Executable Blocker

[Shafayat]

This is the beta version of my program "Executable Blocker".

Its goal is to stop any executable from running. So that no unwanted software is (accidentally or intentional) not allowed to run.

This is just a beta. And there are some features that do not work yet. I am just posting this one because I promised in one of the following posts that I'd post it the next day.

Simple Extract the file and run Launcher.exe (no need to copy to Program Files...)

This is free and opensource. I DO urge you to continue posting comments and suggestion while I do not want you just now to modify the entire project. Instead just tell me what needs to be done (and how). Because it is a pain in the a** to combine two scripts altered by different coders.

I'll be posting the STABLE version soon.

Best Regards

Shafayat

DOWNLOAD: http://sss13x.ucoz.net/mess/Executable_Blocker_1.89.x.rar

Edited March 23, 2010 by Shafayat

[FranckGr]

Great script ... I Like the way it works

But I dont think it will block these keys (It is not a problem for a server anyway ...)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Am I wrong ?

But what about the Services and espescially SvcHost service (starting other services - Typical Confliker attack) ?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

I solved it on my servers by Saving (on first run) / Survey / Restore this registry key

The next step should be to delete or even better "deny execution" of the created Service key in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

to "System" as conflicker will try to re-create the key if it is deleted

but I really don't know how to apply security permission on a registry key with AutoIt

Edited March 19, 2010 by FranckGr

[Shafayat]

This script does not include reg and key files but which can be easily added. The theme is, if you cannot start any exe (including regedit and any exe) then you can not alter registry. And if you can not run a REG Or KEY file then you can not alter registry either. So, you can not get a new service to run or get installed.

It is possible to monitor registry changes. But you'd be needed to keep your autoit process running and that is not a good thing for a server.

[playlet]

---

Edited August 18, 2016 by playlet

[Shafayat]

Sorry, forgot to mention, those dll files hold the icons I wanted to use. They are not needed at all. I mistakenly added them.

[ripdad]

A program like this should had come with Windows by default.

On second thought -- maybe not -- it might put the anti-virus companies out of business.

[ripdad]

By the way -

add: #include <WindowsConstants.au3> to Executable Blocker.au3

[ripdad]

Shafayat - hope you don't mind - I made a few improvements - v1.02

Executable Blocker Client.au3 - highlights

1) no includes needed

2) added tray menu check feature

3) replaced code for default icon for exe's to %1 (which is their default)

Executable Blocker.au3 - highlights

1) no includes needed

2) replaced info labels with input fields

3) added cancel button to child window

4) added prompts - ie: "Delete this file?"

5) replaced attributes code

Executable Blocker.zip

Edited March 21, 2010 by ripdad

[FranckGr]

  On 3/21/2010 at 10:42 AM, 'ripdad said:

Shafayat - hope you don't mind - I made a few improvements - v1.02

Executable Blocker Client.au3 - highlights

1) no includes needed

2) added tray menu check feature

3) replaced code for default icon for exe's to %1 (which is their default)

Executable Blocker.au3 - highlights

1) no includes needed

2) replaced info labels with input fields

3) added cancel button to child window

4) added prompts - ie: "Delete this file?"

5) replaced attributes code

Executable Blocker Client.au3

$ShellOpenCommand = '\Executable Blocker.exe" "%1" "%1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%*"'

This line should be modified as this (to solve link + .bat with arguments problem

$ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

You could add these kind of lines on top of the script to help you with icons / Versions number

#AutoIt3Wrapper_Icon=.\Protected.ico

#AutoIt3Wrapper_OutFile=Executable Blocker Client.exe

#AutoIt3Wrapper_OutFile_Type=exe

#AutoIt3Wrapper_Compression=2

;** Target program Resource info

#AutoIt3Wrapper_res_comment=Executable Blocker Block all exes from running

#AutoIt3Wrapper_res_description=Executable Blocker

#AutoIt3Wrapper_Res_Fileversion=1.0.3.1

#AutoIt3Wrapper_res_fileversion_autoincrement=Y

#AutoIt3Wrapper_res_legalcopyright=Copyright © 2010 Shafayat

#AutoIt3Wrapper_res_field=Made By|Shafayat

#AutoIt3Wrapper_res_field=Email|Shafayat at mailServer dot com

with this

Global $SCRIPT_VERSION = "Please Compile !"

