Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I have been trying to find out how to programmatically interact with Component-Based Servicing (CBS) which is basically the TrustedInstaller and other services. With the goal to be able to query CBS for what packages are installed and get any other information they may have on installed packages. Here is a link to a overview of it.
Basically using C/C++/C# (not picky) I would like to interact with this via an API. This link is the best documentation from MSDN that is API related that I could find and it isn't much. Then here is another MSDN documentation area that that gives some details but nothing really about an API I can use to interact with it. This one is under package manager which is how you can interact via command line in a limited way to install CBS based packages. The best quote from that last link is:
"CBS provides various APIs (which are
not publicly available) to its client
installers to service the operating
system components."
Which may say it all, but I am not ready to give up yet. The home for all or at least most of this is %WINDIR%\servicing which has CbsApi.dll for starters, while it appears to be registered as a COM DLL it doesn't publicly expose any classes or functions to do anything. It seems also that most of the details that the API access are in the sub-folders such as Packages, Sessions, Editions, Version, etc.
I know not many people would be trying to do this except for myself and Greg Lambert who has a couple blog posts from a two years back basically asking the same questions and trying to figure out this "not public" API. It didn't look like he cracked this nut yet either.
So now I am at the point to reach out for help and ask the community if anyone has worked out the hidden API for this, or may want to take on the challenge and see want they can find out. Any information that helps me to take a step closer is appreciated.
The correct way to programatically access the CBS is through the API's to its clients. Depending on what you are trying to accomplish, this would involve the Windows Installer or the Windows Update Agent API, both of which are documented in the Windows SDK.
The CBS instelf is an implementation detail and shouldn't be used directly. Thr reason there is so little information publically avaiable is a combination of the fact that relying on implementation details rather than contracts is a bad practice and there is simply easier and more reliable ways to accomplish anything you'd do with CBS directly.
This part of the Windows Installer SDK deals with querying for installed components.
Maybe things have changed, because I just found MS's Component Based Servicing Reference, documenting a COM interface.
Side note: I got here via a comment on Raymond Chen's blog and its response, which made wonder "what is Component Based Servicing, why is it a disaster, and what does it have to do with auto-sort?". I still don't know the answer.
Disk space filling up is a common problem in Windows 7 due to the disaster that is Component Based Servicing.
[It wouldn't be a problem if you could disable auto-sort in Explorer, though. -Raymond]
The CBS is basically for Windows Updates and other servicing operations. Since they are released by Microsoft itself, the clients of CBS are internal teams at Microsoft. The API's are not released publicly. The tools and xml files needed for writing Windows Updates, etc. are internal to Microsoft. There is no way that third party applications can use CBS technology.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
Improve this question
I have written a c# program to monitor what my daughter is doing on her computer during her online lessons (due to COVID lockdown).
She has a habit of going onto Discord to chat with her friends instead of following the lesson. She also plays Minecraft during lesson time.
I don’t have the time to keep checking up on her so my wife urged me to write this software.
But the software is detected by Windows Defender as a Trojan as shown below;
Detected: Trojan:Script/Wacatac.B!ml
This program is dangerous and executes commands from an attacker
I can see that it is a Trojan of sorts but it is not being used in that vein. I am simply using TCP SOCKETS to allow myself or my wife to keep an eye on our daughter and to message her and if need be to close down the offending application remotely.
The way that MS Defender keeps quarantining each new compilation as I fine tune the exe to do what I need it to do is a real bind.
I am hoping that somebody might know a way around this.
After all I am using an API (System.Net.Sockets) that is part of the Microsoft DotNet library.
It is as if Microsoft were banning the use of an API that it provides.
My daughter is back at school on the 8th March 2021 so it will be redundant after that (hopefully) but as a developer I would still like to know how to solve this.
... close down the offending application remotely.
To some extent, this indeed makes your program "execute commands from an attacker." It seems like the issue does not lie in whatever API you use - but instead, what the program actually does.
You may try obfuscating your program with something like ConfuserEx, though it is possible that Windows Defender flags the obfuscated build as well, because this is what some real malwares do to hide themselves. The easiest solution is to place the program in a separate directory and add that directory to Windows Defender's exclude list.
We run up against this kind of problem frequently, and realistically there's not a lot you can do about it. False positives are just a part of what we have to deal with, and the only way to deal with them for low-distribution items like personal remote administration tools - or my own common case, custom AV upgrade scripts - is to add exceptions for your own programs when you install them on a computer, and every time you update the code.
It is as if Microsoft were banning the use of an API that it provides.
