Hey, I don't know if I'm allowed to post the same script here as in the help section, but I made a cool process detection and termination program with a simple log. I used the get-a-process-list example from the help file and some code from Text Compare v2. Hope you enjoy it =)
Code:
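; Auto-execute section: build (or reuse) the baseline once, then poll.
SetTitleMatchMode, 3
; Build the baseline synchronously before the polling timer is armed, so the
; first `match` run cannot overlap with `once`. The original armed `once` as a
; timer with no period, which fires every 250 ms (the SetTimer default) instead
; of running once, and both timers could then run `match` at the same time.
Gosub, once
; Re-check the process list every 5 s. `match` is not marked Critical, so a
; long run (e.g. while its MsgBox is showing) may be interrupted by the next
; tick; keep the period generous.
SetTimer, match, 5000
return
#Persistent ; directive, position-independent: keeps the script alive for the timer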
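;Makes a baseline process list to compare to
; once: creates BaseLineProcess.txt (one image base name per line) in the
; working directory when it does not exist yet, then continues with `match`.
; The file is the allow-list that `match` enforces: everything in it is left
; alone, everything else is terminated. An existing file is reused as-is, so
; delete it to re-baseline (also after changing the enumeration code below, so
; that baseline and later snapshots are produced the same way), and keep it
; where other users/processes cannot edit it, because editing it changes the
; policy of this script.
once:
IfExist, %A_WorkingDir%\BaseLineProcess.txt
    Goto, match
d = `n ; string separator
s := 4096 ; size of buffers and arrays (4 KB)
; Seed the allow-list with names that must always be allowed. The original
; appended these two names to the file (without a separator) and then deleted
; the file again before writing the enumerated list, so they never survived;
; now they are part of the list that is written once at the end.
l := "processmoniter.exe" . d . "notepad.exe" . d
Process, Exist ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0) ; TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES entry
NumPut(1, ti, 0) ; PrivilegeCount = 1
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12) ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Enable SeDebugPrivilege on our own token so processes of other users can be
; opened. The result is not checked: in an unelevated session it silently
; stays disabled and those processes are simply missing from the baseline.
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
DllCall("CloseHandle", "UInt", h) ; close this process handle
; NOTE(review): handles and pointers are passed as "UInt" throughout, i.e.
; this is written for 32-bit AutoHotkey; a 64-bit build would need "Ptr".
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll") ; preload the library once for the loop below
s := VarSetCapacity(a, s) ; an array that receives the list of process identifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
Loop, % r // 4 ; r is the number of bytes filled in; each PID is a 32-bit DWORD
{
    ; The array starts at offset 0; the original read offset A_Index * 4, which
    ; skipped the first entry and read one DWORD past the filled part.
    id := NumGet(a, (A_Index - 1) * 4)
    ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
    h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
    VarSetCapacity(n, s, 0) ; a buffer that receives the base name of the module
    e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
    DllCall("CloseHandle", "UInt", h) ; close process handle
    ; Only processes whose name could be read are listed; a process we cannot
    ; open (protected, or another user's without the privilege) is invisible.
    if (n && e)
        l .= n . d
}
DllCall("FreeLibrary", "UInt", hModule) ; unload the library
Sort, l, C ; alphabetical; the comparison in `match` does not depend on order
; Checked above that the file does not exist, so a single write suffices.
FileAppend, %l%, %A_WorkingDir%\BaseLineProcess.txt
Goto, match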
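; match: snapshots the running processes into CompareProcess.txt, compares the
; snapshot with BaseLineProcess.txt and terminates every image name that is
; present now but absent from the baseline, logging each action to
; ProcessLOG.txt. Entered from the `match` timer and via Goto from `once`.
;
; Review notes (what this block can and cannot do):
;  * Detection is by image base name only. A new process that reuses the name
;    of a baselined image is not detected, while any legitimate process that
;    was not running at baseline time (updaters, installers, new tools) is
;    terminated. BaseLineProcess.txt is therefore the policy file; keep it
;    where other users/processes cannot modify it.
;  * Termination runs with SeDebugPrivilege (requested below), so it can reach
;    processes of other users and of the system; a wrong baseline can break
;    the machine. `Process, Close` acts on the first PID with that name only.
;  * All three files live in %A_WorkingDir%, which depends on how the script
;    was launched (shortcut, scheduler, explorer).
match:
FileDelete, %A_WorkingDir%\CompareProcess.txt
l :=
d = `n ; string separator
s := 4096 ; size of buffers and arrays (4 KB)
Process, Exist ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0) ; TOKEN_PRIVILEGES with one LUID_AND_ATTRIBUTES entry
NumPut(1, ti, 0) ; PrivilegeCount = 1
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12) ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Enable SeDebugPrivilege on our own token (needed to open and to terminate
; processes of other users). Re-done on every run because `once` skips it
; when the baseline already exists. The result is not checked: unelevated,
; it silently stays disabled, such processes are skipped below (e = 0) and
; Process, Close reports failure for them.
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
DllCall("CloseHandle", "UInt", h) ; close this process handle
; NOTE(review): handles and pointers are passed as "UInt" throughout, i.e.
; this is written for 32-bit AutoHotkey; a 64-bit build would need "Ptr".
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll") ; preload the library once for the loop below
s := VarSetCapacity(a, s) ; an array that receives the list of process identifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
Loop, % r // 4 ; r is the number of bytes filled in; each PID is a 32-bit DWORD
{
    ; The array starts at offset 0; the original read offset A_Index * 4, which
    ; skipped the first entry and read one DWORD past the filled part.
    id := NumGet(a, (A_Index - 1) * 4)
    ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
    h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
    VarSetCapacity(n, s, 0) ; a buffer that receives the base name of the module
    e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
    DllCall("CloseHandle", "UInt", h) ; close process handle
    ; Only processes whose name could be read are listed; a process we cannot
    ; open (protected, or another user's without the privilege) is invisible.
    if (n && e)
        l .= n . d
}
DllCall("FreeLibrary", "UInt", hModule) ; unload the library
Sort, l, C ; alphabetical; the comparison below does not depend on order
FileAppend, %l%, %A_WorkingDir%\CompareProcess.txt ; keep the snapshot on disk as before
FileRead, file1, %A_WorkingDir%\BaseLineProcess.txt
FileRead, file2, %A_WorkingDir%\CompareProcess.txt
If (file1 = file2)
    return ; nothing changed since the baseline
; Every name in the snapshot that does not occur in the baseline is new.
; (The original walked both files index by index and only acted when the
; match score was exactly 2; when the baseline line and the snapshot line at
; the same index were both unmatched the score was 0 and that new process was
; never terminated.) FileAppend writes `n as CR LF, so both `n and `r are
; delimiters and the empty fields between them are skipped.
Loop, Parse, file2, `n,`r
{
    current := A_LoopField
    If (current = "")
        continue
    known := 0
    Loop, Parse, file1, `n,`r
    {
        If (A_LoopField = current)
        {
            known := 1
            break
        }
    }
    If (known)
        continue
    ; Unknown image: terminate the first process with that name and log it.
    ; ErrorLevel is the PID that was closed, or 0 when no process of that name
    ; was found or it could not be closed (already gone, access denied).
    ; The original also wrote to %doc%, a variable that is never set.
    Process, Close, %current%
    closedPID := ErrorLevel
    ; Current local time. The original passed the literal placeholder name
    ; YYYYMMDDHH24MISS as the timestamp instead of omitting it.
    FormatTime, Time
    FileAppend, ----------------------------------------------------------------------------------------`n, %A_WorkingDir%\ProcessLOG.txt
    If (closedPID)
    {
        FileAppend, Process %current% (PID %closedPID%) Was Detected and Terminated On %Time%`n, %A_WorkingDir%\ProcessLOG.txt
        MsgBox,,, %current% Was detected and terminated, 5
    }
    else
    {
        FileAppend, Process %current% Was Detected On %Time% but could not be terminated`n, %A_WorkingDir%\ProcessLOG.txt
        MsgBox,,, %current% Was detected but could not be terminated, 5
    }
}
; The original jumped back to `match` here, which spun without delay (one
; log line and one MsgBox per pass) whenever a process could not be
; terminated. The 5 s timer re-runs this subroutine instead.
return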