dexto Posted April 27, 2009

Currently distracting myself with a security project on starting applications. I have a request for advice on a few problems.

One is the way I'm monitoring newly started applications: using the WMI list of processes. A better way would be with a DLL event trigger; does anyone know of such a thing?

Second one: once a new application is detected (one that is not in a list) it would be suspended until the user approves or denies the process. The problem here is that au3 will pause waiting for the response while other programs can start unsupervised. Any creative way around this limitation?

Thx

For a dessert, here is a function that returns a 2D array with [0]=PID ; [1]= full path to the program. (it works)

```autoit
Func _GetEXEPath() ; returns PID and Path
    Local $colItems = "", $objWMIService
    Local $avArray[1][2]
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"
    Local $i = 0

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If @error Or Not IsObj($objWMIService) Then
        SetError(1) ; Error connecting to WMI
        Return ""
    EndIf

    ; 0x30 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)
    If Not IsObj($colItems) Then
        SetError(1)
        Return ""
    EndIf

    For $objItem In $colItems
        ; ExecutablePath is empty for System, Idle and protected processes; those are skipped
        If IsObj($objItem) And Not ($objItem.ExecutablePath == '') Then
            ReDim $avArray[$i + 1][2]
            $avArray[$i][0] = $objItem.ProcessId
            $avArray[$i][1] = $objItem.ExecutablePath
            $i += 1
        EndIf
    Next

    ; $avArray is declared with one (empty) row, so count rows actually filled instead of UBound
    If $i > 0 Then
        SetError(0)
        Return $avArray
    EndIf
    SetError(1)
    Return ""
EndFunc ;==>_GetEXEPath
```
TurionAltec Posted April 27, 2009

Use a GUI instead of MsgBox.
dexto (Author) Posted April 27, 2009

Would it be possible to create multiple GUIs within one script? Sorry, I don't have too much experience with GUIs.
Valuater Posted April 27, 2009

Maybe...

```autoit
Run("notepad.exe")
WinWaitActive("")
Sleep(3000)
ProcessApproval("notepad.exe")

Func ProcessApproval($Process)
    ; Write a second script that shows the prompt, so this script is not blocked by the MsgBox
    $Script = ""
    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press OK to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF)' & @CRLF
    $Script &= 'If $ret = 1 Then' & @CRLF
    ; YOU NEED THIS INFO BELOW
    $Script &= '    ControlSend("Untitled","", "Edit1", "' & $Process & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose("' & $Process & '")' & @CRLF
    $Script &= 'EndIf' & @CRLF
    Local $file_loc = @ScriptDir & "\Killer.au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    If @Compiled = 1 Then
        ; Short-name only the exe; the switch and script path are appended afterwards
        Run(FileGetShortName(@AutoItExe) & ' /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        Run(@AutoItExe & ' "' & $file_loc & '"', "", @SW_HIDE)
    EndIf
EndFunc ;==>ProcessApproval
```

8)
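The idea in the post above, taking the prompt out of the watcher's path so the watcher keeps running, written out as an added Python example that is not code from this thread and not AutoIt: the monitor diffs PIDs against what it has already seen, suspends anything unknown, and hands the approval question to a worker thread instead of blocking the poll loop (the post spawns a second script for the same effect). A second instance of the same unknown program arriving while its prompt is still open is held and gets the same verdict without a second prompt. The process lister, prompt, suspend, resume and kill are injected callables, so the decision logic runs anywhere; on Windows you would plug in the thread's WMI query and NtSuspendProcess/NtResumeProcess calls. `Guard`, `poll_once`, `demo_guard` and the fake process table are constructed for this example.

```python
"""Added example: a non-blocking process gate (not code from the thread).

The watcher keeps polling while an approval prompt for an earlier process is
still open, which is the limitation the original post hit with MsgBox.
Process enumeration and the OS-level suspend/resume/kill are injected, so the
decision logic can be exercised without Windows.
"""
import threading
from typing import Callable, Dict, Iterable, List, Optional, Tuple

ListProcs = Callable[[], Iterable[Tuple[int, str]]]   # yields (pid, executable path)
Prompt = Callable[[int, str], str]                    # returns "allow" or "deny"
Action = Callable[[int], None]                        # suspend / resume / kill by pid


class Guard:
    def __init__(self, list_procs: ListProcs, prompt: Prompt,
                 suspend: Action, resume: Action, kill: Action) -> None:
        self._list, self._prompt = list_procs, prompt
        self._suspend, self._resume, self._kill = suspend, resume, kill
        self._lock = threading.Lock()
        self._workers: List[threading.Thread] = []
        self._pending: Dict[str, List[int]] = {}   # path -> held pids awaiting one verdict
        self.decisions: Dict[str, str] = {}        # path -> "allow"/"deny", remembered
        self.seen: set = set()
        # Baseline, as in the thread's script: whatever already runs is trusted.
        for pid, path in self._list():
            self.seen.add(pid)
            self.decisions.setdefault(path, "allow")

    def poll_once(self) -> List[Tuple[int, str]]:
        """One pass over the process table; returns (pid, outcome) for new pids it acted on."""
        acted: List[Tuple[int, str]] = []
        for pid, path in self._list():
            if pid in self.seen:
                continue
            self.seen.add(pid)
            with self._lock:
                verdict: Optional[str] = self.decisions.get(path)
                if verdict is None and path in self._pending:
                    # Same unknown program again while its prompt is open:
                    # hold it, it will receive the same verdict.
                    self._suspend(pid)
                    self._pending[path].append(pid)
                    acted.append((pid, "pending"))
                    continue
                if verdict is None:
                    self._pending[path] = [pid]
            if verdict == "allow":
                continue
            self._suspend(pid)                 # hold first, decide afterwards
            if verdict == "deny":
                self._kill(pid)
                acted.append((pid, "deny"))
                continue
            # Unknown: ask on a worker thread so this loop returns immediately.
            t = threading.Thread(target=self._ask, args=(pid, path), daemon=True)
            t.start()
            self._workers.append(t)
            acted.append((pid, "pending"))
        return acted

    def _ask(self, pid: int, path: str) -> None:
        verdict = self._prompt(pid, path)      # may block for minutes
        with self._lock:
            self.decisions[path] = verdict
            held = self._pending.pop(path, [])
        for p in held:
            (self._resume if verdict == "allow" else self._kill)(p)

    def wait_pending(self, timeout: float = 5.0) -> None:
        for t in list(self._workers):
            t.join(timeout)
        self._workers = [t for t in self._workers if t.is_alive()]


def demo_guard():
    """Constructed scenario: a fake process table instead of WMI and a prompt that
    stays open until released, so more processes arrive while the first question
    is unanswered. Returns (actions, events, decisions)."""
    table = {1: r"C:\Windows\explorer.exe"}           # constructed baseline, not real data
    events: List[Tuple[str, int]] = []
    released = threading.Event()

    def prompt(pid: int, path: str) -> str:           # stands in for the MsgBox
        released.wait(5)
        return "allow" if path.endswith("notepad.exe") else "deny"

    g = Guard(lambda: list(table.items()), prompt,
              lambda p: events.append(("suspend", p)),
              lambda p: events.append(("resume", p)),
              lambda p: events.append(("kill", p)))
    table[2] = r"C:\Windows\notepad.exe"
    first = g.poll_once()                             # prompt opens on a worker
    table[3] = r"C:\Users\Public\unknown.exe"         # constructed path
    table[4] = r"C:\Windows\notepad.exe"              # same program, prompt still open
    second = g.poll_once()                            # loop is still alive
    released.set()                                    # the user finally answers
    g.wait_pending()
    table[5] = r"C:\Users\Public\unknown.exe"
    third = g.poll_once()                             # remembered verdict, no prompt
    return first + second + third, events, dict(g.decisions)
```

The poll loop never waits on the prompt, so the "programs can start unsupervised while MsgBox is up" window closes: each new process is suspended on the pass that first sees it, whichever prompts are still open.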
dexto (Author) Posted April 27, 2009

Wow! Thank you! I'll be posting something when I'm even slightly satisfied with my code.
Valuater Posted April 27, 2009

> Wow! Thank you! I'll be posting something when I'm even slightly satisfied with my code.

Welcome, looking forward to it!! 8)
dexto (Author) Posted April 28, 2009 (edited)

I could not figure out how to implement ProcessApproval() properly so that the Guard remembered the process (for really annoying programs).

Well, here it is:
(it will act upon new programs that start only after the ExeGuard)
(it will remember the response until the next start of the ExeGuard)

```autoit
#include <Array.au3>

Global $programs[1] ; fingerprints (path:size:mtime) of approved programs
Global $no[1]       ; fingerprints of denied programs

; load current programs: everything already running is trusted
Global $tmp = _GetEXEPath()
If Not IsArray($tmp) Then
    MsgBox(0, "", "Could not get the initial list of processes.")
    Exit
EndIf
ReDim $programs[UBound($tmp)]
For $a = 0 To UBound($tmp) - 1
    $programs[$a] = $tmp[$a][1] & ':' & FileGetSize($tmp[$a][1]) & ':' & FileGetTime($tmp[$a][1], 0, 1)
Next

While True
    $list = _GetEXEPath()
    If Not IsArray($list) Then
        MsgBox(0, "", "Could not get the list of processes.")
        Exit
    EndIf
    For $a = 0 To UBound($list) - 1
        $prg = $list[$a][1] & ':' & FileGetSize($list[$a][1]) & ':' & FileGetTime($list[$a][1], 0, 1)
        $tmp = _ArraySearch($programs, $prg)
        $tmpn = _ArraySearch($no, $prg)
        If $tmpn > -1 Then ; program was denied earlier
            _ProcessSuspend($list[$a][0])
            ProcessClose($list[$a][0])
        ElseIf $tmp == -1 Then ; unknown program: hold it and ask
            ConsoleWrite($list[$a][1] & @CR)
            _ProcessSuspend($list[$a][0])
            $iMsgBoxAnswer = MsgBox(36, "New Process", $list[$a][1] & @CR & "Yes" & @TAB & "- Let the process run as usual." & @CRLF & "No" & @TAB & "- Kill the process.")
            If $iMsgBoxAnswer = 7 Then ; No
                ProcessClose($list[$a][0])
                ReDim $no[UBound($no) + 1]
                $no[UBound($no) - 1] = $prg
            Else ; add to ok programs
                _ProcessResume($list[$a][0])
                ReDim $programs[UBound($programs) + 1]
                $programs[UBound($programs) - 1] = $prg
            EndIf
        EndIf
    Next
    Sleep(100) ; a 1 ms loop around a WMI query pins a core; 100 ms still catches new processes
WEnd

; Not wired in yet: writes a helper script that asks the question and then resumes or kills $PID,
; so the main loop is not blocked by the MsgBox.
Func ProcessApproval($PID, $Process)
    $Script = ""
    $Script &= "Func _ProcessResume($process)" & @CRLF
    $Script &= "    $processid = ProcessExists($process)" & @CRLF
    $Script &= "    If $processid Then" & @CRLF
    $Script &= "        $ai_Handle = DllCall('kernel32.dll', 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)" & @CRLF
    $Script &= "        $i_sucess = DllCall('ntdll.dll', 'int', 'NtResumeProcess', 'ptr', $ai_Handle[0])" & @CRLF
    $Script &= "        DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])" & @CRLF
    $Script &= "        If IsArray($i_sucess) And $i_sucess[0] = 0 Then" & @CRLF
    $Script &= "            Return 1" & @CRLF
    $Script &= "        Else" & @CRLF
    $Script &= "            SetError(1)" & @CRLF
    $Script &= "            Return 0" & @CRLF
    $Script &= "        EndIf" & @CRLF
    $Script &= "    Else" & @CRLF
    $Script &= "        SetError(2)" & @CRLF
    $Script &= "        Return 0" & @CRLF
    $Script &= "    EndIf" & @CRLF
    $Script &= "EndFunc ;==>_ProcessResume" & @CRLF
    $Script &= '$ret = MsgBox(262193,"Process Approval Needed","The new Process ""' & $Process & '"" needs approval. " & @CRLF & @CRLF & "Press OK to allow this Process to continue." & @CRLF & @CRLF & "Press Cancel to close this process." & @CRLF & "(this approval will stay in effect until the restart of ExeGuard)" & @CRLF)' & @CRLF
    $Script &= 'If $ret == 1 Then' & @CRLF
    $Script &= '    _ProcessResume(' & $PID & ')' & @CRLF
    ;$Script &= '    ControlSend("Untitled","", "Edit1", "' & $PID & '")' & @CRLF
    $Script &= 'Else' & @CRLF
    $Script &= '    ProcessClose(' & $PID & ')' & @CRLF
    $Script &= 'EndIf' & @CRLF
    Local $file_loc = @ScriptDir & "\Killer" & Random(1111111, 9999999, 1) & ".au3"
    FileDelete($file_loc)
    FileWrite($file_loc, $Script)
    If @Compiled = 1 Then
        ; Short-name only the exe; the switch and script path are appended afterwards
        Run(FileGetShortName(@AutoItExe) & ' /AutoIt3ExecuteScript "' & $file_loc & '"')
    Else
        Run(@AutoItExe & ' "' & $file_loc & '"', "", @SW_HIDE)
    EndIf
EndFunc ;==>ProcessApproval

Func _GetEXEPath() ; returns PID and Path
    Local $colItems = "", $objWMIService
    Local $avArray[1][2]
    Local $strComputer = "localhost"
    Local $strQuery = "SELECT ExecutablePath,ProcessId FROM Win32_Process"
    Local $i = 0

    $objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\cimv2")
    If @error Or Not IsObj($objWMIService) Then
        SetError(1) ; Error connecting to WMI
        Return ""
    EndIf

    ; 0x30 = wbemFlagReturnImmediately + wbemFlagForwardOnly
    $colItems = $objWMIService.ExecQuery($strQuery, "WQL", 0x30)
    If Not IsObj($colItems) Then
        SetError(1)
        Return ""
    EndIf

    For $objItem In $colItems
        ; ExecutablePath is empty for System, Idle and protected processes; those are skipped
        If IsObj($objItem) And Not ($objItem.ExecutablePath == '') Then
            ReDim $avArray[$i + 1][2]
            $avArray[$i][0] = $objItem.ProcessId
            $avArray[$i][1] = $objItem.ExecutablePath
            $i += 1
        EndIf
    Next

    ; $avArray is declared with one (empty) row, so count rows actually filled instead of UBound
    If $i > 0 Then
        SetError(0)
        Return $avArray
    EndIf
    SetError(1)
    Return ""
EndFunc ;==>_GetEXEPath

; Suspend every thread of a process via the undocumented ntdll!NtSuspendProcess.
; 0x1f0fff is PROCESS_ALL_ACCESS; PROCESS_SUSPEND_RESUME (0x0800) is all this call needs,
; and OpenProcess fails either way on processes running at a higher integrity level.
Func _ProcessSuspend($process)
    $processid = ProcessExists($process)
    If Not $processid Then
        SetError(2)
        Return 0
    EndIf
    $ai_Handle = DllCall("kernel32.dll", 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    If Not $ai_Handle[0] Then ; OpenProcess returned NULL (access denied)
        SetError(1)
        Return 0
    EndIf
    $i_sucess = DllCall("ntdll.dll", "int", "NtSuspendProcess", "ptr", $ai_Handle[0])
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0]) ; close the handle itself, not the DllCall result array
    If IsArray($i_sucess) And $i_sucess[0] = 0 Then ; NTSTATUS 0 = STATUS_SUCCESS
        Return 1
    EndIf
    SetError(1)
    Return 0
EndFunc ;==>_ProcessSuspend

Func _ProcessResume($process)
    $processid = ProcessExists($process)
    If Not $processid Then
        SetError(2)
        Return 0
    EndIf
    $ai_Handle = DllCall("kernel32.dll", 'ptr', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    If @error Then
        SetError(1)
        Return 0
    EndIf
    If Not $ai_Handle[0] Then
        SetError(1)
        Return 0
    EndIf
    $i_sucess = DllCall("ntdll.dll", "int", "NtResumeProcess", "ptr", $ai_Handle[0])
    DllCall('kernel32.dll', 'int', 'CloseHandle', 'ptr', $ai_Handle[0])
    If IsArray($i_sucess) And $i_sucess[0] = 0 Then
        Return 1
    EndIf
    SetError(1)
    Return 0
EndFunc ;==>_ProcessResume
```

Edited April 28, 2009 by dexto
Valuater Posted April 28, 2009

Maybe use OnAutoitExit() and _FileWriteFromArray( $File_Location, $Programs ) ... and OnAutoitStartUp() _FileReadToArray( $File_Location, $Old_Programs )

Just some ideas 8)
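The suggestion above (write the lists out on exit, read them back at start) combined with the fingerprint the ExeGuard script builds per program, as an added Python example that is not code from this thread. Two changes a practitioner would make are shown: the size/mtime part of the key is replaced by a SHA-256 of the file, because a replaced binary can be padded to the old size and have its timestamp set back, while it cannot be made to hash the same; and the JSON store is written to a temporary file and renamed, so a crash mid-save leaves the previous policy instead of a truncated one. `PolicyStore`, `fingerprint`, `demo_store`, the store file name and the sample executables are constructed here.

```python
"""Added example: persist allow/deny decisions across restarts (not from the thread).

Key = normalised executable path plus SHA-256 of its contents. The posted script
keys on path:size:mtime, which a swapped-in binary can match; a content hash
cannot be matched that way.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, Optional


def fingerprint(path: str) -> str:
    """path:sha256 of the file's bytes, streamed so large executables are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return f"{os.path.normcase(os.path.abspath(path))}:{h.hexdigest()}"


class PolicyStore:
    VERDICTS = ("allow", "deny")

    def __init__(self, store_path: str) -> None:
        self.store_path = store_path
        self.decisions: Dict[str, str] = {}
        self.load()

    def load(self) -> int:
        """Read the store; a missing or corrupt file means an empty policy. Returns entry count."""
        try:
            with open(self.store_path, "r", encoding="utf-8") as f:
                data = json.load(f)
        except (FileNotFoundError, json.JSONDecodeError):
            self.decisions = {}
            return 0
        self.decisions = {k: v for k, v in data.items() if v in self.VERDICTS}
        return len(self.decisions)

    def save(self) -> None:
        # Temp file in the same directory, then an atomic rename over the old store.
        d = os.path.dirname(os.path.abspath(self.store_path))
        fd, tmp = tempfile.mkstemp(dir=d, prefix=".policy-", suffix=".tmp")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as f:
                json.dump(self.decisions, f, indent=1, sort_keys=True)
            os.replace(tmp, self.store_path)
        except BaseException:
            os.unlink(tmp)
            raise

    def verdict(self, path: str) -> Optional[str]:
        """'allow', 'deny', or None for an executable never decided on (or already gone)."""
        try:
            return self.decisions.get(fingerprint(path))
        except OSError:
            return None

    def record(self, path: str, verdict: str) -> None:
        if verdict not in self.VERDICTS:
            raise ValueError(verdict)
        self.decisions[fingerprint(path)] = verdict
        self.save()     # persist immediately rather than only on exit


def demo_store() -> Dict[str, Optional[str]]:
    """Constructed run: two fake executables, decisions recorded, the store reopened as if
    ExeGuard restarted, then one binary replaced by different bytes of the same size."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.exe")          # constructed sample files, not real binaries
        bad = os.path.join(d, "bad.exe")
        with open(good, "wb") as f:
            f.write(b"MZ good build 1")
        with open(bad, "wb") as f:
            f.write(b"MZ bad build 1 ")             # same length as good.exe
        store = os.path.join(d, "exeguard.json")
        first = PolicyStore(store)
        first.record(good, "allow")
        first.record(bad, "deny")
        second = PolicyStore(store)                 # restart: decisions come back from disk
        out = {"good_after_restart": second.verdict(good),
               "bad_after_restart": second.verdict(bad)}
        with open(good, "wb") as f:
            f.write(b"MZ good build 2")             # same path and size, different content
        out["good_replaced"] = second.verdict(good)  # unknown again: must be re-approved
        return out
```

Because the key includes the hash, an update to an approved program produces one more prompt, which is the intended trade-off: a silently replaced binary at an approved path is exactly the case a size-and-mtime key lets through.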