval

dexto

wow!

Thank you!

I'll be posting something when I'm even slightly satisfied with my code.

Valuater


Welcome, looking forward to it!!

dexto

I could not figure out how to implement ProcessApproval() properly so that Guard remembered the process (for really annoying programs).

Well, here it is:

(it will act only on new programs that start after ExeGuard does)

(it will remember the response until the next start of ExeGuard)

#include <Array.au3>

Global $programs[1]; keys (path:size:mtime) of programs that may run
Global $no[1]; keys of programs the user denied

;load current programs
Global $tmp = _GetEXEPath()
If Not IsArray($tmp) Then
    MsgBox(0, "", "Could not get the initial list of processes.")
    Exit
EndIf
ReDim $programs[UBound($tmp)]

For $a = 0 To UBound($tmp) - 1
    $programs[$a] = $tmp[$a][1] & ':' & FileGetSize($tmp[$a][1]) & ':' & FileGetTime($tmp[$a][1], 0, 1)
Next


While True
    $list = _GetEXEPath()
    If Not IsArray($list) Then
        MsgBox(0, "", "Could not get the list of processes.")
        Exit
    EndIf
    For $a = 0 To UBound($list) - 1
        $prg = $list[$a][1] & ':' & FileGetSize($list[$a][1]) & ':' & FileGetTime($list[$a][1], 0, 1)
        $tmp = _ArraySearch($programs, $prg)
        $tmpn = _ArraySearch($no, $prg)
        If $tmpn > -1 Then; denied earlier: freeze it and close it again
            _ProcessSuspend($list[$a][0])
            ProcessClose($list[$a][0])
        ElseIf $tmp == -1 Then; never seen: freeze it and ask (this MsgBox still blocks the loop)
            ConsoleWrite($list[$a][1] & @CR)
            _ProcessSuspend($list[$a][0])
            $iMsgBoxAnswer = MsgBox(36, "New Process", $list[$a][1] & @CR & "Yes" & @TAB & "- Let the process run as usual." & @CRLF & "No" & @TAB & "- Kill the process.")
            If $iMsgBoxAnswer = 7 Then; No
                ProcessClose($list[$a][0])
                ReDim $no[UBound($no) + 1]
                $no[UBound($no) - 1] = $prg
            Else; Yes: add to the allowed programs
                _ProcessResume($list[$a][0])
                ReDim $programs[UBound($programs) + 1]
                $programs[UBound($programs) - 1] = $prg
            EndIf
        EndIf
    Next
    Sleep(1); a program that starts and exits between two polls is never seen
WEnd


; Not called by the loop above (see the note at the top of the post): it writes a
; helper script that shows the prompt in a second AutoIt process, so this loop
; would keep running while the user decides.
Func ProcessApproval($PID, $Process)
    $Script = ""
    $Script &= "Func _ProcessResume($process)" & @CRLF
    $Script &= "$processid = ProcessExists($process)" & @CRLF
    $Script &= "If $processid Then" & @CRLF
    $Script &= "    $ai_Handle = DllCall('kernel32.dll', 'handle', 'OpenProcess', 'dword', 0x1f0fff, 'int', False, 'dword', $processid)" & @CRLF
    $Script &= "    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)" & @CRLF
    $Script &= "    $i_sucess = DllCall('ntdll.dll', 'int', 'NtResumeProcess', 'handle', $ai_Handle[0])" & @CRLF
    $Script &= "    DllCall('kernel32.dll', 'int', 'CloseHandle', 'handle', $ai_Handle[0])" & @CRLF
    $Script &= "    If IsArray($i_sucess) And $i_sucess[0] = 0 Then" & @CRLF
    $Script &= "        Return 1" & @CRLF
    $Script &= "    Else" & @CRLF
    $Script &= "        SetError(1)" & @CRLF
    $Script &= "        Return 0" & @CRLF
    $Script &= "    EndIf" & @CRLF
    $Script &= "Else" & @CRLF
    $Script &= "    SetError(2)" & @CRLF
    $Script &= "    Return 0" & @CRLF
    $Script &= "EndIf" & @CRLF
    $Script &= "EndFunc ;==>_ProcessResume" & @CRLF

    ; 262193 = $MB_TOPMOST + $MB_ICONWARNING + $MB_OKCANCEL; OK returns 1, Cancel returns 2
    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press  OK  to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF&"(this approval will stay in effect until the restart of ExeGuard)" & @CRLF)' & @CRLF
    $Script &= 'If $ret == 1 Then' & @CRLF
    $Script &= '_ProcessResume(' & $PID & ')' & @CRLF
;$Script &= '   ControlSend("Untitled","", "Edit1", "' & $PID & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose("' & $PID & '")' & @CRLF
    $Script &= 'EndIf' & @CRLF

    ; The helper is written to @ScriptDir, so that folder must not be writable by other users.
    Local $file_loc = @ScriptDir & "\Killer" & Random(1111111, 9999999, 1) & ".au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    If @Compiled = 1 Then
        ; FileGetShortName() only accepts a path, not a whole command line, so run the command directly
        Run(@AutoItExe & ' /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        $file_au3 = FileGetShortName($file_loc)
        Run(@AutoItExe & " " & $file_au3, "", @SW_HIDE)
    EndIf

EndFunc ;==>ProcessApproval

Func _GetEXEPath(); returns a 2D array: [n][0] = PID, [n][1] = full path of the process image
    Local $colItems, $objWMIService, $objItem
    Local $avArray[1][2]
    Local $i = 0
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If Not IsObj($objWMIService) Then
        SetError(1); Error connecting to WMI
        Return ""
    EndIf
    ; 0x30 = wbemFlagReturnImmediately | wbemFlagForwardOnly (semisynchronous, forward-only enumeration)
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)

    If IsObj($colItems) Then
        For $objItem In $colItems
            ; ExecutablePath is Null for System, Idle and for processes this account cannot open
            If IsObj($objItem) And String($objItem.ExecutablePath) <> "" Then
                ReDim $avArray[$i + 1][2]
                $avArray[$i][0] = $objItem.ProcessId
                $avArray[$i][1] = $objItem.ExecutablePath
                $i += 1
            EndIf
        Next
    Else
        SetError(1)
        Return ""
    EndIf

    If $i > 0 Then; UBound($avArray) was always 1 here, so an empty result used to return one blank row
        SetError(0)
        Return $avArray
    Else
        SetError(1)
        Return ""
    EndIf
EndFunc ;==>_GetEXEPath

Func _ProcessSuspend($process)
    $processid = ProcessExists($process)
    If $processid Then
        ; 0x1F0FFF = PROCESS_ALL_ACCESS; OpenProcess fails (handle 0) on protected or other users' processes
        $ai_Handle = DllCall("kernel32.dll", 'handle', 'OpenProcess', 'dword', 0x1f0fff, 'int', False, 'dword', $processid)
        If @error Or Not $ai_Handle[0] Then
            SetError(1)
            Return 0
        EndIf
        $i_sucess = DllCall("ntdll.dll", "int", "NtSuspendProcess", "handle", $ai_Handle[0])
        DllCall('kernel32.dll', 'int', 'CloseHandle', 'handle', $ai_Handle[0]); was passed the whole array, so the handle leaked
        If IsArray($i_sucess) And $i_sucess[0] = 0 Then; NTSTATUS 0 = STATUS_SUCCESS
            Return 1
        Else
            SetError(1)
            Return 0
        EndIf
    Else
        SetError(2)
        Return 0
    EndIf
EndFunc ;==>_ProcessSuspend

Func _ProcessResume($process)
    $processid = ProcessExists($process)
    If $processid Then
        $ai_Handle = DllCall("kernel32.dll", 'handle', 'OpenProcess', 'dword', 0x1f0fff, 'int', False, 'dword', $processid)
        If @error Or Not $ai_Handle[0] Then
            SetError(1)
            Return 0
        EndIf
        $i_sucess = DllCall("ntdll.dll", "int", "NtResumeProcess", "handle", $ai_Handle[0])
        DllCall('kernel32.dll', 'int', 'CloseHandle', 'handle', $ai_Handle[0])
        If IsArray($i_sucess) And $i_sucess[0] = 0 Then; NTSTATUS 0 = STATUS_SUCCESS
            Return 1
        Else
            SetError(1)
            Return 0
        EndIf
    Else
        SetError(2)
        Return 0
    EndIf
EndFunc ;==>_ProcessResume

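TurionAltec's "use a GUI" answer applied to the ExeGuard loop, as an added example that is not from the thread: each new process gets its own non-modal window, so the loop keeps polling while prompts are open. It assumes dexto's _ProcessSuspend() and _ProcessResume() from the post above are in the same script; $g_aPending, _AskApproval, _IsPending and _OnVerdict are names chosen here.

```autoit
#include <GUIConstantsEx.au3>
Opt("GUIOnEventMode", 1) ; button clicks call functions instead of queueing GUIGetMsg() events
; Rows: [window handle, PID, Allow button id]; PID 0 marks a settled row.
Global $g_aPending[0][3] ; a zero-row array needs AutoIt 3.3.10 or later

; Open a non-modal prompt for one process and return at once; the poll loop
; keeps running and the verdict arrives later through _OnVerdict().
Func _AskApproval($iPID, $sPath)
    Local $hGUI = GUICreate("New process " & $iPID, 480, 130)
    GUICtrlCreateLabel($sPath & @CRLF & "Allow it to continue, or Deny to close it.", 10, 10, 460, 50)
    Local $idAllow = GUICtrlCreateButton("Allow", 130, 80, 100, 30)
    GUICtrlSetOnEvent($idAllow, "_OnVerdict")
    GUICtrlSetOnEvent(GUICtrlCreateButton("Deny", 250, 80, 100, 30), "_OnVerdict")
    GUISetOnEvent($GUI_EVENT_CLOSE, "_OnVerdict", $hGUI) ; closing the window counts as Deny
    GUISetState(@SW_SHOW, $hGUI)
    Local $iRow = UBound($g_aPending)
    ReDim $g_aPending[$iRow + 1][3]
    $g_aPending[$iRow][0] = $hGUI
    $g_aPending[$iRow][1] = $iPID
    $g_aPending[$iRow][2] = $idAllow
EndFunc

; True while a prompt for this PID is open, so the poll loop does not ask twice.
Func _IsPending($iPID)
    For $i = 0 To UBound($g_aPending) - 1
        If $g_aPending[$i][1] = $iPID Then Return True
    Next
    Return False
EndFunc
; Fires on Allow, Deny or close; @GUI_WinHandle is the prompt, @GUI_CtrlId the control.
Func _OnVerdict()
    For $i = 0 To UBound($g_aPending) - 1
        If $g_aPending[$i][1] = 0 Or $g_aPending[$i][0] <> @GUI_WinHandle Then ContinueLoop
        If @GUI_CtrlId = $g_aPending[$i][2] Then
            _ProcessResume($g_aPending[$i][1]) ; Allow: dexto's NtResumeProcess wrapper
        Else
            ProcessClose($g_aPending[$i][1]) ; Deny button or window closed
        EndIf
        GUIDelete($g_aPending[$i][0])
        $g_aPending[$i][1] = 0 ; ExeGuard would also add the key to $programs or $no here
        ExitLoop
    Next
EndFunc
; Demo, same notepad test as Valuater's; the Sleep loop stands in for the poll loop.
Global $iDemoPID = Run(@SystemDir & "\notepad.exe")
_ProcessSuspend($iDemoPID) ; dexto's NtSuspendProcess wrapper
_AskApproval($iDemoPID, @SystemDir & "\notepad.exe")
While True
    Sleep(100) ; GUI events are dispatched while the script sleeps
WEnd
```

In the poll loop, replace the MsgBox with `If Not _IsPending($pid) Then _AskApproval($pid, $path)` and move the $programs / $no bookkeeping into _OnVerdict; a closed prompt is treated as Deny so a suspended process is never left hanging.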
Valuater

Maybe Use OnAutoitExit()

and _FileWriteFromArray( $File_Location, $Programs)

... and OnAutoitStartUp()

_FileReadToArray( $File_Location, $Old_Programs)

Just some ideas

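Valuater's persistence idea carried through, as an added example that is not from the thread (the file name ExeGuard.lst and all function names are assumptions): the verdict key is the SHA-256 of the executable rather than path:size:mtime, which a renamed or timestamp-copied file can reproduce, and every verdict is appended to the file the moment it is made.

```autoit
#include <Crypt.au3>

; Where the verdicts live (assumed name). Keep it writable only by the guarded
; user: whoever can edit this file can allow anything.
Global Const $g_sListFile = @ScriptDir & "\ExeGuard.lst"
Global $g_aVerdicts[0] ; one "sha256|path|allow-or-deny" line per entry (needs AutoIt 3.3.10+)

; Identity of an executable: SHA-256 of the file contents. Path, size and
; modification time can all be copied onto another file; the hash cannot.
Func _ExeKey($sPath)
    Local $bHash = _Crypt_HashFile($sPath, $CALG_SHA_256)
    If @error Then Return SetError(1, 0, "")
    Return StringTrimLeft(String($bHash), 2) ; binary -> "0x...." -> hex digits only
EndFunc

; Read the saved verdicts at start-up; a missing file just means an empty list.
Func _LoadVerdicts()
    Local $sText = FileRead($g_sListFile)
    If @error Then Return 0
    $g_aVerdicts = StringSplit(StringStripCR($sText), @LF, 2) ; 2 = no count element
    Return UBound($g_aVerdicts)
EndFunc

; Returns "allow", "deny" or "" when the executable has never been judged.
Func _LookupVerdict($sKey)
    For $i = 0 To UBound($g_aVerdicts) - 1
        Local $aField = StringSplit($g_aVerdicts[$i], "|", 2)
        If UBound($aField) = 3 And $aField[0] = $sKey Then Return $aField[2]
    Next
    Return ""
EndFunc

; Record a verdict in memory and append it to the file at once, so a crash or
; a forced Exit (where OnAutoItExit would not run) loses nothing.
Func _RememberVerdict($sKey, $sPath, $bAllow)
    Local $sVerdict = "deny"
    If $bAllow Then $sVerdict = "allow"
    Local $n = UBound($g_aVerdicts)
    ReDim $g_aVerdicts[$n + 1]
    $g_aVerdicts[$n] = $sKey & "|" & $sPath & "|" & $sVerdict
    Return FileWriteLine($g_sListFile, $g_aVerdicts[$n])
EndFunc

; Demo on the AutoIt interpreter itself: the first run stores "allow" for it,
; every later run finds the stored verdict.
_LoadVerdicts()
Global $sKey = _ExeKey(@AutoItExe)
If _LookupVerdict($sKey) = "" Then _RememberVerdict($sKey, @AutoItExe, True)
ConsoleWrite(@AutoItExe & " -> " & _LookupVerdict($sKey) & @CRLF)
```

Hashing costs a full read of the file, so compute the key once per new PID rather than on every poll; and since the file is hashed after the process has already been created, the guard still only decides whether a suspended process may continue.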