Unfortunately malware uses those same APIs. AV vendors are constantly upgrading their definitions to catch as many threats as possible and common techniques used by malware are also present in remote administration tools.
From a quick search it looks like Wacatac.B!ml is a particularly problematic detection that has struck all sorts of legitimate applications, including an open-source launcher for Blender recently and several other items.
From experience the !ml tag means that the definition was derived via machine learning which means it most likely is a deep heuristic rather than a code fingerprint.
Possible Solutions
The most general way to get around this type of heuristic detection is with extended validation code signing. Since this requires a relatively expensive certification process it's unlikely to be a useful solution for your in-house child monitoring tools.
In your case perhaps a path or file exclusion would allow you to continue to refine your tool without having to worry about it constantly being detected and blocked. I wouldn't recommend this for production systems, but for home use only it's simple, althout occasionally unreliable.
Finally, you could radically change the code. If you can't find a way to avoid detection using your current code base then consider using a different technique altogether. Enable powershell remoting and run a collector script on another machine on the network. Build a web-based agent that polls a web service (on the local network of course) to get commands to run. Use a popular library that will handle the actual communications for you rather than accessing the sockets yourself. Not as efficient maybe, but sometimes all it takes is one change to get the false positives to leave you the hell alone.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I release a bunch of tools for free, but recently I have began to sell an application, that has private research, and people have been able to get my source code, and one person publically released my entire source. I spent a lot of time on this program, just to have someone crack it, and release my entire source.
How can I go about protecting my program? I have tried HWID, but people are still able to crack it. I know I am limited by C#, but it the most convenient to use. I just need a way to protect my programs from people trying to do this.
You could have a look at the many obfuscation tools that are out there, for example these:
http://gapotchenko.com/eazfuscator.net
http://orangeheap.blogspot.nl
http://confuser.codeplex.com (succeeded by https://yck1509.github.io/ConfuserEx/ and then again by https://github.com/XenocodeRCE/neo-ConfuserEx)
http://ntoolbox.com)
Well, the problem with languages like C#/Java is that they are generally much easier to de-obfuscate. The way to secure this is generally to put this stuff into a webservice, but you said you couldn't really do that. What about porting specific non-trivial functions over to a language like C, and obfuscate that. Your C# program could then use reflection to make calls to this external/unmanaged dll. It would increase the difficulty for de-obfuscating, but the problem is that if someone wants it bad enough, they can figure it out as it is client-side.
It may be that legal action is the only real solution here, but this is not a site for legal advice, and I am not qualified to give it if it were.
Additionally, this could be a business decision. Consider Making your software open-source and post a donation link. I am also not qualified to give business advice, but this is worth considering. It may actually increase your revenue, not to mention the other benefits that come with releasing open-source software.
There's Dotfuscator (http://www.preemptive.com/products/dotfuscator/overview). But the best solution in some cases is to offer what you do as a web site (Software as a Service).
Consider this tool for example to convert VB to C#: http://converter.telerik.com/
Or this tool to format JSON: http://jsonformatter.curiousconcept.com/
This may or may not work for you. I don't know what the nature of the software you're trying to protect is.
No, your code needs to contain the information needed to decrypt itself, its an impossible problem to solve.
Your best solution is to put your intellectual property on a server in the cloud that only you have access to. Give your customers a unique login, audit their access to check for abuse, off load as much grunt work onto your customers machines, but keep your algorithms locked into the cloud.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
What tools/plugins do you use for checking in/out code?
how to communicate changes made to the code, how to make request for new functionality?
How has your team solved this?
See this previously asked question:
Multiple Programmers in Software Development. How do we work on the same code and ensure it is always updated?
There are a lot of good answers to this question, and they apply to small and large teams.
For source control, we use Svn with the Tortoise SVN client. We've used other source control systems in the past, and have found this one to be the best for our needs.
I would recommend you use SVN for source code management, if you are using visual studio you can get numerous plugins for IDE integration.
http://subversion.tigris.org/
http://www.visualsvn.com/ = SVN Server & VS Integration
Try to set up Continuous Integration for this you can use Cruise Control .Net or Hudson. Cruise control can be set up to do a build on each check in and the history is shown on a web page.
http://confluence.public.thoughtworks.org/display/CCNET/Welcome+to+CruiseControl.NET
http://hudson-ci.org/
For requesting new functionality you could use a ticketsing system, wiki or Google Wave any one of these should enable you to keep track of requirements.
Hope this helps.
You can pretty much use any tools for small development teams you wish. There are lots of options.
