I'm trying make an WPF application that I could copy/cut and paste files info and it would copy/move them to a special folder. I know I can get the paths of the files being copied/cut with
var files = Clipboard.GetFileDropList();
But I would like to know, do I need to copy or move the files? I've read something about listening to WM_COPY and WM_CUT. And I tried by hooking a Hwnd hook to my window handel and it didn't work, neither WM_COPY nor WM_CUT got called. And I tried everyting.
So what's the best way of determining if the files were copied or cut?
And some code examples or links would really help a lot.
Thank you.
Work from https://stackoverflow.com/a/2078081/939213 backwards. and for copying – substitute 5 for 2.
You will not be able to install the hook. I know from experience. Windows only allows left and right clicks to be hooked from .NET. You will have to create a win32 dll, then invoke it in your .NET code to capture the hooks if you have to take that approach.
Or, as simple as this app sounds, just write it using the API anyways in C or C++.
If this is just a small feature in your application and not the application itself, you will either have to find someway to perform the injection and pass it to your .NET app, or you will have to find a way that doesn't involve hooks.
Related
Is there any possibility on Windows to create a programm ( C# or even C++, or any other language) which can be able to trace which process are using the clipboard ?
I have a malware who modify my clipboard when i paste ethereum adresses. No tools are able to detect this malware...since i'm programmer i would like to code a tool to help me to find the malicious process.
Any idea if it's possible ?
Thanks a lot
There is no Win32 API for monitoring access to the clipboard, only for detecting when changes are made to the clipboard's content.
To do what you are asking for, you will have to write a DLL that directly hooks the Win32 OpenClipboard() function, such as with a detour, and then you can inject that DLL into all running processes, such as with SetWindowsHookEx(), AppInit_DLLs, etc. When your hook is called, it can communicate information about the calling process back to your main app as needed, such as the process ID.
You can find an existing and reputable tool that can do that for you:
Sysmon v12.0 by SysInternals.
Although it doesn't mention it on the doc page, this states
Sysmon 12 adds clipboard capturing
I sifted through some help and references and confirmed that the following config works:
<Sysmon schemaversion="4.40">
<CaptureClipboard />
<EventFiltering>
<RuleGroup name="" groupRelation="or">
<ClipboardChange onmatch="exclude">
</ClipboardChange>
</RuleGroup>
</EventFiltering>
</Sysmon>
You can view those captured events in the Windows Event Viewer, in
Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.
In response to my copying text from the command prompt, I can see this logged event:
Clipboard changed:
RuleName: -
UtcTime: 2020-10-12 22:08:45.505
ProcessGuid: {0509ed25-cd58-5f84-41a3-050000003500}
ProcessId: 20708
Image: C:\Windows\System32\cmd.exe
Session: 3
etc...
Another option, for DIY programmers :)
From your code, copy something to the Clipboard with delay rendering:
::SetClipboardData(CF_TEXT, NULL);
When someone (that malware?) would attempt to get that text, you will receive a WM_RENDERFORMAT message. If you place a breakpoint there and stop your execution, the calling program will be blocked on its GetClipboardData call or something like that.
I didn't figure out where to go from here. Enumerate all processes? Attach to each one with Debugger? Look at their call stack?
I want to be able to detect if a file is read by another process. For example, if a text editor open's a file, I want to have a function to be able to get the name of the file that was read.
I saw that you can use the FileSystemWatcher class in C# to watch a directory for file changes but they don't solve the problem, I saw these on a 6 year old thread.
Has anything new been added to C# or Win32's API since then to allow file open detection?
Indeed this is a very complex subject, you would need to work with a File System Filter Driver (https://msdn.microsoft.com/windows/hardware/drivers/ifs/index) very low level stuff which would be hard to implement, I think that at least in the .net world there is not an easy way to do this.
I work for an IT company where we all carry around flash drives that have our most used programs on them.In my spare time I am hoping to create a "main menu" item that is kind of a fun and convenient way to access these files. I am working on creating this using Visual Studio 2013 and using visual C# windows forms. I have come across a snag however that I can't seem to find a workaround for. I am by no means fluent in C#, but I need to have a button on the windows form open a file without specifying what drive it comes from. I understand that I have to specify a path, but as these will be stored on the flash drives of myself and my coworkers I cannot foresee that the path will always begin with E:. Depending on what USB slot the drive is plugged into it could be N: or F: or the like. I have provided an example below:
Using what I currently know I am opening files using this line of code:
System.Diagnostics.Process.Start("C:/Users/Myname/Desktop/Asmodeus/Anti-Virus/Anti-Virus Installers/avast_free_antivirus_setup.exe");
Is there any way possible I can have the file open simply from
System.Diagnostics.Process.Start("Asmodeus/Anti-Virus/Anti-Virus Installers/avast_free_antivirus_setup.exe");
or something of that nature?
Thanks in advance.
There must have been some mis-communication when I asked my question previously. what I am looking to do is open an executable file via a button click on the windows form using a relative path. I am not able to specify the absolute path because the application will be run from a flash drive and therefore will change depending on what USB slot it is currently inserted into.
What I am hoping to accomplish is insert a line of code that will allow me to open an executable file that is located in the \bin\debug folder along with the application itself. I have a picture for clarification but apparently do not have enough reputation to post it. Thank you and sorry for the earlier confusion.
