EduGeek.net Forums > Coding and Web Development > Group Project
18-01-2006, 03:09 PM, #16
RobC (Join Date: Jun 2005, Location: Elgin, Scotland, Posts: 365)
Re: Security Based Project Idea

Unfortunately, you do have to pay to access Expert's Exchange (unless there really is a free subscription hidden deep in the bowels of the site...).
18-01-2006, 07:08 PM, #17
mac_shinobi (Join Date: Aug 2005, Posts: 1,694)
Re: Security Based Project Idea

OK, I did a copy and paste; if you want, I can just save the page and zip it and upload it here if that's any better?

'---------------------------------

Title: Determine if running processes are valid or not?
asked by gecko_au2003 on 01/17/2006 09:08PM GMT
This question is worth 500 Points


What is the best way of listing all currently running processes and looping through each process to determine if it is a valid process or not, i.e. not a virus, trojan or malware, etc.?

As per here :

http://edugeek.net/index.php?name=Fo...&p=14754#14754



Comment from cookre
Date: 01/17/2006 09:52PM GMT

It's really not all that difficult, at least, what was described in the link.

It's fairly simple to enumerate processes and identify their original filenames for comparison against a white-list. Indeed, that's one feature of a package I'm currently developing, with the addition of optional version checking.

Now, identifying WHAT the rejected program is is a completely different problem.

Comment from gecko_au2003
Date: 01/17/2006 09:56PM GMT

Surely using file names isn't a good way of doing it; isn't there a digital signature or something that would be more foolproof?

Also, any chance of getting a finished app with source code, cookre? (Long shot, I know, lol.)

Comment from gecko_au2003
Date: 01/17/2006 10:09PM GMT

Had a better idea

Post it on that thread in that forum (which I am a part of), if that is OK with you, and that way you will get credit from all of them.

Must admit it would be nice to get a reference from you to say that I pointed ya there, lol, he he, but as always, cookre, all the help is VERY much appreciated!!

Thanks a bunch !!

Comment from cookre
Date: 01/17/2006 11:00PM GMT

That gets into the area of efficacy versus usability. Once you step beyond just a filename (with full path), maintenance becomes a bit of a pain. Just imagine all the hassles when upgrading a popular app.

Also, consider the sequence of events after an OS service pack is applied. Upon reboot, many upgraded dlls have to be allowed even before anyone can logon.

It'll be a day or two before I post it - I want to sanitize it first. Also, I'll post it here, and you can provide the folks there a link.

Comment from gecko_au2003
Date: 01/17/2006 11:04PM GMT

OK, thanks cookre (I will obviously give you full credit), since you are definitely due the credit!!

Comment from cookre
Date: 01/18/2006 02:00AM GMT

Well, in .NET it's rather anti-climactic:

using System;
using System.Diagnostics;
using System.Windows.Forms;

Process[] p = Process.GetProcesses();
for (int i = 0; i < p.Length; i++)
{
    // MainModule throws for protected system processes (and for ones that have exited).
    try { MessageBox.Show(p[i].MainModule.FileName); }
    catch (Exception) { }
}

The try/catch is there since some system process modules can't be enumerated.

This can be taken a step farther by using p[i].Modules to enumerate all loads made by the process.


Comment from cookre
Date: 01/18/2006 02:10AM GMT

Since MS has taken a lot of pizazz out of coding with .NET, we offer the old-fashioned API call approach:

#include "stdafx.h"      // Visual C++ precompiled header; drop this line outside Visual Studio
#include <windows.h>
#include <psapi.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#pragma comment(lib, "psapi.lib")   // EnumProcesses/EnumProcessModules are in psapi.lib

#define ExcessiveValue 4096

DWORD ProcList[ExcessiveValue];
HMODULE hMods[ExcessiveValue];

DWORD Needed;
DWORD NumProc;
HANDLE hProc;
DWORD i, j;
char ModName[MAX_PATH];

int main(int argc, char* argv[])
{
    /* Fill ProcList with the PID of every running process. */
    if (!EnumProcesses(ProcList, ExcessiveValue * sizeof(DWORD), &Needed))
    {
        printf("EnumProcesses failure %lu\n", GetLastError());
        return 1;
    }
    NumProc = Needed / sizeof(DWORD);
    for (i = 0; i < NumProc; i++)
    {
        /* System and protected processes refuse these access rights; skip them. */
        hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcList[i]);
        if (hProc == NULL) continue;
        printf("PID: %lu\n", ProcList[i]);
        /* Every module (the exe plus each DLL) mapped into the process, with its full path. */
        if (EnumProcessModules(hProc, hMods, sizeof(hMods), &Needed))
        {
            for (j = 0; j < (Needed / sizeof(HMODULE)); j++)
            {
                if (GetModuleFileNameExA(hProc, hMods[j], ModName, sizeof(ModName)))
                {
                    printf("  %s\n", ModName);
                }
            }
        }
        CloseHandle(hProc);
    }
    return 0;
}



Being a lazy SOB, I'll take C#.

'------------------------

Hope that helps
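Pulling the pasted discussion together, here is an added example written for this page; it is not code from the thread and not cookre's package. It enumerates processes the way cookre's C# snippet does, looks each main executable up in an allow-list keyed by full path, optionally enforces a minimum file version (his "optional version checking"), and, for gecko_au2003's digital-signature question, reads the Authenticode signer certificate. The policy entries, the `Entry`/`Verdict` names and the signer subjects are constructed assumptions, not real policy.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not cookre's package, not code from the thread): rate every running
// process's main executable against an allow-list using path, version and signer.
static class ProcessAllowList
{
    // Hypothetical policy record. A null MinVersion or SignerSubject disables that check.
    sealed class Entry
    {
        public string Path;
        public Version MinVersion;
        public string SignerSubject;
    }

    enum Verdict { Allowed, NotListed, VersionTooOld, Unsigned, UntrustedChain, WrongSigner, Inaccessible }

    // Constructed sample entries for illustration only.
    static readonly List<Entry> Policy = new List<Entry>
    {
        new Entry { Path = @"C:\Windows\explorer.exe",
                    SignerSubject = "O=Microsoft Corporation" },
        new Entry { Path = @"C:\Program Files\Example\app.exe",
                    MinVersion = new Version(2, 1, 0, 0) },
    };

    // Exact full-path match, case-insensitive (Windows paths), as cookre suggests.
    static Entry Lookup(string exePath)
    {
        string full = Path.GetFullPath(exePath);
        foreach (Entry e in Policy)
            if (string.Equals(full, e.Path, StringComparison.OrdinalIgnoreCase))
                return e;
        return null;
    }

    static Verdict Evaluate(string exePath)
    {
        Entry entry = Lookup(exePath);
        if (entry == null) return Verdict.NotListed;

        if (entry.MinVersion != null)
        {
            FileVersionInfo fvi = FileVersionInfo.GetVersionInfo(exePath);
            Version v = new Version(fvi.FileMajorPart, fvi.FileMinorPart,
                                    fvi.FileBuildPart, fvi.FilePrivatePart);
            if (v < entry.MinVersion) return Verdict.VersionTooOld;
        }

        if (entry.SignerSubject != null)
        {
            X509Certificate2 cert;
            try { cert = new X509Certificate2(X509Certificate.CreateFromSignedFile(exePath)); }
            catch (CryptographicException) { return Verdict.Unsigned; }
            // CreateFromSignedFile only extracts the embedded signer certificate; it does not
            // prove the signature covers this file. Verify() validates the certificate chain;
            // a complete file-signature check needs WinVerifyTrust, which is out of scope here.
            if (!cert.Verify()) return Verdict.UntrustedChain;
            if (cert.Subject.IndexOf(entry.SignerSubject, StringComparison.OrdinalIgnoreCase) < 0)
                return Verdict.WrongSigner;
        }
        return Verdict.Allowed;
    }

    // SHA-256 of the image on disk: a path-independent identity worth logging for an
    // unlisted process before deciding what it actually is.
    static string Sha256Of(string path)
    {
        try
        {
            using (SHA256 sha = SHA256.Create())
            using (FileStream fs = File.OpenRead(path))
                return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
        }
        catch (IOException) { return "unreadable"; }
        catch (UnauthorizedAccessException) { return "unreadable"; }
    }

    static void Main()
    {
        foreach (Process p in Process.GetProcesses())
        {
            string exePath;
            try { exePath = p.MainModule.FileName; }
            catch (Win32Exception)   // protected/system process, as cookre's try/catch covers
            {
                Console.WriteLine("{0,6} {1,-16} {2}", p.Id, p.ProcessName, Verdict.Inaccessible);
                continue;
            }
            catch (InvalidOperationException) { continue; }   // process exited meanwhile

            Verdict v = Evaluate(exePath);
            string hash = v == Verdict.NotListed ? " sha256=" + Sha256Of(exePath) : "";
            Console.WriteLine("{0,6} {1,-16} {2} {3}{4}", p.Id, p.ProcessName, v, exePath, hash);
        }
    }
}
```

Run it from an elevated console to get fewer `Inaccessible` rows. The signer check is deliberately partial: `CreateFromSignedFile` reads the certificate out of the PE but does not confirm the signature is valid over the file, so a production version would call `WinVerifyTrust`. The maintenance cost cookre describes is real: a path-plus-version policy has to be reissued after every service pack, and the SHA-256 column is what you would record for an unlisted process so the decision about it can be made later, offline.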
18-01-2006, 08:15 PM, #18
mac_shinobi (Join Date: Aug 2005, Posts: 1,694)
Re: Security Based Project Idea

With regards to free registration for Experts Exchange go here :

http://www.experts-exchange.com/registerFree2.jsp