Leaderboard

Popular Content

Showing content with the highest reputation on 08/10/2014 in all areas

  1. seangriffin

    FileSystemMonitor UDF

    This is a UDF that allows users to monitor the file system, using a combination of two internal Windows API functions:

      • ReadDirectoryChangesW; and
      • SHChangeNotifyRegister

    The purpose of this UDF is to record all file system events occurring within a given path.

    REQUIREMENTS: AutoIt3 3.2 or higher

    LIST OF FUNCTIONS:

    EXAMPLES:

    The following example is of a GUI that dynamically updates when files, folders and drives change within the file system (outside of the GUI). The "Drives" list automatically updates when new drives are connected to the computer, and when existing drives are disconnected. The "Directory Listing" automatically updates whenever an external application (i.e. Windows Explorer) adds, renames or deletes files and folders in the directory currently displayed. When the "Directory Listing" is automatically updated with additions or changes, the list is automatically scrolled to that change. The user may click on an item in the "Drives" list to change the "Directory Listing" to that drive. The user may also double click on a directory (<DIR>) in the "Directory Listing" to navigate to that directory. Double-clicking on "<DIR> .." will navigate back to the previous directory. The user may also press "F2" to rename an item in the "Directory Listing", and press "Delete" to delete/recycle an item in the "Directory Listing".

    FileSystemMonitor Explorer example.au3

    The following example monitors file system events. Run this script, and then use various applications (i.e. Windows Explorer) whilst the script is running, to manipulate files, folders and drives within "C:\". The changes you make should get recorded in the GUI of this example. The user may also change the Path and click "Use Path" to change monitoring to another path, other than "C:\".

    FileSystemMonitor example.au3

    DOWNLOAD: Latest Version - v0.4 (02/05/10) FileSystemMonitor.au3

    BACKGROUND:

    The script for ReadDirectoryChangesW comes from the following brilliant topic: [NOW WORKING] a (broken) monitor file changes script which uses ReadDirectoryChangeW

    The script for SHChangeNotifyRegister comes from the equally brilliant topic: SHChangeNotifyRegister() Receive notifications of shell changes.

    The combination of the two functions allows monitoring of most I/O functions in Windows, including:

      • folder and file renames
      • folder and file creates
      • folder and file deletes
      • folder and file updates
      • drive additions
      • drive removals

    I began this script by using SHChangeNotifyRegister alone, but then found that it didn't catch file creations from many apps (like Internet Explorer or Opera file downloads). A detailed description of the problem is mentioned in this article: Shell Notifications

    Here's an excerpt:

    "...The Origin of Events So now, you know how to receive any of these shell notifications that are floating around, but who is actually generating them? According to the documentation, 'An application should use this function (SHChangeNotify) if it performs an action that may affect the shell'. But that seems to be a bit of wishful thinking. I can't imagine there are many application developers that really give a damn whether the shell is kept informed of their actions... ...The result is that these notifications tend to be a little bit unreliable. The likelihood of you getting an event for something, may depend on what explorer windows happen to be open at the time. The shell also only has a 10 item event buffer, and may replace some events with a generic SHCNE_UPDATEDIR in case of an overflow. In short: don't depend on these notifications for any mission-critical applications..."

    I then switched to ReadDirectoryChangesW, but found that it lacks in features, such as detecting removable drive additions and removals.

    The result I implemented was a combination of the two. I prefer the Shell Change Notify method much more than the ReadDirectoryChangesW method, though because of the issues with it (as described above) I've had to implement both approaches to catch all events. I like the fact that the Shell Change Notify method is very asynchronous in nature, running in the background as a registered Windows Message, with a separate AutoIt function being activated whenever an event occurs, unlike ReadDirectoryChangesW's polling nature.

