Is there any possibility on Windows to create a program (C#, C++, or any other language) which would be able to trace which processes are using the clipboard?
I have malware which modifies my clipboard when I paste Ethereum addresses. No tools are able to detect this malware... since I'm a programmer, I would like to code a tool to help me find the malicious process.
Any idea if it's possible?
Thanks a lot
There is no Win32 API for monitoring access to the clipboard, only for detecting when changes are made to the clipboard's content.
To do what you are asking for, you will have to write a DLL that directly hooks the Win32 OpenClipboard() function, such as with a detour, and then you can inject that DLL into all running processes, such as with SetWindowsHookEx(), AppInit_DLLs, etc. When your hook is called, it can communicate information about the calling process back to your main app as needed, such as the process ID.
You can find an existing and reputable tool that can do that for you:
Sysmon v12.0 by SysInternals.
Although it doesn't mention it on the doc page, this states
Sysmon 12 adds clipboard capturing
I sifted through some help and references and confirmed that the following config works:
<Sysmon schemaversion="4.40">
  <CaptureClipboard />
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude">
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
You can view those captured events in the Windows Event Viewer, in
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.
In response to my copying text from the command prompt, I can see this logged event:
Clipboard changed:
RuleName: -
UtcTime: 2020-10-12 22:08:45.505
ProcessGuid: {0509ed25-cd58-5f84-41a3-050000003500}
ProcessId: 20708
Image: C:\Windows\System32\cmd.exe
Session: 3
etc...
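An added example, not part of the answer above: with the configuration shown (an empty "exclude" rule, so every clipboard change is logged), Sysmon writes the clipboard events as Event ID 24 in the Operational log. A clipper leaves a characteristic trace there: the user's own copy (cmd.exe, a browser, Notepad) followed within a second or two by a second ClipboardChange from a different image. The C# program below reads those events with System.Diagnostics.Eventing.Reader, parses the Image and ProcessId fields out of the event XML, and flags that pattern. The 3-second window and the field names are the only assumptions beyond what the answer shows; reading the Sysmon log normally requires an elevated prompt.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;
using System.Globalization;
using System.Xml.Linq;

// Lists Sysmon ClipboardChange events (Event ID 24) and flags the pattern a clipper
// leaves behind: a second change, by a different image, right after the user's own copy.
class SysmonClipboardAudit
{
    static readonly XNamespace Ev = "http://schemas.microsoft.com/win/2004/08/events/event";

    public class ClipEvent
    {
        public DateTime Utc;
        public int ProcessId;
        public string Image;
    }

    // Parse one Sysmon event's XML (the string returned by EventRecord.ToXml()).
    public static ClipEvent Parse(string xml)
    {
        var doc = XDocument.Parse(xml);
        string Field(string name)
        {
            foreach (var d in doc.Descendants(Ev + "Data"))
                if ((string)d.Attribute("Name") == name) return d.Value;
            return null;
        }
        return new ClipEvent
        {
            // Sysmon's UtcTime looks like "2020-10-12 22:08:45.505", as in the event shown above.
            Utc = DateTime.ParseExact(Field("UtcTime"), "yyyy-MM-dd HH:mm:ss.fff", CultureInfo.InvariantCulture),
            ProcessId = int.Parse(Field("ProcessId")),
            Image = Field("Image"),
        };
    }

    // A change that follows one from a different image within `window` is suspicious:
    // the user copied something and something else immediately rewrote the clipboard.
    public static List<string> FindSuspicious(List<ClipEvent> events, TimeSpan window)
    {
        var hits = new List<string>();
        for (int i = 1; i < events.Count; i++)
        {
            var prev = events[i - 1];
            var cur = events[i];
            if (cur.Utc - prev.Utc <= window && cur.Image != prev.Image)
                hits.Add($"{cur.Utc:u} PID {cur.ProcessId} {cur.Image} rewrote the clipboard " +
                         $"{(cur.Utc - prev.Utc).TotalMilliseconds:F0} ms after {prev.Image}");
        }
        return hits;
    }

    static void Main()
    {
        var query = new EventLogQuery("Microsoft-Windows-Sysmon/Operational", PathType.LogName,
                                      "*[System[EventID=24]]");
        var events = new List<ClipEvent>();
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
                using (rec) events.Add(Parse(rec.ToXml()));
        }
        events.Sort((a, b) => a.Utc.CompareTo(b.Utc));

        foreach (var e in events)
            Console.WriteLine($"{e.Utc:u} PID {e.ProcessId,-6} {e.Image}");
        Console.WriteLine("--- suspicious (different image within 3 s of the previous change) ---");
        foreach (var line in FindSuspicious(events, TimeSpan.FromSeconds(3)))
            Console.WriteLine(line);
    }
}
```

Reproduce the malware's behaviour while this runs: copy a wallet address, wait a moment, then read the "suspicious" section. Legitimate clipboard managers and remote-desktop clients will also show up as a second image, so treat the list as candidates to inspect (path, signature, parent process), not as a verdict.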
Another option, for DIY programmers :)
From your code, copy something to the Clipboard with delay rendering:
::SetClipboardData(CF_TEXT, NULL);
When someone (that malware?) would attempt to get that text, you will receive a WM_RENDERFORMAT message. If you place a breakpoint there and stop your execution, the calling program will be blocked on its GetClipboardData call or something like that.
I didn't figure out where to go from here. Enumerate all processes? Attach to each one with Debugger? Look at their call stack?
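One way to continue from where the answer above stops, as an added example that is not part of that answer: while the requester is blocked in GetClipboardData(), it still holds the clipboard open, so GetOpenClipboardWindow() called from inside the WM_RENDERFORMAT handler returns the window handle it passed to OpenClipboard(), and GetWindowThreadProcessId() turns that into a PID. No process enumeration or debugger is needed. The C# WinForms program below places a delayed-rendered bait string shaped like an Ethereum address (constructed here; the all-zero value is not a real address) on the clipboard and logs every reader. The caveat is built in: a caller that used OpenClipboard(NULL) cannot be attributed this way.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;

// Owns a delayed-rendered clipboard entry and, inside WM_RENDERFORMAT, names whoever asked for it.
class ClipboardBait : Form
{
    const int WM_RENDERFORMAT = 0x0305, WM_RENDERALLFORMATS = 0x0306;
    const uint CF_TEXT = 1, CF_UNICODETEXT = 13, GMEM_MOVEABLE = 0x0002;

    [DllImport("user32.dll", SetLastError = true)] static extern bool OpenClipboard(IntPtr hWndNewOwner);
    [DllImport("user32.dll")] static extern bool CloseClipboard();
    [DllImport("user32.dll")] static extern bool EmptyClipboard();
    [DllImport("user32.dll", SetLastError = true)] static extern IntPtr SetClipboardData(uint uFormat, IntPtr hMem);
    [DllImport("user32.dll")] static extern IntPtr GetClipboardOwner();
    [DllImport("user32.dll")] static extern IntPtr GetOpenClipboardWindow();
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr GlobalAlloc(uint uFlags, UIntPtr dwBytes);
    [DllImport("kernel32.dll")] static extern IntPtr GlobalLock(IntPtr hMem);
    [DllImport("kernel32.dll")] static extern bool GlobalUnlock(IntPtr hMem);

    // Constructed bait: shaped like an Ethereum address so a pattern-matching clipper takes interest.
    const string Bait = "0x0000000000000000000000000000000000000000";

    protected override void OnHandleCreated(EventArgs e)
    {
        base.OnHandleCreated(e);
        if (!OpenClipboard(Handle)) throw new Win32Exception();
        try
        {
            EmptyClipboard();                             // makes this window the clipboard owner
            SetClipboardData(CF_TEXT, IntPtr.Zero);       // NULL handle = delayed rendering
            SetClipboardData(CF_UNICODETEXT, IntPtr.Zero);
        }
        finally { CloseClipboard(); }
        Console.WriteLine("Bait placed on the clipboard; waiting for readers...");
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_RENDERFORMAT)
        {
            // The requester is blocked inside GetClipboardData() and still has the clipboard open,
            // so the window it gave to OpenClipboard() is visible to us right now.
            IntPtr requester = GetOpenClipboardWindow();
            Console.WriteLine(requester == IntPtr.Zero
                ? $"{DateTime.Now:HH:mm:ss.fff} format {m.WParam} requested via OpenClipboard(NULL); cannot attribute"
                : $"{DateTime.Now:HH:mm:ss.fff} format {m.WParam} requested by {Describe(requester)}");
            Render((uint)m.WParam.ToInt64());             // do NOT call OpenClipboard here: the requester holds it
            return;
        }
        if (m.Msg == WM_RENDERALLFORMATS)
        {
            // We are going away while still the owner: render everything we promised.
            if (OpenClipboard(Handle))
            {
                try { if (GetClipboardOwner() == Handle) { Render(CF_TEXT); Render(CF_UNICODETEXT); } }
                finally { CloseClipboard(); }
            }
            return;
        }
        base.WndProc(ref m);
    }

    static string Describe(IntPtr hwnd)
    {
        GetWindowThreadProcessId(hwnd, out uint pid);
        try { return $"PID {pid} {Process.GetProcessById((int)pid).MainModule.FileName}"; }
        catch (Exception) { return $"PID {pid} (image path not readable from this process)"; }
    }

    static void Render(uint format)
    {
        if (format != CF_TEXT && format != CF_UNICODETEXT) return;
        byte[] bytes = (format == CF_UNICODETEXT ? Encoding.Unicode : Encoding.ASCII).GetBytes(Bait + "\0");
        IntPtr h = GlobalAlloc(GMEM_MOVEABLE, (UIntPtr)(uint)bytes.Length);   // clipboard needs a movable HGLOBAL
        if (h == IntPtr.Zero) throw new Win32Exception();
        Marshal.Copy(bytes, 0, GlobalLock(h), bytes.Length);
        GlobalUnlock(h);
        SetClipboardData(format, h);                      // the clipboard now owns the HGLOBAL
    }

    [STAThread]
    static void Main()
    {
        Application.Run(new ClipboardBait { Text = "Clipboard bait (keep open)", Width = 320, Height = 80 });
    }
}
```

Build it as a console application referencing System.Windows.Forms so the log lines are visible. Expect benign readers too: Windows clipboard history, remote-desktop clients and clipboard managers all request the text, so the interesting line is the unfamiliar image path that appears every time a new address is placed on the clipboard.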
Related
I'm working on automating the behaviour of a scientific measurement program in C#.
The program does have a .NET API, but the developers of the program haven't included all necessary commands, e.g. they haven't included a simple "save as" command that I need for saving the measuring data.
Is there a way to operate the menu strip of the application and e.g. press the "save as" button?
I start the program from my own application by means of Process.Start();
One simple solution - copy destination path to the clipboard, then use e.g. SendKeys.SendWait() to send the following keys to your target application (with sufficient pauses between them) Ctrl+S "^s", Ctrl+V "^v", Enter "{ENTER}".
It's also a good idea to verify the folder exists, and the file does not, otherwise the saving will obviously fail, or overwrite confirmation will popup.
P.S. But before doing that, use e.g. .NET Reflector to ensure their .NET API doesn't have the save functionality: there are many cases where the SendKeys approach will fail.
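The keystroke recipe from the answer above, written out as an added example (not the answer's own code): it performs the two checks the answer mentions before typing anything, brings the target window to the foreground (SendKeys goes to whatever has focus), and pauses between Ctrl+S, Ctrl+V and Enter. Notepad stands in for the measurement program here; the only assumption about the real program is that Process.Start() hands back the process whose main window owns the Save As dialog.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;

static class SaveAsDriver
{
    [DllImport("user32.dll")] static extern bool SetForegroundWindow(IntPtr hWnd);

    // Returns null when it is safe to save to `path`, otherwise why blind keystrokes would go wrong.
    public static string Precheck(string path)
    {
        if (!Directory.Exists(Path.GetDirectoryName(path)))
            return "destination folder does not exist: Save As would fail";
        if (File.Exists(path))
            return "file already exists: an overwrite prompt would swallow the Enter";
        return null;
    }

    // Ctrl+S, paste the full path into the filename box, Enter: with pauses for the dialog.
    public static void SaveAs(Process target, string path)
    {
        string problem = Precheck(path);
        if (problem != null) throw new InvalidOperationException(problem);

        target.WaitForInputIdle();                     // let the app finish creating its main window
        SetForegroundWindow(target.MainWindowHandle);  // keystrokes go to the foreground window only
        Thread.Sleep(500);

        Clipboard.SetText(path);                       // needs an STA thread, hence [STAThread] on Main
        SendKeys.SendWait("^s");                       // open Save As
        Thread.Sleep(1000);                            // give the dialog time to appear and take focus
        SendKeys.SendWait("^v");                       // paste the destination path
        Thread.Sleep(300);
        SendKeys.SendWait("{ENTER}");
    }

    [STAThread]
    static void Main()
    {
        // Constructed demo: Notepad stands in for the measurement program.
        var p = Process.Start("notepad.exe");
        SaveAs(p, Path.Combine(Path.GetTempPath(), "measurement-" + DateTime.Now.Ticks + ".txt"));
    }
}
```

If SetForegroundWindow is refused (Windows only grants it to the process that currently owns the foreground or is allowed by it), the keystrokes land in your own console window instead, which is the failure mode the P.S. warns about.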
In my application I am creating a PDF file and sharing it via the Share charm. Most of the time I can successfully share the document to SkyDrive, Mail, etc.
But rarely, when I share the same document, I get an error message like "Something went wrong. Couldn't share Document with SkyDrive",
and after that I can't share that document. I want to know under what conditions this error may occur.
If it's a generic message such as "Something went wrong with Share. Try again later" when you run the app from VS, then this might help (from here - images):
Open Task Manager, end the explorer.exe task (Details tab).
Select Run new task from File in Task Manager and type in explorer in the textbox and click OK.
If it is specific to Sky Drive then it is likely that it has something to do with the Sky Drive application and not your app. I'm unable to replicate the problem you are having.
I would try to isolate the error and see exactly what triggers the error.
Start with debugging the share charm, but keep in mind that if you end the debug session in the datarequest handler the charm might break and stop working, and you will need to apply the dirty fix I wrote above.
Output what happens to a file and run the share until you get the problem, and see if there is anything in the file that can help you figure out the problem.
Also, check the event log on your computer for a hint. I tend to use PowerShell for those things: open PowerShell in admin mode and run Get-EventLog Application -newest 10 | Format-List. Otherwise type Event Viewer while in 'Metro' mode and look under Applications.
From MSDN, on common issues with Share:
Common issues
Unhandled exceptions in a target app cause it to immediately terminate and be replaced with an error message. The target app should gracefully handle any expected errors originating from the user, such as invalid input data, and report them to the user.
If a target app takes too long to respond to an activation event, the system assumes that the app is choosing not to respond and displays an error. Processing data should be moved out of the activation handler whenever possible, typically by storing a ShareOperation object and processing it asynchronously.
Calls to sharing the API can throw exceptions when called too many times or in the wrong order. When you implement a long-running share, be sure to call the share methods in the following order, without calling any single method twice in a row.
ReportStarted
ReportDataRetrieved
ReportSubmittedBackgroundTask
You can call ReportError or ReportCompleted at any time to complete the sharing operation.
To learn more about the share API, see Windows.ApplicationModel.DataTransfer.ShareTarget namespace.
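An added example of the call order the MSDN excerpt prescribes, not code from the answer or from the original app: the activation handler hands the ShareOperation off and returns immediately (the second MSDN bullet), the work reports ReportStarted and ReportDataRetrieved in sequence and ends with exactly one of ReportCompleted or ReportError (the third bullet), and an unexpected payload is reported rather than thrown (the first bullet). ReportSubmittedBackgroundTask is omitted because this version finishes the copy itself; it belongs between ReportDataRetrieved and ReportCompleted when a background task does the rest. The "shared" subfolder name is an assumption.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.Activation;
using Windows.ApplicationModel.DataTransfer;
using Windows.ApplicationModel.DataTransfer.ShareTarget;
using Windows.Storage;
using Windows.UI.Xaml;

// Share *target* side. Keep the activation handler short and drive the ShareOperation
// through ReportStarted -> ReportDataRetrieved -> (ReportSubmittedBackgroundTask) -> ReportCompleted.
sealed partial class App : Application
{
    protected override void OnShareTargetActivated(ShareTargetActivatedEventArgs args)
    {
        // Returning late here makes the system assume we declined, so do nothing slow on this path.
        _ = ProcessShareAsync(args.ShareOperation);
    }

    static async Task ProcessShareAsync(ShareOperation op)
    {
        try
        {
            op.ReportStarted();                                       // 1: we own the operation now

            if (!op.Data.Contains(StandardDataFormats.StorageItems))
            {
                op.ReportError("Nothing shareable: this target only accepts files.");   // expected error, handled
                return;
            }
            var items = await op.Data.GetStorageItemsAsync();         // pull the files out of the DataPackage
            op.ReportDataRetrieved();                                 // 2: the source may release its data

            var dest = await ApplicationData.Current.LocalFolder
                .CreateFolderAsync("shared", CreationCollisionOption.OpenIfExists);
            foreach (var item in items)
                if (item is StorageFile file)
                    await file.CopyAsync(dest, file.Name, NameCollisionOption.GenerateUniqueName);

            op.ReportCompleted();                                     // 3: exactly once, never after ReportError
        }
        catch (Exception ex)
        {
            op.ReportError("Could not save the shared document: " + ex.Message);
        }
    }
}
```

When the copy is slow enough to be moved into a background task, call ReportSubmittedBackgroundTask after ReportDataRetrieved and let the task finish with ReportCompleted; calling any of these methods twice in a row is what produces the exceptions the excerpt warns about.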
Got a working solution to this problem
See this links
How to share a file that has been created on the fly
Share Contract Closes Immediately
I have spent 3 days looking this up and I cannot find a solid answer. I want to capture debug messages and then output them to a list log. I am trying to do this in C#. Would love some help from the community to point me in the right direction.
Well, sure that's possible. Debug output is not limited to being displayed in the Output Window.
All you have to do is write a custom listener and add it to the Debug.Listeners collection. You can find the full documentation about adding trace listeners here on MSDN.
The only thing to watch out for is that the listeners are shared for debug and trace output, so if you add one, you'll receive both types of messages.
If that sounds like too much work and you just need a quick-and-dirty solution, you can download the free DebugView utility from Sysinternals. This neat little tool is a separate application that you run, and it listens to all debugging output from all of the programs installed on the machine. If you use this, you won't even have to change a single line of code in your application: all of the output sent to Debug.Write will show up in the DebugView window.
Alternatively, if you're looking for something long-term that you could perhaps even ship with your application, I would encourage you to investigate adding a logging feature. There are lots of good open source libraries that provide this functionality, and it can be invaluable out in the field when your app is deployed to systems with unknown configurations.
As far as logging goes, Log4Net is solid and easy to use. You can add it to your project via NuGet (if you don't know what NuGet is, check it out: it's really nice). It allows you to log more or less wherever you want (console, file, mail, db ... )
Website contains good documentation and examples.
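The custom listener the first answer describes, as an added example rather than code from either answer: a TraceListener that appends each completed line to a List<string>. Write() without a newline is buffered so that "Debug.Write("a"); Debug.WriteLine("b");" produces one entry, and the Trace.WriteLine call shows the shared-listener behaviour the answer warns about. Debug.Listeners is the .NET Framework API; on .NET Core and later add to Trace.Listeners, which Debug shares. Compile with DEBUG defined, otherwise the Debug.* calls are compiled out.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

// Collects Debug/Trace output in memory instead of (or as well as) the Output window.
public class ListLogListener : TraceListener
{
    public readonly List<string> Lines = new List<string>();
    private readonly StringBuilder partial = new StringBuilder();

    public override void Write(string message)       // Debug.Write: no newline yet, keep buffering
    {
        partial.Append(message);
    }

    public override void WriteLine(string message)   // Debug.WriteLine: flush one complete entry
    {
        partial.Append(message);
        Lines.Add(DateTime.Now.ToString("HH:mm:ss.fff") + " " + partial);
        partial.Clear();
    }
}

static class Program
{
    static void Main()
    {
        var log = new ListLogListener();
        Debug.Listeners.Add(log);          // .NET Framework; on .NET Core/5+ use Trace.Listeners.Add(log)
        try
        {
            Debug.WriteLine("starting");
            Debug.Write("step 1 ");
            Debug.WriteLine("done");
            Trace.WriteLine("trace output lands here too: the listener collection is shared");
        }
        finally
        {
            Debug.Listeners.Remove(log);   // stop capturing before the list is handed to the UI
        }
        foreach (var line in log.Lines)
            Console.WriteLine(line);       // three entries: "starting", "step 1 done", and the Trace line
    }
}
```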
I'm trying to make a WPF application that I could copy/cut and paste files into, and it would copy/move them to a special folder. I know I can get the paths of the files being copied/cut with
var files = Clipboard.GetFileDropList();
But I would like to know, do I need to copy or move the files? I've read something about listening to WM_COPY and WM_CUT. I tried hooking an Hwnd hook to my window handle and it didn't work; neither WM_COPY nor WM_CUT got called. And I tried everything.
So what's the best way of determining if the files were copied or cut?
And some code examples or links would really help a lot.
Thank you.
Work from https://stackoverflow.com/a/2078081/939213 backwards, and for copying substitute 5 for 2.
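What "substitute 5 for 2" refers to, written out as an added example (not the answer's code): Explorer stores the user's intent next to the file list in the "Preferred DropEffect" clipboard format, a DWORD of DROPEFFECT flags. Cut writes DROPEFFECT_MOVE (2); Copy writes DROPEFFECT_COPY | DROPEFFECT_LINK (5). Reading that value tells you whether to copy or move, and writing it is what the linked answer does in the other direction. The decoding treats a missing format as "unknown" rather than guessing, since anything that is not Explorer may omit it.

```csharp
using System;
using System.Collections.Specialized;
using System.IO;
using System.Windows.Forms;

// Reads and writes Explorer's "Preferred DropEffect" alongside a CF_HDROP file list.
static class ClipboardIntent
{
    const string PreferredDropEffect = "Preferred DropEffect";
    const int DROPEFFECT_COPY = 1, DROPEFFECT_MOVE = 2, DROPEFFECT_LINK = 4;

    // Decode the raw format bytes: "cut", "copy", or "unknown" when the format is absent or malformed.
    public static string Decode(byte[] dropEffect)
    {
        if (dropEffect == null || dropEffect.Length < 4) return "unknown";
        int flags = BitConverter.ToInt32(dropEffect, 0);
        if ((flags & DROPEFFECT_MOVE) != 0) return "cut";    // 2: Explorer's Cut
        if ((flags & DROPEFFECT_COPY) != 0) return "copy";   // 5 = COPY|LINK: Explorer's Copy
        return "unknown";
    }

    // Read the intent behind the current file drop list (needs an STA thread).
    public static string CurrentIntent()
    {
        var stream = Clipboard.GetData(PreferredDropEffect) as MemoryStream;   // custom formats come back as a stream
        return Decode(stream?.ToArray());
    }

    // The writing side: put files on the clipboard the way Explorer does for Cut (2) or Copy (5).
    public static void PutFiles(StringCollection paths, bool cut)
    {
        var data = new DataObject();
        data.SetFileDropList(paths);
        int flags = cut ? DROPEFFECT_MOVE : (DROPEFFECT_COPY | DROPEFFECT_LINK);
        data.SetData(PreferredDropEffect, new MemoryStream(BitConverter.GetBytes(flags)));
        Clipboard.SetDataObject(data, true);
    }

    [STAThread]
    static void Main()
    {
        // Constructed demo: cut a file ourselves, read the intent back, then do the same for copy.
        var files = new StringCollection { @"C:\Windows\notepad.exe" };
        PutFiles(files, cut: true);
        Console.WriteLine(CurrentIntent() + ": " + Clipboard.GetFileDropList().Count + " file(s)");   // cut
        PutFiles(files, cut: false);
        Console.WriteLine(CurrentIntent());                                                            // copy
    }
}
```

In the WPF application, call CurrentIntent() right after Clipboard.GetFileDropList(): "cut" means move the files (and clear the clipboard afterwards, as Explorer does), "copy" means copy, and "unknown" should fall back to copying, the non-destructive choice.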
You will not be able to install the hook. I know from experience. Windows only allows left and right clicks to be hooked from .NET. You will have to create a win32 dll, then invoke it in your .NET code to capture the hooks if you have to take that approach.
Or, as simple as this app sounds, just write it using the API anyways in C or C++.
If this is just a small feature in your application and not the application itself, you will either have to find someway to perform the injection and pass it to your .NET app, or you will have to find a way that doesn't involve hooks.
I have a question that I believe that is complex. I have an application that I execute under my Windows and it takes a long time to finish. I want to keep it running (normally), however I want to kill the file on disk - but obviously it's not possible because it's locked / in-use. I need a way to disassociate it from the running process to kill it and at the same time keep the file running. Any example of code or tool is very welcome.
Well, workarounds are welcome, for example, if there is a way to spawn it from a process, kill the master and migrate the child to kill the app, or any other idea that works is welcome - even the ugly ones. :)
Thanks.
A couple of suggestions (completely stolen) from this question's answers:
You could use the MoveFileEx api function to mark the file for deletion upon next reboot.
You can inject a dll to close the handle yourself:
The typical method is as follows. You've said you want to do this in C# so here goes...
If you don't know which process has the file locked, you'll need to examine each process's handle list, and query each handle to determine if it identifies the locked file. Doing this in C# will likely require P/Invoke or an intermediary C++/CLI to call the native APIs you'll need.
Once you've figured out which process(es) have the file locked, you'll need to safely inject a small native DLL into the process (you can also inject a managed DLL, but this is messier, as you then have to start or attach to the .NET runtime).
That bootstrap DLL then closes the handle using CloseHandle etc.
Essentially: the way to unlock a "locked" file is to inject a DLL into the offending process's address space and close it yourself. You can do this using native or managed code. No matter what, you're going to need a small amount of native code or at least P/Invoke into the same.
Helpful links:
http://www.codeproject.com/KB/threads/winspy.aspx
http://damianblog.com/2008/07/02/net-code-injection/
That is a matter the application you want to kill has to handle. It shouldn't keep files open during a long-running process. If the application doesn't close the file, killing it will lead to an exception in that application.
Not sure if this will work on every Windows version, but here it is:
Rename process executable "foo.exe" to "foo.old"
Put new "foo.exe" to correct place
Send a message to the process, so it will execute the new "foo.exe" image and terminate itself.
On start, remove "foo.old" file in program directory.
Update: oops, looks like you do not want to put new image, just remove old one. Then MoveFileEx is only "legal" option.
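The MoveFileEx option from the answers above, combined with the rename step from the last answer, as an added example rather than code from either answer: Windows refuses to delete a mapped executable but does allow it to be renamed, so the running image can be moved aside immediately and the ".old" file handed to MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT. That flag records the request in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which is why it needs an administrator token; the ".old" suffix is the assumption carried over from the last answer.

```csharp
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

// Rename a running executable out of the way now and have Windows delete it at the next boot.
static class SelfRemover
{
    const int MOVEFILE_DELAY_UNTIL_REBOOT = 0x4;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);

    // lpNewFileName = NULL with MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot".
    // Writes PendingFileRenameOperations under HKLM, so this requires administrator rights.
    public static void DeleteOnReboot(string path)
    {
        if (!MoveFileEx(path, null, MOVEFILE_DELAY_UNTIL_REBOOT))
            throw new Win32Exception(Marshal.GetLastWin32Error());
    }

    // The process keeps running from the already-mapped image; only the on-disk name changes.
    public static string RenameRunningImage(string exePath)
    {
        string old = exePath + ".old";
        if (File.Exists(old)) File.Delete(old);   // leftover from an earlier run (fails if it is itself mapped)
        File.Move(exePath, old);                  // allowed; File.Delete(exePath) would fail with a sharing violation
        DeleteOnReboot(old);
        return old;
    }

    static void Main(string[] args)
    {
        // Constructed demo: with no argument, the target is this very program.
        string target = args.Length > 0 ? args[0] : Process.GetCurrentProcess().MainModule.FileName;
        string moved = RenameRunningImage(target);
        Console.WriteLine("renamed to " + moved + " and queued for deletion at reboot; process still running");
    }
}
```

Note that PendingFileRenameOperations is a value defenders routinely audit, because the same two steps are how malware removes its own dropper; on a machine where that is being monitored, expect the rename and the registry write to show up in the logs.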