Personally, my team uses SVN for code, and Trac for tracking - mostly because it's very cost effective for a small team. However, there's nothing C#/.NET specific about that setup.
If your team has MSDN subscriptions, you might want to consider Team Foundation Server. It has many features for integration with Visual Studio that are (arguably) superior to some of the alternatives.
You should use one of the many available source control repositories. Trust me, you won't know what you did without it :)
There are plugins for Visual Studio for working on a team, but personally I've never used them.
I've done team projects with both Subversion and Mercurial... just make sure to check in the solution and project files, and all related code.
Everyone will also need to be running the same version of Visual Studio.
For requesting new functionality, you might want to consider an external solution like Trac or Bitbucket or some other free system that includes issue tracking.
Well, how small? I work on a team of 5, and we communicate well with IM, or just dropping by and talking. That being said, the team is pretty responsible, so you can trust everyone to carry their weight. I would suggest you use subversion for source control if your company doesn't have anything.
We're a team of 3 C# developers.
For version control, we use AnkhSVN, an open source SVN client that integrates with Visual Studio.
For project management, issue tracking and feature requests, we use Redmine.
What tools/plugins do you use for checking in/out code?
Mercurial -- once you've used a DVCS, it's hard to imagine going back. Everybody uses their own favorite editor; usually, that's Emacs, which comes with support for many VCSs, including Mercurial.
how to communicate changes made to the code, how to make request for new functionality?
Changes are tracked in version control. You can look at the changesets as you pull them, or browse the web interface. Or just ask people at lunch what you're working on -- no developer is an island. New functionality is tracked, along with bugs, in the bug tracker.
How has your team solved this?
We're a small team using C#, but nothing here is specific to C# or small teams. I've used very similar systems with other size teams, and other languages/platforms.
We have a team of three and currently use Source Gear Vault for source control and Fogbugz for bug/feature tracking. Source Gear integrates into Visual Studio nicely and works over http which makes it easy to access from anywhere. Check ins and outs can be done directly in Visual Studio or a standalone client.
Source Gear also integrates with Fogbugz.
Used to use Visual Source safe and would never go back...
I work on a small team of 1-5, depending on the project.
What tools/plugins do you use for checking in/out code?
We use Git with Github for new projects, and TFS for some legacy work.
I see a lot of people recommending a certain provider without telling you why. I have used TFS, SourceGear, SVN (a little), and Git. I prefer Git because it stays out of my way. Git is command-line based. My typical source control workflow is a handful of simple commands, but learning those commands took a few tries.
how to communicate changes made to the code, how to make request for new functionality?
We use Pivotal Tracker for story writing and organizing priority.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I've been looking for a simple key/license system for our users. Its partly to stop piracy (avoid users from sharing the application around) and the other half to track the number of 'licensed users' we have. I have already read a few good suggestions on SO but I'm curious as to how people have implemented the 30 day evaluation criteria.
Do you generate a key that stores the date somewhere and do a comparison each time or is it a little more complicated - deleting the file/removing the registry shouldn't deactivate.
Are there any example implementations out there that can give me a head start? The irony is that our PM doesn't want to license a third-party system to do it for us.
This is for a Windows Forms application.
Have you checked out the Rhino-Licensing project by Ayende Rahien. You can also see his blog post about licensing a commercial product which led him to develop this solution.
There are two separate challenges: i. How do you prevent a copied app from running. ii. How to prevent users from ripping out/bypassing your prevention scheme. The first one is usually done by taking a hard to copy signature of the user's system (e.g. Hard Drive ID + Processor ID + RAM, etc) and using it as the seed/key AND activating it on-line by calling "home".
The Second issue is harder to do in .Net since the source code can be in someway extracted and recompiled to exclude your protection system. The key here is to make it cheaper to buy the license than to remove the protection at the user's end. You may find that for most products, the suggestion to use a customized engine to encrypt your product libraries that also contain your copy-protect and decrypt it at initial run-time, might be enough.
I am not sure you can actually protect a .NET - There may be commercial solutions that do the trick. The reason is .NET code can be seen through Lutz Roeder (Thanks Jasonh for the heads up) Red Gate's Reflector (It was formerly by the named guy above). The best way to deal with it is to look for code obfuscation which makes reflecting more trickier, I can point you to one place I know of that does this for free - Phoenix - NtCore.Com.
The more esoteric solution would be to create a .NET hosting environment in C++, load the binary image (which could be encrypted) and the hosting environment than undecrypt it in memory - have heard of that theory but not sure how that would be done in practice. Please do not use your own protection scheme as there could be a weakness.