    I tried to put the monitoring of ReadDirectoryChangesW inside the MY_SHNOTIFY function above, but it didn't work. I'm still unsure why? If anyone can work it out please let me know. According to other forum topics, each call to ReadDirectoryChangesW should pull the next unprocessed event (that has occurred) out of its queue (if that's the right word for it). So in theory, it shouldn't matter where it's called, or when. However calling it from within MY_SHNOTIFY doesn't work (even after changing the above code to make all variables global, and therefore accessible to MY_SHNOTIFY). Yet cutting and pasting the ReadDirectoryChangesW script into the Main Loop (While 1) does work. Strange.
    1 point
  2. Using the same code styling I have recently adopted within the last 5 months (since using C#), may I present to you a proof of concept for adding resources to an executable without the hassle. So far only RT_BITMAP and RT_RCDATA are supported, with inspiration taken from AutoItWrapper by Jos and wraithdu. Any ideas and collaboration are welcome. mLipok, Don't worry about the comments/regions for now. -_0

    ```autoit
    #AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w 4 -w 5 -w 6

    #include <Array.au3>
    #include <WinAPIRes.au3>

    ; MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/dd183374(v=vs.85).aspx
    ; BMP header: http://en.wikipedia.org/wiki/BMP_file_format
    ; Global Const $tagBITMAPFILEHEADER = 'align 2;word bfType;dword bfSize;word bfReserved1;word bfReserved2;dword bfOffBits'

    Global Const $RESOURCE_GUID = 'B18E2CDC-0C56-11E4-9E4A-30540707A45E'
    Global Const $RESOURCE_BITMAP_HEADER = 14 ; DllStructGetSize(DllStructCreate($tagBITMAPFILEHEADER))
    Global Const $RESOURCE_LANG_DEFAULT = 0

    Global Enum $RESOURCE, $RESOURCE_FIRSTINDEX
    Global Enum $RESOURCE_FILEPATH, $RESOURCE_ID, $RESOURCE_INDEX, $RESOURCE_ISNOTUPDATE, $RESOURCE_UBOUND, $RESOURCE_UPDATE, $RESOURCE_MAX
    Global Enum $RESOURCE_RESISADDED, $RESOURCE_RESLANG, $RESOURCE_RESLENGTH, $RESOURCE_RESNAMEORID, $RESOURCE_RESPATH, $RESOURCE_RESTYPE

    #Region Example
    Example()

    Func Example()
        ; Copy @AutoItExe to the temp directory to add resources to.
        Local $sFilePath = @TempDir & '\' & $RESOURCE_GUID & '.exe'
        FileCopy(@AutoItExe, $sFilePath)

        ; Open the temp directory.
        ShellExecute(@TempDir)

        ; Create a resource object.
        Local $hResource = _Resource($sFilePath)
        For $i = 1 To 20
            ; Using the resource object, add the current script file as RT_RCDATA with the resource name of TEST_n.
            ConsoleWrite('Updated ' & $i & ': ' & _Resource_Update($hResource, @ScriptFullPath, 'TEST_' & $i, $RT_RCDATA) & @CRLF)
        Next

        ; Create an array of files successfully added to the executable.
        Local $aResFiles = _Resource_ToArray($hResource)
        _ArrayDisplay($aResFiles)

        ; Close the resource object.
        _Resource_Close($hResource)
    EndFunc   ;==>Example
    #EndRegion Example

    Func _Resource($sFilePath)
        Local $aResource[$RESOURCE_FIRSTINDEX][$RESOURCE_MAX]
        $aResource[$RESOURCE][$RESOURCE_FILEPATH] = $sFilePath
        $aResource[$RESOURCE][$RESOURCE_UPDATE] = _WinAPI_BeginUpdateResource($aResource[$RESOURCE][$RESOURCE_FILEPATH])
        If @error Then
            $aResource[$RESOURCE][$RESOURCE_UPDATE] = Null
        Else
            $aResource[$RESOURCE][$RESOURCE_ID] = $RESOURCE_GUID
            $aResource[$RESOURCE][$RESOURCE_INDEX] = 0
            $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE] = False
            $aResource[$RESOURCE][$RESOURCE_UBOUND] = $RESOURCE_FIRSTINDEX
        EndIf
        Return $aResource
    EndFunc   ;==>_Resource

