I received a windows application that is create a file on my windows. How can I find out where the file is?
I guess the program create a text file to save a code or something. I want that file. What can I do and how can I find it?
Sorry for bad English.
You can use Process Monitor to monitor any changes to file system or registry a program makes. Filter for the name of your programs executable and for file creation. Then run your program and analyze the log. Be prepared there might be a lot of entries.
Also keep in mind that "codes" are often not just stored in files. It might be in the registry and it might not be in the format you expect...
Related
I have one Vbscript which runs continuously on my system to monitor a web page on Internet Explorer.
I have permanently deleted this Vbscript file from its original location on system by mistake, However the script is still in RAM and is still running and monitoring the web page.
This script is very important to me but I have lost it :(
I want to know if there is any way by which I can recover the code of Vbscript file from system's RAM or any temporary file as the script is still running.
I am not allowed to use any file recovery software, so please don't suggest to install any third party data recovery software.
Try using 'ADPlus.vbs' script from WinDbg:
1. http://msdn.microsoft.com/en-us/windows/hardware/hh852365
2. http://support.microsoft.com/kb/286350
As the code was running, I followed the below process to recover the running code:
Go to Task Manager
Select the process and create dump
Open online dump analyser (www.osronline.com)
Upload dump file
Download the dump analysis
The dump analysis provided almost 95% of the correct code. Code within some loops were distorted or changed. As I was the owner of the code I was able to correct it.
Use HxD, it can view all ram content relative to any process at fly. It is commonly used to hack currently running games etc.
After locating your script, it might be needed to clear alphanumeric mess between your code, N++ and regex knowledge may be useful.
I want to create a .bat file in Windows that receives a password and will call a custom utility to encrypt that password.
Is really important that the password sent to the .bat file as parameter is not logged anywhere.
My question is, if running a .bat file will create any system logs? anywhere? What if the .bat fails?
Are there any other better ways of doing this?
Thanks!
The generic answer is, "No, the running of batch files is not logged." However, there is no guarantee on a given system that the information is not saved somewhere. Or to say that again without double negatives, it is possible on some system that the information could be saved. For example, there could be a custom command shell (possibly created by the "bad" guy) that does log information.
You're going to see the command line in the process list. So if something is logging processes, or if it's long-running and someone opens the Task Manager, they could see it.
I have a build script where i create a text report file and output various log type stuff to it. The data is all being built onto an external hd which (according to 'mount') has file format "fuseblk" (which i've never heard of).
The building all seems to work ok but my report files are being saved as executables, which linux interprets as SOR files. I'd like them to just be regular text files, openable by default in my regular text editor.
I'm making the file, and writing to it, like this:
#report = File.open(File.join(DESTINATION_BUILD_FOLDER, "#{title.folder_name}_report.txt"),"w")
...
s = "making modules folder inside resource_library folder";puts s; #report.puts s
...
#report.close
I've done this lots of times before and never encountered this problem. Any ideas anyone?
cheers, max
ps i know that i can edit the saved files to make them non-executable, my question is 'why is this happening in the first place?'. Cheers :)
I don't think there's anything wrong with your program. The fuseblk just means it's being mounted through FUSE, which allows filesystem drivers to run as userspace programs, instead of kernel modules. Most likely, the filesystem is NTFS or FAT32.
The problem here is that Linux is assuming everything on the drive has the execute bit set. This is because neither NTFS nor FAT32 have the capability to store Linux permission bits (NTFS has a very different permissions system, FAT32 has virtually none). And I bet you're trying to double-click on the log files in something like the gnome file explorer, right?
Well, go there with the command line and use less or your favorite command-line editor to view them. Or right click on them in the file explorer, or open them with File -> Open from a text editor. If you ask your question to people who know Gnome (or KDE?) better, you'll probably get a better answer.
I want that an exe file can't be copied or cut from the Windows file system to paste somewhere.
The exe is made in C#. which must have to be in only one PC.
I have worked with FileSystemWatcher, NSIS, Clipboard. but for all I need to detect whether that file is being copied.
I also have seen 'Prevent'(http www free-download-blog.com disable-cut-paste-copy-delete-rename-functions-using-prevent ), but I need to prevent only that particular exe from being copied or cut.
Any pointer or idea will help.
As others have suggested you won't be able to disable the copy/cut behaviour so easily.
An alternative would be to disable the execution of the copied versions. In your executable you could check many things like :
The path of the present executable is explicitly your_path
The name of the machine and user is the one you authorise
You could even prevent the file of being executed more than once using Windows register entries (if already 1 don't launch). It won't be perfect since any experimented user could tweak that out, assuming they are seeking for that. But depending on your users profile it might be sufficient.
If you need the exe to be executable, you need to permit loading it into memory.
As soon as you do, anyone can read it to memory using ReadFile and then write to an arbitrary location using WriteFile. No shell-detectable copying involved.
A good reading: Raymond's post and its comments on preventing copying.
Well, this is a hard problem. Even if you get explorer.exe to disable cut&paste, what prevents a user from using the command window? Or writing their own exe to do it? Booting up in linux and reading it?
Still, you have a few options (there will be more, most likely) which you could try:
Use the right permissions: Set the
permissions such that the users who
you don't want to cut&paste cannot
read the file.
Write a device driver which can hook
onto the filesystem calls and do that
for you.
Encrypt the file.
And some hacky options like:
Use the APPINIT_DLLS regkey to put your own dll to be loaded into each process ( I am not sure if this will work with console process though). Then on your dll load, do IAT hooking to replace the kernel32.dll file calls.
Replace kernel32.dll with your own version. Might have to do some messing around with the PE format etc.
There are no guarantees though. If for instance, you expect them to be able to execute it, but not copy it, you are probably stuck.
Any local admin will be able to undo anything you do to prevent copying. I can pretty much guarantee the program on that page you mention relies on a service or background process to prevent copy-and-paste, and therefore is easily circumventable. If your users are in a closed environment where none of them are admins and they have very limited rights to their PCs, then you have a chance.
if you could completly block explorer from copying or moving files, then all u need is a 3rd party software for copying files (but make sure it can filter file extensions) for example Copy Handler
Set up an ENVIRONMENT variable in your machine
In your code add a check
if (ENVIRONMENT Variable=='Same as defined')
//Execute code
else
//Suspend execution
I have a process with an open filehandle to a file. I need to detect if this file has been deleted by another process (there may be a file with the same name in its place). On UNIX I was comparing the inodes of my filehandle and the file-path via stat, but this doesn't work on Win32. How can I do this in Perl?
Thanks,
-Peter
I may be mistaken (I'm not a Windows programmer), but I thought files can't be deleted or replaced when they are opened in Win32, or at least by default it isn't possible.
This is a hard problem to solve, especially across both Windows and Unix.
Let's back up. Why are you trying to detect if the file has been replaced? My guess would be that you have some sort of race condition, two programs both trying to write to the same file. Perhaps file locking would help here? Or to use a real database? SQLite and Berkley DB come to mind.
I'd try comparing size, mtime, and atime; should be very difficult for those to be the same (barring nonsense like, say, stat on a filehandle on win32 giving you the information for the current file in the filesystem regardless of whether your filehandle is on a deleted instance). If it's possible for your file to be deleted and replaced with an identical file multiple times within a given second, and you have to detect this, then you may have to go to an architectural solution like using numbered versions of your file or something.
Look at the Win32::ChangeNotify package to register for notification of changes to a file or directory. It's also possible to open the file via the Win32API::File package such that it can't be deleted while you have it open (see createFile() and OsFHandleOpen() particularly, as well as the CreateFile() docs on MSDN).