Unfortunately, you do have to pay to access Expert's Exchange (unless there really is a free subscription hidden deep in the bowels of the site...).
OK, I did a copy and paste; if you want I can just save the page and zip it and upload it here if that's any better?
'---------------------------------
Title: Determine if running processes are valid or not ?
asked by gecko_au2003 on 01/17/2006 09:08PM GMT
This question is worth 500 Points
What is the best way of listing all currently running processes and looping through each process to determine if it is a valid process or not, i.e. not a virus, trojan or malware etc.?
As per here:
http://edugeek.net/index.php?name=Fo...&p=14754#14754
Comment from cookre
Date: 01/17/2006 09:52PM GMT
It's really not all that difficult, at least, what was described in the link.
It's fairly simple to enumerate processes and identify their original filenames for comparison against a white-list. Indeed, that's one feature of a package I'm currently developing, with the addition of optional version checking.
Now, identifying WHAT the rejected program is is a completely different problem.
Comment from gecko_au2003
Date: 01/17/2006 09:56PM GMT
Surely using file names isn't a good way of doing it; isn't there a digital signature or something that would be more foolproof?
Also any chance of getting a finished app with source code cookre? (long shot I know lol)
Comment from gecko_au2003
Date: 01/17/2006 10:09PM GMT
Had a better idea
Post it on that thread in that forum (which I am a part of) if that is ok with you, and that way you will get credit from all of them.
Must admit it would be nice to get a reference from you to say that I pointed ya there lol he he, but as always cookre all the help is VERY much appreciated!!
Thanks a bunch !!
Comment from cookre
Date: 01/17/2006 11:00PM GMT
That gets into the area of efficacy versus usability. Once you step beyond just a filename (with full path), maintenance becomes a bit of a pain. Just imagine all the hassles when upgrading a popular app.
Also, consider the sequence of events after an OS service pack is applied. Upon reboot, many upgraded DLLs have to be allowed even before anyone can log on.
It'll be a day or two before I post it - I want to sanitize it first. Also, I'll post it here, and you can provide the folks there a link.
Comment from gecko_au2003
Date: 01/17/2006 11:04PM GMT
OK thanks cookre (I will obviously give you full credit) since you are definitely due the credit!!
Comment from cookre
Date: 01/18/2006 02:00AM GMT
Well, in .NET it's rather anti-climactic:
using System.Diagnostics;    // Process
using System.Windows.Forms;  // MessageBox
Process[] p = Process.GetProcesses();
for (int i = 0; i < p.Length; i++)
{
    // MainModule throws for processes we lack the rights to query
    try { MessageBox.Show(p[i].MainModule.FileName); }
    catch (Exception excp) { }
}
The try/catch is there since some system process modules can't be enumerated.
This can be taken a step farther by using p[i].Modules to enumerate all loads made by the process.
Comment from cookre
Date: 01/18/2006 02:10AM GMT
Since MS has taken a lot of pizazz out of coding with .NET, we offer the old-fashioned API call approach:
#include "stdafx.h"   /* Visual C++ precompiled header; drop if not using one */
#include <windows.h>
#include <psapi.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "psapi.lib")   /* EnumProcesses and friends live in psapi */

#define ExcessiveValue 4096         /* more slots than we expect processes/modules */

DWORD   ProcList[ExcessiveValue];   /* PIDs returned by EnumProcesses */
HMODULE hMods[ExcessiveValue];      /* module handles of one process */
DWORD   Needed;                     /* bytes actually written by the enumerators */
DWORD   NumProc;
HANDLE  hProc;
DWORD   i, j;
char    ModName[MAX_PATH];

int main(int argc, char* argv[])
{
    /* Fill ProcList with every PID; Needed tells us how many bytes were used */
    if (!EnumProcesses(ProcList, ExcessiveValue * sizeof(DWORD), &Needed))
    {
        printf("EnumProcesses failure %lu\n", GetLastError());
        return 1;
    }
    NumProc = Needed / sizeof(DWORD);

    for (i = 0; i < NumProc; i++)
    {
        /* QUERY_INFORMATION + VM_READ are what the PSAPI module calls require;
           protected/system processes will refuse us, so just skip those */
        hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcList[i]);
        if (hProc == NULL) continue;
        printf("PID: %lu\n", ProcList[i]);

        /* First module is the executable itself, the rest are its loaded DLLs */
        if (EnumProcessModules(hProc, hMods, sizeof(hMods), &Needed))
        {
            for (j = 0; j < (Needed / sizeof(HMODULE)); j++)
            {
                if (GetModuleFileNameEx(hProc, hMods[j], ModName, sizeof(ModName)))
                {
                    printf("    %s\n", ModName);
                }
            }
        }
        CloseHandle(hProc);
    }
    return 0;
}
Being a lazy SOB, I'll take c#.
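The two listings above only print module paths; the comparison against a white-list is left to the reader, and gecko's point that a bare filename is easy to spoof is not addressed. The following is an added example, not cookre's code or anything from his package, that takes the .NET enumeration a step further: each process's main module is looked up in an allowlist keyed by full path, and entries may optionally carry a SHA-256 of the file so a replaced binary under a familiar name is flagged as well. The allowlist contents and the hash value are constructed placeholders. Note what it does not do: hashing the file on disk is not Authenticode signature verification (that needs WinVerifyTrust), and it only tells you the on-disk image matched at check time.

```csharp
// Added example (not from the original thread): allowlist check over running processes.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;

class ProcessAllowlist
{
    // Constructed sample allowlist: full path -> expected SHA-256 (lower-case hex),
    // or null when only the full path is checked (cookre's filename approach).
    static readonly Dictionary<string, string> Allow =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        { @"C:\Windows\explorer.exe", null },
        { @"C:\Windows\System32\svchost.exe", null },
        // hypothetical entry: a third-party app pinned to one exact build
        { @"C:\Program Files\ExampleApp\app.exe", "PLACEHOLDER_SHA256_HEX" },
    };

    static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
        {
            byte[] digest = sha.ComputeHash(fs);
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Verdict for one process: "allowed", "hash-mismatch", "unlisted" or "inaccessible".
    static string Classify(Process p)
    {
        string path;
        try
        {
            path = p.MainModule.FileName;
        }
        catch (Win32Exception)
        {
            // Access denied (protected/system process), or a 32-bit checker
            // looking at a 64-bit process. Either way we learned nothing.
            return "inaccessible";
        }
        catch (InvalidOperationException)
        {
            // Process exited between GetProcesses() and this call.
            return "inaccessible";
        }

        string expectedHash;
        if (!Allow.TryGetValue(path, out expectedHash))
            return "unlisted";
        if (expectedHash == null)
            return "allowed";           // path-only entry, as in the original approach

        try
        {
            return Sha256Hex(path) == expectedHash ? "allowed" : "hash-mismatch";
        }
        catch (IOException)              { return "inaccessible"; }
        catch (UnauthorizedAccessException) { return "inaccessible"; }
    }

    static void Main()
    {
        int inaccessible = 0;
        foreach (Process p in Process.GetProcesses())
        {
            string verdict = Classify(p);
            if (verdict == "inaccessible") inaccessible++;
            Console.WriteLine("{0,6} {1,-14} {2}", p.Id, verdict, p.ProcessName);
        }
        // Report the blind spots rather than swallowing them as the bare try/catch does:
        // a check that silently skips processes has quietly lost coverage.
        Console.WriteLine("{0} process(es) could not be inspected; run elevated for full coverage.", inaccessible);
    }
}
```

Run it from an elevated prompt, and as a build of the same bitness as the OS, otherwise most of what it cannot see is exactly the part you care about. The "unlisted" and "hash-mismatch" verdicts are the ones worth alerting on; the maintenance cost cookre describes (every app upgrade changes the hash) is why hashed entries are best reserved for the handful of binaries you really want pinned, with path-only entries for the rest.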
'------------------------
Hope that helps!
With regards to free registration for Experts Exchange go here:
http://www.experts-exchange.com/registerFree2.jsp