JRSmile Posted December 24, 2008 (edited)
Hi there, I found a nice way to securely execute an application with no interaction possibilities for other programs. The attached UDF uses a DLL which is created at runtime and injected into msgina, a.k.a. winlogon. The Ctrl-Alt-Del hotkey is disabled while your program runs, and the program is executed on an additional "desktop" which has no interaction possibilities with other apps. After you exit the securely created application, the injection is removed. So just a simple line like >>> _secure_run("mspaint.exe") <<< is enough for you to know :-)
UPDATED code attached here: just tested on Win2k, please leave a comment if it works on your system.
EDIT: updated demo.zip to be compatible with Vista.
Edited December 29, 2008 by JRSmile

$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")
For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)
Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));''Chr("a")&"HI"
Next ;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;
MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
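The separate-desktop part of what the post describes, without the DLL injection and without any Ctrl-Alt-Del handling, as an added AutoIt example that is not part of JRSmile's UDF: the target is started on a freshly created desktop through STARTUPINFO.lpDesktop and the display is switched to that desktop until the program exits. The function name, the desktop name and the DllCall signatures are my assumptions, taken from the documented Win32 APIs.

```autoit
; Added example (not the attached UDF): run a program on its own desktop.
; Windows on the default desktop cannot receive input from, or be found by,
; the program while the new desktop is active. Requires Windows (user32/kernel32).
Func _RunOnOwnDesktop($sCommandLine, $sDeskName = "IsolatedDesk")
    Local Const $GENERIC_ALL = 0x10000000
    ; CreateDesktopW(name, device, devmode, flags, desired access, security attributes)
    Local $aRet = DllCall("user32.dll", "handle", "CreateDesktopW", "wstr", $sDeskName, _
            "ptr", 0, "ptr", 0, "dword", 0, "dword", $GENERIC_ALL, "ptr", 0)
    If @error Or Not $aRet[0] Then Return SetError(1, 0, -1)
    Local $hNewDesk = $aRet[0]
    ; Remember the desktop we came from so we can switch back afterwards
    $aRet = DllCall("kernel32.dll", "dword", "GetCurrentThreadId")
    $aRet = DllCall("user32.dll", "handle", "GetThreadDesktop", "dword", $aRet[0])
    Local $hOldDesk = $aRet[0]
    ; STARTUPINFO.lpDesktop tells CreateProcess which desktop the new process belongs to
    Local $tName = DllStructCreate("wchar[64]")
    DllStructSetData($tName, 1, $sDeskName)
    Local $tSI = DllStructCreate("dword cb;ptr lpReserved;ptr lpDesktop;ptr lpTitle;" & _
            "dword dwX;dword dwY;dword dwXSize;dword dwYSize;dword dwXCountChars;" & _
            "dword dwYCountChars;dword dwFillAttribute;dword dwFlags;word wShowWindow;" & _
            "word cbReserved2;ptr lpReserved2;handle hStdInput;handle hStdOutput;handle hStdError")
    DllStructSetData($tSI, "cb", DllStructGetSize($tSI))
    DllStructSetData($tSI, "lpDesktop", DllStructGetPtr($tName))
    Local $tPI = DllStructCreate("handle hProcess;handle hThread;dword dwProcessId;dword dwThreadId")
    $aRet = DllCall("kernel32.dll", "bool", "CreateProcessW", "ptr", 0, "wstr", $sCommandLine, _
            "ptr", 0, "ptr", 0, "bool", False, "dword", 0, "ptr", 0, "ptr", 0, _
            "struct*", $tSI, "struct*", $tPI)
    If @error Or Not $aRet[0] Then
        DllCall("user32.dll", "bool", "CloseDesktop", "handle", $hNewDesk)
        Return SetError(2, 0, -1)
    EndIf
    Local $iPid = DllStructGetData($tPI, "dwProcessId")
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", DllStructGetData($tPI, "hThread"))
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", DllStructGetData($tPI, "hProcess"))
    ; Show the isolated desktop while the program runs, then return to the normal one
    DllCall("user32.dll", "bool", "SwitchDesktop", "handle", $hNewDesk)
    ProcessWaitClose($iPid)
    DllCall("user32.dll", "bool", "SwitchDesktop", "handle", $hOldDesk)
    DllCall("user32.dll", "bool", "CloseDesktop", "handle", $hNewDesk)
    Return $iPid
EndFunc

; Usage, mirroring the post's own example
_RunOnOwnDesktop("mspaint.exe")
```

Note that this alone does not stop a user from pressing Ctrl-Alt-Del: the secure attention sequence is handled by winlogon on the Winlogon desktop and is outside the reach of a normal process, which is the gap the post's injection approach tries to close.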
spudw2k Posted December 24, 2008 (edited)
Gets shut down by McAfee on my sys. WinLocked.
edit: Interesting note, McAfee does not block it when running it using Ward's MemoryDll UDF. However, once I block Ctrl+Alt+Del it can't unblock for some reason. The process running, though, works perfectly.
Edited December 24, 2008 by spudw2k

Things I've Made: Always On Top Tool ◊ AU History ◊ Deck of Cards ◊ HideIt ◊ ICU ◊ Icon Freezer ◊ Ipod Ejector ◊ Junos Configuration Explorer ◊ Link Downloader ◊ MD5 Folder Enumerator ◊ PassGen ◊ Ping Tool ◊ Quick NIC ◊ Read OCR ◊ RemoteIT ◊ SchTasksGui ◊ SpyCam ◊ System Scan Report Tool ◊ System UpTime ◊ Transparency Machine ◊ VMWare ESX Builder Misc Code Snippets: ADODB Example ◊ CheckHover ◊ Detect SafeMode ◊ DynEnumArray ◊ GetNetStatData ◊ HashArray ◊ IsBetweenDates ◊ Local Admins ◊ Make Choice ◊ Recursive File List ◊ Remove Sizebox Style ◊ Retrieve PNPDeviceID ◊ Retrieve SysListView32 Contents ◊ Set IE Homepage ◊ Tickle Expired Password ◊ Transpose Array Projects: Drive Space Usage GUI ◊ LEDkIT ◊ Plasma_kIt ◊ Scan Engine Builder ◊ SpeeDBurner ◊ SubnetCalc Cool Stuff: AutoItObject UDF ◊ Extract Icon From Proc ◊ GuiCtrlFontRotate ◊ Hex Edit Funcs ◊ Run binary ◊ Service_UDF
JRSmile (Author) Posted December 24, 2008 (edited)
Did you disable McAfee for the test? Do you use XP? I tried using the MemoryDll but got AutoIt crashes every time during the load, so I thought it was because Windows could not inject a DLL into a process that only exists in memory. Would you be so kind as to tell me how you managed to load it via memory?
Best regards, J.
Nevermind, got it to work ... it was easier than I thought.... This will then hide the "bad" DLL from McAfee.
UPDATED version in the first post :-)
Edited December 24, 2008 by JRSmile
spudw2k Posted December 24, 2008 (edited)
Excellent. Works great.
edit: Interesting that this method "bypasses" McAfee's detection. Maybe it handles "Unwanted Programs" differently than viruses (only checks files and doesn't check memory?).
Edited December 24, 2008 by spudw2k
JRSmile (Author) Posted December 25, 2008
I was always a bit frightened to use McAfee as antivirus software, heard bad rumors about it, and this situation is even proving my thoughts, so I keep on using Kaspersky and have to manage its huge CPU load, but with the good feeling of being safe :-)
Jango Posted December 29, 2008
Hello, under Vista I can press Ctrl-Alt-Del and then call the Task Manager... is there a way to disable it under Vista?
JRSmile (Author) Posted December 29, 2008
Quoting Jango: "Hello, under Vista I can press Ctrl-Alt-Del and then call the Task Manager... is there a way to disable it under Vista?"
Currently I have only figured out a way to do it on 2000/XP, but I will have a look at it.
JRSmile (Author) Posted December 29, 2008
I could figure out a way to hide every entry on the Ctrl-Alt-Del screen of Vista so this can be used, but the program then needs to run with administrator credentials. I will update the code this evening, I think.
Jango Posted December 29, 2008 (edited)
Quoting JRSmile: "I could figure out a way to hide every entry on the Ctrl-Alt-Del screen of Vista so this can be used, but the program then needs to run with administrator credentials. I will update the code this evening, I think."
Thank you, here is a good link to elevate a program (also in batch): http://4sysops.com/archives/vista%E2%80%99...strator-rights/
Anyway, to do a RunAs under Vista or XP I use this:

If @OSVersion = "WIN_VISTA" Then
    ShellExecuteWait("filename", "parameters", "workingdir", "runas", showflag)
Else
    RunAsWait(...)
EndIf

EDIT: Your code is impressive anyway, as I'm looking for a way to run a program in something like a "kiosk" mode where the user can't do anything other than use the application...
Edited December 29, 2008 by Jango
FireFox Posted December 29, 2008 (edited)
@JRSmile Nice job!!! But if your script is used with a virus, I think you're dead or you have to shut down your computer with the button.
Edit: I can't really use my app because the cursor is hidden; if that is normal, I don't see what it is for, because the mouse works...
Cheers, FireFox.
Edited December 29, 2008 by FireFox
JRSmile (Author) Posted December 29, 2008
Quoting Jango: "Hello, under Vista I can press Ctrl-Alt-Del and then call the Task Manager... is there a way to disable it under Vista?"
I will update the demo code in the first post; I disabled all menu items on the Ctrl-Alt-Del screen of Vista. So if you press the keys you will only get a screen with a cancel button and that's it. Unfortunately, grabbing or disabling the shortcut is not possible at the moment as far as I know. Until I get the correct rights back for utilman.exe, I will have to test a way to disable it completely on the login screen.
FireFox Posted December 29, 2008
@JRSmile Can you answer my request please?
Cheers, FireFox.
TooManySecrets Posted December 29, 2008
Very, very nice. I made something that does this: if your script isn't running in secure mode, it will start itself into secure mode.

#include "securun.au3"
#include <string.au3>
; key derived from the current time; the secured copy receives it on its command line
$securunkey = _StringEncrypt(1, @YDAY + @MDAY + @HOUR + @MIN + @MON, "securun")
If $cmdlineraw <> $securunkey And @Compiled = 1 Then
    ;~ MsgBox(0, "", $cmdlineraw) ; debug
    _secure_run(@ScriptFullPath & ' ' & $securunkey)
    Exit
EndIf
; code below this line
HotKeySet("{esc}", "_e")
Sleep(60000)
Exit

Func _e()
    Exit
EndFunc
JRSmile (Author) Posted December 29, 2008
Quoting TooManySecrets: "Very, very nice. I made something that does this: if your script isn't running in secure mode, it will start itself into secure mode."

#include "securun.au3"
#include <string.au3>
$securunkey = _StringEncrypt(1, @YDAY + @MDAY + @HOUR + @MIN + @MON, "securun")
If $cmdlineraw <> $securunkey And @Compiled = 1 Then
    ;~ MsgBox(0, "", $cmdlineraw) ; debug
    _secure_run(@ScriptFullPath & ' ' & $securunkey)
    Exit
EndIf
; code below this line
HotKeySet("{esc}", "_e")
Sleep(60000)
Exit

Func _e()
    Exit
EndFunc

That is nice. I recompiled my code to be compatible with Vista; it does not fix the Ctrl-Alt-Del problem, but it does disable and hide everything on the Ctrl-Alt-Del screen, so there will be no possibility to run anything else... For me, I have to say I'm currently fully drunk so I can hardly read your answers, but I will have a look tomorrow noon when I'm awake :-) In addition, I'm not a native English speaker... (German) so currently I understood only half of it, please wait until tomorrow. :-) I think about 3 hours of sleep, but I don't know how long it will really be, so please be patient...
JRSmile (Author) Posted December 29, 2008
In addition, do you know, @firefox, that your avatar is really annoying if you're drunk?
JRSmile (Author) Posted December 29, 2008
Quoting FireFox: "@JRSmile Nice job!!! But if your script is used with a virus, I think you're dead or you have to shut down your computer with the button. Edit: I can't really use my app because the cursor is hidden; if that is normal, I don't see what it is for, because the mouse works... Cheers, FireFox."
No, this is not normal. Because I use Vista and 2k, I can prove that a hidden cursor is not normal behaviour :-( I will investigate it, but currently I have no starting point. A different desktop should provide the same cursor as the default one. Maybe you use some kind of customisation software.... but for WindowBlinds I can prove that the cursor works perfectly.
In addition: if you could provide me with the rights of utilmgr.exe in the system32 directory, I can update my script to be stealthy by default. Currently, after the execution of your custom software, the default rights are restored properly...
FireFox Posted December 29, 2008
@JRSmile Ha... yes, I use CursorXP. If you want utilmgr, I will give it to you.
Cheers, FireFox.
strate Posted December 30, 2008
Is there any program that this might be unable to open and/or handle appropriately? I'm adding it to a larger script and wanna be sure.

INI TreeView
A bus station is where a bus stops, a train station is where a train stops. On my desk I have a work station...
JRSmile (Author) Posted December 30, 2008
@strate: a program has nothing to do with the script; any program can call the script, and the script can execute any application you want...
@firefox: sure, that would be nice :-)
strate Posted December 30, 2008
Quoting JRSmile: "@strate: a program has nothing to do with the script; any program can call the script, and the script can execute any application you want... @firefox: sure, that would be nice :-)"
Thanks!