MsgBox without breaking a program loop?


Currently distracting myself with a security project for starting applications.

I have a request for advice on a few problems.

One is the way I'm monitoring newly started applications: using the WMI list of processes. A better way would be with a DLL event trigger; does anyone know of such a thing?

Second, once a new application is detected (one that is not in the list) it would be suspended until the user approves or denies the process. The problem here is that au3 will pause waiting for the response while other programs can start unsupervised. Any creative way around this limitation?

Thanks

For dessert, here is a function that returns a 2D array with [0] = PID; [1] = full path to the program. (It works.)

Func _GetEXEPath() ; returns a 2D array: [n][0] = PID, [n][1] = full path of the image
    Local $objWMIService, $colItems, $objItem, $i = 0
    Local $avArray[1][2]
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If @error Or Not IsObj($objWMIService) Then
        Return SetError(1, 0, "") ; error connecting to WMI
    EndIf
    ; 0x30 = wbemFlagReturnImmediately | wbemFlagForwardOnly (semisynchronous, forward-only enumeration)
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)
    If Not IsObj($colItems) Then
        Return SetError(1, 0, "")
    EndIf

    For $objItem In $colItems
        ; ExecutablePath is Null for System, Idle and other kernel-backed processes; skip those
        If IsObj($objItem) And String($objItem.ExecutablePath) <> "" Then
            ReDim $avArray[$i + 1][2]
            $avArray[$i][0] = $objItem.ProcessId
            $avArray[$i][1] = $objItem.ExecutablePath
            $i += 1
        EndIf
    Next

    ; UBound() of the initial [1][2] array is never 0, so count the rows actually filled instead
    If $i = 0 Then
        Return SetError(1, 0, "")
    EndIf
    Return $avArray
EndFunc   ;==>_GetEXEPath

Maybe...

Run("notepad.exe")
WinWaitActive("[CLASS:Notepad]")
Sleep(3000)

ProcessApproval("notepad.exe")


; Show the approval dialog from a second AutoIt process, so the calling script's loop is never
; blocked by the MsgBox. The child script is generated on the fly and handed to /AutoIt3ExecuteScript.
Func ProcessApproval($Process)
    Local $Script = ""
    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press  OK  to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF)' & @CRLF
    $Script &= 'If $ret = 1 Then' & @CRLF
    ; YOU NEED THIS INFO BELOW
    $Script &= '    ControlSend("Untitled","", "Edit1", "' & $Process & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose("' & $Process & '")' & @CRLF
    $Script &= 'EndIf' & @CRLF

    ; Anyone who can write to this directory can replace Killer.au3 between FileWrite() and Run()
    ; and have their code executed with this user's rights; keep it somewhere only this user can write.
    Local $file_loc = @ScriptDir & "\Killer.au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    ; Quote both paths. FileGetShortName() must be given a bare path, not a path with parameters appended.
    If @Compiled Then
        Run('"' & @AutoItExe & '" /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        Run('"' & @AutoItExe & '" "' & $file_loc & '"')
    EndIf

EndFunc   ;==>ProcessApproval


I could not figure out how to implement ProcessApproval() properly so that the Guard remembered the process (for really annoying programs).

Well, here it is:

(it will act only upon new programs that start after ExeGuard)

(it will remember the response until the next start of ExeGuard)

#include <Array.au3>

Global $programs[1] ; fingerprints (path:size:mtime) of approved programs
Global $no[1]       ; fingerprints of denied programs

; load the programs that are already running; they are trusted implicitly
Global $tmp = _GetEXEPath()
If Not IsArray($tmp) Then
    MsgBox(0, "", "Could not get the initial list of processes.")
    Exit
EndIf
ReDim $programs[UBound($tmp)]

For $a = 0 To UBound($tmp) - 1
    $programs[$a] = $tmp[$a][1] & ':' & FileGetSize($tmp[$a][1]) & ':' & FileGetTime($tmp[$a][1], 0, 1)
Next


While True
    $list = _GetEXEPath()
    If Not IsArray($list) Then
        MsgBox(0, "", "Could not get the list of processes.")
        Exit
    EndIf
    For $a = 0 To UBound($list) - 1
        $prg = $list[$a][1] & ':' & FileGetSize($list[$a][1]) & ':' & FileGetTime($list[$a][1], 0, 1)
        $tmp = _ArraySearch($programs, $prg)
        $tmpn = _ArraySearch($no, $prg)
        If $tmpn > -1 Then ; program was denied earlier: kill it again without asking
            _ProcessSuspend($list[$a][0])
            ProcessClose($list[$a][0])
        ElseIf $tmp = -1 Then ; unknown program: freeze it and ask
            ConsoleWrite($list[$a][1] & @CRLF)
            _ProcessSuspend($list[$a][0])
            ; this MsgBox blocks the loop; anything started while it is open is only seen on the next pass
            $iMsgBoxAnswer = MsgBox(36, "New Process", $list[$a][1] & @CRLF & "Yes" & @TAB & "- Let the process run as usual." & @CRLF & "No" & @TAB & "- Kill the process.")
            If $iMsgBoxAnswer = 7 Then ; No
                ProcessClose($list[$a][0])
                ReDim $no[UBound($no) + 1]
                $no[UBound($no) - 1] = $prg
            Else ; Yes: add to the approved programs
                _ProcessResume($list[$a][0])
                ReDim $programs[UBound($programs) + 1]
                $programs[UBound($programs) - 1] = $prg
            EndIf
        EndIf
    Next
    Sleep(1)
WEnd


; Not used by the loop above: generates a child script that shows the dialog and resumes or kills the PID itself
Func ProcessApproval($PID, $Process)
    Local $Script = ""
    $Script &= "Func _ProcessResume($process)" & @CRLF
    $Script &= "$processid = ProcessExists($process)" & @CRLF
    $Script &= "If $processid Then" & @CRLF
    $Script &= "    ; PROCESS_SUSPEND_RESUME (0x0800) is all NtResumeProcess needs" & @CRLF
    $Script &= "    $ai_Handle = DllCall('kernel32.dll', 'handle', 'OpenProcess', 'dword', 0x0800, 'bool', False, 'dword', $processid)" & @CRLF
    $Script &= "    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)" & @CRLF
    $Script &= "    $i_sucess = DllCall('ntdll.dll', 'long', 'NtResumeProcess', 'handle', $ai_Handle[0])" & @CRLF
    $Script &= "    DllCall('kernel32.dll', 'bool', 'CloseHandle', 'handle', $ai_Handle[0])" & @CRLF
    $Script &= "    If IsArray($i_sucess) And $i_sucess[0] = 0 Then ; NTSTATUS 0 = STATUS_SUCCESS" & @CRLF
    $Script &= "        Return 1" & @CRLF
    $Script &= "    Else" & @CRLF
    $Script &= "        SetError(1)" & @CRLF
    $Script &= "        Return 0" & @CRLF
    $Script &= "    EndIf" & @CRLF
    $Script &= "Else" & @CRLF
    $Script &= "    SetError(2)" & @CRLF
    $Script &= "    Return 0" & @CRLF
    $Script &= "EndIf" & @CRLF
    $Script &= "EndFunc ;==>_ProcessResume" & @CRLF

    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press  OK  to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF & "(this approval will stay in effect until the restart of ExeGuard)" & @CRLF)' & @CRLF
    $Script &= 'If $ret = 1 Then' & @CRLF
    $Script &= '    _ProcessResume(' & $PID & ')' & @CRLF
    ;$Script &= '   ControlSend("Untitled","", "Edit1", "' & $PID & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose(' & $PID & ')' & @CRLF
    $Script &= 'EndIf' & @CRLF

    ; the generated script runs with this user's rights, so the directory must not be writable by others
    Local $file_loc = @ScriptDir & "\Killer" & Random(1111111, 9999999, 1) & ".au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    If @Compiled Then
        Run('"' & @AutoItExe & '" /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        Run('"' & @AutoItExe & '" "' & $file_loc & '"')
    EndIf

EndFunc ;==>ProcessApproval

Func _GetEXEPath() ; returns a 2D array: [n][0] = PID, [n][1] = full path of the image
    Local $objWMIService, $colItems, $objItem, $i = 0
    Local $avArray[1][2]
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If @error Or Not IsObj($objWMIService) Then
        Return SetError(1, 0, "") ; error connecting to WMI
    EndIf
    ; 0x30 = wbemFlagReturnImmediately | wbemFlagForwardOnly
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)
    If Not IsObj($colItems) Then
        Return SetError(1, 0, "")
    EndIf

    For $objItem In $colItems
        ; ExecutablePath is Null for System, Idle and other kernel-backed processes; skip those
        If IsObj($objItem) And String($objItem.ExecutablePath) <> "" Then
            ReDim $avArray[$i + 1][2]
            $avArray[$i][0] = $objItem.ProcessId
            $avArray[$i][1] = $objItem.ExecutablePath
            $i += 1
        EndIf
    Next

    ; UBound() of the initial [1][2] array is never 0, so count the rows actually filled instead
    If $i = 0 Then
        Return SetError(1, 0, "")
    EndIf
    Return $avArray
EndFunc ;==>_GetEXEPath

Func _ProcessSuspend($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    ; PROCESS_SUSPEND_RESUME (0x0800) is enough for NtSuspendProcess; PROCESS_ALL_ACCESS (0x1F0FFF) is more than needed
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0800, "bool", False, "dword", $processid)
    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)
    Local $i_sucess = DllCall("ntdll.dll", "long", "NtSuspendProcess", "handle", $ai_Handle[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $ai_Handle[0]) ; pass the handle, not the DllCall() array
    ; NtSuspendProcess returns an NTSTATUS; 0 is STATUS_SUCCESS. IsArray() alone only shows the call was made.
    If $iErr Or $i_sucess[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc ;==>_ProcessSuspend

Func _ProcessResume($process)
    Local $processid = ProcessExists($process)
    If Not $processid Then Return SetError(2, 0, 0)
    Local $ai_Handle = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0800, "bool", False, "dword", $processid)
    If @error Or Not $ai_Handle[0] Then Return SetError(1, 0, 0)
    Local $i_sucess = DllCall("ntdll.dll", "long", "NtResumeProcess", "handle", $ai_Handle[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $ai_Handle[0])
    If $iErr Or $i_sucess[0] <> 0 Then Return SetError(1, 0, 0)
    Return 1
EndFunc ;==>_ProcessResume
Edited by dexto
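Added example, not code from any post in this thread: it addresses both of the original questions (event-driven detection instead of polling Win32_Process, and an approval dialog that does not block the guard loop) and the "remember the answer" problem from the ExeGuard post. It subscribes to WMI process-creation events through an SWbemSink, suspends each new process in the callback, shows the dialog from a child AutoIt process that only reports the answer back through a file, and persists verdicts keyed on the SHA-256 of the image rather than path:size:mtime, so a replaced binary at a known path is prompted for again. Assumed: AutoIt 3.3.14 or later (Crypt.au3, ternary operator), the guard runs as the interactive user, and %LOCALAPPDATA%\ExeGuard is a directory only that user can write to; the directory, file names and query are the example's own choices.

```autoit
#include <Crypt.au3>

; Added example for this thread, not code from any post. Assumes AutoIt 3.3.14+ and that
; %LOCALAPPDATA%\ExeGuard (writable only by this user) holds the generated approval scripts,
; the decision files and the persistent verdict list. All names below are this example's own.
Global Const $g_sWorkDir = @LocalAppDataDir & "\ExeGuard"
Global Const $g_sVerdicts = $g_sWorkDir & "\verdicts.ini"
Global $g_oPending = ObjCreate("Scripting.Dictionary") ; PID -> sha256 while its dialog is open

DirCreate($g_sWorkDir)
OnAutoItExitRegister("_Cleanup")

; Subscribe to process creation instead of polling Win32_Process. WMI_OnObjectReady below runs on
; the script's own thread while the main loop sleeps, so no dialog ever stalls detection.
Global $g_oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
If Not IsObj($g_oWMI) Then Exit 1 ; WMI unavailable
Global $g_oSink = ObjCreate("WbemScripting.SWbemSink")
ObjEvent($g_oSink, "WMI_")
$g_oWMI.ExecNotificationQueryAsync($g_oSink, _
        "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'")

While True
    _CollectDecisions() ; the only work the main loop does; it never calls MsgBox
    Sleep(250)
WEnd

Func WMI_OnObjectReady($oEvent, $oContext)
    Local $oProc = $oEvent.TargetInstance
    Local $iPID = Number($oProc.ProcessId), $sPath = String($oProc.ExecutablePath)
    If $sPath = "" Then Return ; kernel-backed processes report no image path
    If Number($oProc.ParentProcessId) = @AutoItPID Then Return ; our own approval dialogs
    ; Freeze it first. It has already run for up to the WITHIN interval plus WMI latency; a guard
    ; that has to win that race needs a kernel driver, not a script. OpenProcess fails for other
    ; users' processes when the guard is not elevated, in which case we silently give up.
    If Not _ProcessSuspend($iPID) Then Return
    Local $sHash = _FileSha256($sPath) ; keyed on content, not path:size:mtime
    Local $sVerdict = IniRead($g_sVerdicts, "verdicts", $sHash, "")
    If $sHash <> "" And ($sVerdict = "allow" Or $sVerdict = "deny") Then
        _ApplyVerdict($iPID, $sVerdict, $sHash)
    Else
        _AskUser($iPID, $sPath)
        $g_oPending.Add($iPID, $sHash)
    EndIf
EndFunc

; The dialog lives in a child process that only records the answer; the guard keeps the handles.
Func _AskUser($iPID, $sPath)
    Local $sScript = $g_sWorkDir & "\ask_" & $iPID & ".au3"
    Local $sDecision = $g_sWorkDir & "\decision_" & $iPID & ".txt"
    Local $sBody = 'Local $iAns = MsgBox(262193, "ExeGuard", "New process ' & $iPID & '" & @CRLF & "' & $sPath & '" & @CRLF & @CRLF & "OK = let it run, Cancel = kill it")' & @CRLF & _
            'FileWrite("' & $sDecision & '", ($iAns = 1) ? "allow" : "deny")' & @CRLF
    FileDelete($sScript)
    FileWrite($sScript, $sBody)
    Run('"' & @AutoItExe & '" /AutoIt3ExecuteScript "' & $sScript & '"')
EndFunc

Func _CollectDecisions()
    If $g_oPending.Count = 0 Then Return
    Local $aKeys = $g_oPending.Keys()
    For $iPID In $aKeys
        Local $sDecision = $g_sWorkDir & "\decision_" & $iPID & ".txt"
        If Not FileExists($sDecision) Then ContinueLoop
        Local $sRaw = FileRead($sDecision)
        If $sRaw = "" Then ContinueLoop ; child has created the file but not finished writing it
        Local $sVerdict = ($sRaw = "allow") ? "allow" : "deny" ; anything unexpected fails closed
        FileDelete($sDecision)
        FileDelete($g_sWorkDir & "\ask_" & $iPID & ".au3")
        _ApplyVerdict($iPID, $sVerdict, $g_oPending.Item($iPID))
        $g_oPending.Remove($iPID)
    Next
EndFunc

Func _ApplyVerdict($iPID, $sVerdict, $sHash)
    If $sVerdict = "allow" Then
        _ProcessResume($iPID)
    Else
        ProcessClose($iPID)
    EndIf
    If $sHash <> "" Then IniWrite($g_sVerdicts, "verdicts", $sHash, $sVerdict) ; survives restarts
EndFunc

Func _FileSha256($sPath)
    Local $bHash = _Crypt_HashFile($sPath, $CALG_SHA_256)
    If @error Then Return ""
    Return Hex($bHash)
EndFunc

; NtSuspendProcess/NtResumeProcess need only PROCESS_SUSPEND_RESUME (0x0800), not PROCESS_ALL_ACCESS.
Func _NtSuspendResume($iPID, $sFunc)
    Local $aH = DllCall("kernel32.dll", "handle", "OpenProcess", "dword", 0x0800, "bool", False, "dword", $iPID)
    If @error Or Not $aH[0] Then Return SetError(1, 0, False)
    Local $aRet = DllCall("ntdll.dll", "long", $sFunc, "handle", $aH[0])
    Local $iErr = @error
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $aH[0])
    If $iErr Or $aRet[0] <> 0 Then Return SetError(2, 0, False) ; NTSTATUS 0 is STATUS_SUCCESS
    Return True
EndFunc

Func _ProcessSuspend($iPID)
    Return _NtSuspendResume($iPID, "NtSuspendProcess")
EndFunc

Func _ProcessResume($iPID)
    Return _NtSuspendResume($iPID, "NtResumeProcess")
EndFunc

Func _Cleanup()
    $g_oSink.Cancel()
EndFunc
```

Two caveats worth keeping in mind when using this: `__InstanceCreationEvent ... WITHIN 1` is itself polled inside WMI, so a process can run for up to a second before the callback suspends it; an elevated guard can subscribe to `Win32_ProcessStartTrace` instead for lower latency, but neither closes the window completely. And the decision file is a trust boundary: the guard acts on whatever it finds there, so the work directory must not be writable by anyone else, and unexpected content is treated as deny.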
