How to get the process handler and set the file security of a process in VBS?


13 replies to this topic

#1 Shadow Slash

  • Members
  • 25 posts

Posted 15 March 2009 - 09:32 AM

I really wanna know how to get the process handler using VBS scripting, or if not, an alternative maybe? This is because I'm trying to create a solution for a virus called aoolcyqu.dll... See, it removes all access to it and I have to boot up to Safe Mode and return the "Allow" in the Security tab of its Properties.. Also I want to know how to retrieve the process's handler because aoolcyqu.dll is launched with one of the many SVCHOSTs that run in my computer... If you could help me, please do so.. I want to do this without using any 3rd-party applications like Process Explorer (Sysinternals)... I'm planning to use it in an application that I'm gonna do.. Any help is a great help!


#2 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 15 March 2009 - 11:33 AM

You can't really do that from VBS. Process Explorer uses a driver to enumerate the threads in a process... you'll need one.

You can half fake it with WMI, but you won't be able to kill the specific thread running that DLL.. you'll need to kill the entire process -- often not possible when you're talking about svchost.exe instances, without taking major parts of the operating system with it.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
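The "half fake it with WMI" part of the reply above, worked out as an added example that is not code from the thread: without a driver you cannot pick out the thread that runs the DLL, but you can find which svchost.exe instances have the DLL mapped (the process module list) and which services each of those processes hosts (WMI/CIM `Win32_Service`, matched on `ProcessId`). The script is mine, assumes an elevated PowerShell prompt, and uses the DLL name from the thread as its default parameter.

```powershell
# Added example, not from the thread: which svchost.exe processes have a given DLL loaded,
# and which services each of them hosts. Run elevated; reading the module list of processes
# that belong to other accounts needs administrator rights.
param(
    [string]$ModuleName = 'aoolcyqu.dll'   # file name taken from the thread
)

$hits = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    # .Modules can throw for protected processes or on a 32/64-bit mismatch; skip those.
    try { $modules = $proc.Modules } catch { continue }
    $match = $modules | Where-Object { $_.ModuleName -ieq $ModuleName }
    if (-not $match) { continue }

    # WMI/CIM: every service that lives inside this particular svchost.exe instance.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($proc.Id)" |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ProcessId  = $proc.Id
        ModulePath = ($match | Select-Object -First 1).FileName
        Services   = ($services -join ', ')
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { "No svchost.exe process currently has $ModuleName loaded." }
```

The output tells you which service group the DLL rode in on, which is what decides whether killing that process is survivable; an empty result only means no svchost.exe has it mapped right now, not that the file is harmless.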

#3 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 16 March 2009 - 09:41 AM

Can you give me the name of the driver please, or the resource where I can get it... I really need it.. I get that it isn't do-able in VBS, any alternative language such as C++, or C? or anything? (hopefully not assembler)

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 16 March 2009 - 02:19 PM

Drivers are typically written in C or C++, but may be written in most full-fledged programming languages. VBS is a scripting language. You can't use a driver from VBS.

Billy3

Edited by Billy O'Neal, 16 March 2009 - 02:20 PM.


#5 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD

Posted 16 March 2009 - 05:16 PM

Something else that you should consider. aoolcyqu.dll is very likely a randomly generated name. If it were a hard coded name, it would be all over Google. Have you tried feeding the file to Jotti? Chances are that somebody already knows what it is, and how to get rid of it.

#6 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 17 March 2009 - 05:37 PM

I know how to remove it already... manually, that is.. What I need to know now is how to execute it automatically...

#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 17 March 2009 - 08:35 PM

How'd you remove it lol?

Billy3

#8 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 17 March 2009 - 10:53 PM

First, boot to Safe Mode.... then go to "%WinDir%\System32\"... You must first show the hidden system files and hidden files.. Look for "aoolcyqu.dll", right click, go to Properties > Security... You will notice that the read / write and other properties don't have a check, meaning there's no access to it.. unless you're the SYSTEM... Put a check into "Full Control" so you'll have full control of the file, then delete it.. then you're done.. Now my problem is, I want to set the Security to "Full Control" without needing to boot via Safe Mode and through program means (without user interaction)... I don't want to use any 3rd-party programs such as Fajo's program... I want to create my own program, can you give me a list of possible solutions that I can use in my program... thanks so much...
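The manual Properties > Security procedure above, done programmatically, as an added example (my script, not the poster's): from an elevated prompt, take ownership of the file for the Administrators group, grant that group Full Control, verify that the ACE is really present, and only then delete. It relies on the built-in `takeown.exe` and `icacls.exe`, which is an assumption about tooling the thread never names; the path is the one the poster gives. Taking ownership works even when the DACL grants nobody anything, because ownership changes are governed by `SeTakeOwnershipPrivilege` rather than by the DACL, which is why the Safe Mode boot is not needed.

```powershell
# Added example, not from the thread: reset the security of a file whose DACL has been
# emptied, the way the Security tab does by hand. Requires an elevated PowerShell prompt.
param(
    [string]$Path = (Join-Path $env:WinDir 'System32\aoolcyqu.dll'),   # path from the thread
    [switch]$Delete                                                      # off by default: inspect first
)

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

# Well-known SID of BUILTIN\Administrators; a SID works on every Windows language,
# the group name does not.
$adminsSid = 'S-1-5-32-544'

# 1. Take ownership for the Administrators group (/A). Needs SeTakeOwnershipPrivilege,
#    which an elevated administrator token carries; the file's own DACL is irrelevant here.
& takeown.exe /F $Path /A | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# 2. The owner always has WRITE_DAC, so we may now add a Full Control (F) ACE.
& icacls.exe $Path /grant "*${adminsSid}:F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 3. Verify before touching the file: is there an Allow ACE for Administrators with FullControl?
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -LiteralPath $Path
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $adminsSid -and
    (($_.FileSystemRights -band $fullControl) -eq $fullControl)
}
if (-not $ace) { throw "Full Control ACE for Administrators is not present after icacls" }
"Owner is now $($acl.Owner); Administrators have Full Control on $Path"

# 4. Delete only on request. A DLL that is mapped into a running process cannot be deleted
#    even with Full Control; that is the case for the delay-until-reboot approach instead.
if ($Delete) {
    Remove-Item -LiteralPath $Path -Force
    "Deleted $Path"
}
```

Run it once without `-Delete` to see the resulting owner and ACE, confirm the file is actually the malicious one (groovicus's point about checking it with a scanner applies), then run it again with `-Delete`.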

#9 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 18 March 2009 - 05:34 AM

If I did that, I'd be writing the program for you lol.

Might I suggest C instead of vbs? Not much you can do with vbs.

Billy3

#10 Romeo29

    Learning To Bleep

  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 18 March 2009 - 10:30 AM

Maybe I can write a simple program for it and post the code here.. but the moderator would remove the entire post.. so no use.

Edited by Romeo29, 18 March 2009 - 10:30 AM.


#11 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 18 March 2009 - 09:23 PM

I'm not really expecting you guys to make the program for me, just kinda give me samples to derive from... 'cause I'm only 17, absolutely no proper knowledge about programming... In fact, all that I know about fighting viruses and making programs is due to my curiosity only (I'm always fiddling with my comp to find / learn something new)... So if you've got suggestions or anything, it's greatly appreciated..

#12 Romeo29

    Learning To Bleep

  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 18 March 2009 - 10:58 PM

If you can use C/C++ or any other language that allows the Windows API, you can use MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT. This way your locked file will be deleted on reboot.

It's the same as the MoveFile utility from www.sysinternals.com, which does the same thing.
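The MoveFileEx() call from the reply above, as an added example that is not Romeo29's code: PowerShell reaches the Win32 API through P/Invoke (`Add-Type`), passes a null destination so the call means "delete" rather than "rename", and sets `MOVEFILE_DELAY_UNTIL_REBOOT` (0x4 in winbase.h). Windows records the request in the `PendingFileRenameOperations` value under the Session Manager key and carries it out early in the next boot, before the DLL can be loaded again, which is why this works on a file that is currently in use. The script assumes an elevated prompt (the request is stored under HKLM) and uses the path from the thread.

```powershell
# Added example, not from the thread: schedule an in-use file for deletion at the next reboot
# with kernel32!MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT, then show the recorded request.
param(
    [string]$Path = (Join-Path $env:WinDir 'System32\aoolcyqu.dll')   # path from the thread
)

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

# P/Invoke declaration matching the documented MoveFileExW signature.
$kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h

# lpNewFileName = null means "delete lpExistingFileName" when the delay flag is set.
$ok = $kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed, Win32 error $err (5 = access denied, i.e. not elevated)"
}
"Scheduled for deletion at next reboot: $Path"

# The request lands in this REG_MULTI_SZ as a pair: source path (in \??\ form), then an empty
# destination. Reading it back is the check that the call did what we asked.
$smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction Stop).PendingFileRenameOperations
"PendingFileRenameOperations now holds:"
$pending | Where-Object { $_ } | ForEach-Object { "  $_" }
```

Note that this only removes the file; it does nothing about the ACL question the poster raises next, and whatever service or autorun entry loads the DLL will still reference the missing file after the reboot.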

#13 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 18 March 2009 - 11:07 PM

Um, the moving and deleting of the file is not a problem, the problem is how do I set the accessibility of the files.. like in Properties > Security (this can only be done in Safe Mode..)

#14 Shadow Slash
  • Topic Starter

  • Members
  • 25 posts

Posted 21 March 2009 - 02:35 AM

No more replies??