    Func _Resource_Close(ByRef $aResource)
        Local $bReturn = False
        If __Resource_IsAPI($aResource) And $aResource[$RESOURCE][$RESOURCE_UPDATE] Then
            $bReturn = _WinAPI_EndUpdateResource($aResource[$RESOURCE][$RESOURCE_UPDATE], $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE])
            $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE] = False
            If $bReturn Then $aResource[$RESOURCE][$RESOURCE_UPDATE] = Null
        EndIf
        Return $bReturn
    EndFunc   ;==>_Resource_Close

    Func _Resource_ToArray(ByRef $aResource)
        Local $aReturn = Null
        If __Resource_IsAPI($aResource) Then
            Local Enum $eRESPATH, $eRESNAMEORID, $eRESTYPE, $eRESLANG, $eRESMAX
            Local $aArray[$aResource[$RESOURCE][$RESOURCE_INDEX]][$eRESMAX], _
                    $iIndex = 0
            For $i = $RESOURCE_FIRSTINDEX To $aResource[$RESOURCE][$RESOURCE_INDEX]
                If $aResource[$i][$RESOURCE_RESISADDED] Then
                    $aArray[$iIndex][$eRESPATH] = $aResource[$i][$RESOURCE_RESPATH]
                    $aArray[$iIndex][$eRESNAMEORID] = $aResource[$i][$RESOURCE_RESNAMEORID]
                    $aArray[$iIndex][$eRESTYPE] = $aResource[$i][$RESOURCE_RESTYPE]
                    $aArray[$iIndex][$eRESLANG] = $aResource[$i][$RESOURCE_RESLANG]
                    ; $aArray[$iIndex][$eRESLENGTH] = $aResource[$i][$RESOURCE_RESLENGTH]
                    $iIndex += 1
                EndIf
            Next
            ReDim $aArray[$iIndex][$eRESMAX]
            $aReturn = $aArray
            $aArray = 0
        EndIf
        Return $aReturn
    EndFunc   ;==>_Resource_ToArray

    Func _Resource_Update(ByRef $aResource, $sFilePath, $sResNameOrID, $iResType = Default, $iResLang = Default, $bIsAdd = True)
        Local $bReturn = False
        If __Resource_IsAPI($aResource) And $aResource[$RESOURCE][$RESOURCE_UPDATE] And FileExists($sFilePath) And Not (StringStripWS($sResNameOrID, $STR_STRIPALL) = '') Then
            If IsBool($bIsAdd) Then
                If $iResLang = Default Then $iResLang = $RESOURCE_LANG_DEFAULT
                If $iResType = Default Then $iResType = $RT_RCDATA
                If $bIsAdd Then
                    Local $hFile = _WinAPI_CreateFile($sFilePath, 2, 2) ; Magic numbers!
                    If Not @error And $hFile Then
                        Local $iBytes = 0, $iLength = FileGetSize($sFilePath), _
                                $pBuffer = 0, _
                                $tBuffer = 0
                        $aResource[$RESOURCE][$RESOURCE_INDEX] += 1
                        If $aResource[$RESOURCE][$RESOURCE_INDEX] >= $aResource[$RESOURCE][$RESOURCE_UBOUND] Then ; Re-size the array if required.
                            $aResource[$RESOURCE][$RESOURCE_UBOUND] = Ceiling($aResource[$RESOURCE][$RESOURCE_INDEX] * 1.3)
                            ReDim $aResource[$aResource[$RESOURCE][$RESOURCE_UBOUND]][$RESOURCE_MAX]
                        EndIf
                        $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESPATH] = $sFilePath
                        $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESLENGTH] = $iLength
                        $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESLANG] = $iResLang
                        $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESNAMEORID] = $sResNameOrID
                        $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESTYPE] = $iResType

                        ; Idea inspired by Jos and wraithdu. AutoItWrapper was analysed in creating this code.
                        Switch $iResType
                            Case $RT_BITMAP ; http://www.codeproject.com/Articles/47708/Modify-Update-resources-of-an-Exe-DLL-on-the-fly
                                $iLength -= $RESOURCE_BITMAP_HEADER
                                $tBuffer = DllStructCreate('byte data[' & $iLength & ']')
                                $pBuffer = DllStructGetPtr($tBuffer)
                                _WinAPI_SetFilePointer($hFile, $RESOURCE_BITMAP_HEADER)
                                _WinAPI_ReadFile($hFile, $pBuffer, $iLength, $iBytes, 0)

                            Case $RT_ANICURSOR, $RT_CURSOR
                                ; To be added.

