Jump to content

How to get target path of a process


 Share

Recommended Posts

How to retrieve the target executable path from a process.

My system is effected with IMG001.exe virus and I remove the folders created by it daily but still it is creating the folders everytime I login to my PC.

My Antivirus is not detecting it.

11.JPG

 

So I thought to create a process in AutoIT to check for the process name IMG001.exe and retrieve the process target exe to a log file, so that I can track where it is putting these files.

With  ProcessExists ( "process" ) , i can get the process ID.

But how to get the target location of the executable of the process.??

Link to comment
Share on other sites

1 hour ago, Deye said:

In the help file: _WinAPI_GetProcessFileName()

Thanks Deye..

I need one more help.

WHen I am trying to delete the file, it is not getting deleted once I kill the process.

So I kept 2 seconds wait at present.

But if I launch multiple copies of the file at the same time, then I am getting the same issue again.

Is there any force delete option??

Below is the copy of my script.

IMG001 Deleter.au3

Link to comment
Share on other sites

Something like this..

 

#include <WinAPIProc.au3>

Local $iID, $file, $parentID, $parentFile, $a_process = ProcessList("img001.exe")
For $i = 1 To $a_process[0][0]
    $iID = $a_process[$i][1]
    $parentID = _WinAPI_GetParentProcess($iID)
    $file = _WinAPI_GetProcessFileName($iID)
    ProcessClose($iID)
    FileSetAttrib($file, "-RASHNOT")
    FileDelete($file)
    $parentFile = _WinAPI_GetProcessFileName($parentID)
;~  ProcessClose($parentID)
;~  FileSetAttrib($parentFile, "-RASHNOT")
;~  FileDelete($parentFile)
    MsgBox(0, $parentID, $parentFile)
Next

 

Edited by Deye
Link to comment
Share on other sites

The exe I kept running in the background but still it is not able to track the process which created these folders.

 

Is there any way to get details of which process created a folder???

Link to comment
Share on other sites

Once infected by malware a machine is compromized, unsafe and must be regarded as an unreliable liar (about acting as expected).

Please delete this file.
Done! (ROTFL, he believes I'll do that!)
Please kill this process.
Done! (Keep on expecting that!)

When the leader of the armies is known to have agreed with the enemy, you shouldn't be surprised if your guys pityfully loose the war under his leadership, despite reports that they made daily amazing progress.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

@jchd thanks for the inputs.

I have deleted this file already, but it is getting created daily.

Even the antivirus is not able to delete it.

WIndows Defender is just deleting this file but it is getting regenerated daily.

It seems some other process is generating this file which windows defender also not able to detect.

So is there any possiblity to backtrack the folders by seeing which process created that and delete the malicious file??

Link to comment
Share on other sites

If you still want to trust the untrustable, you can use process explorer to do that.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

NTFS doesn't keep history of which PID created an entry AFAIK. You need a full-featured journaling file system for that.

PE lets you see which files a process accesses.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

I agree with jchd about trying to run programs to handle the virus on a diseased machine.  If anything at least make a bootable USB on a clean machine to scan your system after booting the flash drive.  On a clean PC you can download Avast Trial version and make a bootable flash drive with the current av database.  Boot your infected PC from the flash drive and run the scan.

 

I assume source code backups were made when the PC was still clean?

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...