December 10, 2009

Controlling External .Net Processes

I have a project where I wanted to be able to provide my users with a button that would open an external application. The idea is that the interaction would be seamless so that from the users perspective, the external application would seem to be apart of my application. To pull this off, I needed to be able to bring the main window(s) of the external application to the front if I had already launched it but the user clicked the button again.

For this implementation, I tried to use the following .Net implementation:

IntPtr mainWindowsHandle = _process.MainWindowHandle;
//show the process's window if applicable else inform the user
if (!mainWindowsHandle.Equals(IntPtr.Zero))
//show the process's main window
ShowWindow(mainWindowsHandle, 1);

Here we get the handle to the main window of the process and we call the win32 ShowWindow and SetForegroundWindow methods to the front.

I went ahead and tried it out with Windows' Calculator and everything seemed to work perfectly. As it turns out, however, .Net applications tend to return IntPtr.Zero as their MainWindowHandle. This would cause this implementation to fail. So it was back to the drawing board.

I found an alternative implementation that would work for .Net applications as well by jumping through a few more win32 hoops. Here is the new improved implementation:

DateTime start = DateTime.Now;
IntPtr windowHandle = IntPtr.Zero;

int waitTime = 500;

(hWnd, lParam) =>
if (windowHandle == IntPtr.Zero && DateTime.Now.Subtract(start).TotalMilliseconds <>
uint pId = 0;
GetWindowThreadProcessId(hWnd, out pId);
if (pId == _process.Id)
windowHandle = hWnd;

return true;

while (windowHandle == IntPtr.Zero && DateTime.Now.Subtract(start).TotalMilliseconds <>

//show the process's window if applicable else inform the user
if(windowHandle != IntPtr.Zero)
//show the process's main window
ShowWindow(windowHandle, SW_SHOWNORMAL);

Here we use EnumWindows to give us a list handles to open windows and find the first window that has the process ID that we are interested in. This technique seems to prevent getting a bad handle to the main window.

Here are the pInvoke signature used in C# for this implementation:

static extern bool SetForegroundWindow(IntPtr hWnd);

const uint SW_SHOWNORMAL = 1;

static extern bool ShowWindow(IntPtr hwnd, uint windowStyle);

private delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

[return: MarshalAs(UnmanagedType.Bool)]
static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

[DllImport("user32.dll", SetLastError = true)]
static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);

November 24, 2009

Embedding IronPython Within C#

IronPython is a Python implementation that runs on the .Net DLR and allows the use of the powerful .Net Framework from Python. While this is very exciting for Python development, there are also great advantages for other .Net languages. Using IronPython, we can run Python code from without a .Net application. More specifically, we can allow a .Net application to be extendable or scriptable with python.

In the following example, I will create a basic python 'plugin' framework in C#.

Python Code
class TestClass(object):
def __init__(self):
self.A = 5
self.B = 4
def Go(self):
return self.A + self.B

C# Code
public static object Execute(string code)
object result;

ScriptEngine engine = Python.CreateEngine();
ScriptScope scope = engine.CreateScope();
ScriptSource source = engine.CreateScriptSourceFromString(code);
object t = scope.GetVariable("TestClass");
object o = engine.Operations.CreateInstance(t);
object r = engine.Operations.InvokeMember(o, "Go");
result = r;
catch (Exception ex)
result = ex;

return result;

August 3, 2009

.Net Assembly Probing

I have a situation where I need an application to look for assemblies in a subdirectory of the path where the executable resides. For instance, if I have an executable here:


The application will normally look for assemblies it depends on here:


However, what if you would like to put the assemblies here instead:


What you can do is add a few lines to your app.config for the application that looks like this.

<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="bin1;bin2;bin3"/>

Where the privatePath attribute is a semi-colon delimited list of subdirectories to look in. In this particular case, we would add this:

<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<probing privatePath="MyAssemblies"/>

July 15, 2009

Windows XP Activation Fix

I ran across a situation where after doing a repair on Windows XP, the system thought the OS had not been activated and that my 30-day grace period was up. In addition, whenever I would click 'yes' I do want to go ahead and activate, the system would reboot itself. It is also not possible to activate from safe mode. I have read that this is something of a common problem with SP3.

It turns out that Microsoft has created an application for system administrators and PC makers that allows you to put the system into a 'factory mode'. The result is that you have an unactivated OS with a 30-day grace period to activate again.

