I have an IIS application with a named pipe binding. When I open powershell and run Get-ChildItem '\\.\pipe\', I see a long list of named pipes with crazy names like GUIDs. Some of them start with iisipm which I assume means they are created by IIS. How can I programmatically determine which one these pipes is associated with my IIS application?
A named pipe is just a file on the filesystem used for I/O through SMB. What you're asking is anlogous to saying, "I have a file on my desktop, what is using it?!" I will give you that your question is slightly more abstract because there are built-in ways to figure out read/writes to normal files via SACLs on Security Descriptors and using the Security event log. And while this can still be done with named pipes, you'd have to add a SACL to every named pipe and ensure proper auditing was turned on to catch this.
In this case, the easiest way to accomplish what you're looking for is to use Process Explorer to find all open handles to named pipes and find the IIS worker process that has a handle for it.
To do this:
Run Process Explorer, as admin
Press, CTRL-F for Find
Select, "File Handle or DLL..."
Type, "\Device\NamedPipe\"
..and identify which process is your IIS process and then which pipe it has a handle open to.
Edit: Handle.exe (also from Sysinternals) should also provide this information.
Related
I'm trying to automate a workflow. The automation script is mainly written in Powershell It consists of these steps: 1) Opening a program 2) Communicating with the API, reading values, etc. 3) Closing the program. This script will be run many times a day, it would suffice to not close the program every time the script is finishing, but rather check at the beginning of the script whether the program is already opened, and if not, open it. I'd like to implement both, then decide which solution to use later on.
The code for opening the program is completed, but it's not enough to just run an .exe file to open the program, as I have to load the correct settings and GUI, for this while opening the .exe file from the command line, additionally, I have to use -s, also -c. I concluded all this in runProgram.cmd, so in the Powershell script, I only run this file to open the program. However, I am unsure how the already opened program can be detected (that it's opened), and how can I close it. I believe a solution might use processes, with the help of Get-Process, but I'm unsure of its capabilities and limitations (how do I check if my program's process is not amongst the list of running processes?), and whether there is a better way of dealing with this problem.
I have found the solution:
Open the program and open Powershell, and type Get-Process (this will list all the currently running processes)
Search yours (by name). If you don't know which process is the one you're looking for, you can close your program, then type Get-Process again, and look for the process that disappeared from the list, since you closed it. Let's assume the name of it is "yourprocess".
In the code, type $val = Get-Process -Name yourprocess. If it is running, $val should equal some data about the process, if it is not running, then $val is 0. Therefore, if you want to check whether it's opened, you should use:
if($null -ne $val){...}
Finally, stopping the process: Stop-Process -Name yourprocess.
I am working on a project with around 40 script files and I am going to package the scripts to distribute them to my clients (kind of like a version release). I don't want my clients to change my scripts (at least make it hard for them to change).
I have made certain files Read Only by setting the execution policy but the clients can simply set it back to writable so I want to add in a few lines of code (preferably less than 5) to check that the scripts are not modified.
I am aware of using property LastWriteTime will do it but I will need to do this for each of the script (a hash table to keep track of the LastWriteTime for each file will be to long and not clean enough) which is not ideal.
I have also considered Get-FileHash but I am concerned about the hash code will change each time I run it.
As you already have realized, it is impossible to prevent clients from modifying scripts in water-tight a way. Bruce Schneier sums it up nicely: "Trying to make bits uncopyable is like trying to make water not wet."
To run a script, one needs to copy it at least in system's memory - and at that point you've lost control. What's to prevent copying the script in alternate a location and editing it before running? Nothing, unless you have tight control on client. Should you have tight control, setting execution policy to signed prevents running unsigned scripts. Until the client starts Powershell from command line with -Executionpolicy Bypass switch. The execution policy isn't a security system that restricts user actions .
There are a few approaches that can hinder editing, but a determined hacker can overcome those. So the root question is: why? Why shouldn't the clients modify the scripts? Is it to protect some IP? Are they trying to achieve something the scripts are not designed to? Something else?
A simple solution is to use a tool like PS2EXE that converts Powershell script as an executable. The contents can be extracted and modified, but it requires at least a bit more effort than running Notepad.
Another approach would be modules. Distribute the scripts as a Powershell module that the clients will import. Editing a module requires a bit more effort than editing a simple script file, but is quite possible too.
I'm looking for solution to delete or (preferably directly) overwrite source of an exe file while it is running.
To explain further before you get it all wrong, I'll give an example:
I have an exe file on drive D:\ which I run (with previously posted question's answer, giving params to "Start in" folder on C:\Program Files\MyProgram\" so it finds its dlls.
Now after the file is running, I'd like to rewrite the file's byte stream (just like opening it in hex editor...), or at least delete it so I can copy over new exe file directly using same name.
So far the solution I'm using is that I trigger format D: command for the whole drive D:\ (which, in my case is ramdisk and thumb-drive, as I only have this exe on it, I copy it there as necessary), since that removes the file and let's me copy new file there.
Trying to use del myProgram.exe even with -force flag triggers error that access to the file is denied. Same goes if I try to overwrite the contents of the file.
Is there any alternative to do that without using the format command, as that requires to have partition drive only for the purpose?
Update: Note: MoveFileEx and similar techniques that require termination of the process or system restart/reboot are not qualified as a solution. This should be done while the process is running without further actions that can compromise the process's run state.
On a side note, when formatting the drive using the Powershell's format command, the file is gone, although if viewing the partition using Hex viewer tool, there is full binary (hex) content of the exe visible there and an be restored using just as simple as copy-paste technique. This is one of the points as to where overwriting the file contents would be preferable than deleting the file directly.