If @Compiled Then $SCRIPT_VERSION = FileGetVersion(@ScriptName)

Executable Blocker.au3

Global $TestPath = _PathSplit($cmd, $szDrive, $szDir, $szFName, $szExt)

To

Global $CmdPath = _PathSplit($cmd, $szDrive, $szDir, $szFName, $szExt)

and

$filenametext = GUICtrlCreateInput($Cmd, 20, 190, 360, 20)

To

$filenametext = GUICtrlCreateInput($CmdPath[3]&"."&$CmdPath[4], 20, 190, 360, 20)

[ripdad]

This line should be modified as this (to solve link + .bat with arguments problem

$ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

I think you've never seen a virus go to the 9th string.

But -- I'll have to check that out - which I meant to do.

#AutoIt3Wrapper

AutoIt3Wrapper is personalization -- which I didn't implement -- thats for the end user to do.

The icons I was speaking of is different than what you are thinking. It's this registry entry:

RegWrite("HKEY_CLASSES_ROOT\exehost\DefaultIcon", "", "REG_SZ", "%1")

The other was causing all exe's to have the protected.ico on them.

-edit-

By the way .. I'll be working on a way to get the shell and service executed exe's also.

I don't know if it's feasible to do so yet -- and or what other trouble it will cause -- just have to play with it some and see.

.

Edited March 22, 2010 by ripdad

[Shafayat]

Thank you people. Your comments were really helpful. I've added loads of new features into this software which I'll post tomorow along with the completed help file. Hold your breath till then. anyway, I've made the perfect parser for command line param and have solved problem with shell commands. I've also implemented accelerators and password protection. Please wait till tomorrow.

[ripdad]

Great - be looking forward to it

.

[FranckGr]

  On 3/22/2010 at 8:45 PM, 'Shafayat said:

Thank you people. Your comments were really helpful. I've added loads of new features into this software which I'll post tomorow along with the completed help file. Hold your breath till then. anyway, I've made the perfect parser for command line param and have solved problem with shell commands. I've also implemented accelerators and password protection. Please wait till tomorrow.

You also have to "patch" the *.cmd files as some windows registry keys are defining WHAT is a program (Like this one) :

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs / REG_SZ / com exe bat pif cmd

I would also do it for the *.scr files (In fact, all executable files wheere the HKEY_CLASSES_ROOT\XXXfile\shell\open\command default parameter in the registry is "%1" %*

The list on my XP SP3 is : bat, cmd, com, exe, pif, scr

This is I think enough as all other Executable types (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes) need another (exe) file to be launched

[FranckGr]

  On 3/22/2010 at 7:32 PM, 'ripdad said:

This line should be modified as this (to solve link + .bat with arguments problem

$ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

I think you've never seen a virus go to the 9th string.

But -- I'll have to check that out - which I meant to do.

If tou dont use "%1" %*, your arguments are passed as one single argument.

Try this, create EchoArg.BAT

@Echo Off

ECHO %1

ECHO %2

ECHO %3

PAUSE

Try these ones

Create a shortcut of it and modify it to execute EchoArg.bat Arg1 Arg2 Arg3

The output will be

Arg1 Arg2 Arg3

Instead of

Arg1

Arg2

Arg3

I dont think you need a new Command line parser ...

Try these ones

Executable Blocker Client 1.0.3.0.au3

Executable Blocker 1.0.3.0.au3

Edited March 23, 2010 by FranckGr

[Shafayat]

UPDATE!!!

Updated a lot of things:

1. AES 256 bit Password protection + Hashing (additional security)

2. Better looking GUI

3. Log viewer

4. White and Black List.

5. Stop Autorun.

6. Quick Registry Fix

7. Perfect (no command loss) command line parsing. Extracted it entirely from $CmdLineRaw

NOTE: MANY THINGS DO NOT WORK YET. Mostly because It is a Beta

I'll post the stable version as soon as I can.