The tool is called SysPrep which you can download with a set of tools provided in a cab file from Microsoft. Here are the steps to follow:

1.) Boot into safe mode with the command prompt option.
2.) Run 'explorer'.
3.) Export the files from the cab file into some location via 'My Computer'.
4.) Run the sysprep executable.
5.) Choose the "factory" option (the system will shut down when the operation completes).
6.) Boot into Normal mode.
7.) Restart the system again (your system may reboot automatically if you try to log in).
8.) You can now use Windows XP for 30 days and/or reactivate.

Note1: If the SysPrep window continues to open every time you restart, rename the folder where you saved the tool to something else.

Note2: This process is repeatable in the event your grace period expires or the activation gets confused again.

July 12, 2009

Recover deleted files from a jailbroke iPhone (or *nix)

Here I will describe a process that will allow you to recover deleted files from an jailbroken iPhone hard drive. If you do not know what jailbroken means, your device most likely does not fall into this category. This method should also work with virtually any *nix based distribution as well. I will split this up into two parts: create disk image and analyze disk image. You will also find a list of my resources at the end. I suggest reading completely through each section before attempting it. Do not be intimidated by the length of this post. I have tried to provide a lot of information, but this operation boils down to using only 2 commands.


The instant you realize that you need to recover a deleted file, stop using the device immediately. The more you continue to use the device, the higher the chance that the files you need will be overwritten.

The first thing we need to do is to make a copy of the data on the device's hard drive. The technique we will use to do this is to use the dd tool via ssh over wifi. Here are two variations on how to achive this.

Variation 1:
SSH into the device from a host machine.

The device will need to have OpenSSH running. The default password for OpenSSH right now is 'alpine'. The host machine will also need the dd tool installed.

You will need to identify the IP address that your device is using. I like to use SBSettings app to get this information. From the host machine, run the following command:

ssh root@device.ip.address "dd if=/dev/disk0" | dd of=iphone-dump.img

where device.ip.address is the ip address of the device.

Variation 2:
SSH into a host machine from the device.

The host machine will need to have an OpenSSH server running. It must also have the dd tool installed.

Run the following command:

dd if=/dev/disk0 | ssh username@host.ip.address "dd of=iphone-dump.img"

where username is a valid user account on the host machine and host.ip.address is the ip address of the host machine.

-Only attempt this operation with the device plugged in as it tends to rapidly drain the battery.
-When you run the dd command via ssh, you will have no feedback until the operation is completed.
-The copy operation can take several hours depending on the hard drive size of the device.
-You can use the 'ls -l' command to monitor the size of the img file during the copy to make sure it is still running.
-Make sure that the host computer has enough free space to hold the entire contents of the device's hard drive.
-If he image size appears to stop growing during the operation, relax, wake up your iphone, and make sure the wifi signal strength is strong. The operation will generally continue without issue.


In a filesystem a file is stored in a some spot on your disk and information about the file such as its name and position on the disk is entered into a special section of the hard drive that acts like an index of a book. When you 'delete' a file, it is the entry in the index that is removed, not the file itself. However, any new files may be copied over the file as it is no longer being 'used'. There are several forensic tools that exist that will manual search the hard drive for files instead of relying on the index. It is in this way that we can recover deleted information. However, as you can see, there is no guarantees that the file has not been written over yet.

The iPhone uses a filesystem called HFS. This is a special format used by Apple and is not supported by a wide range of forensic tools. The tool that I use for HFS is called PhotoRec by CGSecurity. It can be downloaded from here:

To begin, run the following command:

photorec iphone-dump.img

From here, you can simply select all of the auto-detected options to have PhotoRec recover most of your disk's files.

For more control and possibly better results, you can find a step by step guide for PhotoRec here:

The popular SleuthKit tool also has support that you can choose to enable if you compile the source code yourself. The tool plans to have HFS enabled by default starting in a future release. It can be found here:

There is no gaurantee that any one tool will detect all available information. Feel free to try several different tools. Because of the nature of how the recovery works, you can easily end up with corrupt files. There exist tools that can help you to repair or extract good data from corrupt files.

-FileJuicer can help extract good data from corrupt files ( There is a 5 day trial available.
-iSquint can help repair corrupt movie files (
-The iPhone takes a temporary PNG screenshot every time you exit an application in order to create the transition effect. We can take advantage of this. If you have an image file that was unable to be recovered, make sure to have your forensic tool also recover PNG files. Sometimes you can recover one of the screenshot files in place of the unrecovered original image.