Topic: NANY 2010 Teaser: Crush MCP (Master Control Program)

Crush

« on: December 20, 2009, 03:57 PM »
I noticed that my other project is not very interesting to others, so I decided to do something more useful.

The Master Control Program is a small tool running in the background that monitors all tasks and programs.
After making a snapshot of all running processes, new ones will be terminated and tracked in a deletion list.
So you can see and get protected if a virus or other unknown programs are automatically starting in the background without your permission, to raise your security while working.
I'm waiting for suggestions or features you'd like to see.
« Last Edit: January 01, 2010, 09:11 AM by Crush »

mouser

« Reply #1 on: December 20, 2009, 04:10 PM »
This could be useful.. there are already some programs for this but I think there is always room for more that are nice and simple to use.

I see a couple of issues to think through:
  • How do you add new applications to the list of allowed programs?
  • If a virus only needs half a second to infect your computer -- you aren't really going to be able to stop it just by watching the background process list -- for that you need an antivirus-style hook that catches files before they can execute.
  • But still it could be useful to alert you about new programs you've never seen before that are running.

mouser

« Reply #2 on: December 20, 2009, 04:15 PM »
I think it might be nice just to have a program that made a list of the first time it saw any given program run for the first time and saved that to a nice text file, so I could always check that file and see when a new program was discovered running for the first time.  and maybe show in tray a balloon each time a new program was discovered running that had never been seen before.

Crush

« Reply #3 on: December 20, 2009, 04:22 PM »
I also wanted to save the list to create a white- and blacklist. Perhaps a function to auto-google for killed or tracked processes would be cool.

mouser

« Reply #4 on: December 20, 2009, 04:26 PM »
that's a nice idea.
one extra benefit of keeping this kind of list of history of when each program was run for the first time, is that it could be very helpful for diagnosing problems that you only notice a day later, etc.  and could help you diagnose a problem on a relative's computer.
note that for this kind of benefit, it doesn't have to ever kill anything.. it's just trying to track when a process first ran -- the nice part about that is how simple it would be to use, nothing to it.
maybe you could make it run in two different modes: 1) kill anything on blacklist but don't kill new programs; 2) kill everything not on whitelist
so if you only wanted to use it to keep track of the first time a program ever ran, you would just use mode 1.

Crush

« Reply #5 on: December 20, 2009, 05:11 PM »
I see that there is a lot of very interesting information in the system, like the filenames, process creation time, user time, I/O information (how many reads/writes, how much data has been transferred), memory usage and much more. This could give useful hints if a task could be an intruding sniffer or similar - perhaps you could optimize your system with knowledge about the shutdown priorities or I/O usage. I'll try to track as much information as I can get from the processes.

Perry Mowbray

« Reply #6 on: December 20, 2009, 06:12 PM »
Hey Crush: yes this is a neat idea (not that the other one wasn't). I like the idea that I can look back and see when things happened so that I can fix up problems.

Maybe even mash in some of the filesystem data about the actual files? Changes in versions? How would you capture automatic updates, where the programme downloads and runs and updates files?

f0dder

« Reply #7 on: December 21, 2009, 02:25 AM »
Hey Crush, I don't mean to discourage you, but as mouser already mentioned you'll need a low-level (driver) hook in order to prevent NastyCode™ from running - simply scanning with toolhelp/psapi every X milliseconds leaves too much of a gap for malware to run (and making the wait-time too slow will end up chewing too many CPU cycles). Also, if the malware injects itself into a running process, starts through a buffer overflow in flash/acrobatreader/whatever or loads as a service through svchost, you'll have a hard time catching it this way.

So instead of trying to keep a system clean by doing usermode app whitelisting, it's probably better to focus on the logging part - less chance of killing benign processes that way, too :)
- carpe noctem

Crush

« Reply #8 on: December 21, 2009, 05:44 AM »
The main idea was only to stop all processes that start while surfing or working with a single application after a defined moment. At first I only wanted to create a popup-blocker by new windows.

But you're right, it's too time consuming when I track all the data I want to check. The MCP shall not be an antivirus or spyware killer. It's intended to be a help finding suspicious processes starting without your knowledge in the background, perhaps remove some annoying tasks at low level and get a deeper view into the behaviour of programs and tasks. It can help you to find malware by its behaviour - even if your antivirus/spyware detectors do not know it. You'll never be able to find DLL injections or manipulated executables without reference hashes to clean original files (this could be a new idea  :-\).
If you're really running malware while working, it perhaps can stop these programs fast enough to prevent or stop damage somehow, or at least helps lead your attention to the process if the file accesses of some processes are getting extremely exhaustive.

I needed several hours only to create the main process class containing all the interesting information and I don't know how much time the rest will need. So if there's not enough time, a black/whitelist or other features will be included later. The time to new year is too short to code a complex program.
« Last Edit: December 21, 2009, 05:47 AM by Crush »

Perry Mowbray

« Reply #9 on: December 21, 2009, 05:48 AM »
Quote from Crush: "The time to new year is too short to code a complex program."

You're good Crush: just get the first bit done and the rest can happen later  :)

JavaJones

« Reply #10 on: December 21, 2009, 01:08 PM »
I love the idea of an app startup logging program. If you can make hashes of each exe and track last startup, last changes to exe, etc. that would be even cooler. A long-term look at all this info, then make it exportable as a CSV and we can run some analysis on it, get some nice pie charts going and hey presto, unintended (but awesome) result is a graph of system update activity, system app load history, etc. Fun stuff. I like!

- Oshyan
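
One way to build the first-seen log with per-executable hashes, CSV export and the two kill modes proposed in this thread, as an added example that is not Crush's MCP code. The class and function names, the `{path: image bytes}` snapshot format and the sample data are assumptions, and "kill" is only a returned decision.

```python
import csv, hashlib, io

class FirstSeenLog:
    """First-seen history of executables, keyed by path, with a hash per image."""
    def __init__(self, mode=1, whitelist=(), blacklist=()):
        self.mode = mode  # 1: kill blacklisted only; 2: kill all not whitelisted
        self.whitelist = {p.lower() for p in whitelist}
        self.blacklist = {p.lower() for p in blacklist}
        self.records = {}  # lower-cased path -> [first_seen, last_seen, sha256, changes]

    def observe(self, now, snapshot):
        """Record one snapshot {path: image bytes}; return a list of (event, path)."""
        events = []
        for path, image in sorted(snapshot.items()):
            key = path.lower()  # Windows paths compare case-insensitively
            digest = hashlib.sha256(image).hexdigest()
            rec = self.records.get(key)
            if rec is None:
                self.records[key] = [now, now, digest, 0]
                events.append(("new", path))
            else:
                rec[1] = now
                if rec[2] != digest:  # same path, new bytes: update or tampering
                    rec[2], rec[3] = digest, rec[3] + 1
                    events.append(("changed", path))
            blocked = key in self.blacklist if self.mode == 1 else key not in self.whitelist
            if blocked:
                events.append(("kill", path))  # a decision only; nothing is terminated
        return events

    def to_csv(self):
        out = io.StringIO()
        writer = csv.writer(out, lineterminator="\n")
        writer.writerow(["path", "first_seen", "last_seen", "sha256", "changes"])
        for key, rec in sorted(self.records.items()):
            writer.writerow([key, *rec])
        return out.getvalue()

def demo():
    """Three constructed snapshots; paths, times and image bytes are made up."""
    log = FirstSeenLog(mode=1, blacklist=[r"C:\Temp\popup.exe"])
    events = log.observe("2009-12-21T10:00", {r"C:\Windows\explorer.exe": b"explorer v1"})
    events += log.observe("2009-12-21T10:05", {r"C:\Windows\explorer.exe": b"explorer v1",
                                               r"C:\Temp\popup.exe": b"popup"})
    events += log.observe("2009-12-22T09:00", {r"C:\Windows\explorer.exe": b"explorer v2"})
    return log, events

if __name__ == "__main__":
    print(demo()[0].to_csv())
```

A process that starts and exits between two snapshots never reaches `observe()`, so the log only covers what the polling interval happens to catch.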

Crush

« Reply #11 on: December 21, 2009, 02:09 PM »
A hash on all of these programs is no problem, but it's very time consuming. I'll take a look what's possible.

JavaJones

« Reply #12 on: December 21, 2009, 02:38 PM »
Hash should probably be optional, but would definitely be a nice and important feature IMO. Thanks for taking our input! I love the evolutionary app design process. :)

- Oshyan

Crush

« Reply #13 on: December 24, 2009, 01:21 PM »
A friend tested MCP yesterday on Windows XP Professional. He wasn't able to see any text in the windows. They should be instantly filled with text.
Perhaps someone with XP could load the executable and write some lines about its behaviour?
« Last Edit: December 26, 2009, 08:59 AM by Crush »

Stoic Joker

« Reply #14 on: December 24, 2009, 03:29 PM »
XP was VPC which started to ignore mouse input the instant I ran the program. I launched it using keyboard to get the error:

XP = This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem

Win 7 x64 = The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail.

App Log Source-SideBySide EventID 33

Activation context generation failed for "W:\Documents\= ALL Downloads =\MCP.exe". Dependent Assembly Microsoft.VC90.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found. Please use sxstrace.exe for detailed diagnosis.

Crush

« Reply #15 on: December 24, 2009, 05:09 PM »
Ok, I don't understand the message particularly, but I see something should be loaded and isn't there. So I removed some unused features (ballast), made it more system-friendly and changed the download link of the last post. I hope this version works.
« Last Edit: December 24, 2009, 05:20 PM by Crush »

f0dder

« Reply #16 on: December 24, 2009, 05:12 PM »
Sounds like vc2008 runtimes are missing on your system?
- carpe noctem

Crush

« Reply #17 on: December 24, 2009, 05:18 PM »
You can download it here.
f0dder: Can you run it?

Stoic Joker

« Reply #18 on: December 24, 2009, 06:47 PM »
Better, no errors this time (runtimes not needed) ...was fine on Win 7 x64, but got no text in XP.

Crush

« Reply #19 on: December 24, 2009, 08:15 PM »
Stoic Joker: Please install the runtimes (it's not very much) and run it again - perhaps the text becomes visible. Without it the prog is rather useless.
« Last Edit: December 24, 2009, 08:55 PM by Crush »

Stoic Joker

« Reply #20 on: December 24, 2009, 09:24 PM »
Quote from Crush: "Stoic Joker: Please install the runtimes (it's not very much) and run it again - perhaps the text becomes visible. Without it the prog is rather useless."
Installed the runtimes & still no text. Not sure if it'll help but here's a screenshot of the XP desktop. If it is (supposed to be) using any of the 08 runtime stuff, it doesn't appear to be calling for it.
Attachment: Crush-MPC.jpg (screenshot of the XP desktop)
« Last Edit: December 24, 2009, 09:35 PM by Stoic Joker »

f0dder

« Reply #21 on: December 25, 2009, 06:49 AM »
It works here...

But ugh, what's with...
  • Themed looks?
  • German text?
  • Draggable menu- and toolbar?
  • Editor-style status bar?

I know this is stuff you get pretty much for free with MFC, but that doesn't make it any less ugly nor superfluous :)

Works fine on my Win7-64bit, on my XP-SP3 vmware it starts with no errors but no text either (I haven't installed VS2008 runtimes there afaik, dunno if it's included with SP3?). Time to check API call return values for errors :P
- carpe noctem

Tuxman

« Reply #22 on: December 25, 2009, 08:31 AM »
Quote from f0dder: "German text?"
I can perfectly live with that.  8)

f0dder

« Reply #23 on: December 25, 2009, 09:15 AM »
Quote from f0dder: "German text?"
Quote from Tuxman: "I can perfectly live with that.  8)"
Too bad die drittes reich failed, leaving English as the great uniting language ;)
- carpe noctem

Tuxman

« Reply #24 on: December 25, 2009, 09:20 AM »
In Europe, German is still the primary language of many countries (Germany, Austria, parts of Switzerland, Liechtenstein, Luxembourg, even in the Netherlands they speak German). English is not.
I wonder why these US-American weirdos think that their broken English accent is the one and only global language. Sort of arrogance, I guess.

 :P
« Last Edit: December 25, 2009, 09:23 AM by Tuxman »