- Shafayat

BTW, Can anyone help me with making a help file (a professional looking *.chm file) ?

[FranckGr]

Great !

May be you could you add a "Trust" (always) this program (Like in my post) filling up the White list (if you are Administrator)

and

an "Always refuse" mode (Kind of "Production" mode) where any new program execution will allways be rejected

Other things to take in account for the white list :

1 - Only the complete Path+Program should be allowed (If you move the program in another directory, Executable Blocker should Popup)

2 - A kind of MD5 check should be performed on the Program file before executing it (In case a virus modify it)

Does your new command line parser need this

$ShellOpenCommand = '"' & $RES_HANDLER & '" "%1" "%*"'

Instead of

$ShellOpenCommand = '"' & $RES_HANDLER & '" "%1" %*'

I really don't think REG files need to be included (As they need Regedit.exe) Except if you want to put RegEdit in the White list.

But I'm sure .cmd and .scr files should be added :

Func F_RegisterShell()

RegWrite("HKEY_CLASSES_ROOT\.cmd", "", "REG_SZ", "exehost")

RegWrite("HKEY_CLASSES_ROOT\.scr", "", "REG_SZ", "exehost")

Func F_UnRegisterShell()

RegWrite("HKEY_CLASSES_ROOT\.cmd", "", "REG_SZ", "cmdfile")

RegWrite("HKEY_CLASSES_ROOT\.scr", "", "REG_SZ", "scrfile")

Hope you don't mind the suggestions. Well done !

Franck

Edited March 23, 2010 by FranckGr

[Shafayat]

Ofcourse, I do not mind suggestions. I adore them.

you're right about the reg files, also cmd and scr files.

I'm adding a way to add to white list or black list from handler. That's why I made the list feature. It'll surely be available on the next version.

The md5 hashing of whitelisted files seem to be a great idea. I can't wait to implement it.

Thanks

[FranckGr]

  On 3/23/2010 at 5:09 PM, 'Shafayat said:

I'm adding a way to add to white list or black list from handler. That's why I made the list feature. It'll surely be available on the next version.

Changes the GUI with the following Buttons

[Trust] [Allow] [block] [Deny] [More]

Trust => Goes to the White list and Execute

Allow => Execute

Block => Dont Execute

Deny => Go to the Black List + Dont execute

Trust is greyed if not Admin / Can be activated if the Password if good

Before showing the GUI

Check against White List (Yes = Execute)

Check if Production Mode (Yes = Exit)

Check against Black List (Yes = Exit)

Show the GUI

[ripdad]

@Shafayat

I'm still studying the code - but looking good - thumbs up!

I didn't think you would work on it anymore, given the fact you said it's

old script - free and open source - modify it - put in your script.

Anyway, I'll back away from it. Great job so far!

@FranckGr

You're right about the commandline: . $ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

I'm still having trouble executing cpl's with that commandline though ...

"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl",Date and Time

I suppose it will need some extra code to handle it -- some string manipulation most likely.

I know you're saying "why cpl"

I still remember a rash of viruses that used them. It's been years ago though.

BTW - this is my "ExecutableTypes" list

ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EXE, HLP, HTA, INF, INS, ISP, LNK,

MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, REG, SCR, SHS, URL, VB, WSC

-edit-

I found a way to execute the cpl commandline with:

Run(@ComSpec & ' /c ' & '"' & $CmdLineRaw & '"', '', @SW_HIDE)

Seems to work with anything I throw at it too.

.

Edited March 24, 2010 by ripdad

[Shafayat]

Hello People.

First of all, it is still open source and you can modify it anyway you like. That's why I keep posting the source. I'm a great fan of opensource.

Currently, I'm aiming at 2.0.0.0 stable. When that is completed, I'll probably not work on it much. Till then I always need your help.

I haven't yet tried to incorporate cpl. I'll try that. And thanks for the list, ripdad. That's a whole lot of executables man!

I've a good plan on how to keep developing this tool after I release the stable version.

Again, I'm not furious about includes because it is still being developed and optimization should only take place on final distribution.

I still need someone to help me make documetation/help file. Can you help me with that?

Best Regards

Shafayat