Shafayat Posted March 19, 2010 (edited)

This is the beta version of my program "Executable Blocker". Its goal is to stop any executable from running, so that no unwanted software (accidental or intentional) is allowed to run.

This is just a beta, and there are some features that do not work yet. I am just posting this one because I promised in one of the following posts that I'd post it the next day.

Simple: extract the file and run Launcher.exe (no need to copy to Program Files...)

This is free and open source. I DO urge you to continue posting comments and suggestions, while I do not want you just now to modify the entire project. Instead just tell me what needs to be done (and how), because it is a pain in the a** to combine two scripts altered by different coders.

I'll be posting the STABLE version soon.

Best Regards
Shafayat

DOWNLOAD: http://sss13x.ucoz.net/mess/Executable_Blocker_1.89.x.rar

Edited March 23, 2010 by Shafayat

[Not using this account any more. Using "iShafayet" instead]
FranckGr Posted March 19, 2010 (edited)

Great script ... I like the way it works. But I don't think it will block these keys (it is not a problem for a server anyway ...):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Am I wrong?

But what about the Services and especially the SvcHost service (starting other services - typical Conficker attack)?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

I solved it on my servers by Saving (on first run) / Survey / Restore of this registry key.

The next step should be to delete, or even better "deny execution" of, the created Service key in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to "System", as Conficker will try to re-create the key if it is deleted. But I really don't know how to apply security permissions on a registry key with AutoIt.

Edited March 19, 2010 by FranckGr
Shafayat Posted March 19, 2010 (Author)

This script does not include reg and key files, but they can be easily added. The theme is: if you cannot start any exe (including regedit and any exe) then you cannot alter the registry. And if you cannot run a REG or KEY file then you cannot alter the registry either. So, you cannot get a new service to run or get installed.

It is possible to monitor registry changes. But you'd need to keep your AutoIt process running, and that is not a good thing for a server.
Shafayat Posted March 19, 2010 (Author)

Sorry, forgot to mention: those dll files hold the icons I wanted to use. They are not needed at all. I mistakenly added them.
ripdad Posted March 20, 2010

A program like this should have come with Windows by default. On second thought -- maybe not -- it might put the anti-virus companies out of business.

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
ripdad Posted March 20, 2010

By the way - add:

    #include <WindowsConstants.au3>

to Executable Blocker.au3
ripdad Posted March 21, 2010 (edited)

Shafayat - hope you don't mind - I made a few improvements - v1.02

Executable Blocker Client.au3 - highlights
1) no includes needed
2) added tray menu check feature
3) replaced code for default icon for exe's to %1 (which is their default)

Executable Blocker.au3 - highlights
1) no includes needed
2) replaced info labels with input fields
3) added cancel button to child window
4) added prompts - ie: "Delete this file?"
5) replaced attributes code

Executable Blocker.zip

Edited March 21, 2010 by ripdad
FranckGr Posted March 22, 2010

On 3/21/2010 at 10:42 AM, ripdad said:

    Shafayat - hope you don't mind - I made a few improvements - v1.02
    Executable Blocker Client.au3 - highlights
    1) no includes needed
    2) added tray menu check feature
    3) replaced code for default icon for exe's to %1 (which is their default)
    Executable Blocker.au3 - highlights
    1) no includes needed
    2) replaced info labels with input fields
    3) added cancel button to child window
    4) added prompts - ie: "Delete this file?"
    5) replaced attributes code

Executable Blocker Client.au3

    $ShellOpenCommand = '\Executable Blocker.exe" "%1" "%1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%*"'

This line should be modified as this (to solve the link + .bat with arguments problem):

    $ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

You could add these kinds of lines on top of the script to help you with icons / version numbers:

    #AutoIt3Wrapper_Icon=.\Protected.ico
    #AutoIt3Wrapper_OutFile=Executable Blocker Client.exe
    #AutoIt3Wrapper_OutFile_Type=exe
    #AutoIt3Wrapper_Compression=2
    ;** Target program Resource info
    #AutoIt3Wrapper_res_comment=Executable Blocker Block all exes from running
    #AutoIt3Wrapper_res_description=Executable Blocker
    #AutoIt3Wrapper_Res_Fileversion=1.0.3.1
    #AutoIt3Wrapper_res_fileversion_autoincrement=Y
    #AutoIt3Wrapper_res_legalcopyright=Copyright © 2010 Shafayat
    #AutoIt3Wrapper_res_field=Made By|Shafayat
    #AutoIt3Wrapper_res_field=Email|Shafayat at mailServer dot com

with this:

    Global $SCRIPT_VERSION = "Please Compile !"
    If @Compiled Then $SCRIPT_VERSION = FileGetVersion(@ScriptName)

Executable Blocker.au3

    Global $TestPath = _PathSplit($cmd, $szDrive, $szDir, $szFName, $szExt)

To

    Global $CmdPath = _PathSplit($cmd, $szDrive, $szDir, $szFName, $szExt)

and

    $filenametext = GUICtrlCreateInput($Cmd, 20, 190, 360, 20)

To

    $filenametext = GUICtrlCreateInput($CmdPath[3] & "." & $CmdPath[4], 20, 190, 360, 20)
ripdad Posted March 22, 2010 (edited)

    This line should be modified as this (to solve the link + .bat with arguments problem):
    $ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

I think you've never seen a virus go to the 9th string. But -- I'll have to check that out - which I meant to do.

    #AutoIt3Wrapper

AutoIt3Wrapper is personalization -- which I didn't implement -- that's for the end user to do.

The icons I was speaking of are different from what you are thinking. It's this registry entry:

    RegWrite("HKEY_CLASSES_ROOT\exehost\DefaultIcon", "", "REG_SZ", "%1")

The other was causing all exe's to have the protected.ico on them.

-edit-
By the way .. I'll be working on a way to get the shell and service executed exe's also. I don't know if it's feasible to do so yet -- and or what other trouble it will cause -- just have to play with it some and see..

Edited March 22, 2010 by ripdad
Shafayat Posted March 22, 2010 (Author)

Thank you people. Your comments were really helpful. I've added loads of new features into this software which I'll post tomorrow along with the completed help file. Hold your breath till then.

Anyway, I've made the perfect parser for command line params and have solved the problem with shell commands. I've also implemented accelerators and password protection. Please wait till tomorrow.
ripdad Posted March 22, 2010

Great - be looking forward to it.
FranckGr Posted March 23, 2010

On 3/22/2010 at 8:45 PM, Shafayat said:

    Thank you people. Your comments were really helpful. I've added loads of new features into this software which I'll post tomorrow along with the completed help file. Hold your breath till then. Anyway, I've made the perfect parser for command line params and have solved the problem with shell commands. I've also implemented accelerators and password protection. Please wait till tomorrow.

You also have to "patch" the *.cmd files, as some Windows registry keys are defining WHAT is a program (like this one):

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs / REG_SZ / com exe bat pif cmd

I would also do it for the *.scr files (in fact, all executable files where the HKEY_CLASSES_ROOT\XXXfile\shell\open\command default parameter in the registry is "%1" %*).

The list on my XP SP3 is: bat, cmd, com, exe, pif, scr

This is, I think, enough, as all other executable types (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes) need another (exe) file to be launched.
FranckGr Posted March 23, 2010 (edited)

On 3/22/2010 at 7:32 PM, ripdad said:

    This line should be modified as this (to solve the link + .bat with arguments problem):
    $ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'
    I think you've never seen a virus go to the 9th string. But -- I'll have to check that out - which I meant to do.

If you don't use "%1" %*, your arguments are passed as one single argument.

Try this: create EchoArg.BAT

    @Echo Off
    ECHO %1
    ECHO %2
    ECHO %3
    PAUSE

Create a shortcut of it and modify it to execute EchoArg.bat Arg1 Arg2 Arg3

The output will be

    Arg1 Arg2 Arg3

Instead of

    Arg1
    Arg2
    Arg3

I don't think you need a new command line parser ...

Try these ones:
Executable Blocker Client 1.0.3.0.au3
Executable Blocker 1.0.3.0.au3

Edited March 23, 2010 by FranckGr
Shafayat Posted March 23, 2010 (Author)

UPDATE!!!

Updated a lot of things:
1. AES 256 bit Password protection + Hashing (additional security)
2. Better looking GUI
3. Log viewer
4. White and Black List.
5. Stop Autorun.
6. Quick Registry Fix
7. Perfect (no command loss) command line parsing. Extracted it entirely from $CmdLineRaw

NOTE: MANY THINGS DO NOT WORK YET. Mostly because it is a beta. I'll post the stable version as soon as I can.

- Shafayat

BTW, can anyone help me with making a help file (a professional looking *.chm file)?
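With the `"%1" %*` handler command, the blocker receives the launched program's path followed by that program's own arguments as a single raw command line (Shafayat's $CmdLineRaw), and it has to split that line the way Windows does before it can tell the target apart from its arguments. As an added example that is not code from this thread, here is that split in Python following the CommandLineToArgvW backslash-and-quote rules; the `""` inside-quotes quirk that differs between CRT versions is not modelled, and the sample command lines are constructed.

```python
def split_windows_cmdline(cmdline):
    """Split a raw Windows command line into argv (CommandLineToArgvW rules):
    whitespace separates arguments outside quotes, a quote toggles quoted mode,
    and a run of backslashes escapes only when a quote follows it."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))   # 2n backslashes -> n backslashes
                if count % 2:                      # odd run: the quote is literal
                    cur.append('"')
                else:                              # even run: the quote delimits
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)           # no quote follows: all literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes, have_arg = not in_quotes, True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:                           # argument boundary
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def handler_target(cmdline):
    """For a handler registered as '"<handler>" "%1" %*': argv[0] is the handler,
    argv[1] is the program the user launched, the rest are its arguments."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 2:
        raise ValueError("no target program on the command line")
    return argv[1], argv[2:]
```

A quoted path that ends in a backslash (`"C:\Tools\" Arg1`) is the classic trap: the `\"` becomes a literal quote, so the path and the arguments collapse into one argv entry, exactly the "single argument" symptom described above.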
FranckGr Posted March 23, 2010 (edited)

Great!

Maybe you could add a "Trust" (always) this program (like in my post) filling up the White list (if you are Administrator)
and
an "Always refuse" mode (kind of "Production" mode) where any new program execution will always be rejected.

Other things to take into account for the white list:
1 - Only the complete Path+Program should be allowed (if you move the program to another directory, Executable Blocker should pop up)
2 - A kind of MD5 check should be performed on the Program file before executing it (in case a virus modifies it)

Does your new command line parser need this

    $ShellOpenCommand = '"' & $RES_HANDLER & '" "%1" "%*"'

Instead of

    $ShellOpenCommand = '"' & $RES_HANDLER & '" "%1" %*'

I really don't think REG files need to be included (as they need Regedit.exe), except if you want to put RegEdit in the White list.

But I'm sure .cmd and .scr files should be added:

    Func F_RegisterShell()
        ; point .cmd and .scr at the exehost handler, like .exe
        RegWrite("HKEY_CLASSES_ROOT\.cmd", "", "REG_SZ", "exehost")
        RegWrite("HKEY_CLASSES_ROOT\.scr", "", "REG_SZ", "exehost")
    EndFunc

    Func F_UnRegisterShell()
        ; restore the Windows default ProgIDs
        RegWrite("HKEY_CLASSES_ROOT\.cmd", "", "REG_SZ", "cmdfile")
        RegWrite("HKEY_CLASSES_ROOT\.scr", "", "REG_SZ", "scrfile")
    EndFunc

Hope you don't mind the suggestions. Well done!

Franck

Edited March 23, 2010 by FranckGr
Shafayat Posted March 23, 2010 (Author)

Of course, I do not mind suggestions. I adore them. You're right about the reg files, also cmd and scr files. I'm adding a way to add to white list or black list from the handler. That's why I made the list feature. It'll surely be available in the next version. The md5 hashing of whitelisted files seems to be a great idea. I can't wait to implement it. Thanks
FranckGr Posted March 23, 2010

On 3/23/2010 at 5:09 PM, Shafayat said:

    I'm adding a way to add to white list or black list from the handler. That's why I made the list feature. It'll surely be available in the next version.

Change the GUI with the following buttons: [Trust] [Allow] [Block] [Deny] [More]

Trust => Goes to the White list and Execute
Allow => Execute
Block => Don't Execute
Deny => Go to the Black List + Don't execute

Trust is greyed if not Admin / Can be activated if the Password is good

Before showing the GUI:
Check against White List (Yes = Execute)
Check if Production Mode (Yes = Exit)
Check against Black List (Yes = Exit)
Show the GUI
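The decision order in the post above, combined with the two whitelist rules from the earlier post (complete path only, and a hash check on the file before it runs), as an added Python example that is not part of the thread's AutoIt code. It uses SHA-256 in place of the MD5 the post mentions, since MD5 is no longer collision-resistant; the file names and contents are constructed, and a trusted file whose hash no longer matches is treated as unknown so the prompt appears.

```python
import hashlib, os, shutil, tempfile

def file_digest(path):
    # SHA-256 of the contents; stands in for the MD5 check the post suggests.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def norm(path):
    # Whitelist entries are keyed on the complete, normalised path only.
    return os.path.normcase(os.path.abspath(path))

class Policy:
    def __init__(self, production_mode=False):
        self.whitelist = {}      # full path -> digest recorded when trusted
        self.blacklist = set()   # full paths that are always refused
        self.production_mode = production_mode

    def trust(self, path):
        self.whitelist[norm(path)] = file_digest(path)

    def decide(self, path):
        """Return 'execute', 'exit' or 'prompt' in the order the post lays out."""
        p = norm(path)
        expected = self.whitelist.get(p)
        if expected is not None and os.path.isfile(p) and file_digest(p) == expected:
            return "execute"     # trusted path and contents unchanged since trusting
        if self.production_mode:
            return "exit"        # "always refuse" mode: nothing unknown runs
        if p in self.blacklist:
            return "exit"
        return "prompt"          # fall through to the Trust/Allow/Block/Deny GUI

def demo():
    # Constructed scenario: trusted file, moved copy, tampered file, production mode.
    results, d = {}, tempfile.mkdtemp()
    tool, moved = os.path.join(d, "tool.bat"), os.path.join(d, "moved.bat")
    with open(tool, "w") as f:
        f.write("@echo off\necho hello\n")
    pol = Policy()
    pol.trust(tool)
    results["trusted"] = pol.decide(tool)
    shutil.copy(tool, moved)
    results["moved"] = pol.decide(moved)        # same bytes, other path: not trusted
    with open(tool, "a") as f:
        f.write("echo injected\n")              # simulate tampering
    results["tampered"] = pol.decide(tool)
    pol.blacklist.add(norm(moved))
    results["denied"] = pol.decide(moved)
    pol.production_mode = True
    results["production"] = pol.decide(os.path.join(d, "new.exe"))
    shutil.rmtree(d)
    return results
```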
ripdad Posted March 23, 2010 (edited)

@Shafayat
I'm still studying the code - but looking good - thumbs up!
I didn't think you would work on it anymore, given the fact you said it's old script - free and open source - modify it - put in your script. Anyway, I'll back away from it. Great job so far!

@FranckGr
You're right about the commandline:

    $ShellOpenCommand = '\Executable Blocker.exe" "%1" %*'

I'm still having trouble executing cpl's with that commandline though ...

    "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,Control_RunDLL "C:\WINDOWS\system32\timedate.cpl",Date and Time

I suppose it will need some extra code to handle it -- some string manipulation most likely.

I know you're saying "why cpl". I still remember a rash of viruses that used them. It's been years ago though.

BTW - this is my "ExecutableTypes" list:
ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EXE, HLP, HTA, INF, INS, ISP, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, REG, SCR, SHS, URL, VB, WSC

-edit-
I found a way to execute the cpl commandline with:

    Run(@ComSpec & ' /c ' & '"' & $CmdLineRaw & '"', '', @SW_HIDE)

Seems to work with anything I throw at it too..

Edited March 24, 2010 by ripdad
Shafayat Posted March 24, 2010 (Author)

Hello People. First of all, it is still open source and you can modify it any way you like. That's why I keep posting the source. I'm a great fan of open source. Currently, I'm aiming at 2.0.0.0 stable. When that is completed, I'll probably not work on it much. Till then I always need your help.

I haven't yet tried to incorporate cpl. I'll try that. And thanks for the list, ripdad. That's a whole lot of executables, man! I've a good plan on how to keep developing this tool after I release the stable version.

Again, I'm not furious about includes, because it is still being developed and optimization should only take place on final distribution.

I still need someone to help me make the documentation/help file. Can you help me with that?

Best Regards
Shafayat