Old 5th February 2007, 20:31   #41
Whizz
Junior Member
 
Join Date: Feb 2007
Posts: 5
Re: Re: Trojan AV Trigger

Quote:
Originally posted by CharlesB2
The best way to handle the problem is to recompile the DLL by removing the function that kills a process, since I believe it is the one that is used by trojans. I have done it myself, if you're interested I can put it on the wiki...

Cheers
That sounds good, but actually I do need the kill a process function. So taking it out would be a bit of a pain.

Do you have the full source (or anyone else out there) for a Micro$oft compiler and can provide a link?

I presume it's coded in C/++. I might try to obfuscate it and re-compile to see if that gets it through.
Whizz is offline   Reply With Quote
Old 6th February 2007, 08:30   #42
CharlesB2
Junior Member
 
Join Date: Feb 2005
Location: Orsay, France
Posts: 10
Re: Re: Re: Trojan AV Trigger

Quote:
Originally posted by Whizz
That sounds good, but actually I do need the kill a process function. So taking it out would be a bit of a pain.

Do you have the full source (or anyone else out there) for a Micro$oft compiler and can provide a link?

I presume it's coded in C/++. I might try to obfuscate it and re-compile to see if that gets it through.
The source is in the archive, on the wiki page: http://nsis.sourceforge.net/NsProcess_plugin

Cheers
CharlesB2 is offline   Reply With Quote
Old 3rd May 2007, 23:13   #43
JamesKiller
Senior Member
 
Join Date: Jan 2007
Posts: 125
When I am using this plugin, I have a problem: it cannot kill the old version of my application.
For example: I have version 1: myservice
I make a new build, then install it, and it can't kill the version 1 process?
I think it would be a bug???
Any thoughts?
JamesKiller is offline   Reply With Quote
Old 4th May 2007, 02:26   #44
goldy1064
Senior Member
 
Join Date: Jun 2005
Posts: 211
Well, if version 1 is a service, as the name you gave implies, you would need to ensure that it won't auto-recover when killed.
goldy1064 is offline   Reply With Quote
Old 4th May 2007, 06:11   #45
Whizz
Junior Member
 
Join Date: Feb 2007
Posts: 5
Quote:
Originally posted by JamesKiller
When I am using this plugin, I have a problem: it cannot kill the old version of my application.
For example: I have version 1: myservice
I make a new build, then install it, and it can't kill the version 1 process?
I think it would be a bug???
Any thoughts?
Services are not really like a normal program process. They are controlled by the 'Services Controller' (SC) which deals with both services and devices.

You should 'stop' your service officially, advise the SC to remove it from the database, update it, reload into the database and then 'start' it again.

If it is a protected service, then you have to advise the SC to make the changes at next boot up. Which is really quite difficult in the newer OS's of XP/Vista. And probably you shouldn't be touching anyway.

NSProcess is probably not the plugin for you when dealing with services.
Whizz is offline   Reply With Quote
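One way to follow the service advice in post #45, as an added NSIS example that is not part of the thread or of the nsProcess plugin: stop the service through the Service Control Manager, wait for the STOPPED state, replace the binary, then start it again. The service name comes from the question; the file name myservice.exe, the 30-second timeout, and an already-registered service (so the remove/re-register steps are skipped) are assumptions.

```nsis
; Added example, not from the thread. "myservice" is the name used in the
; question; "myservice.exe" and the 30-second timeout are assumptions.
!define SVC_NAME "myservice"
!define SVC_EXE  "myservice.exe"

Name "myservice upgrade"
OutFile "myservice-setup.exe"
InstallDir "$PROGRAMFILES\myservice"
RequestExecutionLevel admin ; the SCM rejects stop/start from unelevated callers

Section "Upgrade service"
  ; Ask the Service Control Manager to stop the service instead of killing it.
  nsExec::ExecToStack 'sc.exe stop "${SVC_NAME}"'
  Pop $0 ; exit code (1062 = service was not running, 1060 = not installed)
  Pop $1 ; console output, unused
  StrCmp $0 1060 replace_binary ; nothing registered, so nothing to wait for

  ; "sc stop" returns before the process has exited, so poll the state.
  StrCpy $2 0
  wait_stopped:
    nsExec::ExecToStack 'cmd.exe /c sc.exe query "${SVC_NAME}" | find "STOPPED"'
    Pop $0 ; 0 when find matched the STOPPED state line
    Pop $1
    StrCmp $0 0 replace_binary
    IntOp $2 $2 + 1
    IntCmp $2 30 stop_failed 0 stop_failed
    Sleep 1000
    Goto wait_stopped

  stop_failed:
    ; Do not fall back to killing the process here: a service configured
    ; to auto-recover is simply restarted by the SCM.
    Abort "Service ${SVC_NAME} did not stop within 30 seconds."

  replace_binary:
    SetOutPath "$INSTDIR"
    File "${SVC_EXE}"
    nsExec::ExecToStack 'sc.exe start "${SVC_NAME}"'
    Pop $0
    Pop $1
    StrCmp $0 0 done
    DetailPrint "sc start returned $0"
  done:
SectionEnd
```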
Old 10th October 2007, 18:46   #46
M-Force
Junior Member
 
Join Date: Mar 2006
Posts: 28
Question What AV packages are triggered by nsProcess?

Hi,

Is it still an issue that nsProcess is triggering AV packages as a trojan virus?
If so do you have a list of such AV packages?
I would like to check my installer for such problem.
M-Force is offline   Reply With Quote
Old 10th October 2007, 21:26   #47
Whizz
Junior Member
 
Join Date: Feb 2007
Posts: 5
I have not seen the problem since I re-compiled the source code myself, using my own compiler. Rather than using the distributed version from the download location. This is the distro version I use now.

When I was experimenting, I found that the following AV systems did trigger a false detection:

Panda
McAfee/NAI
BitDefender
F-Secure
Symantec/Norton

I did not have access to any other AV engines to test further. Actually 1 detection was too many!!!

Once I recompiled and the issue went away, then I did not test any further. Nor have I tried downloading to see if there was a newer version by the author.

I guess the original was being compiled with a non-fully patched version of MS:C++. I did no changes, just compiled and used the resultant file.
Whizz is offline   Reply With Quote
Old 25th April 2008, 00:29   #48
99999999
Junior Member
 
Join Date: Nov 2006
Posts: 43
Is there source code available for the nsProcess plugin?
99999999 is offline   Reply With Quote
Old 25th April 2008, 06:24   #49
Whizz
Junior Member
 
Join Date: Feb 2007
Posts: 5
As stated by CharlesB2 earlier in the thread. It is in the Archive on the Wiki page.

Did you read the whole of this thread?? I guess not.
Whizz is offline   Reply With Quote
Old 12th May 2008, 15:37   #50
afisk
Junior Member
 
Join Date: May 2008
Location: New York City
Posts: 3
Do you have a link to your re-compiled DLL by any chance, Whizz? Maybe you could add it to the wiki? I don't do much Windows programming and don't have everything set up to compile my own. You can also reach me at "a" at my domain --- littleshoot.org. Would be a huge help. I'd even paypal you $10 -- seriously.

-Adam Fisk
afisk is offline   Reply With Quote
Old 10th June 2008, 16:32   #51
arantius
Junior Member
 
Join Date: Jun 2000
Posts: 32
I've patched this plugin to add a CloseProcess method, a nicer alternative to KillProcess.

I offer no guarantees as to its quality, as C++ is not my primary skill. However, the updated nsProcess.c file is attached for anyone who might find it useful.
Attached Files
File Type: zip nsprocess.zip (4.1 KB, 534 views)
arantius is offline   Reply With Quote
Old 19th January 2009, 17:50   #52
Ivan Andreevich
Junior Member
 
Join Date: Nov 2003
Location: Vancouver, BC
Posts: 48
Any plans to make a version that could be used to kill processes by PID?
Ivan Andreevich is offline   Reply With Quote
Old 1st February 2010, 16:02   #53
skuallpa
Junior Member
 
Join Date: Jun 2009
Posts: 30
Hello,

the plugin works well for normal build of nsis under x64. However, it failed to find processes for nsis unicode build

Do you have a solution for this?

Thanks in advance

Website : http://www.timelapse-photo.com
skuallpa is offline   Reply With Quote
Old 17th February 2011, 13:24   #54
roderickm
Junior Member
 
Join Date: Feb 2011
Posts: 1
Thumbs up Windows 7

Hello,

FYI, the FindProcess function works on Windows 7 - even when the process was started by a different user. Thanks!
roderickm is offline   Reply With Quote
Old 17th February 2011, 13:25   #55
Afrow UK
Moderator
 
Join Date: Nov 2002
Location: Surrey, England
Posts: 8,434
It won't work on x64 Windows (unless it uses WMI).

Stu
Afrow UK is offline   Reply With Quote
Old 28th June 2011, 09:14   #56
brainsucker
Senior Member
 
Join Date: Sep 2002
Location: Minsk, Belarus
Posts: 190
nsProcess 1.6 with NSIS UNICODE support

It actually works for me on Win7 x64, but I have UAC prompts disabled, mb this is the reason.

Please find NSIS UNICODE/ANSI version attached, I'm too lazy to rebuild installer so you'll have to rename nsProcessW.dll to nsProcess.dll manually.

It also contains new function _CloseProcess, which tries to close all windows first, waits for 3 seconds for process to exit (so it can save all data), and then terminates it.
Attached Files
File Type: 7z nsProcess_1_6.7z (14.9 KB, 6323 views)
brainsucker is offline   Reply With Quote
Old 18th August 2017, 09:20   #57
mrjohn
Member
 
Join Date: Feb 2009
Posts: 61
Hi, for me this plugin doesn't work. I'm on W10x64, NSIS v3.02.1
Example code always returns value 6 for any process tested

Is there another alternative to find a running process?

thanks!
mrjohn is offline   Reply With Quote
Old 19th August 2017, 07:27   #58
r2du-soft
Senior Member
 
Join Date: Nov 2013
Location: Iran
Posts: 242
Quote:
Originally Posted by mrjohn
Hi, for me this plugin doesn't work. I'm on W10x64, NSIS v3.02.1
Example code always returns value 6 for any process tested

Is there another alternative to find a running process?

thanks!
Hi my friend,
I also have Windows 10 x64.
I tested it and everything is right. Perhaps you are facing this problem: in Windows 10 the Calc.exe process name is Calculator.exe, so you must edit the example script!
If the plugin does not find the process name it returns 603, and if it finds the process it returns 0!
These are the nsProcess plugin return values:
HTML Code:
// Return codes are as follows:
//   0   = Success
//   601 = No permission to terminate process
//   602 = Not all processes terminated successfully
//   603 = Process was not currently running
//   604 = Unable to identify system type
//   605 = Unsupported OS
//   606 = Unable to load NTDLL.DLL
//   607 = Unable to get procedure address from NTDLL.DLL
//   608 = NtQuerySystemInformation failed
//   609 = Unable to load KERNEL32.DLL
//   610 = Unable to get procedure address from KERNEL32.DLL
//   611 = CreateToolhelp32Snapshot failed
If you have a problem with the nsProcess plugin, try this:

HTML Code:
	FindProcDLL::FindProc "Calculator.exe"
	MessageBox MB_OK "$R0"
If the process is not found it returns 0,
and if the process is found it returns 1.
r2du-soft is offline   Reply With Quote
Old 19th August 2017, 19:24   #59
mrjohn
Member
 
Join Date: Feb 2009
Posts: 61
I've solved it for my case using a simple trick: trying to open the main exe file for append and catching the error in case it is running
mrjohn is offline   Reply With Quote
Old 21st August 2017, 18:43   #60
mrjohn
Member
 
Join Date: Feb 2009
Posts: 61
@r2du-soft: I've done the test again, nsProcess 1.6 always gives me value 6 for any process tested, and your second solution always gives 0, dll downloaded from there
mrjohn is offline   Reply With Quote
Old 29th August 2017, 02:39   #61
tnteverett
Junior Member
 
Join Date: Jul 2017
Posts: 17
Plugin Directory

The ZIP file has only one DLL and unzipping does not put it in the right directory. Not knowing where it goes, this is what I have done.

Installation file: 20140806212030!NsProcess.zip
Instructions:
Copy to the base installation directory of NSIS, typically "C:\Program Files (x86)\NSIS"
Using WinZip, right click and select "Extract to Here"
This action puts files in the wrong place. You will need to move the following files.
Move "C:\Program Files (x86)\NSIS\Plugin\nsProcess.dll"
to
"C:\Program Files (x86)\NSIS\Plugins\x86-ansi\nsProcess.dll"
and
"C:\Program Files (x86)\NSIS\Plugins\x86-unicode\nsProcess.dll"

I assume the right place is ansi but did not want to test it further, just wanted it to work.

Note that the NsProcess.zip downloads but will not open.
Same problem with nsProcess_1_6.7z

When will ZIP release be fixed to include both and in the right directories?
C:\Program Files (x86)\NSIS\Plugins\x86-unicode
C:\Program Files (x86)\NSIS\Plugins\x86-ansi
tnteverett is offline   Reply With Quote