It monitors running processes, then suspends and terminates any process that is not on the whitelist. All base processes (those running at the time of the first run) are automatically added to the whitelist; anything appearing after that can be added via the "Ask for Whitelist" menu item or by editing the whitelist file manually. Enjoy.
Edit: Updated code - 12/13/17
Changed the WMI process-list code to jNizM's WTSEnumerateProcessesEx(), as its performance is much better, and changed the check time to 10ms.
Edit: Updated code - 4/4/18
Changed the way the log list updates. It no longer updates constantly; it only updates when you clear it or a new process is detected.
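;Process Mon and White List
; Auto-execute section: builds the menu and GUI, seeds Whitelist.txt with every process
; running at the very first start, then jumps into the Monitor loop (which never returns).
#NoTrayIcon
SetBatchLines, 10ms   ; let the script run ~10ms at a stretch before yielding the CPU (not a poll interval)
Menu, MainTimeoutMenu, Add, 5 Seconds , Timeout5
Menu, MainTimeoutMenu, Add, 10 Seconds, Timeout10
Menu, MainTimeoutMenu, Add, 15 Seconds, Timeout15
Menu, MainTimeoutMenu, Add, 20 Seconds, Timeout20
Menu, MainOptionMenu, Add, Yes, Whitelist
Menu, MainTheMenu, Add, &Ask for Whitelist, :MainOptionMenu
Menu, MainTheMenu, Add, &Timeout, :MainTimeoutMenu
Gui, Menu, MainTheMenu
Gui, Add, GroupBox, x12 y-1 w230 h210 , Logging
Gui, Add, Edit, +ReadOnly x22 y19 w210 h180 vProcLog
Gui, Add, Button, x20 y210 w210 h20 ,ClearLog
Gui, Show, w260 h240,Process Mon v2
White=0     ; 1 = ask before terminating an unknown process (toggled by the "Ask for Whitelist" menu)
Timeout=5   ; seconds the prompt waits before the answer is treated as "terminate"
SetWorkingDir %A_ScriptDir%
IfNotExist, %A_WorkingDir%\Whitelist.txt
{
    ; First run: trust every process that is running right now.
    ; Entries are bare image names (no path, no signature), so any binary that reuses a
    ; whitelisted name is trusted as well - keep that in mind when reading the log.
    ; The previous version trimmed one character off this list (it expected a leading comma
    ; that was never added) and so clipped the first process name. If an existing
    ; Whitelist.txt has a first entry missing its first letter, delete the file to regenerate it.
    Append :=
    for i, v in WTSEnumerateProcessesEx()
        Append .= v.ProcessName ","
    FileAppend, %Append%, %A_WorkingDir%\Whitelist.txt
}
Goto, Monitor
Return

Monitor:
; Main loop: snapshot the process table, compare every image name against Whitelist.txt
; (exact, case-insensitive match on the comma-separated list) and handle strangers:
; suspend them first so they cannot keep running while the user decides, then either
; resume+whitelist (Yes) or log+terminate (No, timeout, or prompting turned off).
Loop
{
    List :=
    for i, v in WTSEnumerateProcessesEx()
        List .= v.ProcessName ","
    FileRead, File1, %A_WorkingDir%\Whitelist.txt   ; re-read every pass so menu/manual additions take effect
    Loop, parse, List, `, ,%A_Space%%A_Tab%
    {
        Mon := A_LoopField
        if (Mon = "")          ; the trailing "," produces one empty field
            continue
        if Mon not in %File1%
        {
            if (White = 1)
            {
                ProcSus(Mon)   ; freeze it while the user decides
                ; 262148 = 4 (Yes/No buttons) + 262144 (always on top); %Timeout% seconds until auto-dismiss
                MsgBox, 262148,Notice,New Process Detected: %Mon% - Add to Whitelist?, %Timeout%
                IfMsgBox Yes
                {
                    ProcRes(Mon)
                    FileAppend, %Mon%`, , %A_WorkingDir%\Whitelist.txt
                }
                else
                {
                    ; "No" and the timeout both land here. The previous version handled Timeout
                    ; in its own block and then fell into the No branch too, logging and killing twice.
                    LogAndTerminate(Mon)
                }
            }
            else
                LogAndTerminate(Mon)
        }
    }
}
Return

LogAndTerminate(Name)
{
    ; Terminates the first process with this image name, records the outcome in
    ; MissMatch.txt and refreshes the log box. A kill that fails (no access, process
    ; already gone) is logged as such instead of being reported as "Terminated".
    Process, Close, %Name%
    Action := ErrorLevel ? "Terminated" : "Terminate failed"
    FormatTime, Date,, MM/dd hh:mm tt
    FileAppend,Process: %Name%`nDetected on %Date%`nAction: %Action%`n`n, %A_WorkingDir%\MissMatch.txt
    FileRead, Log, %A_WorkingDir%\MissMatch.txt
    GuiControl,, ProcLog, %Log%
}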
ButtonClearLog:
; "ClearLog" button: drop MissMatch.txt, then reload it (now absent, so empty) into the log box.
FileDelete, % A_WorkingDir "\MissMatch.txt"
FileRead, Log, % A_WorkingDir "\MissMatch.txt"
GuiControl,, ProcLog, % Log
return
Whitelist:
; Menu handler: flips the "ask before terminating" mode, mirrors it in the
; menu check mark and tells the user which state is now active.
White := !White
Menu, MainOptionMenu, ToggleCheck, Yes
if (White)
    MsgBox, Turned on
else
    MsgBox, Turned Off
return
; Timeout menu: all four items share one handler; the number of seconds is the
; digit suffix of the label that was invoked (Timeout5 .. Timeout20).
Timeout5:
Timeout10:
Timeout15:
Timeout20:
Timeout := SubStr(A_ThisLabel, 8)
return
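ProcSus(PID_or_Name)
{
    ; Suspends a process via NtSuspendProcess. Accepts a PID or an image name; a name
    ; (anything that is not an integer, so "System" works as well as "foo.exe") is
    ; resolved to the first matching PID with Process, Exist.
    ; Returns -1 if the process cannot be resolved or opened, otherwise the NTSTATUS
    ; returned by NtSuspendProcess (0 = success).
    if PID_or_Name is not integer
    {
        Process, Exist, %PID_or_Name%
        PID_or_Name := ErrorLevel   ; 0 when no such process
    }
    if (!PID_or_Name)
        Return -1
    ; Least privilege: PROCESS_SUSPEND_RESUME (0x0800) is all NtSuspendProcess needs;
    ; asking for PROCESS_ALL_ACCESS (0x1F0FFF) grants far more than is used and a
    ; narrower request is less likely to be refused. Handles are pointer-sized.
    if !(h := DllCall("OpenProcess", "UInt", 0x0800, "Int", 0, "UInt", PID_or_Name, "Ptr"))
        Return -1
    status := DllCall("ntdll.dll\NtSuspendProcess", "Ptr", h, "Int")
    DllCall("CloseHandle", "Ptr", h)
    Return status
}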
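ProcRes(PID_or_Name)
{
    ; Resumes a process previously frozen with ProcSus (NtResumeProcess). Accepts a PID
    ; or an image name; a name (anything that is not an integer) is resolved to the
    ; first matching PID with Process, Exist.
    ; Returns -1 if the process cannot be resolved or opened, otherwise the NTSTATUS
    ; returned by NtResumeProcess (0 = success).
    if PID_or_Name is not integer
    {
        Process, Exist, %PID_or_Name%
        PID_or_Name := ErrorLevel   ; 0 when no such process
    }
    if (!PID_or_Name)
        Return -1
    ; Least privilege: PROCESS_SUSPEND_RESUME (0x0800) is all NtResumeProcess needs;
    ; the former PROCESS_ALL_ACCESS (0x1F0FFF) request granted far more than is used.
    if !(h := DllCall("OpenProcess", "UInt", 0x0800, "Int", 0, "UInt", PID_or_Name, "Ptr"))
        Return -1
    status := DllCall("ntdll.dll\NtResumeProcess", "Ptr", h, "Int")
    DllCall("CloseHandle", "Ptr", h)
    Return status
}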
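WTSEnumerateProcessesEx()
{
    ; Enumerates every process in every session (session id -2 = WTS_ANY_SESSION) through
    ; wtsapi32, which is considerably faster than a WMI query.
    ; Returns an array of objects keyed SessionID, ProcessID, ProcessName and UserSID.
    ; "ProsessID" (the historical misspelling) is kept as an alias so existing callers still work.
    ; Throws an Exception if the enumeration or the buffer release fails.
    ; Keep wtsapi32 loaded for the script's lifetime so the repeated DllCalls need not reload it.
    static hWTSAPI := DllCall("LoadLibrary", "str", "wtsapi32.dll", "ptr")
    ; Level 0 selects the layout read below: uint SessionId, uint ProcessId, ptr ProcessName, ptr UserSid.
    if !(DllCall("wtsapi32\WTSEnumerateProcessesEx", "ptr", 0, "uint*", 0, "uint", -2, "ptr*", buf, "uint*", TTL))
        throw Exception("WTSEnumerateProcessesEx failed", -1)
    addr := buf, WTS_PROCESS_INFO := []
    loop % TTL
    {
        WTS_PROCESS_INFO[A_Index, "SessionID"]   := NumGet(addr+0, "uint")
        WTS_PROCESS_INFO[A_Index, "ProcessID"]   := NumGet(addr+4, "uint")
        WTS_PROCESS_INFO[A_Index, "ProsessID"]   := WTS_PROCESS_INFO[A_Index, "ProcessID"]
        WTS_PROCESS_INFO[A_Index, "ProcessName"] := StrGet(NumGet(addr+8, "ptr"))
        ; NOTE: this is a raw pointer into the API buffer that WTSFreeMemoryEx releases below,
        ; so it is only meaningful inside this function; copy the SID out before returning
        ; if a caller ever needs it.
        WTS_PROCESS_INFO[A_Index, "UserSID"]     := NumGet(addr+8+A_PtrSize, "ptr")
        addr += 8 + (A_PtrSize * 2)   ; record size: two uints plus two pointers
    }
    if !(DllCall("wtsapi32\WTSFreeMemoryEx", "int", 0, "ptr", buf, "uint", TTL))
        throw Exception("WTSFreeMemoryEx failed", -1)
    return WTS_PROCESS_INFO
}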
GuiClose:
; Closing the window stops the monitor entirely.
ExitApp