Someone once said - "Security through obscurity"....
Hope this helps,
Best regards,
Tom.
I worked on a project that handled this by putting some critical functionality (for example data storage, reporting, or payments) on an external server we ran, and requiring the user to log in to this server to get the functionality.
Customers can make backups, share, or run the application locally, but to access this critical function they have to type a password in to our application and connect to our server. Customers knew the password allowed changing their data, so they would not want to share the password with other people.
This was handy because we do not care how many copes of the application are out in the wild, we only track server connections. We included machine-identifying data like MAC address in the connection data, so we can track which machines are connecting.
I'm not just saying this because my company sells the OffByZero Cobalt software licensing solution for .NET: your PM should know that software licensing is very hard to get right, and if you roll your own, you'll be supporting it for the foreseeable future.
Take a look at the article Developing for Software Protection and Licensing; it explains how to choose a solution, why you should obfuscate your application and gives a number of tips for structuring your code to be harder to crack.
In particular it makes the point that the vast majority of companies should outsource their software licensing, as it makes no sense to spend developer time on building and maintaining a complex system that isn't your core business.
What is more important to your company: adding an important new feature to your product, or tracking down a peculiar permission behaviour on an ancient version of Windows that's clobbering your licensing system?
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I'm a C# developer looking to get into home automation as a hobby. I have done a little research, but was wondering if anyone knows of a good .NET library that supports Insteon hardware. I'd rather use Insteon than X10 due to reliability issues.
My ultimate objective at this point is to have a simple home automation server (maybe lights and climate control) with a secure ASP.NET web application interface. I'm more interested in actually building it and learning about it rather than finding an existing solution.
Thanks for any suggestions or comments.
Edit:
Thanks for the help, everyone.
Does anyone have experience with Z-wave technology? Seems promising - appears to be higher quality hardware, includes a core library, supports .NET, etc. ControlThink appears to have a pretty good controller and SDK.
Here's an interesting application to consider: Stall Status: Know Before You Go
We found there really wasn't much developer support for Insteon unless you wanted to buy their SDK and agree to their rather heavy-handed license agreement. Rather than go that route, we wrote our own .NET library called FluentDwelling and we open-sourced it. You can find a download link, and some get-you-started code samples if you follow that link.
The source code comes with a full suite of unit tests (requires NUnit, also free), so you can add improvements and make changes if you like.
I would avoid X10 like the plague. Between things like modern TV's and power strips, bridged power junction boxes and just plain strange wiring, X10 signals tend to just "disappear" and never get to their destination.
If you really want to give X10 a shot, I've got a box of X10 stuff in the garage that was worth $250+ new and it's all completely useless in my house, so you can have it. Some of it worked in my old house, but it won't so much as turn a light on 2 outlets away where I live now.
X10 is viewed by most modern electronics as "noise" on the line (which, technically, it is) and something to be filtered out rather than passed along or left alone.
I can't remember if it covers the specific technologies you mention but you should definately check out this episode of .NET Rocks. They talk about all the different stuff you can do with home automation and a lot about how to do it. I believe one of the main points was that Microsoft Robotics Studio was a good tool to use, as it uses a lot of the same abstractions as you would otherwise use.
I know it's been a long time since this post was made, however I was wondering if you'd picked a route, and what you've ended up doing with home automation since.
I've been doing this kind of stuff with many of the technologies available, but I've always done it on top of a product called homeseer. .net plug-ins and vb.net and c# scripting can be done on top of this foundation. I've been thinking of rolling my own similar to what you were describing. Any thoughts, tips, decisions you've made etc?
A bit off topic, but listen to the latest episode of dot net rocks, one of the finalists of my .net story built an home automation solution that really made me want to dive into home automation again.
Totally awsome solution.
http://www.dotnetrocks.com/default.aspx?showNum=518
I think this would bee a place to start
insteon sdk
Some research via Google looking for an Insteon SDK only yields stuff from way back in 2005. There's only information on serial port interfaces (no USB) and the only language mentioned is something called DockLight scripting that also looks like it hasn't been updated since 2005.
X10, on the other hand, boasts support for C++, VisualBasic, VB Script, and JavaScript. No .Net listed, but VisualBasic/VB Script likely implies a COM object you can easily import for use in C#. They're also much more USB friendly, and the kit costs 1/4 of the Insteon kit ($50 vs $200).
If you were actually building a product I would understand the reliability concern. But since this is a home project I think you'll have much better luck with X10.
you can try C-bus by Clipsal(schneider) it's free.