Please note: This is a knowledge and skills based question, and would therefore appreciate sparing the moral and security-concerning comments about such actions and behaviour.
For deleting/replacing/overwriting a file at least two conditions must be met:
The user performing the operation must have the required permissions to do so. This can be verified for instance via Get-Acl or icacls.
Windows must not have an open handle to the file. This can be checked for instance with tools like Process Explorer or handle. These tools can also be used to forcibly close open handles, although that's not recommended as it may cause data loss and/or damage to the files in question. I'm not sure, though, if it's actually possible to close handles to an executable without terminating the process.
Note that antivirus software is likely to interfere with this kind of operation.
The basic problem here is that Windows loads from the .EXE upon demand, it's not all read in at once.
If you destroy the original file what happens when it tries to load in a page that no longer exists?
If I had to write something of this sort I would copy the .exe to a temporary location (beware that running code from the temp directory may be prohibited), run the new .exe, terminate the old one and then do what I want to it.
Objective:
I'm trying to use a program called Texmod.exe to start another program (exe) with certain parameters.
Background:
Texmod is program that opens up another exe and extracts/replaces textures that are pulled up in the second program while it is running. I'm trying to start the second exe with the parameters: -AlwaysFocus -ControllerOffset=1 -SaveDataId=2. Starting the second exe with shortcuts/.bat that have these parameters in a command line DOES work. However, I would like to do this in conjunction with Texmod.
Complications:
I'm using Texmod v0.9 b which doesn't support starting an exe with command line parameters. Newer versions, such as the open source reboot known as uMod, does support but it doesn't replace textures as well and crashes often compared to the original version.
Texmod.exe must start the second exe directly. Texmod can't select a shortcut to start the exe. I've tried making Texmod start another exe/.bat that then starts the second desired exe with parameters but this causes Texmod not to function.
Methods I have thought about but not sure if they work or even possible:
Somehow forcing all processes started by Texmod.exe to start with certain parameters
Somehow force the desired exe to always start with certain parameters regardless of start method (via Texmod, shortcuts, .bat, etc)
Add parameters to the process started by the desired exe after it is already running
Obviously I'm open to any ideas. Is what I'm asking even possible? Sorry if it seems unclear or I sound irrational; my knowledge on this is limited.
Edit: #Toby Speight I'm not sure what you mean by an example of the code I'm having trouble with as I'm just wondering if it's possible to perform the scenario I described. This is where I got the Texmod program from (it's the oldest release texmod.zip - Original TexMod 0.9 beta). I've searched the internet for possible solutions but I've found very few so some of the methods I've tried are:
Used Texmod.exe to start a desktop shortcut with target: "directory to exe" -AlwaysFocus -ControllerOffset=1 -SaveDataId=2. The result was Texmod couldn't use the shortcut and just opened the exe without the parameters.
Used Texmod to start an exe named caller.exe which started the exe I desired using the method described here. In command.txt, described by the instructions, I put ""name of exe.exe" -AlwaysFocus -ControllerOffset=1 -SaveDataId=2." The result was the exe started with the parameters but Texmod failed to modify the textures because it was modifying textures pulled up by caller.exe instead.
Used Texmod to open a .bat file with the lines: ""name of exe.exe" -AlwaysFocus -ControllerOffset=1 -SaveDataId=2." The result was the same as attempt described in #2.
Edit2: I also stumbled on this page where someone else claims they managed to achieve what sounds like the objective I desire. However, I do not know enough about code to understand it. If someone could look over this to see if it would work or see if they can modify it to fit the arguments that I desire.
You can use windows registry to force Windows run another app when specific .exe is called. Let me show an example: i'm trying to use TexMod with Remember Me.
Required setup:
Create a copy of game .exe, place it near original with different name, eg RememberMe_copy.exe
Go to windows registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
create new key named as original .exe, in my case it's RememberMe.exe. Registry key looks like a folder.
In this key, create new string value named Debugger with full path to copy of .exe with required commandline args. For example: "C:\Program Files (x86)\Steam\steamapps\common\Remember Me\Binaries\Win32\RememberMe_copy.exe" -ReadPoolSizeFromIni. Note the path to .exe is quoted, commandline arguments are not. String value has type REG_SZ.
Now when you try to run anything called RememberMe.exe, Windows will instead run the RememberMe_copy.exe with specified parameters (and something else but we don't care). This feature is left in Windows for debugging purposes.
Finally, open TexMod, select RememberMe.exe. It will think it's running original file, but instead Windows will silently run another file with another parameters. As there is nothing else in between, TexMod is happy.
Why can't we use single file? Well, Windows will run original .exe instead of original .exe, then instead of it will run original .exe... causing infinite loop.
I have a named pipe server in my software, which I have accessed using C# and Python. I have a customer asking me if it's possible to access the named pipe through Simulink, but I have never used that software. Google and Stackoverflow don't seem to contain any examples of this, but I'm not sure that means that it's not possible. Does anyone know for sure whether Simulink is or isn't capable of accessing the named pipe server in another program?
I don't know what simulink is, but a named pipe usually just shows up like a file... they would have to go to some length to detect that a file was a pipe (fstat/lstat)
but you can make one to test with like...
mkfifo dog
echo "bark"
then try to open that file in simulink...
that is just basically the semantics of opening a file, if simulink tries to seek around in the file ... it will
fail...
you should read about what a fifo is, and play with it, like in the above example:
try in another shell: cat dog...