Controller apps vs. other stuff

Discussion in 'other anti-malware software' started by dw2108, Feb 13, 2009.

Thread Status:
Not open for further replies.
  1. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    GOAL: To control the paths of execution (I.e. What AV and AS authors have only begun to notice.)

    OK, I'm trying this. Using BASIC I'm writing an app for 9x/ME PCs -- the simple OSs -- to alert me to the files that can run, e.g. rundll.exe, rundll32.exe, user and user32, shell, shell32, exe's that can access the registry, win.com, command.com and DOS stuff, and a few ini's, etc., and display the "point of harmless or malicious business by these files" with an allow/deny option. It works OK, but I feel that many here could contribute enormously to similar projects. THERE IS STILL A NEED -- IMO -- FOR AVs -- rather be safe than sorry. But, I feel that AV and AS software should be integrated into the design of these kinds of controller apps.

    Good idea or not?

    Dave

    P.S. I'd give you a screenshot of a bad guy being stopped by the controller app, but my art SUX! Gimme time!
     
  2. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i don't quite understand what you mean... first, contrary to popular misconception, all files can run... second, it's not clear to me what the "point of harmless or malicious business by these files" is or means - it's just not clear to me what you're talking about...
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    BASIC, you mean batch/dos? I am interested to hear what you are doing. Please describe more.

    Sul.
     
  4. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    This is nice. MS QBASIC allows you to run DOS in QBASIC. BTW QBASIC is on the 98 installation CD.

    For 9x/ME OSs, files can run if and only if one of VERY few files runs alongside it. This is why many 2000/XP/Vista/Win 7 users say that 9x/ME is poor in RAM memory management. If a person wants to inject a dll into a 9x/ME system, then the dll has to be registered, using regsvr.exe or regsvr32.exe, which in turn calls at least one of user, user32, shell, shell32, rundll, rundll32, win.com, command.com (which is found often in two or more places), etc. The QBASIC app rats out what's trying to run, to modify or to launch something specified in clear detail via the gui (which looks terrible). It's just a matter of seeing what's in upper mem, trying to get in upper mem, and asking if I want to do that. The DOS mem command has enough switches to allow QBASIC to keep an eye on that data. The other files allow one to monitor also what or how something is doing. If someone drops on my PC, e.g., a DOS file in a payload file, such as a backloader, I'm asked if I want BLA.EXE to install some crapware by title of the file.

    Dave
     
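    The polling loop Dave describes (shell out to MEM, watch for named modules, ask allow/deny) as an added QBASIC example, not his program: the MEM /C layout, the file names MEMNOW.TXT, MEMOLD.TXT and CONTROL.LOG, and the watch list are assumptions made for this example.

```basic
' Added example, not dw2108's program: one polling pass of a QBASIC
' "controller" for MS-DOS 7.x / Win9x. It snapshots MEM /C, diffs the module
' names against the previous pass, and prompts allow/deny for a newly loaded
' module on the watch list, logging the answer. Assumptions (not from the
' thread): MEM /C layout (name = first word), file names and watch list below.
DECLARE FUNCTION FirstWord$ (s$)
DECLARE FUNCTION InList% (nm$, arr$(), n%)
CONST MAXMOD = 64, NWATCH = 6
DIM SHARED watch$(1 TO NWATCH), old$(1 TO MAXMOD), cur$(1 TO MAXMOD)
DATA COMMAND, WIN, REGSVR, REGSVR32, RUNDLL, RUNDLL32
FOR i% = 1 TO NWATCH: READ watch$(i%): NEXT i%
' 1. Baseline: module names seen last pass (APPEND creates the file on first run)
OPEN "MEMOLD.TXT" FOR APPEND AS #1: CLOSE #1
OPEN "MEMOLD.TXT" FOR INPUT AS #1: nOld% = 0
DO WHILE NOT EOF(1) AND nOld% < MAXMOD
    LINE INPUT #1, ln$: nOld% = nOld% + 1: old$(nOld%) = ln$
LOOP
CLOSE #1
' 2. Fresh snapshot: MEM /C lists every real-mode module by name
SHELL "MEM /C > MEMNOW.TXT"
OPEN "MEMNOW.TXT" FOR INPUT AS #2: OPEN "CONTROL.LOG" FOR APPEND AS #3: nCur% = 0
DO WHILE NOT EOF(2) AND nCur% < MAXMOD
    LINE INPUT #2, ln$: nm$ = FirstWord$(ln$)
    IF nm$ <> "" THEN
        nCur% = nCur% + 1: cur$(nCur%) = nm$
        ' 3. Prompt only for a watched name that was absent in the baseline
        IF InList%(nm$, watch$(), NWATCH) AND NOT InList%(nm$, old$(), nOld%) THEN
            PRINT "Module "; nm$; " appeared since last pass. Allow (Y/N)? ";
            DO: k$ = UCASE$(INKEY$): LOOP UNTIL k$ = "Y" OR k$ = "N"
            ' A deny is only recorded here; MEM reports modules, it cannot unload them
            PRINT #3, DATE$; " "; TIME$; " "; nm$; " "; k$
        END IF
    END IF
LOOP
CLOSE #3: CLOSE #2
' 4. The fresh list becomes the baseline for the next pass
OPEN "MEMOLD.TXT" FOR OUTPUT AS #1
FOR i% = 1 TO nCur%: PRINT #1, cur$(i%): NEXT i%
CLOSE #1
END

FUNCTION FirstWord$ (s$)
    t$ = LTRIM$(s$): p% = INSTR(t$, " ")
    IF p% = 0 THEN FirstWord$ = UCASE$(t$) ELSE FirstWord$ = UCASE$(LEFT$(t$, p% - 1))
END FUNCTION

FUNCTION InList% (nm$, arr$(), n%)
    FOR j% = 1 TO n%
        IF arr$(j%) = nm$ THEN InList% = -1: EXIT FUNCTION
    NEXT j%
END FUNCTION
```

    Run it from a batch loop or a timer to get continuous polling; the log records what appeared and what was answered, which is all a MEM-based monitor can offer since it observes memory rather than controlling execution.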
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    This might be of interest to you.
    http://sourceforge.net/projects/fatsec
    I tried it in 2007. It's buggy and hasn't seen any development since late 2004 but the basic groundwork is there.
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Wouldn't a HIPS do the same thing that you are trying to do?
     
  7. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montréal, Canada
    dw2108, what you describe can be done with some hips.
    There's also a nice program called vTask Studio (with low-level Win API access) that can be useful.
    Anyway, interesting project! I'd like to see some screenshots ;)
     
  8. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Hey, thanks to all for the input! Will try to get a screenshot after Angela reworks the most ugly gui in history.

    Dave
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Yes, except for the fact the OS is 9X. The only HIPS that supports 98/ME is the free version of SSM, and they appear to be done. Then again, SSM free is a finished product that works fine without vendor support. Not that important considering the OS involved isn't supported either.

    DW,
    I'd also be interested to see what you're building. This sounds like an improved version of the policy editor's application control. I'm still very partial to using my 98 box whenever possible, which is most of the time.
     
  10. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    I don't know how one would categorize this "toy," but the system resources must always be low.

    Dave
     