Skysnake Posted July 7, 2016 (edited)

Several questions around the forum get asked repeatedly:

How to avoid false-positive Anti-Virus detection? Answered by AutoIt god himself
How to make AutoIt software safe from hacking?
How to prevent AutoIt software being de-compiled?
How to prevent exposure of native AutoIt code?

The general answers all go in the direction of (a) can't be done or (b) make it an .a3x script. The Wiki contains a single entry under "compiler directives" and the Help File contains mainly compiler info, with this note:

Quote: Note: Scripts can be compiled with .a3x extension. They should be run with AutoIt.exe filename.a3x. The .a3x contains the script itself with all referred #include plus the FileInstall files. This format allows you to distribute smaller files as they don't include the AutoIt3.exe in each compiled script. You still need to have it accessible on the target machine but just AutoIt3.exe.

Also see this thread.

So I thought I would make a little demo to actually show how it works. Here are the 2 scripts. The a3x_demo.zip file contains these 2, plus the compiled .a3x file and the .EXE.

The body

    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_Outfile_type=a3x
    #AutoIt3Wrapper_Outfile=a3x_demo.a3x
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
    #cs ----------------------------------------------------------------------------
     AutoIt Version: 3.3.14.2
     Author: Skysnake
     Script Function: Demonstrates working of a3x
     Instructions
     Code as normal
     Set Compiler option to .a3x as per Help File
     Compile
     Note output is (a) .a3x file, (b) now compile wrapper to make .exe file
     The compiled .a3x is included inside the .exe.
     To demonstrate, copy .exe to any new location and run. :)
    #ce ----------------------------------------------------------------------------
    ; Script Start
    #include <MsgBoxConstants.au3>
    MsgBox($MB_SYSTEMMODAL, "a3x demo", "This message box is called from an a3x pre-compiled script " & @CRLF & "will timeout after 10 seconds or select the OK button.", 10)
    ; code ends

The wrapper

    #Region ;**** Directives created by AutoIt3Wrapper_GUI ****
    #AutoIt3Wrapper_Outfile=a3x_wrapper.exe
    #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
    #cs ----------------------------------------------------------------------------
     AutoIt Version: 3.3.14.2
     Author: Skysnake
     Script Function: Wrapper for .a3x demo
     the INCLUDE line below forces the .a3x to be included in the new .EXE
     other option is to use FileInstall and then run the a3x_demo.a3x as an external file
     NOTE: required in order are the following steps
     1. body .au3 script
     2. compile body .au3 as .a3x file, include in wrapper
     3. wrapper .au3 script, to become the .exe -> compile as .EXE
    #ce ----------------------------------------------------------------------------
    ; Script Start -
    #include "a3x_demo.a3x"
    ; code ends

DOWNLOAD: The ax3_demo.zip file

EDIT: 2016.07.08 Fixed typos

Edited July 8, 2016 by Skysnake: added a link

Skysnake
Why is the snake in the sky?

argumentum Posted July 7, 2016

I've done some malicious testing and this technique does not do much, I was hoping it did.

Follow the link to my code contribution ( and other things too ).
FAQ - Please Read Before Posting.

Skysnake (Author) Posted July 8, 2016 (edited)

Dear @argumentum

I am not sure how to interpret your response. This little demo was supposed to show exactly how an .au3 file becomes an .a3x file and gets included in an .EXE. AFAIK this is the only complete example in the Forum.

Thank you for reading.

Edited July 8, 2016 by Skysnake: Typo

nend Posted July 8, 2016

I've tried it because I have a program made in AutoIt which is used by a lot of people and I get a lot of "False Positives". With every update it takes about 3 weeks to report it to all the virus scan companies, because a lot of them reply very slowly to these reports.

What I've discovered is that a lot of scanners still mark it as a virus when I use an a3x file packed in an exe file, but it is fewer than usual. But I think it's a matter of time before the virus scan companies mark this way as a virus as well.

Thanks for showing how to do this.

Skysnake (Author) Posted July 8, 2016

@nend thank you kindly

orbs Posted July 19, 2016

@Skysnake, it is understood that what this topic is all about is a demonstration of how to make a3x file distributable. however, as for the reasons for doing so, i side with @argumentum here. in respect to the reasons you mention - it works, but does not do much. here's how:

On 7/7/2016 at 1:27 PM, Skysnake said: How to avoid false-positive Anti-Virus detection?

working with your demo, i compiled it to exe directly (commented-out the wrapper directives). then i uploaded the directly-compiled exe to VirusTotal, as well as your pre-compiled wrapper using a3x.

links: directly compiled; compiled using a3x

results:

directly compiled:

    Antivirus          Result                            Update
    Antiy-AVL          Trojan/Generic.ASVCS3S.1E5        20160719
    McAfee-GW-Edition  BehavesLike.Win32.Downloader.ch   20160719
    Qihoo-360          QVM10.1.Malware.Gen               20160719

compiled using a3x:

    Antivirus          Result                            Update
    Antiy-AVL          Trojan/Generic.ASVCS3S.1E5        20160719
    McAfee-GW-Edition  BehavesLike.Win32.Downloader.ch   20160719

so there is some improvement. more interestingly, in addition to current observation (above), i think it should prove interesting to follow those links and re-scan from time to time.

as for the other 3 reasons you gave -

1) is it just me, or are these all rephrasing the same concept?
2) the wrapped a3x and directly-compiled exe are both equally unprotected.

Signature - my forum contributions:
UDF:
LFN - support for long file names (over 260 characters)
InputImpose - impose valid characters in an input control
TimeConvert - convert UTC to/from local time and/or reformat the string representation
AMF - accept multiple files from Windows Explorer context menu
DateDuration - literal description of the difference between given dates
Apps:
Touch - set the "modified" timestamp of a file to current time
Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes
SPDiff - Single-Pane Text Diff

Skysnake (Author) Posted July 19, 2016 (edited)

Dear @orbs, I could not find a complete example, so I made one and demonstrated it.

As to all your other comments, I did not intend, nor suggest that I could solve these. The point was to show how it works. The reasons why these problems remain fall beyond the scope of this demo. I will admit that these appear valid, but are inherently part of the package we use, and beyond the scope of this example.

What is mentioned in some posts is to (a) install AutoIt, and then (b) run the .a3x as a stand-alone file using the AutoIt interpreter. In this way the .a3x file escapes detection. This is suggested to be the preferred option. Perhaps you want to run your virus scan like this?

Thank you.

Edited July 20, 2016 by Skysnake: typo

Skysnake (Author) Posted July 20, 2016

I was thinking about all of this. Somewhere @Melba23 uses the term "the .a3x file is tokenised" and I was wondering how far that tokenised file is from being binary? If we can get the tokenised file converted to binary, would that solve the problems mentioned above?

Graeme Posted January 20, 2017

This is good as far as it goes, but I'm wondering if you can give an example of running an A3x script with another compiled script?

    Run(@ScriptDir & "BasicRunProgram.exe" ,"FileToruna3x.a3x")

I don't want to insert the a3x file, but run different a3x files in different places with the same compiled script... Is that possible? It sounds like it from the help file but I can't find, after quite a bit of searching, an example.

Thanks for reading.

Melba23 (Moderators) Posted January 20, 2017

Graeme,

Look in the Help file under <Using AutoIt - Running Scripts - AutoIt specific command Line Switches - Run a script using another compiled script>. You run the .a3x files just as you would a standard .au3 file - the "Important Notes" section at the end of the page even suggests that this is the preferred method (and also explains why), as well as what you need to do to the master executable to ensure that it is permitted to run external scripts.

M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

My UDFs:
ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ---------- Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

Graeme Posted January 23, 2017

Dear Melba,

Thanks for your comments but sadly I had already seen that help file and not been able to make anything work. As well I was surprised that you said, just as you would a standard .au3 file. I've never run a standard au3 file other than by compiling it and running the exe file or from within the editor. This is why I was hoping for an example.

Melba23 (Moderators) Posted January 23, 2017 (edited)

Graeme,

Here are 3 files:

Example.exe is this script compiled to exe:

    #pragma compile(AutoItExecuteAllowed, True)
    Run("Example.exe /AutoIt3ExecuteScript Script.au3")
    Run("Example.exe /AutoIt3ExecuteScript Script.a3x")

Script.a3x is this script compiled to a3x:

    #include <MsgBoxConstants.au3>
    MsgBox($MB_SYSTEMMODAL, "Example", "Compiled a3x script")

Script.au3 is this script left as text:

    ; Note no include file in the au3 script as it will not necessarily be available
    MsgBox(4096, "Example", "au3 script") ; So we need magic numbers instead

Run Example.exe and you will see the 2 MsgBoxes appear. Note that the .a3x file automatically includes the required MsgBoxConstants file when compiled - if you try running the same script as an .au3 file you are likely to get an error.

M23

Edited January 24, 2017 by Melba23: Added more detail

Melba23 (Moderators) Posted January 23, 2017

Graeme,

My pleasure as always.

M23

Graeme Posted April 20, 2017

So now I'm using a3x files to get around the AV problem... I'm doing this by compiling my au3 files as a3x files and running them with

    Run('"C:\Program Files (x86)\QA\AutoIT3.exe" Example.a3x')

This works fine. The only problem I have is that whereas before I could use

    If ProcessExists("example.exe") Then
        ; do stuff
    EndIf

now I have several instances of autoit3.exe in the process lists and I can't find out how to distinguish between them... Is there a way?

Blessings

Jos (Developers) Posted April 20, 2017

Sure, I see 2 options:

Use the _Singleton function with a unique name for each script
Use the hidden window of each AutoIt3 session and set it to a unique name, which you then can test with WinExists()

Jos

SciTE4AutoIt3 Full installer Download page - Beta files
Read before posting
How to post scriptsource
Forum etiquette
Forum Rules
Live for the present, Dream of the future, Learn from the past.

Graeme Posted April 20, 2017

Sorry, I think I'm a bit simple. I tried to use the Singleton idea. I looked at the help and couldn't see how to set the string to identify the occurrence. I tried the name of the script and the name of the script without the extension but neither worked.

Blessings

Jos (Developers) Posted April 20, 2017

Not sure what you have done, so give me an example of the script showing how you coded the _Singleton() logic.

Jos

argumentum Posted April 21, 2017 (edited)

12 hours ago, Graeme said: Sorry, I think I'm a bit simple.

    #include <Array.au3>

    Global $sTitle = "let's call this a title, identifier, whatnot"
    ; Rename this script's hidden AutoIt window to "<title> Chr(1) <PID>"
    AutoItWinSetTitle($sTitle & Chr(1) & @AutoItPID)

    ; List every hidden AutoIt window whose title starts with $sTitle
    Local $b, $n, $aMyScripts = WinList("[TITLE:" & $sTitle & ";CLASS:AutoIt v3;]")
    ReDim $aMyScripts[UBound($aMyScripts)][3]
    $aMyScripts[0][1] = "$hWindow"
    $aMyScripts[0][2] = "@AutoItPID"
    For $n = 1 To $aMyScripts[0][0]
        ; Split the window title back into identifier and PID
        $b = StringSplit($aMyScripts[$n][0], Chr(1))
        $aMyScripts[$n][0] = $b[1]
        $aMyScripts[$n][2] = $b[2]
    Next
    _ArrayDisplay($aMyScripts, "this way you can ProcessClose(@AutoItPID) or WinKill($hWindow)")

    ; also
    If WinExists($sTitle) Then Exit 123

That's it =)

Edited April 21, 2017 by argumentum: more ideas :)

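An added example, not from any poster in the thread: seen from outside the scripts, the AutoIt3.exe instances Graeme asks about differ only in their command line, so the Python below recognises the two launch forms shown in the thread (a script passed as an argument, and a compiled exe with /AutoIt3ExecuteScript) and groups PIDs by script. The (PID, command line) pairs are constructed and assumed to come from a process listing or process-creation log; the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Interpreter image names (AutoIt3_x64.exe is the 64-bit build). A renamed
# copy will not match, so a .a3x argument is flagged for any image below.
INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}
EXEC_SWITCH = "/autoit3executescript"
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word

def classify(cmdline):
    """Return (form, script); form is 'switch', 'argument' or None."""
    args = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not args:
        return (None, None)
    image = PureWindowsPath(args[0]).name.lower()
    rest = args[1:]
    # Form 1: a compiled exe used as interpreter via the command-line switch.
    for i, arg in enumerate(rest[:-1]):
        if arg.lower() == EXEC_SWITCH:
            return ("switch", rest[i + 1])
    # Form 2: the script is passed as a plain argument.
    for arg in rest:
        ext = PureWindowsPath(arg).suffix.lower()
        if ext == ".a3x" or (ext == ".au3" and image in INTERPRETERS):
            return ("argument", arg)
    return (None, None)

def instances_by_script(events):
    """Map lower-cased script file name -> list of PIDs running it."""
    found = defaultdict(list)
    for pid, cmdline in events:
        form, script = classify(cmdline)
        if form:
            found[PureWindowsPath(script).name.lower()].append(pid)
    return dict(found)

# Constructed sample: (PID, command line) pairs, not taken from the thread.
SAMPLE = [
    (4120, r'"C:\Program Files (x86)\QA\AutoIT3.exe" Example.a3x'),
    (4388, r'Example.exe /AutoIt3ExecuteScript Script.a3x'),
    (4390, r'Example.exe /AutoIt3ExecuteScript Script.au3'),
    (5012, r'"C:\Program Files (x86)\QA\AutoIT3.exe" Other.a3x'),
    (5100, r'notepad.exe C:\notes\todo.txt'),
]

if __name__ == "__main__":
    for script, pids in instances_by_script(SAMPLE).items():
        print(script, pids)
```
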