Controller apps vs. other stuff

GOAL: To control the paths of execution (I.e. What AV and AS authors have only begun to notice.)

OK, I'm trying this. Using BASIC I'm writing an app for 9x/ME PCs -- the simple OSs -- to alert me to the files that can run, e.g. rundll.exe, rundll32.exe, user and user32, shell, shell32, exe's that can access the registry, win.com, command.com and DOS stuff, and a few ini's, etc., and display the "point of harmless or malicious business by these files" with an allow/deny option. It works OK, but I feel that many here could contribute enormously to similar projects. THERE IS STILL A NEED -- IMO -- FOR AVs -- rather be safe than sorry. But, I feel that AV and AS software should be integrated into the design of theses kinds of controller apps.

Good idea or not?

Dave

P.S. I'd give you a screenshot of a bad guy being stopped by the controller app, but my art SUX! Gimme time!

 

i don't quite understand what you mean... first, contrary to popular misconception, all files can run... second, it's not clear to me what the "point of harmless or malicious business by these files" is or means - it's just not clear to me what you're talking about...

 

BASIC, you mean batch/dos? I am interested to hear what you are doing. Please describe more.

Sul.

 

This is nice. MS QBASIC allaws you to run DOS in QBASIC. BTW QBASIC is on the 98 installation CD.

For 9x/ME OSs, files can run if and only if one of VERY few files runs alongside it. This is why many 2000/XP/Vista/Win 7 users say that 9x/ME is poor in RAM memory management. If a person wants to inject a dll into a 9x/ME system, then the dll has to be registered, using regsvr.exe or regsvr32.exe, which in turn calls at least on of user, user32, shell, shell32, rundll, rundll32, win.com, command com (which is found often in two or more places), etc. The QBASIC app rats out what's trying to run, to modify or to launch something specifieded in clear detail via the gui (which looks terrible). It's just a matter of seeing what's in upper mem, trying to get in upper mem, and asking if I want to do that. The DOS mem command has enough switches to allow QBASIC to keep an eye on that data. The other files allow one to monitor also what or how something is doing. If someone drops on my PC, e.g., a DOS file in a payload file, such as a backloader, I'm asked if I want BLA.EXE to install some crapware by title of the file.

Dave

 

This might be of interest to you.
http://sourceforge.net/projects/fatsec
I tried it in 2007. It's buggy and hasn't seen any development since late 2004 but the basic groundwork is there.

 

Wouldn't a HIPS do the same thing that you are trying to do?

 

dw2108, what you describe can be done with some hips.
There's also a nice program called vTask Studio (with low-level Win API access) that can be useful.
Anyway, interesting project! I'd like to see some screenshots

 

Hey, thanks to all for the input! Will try to get a screenshot after Angela reworks the most ugly gui in history.

Dave

 

Yes, except for the fact the OS is 9X. The only HIPS that supports 98/ME is the free version of SSM, and they appear to be done. Then again, SSM free is a finished product that works fine without vendor support. Not that important considering the OS involved isn't supported either.

DW,
I'd also be interested to see what you're building. This sounds like an improved version of the policy editors application control. I'm still very partial to using my 98 box whenever possible, which is most of the time.

 

I don't know how one would categorize this "toy," but the system resouces must always be low.

Dave