
Process Monitor


Xatmo97
Hey, I don't know if I'm allowed to post the same script here as in the help section, but I made a cool process detection and termination program with a simple log. I used the "get a process list" example from the help file and some code from Text Compare v2. Hope you enjoy it =)


; Process Monitor: every 5 s the running-process list is re-read and compared with a saved
; baseline; a listed process whose name is not in the baseline is terminated and logged.
; The baseline is BaseLineProcess.txt in A_WorkingDir and it is the script's whole policy:
; whoever can edit that file decides what gets killed, and a stale baseline means every
; process started since it was written (user programs and system services alike) is a
; kill candidate. Protect the file's integrity and refresh it deliberately.
; Matching is by image name only; a name is not an identity, so two different programs
; with the same file name cannot be told apart (path or hash would be needed for that).
settitlematchmode, 3
; re-run the comparison (label "match") every 5000 ms
settimer match, 5000
; no period given: AHK v1's default period is 250 ms, so "once" is re-launched
; repeatedly rather than a single time (confirm); each launch ends by jumping to "match"
settimer once,
return
#Persistent

;Makes a baseline process list  to compare to
; Label "once": create BaseLineProcess.txt from the current process list if it does not
; exist yet; an existing file is kept as-is and is never refreshed automatically.
once:
loop, 1
{
IfExist, %A_WorkingDir%\BaseLineProcess.txt
{
Goto, match
}
else
{
; These two appends only create the file: the seeded names are thrown away again below,
; because once the file exists the IfNotExist check after enumeration takes the else
; branch, which deletes the file and rewrites it with the real list.
 FileAppend, processmoniter.exe, %A_WorkingDir%\BaseLineProcess.txt
 FileAppend, notepad.exe, %A_WorkingDir%\BaseLineProcess.txt
; Example #4: Retrieves a list of running processes via DllCall then shows them in a MsgBox.
; (adapted from the AHK help; here the list is written to a file instead of a MsgBox)

d = `n  ; string separator
s := 4096  ; size of buffers and arrays (4 KB)

; Enable SeDebugPrivilege on the script's own token so OpenProcess succeeds on processes of
; other users and of the system. The privilege is normally held only by administrators and the
; result of AdjustTokenPrivileges is not checked, so when the script runs unelevated the
; privilege is silently not enabled and those processes are missing from the list (and so
; from the baseline).
Process, Exist  ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0)  ; structure of privileges
NumPut(1, ti, 0)  ; one entry in the privileges array...
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12)  ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Update the privileges of this process with the new access token:
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
; NOTE(review): only h is closed; the token handle t is never closed, so one token handle leaks per run.
DllCall("CloseHandle", "UInt", h)  ; close this process handle to save memory

; NOTE(review): handles and pointers (h, t, &ti, &a) are passed as "UInt"; on a 64-bit AHK build
; "Ptr" is the correct type, since UInt truncates 64-bit values.
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")  ; increase performance by preloading the libaray
s := VarSetCapacity(a, s)  ; an array that receives the list of process identifiers:
c := 0  ; counter for process idendifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
; r receives the number of bytes written, so r // 4 is the number of PIDs returned
Loop, % r // 4  ; parse array for identifiers as DWORDs (32 bits):
{
   ; NOTE(review): A_Index starts at 1, so offset A_Index*4 skips the first PID (offset 0) and
   ; on the last pass reads the slot just past the returned data; (A_Index-1)*4 would be correct.
   id := NumGet(a, A_Index * 4)
   ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
   h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
   VarSetCapacity(n, s, 0)  ; a buffer that receives the base name of the module:
   ; NOTE(review): the ANSI entry point (...A) is called with a "Str" buffer; on a Unicode AHK
   ; build "Str" is UTF-16, so non-ASCII names come back mis-decoded — likely the cause of the
   ; garbled names reported in the replies. A Unicode build should call GetModuleBaseNameW.
   e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
   DllCall("CloseHandle", "UInt", h)  ; close process handle to save memory
   if (n && e)  ; if image is not null add to list:
      l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)  ; unload the library to free memory
Sort, l, C  ; case-sensitive sort so both lists have the same order for the positional compare

; The file was created above, so the IfNotExist branch is never taken here; the else branch
; deletes the seeded file and writes the real list (the relative name resolves to A_WorkingDir).
IfNotExist %A_WorkingDir%\BaseLineProcess.txt
{
FileAppend, %l%, BaseLineProcess.txt
}
else
{
FileDelete, %A_WorkingDir%\BaseLineProcess.txt
FileAppend, %l%, BaseLineProcess.txt
}
}
; both branches end here: hand over to the comparison
Goto, match
}
;makes a compareing autoupdateing list to detect new prcesses opend
; Label "match": write the current process list to CompareProcess.txt, diff it against the
; baseline line by line, and terminate every listed process whose name is not in the baseline.
match:
; the comparison file is recreated from scratch on every run
FileDelete, %A_WorkingDir%\CompareProcess.txt
; clear the accumulated list before re-enumerating
l :=
loop, 1
{
; Same enumeration as in "once" (same privilege, UInt, index and encoding caveats);
; duplicated rather than shared.
d = `n  ; string separator
s := 4096  ; size of buffers and arrays (4 KB)

Process, Exist  ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0)  ; structure of privileges
NumPut(1, ti, 0)  ; one entry in the privileges array...
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12)  ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Update the privileges of this process with the new access token:
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
DllCall("CloseHandle", "UInt", h)  ; close this process handle to save memory

hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")  ; increase performance by preloading the libaray
s := VarSetCapacity(a, s)  ; an array that receives the list of process identifiers:
c := 0  ; counter for process idendifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
Loop, % r // 4  ; parse array for identifiers as DWORDs (32 bits):
{
   id := NumGet(a, A_Index * 4)
   ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
   h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
   VarSetCapacity(n, s, 0)  ; a buffer that receives the base name of the module:
   e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
   DllCall("CloseHandle", "UInt", h)  ; close process handle to save memory
   if (n && e)  ; if image is not null add to list:
      l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)  ; unload the library to free memory
Sort, l, C  ; case-sensitive sort so both lists have the same order for the positional compare
; the file was deleted at the top of this label, so this append always runs
IfNotExist %A_WorkingDir%\CompareProcess.txt
{
FileAppend, %l%, CompareProcess.txt
}

; Both files are read whole into the variables named 1 and 2 and compared as strings;
; when they are identical nothing happens and the label returns to the timer.
FileRead, 1, %A_WorkingDir%\BaseLineProcess.txt
FileRead, 2, %A_WorkingDir%\CompareProcess.txt

If 1 = %2%
{

}
; this section compares the baseline list to the comparing list to see if they are different;
; if they are, it finds the difference and terminates it
else
{
Path1=%A_WorkingDir%\BaseLineProcess.txt
Path2=%A_WorkingDir%\CompareProcess.txt

; Line-by-line diff adapted from "Text Compare v2". The options NoWhite and Mismatch are never
; assigned in this script, so the whitespace-insensitive and mismatch-reporting branches are
; dead code; doc is never assigned either, so the FileAppend to %doc% below has no target file.
; i and num6 are set but never used.
; match encodes where the two lines at the same index were found:
;   +2 = the baseline line (line1) is absent, or appears elsewhere in the current list
;   +1 = the current line (line2) is absent, or appears elsewhere in the baseline
; 3 = both accounted for -> continue; 2 = line2 names a process not in the baseline -> kill it.
; NOTE(review): match = 0 (neither line found in the other file) also means line2 is not in the
; baseline, yet nothing is terminated; the lists then stay different and the unconditional
; "Goto, match" after this loop re-runs the label immediately, without the 5 s timer pause.
Loop
{
 match=0
 FileReadLine, line1, %Path1%, %A_Index%
 Error1 := ErrorLevel
 FileReadLine, line2, %Path2%, %A_Index%
 Error2 := ErrorLevel
 If (Error1) AND (Error2)
  break
 If NoWhite
 {
  NW1 := RegExReplace(line1,"[`t ]+")
  NW2 := RegExReplace(line2,"[`t ]+")
  If (NW1 = NW2)
   continue
  If NW1=
   Error1=1
  If NW2=
   Error2=1
 }
 Else If (line1 = line2)
  continue
 If Error1
  match+=2
 If Error2
  match++
 ; whole files are loaded once, on the first differing line
 If file1=
 {
  FileRead, file1, %Path1%
  FileRead, file2, %Path2%
  If NoWhite
  {
   file1 := RegExReplace(file1,"[`t ]+")
   file2 := RegExReplace(file2,"[`t ]+")
  }
 }
 If Mismatch
 {
  num3=#
  num4=#
 }
 line1copy := NoWhite=1 ? NW1:line1
 line2copy := NoWhite=1 ? NW2:line2
 If Error2=0
  Loop, Parse, file1, `n,`r
   If (A_LoopField = line2copy)
   {
    match++
    num4 := A_Index
    break
   }
 If Error1=0
  Loop, Parse, file2, `n,`r
   If (A_LoopField = line1copy)
   {
    match+=2
    num3 := A_Index
    break
   }
 If (match = 3) AND !(Mismatch)
  continue
 i++
 num := A_Index
 If (Mismatch=1) AND (match != 3)
 {
  num5 := "/" num ":" num3
  num6 := "/" num ":" num4
 }
 ; line2 is a current process whose name is not in the baseline
   If match = 2
    {
   ; doc is empty, so this append writes nowhere useful
   FileAppend, Line %num%%num5%`r`n%A_Tab%Process>> %line2%`r`n, %doc%
    ; Terminate by image name, not by PID. With SeDebugPrivilege enabled this also reaches
    ; system processes; any service or program started after the baseline was taken is killed.
    ; ErrorLevel is not checked, so a failed termination goes unnoticed (and is still logged
    ; as terminated), and the lists then never converge — see the Goto below.
    Process, Close, %line2%
    FormatTime, Time, YYYYMMDDHH24MISS,
    ; The log records only the name and a timestamp: no PID, path, user or outcome.
    FileAppend, ----------------------------------------------------------------------------------------`n, %A_WorkingDir%\ProcessLOG.txt
    FileAppend, Process %line2% Was Detected and Terminateed On %Time%`n, %A_WorkingDir%\ProcessLOG.txt
    MsgBox,,, %line2% Was detetectd and terminated, 5
    }
}
 ; re-run immediately (not via the timer) until the two lists are identical
 Goto, match
}
return
}


stepansc2hots

Hi,

This script addresses an important task; however, I have a few comments:

 

(1) MsgBox itself creates a process, resulting in a continuous loop (this one is easy to fix by adding:

...
; Only show the notification while showmsgbox is 1 (toggled by the F12 hotkey below).
if ( showmsgbox == 1){
     msgbox ....
}
...
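; F12: toggle the notification MsgBox on (1) / off (0); the value is read by the
; if ( showmsgbox == 1) guard around the MsgBox.
F12::
; A single flip is enough. Incrementing first (showmsgbox+=1) made the value positive before
; the ternary on every press, so it was always reset to 0 and never toggled back on.
showmsgbox := showmsgbox > 0 ? 0 : 1
return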

(2) This script does not work with other encodings. When I use Cyrillic I get this:

 

??????
????????

...
??????e

There are no Cyrillic characters in the file path, but the locale is Russian. How can I add Unicode support to the script?

 

Thank you,

Stepan



jNizM
@stepansc2hots
Are you searching for something like this?
WTSEnumerateProcessesEx
WTSEnumerateProcessesEx_1.png
[AHK] 1.1.27.04 x64 Unicode | [WIN] 10 Pro (Version 1709)

Guest10

What is the difference between WTSEnumerateProcessesEx and this:

; Process Monitor: every 5 s the running-process list is re-read and compared with a saved
; baseline; a listed process whose name is not in the baseline is terminated and logged.
; The baseline is BaseLineProcess.txt in A_WorkingDir and it is the script's whole policy:
; whoever can edit that file decides what gets killed, and a stale baseline means every
; process started since it was written (user programs and system services alike) is a
; kill candidate. Protect the file's integrity and refresh it deliberately.
; Matching is by image name only; a name is not an identity, so two different programs
; with the same file name cannot be told apart (path or hash would be needed for that).
settitlematchmode, 3
; re-run the comparison (label "match") every 5000 ms
settimer match, 5000
; no period given: AHK v1's default period is 250 ms, so "once" is re-launched
; repeatedly rather than a single time (confirm); each launch ends by jumping to "match"
settimer once,
return
#Persistent

;Makes a baseline process list  to compare to
; Label "once": create BaseLineProcess.txt from the current process list if it does not
; exist yet; an existing file is kept as-is and is never refreshed automatically.
once:
loop, 1
{
IfExist, %A_WorkingDir%\BaseLineProcess.txt
{
Goto, match
}
else
{
; These two appends only create the file: the seeded names are thrown away again below,
; because once the file exists the IfNotExist check after enumeration takes the else
; branch, which deletes the file and rewrites it with the real list.
 FileAppend, processmoniter.exe, %A_WorkingDir%\BaseLineProcess.txt
 FileAppend, notepad.exe, %A_WorkingDir%\BaseLineProcess.txt
; Example #4: Retrieves a list of running processes via DllCall then shows them in a MsgBox.
; (adapted from the AHK help; here the list is written to a file instead of a MsgBox)

d = `n  ; string separator
s := 4096  ; size of buffers and arrays (4 KB)

; Enable SeDebugPrivilege on the script's own token so OpenProcess succeeds on processes of
; other users and of the system. The privilege is normally held only by administrators and the
; result of AdjustTokenPrivileges is not checked, so when the script runs unelevated the
; privilege is silently not enabled and those processes are missing from the list (and so
; from the baseline).
Process, Exist  ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0)  ; structure of privileges
NumPut(1, ti, 0)  ; one entry in the privileges array...
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12)  ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Update the privileges of this process with the new access token:
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
; NOTE(review): only h is closed; the token handle t is never closed, so one token handle leaks per run.
DllCall("CloseHandle", "UInt", h)  ; close this process handle to save memory

; NOTE(review): handles and pointers (h, t, &ti, &a) are passed as "UInt"; on a 64-bit AHK build
; "Ptr" is the correct type, since UInt truncates 64-bit values.
hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")  ; increase performance by preloading the libaray
s := VarSetCapacity(a, s)  ; an array that receives the list of process identifiers:
c := 0  ; counter for process idendifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
; r receives the number of bytes written, so r // 4 is the number of PIDs returned
Loop, % r // 4  ; parse array for identifiers as DWORDs (32 bits):
{
   ; NOTE(review): A_Index starts at 1, so offset A_Index*4 skips the first PID (offset 0) and
   ; on the last pass reads the slot just past the returned data; (A_Index-1)*4 would be correct.
   id := NumGet(a, A_Index * 4)
   ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
   h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
   VarSetCapacity(n, s, 0)  ; a buffer that receives the base name of the module:
   ; NOTE(review): the ANSI entry point (...A) is called with a "Str" buffer; on a Unicode AHK
   ; build "Str" is UTF-16, so non-ASCII names come back mis-decoded — likely the cause of the
   ; garbled names reported in the replies. A Unicode build should call GetModuleBaseNameW.
   e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
   DllCall("CloseHandle", "UInt", h)  ; close process handle to save memory
   if (n && e)  ; if image is not null add to list:
      l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)  ; unload the library to free memory
Sort, l, C  ; case-sensitive sort so both lists have the same order for the positional compare

; The file was created above, so the IfNotExist branch is never taken here; the else branch
; deletes the seeded file and writes the real list (the relative name resolves to A_WorkingDir).
IfNotExist %A_WorkingDir%\BaseLineProcess.txt
{
FileAppend, %l%, BaseLineProcess.txt
}
else
{
FileDelete, %A_WorkingDir%\BaseLineProcess.txt
FileAppend, %l%, BaseLineProcess.txt
}
}
; both branches end here: hand over to the comparison
Goto, match
}
;makes a compareing autoupdateing list to detect new prcesses opend
; Label "match": write the current process list to CompareProcess.txt, diff it against the
; baseline line by line, and terminate every listed process whose name is not in the baseline.
match:
; the comparison file is recreated from scratch on every run
FileDelete, %A_WorkingDir%\CompareProcess.txt
; clear the accumulated list before re-enumerating
l :=
loop, 1
{
; Same enumeration as in "once" (same privilege, UInt, index and encoding caveats);
; duplicated rather than shared.
d = `n  ; string separator
s := 4096  ; size of buffers and arrays (4 KB)

Process, Exist  ; sets ErrorLevel to the PID of this running script
; Get the handle of this script with PROCESS_QUERY_INFORMATION (0x0400)
h := DllCall("OpenProcess", "UInt", 0x0400, "Int", false, "UInt", ErrorLevel)
; Open an adjustable access token with this process (TOKEN_ADJUST_PRIVILEGES = 32)
DllCall("Advapi32.dll\OpenProcessToken", "UInt", h, "UInt", 32, "UIntP", t)
VarSetCapacity(ti, 16, 0)  ; structure of privileges
NumPut(1, ti, 0)  ; one entry in the privileges array...
; Retrieves the locally unique identifier of the debug privilege:
DllCall("Advapi32.dll\LookupPrivilegeValueA", "UInt", 0, "Str", "SeDebugPrivilege", "Int64P", luid)
NumPut(luid, ti, 4, "int64")
NumPut(2, ti, 12)  ; enable this privilege: SE_PRIVILEGE_ENABLED = 2
; Update the privileges of this process with the new access token:
DllCall("Advapi32.dll\AdjustTokenPrivileges", "UInt", t, "Int", false, "UInt", &ti, "UInt", 0, "UInt", 0, "UInt", 0)
DllCall("CloseHandle", "UInt", h)  ; close this process handle to save memory

hModule := DllCall("LoadLibrary", "Str", "Psapi.dll")  ; increase performance by preloading the libaray
s := VarSetCapacity(a, s)  ; an array that receives the list of process identifiers:
c := 0  ; counter for process idendifiers
DllCall("Psapi.dll\EnumProcesses", "UInt", &a, "UInt", s, "UIntP", r)
Loop, % r // 4  ; parse array for identifiers as DWORDs (32 bits):
{
   id := NumGet(a, A_Index * 4)
   ; Open process with: PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400)
   h := DllCall("OpenProcess", "UInt", 0x0010 | 0x0400, "Int", false, "UInt", id)
   VarSetCapacity(n, s, 0)  ; a buffer that receives the base name of the module:
   e := DllCall("Psapi.dll\GetModuleBaseNameA", "UInt", h, "UInt", 0, "Str", n, "UInt", s)
   DllCall("CloseHandle", "UInt", h)  ; close process handle to save memory
   if (n && e)  ; if image is not null add to list:
      l .= n . d, c++
}
DllCall("FreeLibrary", "UInt", hModule)  ; unload the library to free memory
Sort, l, C  ; case-sensitive sort so both lists have the same order for the positional compare
; the file was deleted at the top of this label, so this append always runs
IfNotExist %A_WorkingDir%\CompareProcess.txt
{
FileAppend, %l%, CompareProcess.txt
}

; Both files are read whole into the variables named 1 and 2 and compared as strings;
; when they are identical nothing happens and the label returns to the timer.
FileRead, 1, %A_WorkingDir%\BaseLineProcess.txt
FileRead, 2, %A_WorkingDir%\CompareProcess.txt

If 1 = %2%
{

}
; this section compares the baseline list to the comparing list to see if they are different;
; if they are, it finds the difference and terminates it
else
{
Path1=%A_WorkingDir%\BaseLineProcess.txt
Path2=%A_WorkingDir%\CompareProcess.txt

; Line-by-line diff adapted from "Text Compare v2". The options NoWhite and Mismatch are never
; assigned in this script, so the whitespace-insensitive and mismatch-reporting branches are
; dead code; doc is never assigned either, so the FileAppend to %doc% below has no target file.
; i and num6 are set but never used.
; match encodes where the two lines at the same index were found:
;   +2 = the baseline line (line1) is absent, or appears elsewhere in the current list
;   +1 = the current line (line2) is absent, or appears elsewhere in the baseline
; 3 = both accounted for -> continue; 2 = line2 names a process not in the baseline -> kill it.
; NOTE(review): match = 0 (neither line found in the other file) also means line2 is not in the
; baseline, yet nothing is terminated; the lists then stay different and the unconditional
; "Goto, match" after this loop re-runs the label immediately, without the 5 s timer pause.
Loop
{
 match=0
 FileReadLine, line1, %Path1%, %A_Index%
 Error1 := ErrorLevel
 FileReadLine, line2, %Path2%, %A_Index%
 Error2 := ErrorLevel
 If (Error1) AND (Error2)
  break
 If NoWhite
 {
  NW1 := RegExReplace(line1,"[`t ]+")
  NW2 := RegExReplace(line2,"[`t ]+")
  If (NW1 = NW2)
   continue
  If NW1=
   Error1=1
  If NW2=
   Error2=1
 }
 Else If (line1 = line2)
  continue
 If Error1
  match+=2
 If Error2
  match++
 ; whole files are loaded once, on the first differing line
 If file1=
 {
  FileRead, file1, %Path1%
  FileRead, file2, %Path2%
  If NoWhite
  {
   file1 := RegExReplace(file1,"[`t ]+")
   file2 := RegExReplace(file2,"[`t ]+")
  }
 }
 If Mismatch
 {
  num3=#
  num4=#
 }
 line1copy := NoWhite=1 ? NW1:line1
 line2copy := NoWhite=1 ? NW2:line2
 If Error2=0
  Loop, Parse, file1, `n,`r
   If (A_LoopField = line2copy)
   {
    match++
    num4 := A_Index
    break
   }
 If Error1=0
  Loop, Parse, file2, `n,`r
   If (A_LoopField = line1copy)
   {
    match+=2
    num3 := A_Index
    break
   }
 If (match = 3) AND !(Mismatch)
  continue
 i++
 num := A_Index
 If (Mismatch=1) AND (match != 3)
 {
  num5 := "/" num ":" num3
  num6 := "/" num ":" num4
 }
 ; line2 is a current process whose name is not in the baseline
   If match = 2
    {
   ; doc is empty, so this append writes nowhere useful
   FileAppend, Line %num%%num5%`r`n%A_Tab%Process>> %line2%`r`n, %doc%
    ; Terminate by image name, not by PID. With SeDebugPrivilege enabled this also reaches
    ; system processes; any service or program started after the baseline was taken is killed.
    ; ErrorLevel is not checked, so a failed termination goes unnoticed (and is still logged
    ; as terminated), and the lists then never converge — see the Goto below.
    Process, Close, %line2%
    FormatTime, Time, YYYYMMDDHH24MISS,
    ; The log records only the name and a timestamp: no PID, path, user or outcome.
    FileAppend, ----------------------------------------------------------------------------------------`n, %A_WorkingDir%\ProcessLOG.txt
    FileAppend, Process %line2% Was Detected and Terminateed On %Time%`n, %A_WorkingDir%\ProcessLOG.txt
    MsgBox,,, %line2% Was detetectd and terminated, 5
    }
}
 ; re-run immediately (not via the timer) until the two lists are identical
 Goto, match
}
return
}


stepansc2hots

Wow, that is impressive: a concise script that not only works but also has a GUI interface.