Comments on HEXALE (security & reverse engineering): Using whosthere.exe with psexec

Comment by hernan (2008-09-25, 17:51 -03:00)

That's probably because your program exe is running in the wrong windowstation.

Please move this question to www.hexale.org/forums so I can work with you on a solution.

Thanks!
Hernan

Comment by Anonymous (2008-09-23, 14:14 -03:00)

I'm trying to run psexec with an exe that contains this line of code:

gfx.CopyFromScreen(0, 0, 0, 0, new Size(screenWidth, screenHeight), CopyPixelOperation.SourceCopy);

It will hit an exception when run on a remote computer, but runs fine locally.

This is the exception:

```text
Unhandled Exception: System.ComponentModel.Win32Exception: The handle is invalid

   at System.Drawing.Graphics.CopyFromScreen(Int32 sourceX, Int32 sourceY, Int32 destinationX, Int32 destinationY, Size blockRegionSize)
   at TakeScreenShot.Program.Main(String[] args)
c:\browsershotsexes\TakeScreenShot.exe exited on TestVistaErtang with error code -532459699.
```

Thanks, Eric

PS This is all the code for the exe:

```csharp
using System;
using System.Collections;
using System.Text;
using System.Drawing.Imaging;
using System.Drawing;
using System.Windows.Forms;
using System.Runtime.InteropServices;
//using SnipLib;
//using MS.Internal.Test.Tools

namespace TakeScreenShot
{
    class Program
    {
        #region Console Window property stuff
        // Handle of the console window this process is attached to (IntPtr.Zero if there is none)
        [DllImport("kernel32.dll", ExactSpelling = true)]
        private static extern IntPtr GetConsoleWindow();

        private static IntPtr ThisConsole = GetConsoleWindow();

        // ShowWindow with the SW_* constants below
        [DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        private static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
        private const int HIDE = 0;
        private const int MAXIMIZE = 3;
        private const int MINIMIZE = 6;
        private const int RESTORE = 9;
        #endregion

        static void Main(string[] args)
        {
            ShowWindow(ThisConsole, HIDE); // Hides Console Window
            Console.WriteLine("Minimizing the Current Console Window...");
            System.Threading.Thread.Sleep(2000);

            // Size of the primary screen
            Rectangle scrBounds = Screen.GetBounds(new Point(0, 0));
            int screenWidth = scrBounds.Width;
            Console.WriteLine(screenWidth);
            int screenHeight = scrBounds.Height;
            Console.WriteLine(screenHeight);

            using (Bitmap bmpScreenShot = new Bitmap(screenWidth, screenHeight))
            {
                using (Graphics gfx = Graphics.FromImage((Image)bmpScreenShot))
                {
                    Console.WriteLine(Environment.MachineName);
                    // Copies the visible desktop into the bitmap; needs an interactive window station
                    gfx.CopyFromScreen(0, 0, 0, 0, new Size(screenWidth, screenHeight), CopyPixelOperation.SourceCopy);
                    bmpScreenShot.Save("\\\\ankursi-vista\\a-ertang\\" + Environment.MachineName + "_" + screenWidth.ToString() + "x" + screenHeight.ToString() + "_test.png", ImageFormat.Png);
                }
            }
            ShowWindow(ThisConsole, RESTORE);
        }
    }
}
```

Comment by Anonymous (2008-05-08, 18:38 -03:00)

I prefer to attach the usage of whosthere to the Windows event log so that it will only run whenever someone logs on, and will also be sure to catch any short, automated logins that only last for 1 or 2 seconds. This has the added benefit of not being listed in the running processes for more than a very brief instant.

You can tie the command directly with eventtriggers if you want, but I prefer to use a simple batch script to capture date/time info and the EID that triggered it. I've included both below.

You can use PSEXEC to launch a remote command shell (use PSEXEC's interactive switch and tell it to run cmd.exe) and enter the eventtriggers command that way. I've also used WinRAR SFX packages to zip up whosthere.exe, run_whosthere.bat, and an installer batch file that will move the files to the correct locations and issue the eventtriggers command for me. Then you just run psexec once and you're done.

Regards,
N

The command to tie it to an event id is:

```text
eventtriggers.exe /create /l Security /t SUCCESSAUDIT /ru SYSTEM /eid #EID value# /tr wt_#EID value# /tk "C:\path\to\the\file\run_whosthere.bat #EID value#"
```

And here's the batch file I use:

```bat
::==run_whosthere.bat
@echo off
setLocal EnableDelayedExpansion

REM You can attach this to the event ID for network logons by issuing the following at the command prompt (replace EID with the value that you are interested in; I usually attach to 528, 540, and 552).
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=528
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=540
REM http://www.ultimatewindowssecurity.com/securitylog/Event.aspx?EventID=552
REM eventtriggers.exe /create /l Security /t SUCCESSAUDIT /ru SYSTEM /eid #EID value# /tr wt_#EID value# /tk "D:\path\to\the\file\run_whosthere.bat #EID value#"

:: Find the most recent whosthere_output file (dir /od sorts by date, so the last match wins)
for /f %%J in ('dir /b/od whosthere_output_*') do (set latest=%%~nJ)

:: Copy the old file to the new name, delete the old file
:: ("whosthere_output_" is 17 characters, so the substring is the numeric suffix)
set NEW=%latest:~17,7%
set OLD=%NEW%
set /a NEW+=1
COPY whosthere_output_%OLD%.txt whosthere_output_%NEW%.txt >NUL
DEL whosthere_output_%OLD%.txt

:: If you use the eventtriggers.exe command from above, you will be passing the EID that occurred. Record that here and dump the notice to the logfile.
set /a EID=%1
ECHO. ******************** Logon EID %EID% %Date% %Time% ******************** >> whosthere_output_%NEW%.txt

:: Run whosthere using the output file option.
whosthere.exe -o whosthere_output_%NEW%.txt
```