BleepingComputer.com: How to get the process handler and set the file security of a process in VBS?


How to get the process handler and set the file security of a process in VBS?

#1 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

  Posted 15 March 2009 - 09:32 AM

I really wanna know how to get the process handler using VBS scripting, or if not, an alternative maybe? This is because I'm trying to create a solution for a virus, called aoolcyqu.dll... See, it removes all access to it and I have to boot up to Safe Mode and return the "Allow" in the Security tab at its Properties.. Also I want to know how to retrieve the process's handler because aoolcyqu.dll is launched with one of the many SVCHOSTs that run in my computer... If you could help me please do so.. I want to do this without using any 3rd party applications like Process Explorer (Sysinternals)... I'm planning to use it in an application that I'm gonna do.. Any help is a great help!

#2 Billy O'Neal

  • Bleepin Engineer GRADUATE
  • Group: Malware Response Instructor
  • Posts: 10,403
  • Joined: 17-January 08
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 15 March 2009 - 11:33 AM

You can't really do that from VBS. Process Explorer uses a driver to enumerate the threads in a process... you'll need one.

You can half fake it with WMI, but you won't be able to kill the specific thread running that DLL.. you'll need to kill the entire process -- often not possible when you're talking about svchost.exe processes without taking major parts of the operating system with it.

Billy3

#3 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

Posted 16 March 2009 - 09:41 AM

Can you give me the name of the driver please, or the resource where I can get it... I really need it.. I get that it isn't doable in VBS, any alternative language such as C++, or C? Or anything? (hopefully not assembler)

#4 Billy O'Neal

  • Bleepin Engineer GRADUATE
  • Group: Malware Response Instructor
  • Posts: 10,403
  • Joined: 17-January 08
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 16 March 2009 - 02:19 PM

Drivers are typically written in C or C++, but may be written in most full-fledged programming languages. VBS is a scripting language. You can't use a driver from VBS.

Billy3


#5 groovicus

  • Hail Groovicus!
  • Group: Moderator
  • Posts: 9,605
  • Joined: 05-June 04
  • Gender: Male
  • Location: Centerville, SD

Posted 16 March 2009 - 05:16 PM

Something else that you should consider. aoolcyqu.dll is very likely a randomly generated name. If it were a hard coded name, it would be all over Google. Have you tried feeding the file to Jotti? Chances are that somebody already knows what it is, and how to get rid of it.

"Take the risk of thinking for yourself, much more happiness, truth, beauty, and wisdom will come to you that way" - Christopher Hitchens

#6 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

Posted 17 March 2009 - 05:37 PM

I know how to remove it already... manually that is.. What I need to know now is how to execute it automatically...

#7 Billy O'Neal

  • Bleepin Engineer GRADUATE
  • Group: Malware Response Instructor
  • Posts: 10,403
  • Joined: 17-January 08
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 17 March 2009 - 08:35 PM


#8 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

  Posted 17 March 2009 - 10:53 PM

First, boot to Safe Mode.... then go to "%WinDir%\System32\"... You must first show the hidden system files and hidden files.. Look for "aoolcyqu.dll", right click, go to Properties > Security... You will notice that the read / write and other properties don't have a check, meaning there's no access to it.. unless you're the SYSTEM... Put a check into "Full Control" so you'll have full control of the file, then delete it.. then you're done.. Now my problem is, I want to set the Security to "Full Control" without needing to boot via Safe Mode and through program means (without user interaction)... I don't want to use any 3rd party programs such as Fajo's program... I want to create my own program, can you give me a list of possible solutions that I can use in my program... Thanks so much...

#9 Billy O'Neal

  • Bleepin Engineer GRADUATE
  • Group: Malware Response Instructor
  • Posts: 10,403
  • Joined: 17-January 08
  • Gender: Male
  • Location: Cleveland, Ohio

Posted 18 March 2009 - 05:34 AM

If I did that, I'd be writing the program for you lol.

Might I suggest C instead of vbs? Not much you can do with vbs.

Billy3

#10 Romeo29

  • Learning To Bleep
  • Group: BC Advisor
  • Posts: 2,834
  • Joined: 06-July 08
  • Gender: Not Telling
  • Location: 127.0.0.1

Posted 18 March 2009 - 10:30 AM

Maybe I can write a simple program for it and post the code here.. but a moderator would remove the entire post.. so no use.


#11 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

Posted 18 March 2009 - 09:23 PM

I'm not really expecting you guys to make the program for me, just kinda give me samples to derive from... because I'm only 17, absolutely no proper knowledge about programming... In fact, all that I know about fighting viruses and making programs is all due to my curiosity only (I'm always fiddling with my comp to find / learn something new)... So if you've got suggestions or anything, it's greatly appreciated..

#12 Romeo29

  • Learning To Bleep
  • Group: BC Advisor
  • Posts: 2,834
  • Joined: 06-July 08
  • Gender: Not Telling
  • Location: 127.0.0.1

Posted 18 March 2009 - 10:58 PM

If you can use C/C++ or any other language that allows Windows API, you can use MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT. This way your locked file will be deleted on reboot.

It's the same as the MoveFile utility from www.sysinternals.com, which does the same thing.

#13 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

Posted 18 March 2009 - 11:07 PM

Um, the moving and deleting of the file is not a problem, the problem is how do I set the accessibility of the files.. like in Properties > Security (this can only be done in Safe Mode..)
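As an added example (not code from anyone in this thread), here is what Billy's "half fake it with WMI" in post #2 looks like from VBScript, applied to the file-security question in posts #8 and #13: it lists every process that has the DLL mapped (the svchost.exe instance among them) and dumps the file's owner and DACL, so the "no access" entries can be seen and logged before any cleanup. The path in dllPath is an assumption (the DLL name is the one from the thread); run it with cscript from an administrator prompt.

```vbscript
' Added example, not from the thread. Assumption: dllPath points at the locked DLL.
' Run as:  cscript //nologo triage.vbs   (administrator prompt)
Option Explicit
Const ACE_ACCESS_DENIED = 1     ' Win32_ACE.AceType: 0 = allow, 1 = deny

Dim dllPath: dllPath = "C:\Windows\System32\aoolcyqu.dll"
Dim wmi
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' WMI object paths escape backslashes, so double them inside queries.
Dim escaped: escaped = Replace(dllPath, "\", "\\")

' 1. Which processes have the DLL mapped? CIM_ProcessExecutable associates the
'    CIM_DataFile with every Win32_Process that loaded it, svchost.exe included.
Dim proc
WScript.Echo "Processes with " & dllPath & " loaded:"
For Each proc In wmi.ExecQuery("ASSOCIATORS OF {CIM_DataFile.Name='" & escaped & _
                               "'} WHERE ResultClass = Win32_Process")
    WScript.Echo "  PID " & proc.ProcessId & "  " & proc.Name & "  " & proc.CommandLine
Next

' 2. Read the file's security descriptor. The "no access" state from the thread shows
'    up here as DENY ACEs, as an empty DACL, or as an owner you are not a member of.
Dim setting, sd, rc, ace
Set setting = wmi.Get("Win32_LogicalFileSecuritySetting.Path='" & escaped & "'")
rc = setting.GetSecurityDescriptor(sd)
If rc <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed, return code " & rc
    WScript.Quit 1
End If
If Not IsNull(sd.Owner) Then WScript.Echo "Owner: " & TrusteeName(sd.Owner)
If IsNull(sd.DACL) Then
    WScript.Echo "No DACL present: everyone has full access"
Else
    For Each ace In sd.DACL
        WScript.Echo "  " & AceKind(ace) & "  " & TrusteeName(ace.Trustee) & _
                     "  mask 0x" & Hex(ace.AccessMask)
    Next
End If

Function AceKind(a)
    If a.AceType = ACE_ACCESS_DENIED Then AceKind = "DENY " Else AceKind = "ALLOW"
End Function

Function TrusteeName(t)
    ' Null or empty Domain happens for well-known SIDs; print the bare name then.
    If IsNull(t.Domain) Or t.Domain = "" Then TrusteeName = t.Name Else TrusteeName = t.Domain & "\" & t.Name
End Function
```

Reading the descriptor needs no special privilege, but a file whose DACL denies everything to you still requires ownership or SeTakeOwnershipPrivilege before it can be changed, which is the part the thread's safe-mode workaround sidesteps.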

#14 Shadow Slash

  • Member
  • Group: Members
  • Posts: 25
  • Joined: 27-October 08
  • Location: Parañaque, Philippines

Posted 21 March 2009 - 02:35 AM

No more replies??