Usually you can just use Environment.GetFolderPath (MSDN) to give you what you need. It doesn't do absolutely everything, but if you need Desktop and the like, that is plenty.
Depending on the target version of .Net, the SpecialFolders exposed are not all there. It may turn out that you need more than they provide, but in your case it doesn't sound like it.
If there is more you need that is not covered in the default, check out this project. I'm sure there are others like it, but it does a little more than the default BCL version, using the API directly. It is at least something to read and learn (and translate from vb.. use an online translator, very quick). I haven't looked at it, but it seems like you are learning this c#/.net thingy, so it might be helpful
This article is about accessing Windows special folders.
These folders include your “Favorites”, “Cookies”, system libraries and the like.
Here is code, including a large number of constant definitions, plus documentation,
allowing access to and creation of these folders.
I have a question that I believe that is complex. I have an application that I execute under my Windows and it takes a long time to finish. I want to keep it running (normally), however I want to kill the file on disk - but obviously it's not possible because it's locked / in-use. I need a way to disassociate it from the running process to kill it and at the same time keep the file running. Any example of code or tool is very welcome.
Well, workarounds are welcome, for example, if there is a way to spawn it from a process, key the master and migrate the child to kill the app, or any other idea that works is welcome - even the ugly ones. :)
Thanks.
A couple of suggestions (completely stolen) from this questions answers:
You could use the MoveFileEx api function to mark the file for deletion upon next reboot.
You can inject a dll to close the handle yourself:
The typical method is as follows. You've said you want to do this in C# so here goes...
If you don't know which process has the file locked, you'll need to examine each process's handle list, and query each handle to determine if it identifies the locked file. Doing this in C# will likely require P/Invoke or an intermediary C++/CLI to call the native APIs you'll need.
Once you've figured out which process(es) have the file locked, you'll need to safely inject a small native DLL into the process (you can also inject a managed DLL, but this is messier, as you then have to start or attach to the .NET runtime).
That bootstrap DLL then closes the handle using CloseHandle etc.
Essentially: the way to unlock a "locked" file is to inject a DLL into the offending process's address space and close it yourself. You can do this using native or managed code. No matter what, you're going to need a small amount of native code or at least P/Invoke into the same.
Helpful links:
http://www.codeproject.com/KB/threads/winspy.aspx
http://damianblog.com/2008/07/02/net-code-injection/
That is a matter the application you want to kill has to handle. It shouldn't keep files open during a long running process. If the application doesn't close the file, killing it will lead to exception in that application.
Not sure if this will work on every Windows version, but here it is:
Rename process executable "foo.exe" to "foo.old"
Put new "foo.exe" to correct place
Send message to process, so it will execute new "foo.exe" image and terminate himself.
On start, remove "foo.old" file in program directory.
Update: oops, looks like you do not want to put new image, just remove old one. Then MoveFileEx is only "legal" option.
I want to write a program that will encrypt an entire folder and it's sub-folders, I have no problem doing this but I would like to make the entire encryption process rather transparent by letting a user double click it and have it open as if it weren't encrypted, say if it were a picture or a word document and it'd open in it's respective application.
How can a running program of mine become notified about the opening of a target file, stop the file from opening, do what it needs to do (decrypt), followed by running the resulting decrypted file.
How can I watch a file and do this in C#? Can I watch for other interactions like the user copying a watched file (since it won't be in a watched folder, it should be decrypted i.e. it's dragged to a USB device), or for deleting a watched file (say if I want to shred a file before deletion)?
P.S. The FileSystemWatcher doesn't quite meet my needs. EDIT: What I mean is that FileSystemWatcher will tell me when a file is being opened, deleted and all those events, but it won't let me step in real quick, decrypt the file, and hand it back to the process that normally opens that file.
You can rename files, add them your own extension, like thepicture.jpg.encrypted. Set your program as a default program for this extension and handle opening them
It's impossible in C#. the bare minimum would need you to use user-mode hooks on NtCreateFile, NtOpenFile, etc. You can't achieve that in C#. That wouldn't even work properly due to kernel-mode code which may try to access your files. The proper way of doing this would be to write a I/O minifilter (in C of course).
EDIT: If you're really desperate, try EasyHook - it allows you to hook functions from C#. I haven't tried it though, and it does seem risky hooking vital functions like NtCreateFile. Plus you need a fair bit of Native API knowledge.
Are you using Windows? If so, why not use the built-in BitLocker?
See this link:
BitLocker drive encryption
If you are thinking about a competitive application to BitLocker, add a comment, as I can point you in that direction as well.
Instead of trying to reinvent the wheel, use NTFS file encryption. You can encrypt single files or entire folders or drives. Plus it's completely transparent to the user and does exactly what you asks (e.g. automatically decrypt when copying to a UBS drive, etc). Just use System.IO.File.Encrypt(string) - there couldn't be anything easier.
You can't do this from usermode.
Unfortunately the only way to do this is to write a minifilter driver. Minifilter drivers allow you to intercept IO requests to files, you can then encrypt/decrypt the files you care about on the fly.
It sounds simple, but encryption minifilter drivers are very, very, difficult to get right. You will have to end up shadowing file objects which is a real challenge. Check with www.osr.com, they have a ton of information on doing exactly what you want to do.
If you choose to go this route I would recommend getting a copy of VMWare Workstation and download VirtualKD. It will let you debug at near fire-wire speeds into a VM. I would start with x64 Win7 and get remote shares working first.