The MASM Forum

Miscellaneous => Miscellaneous Projects => Windows Projects => Topic started by: TouEnMasm on November 14, 2015, 09:20:47 PM

Title: Malware find the intruder
Post by: TouEnMasm on November 14, 2015, 09:20:47 PM
Hello,
This one is made to find malicious software which wants
to mask itself.
It uses lists of programs as shown in the Task Manager.
It works with three text files.
********** memopage\ReferenceList.txt
           is the list of programs with no problem; you modify it manually with Notepad
********** memopage\ActualList.txt
           is the list generated by find_intruder
********** memopage\SuspectList.txt
           is the result of the comparison between the ReferenceList and the ActualList.txt

In SuspectList.txt you must look for everything that is not usual.
You must search on the internet to know what they are.

If they are normal programs (updaters and other programs) you can add them to
the ReferenceList.txt with Notepad.
If they are malware, you perhaps have their disk location in the text file.
If not, make a DIR /S/B on c:\ in a DOS window (cmd.exe).
Delete them from memory with the Task Manager and erase them from the disk.

The ReferenceList.txt is made under Windows 10; you must modify it if you have another system.
The SuspectList.txt is shown in Notepad only if there is something unusual.

Did the same thing for drivers and services.
The antimalware needs at least Win 7
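
The comparison the post above describes (ReferenceList vs ActualList giving SuspectList), as an added Python example that is not TouEnMasm's code. The one-entry-per-line file format, the `#` comment convention and the extra "known name, unexpected path" check are assumptions of this example, not features stated for find_intruder:

```python
# Added example (not find_intruder's own code): compare a reference list of
# process images with the current list and produce the suspect list.
# Extension beyond a plain set difference: an image whose NAME is trusted but
# which runs from a path the reference does not know is also reported, since a
# program that masks itself often borrows a trusted name (assumed heuristic).
# Assumed file format: one image name or full path per line, '#' = comment.
import ntpath


def parse_list(text):
    """Map lowercase image name -> set of lowercase full paths known for it.
    A bare name (no directory) maps to an empty set, meaning 'any location'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        folder, name = ntpath.split(line)
        paths = entries.setdefault(name.lower(), set())
        if folder:
            paths.add(line.lower())
    return entries


def find_suspects(reference_text, actual_text):
    """Return [(actual_entry, reason)] for entries the user should look up."""
    reference = parse_list(reference_text)
    suspects = []
    for raw in actual_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        folder, name = ntpath.split(line)
        known = reference.get(name.lower())
        if known is None:
            suspects.append((line, "not in ReferenceList"))
        elif known and folder and line.lower() not in known:
            suspects.append((line, "known name, unexpected path"))
    return suspects


def suspect_list_text(suspects):
    """Render SuspectList.txt; empty string means nothing unusual to show."""
    return "".join(f"{entry}    <- {reason}\n" for entry, reason in suspects)


# Constructed sample lists (not real system contents).
REFERENCE = r"""# constructed sample of memopage\ReferenceList.txt
C:\Windows\System32\svchost.exe
C:\Windows\explorer.exe
notepad.exe
"""
ACTUAL = r"""# constructed sample of memopage\ActualList.txt
C:\Windows\System32\svchost.exe
C:\Users\Public\svchost.exe
C:\Windows\explorer.exe
notepad.exe
C:\Users\Public\updater.exe
"""

if __name__ == "__main__":
    print(suspect_list_text(find_suspects(REFERENCE, ACTUAL)) or "nothing unusual")
```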

Title: Re: Malware find the intruder
Post by: jj2007 on November 14, 2015, 10:12:41 PM
Impossibile avviare il programma perché VCRUNTIME140.dll non è presente nel computer. Per risolvere il problema, provare a reinstallare il programma.

BTW, it gave me an occasion to hack together the attached little proggie that extracts the message and puts it on the clipboard. Just run it and press right Control, then right-click on the error message or whatever.
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 15, 2015, 12:19:32 AM
AH! the man who wants to resist Microsoft again.:lol:
Courage!!.:shock:
download "vc++ redistributable 2015"
For the baby who doesn't want to eat from his little spoon, here is a direct link:
https://www.microsoft.com/fr-fr/download/details.aspx?id=48145
Choose your language if the internet doesn't do it

Title: Re: Malware find the intruder
Post by: TWell on November 15, 2015, 01:57:09 AM
Some of us try not to install unnecessary versions on the PC to keep the testing environment clean.
For Windows 10 vcruntime140.dll 84 kt is enough but Windows 7 needs more.
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 15, 2015, 02:16:00 AM
Quote
For Windows 10 vcruntime140.dll 84 kt is enough but Windows 7 needs more
Have you tested the download?
If I read the required system configuration given by Microsoft, it is
Quote
Supported operating system

Windows 10; Windows 7 Service Pack 1; Windows 8; Windows 8.1; Windows Server 2003 Service Pack 2; Windows Server 2008 R2 SP1; Windows Server 2008 Service Pack 2; Windows Server 2012; Windows Vista Service Pack 2; Windows XP Service Pack 3
For more information about operating system support, see the Visual Studio 2015 Compatibility page. Hardware requirements:
• 1.6 GHz or faster processor
• 1 GB of RAM (1.5 GB if running on a virtual machine)
• 50 MB of available hard disk space
• 5400 RPM hard drive

Title: Re: Malware find the intruder
Post by: TWell on November 15, 2015, 02:23:13 AM
In that SuspectList.txt was nothing to suspect.
Mostly drivers and virusscanner files.
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 15, 2015, 02:33:33 AM
Quote
In that SuspectList.txt was nothing to suspect.
You are happy ..this time.
You can just copy and paste (with Notepad) this list into the ReferenceList.txt and next time you won't see them.

Title: Re: Malware find the intruder
Post by: jj2007 on November 15, 2015, 02:44:55 AM
Some of us try not to install unnecessary versions on the PC to keep the testing environment clean.

Indeed :t
Title: Re: Malware find the intruder
Post by: 0000 on November 15, 2015, 10:50:02 AM
Doesn't seem to want to run under XP Pro SP3.
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 15, 2015, 06:56:15 PM
Quote
Doesn't seem to want to run under XP Pro SP3.
XP Pro SP3 is listed as usable with the "vc++ redistributable 2015"
Have you downloaded it?

Title: Re: Malware find the intruder
Post by: TWell on November 15, 2015, 07:38:19 PM
Can't run in XP of course. Exe needs at least OS version 6.0.
K32GetProcessImageFileNameA was missing from kernel32.dll
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 16, 2015, 01:11:18 AM
Quote
Can't run in XP of course. Exe needs least OS version 6.0. ?
https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms683217(v=vs.85).aspx
Minimum supported client: Windows XP [desktop apps only]

I am a little lost with the various versions of XP.
I am now adding the same thing for the drivers and the services, and the minimal supported system will be Win 7.
The useful thing in "find the intruder" is that an anti-malware couldn't delete services and drivers.
A user with administrator rights is needed to delete them.
That will be too bad for XP.
Title: Re: Malware find the intruder
Post by: TWell on November 16, 2015, 01:27:04 AM
Did you notice this?
Quote
Psapi.lib on Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP
So that problem was in psapi with that program.
kernel32.dll function list here (http://www.geoffchappell.com/studies/windows/win32/kernel32/api/) and here (http://xpdll.nirsoft.net/kernel32_dll.html)
Title: Re: Malware find the intruder
Post by: TouEnMasm on November 16, 2015, 04:45:38 AM
Did the same thing for drivers and services.
The antimalware needs at least Win 7.
It can show you all changes in the loaded modules, the installed drivers and all the services.
I have a problem with Bamcof.exe.
It installs a service named Bamcof that I have uninstalled.
Without me doing anything it comes back; any help?