MBAM Silent Auto-Scan


11 replies to this topic
Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012

With MBAM (Malwarebytes Anti-Malware) 2.x, CLI support has been removed. It's planned to be added back in the future, but they said that back with 2.0 and here we are still waiting.

This script was tested and designed for the free home version 2.1.6.1022 of MBAM (screenshot below).

[Screenshot: j3foCzX.png]

#SingleInstance force
#Persistent
detectHiddenWindows,on
folder:="C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs"
title:="Malwarebytes Anti-Malware"
; number of items in the log folder before the scan starts
logCount:=ComObjCreate("Shell.Application").NameSpace(folder).Items.Count
run "C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe","C:\Program Files (x86)\Malwarebytes Anti-Malware",hide
winWait,% title
sleep 2000 ; give the GUI time to load its elements
winGetPos,,,cw,ch,% title
; no visible controls: click by position (horizontal centre, 65 pixels up from the bottom)
controlClick,% "x" cw//2 " y" ch-65,% title
winMinimize,% title
; a new item in the log folder means the scan has finished
while(ComObjCreate("Shell.Application").NameSpace(folder).Items.Count=logCount)
    sleep 1000
; find the most recently created scan log
lFileT:=""
loop,files,% folder "\mbam*.xml"
{
    if(a_loopFileTimeCreated>lFileT)
        lFile:=a_loopFileFullPath,lFileT:=a_loopFileTimeCreated
}
fileRead,xml,% lFile ; match against the log's contents, not its file name
subPattern:=["<file><path>","</path><vendor>","</vendor><action>","</action><hash>","</hash></file>"]
replacePattern:=["Path: ","Vendor: ","Action: ","Hash: ","`n"]
; "O" returns a match object, "s" lets "." span newlines, ".*?" stops at the end of each <file> entry
needle:="Os)" subPattern[1] ".*?" subPattern[2] ".*?" subPattern[3] ".*?" subPattern[4] ".*?" subPattern[5]
pos:=1
while(pos:=regExMatch(xml,needle,found,pos))
{
    tp:=found.Value(0)
    ; swap each tag pair for its label
    for i,a in subPattern
        tp:=strReplace(tp,a,replacePattern[i])
    strOut.=tp
    pos+=found.Len(0) ; continue after this entry
}
if(strOut){
    msgbox,,Detected Objects,% strOut
    winActivate,% title
}
else
    winClose,% title
exitApp

If anyone could find a less arbitrary method of a "silent" scan initialization, that would be nice.

Notes:
    Using the PID/HWND is unreliable; opens a second instance for heuristics. Window class too generic.
    Seems to require a small window of time to load elements into the gui (minimizing immediately results in a blank gui).
    No visible controls.


OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++


SnowFlake_FlowSnake
  • Members
  • 845 posts
  • Last active: Jan 24 2016 05:24 PM
  • Joined: 08 Oct 2012

what does this line do?

 

logCount:=ComObjCreate("Shell.Application").NameSpace(folder).Items.Count


  • Download link of my scripts on Autohotkey.com 2/10/2015 [DOWNLAND]
  • Contact Info:  https://github.com/floowsnaake //  FloowSnaake(A)gmail.com
  • IF you need Help send me a PM,Email or Post on Github

  • Quote by tank  Posted 29 September 2015 - 06:14 PM

  • "Eventually i will find a way to convert the DB back to PHPBB3. but i dont have the bandwidth right now. No one that has tried has had success. It is the Only way i can keep this open is if i could successfully convert it."

Jackie Sztuk _Blackholyman
  • Spam Officer
  • 3757 posts
  • Last active: Apr 03 2016 08:47 PM
  • Joined: 28 Feb 2012

what does this line do?

logCount:=ComObjCreate("Shell.Application").NameSpace(folder).Items.Count

It stores the number of items (files) in the folder C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

So the While loop later in the script can check against that number to know when a new log file is created (aka when the search is done).

[AHK] Version. 1.1+ [CLOUD] DropBox ; Copy [WEBSITE] Blog ; About
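The log-folder check explained above, as an added example that is not part of the original thread and is written in Python rather than AutoHotkey: it compares the set of log names instead of the item count, then reads the detections with an XML parser. Only the `<file>` child tags come from the script's `subPattern`; the wrapper elements, file names and values in the sample log are constructed, and all function names are hypothetical.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

FIELDS = ("path", "vendor", "action", "hash")  # child tags from the script's subPattern

def snapshot(folder):
    """Names of the mbam*.xml scan logs currently in the folder."""
    return {n for n in os.listdir(folder)
            if n.lower().startswith("mbam") and n.lower().endswith(".xml")}

def new_logs(folder, before):
    """Logs that appeared since `before`, oldest first (by modification time)."""
    return sorted(snapshot(folder) - before,
                  key=lambda n: os.path.getmtime(os.path.join(folder, n)))

def detections(log_path):
    """One dict per <file> element, wherever it sits in the log."""
    return [{f: (node.findtext(f) or "").strip() for f in FIELDS}
            for node in ET.parse(log_path).getroot().iter("file")]

# Constructed sample log: wrapper elements and every value are made up.
SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<mbam-log><items>
<file><path>C:\Users\test\Downloads\setup_bundle.exe</path><vendor>PUP.Optional.Example</vendor><action>success</action><hash>00000000000000000000000000000000</hash></file>
<file>
  <path>C:\Temp\toolbar.dll</path><vendor>PUP.Optional.Sample</vendor>
  <action>success</action><hash>11111111111111111111111111111111</hash>
</file>
</items></mbam-log>"""

def demo():
    """Old log deleted, new log written: the item count stays at 1,
    so a count comparison would keep waiting; the name set still differs."""
    with tempfile.TemporaryDirectory() as folder:
        old = os.path.join(folder, "mbam-log-old.xml")
        with open(old, "w", encoding="utf-8") as fh:
            fh.write("<mbam-log/>")
        before = snapshot(folder)
        os.remove(old)
        with open(os.path.join(folder, "mbam-log-new.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        latest = new_logs(folder, before)[-1]
        return latest, detections(os.path.join(folder, latest))
```
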

Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012

Just updated it. It should now post all detected objects in a msgbox, then bring the window up. If there are no detected items, it should close. I say should, because, well, does anyone have an infected PC they could test this on?


OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++


DataLife
  • Members
  • 1022 posts
  • Last active: Nov 27 2015 01:09 AM
  • Joined: 27 Apr 2008

I believe you have a ( where there should be a {

loop,files,% folder "\mbam*.xml"
{
    if(a_index=1)(
        lFile:=a_loopFileName,file:=lFile
        lFileT:=a_loopFileTimeCreated
        continue
    }
    file:=lFileT>a_loopFileTimeCreated?lFile:a_loopFileName
}

I also get "Call to nonexistent function.
Specifically: strReplace(tp,subPattern[i],a,replacePattern[i]"


Check out my scripts.  (MyIpChanger) (XPSnap) (SavePictureAs) All my scripts are tested on Windows 7, AutoHotkey 32 bit Ansi unless otherwise stated.

Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012
@DataLife, oops, thanks for pointing out the typos. Fixed. You shouldn't really be getting a non-existent function call error, though. You may need to update your AHK, as strReplace() is fairly new.

OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++


DataLife
  • Members
  • 1022 posts
  • Last active: Nov 27 2015 01:09 AM
  • Joined: 27 Apr 2008
The fix allows the script to run but I am having a problem with ControlClick.
 
I removed Hide on the run command so I could see where it was hanging.

It does not click on Scan.

I replaced ControlClick with 
MouseMove, 444, 521
and the mouse does not move.

I commented out the Run and WinWait commands and MouseMove worked fine.

UAC is asking for permission to let MalwareBytes make changes to my system. Could UAC be causing MouseMove and ControlClick to not work?
Check out my scripts.  (MyIpChanger) (XPSnap) (SavePictureAs) All my scripts are tested on Windows 7, AutoHotkey 32 bit Ansi unless otherwise stated.

Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012

Perhaps. If any additional action is needed to open, the script, as it is, won't accommodate for it. I'd suggest creating an exception/disabling UAC and trying again.


OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++


DataLife
  • Members
  • 1022 posts
  • Last active: Nov 27 2015 01:09 AM
  • Joined: 27 Apr 2008
Okay, I disabled UAC and ControlClick still does not work.

I have AutoHotkey 1.1.22.02 ansi 32bit on Windows 8.1 64bit.

Any other ideas how to get your script to click on Scan Now?

thanks
DataLife
Check out my scripts.  (MyIpChanger) (XPSnap) (SavePictureAs) All my scripts are tested on Windows 7, AutoHotkey 32 bit Ansi unless otherwise stated.

Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012

But what version of MBAM are you using? As noted in the first post, this was made on 2.1.6(.1022) which gave a significant change in UI. I've updated the first post with a screenshot and more clarity.


OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++


DataLife
  • Members
  • 1022 posts
  • Last active: Nov 27 2015 01:09 AM
  • Joined: 27 Apr 2008
I am using the same version 2.1.6 (1022).

I tested MouseMove and Click in a separate script with MalwareBytes.
MouseMove, 444, 521
does not even move the mouse if MalwareBytes is the active window.
Click, 444, 521
does not click if MalwareBytes is the active window.

I will post a question in "ask for help" as to why MouseMove and Click won't work if MalwareBytes is the active window.
Check out my scripts.  (MyIpChanger) (XPSnap) (SavePictureAs) All my scripts are tested on Windows 7, AutoHotkey 32 bit Ansi unless otherwise stated.

Masonjar13
  • Members
  • 1517 posts
  • Last active:
  • Joined: 16 Sep 2012

I would highly suggest you move to Unicode, as ANSI is quite limited, although I'm unsure if it'll have an impact on this issue. I also suggest testing with 64-bit AHK. I don't use W8.1, nor do I have any immediate access to it, so I can't help you there.


OS: Windows 7 Ultimate / Windows 8.1 Pro | Editor: Notepad++