
Process Monitor & Whitelist

Posted: 13 Dec 2017, 03:19
by Xatmo97
Hello all. I don't remember if I've posted this one before, but this is the most recent work on this.

It monitors the processes, then suspends and terminates any process that is not on the whitelist. All base processes (currently running processes) are automatically added to the whitelist on the first run; anything after that can be added via the Ask for Whitelist menu item or by manually adding it in. Enjoy.

Edit: Updated code - 12/13/17
Changed the WMI process list code to jNizM's WTSEnumerateProcessesEx(), as its performance is much better, and changed the check time to 10ms.
Edit: Updated code - 4/4/18
Changed the way the log list updates. It no longer constantly updates; rather, it only updates when you clear it or it detects a new process.

Code:

;Process Mon and White List
#NoTrayIcon
SetBatchLines, 10ms
Menu, MainTimeoutMenu, Add, 5 Seconds , Timeout5
Menu, MainTimeoutMenu, Add, 10 Seconds, Timeout10
Menu, MainTimeoutMenu, Add, 15 Seconds, Timeout15
Menu, MainTimeoutMenu, Add, 20 Seconds, Timeout20
Menu, MainOptionMenu, Add, Yes, Whitelist
Menu, MainTheMenu, Add, &Ask for Whitelist, :MainOptionMenu
Menu, MainTheMenu, Add, &Timeout, :MainTimeoutMenu
Gui, Menu, MainTheMenu

Gui, Add, GroupBox, x12 y-1 w230 h210 , Logging
Gui, Add, Edit, +ReadOnly x22 y19 w210 h180 vProcLog
Gui, Add, Button, x20 y210 w210 h20 ,ClearLog
Gui, Show, w260 h240,Process Mon v2
White=0
Timeout=5

SetWorkingDir %A_ScriptDir%
; First run: every process running right now becomes the baseline whitelist.
; Entries are bare image names (e.g. "notepad.exe"), so matching is by name only, not by path or hash.
IfNotExist, %A_WorkingDir%\Whitelist.txt
{
    for i, v in WTSEnumerateProcessesEx()
        Append .= v.ProcessName ","
    FileAppend, %Append%, %A_WorkingDir%\Whitelist.txt
}
Goto, Monitor

Monitor:
Loop
{
    ; Re-read the whitelist every pass so an entry added via the prompt takes effect at once.
    FileRead, File1, %A_WorkingDir%\Whitelist.txt
    for i, v in WTSEnumerateProcessesEx()
    {
        Mon := v.ProcessName
        If (Mon = "")
            continue
        if Mon in %File1%
            continue
        If (White = 1)
        {
            ; Freeze the process before asking, so it runs nothing while the prompt is up.
            ProcSus(Mon)
            MsgBox, 262148, Notice, New Process Detected: %Mon% - Add to Whitelist?, %Timeout%
            IfMsgBox Yes
            {
                ProcRes(Mon)
                FileAppend, %Mon%`,, %A_WorkingDir%\Whitelist.txt
                continue
            }
            ; "No" and a timeout both fall through to termination (logged once, not twice).
        }
        FormatTime, Date,, MM/dd hh:mm tt
        FileAppend, Process: %Mon%`nDetected on %Date%`nAction: Terminated`n`n, %A_WorkingDir%\MissMatch.txt
        FileRead, Log, %A_WorkingDir%\MissMatch.txt
        GuiControl,, ProcLog, %Log%
        Process, Close, %Mon%
    }
    Sleep, 10
}
Return

ButtonClearLog:
FileDelete, %A_WorkingDir%\MissMatch.txt
GuiControl,, ProcLog
return

Whitelist:
If White = 1
{
White = 0
Menu, MainOptionMenu, ToggleCheck, Yes
MsgBox, Turned Off
}
else
{
White=1
Menu, MainOptionMenu, ToggleCheck, Yes
MsgBox, Turned on
}
return

Timeout5:
Timeout=5
return

Timeout10:
Timeout=10
return

Timeout15:
Timeout=15
return

Timeout20:
Timeout=20
return

ProcSus(PID_or_Name)
{
	; Accepts a PID or an image name; a name is resolved to the first matching PID.
	If PID_or_Name is not integer
	{
		Process, Exist, %PID_or_Name%
		PID_or_Name := ErrorLevel
	}
	; PROCESS_SUSPEND_RESUME (0x0800) is all NtSuspendProcess needs; no PROCESS_ALL_ACCESS.
	If !(h := DllCall("OpenProcess", "UInt", 0x0800, "Int", 0, "UInt", PID_or_Name, "Ptr"))
		Return -1
	status := DllCall("ntdll.dll\NtSuspendProcess", "Ptr", h, "Int")
	DllCall("CloseHandle", "Ptr", h)
	Return status   ; NTSTATUS: 0 on success
}
ProcRes(PID_or_Name)
{
	If PID_or_Name is not integer
	{
		Process, Exist, %PID_or_Name%
		PID_or_Name := ErrorLevel
	}
	If !(h := DllCall("OpenProcess", "UInt", 0x0800, "Int", 0, "UInt", PID_or_Name, "Ptr"))
		Return -1
	status := DllCall("ntdll.dll\NtResumeProcess", "Ptr", h, "Int")
	DllCall("CloseHandle", "Ptr", h)
	Return status
}

WTSEnumerateProcessesEx()
{
    static hWTSAPI := DllCall("LoadLibrary", "str", "wtsapi32.dll", "ptr")

    if !(DllCall("wtsapi32\WTSEnumerateProcessesEx", "ptr", 0, "uint*", 0, "uint", -2, "ptr*", buf, "uint*", TTL))
        throw Exception("WTSEnumerateProcessesEx failed", -1)
    addr := buf, WTS_PROCESS_INFO := []
    loop % TTL
    {
        WTS_PROCESS_INFO[A_Index, "SessionID"]   := NumGet(addr+0, "uint")
        WTS_PROCESS_INFO[A_Index, "ProcessID"]   := NumGet(addr+4, "uint")
        WTS_PROCESS_INFO[A_Index, "ProcessName"] := StrGet(NumGet(addr+8, "ptr"))
        WTS_PROCESS_INFO[A_Index, "UserSID"]     := NumGet(addr+8+A_PtrSize, "ptr")
        addr += 8 + (A_PtrSize * 2)
    }
    if !(DllCall("wtsapi32\WTSFreeMemoryEx", "int", 0, "ptr", buf, "uint", TTL))
        throw Exception("WTSFreeMemoryEx failed", -1)
    return WTS_PROCESS_INFO
}

GuiClose:
ExitApp
return
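The script keys its whitelist on the bare image name, and a new process keeps running while it is checked. The following is an added example in PowerShell, not the thread's code and not a drop-in replacement for the AHK script: the same polling design, but a new process is suspended before it is inspected, and an allow-list entry is the full image path plus the SHA-256 of the file on disk. It assumes an elevated Windows PowerShell 5.1 or later session; Allowlist.csv (columns Path,Sha256) and MissMatch.txt are file names chosen for the example, NativeProc is the example's own P/Invoke wrapper, and the interactive "Ask for Whitelist" mode is not reproduced (unknown means terminate).

```powershell
# Added example, not the thread's script: allow-list keyed on full image path + SHA-256, suspend-before-inspect.
# Assumptions: elevated Windows PowerShell 5.1 or later; Allowlist.csv (columns Path,Sha256) and
# MissMatch.txt beside the script. NativeProc is this example's own P/Invoke wrapper.
if (-not ('NativeProc' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class NativeProc {
    // Least privilege: these two rights are all the calls below need; no PROCESS_ALL_ACCESS.
    const uint PROCESS_SUSPEND_RESUME            = 0x0800;
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder exe, ref uint size);
    [DllImport("ntdll.dll")] static extern int NtSuspendProcess(IntPtr h);
    [DllImport("ntdll.dll")] static extern int NtResumeProcess(IntPtr h);

    static bool WithHandle(int pid, uint access, Func<IntPtr, bool> f) {
        IntPtr h = OpenProcess(access, false, pid);
        if (h == IntPtr.Zero) return false;            // no rights (protected/system process) or already gone
        try { return f(h); } finally { CloseHandle(h); }
    }
    public static bool Suspend(int pid) { return WithHandle(pid, PROCESS_SUSPEND_RESUME, h => NtSuspendProcess(h) == 0); }
    public static bool Resume(int pid)  { return WithHandle(pid, PROCESS_SUSPEND_RESUME, h => NtResumeProcess(h) == 0); }
    public static string ImagePath(int pid) {
        // Kernel-side image name: works on a just-started, suspended process whose loader has not run yet,
        // where Get-Process .Path / MainModule can fail.
        string path = null;
        WithHandle(pid, PROCESS_QUERY_LIMITED_INFORMATION, h => {
            var sb = new StringBuilder(1024); uint n = (uint)sb.Capacity;
            if (QueryFullProcessImageName(h, 0, sb, ref n)) path = sb.ToString();
            return true;
        });
        return path;
    }
}
'@
}

$base          = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$AllowlistFile = Join-Path $base 'Allowlist.csv'
$LogFile       = Join-Path $base 'MissMatch.txt'

function Get-ImageIdentity([int]$ProcessId) {
    $path = [NativeProc]::ImagePath($ProcessId)
    if (-not $path) { return $null }
    try { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } catch { return $null }
    [pscustomobject]@{ Pid = $ProcessId; Path = $path; Sha256 = $hash }
}

function Test-Allowed($Identity, $Allowlist) {
    # A renamed copy keeps its image name but not its path; a replaced binary keeps its path but not its hash.
    foreach ($e in $Allowlist) {
        if ($e.Path -eq $Identity.Path -and $e.Sha256 -eq $Identity.Sha256) { return $true }
    }
    return $false
}

# First run: like the AHK script, trust whatever is running now, but record path + hash rather than the bare name.
if (-not (Test-Path -LiteralPath $AllowlistFile)) {
    Get-Process | ForEach-Object { Get-ImageIdentity $_.Id } | Where-Object { $_ } |
        Select-Object Path, Sha256 -Unique | Export-Csv -LiteralPath $AllowlistFile -NoTypeInformation
}
$allow = @(Import-Csv -LiteralPath $AllowlistFile)
$known = @{}
Get-Process | ForEach-Object { $known[$_.Id] = $true }

while ($true) {
    $now = @{}
    foreach ($p in Get-Process) {
        $now[$p.Id] = $true
        if ($known.ContainsKey($p.Id)) { continue }
        # Freeze first, then inspect: the process executes nothing while it is hashed and judged.
        # Processes we cannot open (protected/system) are left alone; the AHK script has the same limit.
        if (-not [NativeProc]::Suspend($p.Id)) { continue }
        $id = Get-ImageIdentity $p.Id
        if ($id -and (Test-Allowed $id $allow)) { [NativeProc]::Resume($p.Id) | Out-Null; continue }
        $what = if ($id) { "path=$($id.Path) sha256=$($id.Sha256)" } else { "name=$($p.ProcessName) (image not readable)" }
        Add-Content -LiteralPath $LogFile -Value ("{0} pid={1} {2} action=terminated" -f (Get-Date -Format 'MM/dd HH:mm:ss'), $p.Id, $what)
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue   # by PID, never by name, so no same-named sibling is hit
    }
    $known = $now    # PIDs are recycled: track the live set, not every PID ever seen
    Start-Sleep -Milliseconds 10
}
```

Run it once to seed Allowlist.csv from the running set, then leave it running. Suspend and ImagePath open the target with only PROCESS_SUSPEND_RESUME and PROCESS_QUERY_LIMITED_INFORMATION, so the loop can inspect most processes without PROCESS_ALL_ACCESS; the ones it cannot open are skipped, as they would be in the AHK version. The check still happens after the process has started, and hashing the file on disk is a point-in-time check of that file, so this narrows the window the thread discusses rather than closing it.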

Re: Process Monitor & Whitelist

Posted: 13 Dec 2017, 09:09
by wyagd
Thanks, but I want to use a blacklist.

Re: Process Monitor & Whitelist

Posted: 13 Dec 2017, 19:30
by Xatmo97
@wyagd Edited and added blacklist code for you.

Re: Process Monitor & Whitelist

Posted: 16 Dec 2017, 02:27
by brutus_skywalker
At the very least, add the option to whitelist all currently running processes, providing a prompt to whitelist a newly created process.

And perhaps when killing an illicit process, kill all its children as well... that sounded so horrible...

Code:

KillProc_Children(ParentPidOrExe){
	static Processes, i
	ParentPID:=","
	; Query WMI once for the whole recursion; the static depth counter i releases the snapshot at the end.
	If !(Processes)
		Processes:=ComObjGet("winmgmts:").ExecQuery("Select * from Win32_Process")
	i++
	; Collect every PID whose image name or PID matches the argument.
	for Process in Processes
		If (Process.Name=ParentPidOrExe || Process.ProcessID=ParentPidOrExe)
			ParentPID.=Process.ProcessID ","
	; For each direct child: kill its own subtree first, then the child itself.
	for Process in Processes
		If InStr(ParentPID,"," Process.ParentProcessId ","){
			KillProc_Children(Process.ProcessID)
			Process,Close,% Process.ProcessID
		}
	i--
	If !i
		Processes:=""
}
Alternatively, just use taskkill; it's more reliable. I find the above script tends to suspend processes at times instead of killing them.

Code:

taskkill /f /im %pid_exe% /T
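The parent/child walk above relies on Win32_Process.ParentProcessId, which is a number recorded at creation, not a live link: once the real parent exits, Windows can hand its PID to an unrelated new process, and a naive walk then kills a stranger. The following is an added example in PowerShell, not code from the thread, that does the same tree walk over one WMI snapshot and uses CreationDate to reject a "child" that is older than the process its ParentProcessId points at. The function name and the -DryRun switch are the example's own choices.

```powershell
function Stop-ProcessTree {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$ProcessId, [switch]$DryRun)

    # One snapshot for the whole walk. ParentProcessId is a number recorded at creation, not a live
    # link: after the real parent exits, Windows can hand that PID to an unrelated new process.
    $all   = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    if (-not $byPid.ContainsKey($ProcessId)) { return @() }

    $order   = New-Object 'System.Collections.Generic.List[int]'
    $queue   = New-Object 'System.Collections.Generic.Queue[int]'
    $visited = @{}
    $queue.Enqueue($ProcessId)
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        if ($visited.ContainsKey($cur)) { continue }
        $visited[$cur] = $true
        $order.Add($cur)
        $parent = $byPid[$cur]
        foreach ($c in $all) {
            if ([int]$c.ParentProcessId -ne $cur) { continue }
            # A "child" older than its parent is pointing at a recycled PID; it is not part of this tree.
            if ($c.CreationDate -and $parent.CreationDate -and $c.CreationDate -lt $parent.CreationDate) { continue }
            $queue.Enqueue([int]$c.ProcessId)
        }
    }
    # Root first: a dead parent cannot respawn its children. Orphans do not exit on their own on
    # Windows, so the children are then stopped from the snapshot by PID.
    $kill = $order.ToArray()
    if (-not $DryRun) {
        foreach ($k in $kill) { Stop-Process -Id $k -Force -ErrorAction SilentlyContinue }
    }
    return $kill
}
# Stop-ProcessTree -ProcessId 1234 -DryRun    # list the tree's PIDs (root first) without stopping anything
```

Use -DryRun first to see what the walk selects; a watchdog-style parent that respawns its children is the case where root-first ordering matters. The snapshot is taken once, so a process that exits and has its PID recycled between the query and the Stop-Process call is the residual risk, which taskkill /T shares.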

Re: Process Monitor & Whitelist

Posted: 16 Dec 2017, 07:55
by Xatmo97
When you first run the program it will make all currently running processes already whitelisted, and the menu option Ask for Whitelist will ask you if you want to whitelist a newly detected process. Also, I switched away from winmgmts, as when you add it in loops of 1 sec or more it can consume too much CPU. Well, 4% CPU is not too much, but I like it with the new one I did, as it uses not even 0.5% of my CPU now xD

Don't forget to run it as admin, as that can cause odd things if you don't, like suspending processes and not being able to terminate them lol

Re: Process Monitor & Whitelist

Posted: 17 Dec 2017, 06:44
by brutus_skywalker
Neat. BTW, if you just use SetBatchLines, 1 you can still have low CPU usage without using Sleep anywhere; it sleeps 10ms after every line. Cheers.

Re: Process Monitor & Whitelist

Posted: 19 Dec 2017, 12:03
by SOTE
Very nice! On the whitelist vs blacklist, I think people will need both to accomplish what the intended goal appears to be. Anything unknown would then be given 4 options: ask you, put it in an unknown list and allow it to run for only X amount of time, automatically whitelist, or automatically blacklist.

An unknown list would function like quarantine. If you have a group of processes that you don't know about, you might want to allow them temporarily until you get a chance to look them up, or have the script check various designated whitelist or blacklist databases on the Internet. Of course, if you are more cautious or concerned, then automatically blacklist them.

Re: Process Monitor & Whitelist

Posted: 20 Dec 2017, 12:32
by Yolanda Venga
I love this script! How do I make sure that the program never loads before I can approve it? Sometimes (not often) a program will load right before the question appears asking if I should allow it.
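The gap described in the post above is inherent in polling: a process that starts and finishes between two enumerations is never seen, and one that starts just after a pass runs until the next pass. As an added example in PowerShell, not code from the thread, the following subscribes to WMI's Win32_ProcessStartTrace event (ETW-backed, raised once per process creation) so the check runs on every start rather than on a 10ms timer. It needs an elevated session; the ProcStartWatch identifier and the log file name are the example's own, and the allow-list is kept to image names to keep the example about the trigger (pair it with a path-and-hash check in practice). The process has still been created by the time the handler runs; only a kernel enforcement policy such as AppLocker or WDAC can block execution before that point.

```powershell
# Event-driven detection: Win32_ProcessStartTrace fires once per process creation, so nothing
# short-lived slips between polls. Elevated session required. Added example, not the thread's script.
function Start-ProcessStartWatch {
    param(
        [Parameter(Mandatory)][string[]]$AllowedNames,             # image names, e.g. 'notepad.exe'
        [string]$LogFile = (Join-Path $PWD 'MissMatch.txt')        # example file name
    )
    if (Get-EventSubscriber -SourceIdentifier ProcStartWatch -ErrorAction SilentlyContinue) { return }
    $data = @{ Allowed = $AllowedNames; Log = $LogFile }
    Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier ProcStartWatch -MessageData $data -Action {
        $e = $Event.SourceEventArgs.NewEvent   # ProcessName, ProcessID, ParentProcessID, SessionID
        $d = $Event.MessageData
        if ($d.Allowed -contains $e.ProcessName) { return }
        # The process already exists when this runs; Stop-Process ends it, it does not prevent it.
        Stop-Process -Id $e.ProcessID -Force -ErrorAction SilentlyContinue
        Add-Content -LiteralPath $d.Log -Value ("{0} pid={1} parent={2} name={3} action=terminated" -f `
            (Get-Date -Format 'MM/dd HH:mm:ss'), $e.ProcessID, $e.ParentProcessID, $e.ProcessName)
    } | Out-Null
}
function Stop-ProcessStartWatch {
    Unregister-Event -SourceIdentifier ProcStartWatch -ErrorAction SilentlyContinue
}

# Seed the allow-list from what is running now, mirroring the script's first run, then watch:
# Start-ProcessStartWatch -AllowedNames (Get-Process | ForEach-Object { "$($_.ProcessName).exe" } | Sort-Object -Unique)
# ... later: Stop-ProcessStartWatch
```

The -Action block runs in the session that registered it, so the session has to stay open (a script that exits unregisters nothing useful). Because the event carries ParentProcessID, the log line also records which process launched the blocked one, which the polling version cannot tell you.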

Re: Process Monitor & Whitelist

Posted: 20 Dec 2017, 14:23
by gamergames
Please add a feature that lets me get an alert every time a program loads, even if it's on the whitelist. Sometimes I approve programs but would like to monitor every time they launch in the background. Just to get an alert that I can click OK and it goes away.

I only want this for a select few programs that I trust but want to keep an eye on.

Anyone have ideas on how to add this to this awesome script?

Re: Process Monitor & Whitelist

Posted: 26 Dec 2017, 04:59
by elModo7
Excellent! thanks for sharing! :)

Re: Process Monitor & Whitelist

Posted: 26 Dec 2017, 15:46
by Xatmo97
Great suggestions @yolanda venga. I've changed the check time to 10ms; it should now close processes much faster.