                            Case $RT_ICON ; http://blogs.msdn.com/b/oldnewthing/archive/2012/07/20/10331787.aspx
                                ; To be added.

                            Case $RT_STRING
                                ; To be added.

                            Case Else ; $RT_FONT, $RT_MANIFEST, $RT_RCDATA, $RT_VERSION
                                $tBuffer = DllStructCreate('byte data[' & $iLength & ']')
                                $pBuffer = DllStructGetPtr($tBuffer)
                                _WinAPI_ReadFile($hFile, $pBuffer, $iLength, $iBytes, 0)

                        EndSwitch
                        If $hFile Then
                            _WinAPI_CloseHandle($hFile)
                        EndIf
                        $bReturn = _WinAPI_UpdateResource($aResource[$RESOURCE][$RESOURCE_UPDATE], $iResType, $sResNameOrID, $iResLang, $pBuffer, $iLength) > 0
                    EndIf
                    $aResource[$aResource[$RESOURCE][$RESOURCE_INDEX]][$RESOURCE_RESISADDED] = $bReturn
                Else
                    $bReturn = _WinAPI_UpdateResource($aResource[$RESOURCE][$RESOURCE_UPDATE], $iResType, $sResNameOrID, $iResLang, 0, 0) > 0
                EndIf
                If Not $bReturn And Not $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE] Then
                    $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE] = True
                Else
                    $aResource[$RESOURCE][$RESOURCE_ISNOTUPDATE] = False
                EndIf
            EndIf
        EndIf
        Return $bReturn
    EndFunc   ;==>_Resource_Update

    Func __Resource_IsAPI(ByRef $aResource)
        Return UBound($aResource, $UBOUND_COLUMNS) = $RESOURCE_MAX And $aResource[$RESOURCE][$RESOURCE_ID] = $RESOURCE_GUID
    EndFunc   ;==>__Resource_IsAPI
    ```
    1 point
  3. It's less user coding I suppose but beyond that I do not see much of a gain. It's quite simple to emulate.

    ```autoit
    Global $Extended, $Error

    _Func()
    MsgBox(0, $Error, $Extended)

    Func _Func()
        _SetError("hello", "World")
    EndFunc

    Func _SetError($err = "", $ext = "")
        $Error = $err
        $Extended = $ext
    EndFunc
    ```
    1 point
  4. I had the same problem lately at work with McAfee. I had to ask the admins to release the exe. But as history shows it is always a false positive.
    1 point
  5. The code was written after research. I explained that in the first post of the RunBinary thread. You don't need references because they are lame. Each was monkey see, monkey do, without understanding why something is done. You just need better knowledge of the C++ language. The RunBinary thread is the only valid reference because it explains in detail how to do it, it gives a complete solution, and shows the algo both in theory and in practice. My choice of practical language was AutoIt because it was fun to do it that way. I don't want to write a C++ version for you because I'd have nothing from that. For free the only thing you'll get are tips and advice to help you learn how to do it yourself.
    1 point
  6. czardas

    Know pressed key

    While I don't think it was StungStang's intention, MPH is correct. It is the decision of the AutoIt developers that certain topics are not to be discussed. I am in agreement with this because I do not want my own program, which I may have been working on for several months (or even years), to be flagged as malware as a consequence of bad publicity generated by a few thoughtless individuals. The forum rules are clear and carefully thought out. If you ignore these rules, I see this as a lack of consideration for the majority of AutoIt users who have no intention of creating any kind of malware. StungStang doesn't strike me as having bad intentions, but it doesn't really matter. Keyloggers are banned.
    1 point